Merge remote-tracking branch 'upstream/android-9.0' into pie

* upstream/android-9.0: (21 commits)
  Actually we want to force samsung workaround off
  Allow treble app to write "battery info"
  [Samsung chmods] Need to set selinux too in input/enabled
  If we have both vendor and boot security_patch, prefer vendor security_patch
  We need to restart samsung hal when doing chown
  Also copy vendor security patch level
  [phh-securize] remove self script
  Add phh-securize.sh to switch to `user` build, copy vendor fingerprint, and tighten adb security
  [su] Allow write on any file/dir
  Add persist.sys.phh.mainkeys property to persist qemu.hw.mainkeys
  More rights to su
  SaR is more annoying to resize because there is no such thing as /dev/root, but mknod it so we can do it
  More chmods for /sys Samsung
  Use Samsung key layouts on all samsung devices
  Restart Samsung fingerprint HAL on boot
  Also chown `cmd`
  If /sys/class/sec/tsp rules are obviously completely broken, unbreak them a little
  Samsung running pie vendor have fixed fingerprint remaning
  Restart Samsung lights HAL late in the boot process.
  Mark successful boot before the 30s sleep
  ...

base.mk

@@ -132,3 +132,9 @@ PRODUCT_PACKAGES += \
 
 PRODUCT_PACKAGES += \
 	Stk
+
+PRODUCT_PACKAGES += \
+	resetprop
+PRODUCT_COPY_FILES += \
+	device/phh/treble/phh-securize.sh:system/bin/phh-securize.sh \
+

phh-on-boot.sh

@@ -9,6 +9,15 @@ if [ -f /vendor/bin/mtkmal ];then
     fi
 fi
 
+if grep -qF android.hardware.boot /vendor/manifest.xml || grep -qF android.hardware.boot /vendor/etc/vintf/manifest.xml ;then
+	bootctl mark-boot-successful
+fi
+
+setprop ctl.restart sec-light-hal-2-0
+if find /sys/firmware -name support_fod |grep -qE .;then
+	setprop ctl.restart vendor.fps_hal
+fi
+
 #Clear looping services
 sleep 30
 getprop | \
@@ -17,7 +26,3 @@ getprop | \
     while read -r svc ;do
         setprop ctl.stop "$svc"
     done
-
-if grep -qF android.hardware.boot /vendor/manifest.xml || grep -qF android.hardware.boot /vendor/etc/vintf/manifest.xml ;then
-	bootctl mark-boot-successful
-fi

phh-securize.sh

@@ -0,0 +1,16 @@
+#!/system/bin/sh
+
+mount -o remount,rw /
+mount -o remount,rw /system
+
+touch /system/phh/secure
+umount -l /system/xbin/su
+rm /system/xbin/su
+rm /system/bin/phh-su
+rm /system/etc/init/su.rc
+rm /system/bin/phh-securize.sh
+rm -Rf /system/bin/me.phh.superuser/
+mount -o remount,ro /
+mount -o remount,ro /system
+sync
+reboot

rw-system.sh

@@ -59,7 +59,7 @@ changeKeylayout() {
     changed=false
 
     if getprop ro.vendor.build.fingerprint |
-        grep -qE -e ".*(crown|star)[q2]*lte.*" -e ".*(SC-0[23]K|SCV3[89]).*"; then
+        grep -qE -e "^samsung"; then
         changed=true
 
         cp /system/phh/samsung-gpio_keys.kl /mnt/phh/keylayout/gpio_keys.kl
@@ -112,7 +112,11 @@ changeKeylayout() {
 if mount -o remount,rw /system; then
     resize2fs "$(grep ' /system ' /proc/mounts | cut -d ' ' -f 1)" || true
 elif mount -o remount,rw /; then
+    major="$(stat -c '%D' /.|sed -E 's/^([0-9a-f]+)([0-9a-f]{2})$/\1/g')"
+    minor="$(stat -c '%D' /.|sed -E 's/^([0-9a-f]+)([0-9a-f]{2})$/\2/g')"
+    mknod /dev/tmp-phh b $((0x$major)) $((0x$minor))
     resize2fs /dev/root || true
+    resize2fs /dev/tmp-phh || true
 fi
 mount -o remount,ro /system || true
 mount -o remount,ro / || true
@@ -343,3 +347,70 @@ done
 if [ -n "$(getprop ro.boot.product.hardware.sku)" ] && [ -z "$(getprop ro.hw.oemName)" ];then
 	setprop ro.hw.oemName "$(getprop ro.boot.product.hardware.sku)"
 fi
+
+if getprop ro.vendor.build.fingerprint | grep -qiE '^samsung/' && [ "$vndk" -ge 28 ];then
+	setprop persist.sys.phh.samsung_fingerprint 0
+	#obviously broken perms
+	if [ "$(stat -c '%A' /sys/class/sec/tsp/ear_detect_enable)" == "-rw-rw-r--" ] &&
+		[ "$(stat -c '%U' /sys/class/sec/tsp/ear_detect_enable)" == "root" ] &&
+		[ "$(stat -c '%G' /sys/class/sec/tsp/ear_detect_enable)" == "root" ];then
+
+		chcon u:object_r:sysfs_ss_writable:s0 /sys/class/sec/tsp/ear_detect_enable
+		chown system /sys/class/sec/tsp/ear_detect_enable
+
+		chcon u:object_r:sysfs_ss_writable:s0 /sys/class/sec/tsp/cmd{,_list,_result,_status}
+		chown system /sys/class/sec/tsp/cmd{,_list,_result,_status}
+
+		chown system /sys/class/power_supply/battery/wc_tx_en
+		chcon u:object_r:sysfs_app_writable:s0 /sys/class/power_supply/battery/wc_tx_en
+
+	fi
+
+	if [ "$(stat -c '%U' /sys/class/sec/tsp/input/enabled)" == "root" ] &&
+		[ "$(stat -c '%G' /sys/class/sec/tsp/input/enabled)" == "root" ];then
+			chown system:system /sys/class/sec/tsp/input/enabled
+			chcon u:object_r:sysfs_ss_writable:s0 /sys/class/sec/tsp/input/enabled
+			setprop ctl.restart sec-miscpower-1-0
+	fi
+fi
+
+if [ -f /system/phh/secure ];then
+    copyprop() {
+        p="$(getprop "$2")"
+        if [ "$p" ]; then
+            resetprop "$1" "$(getprop "$2")"
+        fi
+    }
+
+    copyprop ro.build.device ro.vendor.build.device
+    copyprop ro.bootimage.build.fingerprint ro.vendor.build.fingerprint
+    copyprop ro.build.fingerprint ro.vendor.build.fingerprint
+    copyprop ro.build.device ro.vendor.product.device
+    copyprop ro.product.device ro.vendor.product.device
+    copyprop ro.product.device ro.product.vendor.device
+    copyprop ro.product.name ro.vendor.product.name
+    copyprop ro.product.name ro.product.vendor.device
+    copyprop ro.product.brand ro.vendor.product.brand
+    copyprop ro.product.model ro.vendor.product.model
+    copyprop ro.product.model ro.product.vendor.model
+    copyprop ro.build.product ro.vendor.product.model
+    copyprop ro.build.product ro.product.vendor.model
+    copyprop ro.product.manufacturer ro.vendor.product.manufacturer
+    copyprop ro.product.manufacturer ro.product.vendor.manufacturer
+    copyprop ro.build.version.security_patch ro.keymaster.xxx.security_patch
+    copyprop ro.build.version.security_patch ro.vendor.build.security_patch
+    resetprop ro.build.tags release-keys
+    resetprop ro.boot.vbmeta.device_state locked
+    resetprop ro.boot.verifiedbootstate green
+    resetprop ro.boot.flash.locked 1
+    resetprop ro.boot.veritymode enforcing
+    resetprop ro.boot.warranty_bit 0
+    resetprop ro.warranty_bit 0
+    resetprop ro.debuggable 0
+    resetprop ro.secure 1
+    resetprop ro.build.type user
+    resetprop ro.build.selinux 0
+
+    resetprop ro.adb.secure 1
+    setprop ctl.restart adbd
+fi

sepolicy/su.te

@@ -39,6 +39,7 @@ net_domain(phhsu_daemon)
 
 hwbinder_use(phhsu_daemon)
 
+allow domain untrusted_app_all_devpts:chr_file { getattr read write };
 allow phhsu_daemon untrusted_app_all_devpts:chr_file { getattr read write open ioctl };
 allow phhsu_daemon zygote_exec:file { execute read open execute_no_trans getattr };
 
@@ -52,7 +53,7 @@ allow phhsu_daemon self:lnk_file { r_file_perms execmod };
 
 allow phhsu_daemon adbd_exec:file { getattr read };
 allow phhsu_daemon { rootfs same_process_hal_file system_file tmpfs }:file { mounton getattr };
-allow phhsu_daemon self:capability { sys_admin chown setuid setgid net_raw dac_override dac_read_search kill };
+allow phhsu_daemon self:capability { sys_admin chown setuid setgid net_raw dac_override dac_read_search kill fowner mknod };
 allow phhsu_daemon self:capability2 { syslog };
 allow phhsu_daemon shell_exec:file rx_file_perms;
 allow phhsu_daemon system_file:file { rx_file_perms entrypoint };
@@ -89,10 +90,11 @@ allow phhsu_daemon dex2oat_exec:file rx_file_perms;
 
 allow phhsu_daemon phhsu_daemon_tmpfs:file rwx_file_perms;
 
-allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type }:file { rwx_file_perms create mounton};
-allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type }:dir { rw_dir_perms mounton };
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type }:file { rwx_file_perms create mounton setattr getattr relabelto relabelfrom };
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type }:lnk_file { rw_file_perms create mounton setattr getattr relabelto relabelfrom };
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type }:dir { rw_dir_perms create mounton setattr getattr relabelto relabelfrom };
 allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type }:chr_file rwx_file_perms;
-allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type }:blk_file rw_file_perms;
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type }:blk_file { rw_file_perms create };
 
 allow phhsu_daemon device:file rwx_file_perms;
 allow phhsu_daemon device:dir rw_dir_perms;
@@ -126,4 +128,12 @@ allow phhsu_daemon phhsu_daemon:file relabelfrom;
 
 allow phhsu_daemon properties_device:dir { map };
 allow phhsu_daemon { tmpfs }:dir { mounton };
-allow phhsu_daemon system_file:file { relabelto };
+allow phhsu_daemon { file_type shell_data_file system_file}:file { relabelto relabelfrom} ;
+
+allow phhsu_daemon domain:fd { use };
+allow phhsu_daemon domain:unix_stream_socket { connectto ioctl getattr getopt read write shutdown };
+allow phhsu_daemon self:netlink_kobject_uevent_socket create_socket_perms;
+allow phhsu_daemon self:{ netlink_tcpdiag_socket } { create_socket_perms nlmsg_write nlmsg_read };
+
+allow phhsu_daemon file_type:file create_file_perms;
+allow phhsu_daemon file_type:dir create_dir_perms;

sepolicy/treble_app.te

@@ -3,5 +3,7 @@ allow system_app hidl_base_hwservice:hwservice_manager { add };
 allow system_app wifi_data_file:dir create_dir_perms;
 allow system_app wifi_data_file:file create_file_perms;
 
+allow system_app sysfs_batteryinfo:file rw_file_perms;
+
 type vendor_camera_prop, property_type;
 set_prop(system_app, vendor_camera_prop);

vndk.rc

@@ -12,3 +12,6 @@ on property:sys.boot_completed=1
     start phh_on_boot
     chown wifi system /data/misc/wifi
     chown system wifi /data/misc/wifi/hostapd.conf
+
+on property:persist.sys.phh.mainkeys=*
+    setprop qemu.hw.mainkeys ${persist.sys.phh.mainkeys}