The restorecon_recursive directive in init is only applied if the
file_contexts file changed between builds, but not necessarily if any
file or folder inside /mnt/vendor/persist/ has changed.
The restorecon code checks whether an xattr named
"security.sehash" contains a string that matches the current
combined hashes of the SELinux context files and skips restoring labels
if there is a match, see
https://android.googlesource.com/platform/external/selinux/+/refs/tags/android-9.0.0_r35/libselinux/src/android/android_platform.c#1546
Force wiping that xattr so that restorecon always runs since it's not
very expensive (there are currently only about 50 files on /persist).
The restorecon is needed to fix issues such as wrong stock labels on
/mnt/vendor/persist/sensors/:
sensors_persist_file -> persist_sensors_file
Change-Id: Ic0cd848836ee550499d9236f56ed6e939e35f01e
The core SEPolicy for vendor_init is being restricted to the proper
Treble restrictions. Since this is a legacy device, it is tagged as a
data_between_core_and_vendor_violators and the needed permissions are
added to its device specific vendor_init.te
Bug: 62875318
Test: boot walleye without audits
Change-Id: I13aaa2278e71092d740216d3978dc720afafe8ea
Signed-off-by: Subhajeet Muhuri <kenny3fcb@gmail.com>
Move vendor policy to vendor and add a place for system extensions.
Also add such an extension: a labeling of the qti.ims.ext service.
Bug: 38151691
Bug: 62041272
Test: Policy binary identical before and after, except plat_service_contexts
has new service added.
Change-Id: Ie4e8527649787dcf2391b326daa80cf1c9bd9d2f
Change-Id: I1493c4c8876c4446a1de46b39942098bf49c79f8
