From 7ea95fe6a470c71531a2465e0c2a0aca36ee410f Mon Sep 17 00:00:00 2001
From: Grant Yoshida
Date: Tue, 13 Aug 2019 12:40:27 -0700
Subject: Fix GSI selinux policies. Install them into the system partition using BOARD_PLAT_PRIVATE_SEPOLICY_DIR.
Bug: 139096707
Test: Verified that pp selinux errors no longer occur on an MTP.
Change-Id: I9bae2030aa225baaf8c4f819f2f532201928875c
---
 xr/products/experimental_google_xr.mk | 2 +-
 xr/sepolicy/platform_app.te | 1 +
 xr/sepolicy/untrusted_app_27.te | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 xr/sepolicy/platform_app.te
 create mode 100644 xr/sepolicy/untrusted_app_27.te
diff --git a/xr/products/experimental_google_xr.mk b/xr/products/experimental_google_xr.mk
index 2f3c1a1..ed37904 100644
--- a/xr/products/experimental_google_xr.mk
+++ b/xr/products/experimental_google_xr.mk
@@ -2,7 +2,7 @@ PRODUCT_SYSTEM_DEFAULT_PROPERTIES += \
 ro.dvr.lens_metrics=/etc/hmd_config
 # SELinux permissions
-BOARD_SEPOLICY_DIRS += device/google/vrservices/xr/sepolicy
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR := device/google/vrservices/xr/sepolicy
 # Remove non-critical and non-XR packages from PRODUCT_PACKAGES.
 #
diff --git a/xr/sepolicy/platform_app.te b/xr/sepolicy/platform_app.te
new file mode 100644
index 0000000..09214ae
--- /dev/null
+++ b/xr/sepolicy/platform_app.te
@@ -0,0 +1 @@
+allow platform_app system_prop:property_service set;
diff --git a/xr/sepolicy/untrusted_app_27.te b/xr/sepolicy/untrusted_app_27.te
new file mode 100644
index 0000000..a61c35f
--- /dev/null
+++ b/xr/sepolicy/untrusted_app_27.te
@@ -0,0 +1 @@
+allow untrusted_app_27 vr_hwc_service:service_manager find;
-- cgit v1.2.3
From 2a872fb0cb6acb8806a7eecb79bd096e0b4fe410 Mon Sep 17 00:00:00 2001
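Review bot: `BOARD_PLAT_PRIVATE_SEPOLICY_DIR := …` overwrites whatever value the variable already holds, whereas the line it replaces appended with `+=`; if any other makefile included for this product also sets it, that policy is silently dropped from the build. Per the commit message the directory now lands in the system partition, so every rule placed under `xr/sepolicy` ships as platform policy. If the sepolicy build in this tree accepts more than one directory here, `BOARD_PLAT_PRIVATE_SEPOLICY_DIR += device/google/vrservices/xr/sepolicy` keeps the additive behaviour; otherwise a comment such as `# Sole platform-private policy dir for this product; do not set it elsewhere.` would record the constraint.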
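Review bot: `allow platform_app system_prop:property_service set;` in platform_app.te lets every app in the platform_app domain set any property labelled system_prop, which is far wider than the handful of properties an XR component presumably needs. A dedicated property type for the XR keys, mapped in property_contexts, would narrow the rule to `allow platform_app XR_PROP_TYPE_PLACEHOLDER:property_service set;` (placeholder name; the page does not show which property caused the denial). The new file also carries no comment, so a line such as `# CLIENT_APP_PLACEHOLDER sets PROPERTY_PLACEHOLDER when entering VR; see b/139096707.` would let a later reviewer judge whether the grant is still needed.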
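Review bot: The `find` grant in untrusted_app_27.te applies to every third-party app that runs in that domain, not only to the client that hit the denial, and it names only the API-27 untrusted domain, which suggests it was copied from one app's denial rather than designed. The file should state which client needs `vr_hwc_service` and why the other untrusted_app domains are left out, for example `# CLIENT_PACKAGE_PLACEHOLDER looks up vr_hwc for XR compositing; this only gates lookup, the service must still check its caller.` The rules added to this file and to vr_hwc.te by the next commit in the series have the same gap.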
From: Grant Yoshida
Date: Mon, 19 Aug 2019 17:54:13 -0700
Subject: Fix some additional selinux errors. These came up on boot after fixing the previous errors.
Test: GSI XR on an MTP, booted into VR.
Change-Id: I35362e2660ec8f38799429981f15552272dcc2fe
---
 xr/sepolicy/untrusted_app_27.te | 1 +
 xr/sepolicy/vr_hwc.te | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 xr/sepolicy/vr_hwc.te
diff --git a/xr/sepolicy/untrusted_app_27.te b/xr/sepolicy/untrusted_app_27.te
index a61c35f..e9bc2b3 100644
--- a/xr/sepolicy/untrusted_app_27.te
+++ b/xr/sepolicy/untrusted_app_27.te
@@ -1 +1,2 @@
 allow untrusted_app_27 vr_hwc_service:service_manager find;
+allow untrusted_app_27 virtual_touchpad_service:service_manager find;
diff --git a/xr/sepolicy/vr_hwc.te b/xr/sepolicy/vr_hwc.te
new file mode 100644
index 0000000..295205e
--- /dev/null
+++ b/xr/sepolicy/vr_hwc.te
@@ -0,0 +1 @@
+allow vr_hwc untrusted_app_27:binder call;
-- cgit v1.2.3
From 0f30e5e15d81742ce9bac99cbad35ebf758ee1bd Mon Sep 17 00:00:00 2001
From: Grant Yoshida
Date: Mon, 19 Aug 2019 18:22:09 -0700
Subject: Move boot-to-vr.sh to device/google/vrservices.
Test: Ran script on a GSI XR MTP.
Change-Id: I332fe62d71864465ce25a7013433e404fff00123
---
 xr/products/experimental_google_xr.mk | 2 +-
 xr/scripts/boot-to-vr.sh | 74 +++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100755 xr/scripts/boot-to-vr.sh
diff --git a/xr/products/experimental_google_xr.mk b/xr/products/experimental_google_xr.mk
index 2f3c1a1..9430331 100644
--- a/xr/products/experimental_google_xr.mk
+++ b/xr/products/experimental_google_xr.mk
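Review bot: `allow untrusted_app_27 virtual_touchpad_service:service_manager find;` makes a service that, going by its name, produces touch input discoverable by every third-party app in this domain. The rule only gates the service-manager lookup, so the change should confirm that the service itself rejects unauthorized callers and say so in a comment, or move the XR client into a dedicated domain instead of widening untrusted_app_27. The commit message says these denials came up on boot; naming the denied source process in the comment, e.g. `# Needed by CLIENT_PACKAGE_PLACEHOLDER at VR start; service enforces its own caller check.`, would show which process actually needs the access.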
@@ -34,9 +34,9 @@ PRODUCT_PACKAGES += NonXrProductPackagesRemover
 PRODUCT_COPY_FILES += \
 device/google/vrservices/xr/init/init.xr.rc:$(TARGET_COPY_OUT_SYSTEM)/etc/init/init.xr.rc \
+ device/google/vrservices/xr/scripts/boot-to-vr.sh:$(TARGET_COPY_OUT_SYSTEM)/bin/boot-to-vr.sh \
 frameworks/native/data/etc/android.hardware.vr.high_performance.xml:$(TARGET_COPY_OUT_SYSTEM)/etc/permissions/android.hardware.vr.high_performance.xml \
 vendor/unbundled_google/packages/PrebuiltGoogleVr/configs/daydream_viewer_config:$(TARGET_COPY_OUT_SYSTEM)/etc/hmd_config \
- vendor/unbundled_google/packages/PrebuiltGoogleVr/scripts/boot-to-vr.sh:$(TARGET_COPY_OUT_SYSTEM)/bin/boot-to-vr.sh \
 # XR/VR prebuilt packages
 PRODUCT_PACKAGES += \
diff --git a/xr/scripts/boot-to-vr.sh b/xr/scripts/boot-to-vr.sh
new file mode 100755
index 0000000..853efb9
--- /dev/null
+++ b/xr/scripts/boot-to-vr.sh
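Review bot: The added `PRODUCT_COPY_FILES` entry installs boot-to-vr.sh into `$(TARGET_COPY_OUT_SYSTEM)/bin` on every build variant, yet the script added in this commit requires root and tells the user to run `adb disable-verity`, so it can only do its job on debuggable builds. Moving this one entry into its own `PRODUCT_COPY_FILES +=` statement guarded by `ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))` … `endif` would keep a tool that rewrites a vendor init file out of user images. A short comment above the entry saying it is a developer-only helper would also explain why it sits in the system image at all.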
@@ -0,0 +1,74 @@
+#
+# This script finds the init.rc file for a certain Pixel XR device and updates
+# the value of ro.boot.vr being set during the init process.
+#
+PROP_RO_HARDWARE="$(getprop ro.hardware)"
+PROP_RO_BOOT_HARDWARE_PLATFORM="$(getprop ro.boot.hardware.platform)"
+PROP_RO_PRODUCT_NAME="$(getprop ro.product.name)"
+
+function print_usage {
+ echo "Update $(get_init_rc_file)"
+ echo "Usage:"
+ echo " boot-to-vr.sh (true|false))"
+ echo " Enable or disable whether the system should boot into VR."
+ exit 1
+}
+
+function get_hardware_name() {
+ case $PROP_RO_HARDWARE in
+ walleye) echo walleye ;;
+ taimen) echo taimen ;;
+ blueline) echo $PROP_RO_BOOT_HARDWARE_PLATFORM ;;
+ crosshatch) echo $PROP_RO_BOOT_HARDWARE_PLATFORM ;;
+ esac
+}
+
+function get_init_rc_file() {
+ echo "/vendor/etc/init/hw/init.$(get_hardware_name).rc"
+}
+
+function print_init_rc() {
+ cat $(get_init_rc_file) | grep -A10 -B10 ro.boot.vr
+}
+
+function fail_to_write_file() {
+ echo "Cannot modify $(get_init_rc_file). The following commands may help:
+ adb disable-verity
+ adb reboot
+ adb remount"
+ exit 1
+}
+
+function enable_boot_to_vr() {
+ sed -i "s/setprop ro.boot.vr 0/setprop ro.boot.vr 1/" $(get_init_rc_file)
+ rc=$?
+
+ if [[ $rc != 0 ]]; then
+ fail_to_write_file
+ else
+ print_init_rc
+ fi
+}
+
+function disable_boot_to_vr() {
+ sed -i "s/setprop ro.boot.vr 1/setprop ro.boot.vr 0/" $(get_init_rc_file)
+ rc=$?
+
+ if [[ $rc != 0 ]]; then
+ fail_to_write_file
+ else
+ print_init_rc
+ fi
+}
+
+WHOAMI=$(whoami)
+if ! [ "$WHOAMI" == "root" ]; then
+ echo "*** Root access required. Run 'adb root' first."
+ exit 1
+fi
+
+case "$1" in
+ true) enable_boot_to_vr ;;
+ false) disable_boot_to_vr ;;
+ *) print_usage ;;
+esac
-- cgit v1.2.3
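Review bot: get_hardware_name has no default branch, so on any device other than the four listed it prints nothing and get_init_rc_file yields `/vendor/etc/init/hw/init..rc`; the sed call then fails and fail_to_write_file advises disabling verity, which is not the actual cause. Checking the resolved path once, before the final dispatch, makes the failure accurate and avoids steering users toward weakening verified boot for nothing. Separately, `sed -i` exits 0 when the pattern did not match, so `rc` does not tell whether ro.boot.vr was actually changed, the `$(get_init_rc_file)` expansions are unquoted, and the file has no `#!/system/bin/sh` line although it is installed as an executable. PROP_RO_PRODUCT_NAME is assigned but never read in this hunk.

```shell
# Resolve the target once and fail before any edit on an unsupported device.
INIT_RC_FILE="$(get_init_rc_file)"
if [ -z "$(get_hardware_name)" ] || [ ! -f "$INIT_RC_FILE" ]; then
  echo "Unsupported device (ro.hardware=$PROP_RO_HARDWARE): $INIT_RC_FILE not found." >&2
  exit 1
fi

case "$1" in
# … unchanged: true/false/usage dispatch …
```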