From 69797e03ca6b3d53e64441e450292afc12a4775a Mon Sep 17 00:00:00 2001 
From: Kiwon Park Date: Thu, 22 Aug 2024 09:33:40 -0700 Subject: [PATCH] Add eSIM directory and disable bootstrap when bootloader is unlocked in user build Allow vendor_init to set setupwizard prop Allow priv_app and gmscore_app to get setupwizard prop <11>[ 7.276992][ T329] init: Unable to set property 'setupwizard.feature.provisioning_profile_mode' from uid:0 gid:0 pid:330: SELinux permission check failed 08-28 15:35:42.536 10156 5884 5884 W oid.setupwizard: type=1400 audit(0.0:63): avc: denied { read } for name="u:object_r:setupwizard_feature_prop:s0" dev="tmpfs" ino=335 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:setupwizard_feature_prop:s0 tclass=file permissive=0 app=com.google.android.setupwizard 08-28 15:11:52.015 10185 6915 6915 W highpool[8]: type=1400 audit(0.0:17): avc: denied { read } for name="u:object_r:setupwizard_feature_prop:s0" dev="tmpfs" ino=339 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:setupwizard_feature_prop:s0 tclass=file permissive=0 app=com.google.android.gms Bug: 349592724 Test: m Change-Id: I8330c9f6f9efd215ec4ea1f7d3d6ff5596773e21 Flag: NONE disabling a feature just in factory --- esim/Android.bp | 10 ++++++++++ esim/OWNERS | 2 ++ esim/esim.mk | 5 +++++ esim/init.esim-gs.rc | 7 +++++++ esim/sepolicy/system_ext/private/gmscore_app.te | 2 ++ esim/sepolicy/system_ext/private/priv_app.te | 2 ++ esim/sepolicy/system_ext/private/property_contexts | 2 ++ esim/sepolicy/system_ext/public/property.te | 2 ++ esim/sepolicy/vendor/vendor_init.te | 2 ++ 9 files changed, 34 insertions(+) create mode 100644 esim/Android.bp create mode 100644 esim/OWNERS create mode 100644 esim/esim.mk create mode 100644 esim/init.esim-gs.rc create mode 100644 esim/sepolicy/system_ext/private/gmscore_app.te create mode 100644 esim/sepolicy/system_ext/private/priv_app.te create mode 100644 esim/sepolicy/system_ext/private/property_contexts create mode 100644 esim/sepolicy/system_ext/public/property.te create mode 100644 
esim/sepolicy/vendor/vendor_init.te
diff --git a/esim/Android.bp b/esim/Android.bp
new file mode 100644
index 0000000..a2427f1
--- /dev/null
+++ b/esim/Android.bp
@@ -0,0 +1,10 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+prebuilt_etc {
+ name: "init.esim-gs.rc",
+ src: "init.esim-gs.rc",
+ vendor: true,
+ sub_dir: "init",
+}
diff --git a/esim/OWNERS b/esim/OWNERS
new file mode 100644
index 0000000..157ecd6
--- /dev/null
+++ b/esim/OWNERS
@@ -0,0 +1,2 @@
+kiwonp@google.com
+mewan@google.com
\ No newline at end of file
diff --git a/esim/esim.mk b/esim/esim.mk
new file mode 100644
index 0000000..47e21b7
--- /dev/null
+++ b/esim/esim.mk
@@ -0,0 +1,5 @@
+PRODUCT_PACKAGES += init.esim-gs.rc
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/vendor
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/system_ext/private
diff --git a/esim/init.esim-gs.rc b/esim/init.esim-gs.rc
new file mode 100644
index 0000000..291f9ee
--- /dev/null
+++ b/esim/init.esim-gs.rc
@@ -0,0 +1,7 @@
+# Disable bootstrap when bootloader is unlocked in user build
+on property:ro.build.type=user && property:ro.boot.flash.locked=0
+ setprop setupwizard.feature.provisioning_profile_mode false
+
+# Disable bootstrap for DVT devices shipping to non-US carriers
+on property:ro.boot.warranty.sku=BOF
+ setprop setupwizard.feature.provisioning_profile_mode false
diff --git a/esim/sepolicy/system_ext/private/gmscore_app.te b/esim/sepolicy/system_ext/private/gmscore_app.te
new file mode 100644
index 0000000..90bc371
--- /dev/null
+++ b/esim/sepolicy/system_ext/private/gmscore_app.te
@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(priv_app, setupwizard_feature_prop)
diff --git a/esim/sepolicy/system_ext/private/priv_app.te b/esim/sepolicy/system_ext/private/priv_app.te
new file mode 100644
index 0000000..90bc371
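Review bot: Both triggers in init.esim-gs.rc only ever write `false`, and nothing in the file says what `setupwizard.feature.provisioning_profile_mode` gates or whether "unset" is the intended enabled state, so a later maintainer cannot tell if adding a `true` path would be a bug. The gate also rests on `ro.boot.flash.locked`, which init fills in from a boot parameter the bootloader supplies, so on an unlocked device the check is only as honest as that bootloader reports; this is a policy switch, not a security boundary, and the file should say so rather than imply otherwise. The `BOF` SKU string is a magic value with no source named. I would add a header comment along the lines of `# Never set to true here: SetupWizard is expected to treat an unset value as enabled (confirm), and only vendor_init may write this property (sepolicy/vendor/vendor_init.te). ro.boot.flash.locked is bootloader-reported, so this is a best-effort gate, not a security control.` plus a one-line comment saying where the BOF warranty SKU is defined.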
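Review bot: gmscore_app.te grants the read to the wrong domain: its only rule is `get_prop(priv_app, setupwizard_feature_prop)`, byte-identical to priv_app.te (both new blobs are 90bc371), so the `scontext=u:r:gmscore_app:s0` denial quoted in the commit message is not addressed and the priv_app allow is merely duplicated. The line should be `get_prop(gmscore_app, setupwizard_feature_prop)`. Since the commit lists the GMS Core denial as motivation, it is worth re-checking against that exact avc line after the fix; as written, GMS Core will still be denied in enforcing mode.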
--- /dev/null
+++ b/esim/sepolicy/system_ext/private/priv_app.te
@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(priv_app, setupwizard_feature_prop)
diff --git a/esim/sepolicy/system_ext/private/property_contexts b/esim/sepolicy/system_ext/private/property_contexts
new file mode 100644
index 0000000..464a289
--- /dev/null
+++ b/esim/sepolicy/system_ext/private/property_contexts
@@ -0,0 +1,2 @@
+# setupwizard
+setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0
diff --git a/esim/sepolicy/system_ext/public/property.te b/esim/sepolicy/system_ext/public/property.te
new file mode 100644
index 0000000..96cb3b3
--- /dev/null
+++ b/esim/sepolicy/system_ext/public/property.te
@@ -0,0 +1,2 @@
+# setupwizard
+system_public_prop(setupwizard_feature_prop)
diff --git a/esim/sepolicy/vendor/vendor_init.te b/esim/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..c9cb14e
--- /dev/null
+++ b/esim/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,2 @@
+# setupwizard
+set_prop(vendor_init, setupwizard_feature_prop)
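Review bot: The property_contexts entry leaves the value untyped; init.esim-gs.rc only ever writes `false` and the readers presumably parse it as a boolean, so declaring the type lets init reject any other value at set time, which is cheap defense in depth for a switch consumed by SetupWizard and GMS Core. I would change the line to `setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0 exact bool`. The exact (non-prefix) match is the right choice here and should be kept so the type does not silently cover future `setupwizard.feature.*` keys.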
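Review bot: The vendor_init rule is correct but does not record why vendor_init is the only writer; because `setupwizard.feature.provisioning_profile_mode` is not an `ro.` property it remains writable for the whole boot, and this allowlist is the only thing preventing another domain from flipping the bootloader-unlock gate back on. I would extend the comment to `# setupwizard: written only by vendor_init (init.esim-gs.rc); do not grant set_prop to shell/app domains, or the unlock gate becomes user-settable`. Readers are meant to be priv_app and gmscore_app via system_ext/private; keep the writer set to this single rule.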