Install and use vendor shell for shell scripts

Bug: 36463595
Test: Boot sailfish and make sure all init services (that are shell
      scripts) exit with status 0

Change-Id: I2f8b57926bac8d0a7b2b77dad898e11330bc0996
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/device-common.mk b/device-common.mk
index 8166a6e..7489651 100644
--- a/device-common.mk
+++ b/device-common.mk
@@ -163,6 +163,8 @@
     android.hardware.drm@1.0-impl
 
 PRODUCT_PACKAGES += \
+    mkshrc_vendor \
+    sh_vendor \
     toybox_vendor
 
 # set audio fluence, ns, aec property
diff --git a/init.foreground.sh b/init.foreground.sh
index 866c9ed..d38ba94 100644
--- a/init.foreground.sh
+++ b/init.foreground.sh
@@ -1,4 +1,4 @@
-#!/system/bin/sh
+#!/vendor/bin/sh
 
 # move spi6 thread and nanohub thread into foreground cpuset to prevent them
 # from stealing time from top app UIThread or RenderThread
diff --git a/init.mid.sh b/init.mid.sh
index 69a9c1f..7703f87 100755
--- a/init.mid.sh
+++ b/init.mid.sh
@@ -1,4 +1,4 @@
-#!/system/bin/sh
+#!/vendor/bin/sh
 
 # Convert ro.boot.mid to ro.boot.hardware.sku format
 
diff --git a/init.power.sh b/init.power.sh
index bb635aa..eeabb0a 100755
--- a/init.power.sh
+++ b/init.power.sh
@@ -1,4 +1,4 @@
-#!/system/bin/sh
+#!/vendor/bin/sh
 
 ################################################################################
 # helper functions to allow Android init like script
diff --git a/init.qcom.devstart.sh b/init.qcom.devstart.sh
index bdab56b..5503d83 100755
--- a/init.qcom.devstart.sh
+++ b/init.qcom.devstart.sh
@@ -1,4 +1,4 @@
-#!/system/bin/sh
+#!/vendor/bin/sh
 
 echo 1 > /sys/kernel/boot_adsp/boot
 echo 1 > /sys/kernel/boot_slpi/boot
diff --git a/init.radio.sh b/init.radio.sh
index 1e0a6c8..5db768a 100755
--- a/init.radio.sh
+++ b/init.radio.sh
@@ -1,4 +1,4 @@
-#!/system/bin/sh
+#!/vendor/bin/sh
 
 #
 # Copy qcril.db if needed for RIL
diff --git a/sepolicy/init-devstart-sh.te b/sepolicy/init-devstart-sh.te
index 31626d4..16805b6 100644
--- a/sepolicy/init-devstart-sh.te
+++ b/sepolicy/init-devstart-sh.te
@@ -3,11 +3,10 @@
 
 init_daemon_domain(init-qcom-devstart-sh)
 
-allow init-qcom-devstart-sh shell_exec:file rx_file_perms;
-
+# execute vendor_shell
+allow init-qcom-devstart-sh vendor_shell_exec:file rx_file_perms;
 # execute toybox/toolbox
 allow init-qcom-devstart-sh vendor_toolbox_exec:file rx_file_perms;
-allow init-qcom-devstart-sh toolbox_exec:file rx_file_perms;
 
 # Set the sys.qcom.devup property
 set_prop(init-qcom-devstart-sh, system_prop)
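Review bot: Dropping the `toolbox_exec` rule here (and likewise in init_foreground.te, init_mid.te, init_power.te and init_radio.te) means any external command these scripts still resolve to a /system/bin tool will now be denied. The test in the commit message, exit status 0, may not reveal this, because a shell script without `set -e` reports only the status of its last command. The script bodies are mostly outside the hunks, so it is not visible whether every external command is invoked through a /vendor/bin path. It would be worth confirming on the test boot that the log has no `avc: denied` entries with these domains as scontext and `toolbox_exec` or `shell_exec` as tcontext.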
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 39d54dd..f4b0582 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -12,4 +12,4 @@
 allow init userdata_block_device:blk_file { write };
 
 allow init debugfs_sps:dir search;
-allow init debugfs_sps:file w_file_perms;
\ No newline at end of file
+allow init debugfs_sps:file w_file_perms;
diff --git a/sepolicy/init_foreground.te b/sepolicy/init_foreground.te
index e73e066..a58e96c 100644
--- a/sepolicy/init_foreground.te
+++ b/sepolicy/init_foreground.te
@@ -12,9 +12,8 @@
 dontaudit init_foreground proc_timer:file getattr;
 dontaudit init_foreground proc_zoneinfo:file getattr;
 
-allow init_foreground shell_exec:file { getattr read };
+allow init_foreground vendor_shell_exec:file rx_file_perms;
 allow init_foreground vendor_toolbox_exec:file rx_file_perms;
-allow init_foreground toolbox_exec:file rx_file_perms;
 
 allow init_foreground domain:dir { getattr search };
 allow init_foreground domain:file { read open };
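Review bot: The new `vendor_shell_exec` rule grants `rx_file_perms`, while the `shell_exec` rule it replaces granted only `{ getattr read }`. This is the one domain in the change where the switch to the vendor shell also widens access, adding execute and open among others. The script body is not visible here, but if init.foreground.sh does not start a further shell, the narrower form may still be enough: `allow init_foreground vendor_shell_exec:file { getattr read };`. If execute did prove necessary, a one-line comment above the rule saying why would keep the widening from looking accidental.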
diff --git a/sepolicy/init_mid.te b/sepolicy/init_mid.te
index 10abb0d..8c05461 100644
--- a/sepolicy/init_mid.te
+++ b/sepolicy/init_mid.te
@@ -3,9 +3,8 @@
 
 init_daemon_domain(init_mid)
 
+allow init_mid vendor_shell_exec:file rx_file_perms;
 allow init_mid vendor_toolbox_exec:file rx_file_perms;
-allow init_mid toolbox_exec:file rx_file_perms;
-allow init_mid shell_exec:file rx_file_perms;
 
 set_prop(init_mid, hw_sku_prop);
 get_prop(init_mid, mid_prop);
diff --git a/sepolicy/init_power.te b/sepolicy/init_power.te
index 2de7191..03b14a4 100644
--- a/sepolicy/init_power.te
+++ b/sepolicy/init_power.te
@@ -4,9 +4,8 @@
 init_daemon_domain(init_power)
 
 allow init_power rootfs:file r_file_perms;
-allow init_power shell_exec:file rx_file_perms;
+allow init_power vendor_shell_exec:file rx_file_perms;
 allow init_power vendor_toolbox_exec:file rx_file_perms;
-allow init_power toolbox_exec:file rx_file_perms;
 
 # files are created in /sys as this script executes. Grant
 # access to all of /sys to make this robust.
diff --git a/sepolicy/init_radio.te b/sepolicy/init_radio.te
index d9342db..4371c67 100644
--- a/sepolicy/init_radio.te
+++ b/sepolicy/init_radio.te
@@ -5,9 +5,8 @@
 init_daemon_domain(init_radio)
 
 # copy files from /firmware to /data/misc/radio
+allow init_radio vendor_shell_exec:file rx_file_perms;
 allow init_radio vendor_toolbox_exec:file rx_file_perms;
-allow init_radio toolbox_exec:file rx_file_perms;
-allow init_radio shell_exec:file rx_file_perms;
 allow init_radio firmware_file:dir r_dir_perms;
 allow init_radio firmware_file:file r_file_perms;
 allow init_radio self:capability chown;