authorDavide Garberi <dade.garberi@gmail.com>2019-05-09 18:43:52 +0200
committerDavide Garberi <dade.garberi@gmail.com>2019-05-09 19:00:04 +0200
commit1ec6d6b8ee8d6a3ab7a785f7b9023f0e1c1746f3 (patch)
treecd2d4a4c8a6a8b630d229c07a62f5520db2d4ea6 /sepolicy
parent09401b595c10cc7eb43d236754a88721b82e25ea (diff)
msm8996-common: Conditionally remove the OEM unlocking option
* It would get disabled anyway when the bootloader is unlocked, but this way SafetyNet passes even when unlocked.
Change-Id: I2dfe641bf60e0409f290b7b31492df00568c9916
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/property.te1
-rw-r--r--sepolicy/property_contexts3
-rw-r--r--sepolicy/qti_init_shell.te4
-rw-r--r--sepolicy/system_app.te1
4 files changed, 9 insertions, 0 deletions
diff --git a/sepolicy/property.te b/sepolicy/property.te
index 550baf9..87aea86 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -1 +1,2 @@
type wcg_prop, property_type;
+type oem_unlock_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 18b724a..697ecaf 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -4,6 +4,9 @@ persist.camera. u:object_r:camera_prop:s0
# BootParsed
sys.post_boot.parsed u:object_r:vendor_mpctl_prop:s0
+# OEM unlocking
+ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0
+
# Qseecomd
sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
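Review bot: The new `ro.oem_unlock_supported` entry is a prefix match, so any property whose name merely starts with that string is also labelled `oem_unlock_prop` and becomes writable by whichever domain holds `set_prop` on the type. If the property_contexts format used in this tree supports it, pin the entry with `ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int`. It is also worth confirming that this device-level label does not collide with one the platform policy may already assign to the same property, since an overriding entry can change who is able to read it.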
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index cc3ba68..c5b8387 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -5,4 +5,8 @@ allow qti_init_shell file_contexts_file:file { getattr open read };
allow qti_init_shell mnt_vendor_file:dir rw_dir_perms;
allow qti_init_shell mnt_vendor_file:file create_file_perms;
+# Allow qti_init_shell to read cmdline
+allow qti_init_shell proc_cmdline:file { getattr open read };
+
get_prop(qti_init_shell, wcg_prop)
+set_prop(qti_init_shell, oem_unlock_prop)
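Review bot: The `set_prop(qti_init_shell, oem_unlock_prop)` rule on the last line has no comment, and the comment on the `proc_cmdline` rule says what is allowed but not why. Together the two rules let a shell-script domain read bootloader-supplied /proc/cmdline and write a `ro.` property; because `ro.` properties are write-once, the first writer fixes the value for the whole boot, so the intent belongs next to the rules. Suggested comments: `# Read-only access to /proc/cmdline, used to decide the value of ro.oem_unlock_supported` and `# qti_init_shell is the only writer of ro.oem_unlock_supported; do not grant set_prop on this type elsewhere`. The script that performs the write is not part of this diff, so which cmdline token it parses cannot be checked here.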
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 5fe4bd9..1158907 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -3,3 +3,4 @@ allow system_app sysfs_fingerprint:dir search;
allow system_app shell_prop:property_service set;
binder_call(system_app, wificond);
+get_prop(system_app, oem_unlock_prop);
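Review bot: `get_prop(system_app, oem_unlock_prop)` grants read access to `system_app` only, so any other domain that reads `ro.oem_unlock_supported` loses access once the property moves to the new type, unless the base policy already lets that domain read every property type. Platform services that consult this property (presumably in `system_server`) would then see it as unset. After boot, check the audit log for `avc: denied { read }` against `oem_unlock_prop` and add a matching `get_prop` only where the reader is legitimate. A comment such as `# Settings reads ro.oem_unlock_supported to decide whether to show the OEM unlocking toggle` would also record why the rule exists.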