From 1ec6d6b8ee8d6a3ab7a785f7b9023f0e1c1746f3 Mon Sep 17 00:00:00 2001
From: Davide Garberi
Date: Thu, 9 May 2019 18:43:52 +0200
Subject: msm8996-common: Conditionally remove the OEM unlocking option
* It would get disabled anyway when bootloader is unlocked, but this way makes safetynet pass even when unlocked
Change-Id: I2dfe641bf60e0409f290b7b31492df00568c9916
---
 msm8996.mk | 4 ----
 rootdir/bin/init.qcom.sh | 6 ++++++
 sepolicy/property.te | 1 +
 sepolicy/property_contexts | 3 +++
 sepolicy/qti_init_shell.te | 4 ++++
 sepolicy/system_app.te | 1 +
 6 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/msm8996.mk b/msm8996.mk
index 155e58b..dc1eb5b 100755
--- a/msm8996.mk
+++ b/msm8996.mk
@@ -284,10 +284,6 @@ PRODUCT_PACKAGES += \
 libandroid_net \
 netutils-wrapper-1.0
-# OEM Unlock reporting
-PRODUCT_DEFAULT_PROPERTY_OVERRIDES += \
- ro.oem_unlock_supported=1
-
 # OMX
 PRODUCT_PACKAGES += \
 libextmedia_jni \
diff --git a/rootdir/bin/init.qcom.sh b/rootdir/bin/init.qcom.sh
index 12615aa..93439bb 100755
--- a/rootdir/bin/init.qcom.sh
+++ b/rootdir/bin/init.qcom.sh
@@ -65,3 +65,9 @@ if [ ! -f /vendor/firmware_mnt/verinfo/ver_info.txt -o "$prev_version_info" != "
 fi
 chmod g-w /data/vendor/modem_config
 setprop ro.vendor.ril.mbn_copy_completed 1
+
+if [[ -z $(grep "androidboot.lock=unlocked" /proc/cmdline) ]]; then
+ setprop ro.oem_unlock_supported 1
+else
+ setprop ro.oem_unlock_supported 0
+fi
diff --git a/sepolicy/property.te b/sepolicy/property.te
index 550baf9..87aea86 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -1 +1,2 @@
 type wcg_prop, property_type;
+type oem_unlock_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 18b724a..697ecaf 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
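Review bot: In rootdir/bin/init.qcom.sh the `[[ -z $(grep ...) ]]` test cannot tell "no match" from "grep could not read /proc/cmdline", so a read failure (for example an SELinux denial on proc_cmdline) ends up publishing `ro.oem_unlock_supported 1`. Because this is a `ro.` property, a wrong value cannot be corrected later in the same boot. I would branch on grep's exit status and set the property only when the file was actually read; whether leaving it unset is the right fallback is the maintainer's call. The block also needs a comment saying that the value is now derived from the bootloader lock state rather than from device capability, which is what the removed makefile override expressed, so anything treating it as a capability or integrity signal sees 0 on unlocked devices. The rest of the script lies outside the hunk.
```shell
# ro.oem_unlock_supported is derived from the bootloader lock state here,
# not from device capability. grep exits 0 on a match, 1 on no match and
# >1 when /proc/cmdline could not be read; only the first two are answers.
grep -q "androidboot.lock=unlocked" /proc/cmdline
case $? in
    0) setprop ro.oem_unlock_supported 0 ;;
    1) setprop ro.oem_unlock_supported 1 ;;
    *) ;;  # read failed: leave the property unset rather than guess
esac
```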
@@ -4,6 +4,9 @@ persist.camera. u:object_r:camera_prop:s0
 # BootParsed
 sys.post_boot.parsed u:object_r:vendor_mpctl_prop:s0
+# OEM unlocking
+ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0
+
 # Qseecomd
 sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index cc3ba68..c5b8387 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -5,4 +5,8 @@ allow qti_init_shell file_contexts_file:file { getattr open read };
 allow qti_init_shell mnt_vendor_file:dir rw_dir_perms;
 allow qti_init_shell mnt_vendor_file:file create_file_perms;
+# Allow qti_init_shell to read cmdline
+allow qti_init_shell proc_cmdline:file { getattr open read };
+
 get_prop(qti_init_shell, wcg_prop)
+set_prop(qti_init_shell, oem_unlock_prop)
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 5fe4bd9..1158907 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -3,3 +3,4 @@ allow system_app sysfs_fingerprint:dir search;
 allow system_app shell_prop:property_service set;
 binder_call(system_app, wificond);
+get_prop(system_app, oem_unlock_prop);
--
cgit v1.2.3
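Review bot: Relabelling `ro.oem_unlock_supported` to the device-specific type `oem_unlock_prop` in sepolicy/property_contexts means access now depends on rules that name this type, and the commit adds only two: set for `qti_init_shell` and get for `system_app` (sepolicy/system_app.te). If any other domain reads the property it would need its own `get_prop(..., oem_unlock_prop)`; I cannot tell from these hunks whether one does, so a boot with denials logged is worth checking. The new type also lacks the `vendor_` prefix used by the neighbouring `vendor_mpctl_prop` and `vendor_tee_listener_prop` entries; `vendor_oem_unlock_prop` would keep it clear of platform type names.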
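Review bot: The `proc_cmdline` read grant in sepolicy/qti_init_shell.te is wider than the script needs, since it exists only so init.qcom.sh can look for `androidboot.lock` and /proc/cmdline carries unrelated boot parameters as well. init exports `androidboot.*` kernel parameters as `ro.boot.*` properties, so the same value should be available through `getprop ro.boot.lock`. If that property is readable from `qti_init_shell` on this tree (not visible here), the `allow qti_init_shell proc_cmdline:file { getattr open read };` rule could be dropped. If the grant stays, the comment above it should say why it is there: `# init.qcom.sh reads androidboot.lock from /proc/cmdline to derive ro.oem_unlock_supported`.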