From c621f4bcdcad50af6d9d8f95dd6ecb99deeda799 Mon Sep 17 00:00:00 2001
From: Andy CrossGate Yan <GeForce8800Ultra@gmail.com>
Date: Sat, 2 Nov 2019 01:02:42 +0000
Subject: [PATCH] Sync up to v202

---
 ...-on-Moto-devices-using-unknown-class.patch | 84 +++++++++++++++++++
 ...e-devices-by-checking-for-null-clien.patch | 35 ++++++++
 2 files changed, 119 insertions(+)
 create mode 100644 patches/platform_external_selinux/0007-Fix-boot-on-Moto-devices-using-unknown-class.patch
 create mode 100644 patches/platform_frameworks_base/0040-Fix-crash-on-some-devices-by-checking-for-null-clien.patch

diff --git a/patches/platform_external_selinux/0007-Fix-boot-on-Moto-devices-using-unknown-class.patch b/patches/platform_external_selinux/0007-Fix-boot-on-Moto-devices-using-unknown-class.patch
new file mode 100644
index 0000000..d2ce917
--- /dev/null
+++ b/patches/platform_external_selinux/0007-Fix-boot-on-Moto-devices-using-unknown-class.patch
@@ -0,0 +1,84 @@
+From 477ef41ac3a639f4c34c8ecf323d25ed2d3e8e8e Mon Sep 17 00:00:00 2001
+From: Pierre-Hugues Husson <phh@phh.me>
+Date: Fri, 25 Oct 2019 13:29:20 +0200
+Subject: [PATCH 7/7] Fix boot on Moto devices using unknown class
+
+vendor sepolicy never contains new class or classorder, and are not
+allowed to.
+Though this is not tested, and it turns out Moto did it anyway.
+This raises an issue, because class need to be ordered, and thus the cil
+contains the ordering. This ordering needs to be merged.
+Android 10 added new classes, so the ordering can no longer be merged,
+and secilc fails on those devices, preventing boot.
+
+Considering vendor are not supposed to declare new class (and thus
+declare classorder), this fix ignores class-es/classorder in vendor
+SELinux policy.
+
+Since the vendor selinux policy has allows rules based on this context,
+those allows will fail since the class doesn't exist.
+Workaround this by ignoring rules with the problematic class
+( keystore_moto_key )
+
+Lucky us, this new class `keystore_moto_key` is used by Moto for
+framework to framework (more accurately priv app to keymaster), since
+our own framework doesn't use this class, simply ignoring it fixes the
+issue.
+
+Change-Id: I66339857634ebfdba359f12a99dfd0bff709d80b
+---
+ libsepol/cil/src/cil_build_ast.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index b90b0f60..6f391940 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -386,6 +386,14 @@ int cil_gen_class(struct cil_db *db, struct cil_tree_node *parse_current, struct
+ 	struct cil_tree_node *perms = NULL;
+ 	int rc = SEPOL_ERR;
+ 
++    {
++        const char* path = cil_tree_get_cil_path(parse_current);
++        if(strstr(path, "vendor")) {
++            cil_clear_node(ast_node);
++            return SEPOL_OK;
++        }
++    }
++
+ 	rc = __cil_verify_syntax(parse_current, syntax, syntax_len);
+ 	if (rc != SEPOL_OK) {
+ 		goto exit;
+@@ -452,6 +460,14 @@ int cil_gen_classorder(struct cil_db *db, struct cil_tree_node *parse_current, s
+ 	struct cil_list_item *head = NULL;
+ 	int rc = SEPOL_ERR;
+ 
++    {
++        const char* path = cil_tree_get_cil_path(parse_current);
++        if(strstr(path, "vendor")) {
++            cil_clear_node(ast_node);
++            return SEPOL_OK;
++        }
++    }
++
+ 	if (db == NULL || parse_current == NULL || ast_node == NULL) {
+ 		goto exit;
+ 	}
+@@ -2050,6 +2066,14 @@ int cil_gen_avrule(struct cil_tree_node *parse_current, struct cil_tree_node *as
+ 	rule->src_str = parse_current->next->data;
+ 	rule->tgt_str = parse_current->next->next->data;
+ 
++    {
++        const char *classname = parse_current->next->next->next->cl_head->data;
++        if(strcmp(classname, "keystore_moto_key") == 0) {
++            cil_clear_node(ast_node);
++            return SEPOL_OK;
++        }
++    }
++
+ 	rc = cil_fill_classperms_list(parse_current->next->next->next, &rule->perms.classperms);
+ 	if (rc != SEPOL_OK) {
+ 		goto exit;
+-- 
+2.17.1
+
diff --git a/patches/platform_frameworks_base/0040-Fix-crash-on-some-devices-by-checking-for-null-clien.patch b/patches/platform_frameworks_base/0040-Fix-crash-on-some-devices-by-checking-for-null-clien.patch
new file mode 100644
index 0000000..85029e3
--- /dev/null
+++ b/patches/platform_frameworks_base/0040-Fix-crash-on-some-devices-by-checking-for-null-clien.patch
@@ -0,0 +1,35 @@
+From 1573fc903e5c874b7a4fa78284801aa67a9f1ff7 Mon Sep 17 00:00:00 2001
+From: Pierre-Hugues Husson <phh@phh.me>
+Date: Sun, 27 Oct 2019 16:27:55 +0100
+Subject: [PATCH 40/40] Fix crash on some devices by checking for null client
+
+Some device get the following system_server crash:
+ *** FATAL EXCEPTION IN SYSTEM PROCESS: main
+ java.lang.NullPointerException: Attempt to invoke virtual method 'boolean com.android.server.biometrics.ClientMonitor.onEnumerationResult(android.hardware.biometrics.BiometricAuthenticator$Identifier, int)' on a null object reference
+        at com.android.server.biometrics.BiometricServiceBase.handleEnumerate(BiometricServiceBase.java:777)
+        at com.android.server.biometrics.fingerprint.FingerprintService.access$6901(FingerprintService.java:93)
+        at com.android.server.biometrics.fingerprint.FingerprintService$1.lambda$onEnumerate$5$FingerprintService$1(FingerprintService.java:686)
+        at com.android.server.biometrics.fingerprint.-$$Lambda$FingerprintService$1$3I9ge5BoesXZUovbayCOCR754fc.run(Unknown Source:10)
+
+Fix it by checking for `null` client before acting on it
+
+Change-Id: If39d8c1b26c8c0a44b3d9292b646cb71ff258a95
+---
+ .../java/com/android/server/biometrics/BiometricServiceBase.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/services/core/java/com/android/server/biometrics/BiometricServiceBase.java b/services/core/java/com/android/server/biometrics/BiometricServiceBase.java
+index d3c62bed7b5..b6710992a6e 100644
+--- a/services/core/java/com/android/server/biometrics/BiometricServiceBase.java
++++ b/services/core/java/com/android/server/biometrics/BiometricServiceBase.java
+@@ -774,6 +774,7 @@ public abstract class BiometricServiceBase extends SystemService
+     protected void handleEnumerate(BiometricAuthenticator.Identifier identifier, int remaining) {
+         ClientMonitor client = getCurrentClient();
+ 
++        if(client == null) return;
+         client.onEnumerationResult(identifier, remaining);
+ 
+         // All templates in the HAL for this user were enumerated
+-- 
+2.17.1
+