The following SELinux denials are seen when booting into charger mode:
type=1400 audit(1746.159:22): avc: denied { dac_read_search } for
comm="init.qcom.usb.s" capability=2 scontext=u:r:vendor_qti_init_shell:s0
tcontext=u:r:vendor_qti_init_shell:s0 tclass=capability permissive=0
type=1400 audit(1746.159:23): avc: denied { dac_override } for
comm="init.qcom.usb.s" capability=1 scontext=u:r:vendor_qti_init_shell:s0
tcontext=u:r:vendor_qti_init_shell:s0 tclass=capability permissive=0
type=1400 audit(1746.267:24): avc: denied { dac_read_search } for
comm="init.qcom.usb.s" capability=2 scontext=u:r:vendor_qti_init_shell:s0
tcontext=u:r:vendor_qti_init_shell:s0 tclass=capability permissive=0
type=1400 audit(1746.267:25): avc: denied { dac_override } for
comm="init.qcom.usb.s" capability=1 scontext=u:r:vendor_qti_init_shell:s0
tcontext=u:r:vendor_qti_init_shell:s0 tclass=capability permissive=0
The DAC errors indicate that there is some kind of access, usually
by root, to a file or directory where the ownership is given to another
user/group which is not root. So since root may not have explicit
permission to access it has to override the default access control
which is flagged by SELinux.
In charger mode, like in normal boot, the init.qcom.usb.sh script
executes in the same process as init, so it is executing as root.
The script is trying to read/write to the ConfigFS string entries.
The fix for these denials is to ensure that any files/directories
being accessed by the script give root permission to access the same.
Hence remove the shell/shell ownership change when creating the USB
gadget and config subdirectories in ConfigFS.
While at it also remove mounting of ADB FFS and the ConfigFS function
instance as we are not enabling ADB in charger mode.
Change-Id: I33d6a9ce8e1bb4594a053156d46688ab11c5491d
d3edfa00f0