From a0aa4c41f921134482737cf32437854816aba057 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson
Date: Wed, 23 Feb 2022 17:37:47 -0500
Subject: [PATCH 2/2] init: Override select system properties

* ro.apex.updatable is overridden based on the kernel version and vendor.
* adb secure props and logd can be overridden from system.

Change-Id: I94efa3f108ae97711026f099f367b6bea325629f
---
 init/property_service.cpp | 42 +++++++++++++++++++++++++++++++++++----
 1 file changed, 38 insertions(+), 4 deletions(-)

diff --git a/init/property_service.cpp b/init/property_service.cpp
index 013924778..90c6fa538 100644
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
@@ -64,6 +64,8 @@
 #include
 #include
 #include
+#include
+
 #include "debug_ramdisk.h"
 #include "epoll.h"
 #include "init.h"
@@ -704,6 +706,26 @@ uint32_t InitPropertySet(const std::string& name, const std::string& value) {
 static Result load_properties_from_file(const char*, const char*, std::map*);
+static bool kernel_supports_capex() {
+ // Put a threshold at >= 5.0
+ struct utsname buf;
+ uname(&buf);
+ const char *where = buf.release;
+ int a = atoi(where);
+ if (a >= 5) return true;
+
+ // If there are vendor apexes, we most likely actually need them
+ auto dir = std::unique_ptr{opendir("/vendor/apex"), closedir};
+ if (!dir) {
+ return false;
+ }
+ for (struct dirent* ent = readdir(dir.get()); ent; ent = readdir(dir.get())) {
+ if(strstr(ent->d_name, "apex")) return true;
+ }
+
+ return false;
+}
+
 /*
 * Filter is used to decide which properties to load: NULL loads all keys,
 * "ro.foo.*" is a prefix match, and "ro.foo.bar" is an exact match.
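Review bot: `uname(&buf)` in `kernel_supports_capex()` is not checked, so if it fails `atoi` reads an uninitialised `buf.release`; zero-initialise the struct and test the result, `struct utsname buf{}; if (uname(&buf) == 0 && atoi(buf.release) >= 5) return true;`. The directory fallback uses `strstr(ent->d_name, "apex")`, which accepts any entry whose name contains `apex` anywhere, so a suffix check on the expected package extensions would be stricter. The function, including the directory scan, is re-run for every `ro.apex.updatable` line the loader meets in the later hunk; caching the result in a function-local `static const bool` would keep the answer stable across property files. Because `kernel_supports_capex` describes only the kernel threshold, a one-line comment above it should say that it also returns true when `/vendor/apex` holds APEX packages.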
@@ -796,13 +818,25 @@ static void LoadProperties(char* data, const char* filter, const char* filename,
 std::string error;
 if (CheckPermissions(key, value, context, cr, &error) == PROP_SUCCESS) {
 auto it = properties->find(key);
+ const char *new_value = value;
+
+ if (strcmp("ro.apex.updatable", key) == 0) {
+ new_value = kernel_supports_capex() ? "true" : "false";
+ }
 if (it == properties->end()) {
- (*properties)[key] = value;
- } else if (it->second != value) {
+ (*properties)[key] = new_value;
+ } else if (it->second != new_value) {
 LOG(WARNING) << "Overriding previous property '" << key << "':'" << it->second << "' with new value '" << value << "'";
- it->second = value;
- }
+ if (strcmp("ro.apex.updatable", key) == 0) {
+ LOG(WARNING) << "... Ignored apex by kernel version";
+ } else if (strstr(key, "adb") || strstr(key, "secure") || strstr(key, "ro.logd.kernel")
+ || strcmp("ro.control_privapp_permissions", key) == 0) {
+ LOG(WARNING) << "... Ignored";
+ } else {
+ it->second = new_value;
+ }
+ }
 } else {
 LOG(ERROR) << "Do not have permissions to set '" << key << "' to '" << value << "' in property file '" << filename << "': " << error;
--
2.43.1
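Review bot: The `strstr(key, "adb") || strstr(key, "secure")` test in the new `else if` is a substring match, so every property whose name merely contains `adb` or `secure` becomes first-writer-wins, not only the adb/secure properties the commit message names. Since these keys gate debugging and authentication policy, the pinned set should be explicit, e.g. exact `strcmp` checks against the intended names (presumably `ro.adb.secure` and `ro.secure`; please confirm). The "Overriding previous property" warning is still emitted before the "... Ignored" line and prints `value` rather than `new_value`, so the log reports an override that did not happen; moving it into the final `else` and logging `new_value` would keep the audit trail accurate. The inner `ro.apex.updatable` branch looks unreachable as written, because the stored value and `new_value` both come from `kernel_supports_capex()` and should compare equal. LoadProperties begins and continues outside this hunk.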