From 3bb240bd4ce66f6e85dd8a4b5218ac565841a02c Mon Sep 17 00:00:00 2001
From: Alistair Delva <adelva@google.com>
Date: Tue, 9 Mar 2021 11:01:10 -0800
Subject: [PATCH 1/2] Allow android_dt_dir to be set by bootconfig

The androidboot.android_dt_dir property is special, because it is loaded
to find out where to get the other DT properties from, and those DT
properties are supposed to override the cmdline/bootconfig ones. So, it
need special casing, and that special case lacked bootconfig support.

Bug: 173815685
Test: launch_cvd -extra_kernel_cmdline androidboot.android_dt_dir=/tmp
[..]
init: Using Android DT directory /tmp
[..]
Change-Id: Ie0958dd0a96394d65f6568653b754ea6f885212e
---
 init/util.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/init/util.cpp b/init/util.cpp
index eab99d4e3..a40d10416 100644
--- a/init/util.cpp
+++ b/init/util.cpp
@@ -376,6 +376,15 @@ static std::string init_android_dt_dir() {
             android_dt_dir = value;
         }
     });
+    // ..Or bootconfig
+    if (android_dt_dir == kDefaultAndroidDtDir) {
+        ImportBootconfig([&](const std::string& key, const std::string& value) {
+            if (key == "androidboot.android_dt_dir") {
+                android_dt_dir = value;
+            }
+        });
+    }
+
     LOG(INFO) << "Using Android DT directory " << android_dt_dir;
     return android_dt_dir;
 }

From 63594a4dbc56bd49e55cf7a1cad719cb11242691 Mon Sep 17 00:00:00 2001
From: Alistair Delva <adelva@google.com>
Date: Tue, 9 Mar 2021 11:04:23 -0800
Subject: [PATCH 2/2] Allow selinux to be set by bootconfig

The androidboot.selinux property is loaded in a special way, because it
happens in the "selinux_setup" stage, and not the true second stage.
Allow it to be passed through bootconfig instead of only via the kernel
cmdline.

Bug: 173815685
Test: launch_cvd -extra_kernel_cmdline androidboot.selinux=permissive
Test: launch_cvd -guest_enforce_security=false [bootconfig method]
[..]
init: Permissive SELinux boot, forcing sys.init.perf_lsm_hooks to 1.
[..]
Change-Id: I92003c7a2dac5d6e7d0e0f4ee2757f86cc0087c7
---
 init/selinux.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/init/selinux.cpp b/init/selinux.cpp
index 033693655..47686b833 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -92,7 +92,7 @@ namespace {
 
 enum EnforcingStatus { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
 
-EnforcingStatus StatusFromCmdline() {
+EnforcingStatus StatusFromProperty() {
     EnforcingStatus status = SELINUX_ENFORCING;
 
     ImportKernelCmdline([&](const std::string& key, const std::string& value) {
@@ -101,12 +101,20 @@ EnforcingStatus StatusFromCmdline() {
         }
     });
 
+    if (status == SELINUX_ENFORCING) {
+        ImportBootconfig([&](const std::string& key, const std::string& value) {
+            if (key == "androidboot.selinux" && value == "permissive") {
+                status = SELINUX_PERMISSIVE;
+            }
+        });
+    }
+
     return status;
 }
 
 bool IsEnforcing() {
     if (ALLOW_PERMISSIVE_SELINUX) {
-        return StatusFromCmdline() == SELINUX_ENFORCING;
+        return StatusFromProperty() == SELINUX_ENFORCING;
     }
     return true;
 }