use max priority for snapuserd process

fs_mgr/libsnapshot/snapuserd/snapuserd.rc

@@ -4,7 +4,7 @@ service snapuserd /system/bin/snapuserd
     disabled
     user root
     group root system
-    task_profiles OtaProfiles
+    task_profiles MaxIoPriority MaxPerformance ProcessCapacityMax
     seclabel u:r:snapuserd:s0
 
 service snapuserd_proxy /system/bin/snapuserd -socket-handoff

init/first_stage_init.cpp

@@ -243,9 +243,9 @@ int FirstStageMain(int argc, char** argv) {
     CHECKCALL(mkdir("/dev/pts", 0755));
     CHECKCALL(mkdir("/dev/socket", 0755));
     CHECKCALL(mkdir("/dev/dm-user", 0755));
-    CHECKCALL(mount("devpts", "/dev/pts", "devpts", 0, NULL));
+    CHECKCALL(mount("devpts", "/dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, NULL));
 #define MAKE_STR(x) __STRING(x)
-    CHECKCALL(mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC)));
+    CHECKCALL(mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, "hidepid=2,gid=" MAKE_STR(AID_READPROC)));
 #undef MAKE_STR
     // Don't expose the raw commandline to unprivileged processes.
     CHECKCALL(chmod("/proc/cmdline", 0440));
@@ -257,7 +257,7 @@ int FirstStageMain(int argc, char** argv) {
     android::base::ReadFileToString("/proc/bootconfig", &bootconfig);
     gid_t groups[] = {AID_READPROC};
     CHECKCALL(setgroups(arraysize(groups), groups));
-    CHECKCALL(mount("sysfs", "/sys", "sysfs", 0, NULL));
+    CHECKCALL(mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL));
     CHECKCALL(mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL));
 
     CHECKCALL(mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11)));

init/property_service.cpp

@@ -1402,6 +1402,10 @@ static void HandleInitSocket() {
             // Read persistent properties after all default values have been loaded.
             auto persistent_properties = LoadPersistentProperties();
             for (const auto& persistent_property_record : persistent_properties.properties()) {
+                if (persistent_property_record.name() == "persist.adb.tls_server.enable") {
+                    continue;
+                }
+
                 InitPropertySet(persistent_property_record.name(),
                                 persistent_property_record.value());
             }

rootdir/init.rc

@@ -303,6 +303,14 @@ on init
     write /proc/sys/kernel/hung_task_timeout_secs 0
     write /proc/cpu/alignment 4
 
+    write /proc/sys/fs/protected_hardlinks 1
+    write /proc/sys/fs/protected_symlinks 1
+
+    write /proc/sys/fs/protected_fifos 2
+    write /proc/sys/fs/protected_regular 2
+
+    write /proc/sys/dev/tty/ldisc_autoload 0
+
     # scheduler tunables
     # Disable auto-scaling of scheduler tunables with hotplug. The tunables
     # will vary across devices in unpredictable ways if allowed to scale with
@@ -1132,6 +1140,8 @@ on boot
     symlink /sys/class/block/${dev.mnt.dev.data} /dev/sys/block/by-name/userdata
     symlink /sys/class/block/${dev.mnt.rootdisk.data} /dev/sys/block/by-name/rootdisk
 
+    write /proc/sys/vm/max_map_count 1048576
+
     # F2FS tuning. Set cp_interval larger than dirty_expire_centisecs, 30 secs,
     # to avoid power consumption when system becomes mostly idle. Be careful
     # to make it too large, since it may bring userdata loss, if they
@@ -1242,6 +1252,18 @@ on property:perf.drop_caches=3
 on property:net.tcp_def_init_rwnd=*
     write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd}
 
+on property:persist.security.deny_new_usb=disabled
+    write /proc/sys/kernel/deny_new_usb 0
+
+on property:persist.security.deny_new_usb=enabled
+    write /proc/sys/kernel/deny_new_usb 1
+
+on property:persist.security.deny_new_usb=dynamic
+    write /proc/sys/kernel/deny_new_usb 1
+
+on property:security.deny_new_usb=*
+    write /proc/sys/kernel/deny_new_usb ${security.deny_new_usb}
+
 # perf_event_open syscall security:
 # Newer kernels have the ability to control the use of the syscall via SELinux
 # hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the

rootdir/init.zygote32.rc

@@ -3,6 +3,7 @@ service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-sys
     priority -20
     user root
     group root readproc reserved_disk
+    rlimit nofile 32768 262144
     socket zygote stream 660 root system
     socket usap_pool_primary stream 660 root system
     onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse

rootdir/init.zygote64.rc

@@ -3,6 +3,7 @@ service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-s
     priority -20
     user root
     group root readproc reserved_disk
+    rlimit nofile 32768 262144
     socket zygote stream 660 root system
     socket usap_pool_primary stream 660 root system
     onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse

rootdir/init.zygote64_32.rc

@@ -5,6 +5,7 @@ service zygote_secondary /system/bin/app_process32 -Xzygote /system/bin --zygote
     priority -20
     user root
     group root readproc reserved_disk
+    rlimit nofile 32768 262144
     socket zygote_secondary stream 660 root system
     socket usap_pool_secondary stream 660 root system
     onrestart restart zygote