let lspinit copy rule

scripts/build.sh

@@ -474,8 +474,6 @@ if [ "$HAS_GAPPS" ] || [ "$ROOT_SOL" = "magisk" ]; then
         "add 0644 overlay.d/sbin/magisk32.xz $WORK_DIR/magisk/magisk32.xz" \
         "add 0644 overlay.d/sbin/stub.xz $WORK_DIR/magisk/stub.xz" \
         "mkdir 000 .backup" \
-        "add 0750 overlay.d/sbin/post-fs-data.sh post-fs-data.sh" \
-        "add 000 overlay.d/init.lsp.se.rc init.lsp.se.rc" \
         || abort "Unable to patch initrd"
 elif [ "$ROOT_SOL" = "kernelsu" ]; then
     echo "Extracting KernelSU"
@@ -503,7 +501,7 @@ if [ "$HAS_GAPPS" ]; then
         echo "Integrating GApps"
         "$WORK_DIR/magisk/magiskboot" cpio "$WORK_DIR/wsa/$ARCH/Tools/initrd.img" \
             "add 000 overlay.d/init.lsp.cust.rc init.lsp.cust.rc" \
-            "add 000 overlay.d/sbin/sepolicy.rule sepolicy.rule" \
+            "add 000 /lspolicy.rule sepolicy.rule" \
             "add 000 overlay.d/sbin/cust.img $GAPPS_PATH" \
             || abort "Unable to patch initrd"
         echo -e "done\n"

scripts/init.lsp.cust.rc

@@ -1,11 +1,12 @@
 on post-fs
     mkdir /mnt/cust 0775 system system
-    mount erofs loop@${MAGISKTMP}/cust.img /mnt/cust ro,seclabel
+    mount erofs loop@${MAGISKTMP}/cust.img /mnt/cust noatime,ro cache_strategy=readaround
     wait /system_ext
-    mount overlay overlay /system_ext lowerdir=/mnt/cust/system_ext:/system_ext,seclabel
+    mount overlay system_ext_etc_permissions_overlay /system_ext/etc/permissions noatime lowerdir=/system_ext/etc/permissions:/mnt/cust/system_ext/etc/permissions,redirect_dir=on,xino=on
+    mount overlay system_ext_priv-app_overlay /system_ext/priv-app noatime lowerdir=/system_ext/priv-app:/mnt/cust/system_ext/priv-app,redirect_dir=on,xino=on
     wait /product
-    mount overlay overlay /product lowerdir=/mnt/cust/product:/product,seclabel
+    mount overlay product_overlay /product noatime lowerdir=/product:/mnt/cust/product,redirect_dir=on,xino=on
     wait /vendor
-    mount overlay overlay /vendor lowerdir=/mnt/cust/vendor:/vendor,seclabel
+    mount overlay vendor_overlay /vendor noatime lowerdir=/vendor:/mnt/cust/vendor,redirect_dir=on,xino=on
     wait /system
-    mount overlay overlay /system/priv-app lowerdir=/mnt/cust/system/priv-app:/system/priv-app,seclabel
+    mount overlay system_priv-app_overlay /system/priv-app noatime lowerdir=/mnt/cust/system/priv-app:/system/priv-app,redirect_dir=on,xino=on

scripts/init.lsp.se.rc

@@ -1,2 +0,0 @@
-on post-fs-data
-    exec u:r:magisk:s0 0 0 -- ${MAGISKTMP}/post-fs-data.sh

scripts/post-fs-data.sh

@@ -1,14 +0,0 @@
-#!/system/bin/sh
-MAGISKTMP=/sbin
-[ -d /sbin ] || MAGISKTMP=/debug_ramdisk
-MAGISKBIN=/data/adb/magisk
-if [ ! -f $MAGISKBIN/magiskpolicy ]; then
-    # shellcheck disable=SC2174
-    mkdir -p -m 755 $MAGISKBIN
-    chcon u:object_r:system_file:s0 $MAGISKBIN
-    ABI=$(/system/bin/getprop ro.product.cpu.abi)
-    /system/bin/unzip -d $MAGISKBIN -j $MAGISKTMP/stub.apk "lib/$ABI/libmagiskpolicy.so"
-    mv $MAGISKBIN/libmagiskpolicy.so $MAGISKBIN/magiskpolicy
-    chmod 755 $MAGISKBIN/magiskpolicy
-fi
-[ -f $MAGISKTMP/sepolicy.rule ] && $MAGISKBIN/magiskpolicy --live --apply $MAGISKTMP/sepolicy.rule

scripts/sepolicy.rule

@@ -3,5 +3,3 @@ allow gmscore_app device_config_runtime_native_boot_prop file read
 allow gmscore_app system_server_tmpfs dir search
 allow gmscore_app system_server_tmpfs file open
 allow gmscore_app { system_server_tmpfs media_rw_data_file } filesystem getattr
-allow { platform_app system_app } default_android_service service_manager { find add }
-allow system_server default_android_service service_manager add