Merge "Allow virtualizationservice to check for PKVM extension"
diff --git a/Android.bp b/Android.bp
index 874e96f..438b13f 100644
--- a/Android.bp
+++ b/Android.bp
@@ -817,6 +817,32 @@
],
}
+// policy for recovery
+se_policy_conf {
+ name: "recovery_sepolicy.conf",
+ srcs: plat_policies_for_vendor + [
+ ":se_build_files{.plat_vendor_for_vendor}",
+ ":se_build_files{.vendor}",
+ ":se_build_files{.odm}",
+ ],
+ target_recovery: true,
+ installable: false,
+}
+
+se_policy_cil {
+ name: "recovery_sepolicy.cil",
+ src: ":recovery_sepolicy.conf",
+ secilc_check: false, // will be done in se_policy_binary module
+ installable: false,
+}
+
+se_policy_binary {
+ name: "sepolicy.recovery",
+ srcs: [":recovery_sepolicy.cil"],
+ stem: "sepolicy",
+ recovery: true,
+}
+
//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
diff --git a/Android.mk b/Android.mk
index 1431841..e235bde 100644
--- a/Android.mk
+++ b/Android.mk
@@ -527,31 +527,6 @@
include $(BUILD_PHONY_PACKAGE)
-#################################
-
-ifeq ($(mixed_sepolicy_build),true)
-ver := $(BOARD_SEPOLICY_VERS)
-reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
-plat_public_policy_$(ver) := $(LOCAL_PATH)/prebuilts/api/$(ver)/public
-plat_private_policy_$(ver) := $(LOCAL_PATH)/prebuilts/api/$(ver)/private
-system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
-system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
-product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
-product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
-ver :=
-else
-reqd_policy_$(PLATFORM_SEPOLICY_VERSION) := $(REQD_MASK_POLICY)
-plat_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/public
-plat_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/private
-system_ext_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PUBLIC_POLICY)
-system_ext_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PRIVATE_POLICY)
-product_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PUBLIC_POLICY)
-product_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PRIVATE_POLICY)
-endif
-
-built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
-built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
-
##################################
# Policy files are now built with Android.bp. Grab them from intermediate.
# See Android.bp for details of policy files.
@@ -584,6 +559,8 @@
endif
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
+built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
+built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
#################################
# sepolicy is also built with Android.bp.
@@ -603,66 +580,6 @@
$(LOCAL_BUILT_MODULE): $(built_sepolicy)
$(copy-file-to-target)
-#################################
-include $(CLEAR_VARS)
-
-# keep concrete sepolicy for neverallow checks
-# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling.
-
-LOCAL_MODULE := sepolicy.recovery
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := sepolicy
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# We use vendor version's policy files because recovery partition is vendor-owned.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
-$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
-$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy.recovery.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow
- $(hide) mv $@.neverallow $@
-endif
-
-$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
- $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
- echo "==========" 1>&2; \
- echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
- echo "List of invalid domains:" 1>&2; \
- cat $@.permissivedomains 1>&2; \
- exit 1; \
- fi
- $(hide) mv $@.tmp $@
-
-sepolicy.recovery.conf :=
-
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
#
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 3308e2c..2b190e6 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -83,6 +83,9 @@
// Whether to build CTS specific policy or not. Default is false
Cts *bool
+ // Whether to build recovery specific policy or not. Default is false
+ Target_recovery *bool
+
// Whether this module is directly installable to one of the partitions. Default is true
Installable *bool
}
@@ -130,6 +133,10 @@
return proptools.Bool(c.properties.Cts)
}
+func (c *policyConf) isTargetRecovery() bool {
+ return proptools.Bool(c.properties.Target_recovery)
+}
+
func (c *policyConf) withAsan(ctx android.ModuleContext) string {
isAsanDevice := android.InList("address", ctx.Config().SanitizeDevice())
return strconv.FormatBool(proptools.BoolDefault(c.properties.With_asan, isAsanDevice))
@@ -139,6 +146,9 @@
if c.cts() {
return "cts"
}
+ if c.isTargetRecovery() {
+ return "false"
+ }
return strconv.FormatBool(ctx.DeviceConfig().SepolicySplit())
}
@@ -146,6 +156,9 @@
if c.cts() {
return "cts"
}
+ if c.isTargetRecovery() {
+ return "false"
+ }
return "true"
}
@@ -153,6 +166,9 @@
if c.cts() {
return "cts"
}
+ if c.isTargetRecovery() {
+ return "false"
+ }
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenTrebleSyspropNeverallow())
}
@@ -160,6 +176,9 @@
if c.cts() {
return "cts"
}
+ if c.isTargetRecovery() {
+ return "false"
+ }
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
}
@@ -206,6 +225,7 @@
FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
+ FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
Flag("-s").
Inputs(srcs).
Text("> ").Output(conf)
@@ -439,6 +459,10 @@
return c
}
+func (c *policyBinary) InstallInRoot() bool {
+ return c.InstallInRecovery()
+}
+
func (c *policyBinary) Installable() bool {
return proptools.BoolDefault(c.properties.Installable, true)
}
@@ -505,7 +529,12 @@
c.SkipInstall()
}
- c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ if c.InstallInRecovery() {
+ // install in root
+ c.installPath = android.PathForModuleInstall(ctx)
+ } else {
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ }
c.installSource = out
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
}
diff --git a/private/clatd.te b/private/clatd.te
index 104121e..da6820c 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -18,5 +18,4 @@
allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
allow clatd tun_device:chr_file rw_file_perms;