Merge "[NC#3] clatd: remove raw and packet socket creation privs"
diff --git a/Android.bp b/Android.bp
index d22010c..438b13f 100644
--- a/Android.bp
+++ b/Android.bp
@@ -149,482 +149,41 @@
     ],
 }
 
-se_cil_compat_map {
-    name: "plat_28.0.cil",
-    stem: "28.0.cil",
-    bottom_half: [":28.0.board.compat.map"],
-    top_half: "plat_29.0.cil",
-}
-
-se_cil_compat_map {
-    name: "plat_29.0.cil",
-    stem: "29.0.cil",
-    bottom_half: [":29.0.board.compat.map"],
-    top_half: "plat_30.0.cil",
-}
-
-se_cil_compat_map {
-    name: "plat_30.0.cil",
-    stem: "30.0.cil",
-    bottom_half: [":30.0.board.compat.map"],
-    top_half: "plat_31.0.cil",
-}
-
-se_cil_compat_map {
-    name: "plat_31.0.cil",
-    stem: "31.0.cil",
-    bottom_half: [":31.0.board.compat.map"],
-    top_half: "plat_32.0.cil",
-}
-
-se_cil_compat_map {
-    name: "plat_32.0.cil",
-    stem: "32.0.cil",
-    bottom_half: [":32.0.board.compat.map"],
-    // top_half: "plat_33.0.cil",
-}
-
-se_cil_compat_map {
-    name: "system_ext_28.0.cil",
-    stem: "28.0.cil",
-    bottom_half: [":28.0.board.compat.map"],
-    top_half: "system_ext_29.0.cil",
-    system_ext_specific: true,
-}
-
-se_cil_compat_map {
-    name: "system_ext_29.0.cil",
-    stem: "29.0.cil",
-    bottom_half: [":29.0.board.compat.map"],
-    top_half: "system_ext_30.0.cil",
-    system_ext_specific: true,
-}
-
-se_cil_compat_map {
-    name: "system_ext_30.0.cil",
-    stem: "30.0.cil",
-    bottom_half: [":30.0.board.compat.map"],
-    top_half: "system_ext_31.0.cil",
-    system_ext_specific: true,
-}
-
-se_cil_compat_map {
-    name: "system_ext_31.0.cil",
-    stem: "31.0.cil",
-    bottom_half: [":31.0.board.compat.map"],
-    top_half: "system_ext_32.0.cil",
-    system_ext_specific: true,
-}
-
-se_cil_compat_map {
-    name: "system_ext_32.0.cil",
-    stem: "32.0.cil",
-    bottom_half: [":32.0.board.compat.map"],
-    // top_half: "system_ext_33.0.cil",
-    system_ext_specific: true,
-}
-
-se_cil_compat_map {
-    name: "product_28.0.cil",
-    stem: "28.0.cil",
-    bottom_half: [":28.0.board.compat.map"],
-    top_half: "product_29.0.cil",
-    product_specific: true,
-}
-
-se_cil_compat_map {
-    name: "product_29.0.cil",
-    stem: "29.0.cil",
-    bottom_half: [":29.0.board.compat.map"],
-    top_half: "product_30.0.cil",
-    product_specific: true,
-}
-
-se_cil_compat_map {
-    name: "product_30.0.cil",
-    stem: "30.0.cil",
-    bottom_half: [":30.0.board.compat.map"],
-    top_half: "product_31.0.cil",
-    product_specific: true,
-}
-
-se_cil_compat_map {
-    name: "product_31.0.cil",
-    stem: "31.0.cil",
-    bottom_half: [":31.0.board.compat.map"],
-    top_half: "product_32.0.cil",
-    product_specific: true,
-}
-
-se_cil_compat_map {
-    name: "product_32.0.cil",
-    stem: "32.0.cil",
-    bottom_half: [":32.0.board.compat.map"],
-    // top_half: "product_33.0.cil",
-    product_specific: true,
-}
-
-se_cil_compat_map {
-    name: "28.0.ignore.cil",
-    bottom_half: [":28.0.board.ignore.map"],
-    top_half: "29.0.ignore.cil",
-}
-
-se_cil_compat_map {
-    name: "29.0.ignore.cil",
-    bottom_half: [":29.0.board.ignore.map"],
-    top_half: "30.0.ignore.cil",
-}
-
-se_cil_compat_map {
-    name: "30.0.ignore.cil",
-    bottom_half: [":30.0.board.ignore.map"],
-    top_half: "31.0.ignore.cil",
-}
-
-se_cil_compat_map {
-    name: "31.0.ignore.cil",
-    bottom_half: [":31.0.board.ignore.map"],
-    top_half: "32.0.ignore.cil",
-}
-
-se_cil_compat_map {
-    name: "32.0.ignore.cil",
-    bottom_half: [":32.0.board.ignore.map"],
-    // top_half: "33.0.ignore.cil",
-}
-
-se_cil_compat_map {
-    name: "system_ext_30.0.ignore.cil",
-    bottom_half: [":30.0.board.ignore.map"],
-    top_half: "system_ext_31.0.ignore.cil",
-    system_ext_specific: true,
-}
-
-se_cil_compat_map {
-    name: "system_ext_31.0.ignore.cil",
-    bottom_half: [":31.0.board.ignore.map"],
-    top_half: "system_ext_32.0.ignore.cil",
-    system_ext_specific: true,
-}
-
-se_cil_compat_map {
-    name: "system_ext_32.0.ignore.cil",
-    bottom_half: [":32.0.board.ignore.map"],
-    // top_half: "system_ext_33.0.ignore.cil",
-    system_ext_specific: true,
-}
-
-se_cil_compat_map {
-    name: "product_30.0.ignore.cil",
-    bottom_half: [":30.0.board.ignore.map"],
-    top_half: "product_31.0.ignore.cil",
-    product_specific: true,
-}
-
-se_cil_compat_map {
-    name: "product_31.0.ignore.cil",
-    bottom_half: [":31.0.board.ignore.map"],
-    top_half: "product_32.0.ignore.cil",
-    product_specific: true,
-}
-
-se_cil_compat_map {
-    name: "product_32.0.ignore.cil",
-    bottom_half: [":32.0.board.ignore.map"],
-    // top_half: "product_33.0.ignore.cil",
-    product_specific: true,
-}
-
-se_compat_cil {
-    name: "28.0.compat.cil",
-    srcs: [":28.0.board.compat.cil"],
-}
-
-se_compat_cil {
-    name: "29.0.compat.cil",
-    srcs: [":29.0.board.compat.cil"],
-}
-
-se_compat_cil {
-    name: "30.0.compat.cil",
-    srcs: [":30.0.board.compat.cil"],
-}
-
-se_compat_cil {
-    name: "31.0.compat.cil",
-    srcs: [":31.0.board.compat.cil"],
-}
-
-se_compat_cil {
-    name: "32.0.compat.cil",
-    srcs: [":32.0.board.compat.cil"],
-}
-
-se_compat_cil {
-    name: "system_ext_28.0.compat.cil",
-    srcs: [":28.0.board.compat.cil"],
-    stem: "28.0.compat.cil",
-    system_ext_specific: true,
-}
-
-se_compat_cil {
-    name: "system_ext_29.0.compat.cil",
-    srcs: [":29.0.board.compat.cil"],
-    stem: "29.0.compat.cil",
-    system_ext_specific: true,
-}
-
-se_compat_cil {
-    name: "system_ext_30.0.compat.cil",
-    srcs: [":30.0.board.compat.cil"],
-    stem: "30.0.compat.cil",
-    system_ext_specific: true,
-}
-
-se_compat_cil {
-    name: "system_ext_31.0.compat.cil",
-    srcs: [":31.0.board.compat.cil"],
-    stem: "31.0.compat.cil",
-    system_ext_specific: true,
-}
-
-se_compat_cil {
-    name: "system_ext_32.0.compat.cil",
-    srcs: [":32.0.board.compat.cil"],
-    stem: "32.0.compat.cil",
-    system_ext_specific: true,
-}
-
-se_filegroup {
+se_build_files {
     name: "file_contexts_files",
     srcs: ["file_contexts"],
 }
 
-se_filegroup {
+se_build_files {
     name: "file_contexts_asan_files",
     srcs: ["file_contexts_asan"],
 }
 
-se_filegroup {
+se_build_files {
     name: "file_contexts_overlayfs_files",
     srcs: ["file_contexts_overlayfs"],
 }
 
-se_filegroup {
+se_build_files {
     name: "hwservice_contexts_files",
     srcs: ["hwservice_contexts"],
 }
 
-se_filegroup {
+se_build_files {
     name: "property_contexts_files",
     srcs: ["property_contexts"],
 }
 
-se_filegroup {
+se_build_files {
     name: "service_contexts_files",
     srcs: ["service_contexts"],
 }
 
-se_filegroup {
+se_build_files {
     name: "keystore2_key_contexts_files",
     srcs: ["keystore2_key_contexts"],
 }
 
-file_contexts {
-    name: "plat_file_contexts",
-    srcs: [":file_contexts_files"],
-    product_variables: {
-        address_sanitize: {
-            srcs: [":file_contexts_asan_files"],
-        },
-        debuggable: {
-            srcs: [":file_contexts_overlayfs_files"],
-        },
-    },
-
-    flatten_apex: {
-        srcs: ["apex/*-file_contexts"],
-    },
-}
-
-file_contexts {
-    name: "plat_file_contexts.recovery",
-    srcs: [":file_contexts_files"],
-    stem: "plat_file_contexts",
-    product_variables: {
-        address_sanitize: {
-            srcs: [":file_contexts_asan_files"],
-        },
-        debuggable: {
-            srcs: [":file_contexts_overlayfs_files"],
-        },
-    },
-
-    flatten_apex: {
-        srcs: ["apex/*-file_contexts"],
-    },
-
-    recovery: true,
-}
-
-file_contexts {
-    name: "vendor_file_contexts",
-    srcs: [":file_contexts_files"],
-    soc_specific: true,
-    recovery_available: true,
-}
-
-file_contexts {
-    name: "system_ext_file_contexts",
-    srcs: [":file_contexts_files"],
-    system_ext_specific: true,
-    recovery_available: true,
-}
-
-file_contexts {
-    name: "product_file_contexts",
-    srcs: [":file_contexts_files"],
-    product_specific: true,
-    recovery_available: true,
-}
-
-file_contexts {
-    name: "odm_file_contexts",
-    srcs: [":file_contexts_files"],
-    device_specific: true,
-    recovery_available: true,
-}
-
-hwservice_contexts {
-    name: "plat_hwservice_contexts",
-    srcs: [":hwservice_contexts_files"],
-}
-
-hwservice_contexts {
-    name: "system_ext_hwservice_contexts",
-    srcs: [":hwservice_contexts_files"],
-    system_ext_specific: true,
-}
-
-hwservice_contexts {
-    name: "product_hwservice_contexts",
-    srcs: [":hwservice_contexts_files"],
-    product_specific: true,
-}
-
-hwservice_contexts {
-    name: "vendor_hwservice_contexts",
-    srcs: [":hwservice_contexts_files"],
-    reqd_mask: true,
-    soc_specific: true,
-}
-
-hwservice_contexts {
-    name: "odm_hwservice_contexts",
-    srcs: [":hwservice_contexts_files"],
-    device_specific: true,
-}
-
-property_contexts {
-    name: "plat_property_contexts",
-    srcs: [":property_contexts_files"],
-}
-
-property_contexts {
-    name: "plat_property_contexts.recovery",
-    srcs: [":property_contexts_files"],
-    stem: "plat_property_contexts",
-    recovery: true,
-}
-
-property_contexts {
-    name: "system_ext_property_contexts",
-    srcs: [":property_contexts_files"],
-    system_ext_specific: true,
-    recovery_available: true,
-}
-
-property_contexts {
-    name: "product_property_contexts",
-    srcs: [":property_contexts_files"],
-    product_specific: true,
-    recovery_available: true,
-}
-
-property_contexts {
-    name: "vendor_property_contexts",
-    srcs: [":property_contexts_files"],
-    reqd_mask: true,
-    soc_specific: true,
-    recovery_available: true,
-}
-
-property_contexts {
-    name: "odm_property_contexts",
-    srcs: [":property_contexts_files"],
-    device_specific: true,
-    recovery_available: true,
-}
-
-service_contexts {
-    name: "plat_service_contexts",
-    srcs: [":service_contexts_files"],
-}
-
-service_contexts {
-    name: "plat_service_contexts.recovery",
-    srcs: [":service_contexts_files"],
-    stem: "plat_service_contexts",
-    recovery: true,
-}
-
-service_contexts {
-    name: "system_ext_service_contexts",
-    srcs: [":service_contexts_files"],
-    system_ext_specific: true,
-    recovery_available: true,
-}
-
-service_contexts {
-    name: "product_service_contexts",
-    srcs: [":service_contexts_files"],
-    product_specific: true,
-    recovery_available: true,
-}
-
-service_contexts {
-    name: "vendor_service_contexts",
-    srcs: [":service_contexts_files"],
-    reqd_mask: true,
-    soc_specific: true,
-    recovery_available: true,
-}
-
-keystore2_key_contexts {
-    name: "plat_keystore2_key_contexts",
-    srcs: [":keystore2_key_contexts_files"],
-}
-
-keystore2_key_contexts {
-    name: "system_keystore2_key_contexts",
-    srcs: [":keystore2_key_contexts_files"],
-    system_ext_specific: true,
-}
-
-keystore2_key_contexts {
-    name: "product_keystore2_key_contexts",
-    srcs: [":keystore2_key_contexts_files"],
-    product_specific: true,
-}
-
-keystore2_key_contexts {
-    name: "vendor_keystore2_key_contexts",
-    srcs: [":keystore2_key_contexts_files"],
-    reqd_mask: true,
-    soc_specific: true,
-}
-
 // For vts_treble_sys_prop_test
 filegroup {
     name: "private_property_contexts",
@@ -661,6 +220,11 @@
     ],
 }
 
+se_build_files {
+    name: "sepolicy_technical_debt",
+    srcs: ["technical_debt.cil"],
+}
+
 reqd_mask_policy          = [":se_build_files{.reqd_mask}"]
 plat_public_policy        = [":se_build_files{.plat_public}"]
 plat_private_policy       = [":se_build_files{.plat_private}"]
@@ -775,7 +339,7 @@
 se_policy_cil {
     name: "plat_sepolicy.cil",
     src: ":plat_sepolicy.conf",
-    additional_cil_files: ["private/technical_debt.cil"],
+    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
 }
 
 // userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
@@ -790,7 +354,7 @@
 se_policy_cil {
     name: "userdebug_plat_sepolicy.cil",
     src: ":userdebug_plat_sepolicy.conf",
-    additional_cil_files: ["private/technical_debt.cil"],
+    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
     debug_ramdisk: true,
     dist: {
         targets: ["droidcore"],
@@ -815,7 +379,7 @@
     name: "system_ext_userdebug_plat_sepolicy.cil",
     stem: "userdebug_plat_sepolicy.cil",
     src: ":userdebug_plat_sepolicy.conf",
-    additional_cil_files: ["private/technical_debt.cil"],
+    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
     system_ext_specific: true,
     enabled: false,
     installable: false,
@@ -898,24 +462,193 @@
     product_specific: true,
 }
 
+// vendor/odm sepolicy
+//
+// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
+// policy files of platform (system, system_ext, product) can't be mixed with
+// policy files of vendor (vendor, odm). If it's the case, platform policies and
+// vendor policies are separately built. More specifically,
+//
+// - Platform policy files needed to build vendor policies, such as plat_policy,
+//   plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
+//   prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
+//
+// - sepolicy_neverallows only checks platform policies, and a new module
+//   sepolicy_neverallows_vendor checks vendor policies.
+//
+// - neverallow checks are turned off while compiling precompiled_sepolicy
+//   module and sepolicy module.
+//
+// - Vendor policies are not checked on the compat test (compat.mk).
+//
+// In such scenario, we can grab platform policy files from the prebuilts/api
+// directory. But we need more than that: prebuilts of system_ext, product,
+// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
+// variables are introduced to specify such prebuilts.
+//
+// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
+// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
+// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
+// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
+// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
+// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
+//
+// Vendors are responsible for copying policy files from the old version of the
+// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
+// can be used to build vendor policies.
+//
+// To support both mixed build and normal build, platform policy files are
+// indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
+// to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
+// Otherwise, they will be equal to the Makefile variables above.
+
+plat_public_policies_for_vendor = [
+    ":se_build_files{.plat_public_for_vendor}",
+    ":se_build_files{.system_ext_public_for_vendor}",
+    ":se_build_files{.product_public_for_vendor}",
+    ":se_build_files{.reqd_mask_for_vendor}",
+]
+
+plat_policies_for_vendor = [
+    ":se_build_files{.plat_public_for_vendor}",
+    ":se_build_files{.plat_private_for_vendor}",
+    ":se_build_files{.system_ext_public_for_vendor}",
+    ":se_build_files{.system_ext_private_for_vendor}",
+    ":se_build_files{.product_public_for_vendor}",
+    ":se_build_files{.product_private_for_vendor}",
+]
+
+se_policy_conf {
+    name: "plat_policy_for_vendor.conf",
+    srcs: plat_policies_for_vendor,
+    installable: false,
+}
+
+se_policy_cil {
+    name: "plat_policy_for_vendor.cil",
+    src: ":plat_policy_for_vendor.conf",
+    additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
+    installable: false,
+}
+
+se_policy_conf {
+    name: "reqd_policy_mask_for_vendor.conf",
+    srcs: [":se_build_files{.reqd_mask_for_vendor}"],
+    installable: false,
+}
+
+se_policy_cil {
+    name: "reqd_policy_mask_for_vendor.cil",
+    src: ":reqd_policy_mask_for_vendor.conf",
+    secilc_check: false,
+    installable: false,
+}
+
+se_policy_conf {
+    name: "pub_policy_for_vendor.conf",
+    srcs: plat_public_policies_for_vendor,
+    installable: false,
+}
+
+se_policy_cil {
+    name: "pub_policy_for_vendor.cil",
+    src: ":pub_policy_for_vendor.conf",
+    filter_out: [":reqd_policy_mask_for_vendor.cil"],
+    secilc_check: false,
+    installable: false,
+}
+
+se_versioned_policy {
+    name: "plat_mapping_file_for_vendor",
+    base: ":pub_policy_for_vendor.cil",
+    mapping: true,
+    version: "vendor",
+    installable: false,
+}
+
 // plat_pub_versioned.cil - the exported platform policy associated with the version
 // that non-platform policy targets.
 se_versioned_policy {
     name: "plat_pub_versioned.cil",
-    base: ":pub_policy.cil",
-    target_policy: ":pub_policy.cil",
-    version: "current",
-    dependent_cils: [
-        ":plat_sepolicy.cil",
-        ":system_ext_sepolicy.cil",
-        ":product_sepolicy.cil",
-        ":plat_mapping_file",
-        ":system_ext_mapping_file",
-        ":product_mapping_file",
-    ],
+    base: ":pub_policy_for_vendor.cil",
+    target_policy: ":pub_policy_for_vendor.cil",
+    version: "vendor",
     vendor: true,
 }
 
+// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
+// with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
+// policy and the platform public policy files in order to use checkpolicy.
+se_policy_conf {
+    name: "vendor_sepolicy.conf",
+    srcs: plat_public_policies_for_vendor + [
+        ":se_build_files{.plat_vendor_for_vendor}",
+        ":se_build_files{.vendor}",
+    ],
+    installable: false,
+}
+
+se_policy_cil {
+    name: "vendor_sepolicy.cil.raw",
+    src: ":vendor_sepolicy.conf",
+    filter_out: [":reqd_policy_mask_for_vendor.cil"],
+    secilc_check: false, // will be done in se_versioned_policy module
+    installable: false,
+}
+
+se_versioned_policy {
+    name: "vendor_sepolicy.cil",
+    base: ":pub_policy_for_vendor.cil",
+    target_policy: ":vendor_sepolicy.cil.raw",
+    version: "vendor",
+    dependent_cils: [
+        ":plat_policy_for_vendor.cil",
+        ":plat_pub_versioned.cil",
+        ":plat_mapping_file_for_vendor",
+    ],
+    filter_out: [":plat_pub_versioned.cil"],
+    vendor: true,
+}
+
+// odm_policy.cil - the odl sepolicy. This needs attributization and to be combined
+// with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
+// policy and the platform public policy files in order to use checkpolicy.
+se_policy_conf {
+    name: "odm_sepolicy.conf",
+    srcs: plat_public_policies_for_vendor + [
+        ":se_build_files{.plat_vendor_for_vendor}",
+        ":se_build_files{.vendor}",
+        ":se_build_files{.odm}",
+    ],
+    installable: false,
+}
+
+se_policy_cil {
+    name: "odm_sepolicy.cil.raw",
+    src: ":odm_sepolicy.conf",
+    filter_out: [
+        ":reqd_policy_mask_for_vendor.cil",
+        ":vendor_sepolicy.cil",
+    ],
+    secilc_check: false, // will be done in se_versioned_policy module
+    installable: false,
+}
+
+se_versioned_policy {
+    name: "odm_sepolicy.cil",
+    base: ":pub_policy_for_vendor.cil",
+    target_policy: ":odm_sepolicy.cil.raw",
+    version: "vendor",
+    dependent_cils: [
+        ":plat_policy_for_vendor.cil",
+        ":plat_pub_versioned.cil",
+        ":plat_mapping_file_for_vendor",
+        ":vendor_sepolicy.cil",
+    ],
+    filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
+    device_specific: true,
+}
+
 //////////////////////////////////
 // Precompiled sepolicy is loaded if and only if:
 // - plat_sepolicy_and_mapping.sha256 equals
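Review bot: Removing `dependent_cils` from plat_pub_versioned.cil means this module no longer compiles the versioned public policy together with the platform private policies and mapping files; if that consistency check is now meant to happen through the `dependent_cils` lists of vendor_sepolicy.cil and odm_sepolicy.cil, a comment on plat_pub_versioned.cil saying so would stop the next reader from re-adding it, e.g. `// Checked against the full platform policy in vendor_sepolicy.cil / odm_sepolicy.cil.` The new header comment also carries two typos that will outlive the review: `{.(partition)_scope)}` has an unbalanced parenthesis and should read `{.(partition)_(scope)}`, and `the odl sepolicy` above odm_sepolicy.conf should read `the odm sepolicy`. The `se_policy_cil` modules with `secilc_check: false` inherit their correctness check from the downstream `se_versioned_policy` module, as the inline comments say; the same inline note would help on reqd_policy_mask_for_vendor.cil and pub_policy_for_vendor.cil, which currently give no reason for skipping it.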
@@ -979,15 +712,15 @@
 }
 
 soong_config_module_type {
-    name: "precompiled_sepolicy_defaults",
+    name: "precompiled_sepolicy_prebuilts_defaults",
     module_type: "prebuilt_defaults",
     config_namespace: "ANDROID",
     bool_variables: ["BOARD_USES_ODMIMAGE"],
     properties: ["vendor", "device_specific"],
 }
 
-precompiled_sepolicy_defaults {
-    name: "precompiled_sepolicy",
+precompiled_sepolicy_prebuilts_defaults {
+    name: "precompiled_sepolicy_prebuilts",
     soong_config_variables: {
         BOARD_USES_ODMIMAGE: {
             device_specific: true,
@@ -1003,7 +736,7 @@
 // which precompiled_policy was built.
 //////////////////////////////////
 prebuilt_etc {
-    defaults: ["precompiled_sepolicy"],
+    defaults: ["precompiled_sepolicy_prebuilts"],
     name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
     filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
     src: ":plat_sepolicy_and_mapping.sha256_gen",
@@ -1015,7 +748,7 @@
 // which precompiled_policy was built.
 //////////////////////////////////
 prebuilt_etc {
-    defaults: ["precompiled_sepolicy"],
+    defaults: ["precompiled_sepolicy_prebuilts"],
     name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
     filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
     src: ":system_ext_sepolicy_and_mapping.sha256_gen",
@@ -1027,13 +760,88 @@
 // which precompiled_policy was built.
 //////////////////////////////////
 prebuilt_etc {
-    defaults: ["precompiled_sepolicy"],
+    defaults: ["precompiled_sepolicy_prebuilts"],
     name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
     filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
     src: ":product_sepolicy_and_mapping.sha256_gen",
     relative_install_path: "selinux",
 }
 
+soong_config_module_type {
+    name: "precompiled_se_policy_binary",
+    module_type: "se_policy_binary",
+    config_namespace: "ANDROID",
+    bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
+    value_variables: ["MIXED_SEPOLICY_VERSION"],
+    properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
+}
+
+precompiled_se_policy_binary {
+    name: "precompiled_sepolicy",
+    srcs: [
+        ":plat_sepolicy.cil",
+        ":plat_pub_versioned.cil",
+        ":system_ext_sepolicy.cil",
+        ":product_sepolicy.cil",
+        ":vendor_sepolicy.cil",
+        ":odm_sepolicy.cil",
+    ],
+    soong_config_variables: {
+        BOARD_USES_ODMIMAGE: {
+            device_specific: true,
+            conditions_default: {
+                vendor: true,
+            },
+        },
+        IS_TARGET_MIXED_SEPOLICY: {
+            ignore_neverallow: true,
+        },
+        MIXED_SEPOLICY_VERSION: {
+            srcs: [
+                ":plat_%s.cil",
+                ":system_ext_%s.cil",
+                ":product_%s.cil",
+            ],
+            conditions_default: {
+                srcs: [
+                    ":plat_mapping_file",
+                    ":system_ext_mapping_file",
+                    ":product_mapping_file",
+                ],
+            },
+        },
+    },
+    required: [
+        "sepolicy_neverallows",
+        "sepolicy_neverallows_vendor",
+    ],
+}
+
+// policy for recovery
+se_policy_conf {
+    name: "recovery_sepolicy.conf",
+    srcs: plat_policies_for_vendor + [
+        ":se_build_files{.plat_vendor_for_vendor}",
+        ":se_build_files{.vendor}",
+        ":se_build_files{.odm}",
+    ],
+    target_recovery: true,
+    installable: false,
+}
+
+se_policy_cil {
+    name: "recovery_sepolicy.cil",
+    src: ":recovery_sepolicy.conf",
+    secilc_check: false, // will be done in se_policy_binary module
+    installable: false,
+}
+
+se_policy_binary {
+    name: "sepolicy.recovery",
+    srcs: [":recovery_sepolicy.cil"],
+    stem: "sepolicy",
+    recovery: true,
+}
 
 //////////////////////////////////
 // SELinux policy embedded into CTS.
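Review bot: `ignore_neverallow: true` under IS_TARGET_MIXED_SEPOLICY turns off neverallow checking while precompiled_sepolicy itself is compiled, and the only thing that keeps neverallows enforced on a mixed-version build is the `required` list naming sepolicy_neverallows and sepolicy_neverallows_vendor; that coupling should be stated next to the property, e.g. `// Platform and vendor policies of different versions can't be checked together here; neverallows are enforced by the required se_neverallow_test modules instead.` The `":plat_%s.cil"`, `":system_ext_%s.cil"` and `":product_%s.cil"` srcs under MIXED_SEPOLICY_VERSION need modules named like plat_28.0.cil through plat_32.0.cil, which the first hunk of this file removes; presumably they now live in another Android.bp, but that is worth confirming, because a dangling reference here only fails on mixed-build targets that a default checkout never exercises. The same `secilc_check: false` reasoning applies to recovery_sepolicy.cil, whose inline comment already points to the se_policy_binary module.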
@@ -1209,6 +1017,25 @@
     vendor: true,
 }
 
+se_neverallow_test {
+    name: "sepolicy_neverallows",
+    srcs: plat_public_policy +
+        plat_private_policy +
+        system_ext_public_policy +
+        system_ext_private_policy +
+        product_public_policy +
+        product_private_policy,
+}
+
+se_neverallow_test {
+    name: "sepolicy_neverallows_vendor",
+    srcs: plat_policies_for_vendor + [
+        ":se_build_files{.plat_vendor_for_vendor}",
+        ":se_build_files{.vendor}",
+        ":se_build_files{.odm}",
+    ],
+}
+
 //////////////////////////////////
 // se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
 // Additional directories can be specified via Makefile variables:
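Review bot: `sepolicy_neverallows` no longer includes the plat_vendor policy that the removed Android.mk rule folded into `all_plat_policy` alongside the public and private platform policies, so platform neverallow rules are now evaluated without it and coverage of that directory rests entirely on `sepolicy_neverallows_vendor` via `plat_vendor_for_vendor`. If that split is deliberate, a one-line comment on each module would make the division of coverage explicit, e.g. `// Platform (system/system_ext/product) policies only; plat_vendor, vendor and odm are covered by sepolicy_neverallows_vendor.` Without it, a reader comparing this with the old Makefile rule will read the omission as a regression.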
diff --git a/Android.mk b/Android.mk
index e487214..e235bde 100644
--- a/Android.mk
+++ b/Android.mk
@@ -81,55 +81,6 @@
 HAS_PRODUCT_SEPOLICY_DIR := true
 endif
 
-# TODO: move to README when doing the README update and finalizing versioning.
-# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy
-# version identifier corresponding to the sepolicy on which the non-platform
-# policy is to be based. If unspecified, this will build against the current
-# public platform policy in tree
-ifndef BOARD_SEPOLICY_VERS
-# The default platform policy version.
-BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
-endif
-
-# If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
-# policy files of platform (system, system_ext, product) can't be mixed with
-# policy files of vendor (vendor, odm). If it's the case, platform policies and
-# vendor policies are separately built. More specifically,
-#
-# - Platform policy files needed to build vendor policies, such as plat_policy,
-#   plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
-#   prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
-#
-# - sepolicy_neverallows only checks platform policies, and a new module
-#   sepolicy_neverallows_vendor checks vendor policies.
-#
-# - neverallow checks are turned off while compiling precompiled_sepolicy module
-#   and sepolicy module.
-#
-# - Vendor policies are not checked on the compat test (compat.mk).
-#
-# In such scenario, we can grab platform policy files from the prebuilts/api
-# directory. But we need more than that: prebuilts of system_ext, product,
-# system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following variables
-# are introduced to specify such prebuilts.
-#
-# - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
-# - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
-# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
-# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
-# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
-# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
-#
-# Vendors are responsible for copying policy files from the old version of the
-# source tree as prebuilts, and for setting BOARD_*_POLICY variables so they can
-# be used to build vendor policies. See prebuilt_policy.mk for more details.
-#
-# To support both mixed build and normal build, platform policy files are
-# indirectly referred by {partition}_{public|private}_policy_$(ver) variables
-# when building vendor policies. See vendor_sepolicy.cil and odm_sepolicy.cil
-# for more details.
-#
-# sepolicy.recovery is also compiled from vendor and plat prebuilt policies.
 ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
 mixed_sepolicy_build := true
 else
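Review bot: Dropping the `ifndef BOARD_SEPOLICY_VERS` default leaves the retained `ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))` comparing against an empty string on any board that never sets the variable, which would flip `mixed_sepolicy_build` to true for an ordinary platform build and, through IS_TARGET_MIXED_SEPOLICY, take precompiled_sepolicy down the `ignore_neverallow` path. Unless the default now lives in a build-system file outside this diff, the three lines `ifndef BOARD_SEPOLICY_VERS` / `BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)` / `endif` should stay in front of the comparison. The removed explanatory block was moved to Android.bp, but its closing remark that `sepolicy.recovery is also compiled from vendor and plat prebuilt policies` has no counterpart there; the `// policy for recovery` comment in Android.bp would be a good place for it.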
@@ -576,426 +527,46 @@
 
 include $(BUILD_PHONY_PACKAGE)
 
-#################################
-
-ifeq ($(mixed_sepolicy_build),true)
-include $(LOCAL_PATH)/prebuilt_policy.mk
-else
-reqd_policy_$(PLATFORM_SEPOLICY_VERSION) := $(REQD_MASK_POLICY)
-plat_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/public
-plat_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/private
-system_ext_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PUBLIC_POLICY)
-system_ext_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PRIVATE_POLICY)
-product_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PUBLIC_POLICY)
-product_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PRIVATE_POLICY)
-endif
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy_neverallows
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# sepolicy_policy.conf - All of the policy for the device.  This is only used to
-# check neverallow rules.
-# In a mixed build target, vendor policies are checked separately, on the module
-# sepolicy_neverallows_vendor.
-
-all_plat_policy := $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
-  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
-  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)
-ifeq ($(mixed_sepolicy_build),true)
-policy_files := $(call build_policy, $(sepolicy_build_files), $(all_plat_policy))
-else
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(all_plat_policy) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-endif
-
-sepolicy_policy.conf := $(intermediates)/policy.conf
-$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy.conf): $(policy_files) $(M4)
-	$(transform-policy-to-conf)
-	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-# sepolicy_policy_2.conf - All of the policy for the device.  This is only used to
-# check neverallow rules using sepolicy-analyze, similar to CTS.
-sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
-$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy_2.conf): $(policy_files) $(M4)
-	$(transform-policy-to-conf)
-	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
-  $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
-ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
-		$(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
-	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
-	  ( echo "" 1>&2; \
-	    echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
-	    echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
-	    echo "the policy." 1>&2; \
-	    exit 1 )
-endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
-	$(hide) touch $@.tmp
-	$(hide) mv $@.tmp $@
-
-sepolicy_policy.conf :=
-sepolicy_policy_2.conf :=
-built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
-
-#################################
-# sepolicy_neverallows_vendor: neverallow check module for vendors in a mixed build target
-ifeq ($(mixed_sepolicy_build),true)
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy_neverallows_vendor
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Check neverallow with prebuilt policy files
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
-  $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
-  $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
-  $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-
-# sepolicy_policy.conf - All of the policy for the device.  This is only used to
-# check neverallow rules.
-sepolicy_policy.conf := $(intermediates)/policy_vendor.conf
-$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy.conf): $(policy_files) $(M4)
-	$(transform-policy-to-conf)
-	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-# sepolicy_policy_2.conf - All of the policy for the device.  This is only used to
-# check neverallow rules using sepolicy-analyze, similar to CTS.
-sepolicy_policy_2.conf := $(intermediates)/policy_vendor_2.conf
-$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy_2.conf): $(policy_files) $(M4)
-	$(transform-policy-to-conf)
-	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
-  $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
-ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
-		$(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
-	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
-	  ( echo "" 1>&2; \
-	    echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
-	    echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
-	    echo "the policy." 1>&2; \
-	    exit 1 )
-endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
-	$(hide) touch $@.tmp
-	$(hide) mv $@.tmp $@
-
-sepolicy_policy.conf :=
-sepolicy_policy_2.conf :=
-built_sepolicy_neverallows += $(LOCAL_BUILT_MODULE)
-
-endif # ifeq ($(mixed_sepolicy_build),true)
-
 ##################################
-# plat policy files are now built with Android.bp. Grab them from intermediate.
-# See Android.bp for details of plat policy files.
+# Policy files are now built with Android.bp. Grab them from intermediate.
+# See Android.bp for details of policy files.
 #
 reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
-reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
 
 pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
-pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
-
 system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
-system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
-
 plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
-plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
 
 built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
 built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
-built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
 
 ifdef HAS_SYSTEM_EXT_SEPOLICY
 built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
 built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
-built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
 endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
 
 ifdef HAS_PRODUCT_SEPOLICY
 built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
 built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
-built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
 endif # ifdef HAS_PRODUCT_SEPOLICY
 
 built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
-built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
 
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
-
-#################################
-include $(CLEAR_VARS)
-
-# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
-# with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
-# policy and the platform public policy files in order to use checkpolicy.
-LOCAL_MODULE := vendor_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
-  $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
-  $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
-vendor_policy.conf := $(intermediates)/vendor_policy.conf
-$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(vendor_policy.conf): $(policy_files) $(M4)
-	$(transform-policy-to-conf)
-	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
-$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS))
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
-  $(vendor_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
-  $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
-  $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
-  $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-  $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
-		-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
-		-b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \
-		-t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
-
-built_vendor_cil := $(LOCAL_BUILT_MODULE)
-vendor_policy.conf :=
-
-#################################
-include $(CLEAR_VARS)
+built_vendor_cil := $(call intermediates-dir-for,ETC,vendor_sepolicy.cil)/vendor_sepolicy.cil
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
-# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
-# with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
-# policy and the platform public policy files in order to use checkpolicy.
-LOCAL_MODULE := odm_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
-  $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
-  $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-odm_policy.conf := $(intermediates)/odm_policy.conf
-$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(odm_policy.conf): $(policy_files) $(M4)
-	$(transform-policy-to-conf)
-	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_vendor_cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_vendor_cil)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
-  $(odm_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
-  $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
-  $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
-  $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-  $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-  $(built_vendor_cil)
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
-		-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
-		-b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \
-		-t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
-
-built_odm_cil := $(LOCAL_BUILT_MODULE)
-odm_policy.conf :=
-odm_policy_raw :=
+built_odm_cil := $(call intermediates-dir-for,ETC,odm_sepolicy.cil)/odm_sepolicy.cil
 endif
 
+built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
+built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
+built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
+
 #################################
+# sepolicy is also built with Android.bp.
+# This module is to keep compatibility with monolithic sepolicy devices.
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := precompiled_sepolicy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_cil_files := \
-    $(built_plat_cil) \
-    $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
-    $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
-    $(built_vendor_cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += $(built_system_ext_cil)
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_cil_files += $(built_odm_cil)
-endif
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-# Neverallow checks are skipped in a mixed build target.
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
-		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
-
-built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
-all_cil_files :=
-
-#################################
-# Precompiled sepolicy is loaded if and only if:
-# - plat_sepolicy_and_mapping.sha256 equals
-#   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
-# AND
-# - system_ext_sepolicy_and_mapping.sha256 equals
-#   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
-# AND
-# - product_sepolicy_and_mapping.sha256 equals
-#   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-# See system/core/init/selinux.cpp for details.
-#################################
-
-#################################
-include $(CLEAR_VARS)
-# build this target so that we can still perform neverallow checks
-
 LOCAL_MODULE := sepolicy
 LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
 LOCAL_LICENSE_CONDITIONS := notice unencumbered
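Review bot: The new `built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor` line is unconditional, whereas the removed Make module of that name was only defined under `ifeq ($(mixed_sepolicy_build),true)`; unless the Soong module is also defined for non-mixed builds, this references an intermediate that nothing produces. Suggest wrapping it: `ifeq ($(mixed_sepolicy_build),true)` / `built_sepolicy_neverallows += ...` / `endif`, or a comment stating that the Soong module always exists. Separately, the removed comment explaining when init actually loads `precompiled_sepolicy` (only when the plat, system_ext and product `*_sepolicy_and_mapping.sha256` files match the ones embedded next to the precompiled policy, per system/core/init/selinux.cpp) is the kind of security-relevant note that should survive the move; consider keeping a one-line pointer beside the new `built_sepolicy :=` definition, e.g. `# precompiled_sepolicy is only loaded when its *_sepolicy_and_mapping.sha256 files match; see init/selinux.cpp`.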
@@ -1006,111 +577,8 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_cil_files := \
-    $(built_plat_cil) \
-    $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
-    $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
-    $(built_vendor_cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += $(built_system_ext_cil)
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_cil_files += $(built_odm_cil)
-endif
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-# Neverallow checks are skipped in a mixed build target.
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
-$(built_sepolicy_neverallows)
-	@mkdir -p $(dir $@)
-	$(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
-	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
-	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
-		echo "==========" 1>&2; \
-		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
-		echo "List of invalid domains:" 1>&2; \
-		cat $@.permissivedomains 1>&2; \
-		exit 1; \
-		fi
-	$(hide) mv $@.tmp $@
-
-built_sepolicy := $(LOCAL_BUILT_MODULE)
-all_cil_files :=
-
-#################################
-include $(CLEAR_VARS)
-
-# keep concrete sepolicy for neverallow checks
-# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling.
-
-LOCAL_MODULE := sepolicy.recovery
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := sepolicy
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# We use vendor version's policy files because recovery partition is vendor-owned.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
-  $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
-  $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
-  $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
-$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
-$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy.recovery.conf): $(policy_files) $(M4)
-	$(transform-policy-to-conf)
-	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
-	$(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow
-	$(hide) mv $@.neverallow $@
-endif
-
-$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-                       $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
-		$(POLICYVERS) -o $@.tmp $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
-	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
-		echo "==========" 1>&2; \
-		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
-		echo "List of invalid domains:" 1>&2; \
-		cat $@.permissivedomains 1>&2; \
-		exit 1; \
-		fi
-	$(hide) mv $@.tmp $@
-
-sepolicy.recovery.conf :=
+$(LOCAL_BUILT_MODULE): $(built_sepolicy)
+	$(copy-file-to-target)
 
 ##################################
 # TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
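Review bot: The rewritten `sepolicy` rule now depends only on `$(built_sepolicy)`, while the removed rules made both `sepolicy` and `precompiled_sepolicy` depend on `$(built_sepolicy_neverallows)` so that a neverallow violation failed the build. On the new side `built_sepolicy_neverallows` is assigned earlier in the file but never consumed anywhere visible, so unless the Soong `precompiled_sepolicy` module itself depends on the neverallow test modules, the check no longer gates the shipped artifact. Suggest `$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_sepolicy_neverallows)`, or a comment on the rule naming where the neverallow gate now lives. The same question applies to the dropped `sepolicy-analyze ... permissive` step that rejected permissive domains in user builds, and to `sepolicy.recovery`, which is removed without a visible replacement.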
@@ -1296,28 +764,16 @@
 base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
 base_product_pub_policy.cil   := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
 
-version_under_treble_tests := 28.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 29.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 30.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 31.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 32.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
+  $(eval version_under_treble_tests := $(v)) \
+  $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
+)
 endif  # PRODUCT_SEPOLICY_SPLIT
 
-version_under_treble_tests := 28.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 29.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 30.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 31.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 32.0
-include $(LOCAL_PATH)/compat.mk
+$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
+  $(eval version_under_treble_tests := $(v)) \
+  $(eval include $(LOCAL_PATH)/compat.mk) \
+)
 
 built_plat_sepolicy :=
 built_system_ext_sepolicy :=
@@ -1343,7 +799,6 @@
 built_product_mapping_cil :=
 built_vendor_cil :=
 built_odm_cil :=
-built_precompiled_sepolicy :=
 built_sepolicy :=
 built_sepolicy_neverallows :=
 built_plat_svc :=
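Review bot: The two `$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), ...)` loops silently run zero times if that variable is unset or empty, so the treble and compat tests would vanish from the build with no error, whereas the old hard-coded 28.0–32.0 list could not regress that way. Suggest a guard ahead of the loops: `ifeq ($(strip $(PLATFORM_SEPOLICY_COMPAT_VERSIONS)),)` / `$(error PLATFORM_SEPOLICY_COMPAT_VERSIONS must list the supported vendor sepolicy versions)` / `endif`. A short comment above the loops saying the list must match the `se_cil_compat_map` versions in Android.bp would also help the next person who adds a release.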
diff --git a/apex/Android.bp b/apex/Android.bp
index 5276cca..166c2d3 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -22,6 +22,11 @@
 }
 
 filegroup {
+  name: "apex_file_contexts_files",
+  srcs: ["*-file_contexts"],
+}
+
+filegroup {
   name: "apex.test-file_contexts",
   srcs: [
     "apex.test-file_contexts",
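Review bot: The new `apex_file_contexts_files` filegroup globs `*-file_contexts`, so it also captures `apex.test-file_contexts` (declared as its own filegroup directly below) and any file later dropped into this directory. If the consumer feeds this into a device policy artifact rather than a host test, test-only contexts would end up in shipped policy; consider an explicit `exclude_srcs: ["apex.test-file_contexts"]` or a comment stating the intent, e.g. `// All *-file_contexts here, test contexts included; used only by the neverallow/compat tests`.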
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index e3b6541..ea11e1f 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -36,6 +36,7 @@
         "cil_compat_map.go",
         "compat_cil.go",
         "filegroup.go",
+        "neverallow_test.go",
         "policy.go",
         "selinux.go",
         "selinux_contexts.go",
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 8f77e4f..865dbb4 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -95,8 +95,33 @@
 	b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
 	b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "public"))
 	b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "private"))
+	b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
 	b.srcs[".system_ext_public"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs()...)
 	b.srcs[".system_ext_private"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()...)
 	b.srcs[".product_public"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs()...)
 	b.srcs[".product_private"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs()...)
+	b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
+	b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
+
+	if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
+		// vendor uses the same source with plat policy
+		b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]
+		b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]
+		b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]
+		b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]
+		b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]
+		b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]
+		b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]
+		b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]
+	} else {
+		// use vendor-supplied plat prebuilts
+		b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
+		b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
+		b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
+		b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
+		b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
+		b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
+		b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
+		b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
+	}
 }
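Review bot: In the else branch the `.plat_public_for_vendor` and `.plat_private_for_vendor` lookups build the prebuilt directory from `ctx.DeviceConfig().BoardSepolicyVers()` with no check that `prebuilts/api/<vers>/...` exists, so an unsupported or empty BOARD_SEPOLICY_VERS presumably yields an empty source list rather than an error (what `findSrcsInDirs` does with a missing directory is outside this hunk). A `ctx.ModuleErrorf` when the directory is absent would turn a silently empty vendor policy into a build failure, which is the safer outcome for a policy input. The comment on the first branch reads better as `// vendor uses the same sources as plat policy`. The enclosing function starts before the hunk.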
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 47fd14c..59d1172 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -181,7 +181,15 @@
 }
 
 var _ CilCompatMapGenerator = (*cilCompatMap)(nil)
+var _ android.OutputFileProducer = (*cilCompatMap)(nil)
 
 func (c *cilCompatMap) GeneratedMapFile() android.Path {
 	return c.installSource
 }
+
+func (c *cilCompatMap) OutputFiles(tag string) (android.Paths, error) {
+	if tag == "" {
+		return android.Paths{c.installSource}, nil
+	}
+	return nil, fmt.Errorf("Unknown tag %q", tag)
+}
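Review bot: The error string in `OutputFiles` is capitalised, which Go style (staticcheck ST1005) flags because errors are usually wrapped mid-sentence; `return nil, fmt.Errorf("unknown tag %q", tag)` matches the convention. The method also returns `c.installSource` for the empty tag without checking it; if `OutputFiles` can be reached before `GenerateAndroidBuildActions` has set it, the caller gets a nil path with a nil error — worth confirming, or guarding with `if c.installSource == nil { return nil, fmt.Errorf("no output yet") }`.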
diff --git a/build/soong/neverallow_test.go b/build/soong/neverallow_test.go
new file mode 100644
index 0000000..119e477
--- /dev/null
+++ b/build/soong/neverallow_test.go
@@ -0,0 +1,188 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+	"github.com/google/blueprint/proptools"
+
+	"fmt"
+	"strconv"
+
+	"android/soong/android"
+)
+
+func init() {
+	ctx := android.InitRegistrationContext
+	ctx.RegisterModuleType("se_neverallow_test", neverallowTestFactory)
+}
+
+type neverallowTestProperties struct {
+	// Policy files to be tested.
+	Srcs []string `android:"path"`
+}
+
+type neverallowTestModule struct {
+	android.ModuleBase
+	properties    neverallowTestProperties
+	testTimestamp android.ModuleOutPath
+}
+
+type nameProperties struct {
+	Name *string
+}
+
+var checkpolicyTag = dependencyTag{name: "checkpolicy"}
+var sepolicyAnalyzeTag = dependencyTag{name: "sepolicy_analyze"}
+
+// se_neverallow_test builds given policy files and checks whether any neverallow violations exist.
+// This module creates two conf files, one with build test and one without build test. Policy with
+// build test will be compiled with checkpolicy, and policy without build test will be tested with
+// sepolicy-analyze's neverallow tool.  This module's check can be skipped by setting
+// SELINUX_IGNORE_NEVERALLOWS := true.
+func neverallowTestFactory() android.Module {
+	n := &neverallowTestModule{}
+	n.AddProperties(&n.properties)
+	android.InitAndroidModule(n)
+	android.AddLoadHook(n, func(ctx android.LoadHookContext) {
+		n.loadHook(ctx)
+	})
+	return n
+}
+
+// Child conf module name for checkpolicy test.
+func (n *neverallowTestModule) checkpolicyConfModuleName() string {
+	return n.Name() + ".checkpolicy.conf"
+}
+
+// Child conf module name for sepolicy-analyze test.
+func (n *neverallowTestModule) sepolicyAnalyzeConfModuleName() string {
+	return n.Name() + ".sepolicy_analyze.conf"
+}
+
+func (n *neverallowTestModule) loadHook(ctx android.LoadHookContext) {
+	checkpolicyConf := n.checkpolicyConfModuleName()
+	ctx.CreateModule(policyConfFactory, &nameProperties{
+		Name: proptools.StringPtr(checkpolicyConf),
+	}, &policyConfProperties{
+		Srcs:          n.properties.Srcs,
+		Build_variant: proptools.StringPtr("user"),
+		Installable:   proptools.BoolPtr(false),
+	})
+
+	sepolicyAnalyzeConf := n.sepolicyAnalyzeConfModuleName()
+	ctx.CreateModule(policyConfFactory, &nameProperties{
+		Name: proptools.StringPtr(sepolicyAnalyzeConf),
+	}, &policyConfProperties{
+		Srcs:               n.properties.Srcs,
+		Build_variant:      proptools.StringPtr("user"),
+		Exclude_build_test: proptools.BoolPtr(true),
+		Installable:        proptools.BoolPtr(false),
+	})
+}
+
+func (n *neverallowTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+	ctx.AddDependency(n, checkpolicyTag, n.checkpolicyConfModuleName())
+	ctx.AddDependency(n, sepolicyAnalyzeTag, n.sepolicyAnalyzeConfModuleName())
+}
+
+func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	n.testTimestamp = android.PathForModuleOut(ctx, "timestamp")
+	if ctx.Config().SelinuxIgnoreNeverallows() {
+		// just touch
+		android.WriteFileRule(ctx, n.testTimestamp, "")
+		return
+	}
+
+	var checkpolicyConfPaths android.Paths
+	var sepolicyAnalyzeConfPaths android.Paths
+
+	ctx.VisitDirectDeps(func(child android.Module) {
+		depTag := ctx.OtherModuleDependencyTag(child)
+		if depTag != checkpolicyTag && depTag != sepolicyAnalyzeTag {
+			return
+		}
+
+		o, ok := child.(android.OutputFileProducer)
+		if !ok {
+			panic(fmt.Errorf("Module %q isn't an OutputFileProducer", ctx.OtherModuleName(child)))
+		}
+
+		outputs, err := o.OutputFiles("")
+		if err != nil {
+			panic(fmt.Errorf("Module %q error while producing output: %v", ctx.OtherModuleName(child), err))
+		}
+
+		switch ctx.OtherModuleDependencyTag(child) {
+		case checkpolicyTag:
+			checkpolicyConfPaths = outputs
+		case sepolicyAnalyzeTag:
+			sepolicyAnalyzeConfPaths = outputs
+		}
+	})
+
+	if len(checkpolicyConfPaths) != 1 {
+		panic(fmt.Errorf("Module %q should produce exactly one output", n.checkpolicyConfModuleName()))
+	}
+
+	if len(sepolicyAnalyzeConfPaths) != 1 {
+		panic(fmt.Errorf("Module %q should produce exactly one output", n.sepolicyAnalyzeConfModuleName()))
+	}
+
+	checkpolicyConfPath := checkpolicyConfPaths[0]
+	sepolicyAnalyzeConfPath := sepolicyAnalyzeConfPaths[0]
+
+	rule := android.NewRuleBuilder(pctx, ctx)
+
+	// Step 1. Build a binary policy from the conf file including build test
+	binaryPolicy := android.PathForModuleOut(ctx, "policy")
+	rule.Command().BuiltTool("checkpolicy").
+		Flag("-M").
+		FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+		FlagWithOutput("-o ", binaryPolicy).
+		Input(checkpolicyConfPath)
+
+	// Step 2. Run sepolicy-analyze with the conf file without the build test and binary policy
+	// file from Step 1
+
+	msg := `sepolicy-analyze failed. This is most likely due to the use\n` +
+		`of an expanded attribute in a neverallow assertion. Please fix\n` +
+		`the policy.`
+
+	rule.Command().BuiltTool("sepolicy-analyze").
+		Input(binaryPolicy).
+		Text("neverallow").
+		Flag("-w").
+		FlagWithInput("-f ", sepolicyAnalyzeConfPath).
+		Text("|| (echo").
+		Flag("-e").
+		Text(`"` + msg + `"`).
+		Text("; exit 1)")
+
+	rule.Temporary(binaryPolicy)
+	rule.Command().Text("touch").Output(n.testTimestamp)
+	rule.Build("neverallow", "Neverallow check: "+ctx.ModuleName())
+}
+
+func (n *neverallowTestModule) AndroidMkEntries() []android.AndroidMkEntries {
+	return []android.AndroidMkEntries{android.AndroidMkEntries{
+		OutputFile: android.OptionalPathForPath(n.testTimestamp),
+		Class:      "ETC",
+		ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+			func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+				entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", true)
+			},
+		},
+	}}
+}
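Review bot: In `GenerateAndroidBuildActions` the `switch ctx.OtherModuleDependencyTag(child)` re-queries the tag that `depTag` already holds a few lines above; `switch depTag {` is enough and keeps the filter and the dispatch on the same value. The three `panic(fmt.Errorf(...))` calls report what look like configuration errors (a dependency that is not an `OutputFileProducer`, or not exactly one output); elsewhere in this change such conditions go through `ctx.PropertyErrorf`/`ctx.ModuleErrorf`, which name the module and fail the build without a stack trace, so unless these are meant as invariant violations they could do the same. The import block lists `github.com/google/blueprint/proptools` ahead of the standard library; gofmt leaves it, but the usual grouping is stdlib first, then third party, then `android/soong/...`.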
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 8d0e1a4..2b190e6 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -83,6 +83,9 @@
 	// Whether to build CTS specific policy or not. Default is false
 	Cts *bool
 
+	// Whether to build recovery specific policy or not. Default is false
+	Target_recovery *bool
+
 	// Whether this module is directly installable to one of the partitions. Default is true
 	Installable *bool
 }
@@ -130,6 +133,10 @@
 	return proptools.Bool(c.properties.Cts)
 }
 
+func (c *policyConf) isTargetRecovery() bool {
+	return proptools.Bool(c.properties.Target_recovery)
+}
+
 func (c *policyConf) withAsan(ctx android.ModuleContext) string {
 	isAsanDevice := android.InList("address", ctx.Config().SanitizeDevice())
 	return strconv.FormatBool(proptools.BoolDefault(c.properties.With_asan, isAsanDevice))
@@ -139,6 +146,9 @@
 	if c.cts() {
 		return "cts"
 	}
+	if c.isTargetRecovery() {
+		return "false"
+	}
 	return strconv.FormatBool(ctx.DeviceConfig().SepolicySplit())
 }
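Review bot: The same three-line `if c.isTargetRecovery() { return "false" }` block is added to four accessors, here and in the `-146`, `-153` and `-160` hunks that follow, and in each the `cts()` check runs first, so a module with both `cts` and `target_recovery` set reports "cts". That is probably intended, but a comment on `isTargetRecovery` such as `// Recovery policy disables the treble/sysprop checks; cts takes precedence when both are set.` would record the order. The accessors' signatures lie outside these hunks.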
 
@@ -146,6 +156,9 @@
 	if c.cts() {
 		return "cts"
 	}
+	if c.isTargetRecovery() {
+		return "false"
+	}
 	return "true"
 }
 
@@ -153,6 +166,9 @@
 	if c.cts() {
 		return "cts"
 	}
+	if c.isTargetRecovery() {
+		return "false"
+	}
 	return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenTrebleSyspropNeverallow())
 }
 
@@ -160,6 +176,9 @@
 	if c.cts() {
 		return "cts"
 	}
+	if c.isTargetRecovery() {
+		return "false"
+	}
 	return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
 }
 
@@ -206,6 +225,7 @@
 		FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
 		FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
 		FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
+		FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
 		Flag("-s").
 		Inputs(srcs).
 		Text("> ").Output(conf)
@@ -439,6 +459,10 @@
 	return c
 }
 
+func (c *policyBinary) InstallInRoot() bool {
+	return c.InstallInRecovery()
+}
+
 func (c *policyBinary) Installable() bool {
 	return proptools.BoolDefault(c.properties.Installable, true)
 }
@@ -452,7 +476,7 @@
 		ctx.PropertyErrorf("srcs", "must be specified")
 		return
 	}
-	bin := android.PathForModuleOut(ctx, c.stem()).OutputPath
+	bin := android.PathForModuleOut(ctx, c.stem()+"_policy")
 	rule := android.NewRuleBuilder(pctx, ctx)
 	secilcCmd := rule.Command().BuiltTool("secilc").
 		Flag("-m").                 // Multiple decls
@@ -466,15 +490,52 @@
 	if proptools.BoolDefault(c.properties.Ignore_neverallow, ctx.Config().SelinuxIgnoreNeverallows()) {
 		secilcCmd.Flag("-N")
 	}
+	rule.Temporary(bin)
 
+	// permissive check is performed only in user build (not debuggable).
+	if !ctx.Config().Debuggable() {
+		permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
+		rule.Command().BuiltTool("sepolicy-analyze").
+			Input(bin).
+			Text("permissive").
+			Text(" > ").
+			Output(permissiveDomains)
+		rule.Temporary(permissiveDomains)
+
+		msg := `==========\n` +
+			`ERROR: permissive domains not allowed in user builds\n` +
+			`List of invalid domains:`
+
+		rule.Command().Text("if test").
+			FlagWithInput("-s ", permissiveDomains).
+			Text("; then echo").
+			Flag("-e").
+			Text(`"` + msg + `"`).
+			Text("&& cat ").
+			Input(permissiveDomains).
+			Text("; exit 1; fi")
+	}
+
+	out := android.PathForModuleOut(ctx, c.stem())
+	rule.Command().Text("cp").
+		Flag("-f").
+		Input(bin).
+		Output(out)
+
+	rule.DeleteTemporaryFiles()
 	rule.Build("secilc", "Compiling cil files for "+ctx.ModuleName())
 
 	if !c.Installable() {
 		c.SkipInstall()
 	}
 
-	c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
-	c.installSource = bin
+	if c.InstallInRecovery() {
+		// install in root
+		c.installPath = android.PathForModuleInstall(ctx)
+	} else {
+		c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+	}
+	c.installSource = out
 	ctx.InstallFile(c.installPath, c.stem(), c.installSource)
 }
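Review bot: The permissive-domain analysis is skipped entirely when `ctx.Config().Debuggable()` is true, so a permissive domain introduced while developing on a userdebug build is first noticed on a user build. Running the `sepolicy-analyze ... permissive` command unconditionally and gating only the `exit 1` (or demoting it to an echoed warning) on the non-debuggable case would surface the problem earlier at no extra cost; the comment `// permissive check is performed only in user build (not debuggable).` would then describe the failure, not the analysis. The new `c.installPath` branch and `InstallInRoot` in the earlier hunk both key off `c.InstallInRecovery()`; a short comment on the branch (`// recovery policy is installed at the root of the recovery image`) would tie the two together. The enclosing function starts before the hunk.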
 
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index a40716a..71de38a 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -34,18 +34,11 @@
 	Stem *string
 
 	Product_variables struct {
-		Debuggable struct {
-			Srcs []string
-		}
-
 		Address_sanitize struct {
-			Srcs []string
+			Srcs []string `android:"path"`
 		}
 	}
 
-	// Whether reqd_mask directory is included to sepolicy directories or not.
-	Reqd_mask *bool
-
 	// Whether the comments in generated contexts file will be removed or not.
 	Remove_comment *bool
 
@@ -61,7 +54,7 @@
 	// Apex paths, /system/apex/{apex_name}, will be amended to the paths of file_contexts
 	// entries.
 	Flatten_apex struct {
-		Srcs []string
+		Srcs []string `android:"path"`
 	}
 }
 
@@ -145,51 +138,7 @@
 		}
 	}
 
-	var inputs android.Paths
-
-	ctx.VisitDirectDeps(func(dep android.Module) {
-		depTag := ctx.OtherModuleDependencyTag(dep)
-		if !android.IsSourceDepTagWithOutputTag(depTag, "") {
-			return
-		}
-		segroup, ok := dep.(*fileGroup)
-		if !ok {
-			ctx.ModuleErrorf("srcs dependency %q is not an selinux filegroup",
-				ctx.OtherModuleName(dep))
-			return
-		}
-
-		if ctx.ProductSpecific() {
-			inputs = append(inputs, segroup.ProductPrivateSrcs()...)
-		} else if ctx.SocSpecific() {
-			inputs = append(inputs, segroup.SystemVendorSrcs()...)
-			inputs = append(inputs, segroup.VendorSrcs()...)
-		} else if ctx.DeviceSpecific() {
-			inputs = append(inputs, segroup.OdmSrcs()...)
-		} else if ctx.SystemExtSpecific() {
-			inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
-		} else {
-			inputs = append(inputs, segroup.SystemPrivateSrcs()...)
-			inputs = append(inputs, segroup.SystemPublicSrcs()...)
-		}
-
-		if proptools.Bool(m.properties.Reqd_mask) {
-			if ctx.SocSpecific() || ctx.DeviceSpecific() {
-				inputs = append(inputs, segroup.VendorReqdMaskSrcs()...)
-			} else {
-				inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
-			}
-		}
-	})
-
-	for _, src := range m.properties.Srcs {
-		// Module sources are handled above with VisitDirectDepsWithTag
-		if android.SrcIsModule(src) == "" {
-			inputs = append(inputs, android.PathForModuleSrc(ctx, src))
-		}
-	}
-
-	m.outputPath = m.build(ctx, inputs)
+	m.outputPath = m.build(ctx, android.PathsForModuleSrc(ctx, m.properties.Srcs))
 	ctx.InstallFile(m.installPath, m.stem(), m.outputPath)
 }
 
@@ -197,6 +146,7 @@
 	m := &selinuxContextsModule{}
 	m.AddProperties(
 		&m.properties,
+		&m.fileContextsProperties,
 	)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
 	android.AddLoadHook(m, func(ctx android.LoadHookContext) {
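Review bot: `&m.fileContextsProperties` is now registered for every contexts module produced here, while the later `fileFactory` hunk drops it, so `flatten_apex` becomes an accepted and silently ignored property on property_contexts, hwservice_contexts, service_contexts and keystore2_key_contexts modules. If the move is needed so the `android:"path"` tag on `Flatten_apex.Srcs` is resolved for every factory, a comment saying so would help; otherwise keeping the registration in `fileFactory` preserves the stricter property validation. The enclosing function starts before the hunk.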
@@ -209,10 +159,6 @@
 	// TODO: clean this up to use build/soong/android/variable.go after b/79249983
 	var srcs []string
 
-	if ctx.Config().Debuggable() {
-		srcs = append(srcs, m.properties.Product_variables.Debuggable.Srcs...)
-	}
-
 	for _, sanitize := range ctx.Config().SanitizeDevice() {
 		if sanitize == "address" {
 			srcs = append(srcs, m.properties.Product_variables.Address_sanitize.Srcs...)
@@ -333,25 +279,18 @@
 	rule := android.NewRuleBuilder(pctx, ctx)
 
 	if ctx.Config().FlattenApex() {
-		for _, src := range m.fileContextsProperties.Flatten_apex.Srcs {
-			if m := android.SrcIsModule(src); m != "" {
-				ctx.ModuleErrorf(
-					"Module srcs dependency %q is not supported for flatten_apex.srcs", m)
-				return nil
-			}
-			for _, path := range android.PathsForModuleSrcExcludes(ctx, []string{src}, nil) {
-				out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
-				apex_path := "/system/apex/" + strings.Replace(
-					strings.TrimSuffix(path.Base(), "-file_contexts"),
-					".", "\\\\.", -1)
+		for _, path := range android.PathsForModuleSrc(ctx, m.fileContextsProperties.Flatten_apex.Srcs) {
+			out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
+			apex_path := "/system/apex/" + strings.Replace(
+				strings.TrimSuffix(path.Base(), "-file_contexts"),
+				".", "\\\\.", -1)
 
-				rule.Command().
-					Text("awk '/object_r/{printf(\""+apex_path+"%s\\n\",$0)}'").
-					Input(path).
-					FlagWithOutput("> ", out)
+			rule.Command().
+				Text("awk '/object_r/{printf(\""+apex_path+"%s\\n\",$0)}'").
+				Input(path).
+				FlagWithOutput("> ", out)
 
-				inputs = append(inputs, out)
-			}
+			inputs = append(inputs, out)
 		}
 	}
 
@@ -361,7 +300,6 @@
 
 func fileFactory() android.Module {
 	m := newModule()
-	m.AddProperties(&m.fileContextsProperties)
 	m.build = m.buildFileContexts
 	return m
 }
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index d4bdd74..dc07910 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -35,8 +35,8 @@
 	// Output file name. Defaults to {name} if target_policy is set, {version}.cil if mapping is set
 	Stem *string
 
-	// Target sepolicy version. Can be a specific version number (e.g. "30.0" for R) or "current"
-	// (PLATFORM_SEPOLICY_VERSION). Defaults to "current"
+	// Target sepolicy version. Can be a specific version number (e.g. "30.0" for R), "current"
+	// (PLATFORM_SEPOLICY_VERSION), or "vendor" (BOARD_SEPOLICY_VERS). Defaults to "current"
 	Version *string
 
 	// If true, generate mapping file from given base cil file. Cannot be set with target_policy.
@@ -90,6 +90,8 @@
 	version := proptools.StringDefault(m.properties.Version, "current")
 	if version == "current" {
 		version = ctx.DeviceConfig().PlatformSepolicyVersion()
+	} else if version == "vendor" {
+		version = ctx.DeviceConfig().BoardSepolicyVers()
 	}
 
 	var stem string
diff --git a/compat/Android.bp b/compat/Android.bp
new file mode 100644
index 0000000..715e4b3
--- /dev/null
+++ b/compat/Android.bp
@@ -0,0 +1,262 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains module definitions for compatibility files.
+
+se_cil_compat_map {
+    name: "plat_28.0.cil",
+    stem: "28.0.cil",
+    bottom_half: [":28.0.board.compat.map"],
+    top_half: "plat_29.0.cil",
+}
+
+se_cil_compat_map {
+    name: "plat_29.0.cil",
+    stem: "29.0.cil",
+    bottom_half: [":29.0.board.compat.map"],
+    top_half: "plat_30.0.cil",
+}
+
+se_cil_compat_map {
+    name: "plat_30.0.cil",
+    stem: "30.0.cil",
+    bottom_half: [":30.0.board.compat.map"],
+    top_half: "plat_31.0.cil",
+}
+
+se_cil_compat_map {
+    name: "plat_31.0.cil",
+    stem: "31.0.cil",
+    bottom_half: [":31.0.board.compat.map"],
+    top_half: "plat_32.0.cil",
+}
+
+se_cil_compat_map {
+    name: "plat_32.0.cil",
+    stem: "32.0.cil",
+    bottom_half: [":32.0.board.compat.map"],
+    // top_half: "plat_33.0.cil",
+}
+
+se_cil_compat_map {
+    name: "system_ext_28.0.cil",
+    stem: "28.0.cil",
+    bottom_half: [":28.0.board.compat.map"],
+    top_half: "system_ext_29.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_29.0.cil",
+    stem: "29.0.cil",
+    bottom_half: [":29.0.board.compat.map"],
+    top_half: "system_ext_30.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_30.0.cil",
+    stem: "30.0.cil",
+    bottom_half: [":30.0.board.compat.map"],
+    top_half: "system_ext_31.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_31.0.cil",
+    stem: "31.0.cil",
+    bottom_half: [":31.0.board.compat.map"],
+    top_half: "system_ext_32.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_32.0.cil",
+    stem: "32.0.cil",
+    bottom_half: [":32.0.board.compat.map"],
+    // top_half: "system_ext_33.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_28.0.cil",
+    stem: "28.0.cil",
+    bottom_half: [":28.0.board.compat.map"],
+    top_half: "product_29.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_29.0.cil",
+    stem: "29.0.cil",
+    bottom_half: [":29.0.board.compat.map"],
+    top_half: "product_30.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_30.0.cil",
+    stem: "30.0.cil",
+    bottom_half: [":30.0.board.compat.map"],
+    top_half: "product_31.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_31.0.cil",
+    stem: "31.0.cil",
+    bottom_half: [":31.0.board.compat.map"],
+    top_half: "product_32.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_32.0.cil",
+    stem: "32.0.cil",
+    bottom_half: [":32.0.board.compat.map"],
+    // top_half: "product_33.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "28.0.ignore.cil",
+    bottom_half: [":28.0.board.ignore.map"],
+    top_half: "29.0.ignore.cil",
+}
+
+se_cil_compat_map {
+    name: "29.0.ignore.cil",
+    bottom_half: [":29.0.board.ignore.map"],
+    top_half: "30.0.ignore.cil",
+}
+
+se_cil_compat_map {
+    name: "30.0.ignore.cil",
+    bottom_half: [":30.0.board.ignore.map"],
+    top_half: "31.0.ignore.cil",
+}
+
+se_cil_compat_map {
+    name: "31.0.ignore.cil",
+    bottom_half: [":31.0.board.ignore.map"],
+    top_half: "32.0.ignore.cil",
+}
+
+se_cil_compat_map {
+    name: "32.0.ignore.cil",
+    bottom_half: [":32.0.board.ignore.map"],
+    // top_half: "33.0.ignore.cil",
+}
+
+se_cil_compat_map {
+    name: "system_ext_30.0.ignore.cil",
+    bottom_half: [":30.0.board.ignore.map"],
+    top_half: "system_ext_31.0.ignore.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_31.0.ignore.cil",
+    bottom_half: [":31.0.board.ignore.map"],
+    top_half: "system_ext_32.0.ignore.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_32.0.ignore.cil",
+    bottom_half: [":32.0.board.ignore.map"],
+    // top_half: "system_ext_33.0.ignore.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_30.0.ignore.cil",
+    bottom_half: [":30.0.board.ignore.map"],
+    top_half: "product_31.0.ignore.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_31.0.ignore.cil",
+    bottom_half: [":31.0.board.ignore.map"],
+    top_half: "product_32.0.ignore.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_32.0.ignore.cil",
+    bottom_half: [":32.0.board.ignore.map"],
+    // top_half: "product_33.0.ignore.cil",
+    product_specific: true,
+}
+
+se_compat_cil {
+    name: "28.0.compat.cil",
+    srcs: [":28.0.board.compat.cil"],
+}
+
+se_compat_cil {
+    name: "29.0.compat.cil",
+    srcs: [":29.0.board.compat.cil"],
+}
+
+se_compat_cil {
+    name: "30.0.compat.cil",
+    srcs: [":30.0.board.compat.cil"],
+}
+
+se_compat_cil {
+    name: "31.0.compat.cil",
+    srcs: [":31.0.board.compat.cil"],
+}
+
+se_compat_cil {
+    name: "32.0.compat.cil",
+    srcs: [":32.0.board.compat.cil"],
+}
+
+se_compat_cil {
+    name: "system_ext_28.0.compat.cil",
+    srcs: [":28.0.board.compat.cil"],
+    stem: "28.0.compat.cil",
+    system_ext_specific: true,
+}
+
+se_compat_cil {
+    name: "system_ext_29.0.compat.cil",
+    srcs: [":29.0.board.compat.cil"],
+    stem: "29.0.compat.cil",
+    system_ext_specific: true,
+}
+
+se_compat_cil {
+    name: "system_ext_30.0.compat.cil",
+    srcs: [":30.0.board.compat.cil"],
+    stem: "30.0.compat.cil",
+    system_ext_specific: true,
+}
+
+se_compat_cil {
+    name: "system_ext_31.0.compat.cil",
+    srcs: [":31.0.board.compat.cil"],
+    stem: "31.0.compat.cil",
+    system_ext_specific: true,
+}
+
+se_compat_cil {
+    name: "system_ext_32.0.compat.cil",
+    srcs: [":32.0.board.compat.cil"],
+    stem: "32.0.compat.cil",
+    system_ext_specific: true,
+}
diff --git a/contexts/Android.bp b/contexts/Android.bp
new file mode 100644
index 0000000..ed98683
--- /dev/null
+++ b/contexts/Android.bp
@@ -0,0 +1,224 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains module definitions for various contexts files.
+
+file_contexts {
+    name: "plat_file_contexts",
+    srcs: [":file_contexts_files{.plat_private}"],
+    product_variables: {
+        address_sanitize: {
+            srcs: [":file_contexts_asan_files{.plat_private}"],
+        },
+        debuggable: {
+            srcs: [":file_contexts_overlayfs_files{.plat_private}"],
+        },
+    },
+
+    flatten_apex: {
+        srcs: [":apex_file_contexts_files"],
+    },
+}
+
+file_contexts {
+    name: "plat_file_contexts.recovery",
+    srcs: [":file_contexts_files{.plat_private}"],
+    stem: "plat_file_contexts",
+    product_variables: {
+        address_sanitize: {
+            srcs: [":file_contexts_asan_files{.plat_private}"],
+        },
+        debuggable: {
+            srcs: [":file_contexts_overlayfs_files{.plat_private}"],
+        },
+    },
+
+    flatten_apex: {
+        srcs: [":apex_file_contexts_files"],
+    },
+
+    recovery: true,
+}
+
+file_contexts {
+    name: "vendor_file_contexts",
+    srcs: [
+        ":file_contexts_files{.plat_vendor_for_vendor}",
+        ":file_contexts_files{.vendor}",
+    ],
+    soc_specific: true,
+    recovery_available: true,
+}
+
+file_contexts {
+    name: "system_ext_file_contexts",
+    srcs: [":file_contexts_files{.system_ext_private}"],
+    system_ext_specific: true,
+    recovery_available: true,
+}
+
+file_contexts {
+    name: "product_file_contexts",
+    srcs: [":file_contexts_files{.product_private}"],
+    product_specific: true,
+    recovery_available: true,
+}
+
+file_contexts {
+    name: "odm_file_contexts",
+    srcs: [":file_contexts_files{.odm}"],
+    device_specific: true,
+    recovery_available: true,
+}
+
+hwservice_contexts {
+    name: "plat_hwservice_contexts",
+    srcs: [":hwservice_contexts_files{.plat_private}"],
+}
+
+hwservice_contexts {
+    name: "system_ext_hwservice_contexts",
+    srcs: [":hwservice_contexts_files{.system_ext_private}"],
+    system_ext_specific: true,
+}
+
+hwservice_contexts {
+    name: "product_hwservice_contexts",
+    srcs: [":hwservice_contexts_files{.product_private}"],
+    product_specific: true,
+}
+
+hwservice_contexts {
+    name: "vendor_hwservice_contexts",
+    srcs: [
+        ":hwservice_contexts_files{.plat_vendor_for_vendor}",
+        ":hwservice_contexts_files{.vendor}",
+        ":hwservice_contexts_files{.reqd_mask_for_vendor}",
+    ],
+    soc_specific: true,
+}
+
+hwservice_contexts {
+    name: "odm_hwservice_contexts",
+    srcs: [":hwservice_contexts_files{.odm}"],
+    device_specific: true,
+}
+
+property_contexts {
+    name: "plat_property_contexts",
+    srcs: [":property_contexts_files{.plat_private}"],
+}
+
+property_contexts {
+    name: "plat_property_contexts.recovery",
+    srcs: [":property_contexts_files{.plat_private}"],
+    stem: "plat_property_contexts",
+    recovery: true,
+}
+
+property_contexts {
+    name: "system_ext_property_contexts",
+    srcs: [":property_contexts_files{.system_ext_private}"],
+    system_ext_specific: true,
+    recovery_available: true,
+}
+
+property_contexts {
+    name: "product_property_contexts",
+    srcs: [":property_contexts_files{.product_private}"],
+    product_specific: true,
+    recovery_available: true,
+}
+
+property_contexts {
+    name: "vendor_property_contexts",
+    srcs: [
+        ":property_contexts_files{.plat_vendor_for_vendor}",
+        ":property_contexts_files{.vendor}",
+        ":property_contexts_files{.reqd_mask_for_vendor}",
+    ],
+    soc_specific: true,
+    recovery_available: true,
+}
+
+property_contexts {
+    name: "odm_property_contexts",
+    srcs: [":property_contexts_files{.odm}"],
+    device_specific: true,
+    recovery_available: true,
+}
+
+service_contexts {
+    name: "plat_service_contexts",
+    srcs: [":service_contexts_files{.plat_private}"],
+}
+
+service_contexts {
+    name: "plat_service_contexts.recovery",
+    srcs: [":service_contexts_files{.plat_private}"],
+    stem: "plat_service_contexts",
+    recovery: true,
+}
+
+service_contexts {
+    name: "system_ext_service_contexts",
+    srcs: [":service_contexts_files{.system_ext_private}"],
+    system_ext_specific: true,
+    recovery_available: true,
+}
+
+service_contexts {
+    name: "product_service_contexts",
+    srcs: [":service_contexts_files{.product_private}"],
+    product_specific: true,
+    recovery_available: true,
+}
+
+service_contexts {
+    name: "vendor_service_contexts",
+    srcs: [
+        ":service_contexts_files{.plat_vendor_for_vendor}",
+        ":service_contexts_files{.vendor}",
+        ":service_contexts_files{.reqd_mask_for_vendor}",
+    ],
+    soc_specific: true,
+    recovery_available: true,
+}
+
+keystore2_key_contexts {
+    name: "plat_keystore2_key_contexts",
+    srcs: [":keystore2_key_contexts_files{.plat_private}"],
+}
+
+keystore2_key_contexts {
+    name: "system_keystore2_key_contexts",
+    srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
+    system_ext_specific: true,
+}
+
+keystore2_key_contexts {
+    name: "product_keystore2_key_contexts",
+    srcs: [":keystore2_key_contexts_files{.product_private}"],
+    product_specific: true,
+}
+
+keystore2_key_contexts {
+    name: "vendor_keystore2_key_contexts",
+    srcs: [
+        ":keystore2_key_contexts_files{.plat_vendor_for_vendor}",
+        ":keystore2_key_contexts_files{.vendor}",
+        ":keystore2_key_contexts_files{.reqd_mask_for_vendor}",
+    ],
+    soc_specific: true,
+}
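Review bot: `vendor_file_contexts` lists only the `{.plat_vendor_for_vendor}` and `{.vendor}` sources, whereas the vendor hwservice, property, service and keystore2 contexts modules also pull `{.reqd_mask_for_vendor}`. If the reqd_mask directory carries no file_contexts this is harmless, but a one-line comment on the module (`// reqd_mask provides no file_contexts`) would stop the next reader treating it as a missed line; if the omission is not deliberate the entry should be added. `system_keystore2_key_contexts` also breaks the `system_ext_` naming the other system_ext modules use — presumably kept for compatibility with existing references.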
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 5ec418c..cca95c2 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -98,3 +98,6 @@
 
 # apexd uses it to decide whether it needs to keep retrying polling for loop device.
 get_prop(apexd, cold_boot_done_prop)
+
+# apexd uses this to determine where there metadata partition is.
+get_prop(apexd, apexd_payload_metadata_prop)
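Review bot: The comment above the new get_prop has a typo — `there` should be `the`; suggest `# apexd uses this to determine where the metadata partition is.` Read-only access here is the right shape, since the same commit adds a neverallow in microdroid/system/private/property.te that restricts setting the property to init.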
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 7866b20..cbf09ad 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -19,20 +19,12 @@
     use
 };
 
-# Although the compos should not really read/write the FD on authfs_fuse, this
-# is apparently required for the binder driver to pass the FDs to compos from
-# authfs_service.
-allow compos authfs_fuse:file { read write };
-
-# Allow getattr (in fact, getxattr) as a workaround to retrieve fs-verity
-# metadata. See b/196635431.
-allow compos authfs_fuse:file getattr;
-
-# Allow creating the odrefresh output directory in authfs.
-allow compos authfs_fuse:dir create_dir_perms;
+# Read artifacts created by odrefresh and create signature files.
+allow compos authfs_fuse:dir rw_dir_perms;
+allow compos authfs_fuse:file create_file_perms;
 
 # Allow locating the authfs mount directory.
-allow compos authfs_data_file:dir { search };
+allow compos authfs_data_file:dir search;
 
 # Allow domain transition into odrefresh and dex2oat.
 # TODO(b/209008712): Remove dex2oat once the migration is done.
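Review bot: The new `allow compos authfs_fuse:file create_file_perms;` grants more than the comment describes — as I recall that macro expands to create, rename, setattr, unlink plus rw_file_perms — while the comment only mentions reading artifacts and creating signature files. If compos never renames or unlinks files on authfs, `allow compos authfs_fuse:file { create rw_file_perms };` would match the stated intent; otherwise the comment should say why the wider set is needed, e.g. `# Read artifacts created by odrefresh and create/replace signature files.` The removed note about the getattr workaround (b/196635431) is still covered by rw_file_perms, so behaviour is preserved, but it is worth keeping a pointer to that bug if the workaround is still relevant.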
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index 0f8b905..c7c53c2 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -12,6 +12,10 @@
 # Allow dex2oat to read/write FDs on authfs_fuse filesystem.
 allow dex2oat authfs_fuse:file { read write getattr map };
 
+# Allow to search in authfs directories.
+allow dex2oat authfs_data_file:dir { search };
+allow dex2oat authfs_fuse:dir { search };
+
 # Minijail uses pipe for the parent process to signal the child (as a fallback
 # mechanism, since Android does not support minijail's preload).
 # TODO(196109647): We can probably remove this once the minijail preload is
@@ -23,3 +27,8 @@
 
 # Allow dex2oat to read /apex/apex-info-list.xml
 allow dex2oat apex_info_file:file r_file_perms;
+
+# Don't audit because we don't configure the compiler through system properties
+# in the VM.
+dontaudit dex2oat dalvik_config_prop:file { open read getattr map };
+dontaudit dex2oat device_config_runtime_native_prop:file { open read getattr map };
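Review bot: The two dontaudit rules permanently silence reads of dalvik_config_prop and device_config_runtime_native_prop, yet the same commit labels `dalvik.vm.` and `persist.device_config.runtime_native.` in the microdroid property_contexts, so someone who later sets one of those properties inside the VM would see dex2oat ignore it with no denial in the log. Consider stating that trade-off in the comment, e.g. `# If the VM ever needs property-driven compiler config, replace these with get_prop().`, so the suppression is not mistaken for an allow.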
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 18fa8bb..d15f9ba 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -13,3 +13,7 @@
 allow system_data_file tmpfs:filesystem associate;
 
 type authfs_fuse, fs_type, contextmount_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
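Review bot: The comment on the new type reads `property labeled`, which looks like a typo for `properly labeled`; suggest `# /dev/selinux/test - used to verify that apex sepolicy is loaded and properly labeled.` The same wording is copied into private/file.te in this commit, so both copies should be fixed together.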
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 1d03c4a..258c8d7 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -81,3 +81,19 @@
 
 #-----------------------------------------
 allow kernel apkdmverity:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+  file_contexts_file
+  hwservice_contexts_file
+  mac_perms_file
+  property_contexts_file
+  seapp_contexts_file
+  sepolicy_test_file
+  service_contexts_file
+}:file relabelto;
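Review bot: This block is byte-identical to the one added to private/kernel.te in the same commit, so any future change to the list of context-file types has to be made in two places; if the microdroid policy can share a macro with the platform policy, that would keep them in sync. Because these are dontaudit rather than allow rules, a relabel attempted after the switch to enforcing is denied silently; the comment presents that as intended, but it may be worth saying explicitly, e.g. `# Note: a relabel attempted after enforcing is denied without an avc entry.`, so nobody expects a log line when apex-sepolicy setup fails.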
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index c281896..d8b4392 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -25,5 +25,8 @@
 # supported on Android.
 allow odrefresh compos:fifo_file read;
 
-# Do not audit unused resources from parent processes.
-dontaudit odrefresh compos:fd use;
+# Allow using FDs from the parent. It's possible that this could be avoided,
+# if we close fd 0-2 before execute. But minijial replaces them with /dev/null
+# (unless specified otherwise). Without allowing the use, the execution will
+# fail immediately. See b/210909688.
+allow odrefresh compos:fd use;
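Review bot: The new comment misspells `minijial` (should be `minijail`) and `before execute` reads better as `before exec`; suggest `# if we close fd 0-2 before exec. But minijail replaces them with /dev/null`. Since the rule now allows use of every fd odrefresh inherits from compos rather than only the stdio ones, the comment could also state that compos is expected to pass only stdio across the exec, if that is the case.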
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 799ac3c..7911753 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,3 +1,7 @@
+# Declare ART properties for CompOS
+system_public_prop(dalvik_config_prop)
+system_restricted_prop(device_config_runtime_native_prop)
+
 # Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
 # in the audit log
 dontaudit domain {
@@ -37,3 +41,9 @@
     -microdroid_manager
     -apkdmverity
 } microdroid_manager_roothash_prop:file no_rw_file_perms;
+
+# apexd_payload_metadata_prop can only set by init
+neverallow {
+  domain
+  -init
+} apexd_payload_metadata_prop:property_service set;
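Review bot: The comment above the neverallow is missing a verb — `can only set by init` should read `can only be set by init`; suggest `# apexd_payload_metadata_prop can only be set by init`. The rule itself matches the one added to private/property.te in this commit.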
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index abd14fd..7b63cae 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -117,7 +117,9 @@
 ro.revision   u:object_r:bootloader_prop:s0 exact string
 
 ro.build.id                     u:object_r:build_prop:s0 exact string
+ro.build.version.codename       u:object_r:build_prop:s0 exact string
 ro.build.version.release        u:object_r:build_prop:s0 exact string
+ro.build.version.sdk            u:object_r:build_prop:s0 exact int
 ro.build.version.security_patch u:object_r:build_prop:s0 exact string
 ro.debuggable                   u:object_r:build_prop:s0 exact bool
 ro.product.cpu.abilist          u:object_r:build_prop:s0 exact string
@@ -145,8 +147,8 @@
 
 persist.adb.wifi.guid  u:object_r:adbd_prop:s0 exact string
 
-log.tag.         u:object_r:log_tag_prop:s0 prefix
-persist.log.tag. u:object_r:log_tag_prop:s0 prefix
+log.tag          u:object_r:log_tag_prop:s0 prefix
+persist.log.tag  u:object_r:log_tag_prop:s0 prefix
 
 libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
 libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
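Review bot: Dropping the trailing dot changes what the `prefix` entries match — `log.tag` now also covers the bare property `log.tag` and any name such as `log.tagX`, not just `log.tag.*`, and the same applies to `persist.log.tag`. If the intent is to match the platform property_contexts (which, as I recall, uses the dot-less form), a short comment saying so, e.g. `# Match platform property_contexts: prefix without trailing dot also covers log.tag itself.`, would stop someone restoring the dot later; otherwise the old form was the tighter one.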
@@ -159,3 +161,9 @@
 ro.vndk.version  u:object_r:build_prop:s0 exact string
 
 heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
+
+# ART properties for CompOS
+dalvik.vm.                            u:object_r:dalvik_config_prop:s0 prefix
+persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
+
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index f92face..c62e091 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -1,5 +1,6 @@
 type adbd_prop, property_type;
 type apex_config_prop, property_type;
+type apexd_payload_metadata_prop, property_type;
 type apexd_prop, property_type;
 type arm64_memtag_prop, property_type;
 type bootloader_prop, property_type;
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
deleted file mode 100644
index e46f92a..0000000
--- a/prebuilt_policy.mk
+++ /dev/null
@@ -1,321 +0,0 @@
-# Copyright (C) 2020 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# prebuilt_policy.mk generates policy files from prebuilts of BOARD_SEPOLICY_VERS.
-# The policy files will only be used to compile vendor and odm policies.
-#
-# Specifically, the following prebuilts are used...
-# - system/sepolicy/prebuilts/api/{BOARD_SEPOLICY_VERS}
-# - BOARD_PLAT_VENDOR_POLICY               (copy of system/sepolicy/vendor from a previous release)
-# - BOARD_REQD_MASK_POLICY                 (copy of reqd_mask from a previous release)
-# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS  (copy of system_ext public from a previous release)
-# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (copy of system_ext private from a previous release)
-# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS     (copy of product public from a previous release)
-# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS    (copy of product private from a previous release)
-#
-# ... to generate following policy files.
-#
-# - reqd policy mask
-# - plat, system_ext, product public policy
-# - plat, system_ext, product policy
-# - plat, system_ext, product versioned policy
-#
-# These generated policy files will be used only when building vendor policies.
-# They are not installed to system, system_ext, or product partition.
-ver := $(BOARD_SEPOLICY_VERS)
-prebuilt_dir := $(LOCAL_PATH)/prebuilts/api/$(ver)
-plat_public_policy_$(ver) := $(prebuilt_dir)/public
-plat_private_policy_$(ver) := $(prebuilt_dir)/private
-system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
-system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
-product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
-product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
-
-##################################
-# policy-to-conf-rule: a helper macro to transform policy files to conf file.
-#
-# This expands to a set of rules which assign variables for transform-policy-to-conf and then call
-# transform-policy-to-conf. Before calling this, policy_files must be set with build_policy macro.
-#
-# $(1): output path (.conf file)
-define policy-to-conf-rule
-$(1): PRIVATE_MLS_SENS := $$(MLS_SENS)
-$(1): PRIVATE_MLS_CATS := $$(MLS_CATS)
-$(1): PRIVATE_TARGET_BUILD_VARIANT := $$(TARGET_BUILD_VARIANT)
-$(1): PRIVATE_TGT_ARCH := $$(my_target_arch)
-$(1): PRIVATE_TGT_WITH_ASAN := $$(with_asan)
-$(1): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $$(with_native_coverage)
-$(1): PRIVATE_ADDITIONAL_M4DEFS := $$(LOCAL_ADDITIONAL_M4DEFS)
-$(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
-$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
-$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
-$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
-$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
-$(1): PRIVATE_POLICY_FILES := $$(policy_files)
-$(1): $$(policy_files) $$(M4)
-	$$(transform-policy-to-conf)
-endef
-
-##################################
-# reqd_policy_mask_$(ver).cil
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), $(BOARD_REQD_MASK_POLICY))
-reqd_policy_mask_$(ver).conf := $(intermediates)/reqd_policy_mask_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(reqd_policy_mask_$(ver).conf)))
-
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
-
-reqd_policy_mask_$(ver).cil := $(intermediates)/reqd_policy_mask_$(ver).cil
-$(reqd_policy_mask_$(ver).cil): $(reqd_policy_mask_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
-		$(POLICYVERS) -o $@ $<
-
-reqd_policy_mask_$(ver).conf :=
-
-reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
-
-##################################
-# plat_pub_policy_$(ver).cil: exported plat policies
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(plat_public_policy_$(ver)) $(reqd_policy_$(ver)))
-plat_pub_policy_$(ver).conf := $(intermediates)/plat_pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(plat_pub_policy_$(ver).conf)))
-
-plat_pub_policy_$(ver).cil := $(intermediates)/plat_pub_policy_$(ver).cil
-$(plat_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(plat_pub_policy_$(ver).conf)
-$(plat_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(plat_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
-	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-		-f $(PRIVATE_REQD_MASK) -t $@
-
-plat_pub_policy_$(ver).conf :=
-
-##################################
-# plat_mapping_cil_$(ver).cil: versioned exported system policy
-#
-plat_mapping_cil_$(ver) := $(intermediates)/plat_mapping_$(ver).cil
-$(plat_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(plat_mapping_cil_$(ver)) : $(plat_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-built_plat_mapping_cil_$(ver) := $(plat_mapping_cil_$(ver))
-
-##################################
-# plat_policy_$(ver).cil: system policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) )
-plat_policy_$(ver).conf := $(intermediates)/plat_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(plat_policy_$(ver).conf)))
-
-plat_policy_$(ver).cil := $(intermediates)/plat_policy_$(ver).cil
-$(plat_policy_$(ver).cil): PRIVATE_ADDITIONAL_CIL_FILES := \
-  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
-$(plat_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(plat_policy_$(ver).cil): $(plat_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-  $(HOST_OUT_EXECUTABLES)/secilc \
-  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
-		$(POLICYVERS) -o $@.tmp $<
-	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
-	$(hide) mv $@.tmp $@
-
-plat_policy_$(ver).conf :=
-
-built_plat_cil_$(ver) := $(plat_policy_$(ver).cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-##################################
-# system_ext_pub_policy_$(ver).cil: exported system and system_ext policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) $(reqd_policy_$(ver)))
-system_ext_pub_policy_$(ver).conf := $(intermediates)/system_ext_pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(system_ext_pub_policy_$(ver).conf)))
-
-system_ext_pub_policy_$(ver).cil := $(intermediates)/system_ext_pub_policy_$(ver).cil
-$(system_ext_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(system_ext_pub_policy_$(ver).conf)
-$(system_ext_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(system_ext_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
-	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-		-f $(PRIVATE_REQD_MASK) -t $@
-
-system_ext_pub_policy_$(ver).conf :=
-
-##################################
-# system_ext_policy_$(ver).cil: system_ext policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
-  $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) )
-system_ext_policy_$(ver).conf := $(intermediates)/system_ext_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(system_ext_policy_$(ver).conf)))
-
-system_ext_policy_$(ver).cil := $(intermediates)/system_ext_policy_$(ver).cil
-$(system_ext_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(system_ext_policy_$(ver).cil): PRIVATE_PLAT_CIL := $(built_plat_cil_$(ver))
-$(system_ext_policy_$(ver).cil): $(system_ext_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver))
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
-	$(POLICYVERS) -o $@ $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-		-f $(PRIVATE_PLAT_CIL) -t $@
-	# Line markers (denoted by ;;) are malformed after above cmd. They are only
-	# used for debugging, so we remove them.
-	$(hide) grep -v ';;' $@ > $@.tmp
-	$(hide) mv $@.tmp $@
-	# Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
-	# latter doesn't accidentally depend on vendor/odm policies.
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
-		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
-
-system_ext_policy_$(ver).conf :=
-
-built_system_ext_cil_$(ver) := $(system_ext_policy_$(ver).cil)
-
-##################################
-# system_ext_mapping_cil_$(ver).cil: versioned exported system_ext policy
-#
-system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
-$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
-$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
-$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
-$(system_ext_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
-$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil)
-	@mkdir -p $(dir $@)
-	# Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
-	# sepolicy minus plat_mapping_file.
-	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-		-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
-
-built_system_ext_mapping_cil_$(ver) := $(system_ext_mapping_cil_$(ver))
-
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# product_policy_$(ver).cil: product policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
-  $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) \
-  $(product_public_policy_$(ver)) $(product_private_policy_$(ver)) )
-product_policy_$(ver).conf := $(intermediates)/product_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(product_policy_$(ver).conf)))
-
-product_policy_$(ver).cil := $(intermediates)/product_policy_$(ver).cil
-$(product_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(product_policy_$(ver).cil): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
-$(product_policy_$(ver).cil): $(product_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
-	$(POLICYVERS) -o $@ $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-		-f $(PRIVATE_PLAT_CIL_FILES) -t $@
-	# Line markers (denoted by ;;) are malformed after above cmd. They are only
-	# used for debugging, so we remove them.
-	$(hide) grep -v ';;' $@ > $@.tmp
-	$(hide) mv $@.tmp $@
-	# Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
-	# make sure that the latter doesn't accidentally depend on vendor/odm policies.
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
-		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-product_policy_$(ver).conf :=
-
-built_product_cil_$(ver) := $(product_policy_$(ver).cil)
-
-endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# pub_policy_$(ver).cil: exported plat, system_ext, and product policies
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) \
-  $(product_public_policy_$(ver)) $(reqd_policy_$(ver)) )
-pub_policy_$(ver).conf := $(intermediates)/pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(pub_policy_$(ver).conf)))
-
-pub_policy_$(ver).cil := $(intermediates)/pub_policy_$(ver).cil
-$(pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(pub_policy_$(ver).conf)
-$(pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
-	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-		-f $(PRIVATE_REQD_MASK) -t $@
-
-pub_policy_$(ver).conf :=
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# product_mapping_cil_$(ver).cil: versioned exported product policy
-#
-product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
-$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
-$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil)
-$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
-$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
-$(product_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
-$(product_mapping_cil_$(ver)) : $(built_system_ext_mapping_cil_$(ver))
-	@mkdir -p $(dir $@)
-	# Generate product mapping file as mapping file of all public sepolicy minus
-	# plat_mapping_file and system_ext_mapping_file.
-	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-		-f $(PRIVATE_FILTER_CIL_FILES) -t $@
-
-built_product_mapping_cil_$(ver) := $(product_mapping_cil_$(ver))
-
-endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# plat_pub_versioned_$(ver).cil - the exported platform policy
-#
-plat_pub_versioned_$(ver).cil := $(intermediates)/plat_pub_versioned_$(ver).cil
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_VERS := $(ver)
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_TGT_POL := $(pub_policy_$(ver).cil)
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) \
-$(built_product_cil_$(ver)) $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) \
-$(built_product_mapping_cil_$(ver))
-$(plat_pub_versioned_$(ver).cil) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-  $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) $(built_product_cil_$(ver)) \
-  $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) $(built_product_mapping_cil_$(ver))
-	@mkdir -p $(dir $@)
-	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
-		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-built_pub_vers_cil_$(ver) := $(plat_pub_versioned_$(ver).cil)
diff --git a/prebuilts/api/32.0/private/app.te b/prebuilts/api/32.0/private/app.te
index 2b3554f..30c76d3 100644
--- a/prebuilts/api/32.0/private/app.te
+++ b/prebuilts/api/32.0/private/app.te
@@ -13,6 +13,7 @@
 get_prop(appdomain, userspace_reboot_config_prop)
 get_prop(appdomain, vold_config_prop)
 get_prop(appdomain, adbd_config_prop)
+get_prop(appdomain, dck_prop)
 
 # Allow ART to be configurable via device_config properties
 # (ART "runs" inside the app process)
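Review bot: This hunk edits a frozen prebuilt (prebuilts/api/32.0), which normally mirrors the released 32.0 policy rather than tracking new changes; if this is a deliberate sync, the commit message should say so. The rule also makes dck_prop readable by every app domain, including untrusted apps, and nothing in the hunk says what the property holds; a one-line comment naming what dck_prop contains and which component needs it from app context would let a reviewer judge whether world-readability is acceptable.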
diff --git a/prebuilts/api/32.0/private/zygote.te b/prebuilts/api/32.0/private/zygote.te
index 090e121..743647e 100644
--- a/prebuilts/api/32.0/private/zygote.te
+++ b/prebuilts/api/32.0/private/zygote.te
@@ -112,7 +112,7 @@
 
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
 allow zygote cgroup_v2:dir create_dir_perms;
 allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
 allow zygote self:global_capability_class_set sys_admin;
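Review bot: The added `setattr` on cgroup (v1) files mirrors the cgroup_v2 line below it, but the hunk gives no hint why zygote needs to change attributes on v1 control files; a comment on the `# Control cgroups.` heading stating the reason (if it is, for example, changing ownership of per-app cgroup files) would help. As with the other prebuilts/api/32.0 edit in this commit, this modifies a frozen policy snapshot, which should be called out in the commit description.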
diff --git a/private/apexd.te b/private/apexd.te
index 2e890a0..9dfe45f 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -158,6 +158,9 @@
 # Allow apexd to read apex selection properties.
 # These are used to choose between multi-installed APEXes at activation time.
 get_prop(apexd, apexd_select_prop)
+#
+# Allow apexd to read apexd_payload_metadata_prop
+get_prop(apexd, apexd_payload_metadata_prop)
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
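Review bot: The lone `#` line inserted before the new comment is an empty comment used as a separator, while the rest of this file separates blocks with a blank line (as the blank line after the new get_prop does). Replace the `#` with a blank line so the block reads like its neighbours. The neverallow lines that follow are context and unchanged.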
diff --git a/private/app.te b/private/app.te
index 8477133..7177b92 100644
--- a/private/app.te
+++ b/private/app.te
@@ -13,6 +13,7 @@
 get_prop(appdomain, userspace_reboot_config_prop)
 get_prop(appdomain, vold_config_prop)
 get_prop(appdomain, adbd_config_prop)
+get_prop(appdomain, dck_prop)
 
 # Allow ART to be configurable via device_config properties
 # (ART "runs" inside the app process)
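Review bot: `get_prop(appdomain, dck_prop)` makes the property readable by every app domain, including untrusted_app, and the hunk carries no comment explaining what dck_prop is or why all apps need it, unlike the surrounding rules which at least sit under a heading. Add a one-line comment naming the consumer and the data, e.g. `# Allow apps to read dck_prop (<what it holds>; consumed by <component>).`, so the world-readability is a documented decision rather than an incidental one.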
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index dce2649..f796813 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -9,18 +9,22 @@
     artd_service
     attestation_verification_service
     charger_vendor
+    cloudsearch_service
     device_config_nnapi_native_prop
+    device_config_surface_flinger_native_boot_prop
     dice_maintenance_service
     dice_node_service
     diced
     diced_exec
     extra_free_kbytes
     extra_free_kbytes_exec
+    gesture_prop
     hal_contexthub_service
     hal_dice_service
     hal_dumpstate_service
     hal_graphics_composer_service
     hal_health_service
+    hal_ir_service
     hal_nlinterceptor_service
     hal_radio_config_service
     hal_radio_data_service
@@ -33,6 +37,7 @@
     hal_system_suspend_service
     hal_tv_tuner_service
     hal_uwb_service
+    hal_vehicle_service
     hal_wifi_hostapd_service
     hal_wifi_supplicant_service
     locale_service
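Review bot: The commit introduces two new types, apexd_payload_metadata_prop (private/property.te) and sepolicy_test_file (private/file.te), but neither appears in the visible hunks of 32.0.ignore.cil; they would sort outside the shown ranges (before `artd_service` and after `locale_service`), so please confirm they are added elsewhere in this file, otherwise the compat check against the 32.0 mapping may complain about unmapped types. The entries added here are consistent with the file's alphabetical ordering.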
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
index 72964c3..a1a8a64 100644
--- a/private/compos_fd_server.te
+++ b/private/compos_fd_server.te
@@ -4,15 +4,18 @@
 # Allow access to open fds inherited from odrefresh - read inputs, generate outputs
 # TODO(b/209008712): Remove once migration is done.
 allow compos_fd_server odrefresh:fd use;
-allow compos_fd_server apex_art_data_file:file { getattr read };
 
 # Allow access to open fds inherited from composd
 allow compos_fd_server composd:fd use;
 
-# Allow creating new files and directory in the staging directory.
+# Allow creating new files and directories in the staging directory.
 allow compos_fd_server apex_art_staging_data_file:dir create_dir_perms;
 allow compos_fd_server apex_art_staging_data_file:file create_file_perms;
 
+# Allow creating new files and directories in the artifacts directory.
+allow compos_fd_server apex_art_data_file:dir create_dir_perms;
+allow compos_fd_server apex_art_data_file:file create_file_perms;
+
 # Use a pipe to signal readiness
 # TODO(b/205750213): Removed odrefresh when we run odrefresh in the VM
 allow compos_fd_server odrefresh:fifo_file write;
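Review bot: The new rules let compos_fd_server create, write and delete directly in apex_art_data_file — the live artifact directory — whereas the existing rules and comments only describe writing to the staging directory, and the commit exempts this domain from the domain.te neverallow to make that possible. A comment on why the final directory must be writable from the fd server, rather than staging followed by a move, would make the widening reviewable, e.g. `# Artifacts are written in place because <reason>.` with the actual reason. If only reading existing artifacts is needed during the migration, the dropped `allow compos_fd_server apex_art_data_file:file { getattr read };` was the tighter rule.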
diff --git a/private/composd.te b/private/composd.te
index 88c4e4a..5b8f586 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -13,16 +13,19 @@
 # Start a VM
 virtualizationservice_use(composd)
 
-# Allow preparing staging directory for odrefresh
+# Prepare staging directory for odrefresh
 allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
 allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
 
+# Delete files in the odrefresh target directory
+allow composd apex_art_data_file:file unlink;
+
 # Access our APEX data files
 allow composd apex_module_data_file:dir search;
 allow composd apex_compos_data_file:dir create_dir_perms;
 allow composd apex_compos_data_file:file create_file_perms;
 
-# TODO(b/209008712): Removed these when we run odrefresh in the VM
+# TODO(b/209008712): Remove these when we run odrefresh in the VM
 # Run odrefresh to refresh ART artifacts, and kill it if we need to
 domain_auto_trans(composd, odrefresh_exec, odrefresh)
 allow composd odrefresh:process sigkill;
@@ -33,3 +36,6 @@
 
 # Read ART's properties
 get_prop(composd, dalvik_config_prop)
+
+# We never create any artifact files directly
+neverallow composd apex_art_data_file:file ~unlink;
diff --git a/private/domain.te b/private/domain.te
index 24e05b5..d12cbc7 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -304,7 +304,9 @@
 # contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
 neverallow {
   domain
-  # art processes
+  # art-related processes
+  -composd
+  -compos_fd_server
   -odrefresh
   -odsign
   # others
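Review bot: The exemption list of this neverallow (whose head and tail are outside the hunk) keeps growing with bare domain names, and nothing records how much write access each one actually needs; composd is limited to unlink on files by the companion neverallow in composd.te, but compos_fd_server receives full create_file_perms. A per-entry comment such as `-composd           # unlink only, see composd.te` and `-compos_fd_server  # writes artifacts, see compos_fd_server.te` would let future reviewers spot unintended widening without opening each domain file.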
@@ -316,9 +318,10 @@
 neverallow {
   domain
   # art-related processes
+  -composd
+  -compos_fd_server
   -odrefresh
   -odsign
-  -composd
   # others
   -apexd
   -init
diff --git a/private/file.te b/private/file.te
index f3e1855..0eb2018 100644
--- a/private/file.te
+++ b/private/file.te
@@ -77,3 +77,7 @@
 
 # /metadata/sepolicy
 type sepolicy_metadata_file, file_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
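Review bot: `property labeled` in the new comment appears to be a typo for `properly labeled`; suggest `# /dev/selinux/test - used to verify that apex sepolicy is loaded and properly labeled.` Note that no file_contexts entry for /dev/selinux/test is added in this commit; if the path is labeled by the apex-provided file_contexts at runtime, saying so here would help the next reader.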
diff --git a/private/file_contexts b/private/file_contexts
index ea5f66f..41bc184 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -19,6 +19,7 @@
 
 # For kernel modules
 /lib(/.*)?          u:object_r:rootfs:s0
+/system_dlkm(/.*)?  u:object_r:rootfs:s0
 
 # Empty directories
 /lost\+found        u:object_r:rootfs:s0
@@ -196,6 +197,15 @@
 # Linker configuration
 #
 /linkerconfig(/.*)?          u:object_r:linkerconfig_file:s0
+
+# Apex sepoolicy files.
+/dev/selinux/apex_file_contexts                 u:object_r:file_contexts_file:s0
+/dev/selinux/apex_seapp_contexts                u:object_r:seapp_contexts_file:s0
+/dev/selinux/apex_service_contexts              u:object_r:service_contexts_file:s0
+/dev/selinux/apex_property_contexts             u:object_r:property_contexts_file:s0
+/dev/selinux/apex_hwservice_contexts            u:object_r:hwservice_contexts_file:s0
+/dev/selinux/apex_mac_permissions\.xml          u:object_r:mac_perms_file:s0
+
 #############################
 # System files
 #
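Review bot: The new heading `# Apex sepoolicy files.` has a typo; suggest `# Apex sepolicy files.` The commit also declares sepolicy_test_file for /dev/selinux/test but adds no entry for that path here; if the file is labeled via the apex file_contexts at runtime, a note such as `# /dev/selinux/test is labeled by the apex-provided file_contexts.` would stop someone adding a duplicate entry later.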
diff --git a/private/kernel.te b/private/kernel.te
index 5341163..6775b3b 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -31,3 +31,19 @@
 
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+  file_contexts_file
+  hwservice_contexts_file
+  mac_perms_file
+  property_contexts_file
+  seapp_contexts_file
+  sepolicy_test_file
+  service_contexts_file
+}:file relabelto;
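Review bot: `dontaudit` suppresses the denial in enforcing mode as well, so the rationale in the comment (the access is only attempted before the switch to enforcing) should also state that a later relabelto of these policy-configuration files by the kernel domain will be denied silently, with no audit record. Suggest extending the comment with `# Note: dontaudit also hides any post-enforcing relabel attempt, so audit logs will not show one.`. The suppression itself looks acceptable, since the access stays denied.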
diff --git a/private/property.te b/private/property.te
index b196a1b..5d5869c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,5 +1,6 @@
 # Properties used only in /system
 system_internal_prop(adbd_prop)
+system_internal_prop(apexd_payload_metadata_prop)
 system_internal_prop(ctl_snapuserd_prop)
 system_internal_prop(device_config_lmkd_native_prop)
 system_internal_prop(device_config_profcollect_native_boot_prop)
@@ -11,7 +12,6 @@
 system_internal_prop(device_config_configuration_prop)
 system_internal_prop(device_config_connectivity_prop)
 system_internal_prop(device_config_swcodec_native_prop)
-system_internal_prop(device_config_surface_flinger_native_boot_prop)
 system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)
@@ -376,6 +376,15 @@
 }:property_service set;
 
 neverallow {
+  # Only allow init to set apexd_payload_metadata_prop
+  domain
+  -init
+} {
+  apexd_payload_metadata_prop
+}:property_service set;
+
+
+neverallow {
   # Only allow init and shell to set userspace_reboot_test_prop
   domain
   -init
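Review bot: There are two consecutive blank lines after the new `apexd_payload_metadata_prop` neverallow block, before the userspace_reboot_test_prop one, where the rest of the file uses a single blank line; drop one of them. Restricting the setter to `init` is consistent with the `apexd.payload_metadata.path` entry added in private/property_contexts. The following neverallow statement continues past the hunk.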
diff --git a/private/property_contexts b/private/property_contexts
index 1627014..3650a44 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -70,6 +70,7 @@
 persist.profcollectd.node_id    u:object_r:profcollectd_node_id_prop:s0     exact   string
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
+persist.sys.tap_gesture u:object_r:gesture_prop:s0
 persist.sys.theme       u:object_r:theme_prop:s0
 persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
@@ -457,6 +458,9 @@
 persist.bluetooth.a2dp_offload.disabled        u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
 persist.bluetooth.btsnoopenable                u:object_r:exported_bluetooth_prop:s0 exact bool
+persist.bluetooth.btsnoopdefaultmode           u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
+persist.bluetooth.btsnooplogmode               u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
+persist.bluetooth.factoryreset                 u:object_r:bluetooth_prop:s0 exact bool
 
 persist.nfc.debug_enabled                      u:object_r:nfc_prop:s0 exact bool
 
@@ -603,6 +607,7 @@
 
 vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
 
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
 apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
 
 odsign.key.done u:object_r:odsign_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index c378aec..1d8b64d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,4 +1,5 @@
 android.hardware.authsecret.IAuthSecret/default                      u:object_r:hal_authsecret_service:s0
+android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.automotive.audiocontrol.IAudioControl/default       u:object_r:hal_audiocontrol_service:s0
 android.hardware.biometrics.face.IFace/default                       u:object_r:hal_face_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/default         u:object_r:hal_fingerprint_service:s0
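Review bot: The new `android.hardware.automotive.vehicle.IVehicle/default` line is inserted before `android.hardware.automotive.audiocontrol.IAudioControl/default`, breaking the alphabetical order the surrounding entries follow; it belongs after the automotive.audiocontrol line and any other `automotive.*` entries. Ordering here is only cosmetic, but keeping it makes duplicate or conflicting service entries easier to spot in review.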
@@ -9,6 +10,7 @@
 android.hardware.health.storage.IStorage/default                     u:object_r:hal_health_storage_service:s0
 android.hardware.health.IHealth/default                              u:object_r:hal_health_service:s0
 android.hardware.identity.IIdentityCredentialStore/default           u:object_r:hal_identity_service:s0
+android.hardware.ir.IConsumerIr/default                              u:object_r:hal_ir_service:s0
 android.hardware.light.ILights/default                               u:object_r:hal_light_service:s0
 android.hardware.memtrack.IMemtrack/default                          u:object_r:hal_memtrack_service:s0
 android.hardware.net.nlinterceptor.IInterceptor/default              u:object_r:hal_nlinterceptor_service:s0
@@ -110,6 +112,7 @@
 cacheinfo                                 u:object_r:cacheinfo_service:s0
 carrier_config                            u:object_r:radio_service:s0
 clipboard                                 u:object_r:clipboard_service:s0
+cloudsearch_service                       u:object_r:cloudsearch_service:s0
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
 companiondevice                           u:object_r:companion_device_service:s0
 platform_compat                           u:object_r:platform_compat_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 6cf993a..ce76b69 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -42,6 +42,7 @@
 set_prop(system_app, exported_bluetooth_prop)
 set_prop(system_app, exported_system_prop)
 set_prop(system_app, exported3_system_prop)
+set_prop(system_app, gesture_prop)
 set_prop(system_app, logd_prop)
 set_prop(system_app, net_radio_prop)
 set_prop(system_app, usb_control_prop)
diff --git a/private/zygote.te b/private/zygote.te
index 8e2b15a..ea983fd 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -112,7 +112,7 @@
 
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
 allow zygote cgroup_v2:dir create_dir_perms;
 allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
 allow zygote self:global_capability_class_set sys_admin;
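Review bot: The added `setattr` on cgroup v1 `file`/`lnk_file` lets zygote change mode and ownership of cgroup control files, and the `# Control cgroups.` comment does not say why that is needed; it mirrors the existing cgroup_v2 line, so presumably the same use case applies. Suggest extending the comment, e.g. `# Control cgroups (setattr: zygote adjusts ownership of per-app cgroup control files).`, adjusted to the actual reason.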
diff --git a/public/hal_ir.te b/public/hal_ir.te
index 29555f7..452127a 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -2,4 +2,7 @@
 binder_call(hal_ir_client, hal_ir_server)
 binder_call(hal_ir_server, hal_ir_client)
 
+hal_attribute_service(hal_ir, hal_ir_service)
+binder_call(hal_ir_server, servicemanager)
+
 hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
diff --git a/public/hal_vehicle.te b/public/hal_vehicle.te
index 6855d14..c9eff55 100644
--- a/public/hal_vehicle.te
+++ b/public/hal_vehicle.te
@@ -4,3 +4,4 @@
 
 
 hal_attribute_hwservice(hal_vehicle, hal_vehicle_hwservice)
+hal_attribute_service(hal_vehicle, hal_vehicle_service)
diff --git a/public/property.te b/public/property.te
index c33d8a6..83dfc36 100644
--- a/public/property.te
+++ b/public/property.te
@@ -67,6 +67,7 @@
 system_restricted_prop(device_config_nnapi_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
+system_restricted_prop(device_config_surface_flinger_native_boot_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(hal_instrumentation_prop)
 system_restricted_prop(hypervisor_prop)
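Review bot: Moving `device_config_surface_flinger_native_boot_prop` from `system_internal_prop` (removed in private/property.te) to `system_restricted_prop` broadens which domains may read the property, and nothing in the hunk records why. If a vendor or app reader now needs it, a trailing comment on the new line or a note in the commit message would make the widening reviewable later.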
@@ -193,6 +194,7 @@
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
 system_public_prop(ffs_control_prop)
+system_public_prop(gesture_prop)
 system_public_prop(hal_dumpstate_config_prop)
 system_public_prop(sota_prop)
 system_public_prop(hwservicemanager_prop)
diff --git a/public/service.te b/public/service.te
index e4cdc13..493017f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -80,6 +80,7 @@
 type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
 type cameraproxy_service, system_server_service, service_manager_type;
 type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type cloudsearch_service, app_api_service, system_server_service, service_manager_type;
 type contexthub_service, app_api_service,  system_server_service, service_manager_type;
 type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
 type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -271,6 +272,7 @@
 type hal_health_service, vendor_service, protected_service, service_manager_type;
 type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
 type hal_identity_service, vendor_service, protected_service, service_manager_type;
+type hal_ir_service, vendor_service, protected_service, service_manager_type;
 type hal_keymint_service, vendor_service, protected_service, service_manager_type;
 type hal_light_service, vendor_service, protected_service, service_manager_type;
 type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
@@ -293,6 +295,7 @@
 type hal_system_suspend_service, protected_service, service_manager_type;
 type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
 type hal_uwb_service, vendor_service, protected_service, service_manager_type;
+type hal_vehicle_service, vendor_service, protected_service, service_manager_type;
 type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
 type hal_weaver_service, vendor_service, protected_service, service_manager_type;
 type hal_nlinterceptor_service, vendor_service, protected_service, service_manager_type;
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 1f27727..77945b7 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -113,11 +113,8 @@
 
 # vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
 # nonplat_sepolicy.cil.
-$(version)_nonplat := $($(version)_prebuilts_dir)/vendor_sepolicy.cil \
+$(version)_vendor := $($(version)_prebuilts_dir)/vendor_sepolicy.cil \
 $($(version)_prebuilts_dir)/plat_pub_versioned.cil
-ifeq (,$(wildcard $($(version)_nonplat)))
-$(version)_nonplat := $($(version)_prebuilts_dir)/nonplat_sepolicy.cil
-endif
 
 cil_files := $(built_plat_cil)
 ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
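Review bot: Dropping the `ifeq (,$(wildcard $($(version)_nonplat)))` fallback means the compat test now requires `vendor_sepolicy.cil` and `plat_pub_versioned.cil` in every version's prebuilts directory; a prebuilt tree that still only ships `nonplat_sepolicy.cil` will fail with a missing-prerequisite error instead of falling back. If every supported version provides the new files that is fine, but the comment above (`vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace nonplat_sepolicy.cil.`) could be updated to say the old layout is no longer supported. The same rename applies in the two later hunks of this file.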
@@ -128,7 +125,7 @@
 cil_files += $(built_product_cil)
 endif # (,$(PRODUCT_PREBUILT_POLICY)
 endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-cil_files += $($(version)_mapping.cil) $($(version)_nonplat)
+cil_files += $($(version)_mapping.cil) $($(version)_vendor)
 $($(version)_compat): PRIVATE_CIL_FILES := $(cil_files)
 $($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc $(cil_files)
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
@@ -188,7 +185,7 @@
 $(version)_mapping.cil :=
 $(version)_mapping.combined.cil :=
 $(version)_mapping.ignore.cil :=
-$(version)_nonplat :=
+$(version)_vendor :=
 $(version)_prebuilts_dir :=
 built_$(version)_plat_sepolicy :=
 version :=
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 6816b97..4fc0460 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,6 +10,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service  u:object_r:hal_can_socketcan_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service  u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service)  u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-default-service u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
@@ -51,6 +52,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service     u:object_r:hal_input_classifier_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service             u:object_r:hal_ir_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.ir-service\.example          u:object_r:hal_ir_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service      u:object_r:hal_keymaster_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service      u:object_r:hal_keymaster_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service      u:object_r:hal_keymaster_default_exec:s0
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index 56a47b7..52769dd 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -8,3 +8,6 @@
 
 # communication with CAN bus HAL
 hal_client_domain(hal_vehicle_default, hal_can_bus)
+
+# communicate with servicemanager
+binder_call(hal_vehicle_server, servicemanager)
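Review bot: `binder_call(hal_vehicle_server, servicemanager)` is written against the `hal_vehicle_server` attribute but placed in the vendor-specific `vendor/hal_vehicle_default.te`, whereas the matching IR rule (`binder_call(hal_ir_server, servicemanager)`) sits in `public/hal_ir.te` next to its `hal_attribute_service` call. For consistency, and so that every hal_vehicle implementation gets it, move the line to `public/hal_vehicle.te` after `hal_attribute_service(hal_vehicle, hal_vehicle_service)`, taking the `# communicate with servicemanager` comment with it.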