commit 0fe4586bb139936173f7d76725730eafa2ba6edb
author Treehugger Robot <treehugger-gerrit@google.com> Mon Feb 05 20:31:23 2018 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Mon Feb 05 20:31:23 2018 +0000
tree 968cca75d63b12f641251b3bee9acc90baa72956
parent 4c19b3d1d67ce3b5a4a20408dcf1779250ba860c
parent 2c8ca45d2dd60ce40b236d7f35b41801744da0da

Merge changes from topic "user-build-traceur"

* changes:
  Use a whitelisting strategy for tracefs.
  Enable Traceur on user builds.

Android.mk

diff --git a/Android.mk b/Android.mk
index 0d4d67f..759efe1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -222,15 +222,16 @@
     plat_and_mapping_sepolicy.cil.sha256 \
     secilc \
     plat_sepolicy_vers.txt \
-    vendor_service_contexts \
 
 # Include precompiled policy, unless told otherwise
 ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
 LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
 endif
 else
-# Use monolithic SELinux policy
-LOCAL_REQUIRED_MODULES += sepolicy
+# The following files are only allowed for non-Treble devices.
+LOCAL_REQUIRED_MODULES += \
+    sepolicy \
+    vendor_service_contexts
 endif
 
 LOCAL_REQUIRED_MODULES += \

CleanSpec.mk

diff --git a/CleanSpec.mk b/CleanSpec.mk
index 3a302bb..c9ac5be 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -83,3 +83,40 @@
 $(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_seapp_contexts)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_file_contexts)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_property_contexts)
+# For non-Treble devices.
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_seapp_contexts)
+
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_sepolicy.cil)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_hwservice_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_mac_permissions.xml)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_property_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_seapp_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/vendor_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/vendor_property_contexts)
+# For non-Treble devices.
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_hwservice_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_seapp_contexts)
+
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_sepolicy.cil)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_mac_permissions.xml)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_seapp_contexts)
+
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_seapp_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_service_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_seapp_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_service_contexts)

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index df14019..78c1b86 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -180,6 +180,7 @@
 neverallow all_untrusted_apps {
   default_android_hwservice
   hal_audio_hwservice
+  hal_authsecret_hwservice
   hal_bluetooth_hwservice
   hal_bootctl_hwservice
   hal_camera_hwservice

private/compat/26.0/26.0.ignore.cil

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ae0d4e7..3a493e0 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -35,6 +35,7 @@
     exported3_default_prop
     exported3_system_prop
     fs_bpf
+    hal_authsecret_hwservice
     hal_broadcastradio_hwservice
     hal_cas_hwservice
     hal_confirmationui_hwservice

private/hwservice_contexts

diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 96233fc..d7ffb8f 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -3,6 +3,7 @@
 android.frameworks.sensorservice::ISensorManager                u:object_r:fwk_sensor_hwservice:s0
 android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_audio_hwservice:s0
 android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
+android.hardware.authsecret::IAuthSecret                        u:object_r:hal_authsecret_hwservice:s0
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 6ba98f5..e9942ed 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -179,6 +179,7 @@
 
 # Use HALs
 hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)

public/attributes

diff --git a/public/attributes b/public/attributes
index 77823cf..6c6b129 100644
--- a/public/attributes
+++ b/public/attributes
@@ -206,6 +206,7 @@
 # HALs
 hal_attribute(allocator);
 hal_attribute(audio);
+hal_attribute(authsecret);
 hal_attribute(bluetooth);
 hal_attribute(bootctl);
 hal_attribute(broadcastradio);

public/hal_authsecret.te

diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
new file mode 100644
index 0000000..81b0c04
--- /dev/null
+++ b/public/hal_authsecret.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_authsecret_client, hal_authsecret_server)
+
+add_hwservice(hal_authsecret_server, hal_authsecret_hwservice)
+allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find;

public/hwservice.te

diff --git a/public/hwservice.te b/public/hwservice.te
index 436ec68..0125924 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -3,6 +3,7 @@
 type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
 type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hal_audio_hwservice, hwservice_manager_type;
+type hal_authsecret_hwservice, hwservice_manager_type;
 type hal_bluetooth_hwservice, hwservice_manager_type;
 type hal_bootctl_hwservice, hwservice_manager_type;
 type hal_broadcastradio_hwservice, hwservice_manager_type;

public/su.te

diff --git a/public/su.te b/public/su.te
index fd90ebe..c63ae0a 100644
--- a/public/su.te
+++ b/public/su.te
@@ -58,6 +58,7 @@
   typeattribute su halclientdomain;
   typeattribute su hal_allocator_client;
   typeattribute su hal_audio_client;
+  typeattribute su hal_authsecret_client;
   typeattribute su hal_bluetooth_client;
   typeattribute su hal_bootctl_client;
   typeattribute su hal_camera_client;

tests/sepolicy_tests.py

diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index ea9ba10..ca95f8a 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -50,7 +50,7 @@
 
 if __name__ == '__main__':
     usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
-    usage += "-f nonplat_file_contexts -f "
+    usage += "-f vendor_file_contexts -f "
     usage +="plat_file_contexts -p policy [--test test] [--help]"
     parser = OptionParser(option_class=MultipleOption, usage=usage)
     parser.add_option("-f", "--file_contexts", dest="file_contexts",

vendor/hal_authsecret_default.te

diff --git a/vendor/hal_authsecret_default.te b/vendor/hal_authsecret_default.te
new file mode 100644
index 0000000..46f5291
--- /dev/null
+++ b/vendor/hal_authsecret_default.te
@@ -0,0 +1,5 @@
+type hal_authsecret_default, domain;
+hal_server_domain(hal_authsecret_default, hal_authsecret)
+
+type hal_authsecret_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_authsecret_default)