Merge "Compatibility for vendor_hidraw_device" into main
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index a15c65c..9f9ea63 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -15,10 +15,8 @@
package selinux
import (
- "fmt"
"path"
"path/filepath"
- "strings"
"android/soong/android"
)
@@ -76,16 +74,6 @@
// do nothing
}
-func (b *buildFiles) OutputFiles(tag string) (android.Paths, error) {
- if paths, ok := b.srcs[tag]; ok {
- return paths, nil
- }
-
- return nil, fmt.Errorf("unknown tag %q. Supported tags are: %q", tag, strings.Join(android.SortedKeys(b.srcs), " "))
-}
-
-var _ android.OutputFileProducer = (*buildFiles)(nil)
-
type sepolicyDir struct {
tag string
paths []string
@@ -120,4 +108,12 @@
b.srcs[".product_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
b.srcs[".product_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
}
+
+ b.setOutputFiles(ctx)
+}
+
+func (b *buildFiles) setOutputFiles(ctx android.ModuleContext) {
+ for tag, files := range b.srcs {
+ ctx.SetOutputFiles(files, tag)
+ }
}
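Review bot: The new `setOutputFiles` helper has no doc comment and ranges over the `b.srcs` map directly, so the order in which tags are registered (and in which any registration error surfaces) varies between runs. A one-line comment such as `// setOutputFiles registers each collected source list in b.srcs under its tag.` would say what the helper is for. The removed `OutputFiles` used `android.SortedKeys(b.srcs)`, and the same helper gives a stable order here: `for _, tag := range android.SortedKeys(b.srcs) { ctx.SetOutputFiles(b.srcs[tag], tag) }`. The function that calls `b.setOutputFiles(ctx)` starts outside this hunk.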
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index dd883cc..f834f5d 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -19,7 +19,6 @@
import (
"android/soong/android"
- "fmt"
"github.com/google/blueprint"
"github.com/google/blueprint/proptools"
@@ -149,6 +148,10 @@
c.installSource = android.OptionalPathForPath(bottomHalf)
}
ctx.InstallFile(c.installPath, c.stem(), c.installSource.Path())
+
+ if c.installSource.Valid() {
+ ctx.SetOutputFiles(android.Paths{c.installSource.Path()}, "")
+ }
}
func (c *cilCompatMap) DepsMutator(ctx android.BottomUpMutatorContext) {
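Review bot: The new `if c.installSource.Valid()` guard sits one statement after `ctx.InstallFile(c.installPath, c.stem(), c.installSource.Path())`, which calls `Path()` with no guard. If an invalid source is possible here, the install call is the one that needs protecting; if it is not, the guard is dead code and the plain `ctx.SetOutputFiles(android.Paths{c.installSource.Path()}, "")` would be clearer. The removed `OutputFiles("")` returned `nil, nil` for an invalid source, whereas now nothing is registered for the empty tag, so callers may see an error rather than an empty list; this depends on `android.OutputFilesForModule`, which is not shown. The same guard is added in compat_cil.go, where `installSource` is built from `out` two lines earlier. The function body starts outside this hunk, so whether `installSource` can be invalid is not confirmed by these lines.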
@@ -176,19 +179,7 @@
}
var _ CilCompatMapGenerator = (*cilCompatMap)(nil)
-var _ android.OutputFileProducer = (*cilCompatMap)(nil)
func (c *cilCompatMap) GeneratedMapFile() android.OptionalPath {
return c.installSource
}
-
-func (c *cilCompatMap) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- if c.installSource.Valid() {
- return android.Paths{c.installSource.Path()}, nil
- } else {
- return nil, nil
- }
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index baad413..3b9d5e2 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -92,6 +92,10 @@
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
c.installSource = android.OptionalPathForPath(out)
ctx.InstallFile(c.installPath, c.stem(), out)
+
+ if c.installSource.Valid() {
+ ctx.SetOutputFiles(android.Paths{c.installSource.Path()}, "")
+ }
}
func (c *compatCil) AndroidMkEntries() []android.AndroidMkEntries {
@@ -110,21 +114,6 @@
}}
}
-func (c *compatCil) OutputFiles(tag string) (android.Paths, error) {
- switch tag {
- case "":
- if c.installSource.Valid() {
- return android.Paths{c.installSource.Path()}, nil
- } else {
- return nil, nil
- }
- default:
- return nil, fmt.Errorf("unsupported module reference tag %q", tag)
- }
-}
-
-var _ android.OutputFileProducer = (*compatCil)(nil)
-
// se_compat_test checks if compat files ({ver}.cil, {ver}.compat.cil) files are compatible with
// current policy.
func compatTestFactory() android.SingletonModule {
@@ -239,15 +228,7 @@
func (f *compatTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
var inputs android.Paths
ctx.VisitDirectDepsWithTag(compatTestDepTag, func(child android.Module) {
- o, ok := child.(android.OutputFileProducer)
- if !ok {
- panic(fmt.Errorf("Module %q should be an OutputFileProducer but it isn't", ctx.OtherModuleName(child)))
- }
-
- outputs, err := o.OutputFiles("")
- if err != nil {
- panic(fmt.Errorf("Module %q error while producing output: %v", ctx.OtherModuleName(child), err))
- }
+ outputs := android.OutputFilesForModule(ctx, child, "")
if len(outputs) != 1 {
panic(fmt.Errorf("Module %q should produce exactly one output, but did %q", ctx.OtherModuleName(child), outputs.Strings()))
}
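Review bot: The `len(outputs) != 1` panic that follows `android.OutputFilesForModule(ctx, child, "")` now also covers the two failure cases that the removed code reported with their own messages. If `OutputFilesForModule` records the error on `ctx` and returns an empty list (its body is not on this page), the panic text "should produce exactly one output" would mask the real cause when a policy dependency is misconfigured. A short guard before the length check, for example `if ctx.Failed() { return }`, would keep the original error visible. The same pattern appears in the sepolicy_freeze.go hunk, which would emit a second "produced 0 outputs" error, and in the sepolicy_neverallow.go hunk, where `outputs` goes straight into the `switch`. The closure and the enclosing function continue past the end of this hunk.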
diff --git a/build/soong/policy.go b/build/soong/policy.go
index be9d34e..7b2122c 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -15,7 +15,6 @@
package selinux
import (
- "fmt"
"os"
"sort"
"strconv"
@@ -294,6 +293,8 @@
c.installSource = c.transformPolicyToConf(ctx)
c.installPath = android.PathForModuleInstall(ctx, "etc")
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+
+ ctx.SetOutputFiles(android.Paths{c.installSource}, "")
}
func (c *policyConf) AndroidMkEntries() []android.AndroidMkEntries {
@@ -310,15 +311,6 @@
}}
}
-func (c *policyConf) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return android.Paths{c.installSource}, nil
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
-
-var _ android.OutputFileProducer = (*policyConf)(nil)
-
type policyCilProperties struct {
// Name of the output. Default is {module_name}
Stem *string
@@ -457,6 +449,8 @@
}
c.installSource = cil
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+
+ ctx.SetOutputFiles(android.Paths{c.installSource}, "")
}
func (c *policyCil) AndroidMkEntries() []android.AndroidMkEntries {
@@ -473,15 +467,6 @@
}}
}
-func (c *policyCil) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return android.Paths{c.installSource}, nil
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
-
-var _ android.OutputFileProducer = (*policyCil)(nil)
-
type policyBinaryProperties struct {
// Name of the output. Default is {module_name}
Stem *string
@@ -604,6 +589,8 @@
}
c.installSource = out
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+
+ ctx.SetOutputFiles(android.Paths{c.installSource}, "")
}
func (c *policyBinary) AndroidMkEntries() []android.AndroidMkEntries {
@@ -619,12 +606,3 @@
},
}}
}
-
-func (c *policyBinary) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return android.Paths{c.installSource}, nil
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
-
-var _ android.OutputFileProducer = (*policyBinary)(nil)
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 1282b90..d0bbc28 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -153,6 +153,8 @@
m.outputPath = m.build(ctx, android.PathsForModuleSrc(ctx, m.properties.Srcs))
ctx.InstallFile(m.installPath, m.stem(), m.outputPath)
+
+ ctx.SetOutputFiles([]android.Path{m.outputPath}, "")
}
func newModule() *selinuxContextsModule {
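Review bot: This call spells the argument as `[]android.Path{m.outputPath}` while every other `SetOutputFiles` call added in this commit uses `android.Paths{...}`; using `ctx.SetOutputFiles(android.Paths{m.outputPath}, "")` here keeps the package consistent. Unlike the other files in this commit, this one has no hunk dropping the `"fmt"` import, although the removed `OutputFiles` method used `fmt.Errorf`. It is worth confirming that `fmt` is still referenced elsewhere in the file, since an unused import fails the Go build. The enclosing function starts outside this hunk.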
@@ -541,16 +543,6 @@
return m
}
-var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
-
-// Implements android.OutputFileProducer
-func (m *selinuxContextsModule) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return []android.Path{m.outputPath}, nil
- }
- return nil, fmt.Errorf("unsupported module reference tag %q", tag)
-}
-
type contextsTestProperties struct {
// Contexts files to be tested.
Srcs []string `android:"path"`
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index e1e8956..d6f4f3c 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -94,17 +94,7 @@
}
dep := deps[0]
- outputFileProducer, ok := dep.(android.OutputFileProducer)
- if !ok {
- ctx.ModuleErrorf("module %q is not an output file producer", dep.String())
- return nil
- }
-
- output, err := outputFileProducer.OutputFiles("")
- if err != nil {
- ctx.ModuleErrorf("module %q failed to produce output: %w", dep.String(), err)
- return nil
- }
+ output := android.OutputFilesForModule(ctx, dep, "")
if len(output) != 1 {
ctx.ModuleErrorf("module %q produced %d outputs; expected only one output", dep.String(), len(output))
return nil
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index d46c6b4..78cbc84 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -125,15 +125,7 @@
return
}
- o, ok := child.(android.OutputFileProducer)
- if !ok {
- panic(fmt.Errorf("Module %q isn't an OutputFileProducer", ctx.OtherModuleName(child)))
- }
-
- outputs, err := o.OutputFiles("")
- if err != nil {
- panic(fmt.Errorf("Module %q error while producing output: %v", ctx.OtherModuleName(child), err))
- }
+ outputs := android.OutputFilesForModule(ctx, child, "")
switch ctx.OtherModuleDependencyTag(child) {
case checkpolicyTag:
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
index ca40173..894a3ef 100644
--- a/build/soong/sepolicy_vers.go
+++ b/build/soong/sepolicy_vers.go
@@ -15,8 +15,6 @@
package selinux
import (
- "fmt"
-
"github.com/google/blueprint/proptools"
"android/soong/android"
@@ -89,6 +87,8 @@
v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
v.installSource = out
ctx.InstallFile(v.installPath, v.stem(), v.installSource)
+
+ ctx.SetOutputFiles(android.Paths{v.installSource}, "")
}
func (v *sepolicyVers) AndroidMkEntries() []android.AndroidMkEntries {
@@ -103,12 +103,3 @@
},
}}
}
-
-func (v *sepolicyVers) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return android.Paths{v.installSource}, nil
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
-
-var _ android.OutputFileProducer = (*sepolicyVers)(nil)
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index be396e3..9c8b9cd 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -15,7 +15,6 @@
package selinux
import (
- "fmt"
"os"
"strconv"
@@ -163,6 +162,8 @@
m.installPath = m.installPath.Join(ctx, subdir)
}
ctx.InstallFile(m.installPath, m.installSource.Base(), m.installSource)
+
+ ctx.SetOutputFiles(android.Paths{m.installSource}, "")
}
func (m *versionedPolicy) AndroidMkEntries() []android.AndroidMkEntries {
@@ -178,12 +179,3 @@
},
}}
}
-
-func (m *versionedPolicy) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return android.Paths{m.installSource}, nil
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
-
-var _ android.OutputFileProducer = (*policyConf)(nil)
diff --git a/private/keystore.te b/private/keystore.te
index b35a16e..53e5dd3 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -11,11 +11,6 @@
# talk to keymint
hal_client_domain(keystore, hal_keymint)
-# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
-# access it.
-# TODO(b/312427637): Investigate the reason and fix the denial.
-dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };
-
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
diff --git a/private/property.te b/private/property.te
index a55bfb2..19513d9 100644
--- a/private/property.te
+++ b/private/property.te
@@ -74,6 +74,9 @@
system_restricted_prop(persist_sysui_builder_extras_prop)
system_restricted_prop(persist_sysui_ranking_update_prop)
+# Properties which should only be written by vendor_init
+system_vendor_config_prop(avf_virtualizationservice_prop)
+
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
typeattribute wifi_log_prop log_property_type;
diff --git a/private/property_contexts b/private/property_contexts
index f2cd2d6..9b48082 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -753,6 +753,9 @@
ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
+# Allow the vendor to disable the remote attestation feature at boot-time.
+avf.remote_attestation.enabled u:object_r:avf_virtualizationservice_prop:s0 exact bool
+
hypervisor.pvmfw.path u:object_r:hypervisor_pvmfw_prop:s0 exact string
hypervisor.virtualizationmanager.debug_policy.path u:object_r:hypervisor_virtualizationmanager_prop:s0 exact string
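Review bot: The comment says the vendor can disable remote attestation "at boot-time", but `avf.remote_attestation.enabled` has no `ro.` prefix, so it is not write-once and any domain allowed to set `avf_virtualizationservice_prop` can change it again after boot. The property.te hunk in this commit restricts the writers ("should only be written by vendor_init"), which narrows who can flip it but not when. If the value is meant to be fixed for the lifetime of the boot, a `ro.`-prefixed name would enforce that. Otherwise the comment should state that the property is mutable at runtime and what the reader should assume when it is unset, for example `# Vendor-controlled switch for pVM remote attestation; may change after boot, treated as <default> when unset.`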
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index f423c66..3d0aac0 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -34,6 +34,10 @@
# pVM remote attestation.
hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
+# Allow the virtualizationservice to inspect whether remote attestation is supported
+# through the system property.
+get_prop(virtualizationservice, avf_virtualizationservice_prop)
+
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;