Merge "Revert "Allowing userdebug/eng builds crash dump access to ks"" into main
diff --git a/Android.bp b/Android.bp
index 9ef7e5a..9905e73 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1004,6 +1004,7 @@
"system_ext_202404.compat.cil",
],
}),
+ system_ext_specific: true,
}
phony {
@@ -1086,3 +1087,218 @@
default: [],
}),
}
+
+phony {
+ name: "selinux_policy_system",
+ required: [
+ "29.0.compat.cil",
+ "30.0.compat.cil",
+ "31.0.compat.cil",
+ "32.0.compat.cil",
+ "33.0.compat.cil",
+ "34.0.compat.cil",
+ "build_sepolicy",
+ "fuzzer_bindings_test",
+ "plat_29.0.cil",
+ "plat_30.0.cil",
+ "plat_31.0.cil",
+ "plat_32.0.cil",
+ "plat_33.0.cil",
+ "plat_34.0.cil",
+ "plat_bug_map",
+ "plat_file_contexts",
+ "plat_file_contexts_data_test",
+ "plat_file_contexts_test",
+ "plat_hwservice_contexts",
+ "plat_hwservice_contexts_test",
+ "plat_keystore2_key_contexts",
+ "plat_mac_permissions.xml",
+ "plat_mapping_file",
+ "plat_property_contexts",
+ "plat_property_contexts_test",
+ "plat_seapp_contexts",
+ "plat_sepolicy.cil",
+ "plat_service_contexts",
+ "plat_service_contexts_test",
+ "searchpolicy",
+ "secilc",
+ ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+ "202404": [],
+ default: [
+ "202404.compat.cil",
+ "plat_202404.cil",
+ ],
+ }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
+ true: ["plat_sepolicy_and_mapping.sha256"],
+ default: [],
+ }) + select((
+ soong_config_variable("ANDROID", "ASAN_ENABLED"),
+ product_variable("selinux_ignore_neverallows"),
+ ), {
+ (true, true): [
+ ],
+ (default, default): [
+ "sepolicy_compat_test",
+ "sepolicy_test",
+ "sepolicy_dev_type_test",
+ "treble_sepolicy_tests_29.0",
+ "treble_sepolicy_tests_30.0",
+ "treble_sepolicy_tests_31.0",
+ "treble_sepolicy_tests_32.0",
+ "treble_sepolicy_tests_33.0",
+ "treble_sepolicy_tests_34.0",
+ ],
+ }) + select((
+ soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+ soong_config_variable("ANDROID", "ASAN_ENABLED"),
+ product_variable("selinux_ignore_neverallows"),
+ ), {
+ ("202404", true, true): [],
+ (default, true, true): [],
+ (default, default, default): [
+ "treble_sepolicy_tests_202404",
+ ],
+ }) + select(soong_config_variable("ANDROID", "RELEASE_BOARD_API_LEVEL_FROZEN"), {
+ true: ["se_freeze_test"],
+ default: [],
+ }),
+}
+
+phony {
+ name: "selinux_policy",
+ required: [
+ // Runs checkfc against merged service_contexts files
+ "merged_hwservice_contexts_test",
+ "merged_service_contexts_test",
+ "selinux_policy_nonsystem",
+ "selinux_policy_system",
+ ],
+}
+
+// selinux_policy is a main goal and triggers lots of tests.
+// Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm')
+// By setting as droidcore's dependency, tests will run on normal builds.
+phony_rule {
+ name: "droidcore",
+ phony_deps: ["selinux_policy"],
+}
+
+//-----------------------------------------------------------------------------
+// TODO - remove this. Keep around until we get the filesystem creation stuff
+// taken care of.
+//
+// The file_contexts.bin is built in the following way:
+// 1. Collect all file_contexts files in THIS repository and process them with
+// m4 into a tmp file called file_contexts.local.tmp.
+// 2. Collect all device specific file_contexts files and process them with m4
+// into a tmp file called file_contexts.device.tmp.
+// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+// file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
+// 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp
+// into file_contexts.concat.tmp.
+// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+// file_contexts.bin.
+//
+// Note: That a newline file is placed between each file_context file found to
+// ensure a proper build when an fc file is missing an ending newline.
+//---
+// 1. Collect all file_contexts files in THIS repository and process them with
+// m4 into a tmp file called file_contexts.local.tmp.
+genrule {
+ name: "file_contexts.local.tmp",
+ srcs: [
+ ":plat_file_contexts",
+ ":system_ext_file_contexts",
+ ":product_file_contexts",
+ ],
+ tools: [
+ "m4",
+ ],
+ out: ["file_contexts.local.tmp"],
+ cmd: "$(location m4) --fatal-warnings " +
+ "-s $(in) > $(out)",
+}
+
+// 2. Collect all device specific file_contexts files and process them with m4
+// into a tmp file called file_contexts.device.tmp.
+PRIVATE_ADDITIONAL_M4DEFS = select(soong_config_variable("ANDROID", "ADDITIONAL_M4DEFS"), {
+ any @ m4defs: m4defs,
+ default: "",
+})
+genrule {
+ name: "file_contexts.device.tmp",
+ srcs: [
+ ":vendor_file_contexts",
+ ":odm_file_contexts",
+ ],
+ tools: [
+ "m4",
+ ],
+ out: ["file_contexts.device.tmp"],
+ cmd: "$(location m4) --fatal-warnings " +
+ "-s " + PRIVATE_ADDITIONAL_M4DEFS +
+ " $(in) > $(out)",
+}
+
+// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+// file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
+genrule {
+ name: "file_contexts.device.sorted.tmp",
+ srcs: [
+ ":file_contexts.device.tmp",
+ ":precompiled_sepolicy",
+ ],
+ tools: [
+ "checkfc",
+ "fc_sort",
+ ],
+ out: ["file_contexts.device.sorted.tmp"],
+ cmd: "$(location checkfc) " +
+ "-e $(location :precompiled_sepolicy) " +
+ "$(location :file_contexts.device.tmp) && " +
+ "$(location fc_sort) " +
+ "-i $(location :file_contexts.device.tmp) " +
+ "-o $(out)",
+}
+
+// 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp
+// into file_contexts.concat.tmp.
+genrule {
+ name: "file_contexts.concat.tmp",
+ srcs: [
+ ":file_contexts.local.tmp",
+ ":file_contexts.device.sorted.tmp",
+ ],
+ tools: [
+ "m4",
+ ],
+ out: ["file_contexts.concat.tmp"],
+ cmd: "$(location m4) --fatal-warnings " +
+ "-s $(location :file_contexts.local.tmp) " +
+ "$(location :file_contexts.device.sorted.tmp) > $(out)",
+}
+
+// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+// file_contexts.bin.
+genrule {
+ name: "file_contexts_bin_gen",
+ srcs: [
+ ":file_contexts.concat.tmp",
+ ":precompiled_sepolicy",
+ ],
+ tools: [
+ "checkfc",
+ "sefcontext_compile",
+ ],
+ out: ["file_contexts.bin"],
+ cmd: "$(location checkfc) " +
+ "$(location :precompiled_sepolicy) " +
+ "$(location :file_contexts.concat.tmp) && " +
+ "$(location sefcontext_compile) " +
+ "-o $(out) $(location :file_contexts.concat.tmp)",
+}
+
+prebuilt_etc {
+ name: "file_contexts.bin",
+ src: ":file_contexts_bin_gen",
+}
diff --git a/Android.mk b/Android.mk
index 6655919..6474b2a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -6,12 +6,6 @@
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif
-ifdef BOARD_SEPOLICY_M4DEFS
-LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
-else
-LOCAL_ADDITIONAL_M4DEFS :=
-endif
-
# sepolicy is now divided into multiple portions:
# public - policy exported on which non-platform policy developers may write
# additional policy. types and attributes are versioned and included in
@@ -178,221 +172,7 @@
#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_policy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_TAGS := optional
-LOCAL_REQUIRED_MODULES += \
- selinux_policy_nonsystem \
- selinux_policy_system \
-
-# Runs checkfc against merged service_contexts files
-LOCAL_REQUIRED_MODULES += \
- merged_service_contexts_test \
- merged_hwservice_contexts_test
-
-include $(BUILD_PHONY_PACKAGE)
-
-# selinux_policy is a main goal and triggers lots of tests.
-# Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm')
-# By setting as droidcore's dependency, tests will run on normal builds.
-droidcore: selinux_policy
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := selinux_policy_system
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-# These build targets are not used on non-Treble devices. However, we build these to avoid
-# divergence between Treble and non-Treble devices.
-LOCAL_REQUIRED_MODULES += \
- plat_mapping_file \
- $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
- $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
- plat_sepolicy.cil \
- secilc \
-
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
-endif
-
-LOCAL_REQUIRED_MODULES += \
- build_sepolicy \
- plat_file_contexts \
- plat_file_contexts_test \
- plat_file_contexts_data_test \
- plat_keystore2_key_contexts \
- plat_mac_permissions.xml \
- plat_property_contexts \
- plat_property_contexts_test \
- plat_seapp_contexts \
- plat_service_contexts \
- plat_service_contexts_test \
- plat_hwservice_contexts \
- plat_hwservice_contexts_test \
- fuzzer_bindings_test \
- plat_bug_map \
- searchpolicy \
-
-ifneq ($(with_asan),true)
-ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
-LOCAL_REQUIRED_MODULES += \
- sepolicy_compat_test \
-
-# HACK: sepolicy_test is implemented as genrule
-# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
-# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
-LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
-LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_dev_type_test)/sepolicy_dev_type_test
-
-LOCAL_REQUIRED_MODULES += \
- $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
-
-endif # SELINUX_IGNORE_NEVERALLOWS
-endif # with_asan
-
-ifeq ($(RELEASE_BOARD_API_LEVEL_FROZEN),true)
-LOCAL_REQUIRED_MODULES += \
- se_freeze_test
-endif
-
-include $(BUILD_PHONY_PACKAGE)
-
-##################################
-# Policy files are now built with Android.bp. Grab them from intermediate.
-# See Android.bp for details of policy files.
-#
-built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
-
-##################################
-# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
-#
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := file_contexts.bin
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# The file_contexts.bin is built in the following way:
-# 1. Collect all file_contexts files in THIS repository and process them with
-# m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all device specific file_contexts files and process them with m4
-# into a tmp file called file_contexts.device.tmp.
-# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
-# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp
-# into file_contexts.concat.tmp.
-# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
-# file_contexts.bin.
-#
-# Note: That a newline file is placed between each file_context file found to
-# ensure a proper build when an fc file is missing an ending newline.
-
-local_fc_files := $(call intermediates-dir-for,ETC,plat_file_contexts)/plat_file_contexts
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-local_fc_files += $(call intermediates-dir-for,ETC,system_ext_file_contexts)/system_ext_file_contexts
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-local_fc_files += $(call intermediates-dir-for,ETC,product_file_contexts)/product_file_contexts
-endif
-
-###########################################################
-## Collect file_contexts files into a single tmp file with m4
-##
-## $(1): list of file_contexts files
-## $(2): filename into which file_contexts files are merged
-###########################################################
-
-define _merge-fc-files
-$(2): $(1) $(M4)
- $(hide) mkdir -p $$(dir $$@)
- $(hide) $(M4) --fatal-warnings -s $(1) > $$@
-endef
-
-define merge-fc-files
-$(eval $(call _merge-fc-files,$(1),$(2)))
-endef
-
-file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
-$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
-
-device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-device_fc_files += $(call intermediates-dir-for,ETC,odm_file_contexts)/odm_file_contexts
-endif
-
-file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
-$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files)
-$(file_contexts.device.tmp): $(device_fc_files) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@
-
-file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
-$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \
- $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
- $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@
-
-file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
-$(call merge-fc-files,\
- $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp),$(file_contexts.concat.tmp))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
- $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
-
-local_fc_files :=
-device_fc_files :=
-file_contexts.concat.tmp :=
-file_contexts.device.sorted.tmp :=
-file_contexts.device.tmp :=
-file_contexts.local.tmp :=
-
-##################################
-# Tests for Treble compatibility of current platform policy and vendor policy of
-# given release version.
-
-ver := $(PLATFORM_SEPOLICY_VERSION)
-ifneq ($(wildcard $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)),)
-# If PLATFORM_SEPOLICY_VERSION is already frozen, use prebuilts for compat test
-base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_plat_pub_policy.cil)/$(ver)_plat_pub_policy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_product_pub_policy.cil)/$(ver)_product_pub_policy.cil
-else
-# If not, use ToT for compat test
-base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
-endif
-ver :=
-
-$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
- $(eval version_under_treble_tests := $(v)) \
- $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
-)
-
-base_plat_pub_policy.cil :=
-base_product_pub_policy.cil :=
-
-#################################
-
build_policy :=
-built_sepolicy :=
sepolicy_build_files :=
with_asan :=
diff --git a/apex/Android.bp b/apex/Android.bp
index a6d0853..304eb85 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -314,3 +314,10 @@
"com.android.biometrics.virtual.face-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.documentsuibundle-file_contexts",
+ srcs: [
+ "com.android.documentsuibundle-file_contexts",
+ ],
+}
diff --git a/apex/com.android.documentsuibundle-file_contexts b/apex/com.android.documentsuibundle-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.documentsuibundle-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index fef2e69..d02d61e 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -119,7 +119,7 @@
func compatTestFactory() android.SingletonModule {
f := &compatTestModule{}
f.AddProperties(&f.properties)
- android.InitAndroidModule(f)
+ android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
f.loadHook(ctx)
})
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index 78cbc84..c2a21dd 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -57,7 +57,7 @@
func neverallowTestFactory() android.Module {
n := &neverallowTestModule{}
n.AddProperties(&n.properties)
- android.InitAndroidModule(n)
+ android.InitAndroidArchModule(n, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(n, func(ctx android.LoadHookContext) {
n.loadHook(ctx)
})
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 698d68f..6b135bd 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -350,6 +350,7 @@
"media_communication": EXCEPTION_NO_FUZZER,
"media_metrics": EXCEPTION_NO_FUZZER,
"media_projection": EXCEPTION_NO_FUZZER,
+ "media_quality": EXCEPTION_NO_FUZZER,
"media_resource_monitor": EXCEPTION_NO_FUZZER,
"media_router": EXCEPTION_NO_FUZZER,
"media_session": EXCEPTION_NO_FUZZER,
@@ -410,6 +411,7 @@
"restrictions": EXCEPTION_NO_FUZZER,
"rkpd.registrar": EXCEPTION_NO_FUZZER,
"rkpd.refresh": EXCEPTION_NO_FUZZER,
+ "rkp_cert_processor.service": EXCEPTION_NO_FUZZER,
"role": EXCEPTION_NO_FUZZER,
"rollback": EXCEPTION_NO_FUZZER,
"rttmanager": EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 72b17ca..e990aba 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -326,6 +326,7 @@
/system/bin/tcpdump tcpdump_exec
/system/bin/tune2fs fsck_exec
/system/bin/resize2fs fsck_exec
+/system/bin/rkp_cert_processor rkp_cert_processor_exec
/system/bin/toolbox toolbox_exec
/system/bin/toybox toolbox_exec
/system/bin/ld.mc rs_exec
@@ -485,6 +486,7 @@
/system/bin/android.automotive.evs.manager@1.99 evsmanagerd_exec
/system/bin/uprobestats uprobestats_exec
/system/bin/trace_redactor trace_redactor_exec
+/system/bin/bert_collector bert_collector_exec
/vendor vendor_file
/vendor/does_not_exist vendor_file
@@ -777,8 +779,7 @@
/system/system_ext/bin/canhalconfigurator canhalconfigurator_exec
/system/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
-/system_ext/bin/custom_vm_setup custom_vm_setup_exec
-/system/system_ext/bin/custom_vm_setup custom_vm_setup_exec
+/system/bin/linux_vm_setup linux_vm_setup_exec
/system_ext/lib system_lib_file
/system_ext/lib/does_not_exist system_lib_file
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 97e7493..1601e61 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -1,15 +1,9 @@
# aconfigd -- manager for aconfig flags
-type aconfigd, domain;
+type aconfigd, domain, coredomain;
type aconfigd_exec, exec_type, file_type, system_file_type;
-typeattribute aconfigd coredomain;
-
init_daemon_domain(aconfigd)
-# only init is allowed to enter the aconfigd domain
-neverallow { domain -init } aconfigd:process transition;
-neverallow * aconfigd:process dyntransition;
-
allow aconfigd metadata_file:dir search;
allow aconfigd {
@@ -22,17 +16,15 @@
aconfig_storage_flags_metadata_file
}:file create_file_perms;
-allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };
-allow aconfigd aconfigd_socket:sock_file rw_file_perms;
-
# allow aconfigd to access shell_data_file for atest
userdebug_or_eng(`
allow aconfigd shell_data_file:dir search;
allow aconfigd shell_data_file:file { getattr read open map };
')
-# allow aconfigd to log to the kernel.
-allow aconfigd kmsg_device:chr_file w_file_perms;
+# allow aconfigd to log to the kernel dmesg via a file descriptor
+# passed from init to aconfigd
+allow aconfigd kmsg_device:chr_file write;
# allow aconfigd to read vendor partition storage files
allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
@@ -41,3 +33,11 @@
# allow aconfigd to read /apex dir
allow aconfigd apex_mnt_dir:dir r_dir_perms;
allow aconfigd apex_mnt_dir:file r_file_perms;
+
+###
+### Neverallow assertions
+###
+
+# only init is allowed to enter the aconfigd domain
+neverallow { domain -init } aconfigd:process transition;
+neverallow * aconfigd:process dyntransition;
diff --git a/private/adbd.te b/private/adbd.te
index a298f08..b87b319 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -2,13 +2,17 @@
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
+typeattribute adbd adbd_common;
init_daemon_domain(adbd)
domain_auto_trans(adbd, shell_exec, shell)
+# Allow adb to setcon() to tradeinmode.
+allow adbd self:process setcurrent;
+allow adbd adbd_tradeinmode:process dyntransition;
+
userdebug_or_eng(`
- allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')
@@ -78,6 +82,7 @@
set_prop(adbd, powerctl_prop)
get_prop(adbd, ffs_config_prop)
set_prop(adbd, ffs_control_prop)
+set_prop(adbd, adbd_tradeinmode_prop)
# Allow adbd start/stop mdnsd via ctl.start
set_prop(adbd, ctl_mdnsd_prop)
@@ -182,6 +187,10 @@
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
# Allow pull /vendor/apex files for CTS tests
r_dir_file(adbd, vendor_apex_file)
@@ -206,10 +215,15 @@
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
+# transitions to the shell or tradeinmode domain (except when it crashes). In
+# particular, we never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell -adbd_tradeinmode }:process transition;
+neverallow adbd {
+ domain
+ userdebug_or_eng(`-su')
+ recovery_only(`-shell')
+ -adbd_tradeinmode
+}:process dyntransition;
# Only init is allowed to enter the adbd domain via exec()
neverallow { domain -init } adbd:process transition;
diff --git a/private/adbd_common.te b/private/adbd_common.te
index 6cf8e49..c24b029 100644
--- a/private/adbd_common.te
+++ b/private/adbd_common.te
@@ -2,34 +2,30 @@
### Put things here that are needed for both adbd proper and adbd in trade-in mode.
# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(adbd, mdnsd, mdnsd)
+unix_socket_connect(adbd_common, mdnsd, mdnsd)
# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
-dontaudit { adbd } self:{ socket vsock_socket } create;
+dontaudit adbd_common self:{ socket vsock_socket } create;
# Allow adbd inside vm to forward vm's vsock.
-allow { adbd } self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+allow adbd_common self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Access device logging gating property
-get_prop(adbd, device_logging_prop)
+get_prop(adbd_common, device_logging_prop)
# Use a pseudo tty.
-allow { adbd } devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow { adbd } shell_data_file:dir create_dir_perms;
-allow { adbd } shell_data_file:file create_file_perms;
+allow adbd_common devpts:chr_file rw_file_perms;
# Read persist.adb.tls_server.enable property
-get_prop(adbd, system_adbd_prop)
+get_prop(adbd_common, system_adbd_prop)
# Read whether or not Test Harness Mode is enabled
-get_prop(adbd, test_harness_prop)
+get_prop(adbd_common, test_harness_prop)
# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
-set_prop(adbd, adbd_prop)
-set_prop(adbd, adbd_config_prop)
+set_prop(adbd_common, adbd_prop)
+set_prop(adbd_common, adbd_config_prop)
# Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
+get_prop(adbd_common, serialno_prop)
diff --git a/private/adbd_tradeinmode.te b/private/adbd_tradeinmode.te
new file mode 100644
index 0000000..2eae26a
--- /dev/null
+++ b/private/adbd_tradeinmode.te
@@ -0,0 +1,23 @@
+### ADB in trade-in mode
+type adbd_tradeinmode, domain, coredomain, adbd_common;
+
+# Create and use network sockets.
+net_domain(adbd_tradeinmode)
+
+# Baseline rules to make adbd work after setcon().
+allow adbd_tradeinmode adbd:unix_stream_socket {
+ rw_socket_perms_no_ioctl
+ listen
+ accept
+};
+allow adbd_tradeinmode adbd:fd use;
+allow adbd_tradeinmode adbd:unix_dgram_socket { connect write };
+allow adbd_tradeinmode functionfs:dir r_dir_perms;
+allow adbd_tradeinmode functionfs:file rw_file_perms;
+allow adbd_tradeinmode proc_uptime:file r_file_perms;
+allow adbd_tradeinmode rootfs:dir r_dir_perms;
+
+set_prop(adbd_tradeinmode, ffs_control_prop)
+
+# Allow changing persist.adb.tradeinmode when testing.
+userdebug_or_eng(`set_prop(adbd_tradeinmode, shell_prop)')
diff --git a/private/apexd.te b/private/apexd.te
index c87c5ef..450b563 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -191,6 +191,9 @@
# Allow apexd to write to statsd.
unix_socket_send(apexd, statsdw, statsd)
+# Allow apexd to call
+allow apexd statsbootstrap_service:service_manager find;
+binder_call(apexd, system_server) # system_server serves statsbootstrap_service
###
### Neverallow rules
diff --git a/private/attributes b/private/attributes
index fe50b0d..2d6181d 100644
--- a/private/attributes
+++ b/private/attributes
@@ -15,3 +15,5 @@
attribute sdk_sandbox_all;
# The SDK sandbox domains for the current SDK level.
attribute sdk_sandbox_current;
+# Common to adbd and adbd_tradeinmode.
+attribute adbd_common;
diff --git a/private/bert_collector.te b/private/bert_collector.te
new file mode 100644
index 0000000..b11bd76
--- /dev/null
+++ b/private/bert_collector.te
@@ -0,0 +1,12 @@
+type bert_collector, domain, coredomain;
+type bert_collector_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(bert_collector)
+
+r_dir_file(bert_collector, sysfs_firmware_acpi_tables)
+
+binder_use(bert_collector)
+binder_call(bert_collector, system_server)
+
+allow bert_collector dropbox_service:service_manager find;
+allow bert_collector proc_version:file r_file_perms;
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 787531a..8bb0a2d 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -19,5 +19,7 @@
virtual_fingerprint_exec
virtual_face
virtual_face_exec
+ media_quality_service
advanced_protection_service
+ sysfs_firmware_acpi_tables
))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 6c52dba..3132c5a 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -52,4 +52,5 @@
aconfigd_socket
enable_16k_pages_prop
proc_cgroups
+ media_quality_service
))
diff --git a/private/coredomain.te b/private/coredomain.te
index 93cbff5..8a46a08 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -220,6 +220,7 @@
neverallow {
coredomain
-adbd
+ -adbd_tradeinmode
-init
-mediaprovider
-system_server
diff --git a/private/custom_vm_setup.te b/private/custom_vm_setup.te
deleted file mode 100644
index c14f5e0..0000000
--- a/private/custom_vm_setup.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type custom_vm_setup, domain, coredomain;
-type custom_vm_setup_exec, system_file_type, exec_type, file_type;
-
-is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
- init_daemon_domain(custom_vm_setup)
-')
diff --git a/private/domain.te b/private/domain.te
index 03bcb85..ceab2dd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -816,6 +816,7 @@
neverallow {
domain
-adbd
+ -adbd_tradeinmode
-dumpstate
-fastbootd
-hal_camera_server
diff --git a/private/ferrochrome_app.te b/private/ferrochrome_app.te
deleted file mode 100644
index e12c84c..0000000
--- a/private/ferrochrome_app.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type ferrochrome_app, domain;
-typeattribute ferrochrome_app coredomain;
-
-app_domain(ferrochrome_app)
-
-allow ferrochrome_app app_api_service:service_manager find;
-allow ferrochrome_app system_api_service:service_manager find;
-
-# TODO(b/348113995): after remove sysprop usage, we can use just (priv_)app.te
-set_prop(ferrochrome_app, debug_prop);
-get_prop(ferrochrome_app, debug_prop);
diff --git a/private/file.te b/private/file.te
index 70b8523..662d5cc 100644
--- a/private/file.te
+++ b/private/file.te
@@ -182,6 +182,9 @@
# Type for /sys/kernel/mm/pgsize_migration/enabled
type sysfs_pgsize_migration, fs_type, sysfs_type;
+# /sys/firmware/acpi/tables
+type sysfs_firmware_acpi_tables, fs_type, sysfs_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
diff --git a/private/file_contexts b/private/file_contexts
index fa2fe3a..016e3e2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -362,7 +362,8 @@
/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
-/system/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
+/system/bin/rkp_cert_processor u:object_r:rkp_cert_processor_exec:s0
+/system/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
@@ -407,6 +408,9 @@
/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
/system/bin/uprobestats u:object_r:uprobestats_exec:s0
+/system/bin/bert_collector u:object_r:bert_collector_exec:s0
+/system/bin/linux_vm_setup u:object_r:linux_vm_setup_exec:s0
+
#############################
# Vendor files
@@ -534,8 +538,6 @@
/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/(system_ext|system/system_ext)/bin/custom_vm_setup u:object_r:custom_vm_setup_exec:s0
-
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index b8b7247..e300d78 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -149,6 +149,7 @@
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/acpi/tables u:object_r:sysfs_firmware_acpi_tables:s0
genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
diff --git a/private/init.te b/private/init.te
index dd84ae8..dbb3f02 100644
--- a/private/init.te
+++ b/private/init.te
@@ -580,6 +580,7 @@
allow init {
sysfs_android_usb
sysfs_dm_verity
+ sysfs_firmware_acpi_tables
sysfs_leds
sysfs_power
sysfs_fs_f2fs
diff --git a/private/keystore.te b/private/keystore.te
index b43271f..50542b0 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,6 +20,9 @@
# Allow keystore to check if the system is rkp only.
get_prop(keystore, remote_prov_prop)
+# Allow keystore to check whether to post-process RKP certificates
+get_prop(keystore, remote_prov_cert_prop)
+
# Allow keystore to check rkpd feature flags
get_prop(keystore, device_config_remote_key_provisioning_native_prop)
@@ -45,6 +48,7 @@
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, remote_provisioning_service_server)
+binder_call(keystore, rkp_cert_processor)
binder_call(keystore, system_server)
binder_call(keystore, wificond)
@@ -54,8 +58,9 @@
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
-allow keystore dropbox_service:service_manager find;
allow keystore remote_provisioning_service:service_manager find;
+allow keystore rkp_cert_processor_service:service_manager find;
+
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
diff --git a/private/linux_vm_setup.te b/private/linux_vm_setup.te
new file mode 100644
index 0000000..ba483e8
--- /dev/null
+++ b/private/linux_vm_setup.te
@@ -0,0 +1,6 @@
+type linux_vm_setup, domain, coredomain;
+type linux_vm_setup_exec, system_file_type, exec_type, file_type;
+
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ init_daemon_domain(linux_vm_setup)
+')
diff --git a/private/property.te b/private/property.te
index 8cc91e4..c746cb3 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,5 +1,6 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(adbd_tradeinmode_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(crashrecovery_prop)
@@ -19,6 +20,7 @@
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(device_config_tethering_u_or_later_native_prop)
system_internal_prop(dmesgd_start_prop)
+system_internal_prop(bert_collector_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
@@ -43,6 +45,7 @@
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(remote_prov_prop)
+system_internal_prop(remote_prov_cert_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapshotctl_prop)
@@ -507,6 +510,7 @@
-init
-vendor_init
-adbd
+ -adbd_tradeinmode
-system_server
} {
adbd_config_prop
@@ -517,6 +521,7 @@
domain
-init
-adbd
+ -adbd_tradeinmode
} {
adbd_prop
}:property_service set;
@@ -783,6 +788,11 @@
} remote_prov_prop:property_service set;
neverallow {
+ domain
+ -init
+} remote_prov_cert_prop:property_service set;
+
+neverallow {
# Only allow init and shell to set rollback_test_prop
domain
-init
diff --git a/private/property_contexts b/private/property_contexts
index 13dff31..ea2df66 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -51,6 +51,7 @@
security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
+persist.adb.tradeinmode u:object_r:adbd_tradeinmode_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
@@ -870,6 +871,8 @@
dmesgd.start u:object_r:dmesgd_start_prop:s0 exact bool
+acpi.bert_collector.start u:object_r:bert_collector_start_prop:s0 exact bool
+
odsign.key.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.success u:object_r:odsign_prop:s0 exact bool
@@ -1013,6 +1016,7 @@
ro.build.date.utc u:object_r:build_prop:s0 exact int
ro.build.description u:object_r:build_prop:s0 exact string
ro.build.display.id u:object_r:build_prop:s0 exact string
+ro.build.critical_issues.fixed_issues.long_list u:object_r:build_prop:s0 exact string
ro.build.flavor u:object_r:build_prop:s0 exact string
ro.build.host u:object_r:build_prop:s0 exact string
ro.build.id u:object_r:build_prop:s0 exact string
@@ -1539,6 +1543,9 @@
# Hostname for the remote provisioning server a device should communicate with
remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
+# Support for post-processing RKP certificates
+remote_provisioning.use_cert_processor u:object_r:remote_prov_cert_prop:s0 exact bool
+
# Connection Timeout for remote provisioning step
remote_provisioning.connect_timeout_millis u:object_r:remote_prov_prop:s0 exact int
diff --git a/private/rkp_cert_processor.te b/private/rkp_cert_processor.te
new file mode 100644
index 0000000..578bd4c
--- /dev/null
+++ b/private/rkp_cert_processor.te
@@ -0,0 +1,12 @@
+# Cert processor service
+type rkp_cert_processor, domain, coredomain;
+type rkp_cert_processor_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(rkp_cert_processor)
+net_domain(rkp_cert_processor)
+
+binder_use(rkp_cert_processor)
+
+add_service(rkp_cert_processor, rkp_cert_processor_service)
+
+use_bootstrap_libs(rkp_cert_processor)
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index b4c655b..41b2799 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -124,3 +124,25 @@
# Only dirs should be created at sdk_sandbox_all_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
+# Restrict unix stream sockets for IPC.
+neverallow sdk_sandbox_all {
+ domain
+ -sdk_sandbox_all
+ -netd
+ -logd
+ -adbd
+ userdebug_or_eng(`-su')
+ # needed for profiling
+ -traced
+ -traced_perf
+ -heapprofd
+ # fallback crash handling for processes that can't exec crash_dump.
+ -tombstoned
+ # needed to connect to PRNG seeder daemon.
+ -prng_seeder
+}:unix_stream_socket connectto;
+neverallow {
+ domain
+ -adbd
+ -sdk_sandbox_all
+} sdk_sandbox_all:unix_stream_socket connectto;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 0b857de..ce49fc4 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -225,5 +225,3 @@
user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.virtualization.linuxinstaller domain=ferrochrome_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.virtualization.ferrochrome domain=ferrochrome_app type=privapp_data_file levelFrom=all
diff --git a/private/service.te b/private/service.te
index a4d00f3..d0ee060 100644
--- a/private/service.te
+++ b/private/service.te
@@ -22,11 +22,15 @@
type resolver_service, system_server_service, service_manager_type;
type rkpd_registrar_service, service_manager_type;
type rkpd_refresh_service, service_manager_type;
+type rkp_cert_processor_service, service_manager_type;
type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statsbootstrap_service, system_server_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
+until_board_api(202504, `
+ type media_quality_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+')
is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 7c3efc7..5be600e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -337,6 +337,7 @@
media_communication u:object_r:media_communication_service:s0
media_metrics u:object_r:media_metrics_service:s0
media_projection u:object_r:media_projection_service:s0
+media_quality u:object_r:media_quality_service:s0
media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
media_session u:object_r:media_session_service:s0
@@ -399,6 +400,7 @@
restrictions u:object_r:restrictions_service:s0
rkpd.registrar u:object_r:rkpd_registrar_service:s0
rkpd.refresh u:object_r:rkpd_refresh_service:s0
+rkp_cert_processor.service u:object_r:rkp_cert_processor_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
rttmanager u:object_r:rttmanager_service:s0
diff --git a/private/shell.te b/private/shell.te
index 18e3462..839178c 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -273,12 +273,6 @@
# TODO (b/350628688): Remove this once it's safe to do so.
allow shell oatdump_exec:file rx_file_perms;
-# Allow shell access to socket for test
-userdebug_or_eng(`
- allow shell aconfigd_socket:sock_file write;
- allow shell aconfigd:unix_stream_socket connectto;
-')
-
# Create and use network sockets.
net_domain(shell)
@@ -479,7 +473,7 @@
allow shell vendor_shell_exec:file rx_file_perms;
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
- allow shell custom_vm_setup_exec:file { entrypoint r_file_perms };
+ allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
')
# Everything is labeled as rootfs in recovery mode. Allow shell to
diff --git a/private/system_server.te b/private/system_server.te
index fc4faef..063c2ed 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1134,9 +1134,9 @@
# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+allow system_server adbd_common:unix_stream_socket connectto;
+allow system_server adbd_common:fd use;
+allow system_server adbd_common:unix_stream_socket { getattr getopt ioctl read write shutdown };
# Read service.adb.tls.port, persist.adb.wifi. properties
get_prop(system_server, adbd_prop)
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index c76c117..71c9f3f 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -11,6 +11,8 @@
allow vmlauncher_app shell_data_file:file { read open write };
virtualizationservice_use(vmlauncher_app)
+allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
+
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# TODO(b/332677707): remove them when display service uses binder RPC.
allow vmlauncher_app virtualization_service:service_manager find;
@@ -24,3 +26,6 @@
# Allow other processes to access the pts.
allow vmlauncher_app vmlauncher_app_devpts:chr_file setattr;
')
+
+# TODO(b/372664601): Remove this when we don't need linux_vm_setup
+set_prop(vmlauncher_app, debug_prop);
diff --git a/public/service.te b/public/service.te
index 9d77fb9..cc9b1ab 100644
--- a/public/service.te
+++ b/public/service.te
@@ -176,6 +176,9 @@
type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+ type media_quality_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+')
type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type meminfo_service, system_api_service, system_server_service, service_manager_type;
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
deleted file mode 100644
index 2e9d68f..0000000
--- a/treble_sepolicy_tests_for_release.mk
+++ /dev/null
@@ -1,81 +0,0 @@
-version := $(version_under_treble_tests)
-
-include $(CLEAR_VARS)
-# For Treble builds run tests verifying that processes are properly labeled and
-# permissions granted do not violate the treble model. Also ensure that treble
-# compatibility guarantees are upheld between SELinux version bumps.
-LOCAL_MODULE := treble_sepolicy_tests_$(version)
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-IS_TREBLE_TEST_ENABLED_PARTNER := false
-ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
-IS_TREBLE_TEST_ENABLED_PARTNER := true
-endif # (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
-endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# $(version)_plat - the platform policy shipped as part of the $(version) release. This is
-# built to enable us to determine the diff between the current policy and the
-# $(version) policy, which will be used in tests to make sure that compatibility has
-# been maintained by our mapping files.
-built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil
-
-$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
-$(version)_mapping.ignore.cil := \
- $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR))
-$(version)_mapping.cil += \
- $(call intermediates-dir-for,ETC,system_ext_$(version).cil)/system_ext_$(version).cil
-$(version)_mapping.ignore.cil += \
- $(call intermediates-dir-for,ETC,system_ext_$(version).ignore.cil)/system_ext_$(version).ignore.cil
-endif # (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR))
-ifneq (,$(BOARD_PRODUCT_PREBUILT_DIR))
-$(version)_mapping.cil += \
- $(call intermediates-dir-for,ETC,product_$(version).cil)/product_$(version).cil
-$(version)_mapping.ignore.cil += \
- $(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
-endif # (,$(BOARD_PRODUCT_PREBUILT_DIR))
-endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-
-# $(version)_mapping.combined.cil - a combination of the mapping file used when
-# combining the current platform policy with nonplatform policy based on the
-# $(version) policy release and also a special ignored file that exists purely for
-# these tests.
-intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
-$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
-$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
- mkdir -p $(dir $@)
- cat $^ > $@
-
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-public_cil_files := $(base_product_pub_policy.cil)
-else
-public_cil_files := $(base_plat_pub_policy.cil)
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
- $(public_cil_files) \
- $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
- -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
- -o $(PRIVATE_SEPOLICY_OLD)
- $(hide) touch $@
-
-built_sepolicy_files :=
-public_cil_files :=
-$(version)_mapping.cil :=
-$(version)_mapping.combined.cil :=
-$(version)_mapping.ignore.cil :=
-built_$(version)_plat_sepolicy :=
-version :=
-version_under_treble_tests :=
diff --git a/treble_sepolicy_tests_for_release/Android.bp b/treble_sepolicy_tests_for_release/Android.bp
new file mode 100644
index 0000000..7256deb
--- /dev/null
+++ b/treble_sepolicy_tests_for_release/Android.bp
@@ -0,0 +1,448 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_applicable_licenses: [
+ "Android-Apache-2.0",
+ "system_sepolicy_license",
+ ],
+}
+
+//////////////////////////////////
+// Tests for Treble compatibility of current platform policy and vendor policy of
+// given release version.
+//////////////////////////////////
+genrule {
+ name: "29.0_mapping.combined.cil",
+ srcs: [
+ ":plat_29.0.cil",
+ ":29.0.ignore.cil",
+ ],
+ out: ["29.0_mapping.combined.cil"],
+ cmd: "cat $(location :plat_29.0.cil) $(location :29.0.ignore.cil) > $(out)",
+}
+
+genrule {
+ name: "treble_sepolicy_tests_29.0",
+ srcs: [
+ ":29.0_plat_policy.cil",
+ ":29.0_mapping.combined.cil",
+ ":29.0_plat_pub_policy.cil",
+ ],
+ tools: ["treble_sepolicy_tests"],
+ out: ["treble_sepolicy_tests_29.0"],
+ cmd: "$(location treble_sepolicy_tests) " +
+ "-b $(location :29.0_plat_pub_policy.cil) " +
+ "-m $(location :29.0_mapping.combined.cil) " +
+ "-o $(location :29.0_plat_policy.cil) && " +
+ "touch $(out)",
+}
+
+genrule {
+ name: "30.0_mapping.combined.cil",
+ srcs: [
+ ":plat_30.0.cil",
+ ":30.0.ignore.cil",
+ ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+ true: [
+ ":system_ext_30.0.cil",
+ ":system_ext_30.0.ignore.cil",
+ ],
+ default: [],
+ }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+ true: [
+ ":product_30.0.cil",
+ ":product_30.0.ignore.cil",
+ ],
+ default: [],
+ }),
+ out: ["30.0_mapping.combined.cil"],
+ cmd: "cat $(location :plat_30.0.cil) " +
+ "$(location :30.0.ignore.cil) " +
+ select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+ true: "$(location :system_ext_30.0.cil) " +
+ "$(location :system_ext_30.0.ignore.cil) ",
+ default: "",
+ }) +
+ select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+ true: "$(location :product_30.0.cil) " +
+ "$(location :product_30.0.ignore.cil) ",
+ default: "",
+ }) +
+ "> $(out)",
+}
+
+genrule {
+ name: "treble_sepolicy_tests_30.0",
+ srcs: [
+ ":30.0_plat_policy.cil",
+ ":30.0_mapping.combined.cil",
+ ] + select((
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ (false, false): [":30.0_plat_pub_policy.cil"],
+ (default, default): [":30.0_product_pub_policy.cil"],
+ }),
+ tools: ["treble_sepolicy_tests"],
+ out: ["treble_sepolicy_tests_30.0"],
+ cmd: select((
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ (false, false): "$(location treble_sepolicy_tests) " +
+ "-b $(location :30.0_plat_pub_policy.cil) " +
+ "-m $(location :30.0_mapping.combined.cil) " +
+ "-o $(location :30.0_plat_policy.cil) && " +
+ "touch $(out)",
+ (default, default): "$(location treble_sepolicy_tests) " +
+ "-b $(location :30.0_product_pub_policy.cil) " +
+ "-m $(location :30.0_mapping.combined.cil) " +
+ "-o $(location :30.0_plat_policy.cil) && " +
+ "touch $(out)",
+ }),
+}
+
+genrule {
+ name: "31.0_mapping.combined.cil",
+ srcs: [
+ ":plat_31.0.cil",
+ ":31.0.ignore.cil",
+ ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+ true: [
+ ":system_ext_31.0.cil",
+ ":system_ext_31.0.ignore.cil",
+ ],
+ default: [],
+ }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+ true: [
+ ":product_31.0.cil",
+ ":product_31.0.ignore.cil",
+ ],
+ default: [],
+ }),
+ out: ["31.0_mapping.combined.cil"],
+ cmd: "cat $(location :plat_31.0.cil) " +
+ "$(location :31.0.ignore.cil) " +
+ select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+ true: "$(location :system_ext_31.0.cil) " +
+ "$(location :system_ext_31.0.ignore.cil) ",
+ default: "",
+ }) +
+ select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+ true: "$(location :product_31.0.cil) " +
+ "$(location :product_31.0.ignore.cil) ",
+ default: "",
+ }) +
+ "> $(out)",
+}
+
+genrule {
+ name: "treble_sepolicy_tests_31.0",
+ srcs: [
+ ":31.0_plat_policy.cil",
+ ":31.0_mapping.combined.cil",
+ ] + select((
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ (false, false): [":31.0_plat_pub_policy.cil"],
+ (default, default): [":31.0_product_pub_policy.cil"],
+ }),
+ tools: ["treble_sepolicy_tests"],
+ out: ["treble_sepolicy_tests_31.0"],
+ cmd: select((
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ (false, false): "$(location treble_sepolicy_tests) " +
+ "-b $(location :31.0_plat_pub_policy.cil) " +
+ "-m $(location :31.0_mapping.combined.cil) " +
+ "-o $(location :31.0_plat_policy.cil) && " +
+ "touch $(out)",
+ (default, default): "$(location treble_sepolicy_tests) " +
+ "-b $(location :31.0_product_pub_policy.cil) " +
+ "-m $(location :31.0_mapping.combined.cil) " +
+ "-o $(location :31.0_plat_policy.cil) && " +
+ "touch $(out)",
+ }),
+}
+
+genrule {
+ name: "32.0_mapping.combined.cil",
+ srcs: [
+ ":plat_32.0.cil",
+ ":32.0.ignore.cil",
+ ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+ true: [
+ ":system_ext_32.0.cil",
+ ":system_ext_32.0.ignore.cil",
+ ],
+ default: [],
+ }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+ true: [
+ ":product_32.0.cil",
+ ":product_32.0.ignore.cil",
+ ],
+ default: [],
+ }),
+ out: ["32.0_mapping.combined.cil"],
+ cmd: "cat $(location :plat_32.0.cil) " +
+ "$(location :32.0.ignore.cil) " +
+ select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+ true: "$(location :system_ext_32.0.cil) " +
+ "$(location :system_ext_32.0.ignore.cil) ",
+ default: "",
+ }) +
+ select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+ true: "$(location :product_32.0.cil) " +
+ "$(location :product_32.0.ignore.cil) ",
+ default: "",
+ }) +
+ "> $(out)",
+}
+
+genrule {
+ name: "treble_sepolicy_tests_32.0",
+ srcs: [
+ ":32.0_plat_policy.cil",
+ ":32.0_mapping.combined.cil",
+ ] + select((
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ (false, false): [":32.0_plat_pub_policy.cil"],
+ (default, default): [":32.0_product_pub_policy.cil"],
+ }),
+ tools: ["treble_sepolicy_tests"],
+ out: ["treble_sepolicy_tests_32.0"],
+ cmd: select((
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ (false, false): "$(location treble_sepolicy_tests) " +
+ "-b $(location :32.0_plat_pub_policy.cil) " +
+ "-m $(location :32.0_mapping.combined.cil) " +
+ "-o $(location :32.0_plat_policy.cil) && " +
+ "touch $(out)",
+ (default, default): "$(location treble_sepolicy_tests) " +
+ "-b $(location :32.0_product_pub_policy.cil) " +
+ "-m $(location :32.0_mapping.combined.cil) " +
+ "-o $(location :32.0_plat_policy.cil) && " +
+ "touch $(out)",
+ }),
+}
+
+genrule {
+ name: "33.0_mapping.combined.cil",
+ srcs: [
+ ":plat_33.0.cil",
+ ":33.0.ignore.cil",
+ ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+ true: [
+ ":system_ext_33.0.cil",
+ ":system_ext_33.0.ignore.cil",
+ ],
+ default: [],
+ }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+ true: [
+ ":product_33.0.cil",
+ ":product_33.0.ignore.cil",
+ ],
+ default: [],
+ }),
+ out: ["33.0_mapping.combined.cil"],
+ cmd: "cat $(location :plat_33.0.cil) " +
+ "$(location :33.0.ignore.cil) " +
+ select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+ true: "$(location :system_ext_33.0.cil) " +
+ "$(location :system_ext_33.0.ignore.cil) ",
+ default: "",
+ }) +
+ select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+ true: "$(location :product_33.0.cil) " +
+ "$(location :product_33.0.ignore.cil) ",
+ default: "",
+ }) +
+ "> $(out)",
+}
+
+genrule {
+ name: "treble_sepolicy_tests_33.0",
+ srcs: [
+ ":33.0_plat_policy.cil",
+ ":33.0_mapping.combined.cil",
+ ] + select((
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ (false, false): [":33.0_plat_pub_policy.cil"],
+ (default, default): [":33.0_product_pub_policy.cil"],
+ }),
+ tools: ["treble_sepolicy_tests"],
+ out: ["treble_sepolicy_tests_33.0"],
+ cmd: select((
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ (false, false): "$(location treble_sepolicy_tests) " +
+ "-b $(location :33.0_plat_pub_policy.cil) " +
+ "-m $(location :33.0_mapping.combined.cil) " +
+ "-o $(location :33.0_plat_policy.cil) && " +
+ "touch $(out)",
+ (default, default): "$(location treble_sepolicy_tests) " +
+ "-b $(location :33.0_product_pub_policy.cil) " +
+ "-m $(location :33.0_mapping.combined.cil) " +
+ "-o $(location :33.0_plat_policy.cil) && " +
+ "touch $(out)",
+ }),
+}
+
+genrule {
+ name: "34.0_mapping.combined.cil",
+ srcs: [
+ ":plat_34.0.cil",
+ ":34.0.ignore.cil",
+ ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+ true: [
+ ":system_ext_34.0.cil",
+ ":system_ext_34.0.ignore.cil",
+ ],
+ default: [],
+ }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+ true: [
+ ":product_34.0.cil",
+ ":product_34.0.ignore.cil",
+ ],
+ default: [],
+ }),
+ out: ["34.0_mapping.combined.cil"],
+ cmd: "cat $(location :plat_34.0.cil) " +
+ "$(location :34.0.ignore.cil) " +
+ select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+ true: "$(location :system_ext_34.0.cil) " +
+ "$(location :system_ext_34.0.ignore.cil) ",
+ default: "",
+ }) +
+ select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+ true: "$(location :product_34.0.cil) " +
+ "$(location :product_34.0.ignore.cil) ",
+ default: "",
+ }) +
+ "> $(out)",
+}
+
+genrule {
+ name: "treble_sepolicy_tests_34.0",
+ srcs: [
+ ":34.0_plat_policy.cil",
+ ":34.0_mapping.combined.cil",
+ ] + select((
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ (false, false): [":34.0_plat_pub_policy.cil"],
+ (default, default): [":34.0_product_pub_policy.cil"],
+ }),
+ tools: ["treble_sepolicy_tests"],
+ out: ["treble_sepolicy_tests_34.0"],
+ cmd: select((
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ (false, false): "$(location treble_sepolicy_tests) " +
+ "-b $(location :34.0_plat_pub_policy.cil) " +
+ "-m $(location :34.0_mapping.combined.cil) " +
+ "-o $(location :34.0_plat_policy.cil) && " +
+ "touch $(out)",
+ (default, default): "$(location treble_sepolicy_tests) " +
+ "-b $(location :34.0_product_pub_policy.cil) " +
+ "-m $(location :34.0_mapping.combined.cil) " +
+ "-o $(location :34.0_plat_policy.cil) && " +
+ "touch $(out)",
+ }),
+}
+
+genrule {
+ name: "202404_mapping.combined.cil",
+ srcs: select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+ "202404": [
+ ],
+ default: [
+ ":plat_202404.cil",
+ ":202404.ignore.cil",
+ ],
+ }) + select((
+ soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ ), {
+ ("202404", true): [],
+ ("202404", default): [],
+ (default, true): [
+ ":system_ext_202404.cil",
+ ":system_ext_202404.ignore.cil",
+ ],
+ (default, default): [],
+ }) + select((
+ soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ ("202404", true): [],
+ ("202404", default): [],
+ (default, true): [
+ ":product_202404.cil",
+ ":product_202404.ignore.cil",
+ ],
+ (default, default): [],
+ }),
+ out: ["202404_mapping.combined.cil"],
+ cmd: select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+ "202404": "touch $(out)",
+ default: "cat $(in) > $(out)",
+ }),
+}
+
+genrule {
+ name: "treble_sepolicy_tests_202404",
+ srcs: [
+ ":202404_plat_policy.cil",
+ ":202404_mapping.combined.cil",
+ ] + select((
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ (false, false): [":202404_plat_pub_policy.cil"],
+ (default, default): [":202404_product_pub_policy.cil"],
+ }),
+ tools: ["treble_sepolicy_tests"],
+ out: ["treble_sepolicy_tests_202404"],
+ cmd: select((
+ soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+ soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+ soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+ ), {
+ ("202404", false, false): "touch $(out)",
+ ("202404", default, default): "touch $(out)",
+ (default, false, false): "$(location treble_sepolicy_tests) " +
+ "-b $(location :202404_plat_pub_policy.cil) " +
+ "-m $(location :202404_mapping.combined.cil) " +
+ "-o $(location :202404_plat_policy.cil) && " +
+ "touch $(out)",
+ (default, default, default): "$(location treble_sepolicy_tests) " +
+ "-b $(location :202404_product_pub_policy.cil) " +
+ "-m $(location :202404_mapping.combined.cil) " +
+ "-o $(location :202404_plat_policy.cil) && " +
+ "touch $(out)",
+ }),
+}