Merge "Allow heapprofd to write to /proc/$PID/page_idle."
diff --git a/Android.bp b/Android.bp
index bf91041..e1b57a5 100644
--- a/Android.bp
+++ b/Android.bp
@@ -109,7 +109,7 @@
 se_cil_compat_map {
     name: "28.0.ignore.cil",
     bottom_half: [":28.0.board.ignore.map"],
-    // top_half: "29.0.ignore.cil",
+    top_half: "29.0.ignore.cil",
 }
 
 se_cil_compat_map {
diff --git a/Android.mk b/Android.mk
index b011da3..a58ecbe 100644
--- a/Android.mk
+++ b/Android.mk
@@ -162,6 +162,11 @@
   with_asan := true
 endif
 
+with_native_coverage := false
+ifeq ($(NATIVE_COVERAGE),true)
+  with_native_coverage := true
+endif
+
 # Library extension for host-side tests
 ifeq ($(HOST_OS),darwin)
 SHAREDLIB_EXT=dylib
@@ -340,23 +345,30 @@
 
 # sepolicy_policy.conf - All of the policy for the device.  This is only used to
 # check neverallow rules.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
+  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
 sepolicy_policy.conf := $(intermediates)/policy.conf
 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
 $(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
-$(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
-$(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
 # sepolicy_policy_2.conf - All of the policy for the device.  This is only used to
 # check neverallow rules using sepolicy-analyze, similar to CTS.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
+  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
 sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
 $(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -364,12 +376,11 @@
 $(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
 $(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
-$(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
-$(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy_2.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
@@ -402,16 +413,19 @@
 # the compilation of public policy and subsequent removal of CIL policy that
 # should not be exported.
 
+policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
 reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
 $(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
+$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(reqd_policy_mask.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 # b/37755687
 CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
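Review bot: `policy_files` is now a file-scope scratch variable that is overwritten before every policy.conf rule in this file, and the pattern is only safe because both the prerequisite list `$(policy_files) $(M4)` and the target-specific `PRIVATE_POLICY_FILES := $(policy_files)` are expanded immediately at parse time; a recursive `=` on that assignment would make every rule see whichever assignment came last. A comment at the first use would guard that invariant, e.g. `# policy_files is reused by each .conf rule below; keep the PRIVATE_* copy simply-expanded (:=).`. Clearing it after the last rule (`policy_files :=`) alongside the other temporaries this file already resets would match the surrounding convention. The reason `$(M4)` is a prerequisite (so the prebuilt tool is built before any recipe that runs it) is also worth a one-line comment, since it is what forces the recipes to stop using `$^`.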
@@ -430,17 +444,20 @@
 # policy that would not compile in checkpolicy on its own.  To get around this
 # limitation, add only the required files from private policy, which will
 # generate CIL policy that will then be filtered out by the reqd_policy_mask.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
 pub_policy.conf := $(intermediates)/pub_policy.conf
 $(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(pub_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 pub_policy.cil := $(intermediates)/pub_policy.cil
 $(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf)
@@ -455,17 +472,20 @@
 pub_policy.conf :=
 
 ##################################
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
 plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
 $(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(plat_pub_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 
 plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
@@ -493,17 +513,20 @@
 # plat_policy.conf - A combination of the private and public platform policy
 # which will ship with the device.  The platform will always reflect the most
 # recent platform version and is not currently being attributized.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 plat_policy.conf := $(intermediates)/plat_policy.conf
 $(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
@@ -535,17 +558,20 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 # userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf
 $(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
 $(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(userdebug_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(userdebug_plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
@@ -578,18 +604,21 @@
 
 # product_policy.conf - A combination of the private and public product policy
 # which will ship with the device. Product policy is not attributized.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
 product_policy.conf := $(intermediates)/product_policy.conf
 $(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(product_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
-$(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(product_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
@@ -719,18 +748,21 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
+  $(BOARD_VENDOR_SEPOLICY_DIRS))
 vendor_policy.conf := $(intermediates)/vendor_policy.conf
 $(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(vendor_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
-$(BOARD_VENDOR_SEPOLICY_DIRS))
+$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(vendor_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
@@ -769,18 +801,21 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
+  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
 odm_policy.conf := $(intermediates)/odm_policy.conf
 $(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(odm_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-  $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
-  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(odm_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
@@ -986,19 +1021,22 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
+  $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
+  $(BOARD_ODM_SEPOLICY_DIRS))
 sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
 $(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
-$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
-                           $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
-                           $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
-                           $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
-                           $(BOARD_ODM_SEPOLICY_DIRS))
+$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy.recovery.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
@@ -1036,6 +1074,8 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
@@ -1044,8 +1084,8 @@
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
 $(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
 $(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
+$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
@@ -1098,9 +1138,10 @@
 endif
 
 file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
-$(file_contexts.local.tmp): $(local_fc_files)
+$(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files)
+$(file_contexts.local.tmp): $(local_fc_files) $(M4)
 	@mkdir -p $(dir $@)
-	$(hide) m4 --fatal-warnings -s $^ > $@
+	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_FC_FILES) > $@
 
 device_fc_files := $(call build_vendor_policy, file_contexts)
 
@@ -1110,9 +1151,10 @@
 
 file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
 $(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(file_contexts.device.tmp): $(device_fc_files)
+$(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files)
+$(file_contexts.device.tmp): $(device_fc_files) $(M4)
 	@mkdir -p $(dir $@)
-	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@
 
 file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
 $(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
@@ -1123,9 +1165,10 @@
 	$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@
 
 file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
-$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
+$(file_contexts.concat.tmp): PRIVATE_CONTEXTS := $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
+$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) $(M4)
 	@mkdir -p $(dir $@)
-	$(hide) m4 --fatal-warnings -s $^ > $@
+	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_CONTEXTS) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@@ -1183,9 +1226,9 @@
 vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
 $(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
 $(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vndservice_contexts.tmp): $(vnd_svcfiles)
+$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4)
 	@mkdir -p $(dir $@)
-	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1233,6 +1276,8 @@
 # to enable partners to add their own compatibility mapping
 BASE_PLAT_PUBLIC_POLICY := $(filter-out $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR), $(PLAT_PUBLIC_POLICY))
 BASE_PLAT_PRIVATE_POLICY := $(filter-out $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR), $(PLAT_PRIVATE_POLICY))
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(BASE_PLAT_PUBLIC_POLICY) $(BASE_PLAT_PRIVATE_POLICY))
 base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
 $(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1242,8 +1287,8 @@
 $(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(BASE_PLAT_PUBLIC_POLICY) $(BASE_PLAT_PRIVATE_POLICY))
+$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
@@ -1261,6 +1306,8 @@
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
 
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(BASE_PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
 base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf
 $(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1270,8 +1317,8 @@
 $(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(BASE_PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_plat_pub_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 
 base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 592975d..642c61c 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -7,6 +7,5 @@
 /bin/profman(d)?               u:object_r:profman_exec:s0
 /bin/linker(64)?               u:object_r:system_linker_exec:s0
 /lib(64)?(/.*)?                u:object_r:system_lib_file:s0
-/etc/tz(/.*)?                  u:object_r:system_zoneinfo_file:s0
 /bin/art_preinstall_hook(.*)?  u:object_r:art_apex_preinstall_exec:s0
 /bin/art_postinstall_hook(.*)? u:object_r:art_apex_postinstall_exec:s0
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.runtime.release-file_contexts
index 286d698..29c5c1f 100644
--- a/apex/com.android.runtime.release-file_contexts
+++ b/apex/com.android.runtime.release-file_contexts
@@ -7,4 +7,3 @@
 /bin/profman             u:object_r:profman_exec:s0
 /bin/linker(64)?         u:object_r:system_linker_exec:s0
 /lib(64)?(/.*)?          u:object_r:system_lib_file:s0
-/etc/tz(/.*)?            u:object_r:system_zoneinfo_file:s0
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 632237c..020357a 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -263,7 +263,8 @@
 	rule := android.NewRuleBuilder()
 
 	rule.Command().
-		Text("m4 --fatal-warnings -s").
+		Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
+		Text("--fatal-warnings -s").
 		FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
 		Inputs(inputs).
 		FlagWithOutput("> ", m.outputPath)
diff --git a/definitions.mk b/definitions.mk
index 2ea2b03..1a7d06e 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -2,16 +2,17 @@
 # processed by checkpolicy
 define transform-policy-to-conf
 @mkdir -p $(dir $@)
-$(hide) m4 --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
+$(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
 	-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 	-D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
 	-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 	-D target_arch=$(PRIVATE_TGT_ARCH) \
 	-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+	-D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
 	-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
 	-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
 	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
 	$(PRIVATE_TGT_RECOVERY) \
-	-s $^ > $@
+	-s $(PRIVATE_POLICY_FILES) > $@
 endef
 .KATI_READONLY := transform-policy-to-conf
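Review bot: The new `-D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE)` is passed unconditionally, so any target that does not set that PRIVATE_ variable hands m4 an empty definition; the Android.mk hunks for the CTS policy.conf and the base_plat_*_policy.conf rules do not show the assignment being added, though the lines where it would sit fall outside those hunks. Presumably an empty value behaves like `false` in the policy's m4 conditionals, but making the default explicit in the macro removes the guesswork: `-D target_with_native_coverage=$(if $(PRIVATE_TGT_WITH_NATIVE_COVERAGE),$(PRIVATE_TGT_WITH_NATIVE_COVERAGE),false) \`. The switch from `$^` to `$(PRIVATE_POLICY_FILES)` deserves a comment too, e.g. `# Do not use $^ here: $(M4) is a prerequisite and must not be fed to m4 as input.`, so a future cleanup does not revert it.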
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 86ea9ab..7cb1b98 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -7,14 +7,16 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+all_plat_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
+
 # Build keys.conf
 plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
 $(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+$(plat_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_plat_mac_perms_keys)
+$(plat_mac_perms_keys.tmp): $(all_plat_mac_perms_keys) $(M4)
 	@mkdir -p $(dir $@)
-	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-
-all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
+	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
 
 # Should be synced with keys.conf.
 all_plat_keys := platform media networkstack shared testkey
@@ -27,8 +29,9 @@
 	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
 		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
 
-all_mac_perms_files :=
 all_plat_keys :=
+all_plat_mac_perms_files :=
+all_plat_mac_perms_keys :=
 plat_mac_perms_keys.tmp :=
 
 ##################################
@@ -41,14 +44,16 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+all_product_mac_perms_keys := $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+
 # Build keys.conf
 product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
 $(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+$(product_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_product_mac_perms_keys)
+$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys)
 	@mkdir -p $(dir $@)
-	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-
-all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
 $(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
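Review bot: The product section is inconsistent with the plat, vendor and odm sections in this same file: `PRIVATE_KEYS` is assigned on the `$(product_mac_perms_keys.tmp): PRIVATE_KEYS :=` line but the recipe still expands `$^`, and `$(M4)` is missing from the prerequisite list, so nothing guarantees the prebuilt m4 exists before this recipe runs in a parallel build. Make it match the other three sections: `$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys) $(M4)` and `$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@`. Both lines have to change together: adding `$(M4)` to the prerequisites while keeping `$^` would pass the m4 binary itself to m4 as an input file. The `$(LOCAL_BUILT_MODULE)` rule at the end of the hunk continues past it.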
@@ -58,6 +63,7 @@
 
 product_mac_perms_keys.tmp :=
 all_product_mac_perms_files :=
+all_product_mac_perms_keys :=
 
 ##################################
 include $(CLEAR_VARS)
@@ -69,14 +75,16 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
 # Build keys.conf
 vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
 $(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+$(vendor_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_vendor_mac_perms_keys)
+$(vendor_mac_perms_keys.tmp): $(all_vendor_mac_perms_keys) $(M4)
 	@mkdir -p $(dir $@)
-	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-
-all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
 $(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
@@ -86,6 +94,7 @@
 
 vendor_mac_perms_keys.tmp :=
 all_vendor_mac_perms_files :=
+all_vendor_mac_perms_keys :=
 
 ##################################
 include $(CLEAR_VARS)
@@ -97,14 +106,16 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+all_odm_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
 # Build keys.conf
 odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp
 $(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(odm_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+$(odm_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_odm_mac_perms_keys)
+$(odm_mac_perms_keys.tmp): $(all_odm_mac_perms_keys) $(M4)
 	@mkdir -p $(dir $@)
-	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-
-all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
 $(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
index 796321a..7219d42 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
@@ -131,6 +131,7 @@
     task_profiles_file
     testharness_service
     test_harness_prop
+    theme_prop
     time_prop
     timedetector_service
     timezonedetector_service
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 037a7d5..d2d0209 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -169,7 +169,7 @@
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.
diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
index abb83ed..b453414 100644
--- a/prebuilts/api/29.0/private/property_contexts
+++ b/prebuilts/api/29.0/private/property_contexts
@@ -59,6 +59,7 @@
 persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
+persist.sys.theme       u:object_r:theme_prop:s0
 persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
diff --git a/prebuilts/api/29.0/private/system_app.te b/prebuilts/api/29.0/private/system_app.te
index e8627151..9ed1d36 100644
--- a/prebuilts/api/29.0/private/system_app.te
+++ b/prebuilts/api/29.0/private/system_app.te
@@ -24,6 +24,12 @@
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
+# Access to apex files stored on /data (b/136063500)
+# Needed so that Settings can access NOTICE files inside apex
+# files located in the assets/ directory.
+allow system_app apex_data_file:dir search;
+allow system_app staging_data_file:file r_file_perms;
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index 781bb18..f048814 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -574,6 +574,7 @@
 set_prop(system_server, exported2_system_prop)
 set_prop(system_server, exported3_system_prop)
 set_prop(system_server, safemode_prop)
+set_prop(system_server, theme_prop)
 set_prop(system_server, dhcp_prop)
 set_prop(system_server, net_radio_prop)
 set_prop(system_server, net_dns_prop)
@@ -1017,7 +1018,7 @@
 # needs these privileges to compare file signatures while processing installs.
 #
 # Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:dir { getattr search };
 allow system_server apex_data_file:file r_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
diff --git a/prebuilts/api/29.0/public/property.te b/prebuilts/api/29.0/public/property.te
index 3ccaad7..e166c00 100644
--- a/prebuilts/api/29.0/public/property.te
+++ b/prebuilts/api/29.0/public/property.te
@@ -83,6 +83,7 @@
 type system_trace_prop, property_type;
 type test_boot_reason_prop, property_type;
 type test_harness_prop, property_type;
+type theme_prop, property_type;
 type time_prop, property_type;
 type traced_enabled_prop, property_type;
 type traced_lazy_prop, property_type;
@@ -457,6 +458,7 @@
     -system_trace_prop
     -test_boot_reason_prop
     -test_harness_prop
+    -theme_prop
     -time_prop
     -traced_enabled_prop
     -traced_lazy_prop
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 5930191..e969aaf 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -157,6 +157,7 @@
 apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
 persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
+persist.sys.theme u:object_r:theme_prop:s0 exact string
 persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
 sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
 sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
diff --git a/prebuilts/api/29.0/public/vendor_init.te b/prebuilts/api/29.0/public/vendor_init.te
index da4dddc..375673c 100644
--- a/prebuilts/api/29.0/public/vendor_init.te
+++ b/prebuilts/api/29.0/public/vendor_init.te
@@ -247,6 +247,7 @@
 
 get_prop(vendor_init, exported2_radio_prop)
 get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, theme_prop)
 
 ###
 ### neverallow rules
diff --git a/private/apexd.te b/private/apexd.te
index d0ec9f4..14778b2 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -80,6 +80,9 @@
 # not covered by rollback manager.
 set_prop(apexd, powerctl_prop)
 
+# Allow apexd to stop itself
+set_prop(apexd, ctl_apexd_prop)
+
 # Find the vold service, and call into vold to manage FS checkpoints
 allow apexd vold_service:service_manager find;
 binder_call(apexd, vold)
diff --git a/private/atrace.te b/private/atrace.te
index 75be787..2545c8b 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -55,6 +55,7 @@
   allow atrace hwservicemanager:hwservice_manager list;
   # Notify the camera HAL.
   hal_client_domain(atrace, hal_camera)
+  hal_client_domain(atrace, hal_vibrator)
 ')
 
 # Remove logspam from notification attempts to non-whitelisted services.
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 293d97d..c005a14 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -34,6 +34,7 @@
     color_display_service
     content_capture_service
     crossprofileapps_service
+    ctl_apexd_prop
     ctl_interface_restart_prop
     ctl_interface_start_prop
     ctl_interface_stop_prop
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index fbc241a..7d2f8dd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -32,6 +32,7 @@
     color_display_service
     content_capture_service
     crossprofileapps_service
+    ctl_apexd_prop
     ctl_interface_restart_prop
     ctl_interface_start_prop
     ctl_interface_stop_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 4d32997..66caf4b 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -33,6 +33,7 @@
     content_capture_service
     content_suggestions_service
     cpu_variant_prop
+    ctl_apexd_prop
     ctl_gsid_prop
     dev_cpu_variant
     device_config_activity_manager_native_boot_prop
@@ -134,6 +135,7 @@
     task_profiles_file
     testharness_service
     test_harness_prop
+    theme_prop
     time_prop
     timedetector_service
     timezonedetector_service
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 56457a6..225b582 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,8 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    cold_boot_done_prop
+    ctl_apexd_prop
     device_config_sys_traced_prop
     runtime_apex_dir
     system_ashmem_hwservice
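Review bot: `cold_boot_done_prop` is added only to this 29.0 ignore map, whereas `ctl_apexd_prop` from the same commit is added to 26.0, 27.0, 28.0 and 29.0 alike; the two new property types are introduced at the same point in public/property.te, so their treatment in the compat maps should match. If the maps are chained so that 29.0 entries are inherited by the older ones, the 26.0/27.0/28.0 `ctl_apexd_prop` lines are redundant; if they are not, `cold_boot_done_prop` is missing from those three files and the compat tests for older vendor images will flag it as an unmapped new type. Either way one of the two patterns should be picked and a short comment in the commit message should say which chain applies.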
diff --git a/private/domain.te b/private/domain.te
index 037a7d5..d2d0209 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -169,7 +169,7 @@
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.
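Review bot: Exempting system_app from the `staging_data_file:file *` neverallow lifts the invariant for every access vector, while the matching grant in private/system_app.te is read-only (`r_file_perms`) for Settings' NOTICE files. A narrower companion rule keeps the write side of the invariant intact: `neverallow system_app staging_data_file:file ~r_file_perms;`. The same relaxation is mirrored in prebuilts/api/29.0/private/domain.te and would need the same companion there.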
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2a8f7ad..3ad0edb 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -214,6 +214,7 @@
 genfscon tracefs /events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0
@@ -255,6 +256,7 @@
 genfscon debugfs /tracing/events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index d077926..b907040 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -97,6 +97,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
diff --git a/private/logd.te b/private/logd.te
index 321727b..ca92e20 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -8,6 +8,7 @@
   file_type
   -runtime_event_log_tags_file
   userdebug_or_eng(`-coredump_file -misc_logd_file')
+  with_native_coverage(`-method_trace_data_file')
 }:file { create write append };
 
 # protect the event-log-tags file
diff --git a/private/logpersist.te b/private/logpersist.te
index 8cdbd2d..4187627 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -19,6 +19,10 @@
 ')
 
 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
-neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
+neverallow logpersist {
+  file_type
+  userdebug_or_eng(`-misc_logd_file -coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file { create write append };
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/private/perfetto.te b/private/perfetto.te
index d1e2b13..419c4b9 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -74,8 +74,14 @@
   -vendor_data_file
   -zoneinfo_data_file
   -perfetto_traces_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
 neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
 neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;
+neverallow perfetto {
+  data_file_type
+  -zoneinfo_data_file
+  -perfetto_traces_data_file
+  with_native_coverage(`-method_trace_data_file')
+}:file ~write;
diff --git a/private/property_contexts b/private/property_contexts
index dd08c32..520383d 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,7 @@
 persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
+persist.sys.theme       u:object_r:theme_prop:s0
 persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
@@ -135,6 +136,9 @@
 ctl.stop$gsid           u:object_r:ctl_gsid_prop:s0
 ctl.restart$gsid        u:object_r:ctl_gsid_prop:s0
 
+# Restrict access to stopping apexd.
+ctl.stop$apexd          u:object_r:ctl_apexd_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0
 
@@ -199,3 +203,6 @@
 # Property for disabling NNAPI vendor extensions on product image (used on GSI /product image,
 # which can't use NNAPI vendor extensions).
 ro.nnapi.extensions.deny_on_product                u:object_r:nnapi_ext_deny_product_prop:s0
+
+# Property that is set once ueventd finishes cold boot.
+ro.cold_boot_done       u:object_r:cold_boot_done_prop:s0
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
index 2d244fd..7cb2e67 100644
--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@@ -3,4 +3,9 @@
 init_daemon_domain(recovery_persist)
 
 # recovery_persist is not allowed to write anywhere other than recovery_data_file
-neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_persist {
+  file_type
+  -recovery_data_file
+  userdebug_or_eng(`-coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
index b6cd56f..3c095cc 100644
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -3,4 +3,8 @@
 init_daemon_domain(recovery_refresh)
 
 # recovery_refresh is not allowed to write anywhere
-neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_refresh {
+  file_type
+  userdebug_or_eng(`-coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/private/system_app.te b/private/system_app.te
index e8627151..9ed1d36 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -24,6 +24,12 @@
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
+# Access to apex files stored on /data (b/136063500)
+# Needed so that Settings can access NOTICE files inside apex
+# files located in the assets/ directory.
+allow system_app apex_data_file:dir search;
+allow system_app staging_data_file:file r_file_perms;
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 
diff --git a/private/system_server.te b/private/system_server.te
index 3549353..df87794 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -280,12 +280,15 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
   hal_omx_server
+  hal_power_stats_server
   hal_sensors_server
   hal_vr_server
+  system_suspend_server
 }:process { signal };
 
 # Use sockets received over binder from various services.
@@ -573,6 +576,7 @@
 set_prop(system_server, exported2_system_prop)
 set_prop(system_server, exported3_system_prop)
 set_prop(system_server, safemode_prop)
+set_prop(system_server, theme_prop)
 set_prop(system_server, dhcp_prop)
 set_prop(system_server, net_radio_prop)
 set_prop(system_server, net_dns_prop)
@@ -1019,7 +1023,7 @@
 # needs these privileges to compare file signatures while processing installs.
 #
 # Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:dir { getattr search };
 allow system_server apex_data_file:file r_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
diff --git a/private/traced.te b/private/traced.te
index 1e2d7d6..2d7d07f 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -66,6 +66,7 @@
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
   -zoneinfo_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced { system_data_file }:dir ~{ getattr search };
 neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
@@ -75,6 +76,7 @@
   -zoneinfo_data_file
   -perfetto_traces_data_file
   -trace_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:file ~write;
 
 # Only init is allowed to enter the traced domain via exec()
diff --git a/private/traced_probes.te b/private/traced_probes.te
index d8d573a..8746c34 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -111,11 +111,17 @@
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
   -zoneinfo_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
 neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file }:file *;
+neverallow traced_probes {
+  data_file_type
+  -zoneinfo_data_file
+  -packages_list_file
+  with_native_coverage(`-method_trace_data_file')
+}:file *;
 
 # Only init is allowed to enter the traced_probes domain via exec()
 neverallow { domain -init } traced_probes:process transition;
diff --git a/private/zygote.te b/private/zygote.te
index 0466372..cf5a7a3 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -3,6 +3,7 @@
 typeattribute zygote mlstrustedsubject;
 
 init_daemon_domain(zygote)
+tmpfs_domain(zygote)
 
 read_runtime_log_tags(zygote)
 
@@ -51,6 +52,8 @@
 
 # Allow zygote to create JIT memory.
 allow zygote self:process execmem;
+allow zygote zygote_tmpfs:file execute;
+allow zygote ashmem_device:chr_file execute;
 
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
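Review bot: The two execute grants added after `allow zygote self:process execmem;` sit under the comment "Allow zygote to create JIT memory", which does not say why file-backed executable mappings of zygote's own tmpfs files and of ashmem_device are now needed in addition to anonymous execmem. Since `tmpfs_domain(zygote)` in the first hunk is what introduces the zygote_tmpfs type, the comment should name the consumer, e.g. `# JIT code cache pages may be backed by zygote's own tmpfs (memfd) or ashmem; execute lets them be mapped PROT_EXEC.` if that is the reason — confirm against the runtime change that motivated it. Recording it here matters because execute on file-backed memory is the kind of grant a later W^X audit will want to trace to a specific need.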
diff --git a/public/domain.te b/public/domain.te
index 6c23f6c..a914aaf 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -51,6 +51,12 @@
   allow domain coredump_file:dir ra_dir_perms;
 ')
 
+with_native_coverage(`
+  # Allow writing coverage information to /data/misc/trace
+  allow domain method_trace_data_file:dir create_dir_perms;
+  allow domain method_trace_data_file:file create_file_perms;
+')
+
 # Root fs.
 allow domain tmpfs:dir { getattr search };
 allow domain rootfs:dir search;
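Review bot: The new with_native_coverage block gives every domain create/write rights on method_trace_data_file, and the `-method_trace_data_file` exemptions in the later hunks of this file (and in logd.te, logpersist.te, perfetto.te, traced.te, traced_probes.te, recovery*.te, hal_configstore.te, mediaextractor.te) carve that directory out of the vendor and data-file neverallows, i.e. a directory writable by all processes. That is acceptable only because `with_native_coverage` in public/te_macros expands inside userdebug_or_eng; the comment here should say so, e.g. `# Coverage builds only (with_native_coverage implies userdebug_or_eng): every domain writes its profile here.` so a reader does not take the domain-wide write grant as shippable policy.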
@@ -847,6 +853,7 @@
     # These functions are considered vndk-stable and thus must be allowed for
     # all processes.
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
     vendor_init
@@ -855,6 +862,7 @@
     core_data_file_type
     -unencrypted_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
@@ -873,6 +881,7 @@
     -system_data_file # default label for files on /data. Covered below...
     -vendor_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:dir *;
   neverallow {
     vendor_init
@@ -883,6 +892,7 @@
     -system_data_file
     -vendor_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:dir *;
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 614e1b8..6a50f87 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -79,6 +79,7 @@
   hal_bluetooth_server
   hal_camera_server
   hal_drm_server
+  hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
@@ -88,6 +89,7 @@
   hal_sensors_server
   hal_thermal_server
   hal_vr_server
+  system_suspend_server
 }:process signal;
 
 # Connect to tombstoned to intercept dumps.
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 8fe6bbe..1a95b72 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -42,6 +42,7 @@
   -anr_data_file # for crash dump collection
   -tombstone_data_file # for crash dump collection
   -zoneinfo_data_file # granted to domain
+  with_native_coverage(`-method_trace_data_file')
 }:{ file fifo_file sock_file } *;
 
 # Should never need sdcard access
diff --git a/public/kernel.te b/public/kernel.te
index 99ad014..46864b8 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -106,6 +106,9 @@
   allow kernel rootfs:file execute;
 ')
 
+# required by VTS lidbm unit test
+allow kernel appdomain_tmpfs:file read;
+
 ###
 ### neverallow rules
 ###
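Review bot: The comment on the new grant reads `# required by VTS lidbm unit test`, where "lidbm" looks like a typo (possibly "libdm" — confirm), and it does not say what the kernel domain actually reads from app tmpfs files. A grant from kernel to appdomain_tmpfs is broad enough that the comment should name the mechanism, e.g. `# required by the VTS <name> unit test: the kernel reads an app-created tmpfs file as the backing store for <device> — confirm`, so a later reader can tell whether the rule is still needed when the test changes.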
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index c9ff732..c5138a9 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -75,4 +75,5 @@
   data_file_type
   -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
   userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+  with_native_coverage(`-method_trace_data_file')
 }:file open;
diff --git a/public/property.te b/public/property.te
index 8cb19fb..67aa55d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -6,10 +6,12 @@
 type bluetooth_prop, property_type;
 type bpf_progs_loaded_prop, property_type;
 type bootloader_boot_reason_prop, property_type;
+type cold_boot_done_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
 type cpu_variant_prop, property_type;
 type ctl_adbd_prop, property_type;
+type ctl_apexd_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_bugreport_prop, property_type;
 type ctl_console_prop, property_type;
@@ -84,6 +86,7 @@
 type system_trace_prop, property_type;
 type test_boot_reason_prop, property_type;
 type test_harness_prop, property_type;
+type theme_prop, property_type;
 type time_prop, property_type;
 type traced_enabled_prop, property_type;
 type traced_lazy_prop, property_type;
@@ -361,9 +364,11 @@
     -bootloader_boot_reason_prop
     -boottime_prop
     -bpf_progs_loaded_prop
+    -cold_boot_done_prop
     -config_prop
     -cppreopt_prop
     -ctl_adbd_prop
+    -ctl_apexd_prop
     -ctl_bootanim_prop
     -ctl_bugreport_prop
     -ctl_console_prop
@@ -459,6 +464,7 @@
     -system_trace_prop
     -test_boot_reason_prop
     -test_harness_prop
+    -theme_prop
     -time_prop
     -traced_enabled_prop
     -traced_lazy_prop
diff --git a/public/property_contexts b/public/property_contexts
index 5930191..ecc2610 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -135,8 +135,6 @@
 ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
 ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
-ro.url.legal u:object_r:exported3_default_prop:s0 exact string
-ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
 ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
@@ -157,6 +155,7 @@
 apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
 persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
+persist.sys.theme u:object_r:theme_prop:s0 exact string
 persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
 sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
 sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
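Review bot: The two `ro.url.legal*` removals at the top of this file section are not mirrored in prebuilts/api/29.0/public/property_contexts, even though both files start from the same blob (`index 5930191`), so the 29.0 snapshot and the live public policy now diverge by exactly those lines. If the prebuilt is meant to track the public policy until it is frozen, drop them there too; otherwise the commit message should state that the divergence is intentional. The removal itself changes which label those properties resolve to via whatever prefix entry remains, which the hunk does not explain.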
diff --git a/public/recovery.te b/public/recovery.te
index d5d16a2..2b77bc3 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -162,9 +162,11 @@
    data_file_type
    -cache_file
    -cache_recovery_file
+  with_native_coverage(`-method_trace_data_file')
 }:file { no_w_file_perms no_x_file_perms };
 neverallow recovery {
    data_file_type
    -cache_file
    -cache_recovery_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir no_w_dir_perms;
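Review bot: The two added `with_native_coverage(`-method_trace_data_file')` lines are indented with two spaces while the surrounding members of both neverallow sets (`data_file_type`, `-cache_file`, `-cache_recovery_file`) use three, so the new lines visibly break the column alignment of each block. Indent them to match the existing three-space members in this file.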
diff --git a/public/te_macros b/public/te_macros
index 777f481..1187320 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -510,6 +510,12 @@
 define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
 
 #####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
 # Build-time-only test
 # SELinux rules which are verified during build, but not as part of *TS testing.
 #
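Review bot: The header comment for the new macro says the rules "apply only to builds with native coverage", but the definition additionally wraps `$1` in userdebug_or_eng, exactly as `with_asan` on the line above does, so coverage rules are never active on user builds. That is the property everything downstream relies on, so state it in the comment, e.g. `# SELinux rules which apply only to userdebug/eng builds with native coverage (mirrors with_asan)`.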
@@ -707,3 +713,13 @@
   neverallow heapprofd $1:file read;
   neverallow heapprofd $1:process signal;
 ')
+
+###########################################
+# dump_hal(hal_type)
+# Ability to dump the hal debug info
+#
+define(`dump_hal', `
+  hal_client_domain(dumpstate, $1);
+  allow $1_server dumpstate:fifo_file write;
+  allow $1_server dumpstate:fd use;
+')
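Review bot: `hal_client_domain(dumpstate, $1);` carries a trailing semicolon after a macro invocation, unlike every other invocation in this diff (e.g. `hal_client_domain(atrace, hal_vibrator)` in private/atrace.te); if the expansion already ends with a terminated rule the extra `;` is at best redundant, so confirm checkpolicy accepts it or drop it for consistency. No caller of `dump_hal` appears in this change, so the header should also say which dumpstate section is expected to use it, e.g. `# dump_hal(hal_type): let dumpstate call the HAL's debug interface and let the HAL server write into the fd/fifo dumpstate passes it.`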
diff --git a/public/ueventd.te b/public/ueventd.te
index 98e3bda..4c80c90 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -59,17 +59,14 @@
 allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
 allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
 
+# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
+# to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)
+
 #####
 ##### neverallow rules
 #####
 
-# ueventd must never set properties, otherwise deadlocks may occur.
-# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
-# No writing to the property socket, connecting to init, or setting properties.
-neverallow ueventd property_socket:sock_file write;
-neverallow ueventd init:unix_stream_socket connectto;
-neverallow ueventd property_type:property_service set;
-
 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
 
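Review bot: The removed `neverallow ueventd property_type:property_service set;` can be narrowed instead of dropped, since the grant added above needs exactly one property: `neverallow ueventd { property_type -cold_boot_done_prop }:property_service set;` keeps the deadlock guard the old comment described for every other property. The other two removed lines (property_socket write, connectto init) do have to go because set_prop uses that path, but the new comment should still record why the deadlock concern no longer applies to this single property, e.g. `# Setting ro.cold_boot_done is safe from the deadlock the old neverallow guarded against (see init's handling of this property); all other properties remain blocked below.` — that reasoning is inferred here, confirm it against init.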
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 7114a02..c439ffd 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -248,6 +248,7 @@
 
 get_prop(vendor_init, exported2_radio_prop)
 get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, theme_prop)
 
 ###
 ### neverallow rules
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 39bff10..3d9bca4 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -16,19 +16,22 @@
 # been maintained by our mapping files.
 $(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
 $(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
+policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
 $(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
 $($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
 $($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$($(version)_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
+$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$($(version)_plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
+policy_files :=
 
 built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
 $(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
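Review bot: The new `policy_files :=` assignment is one very long line, while the lines it replaces (the removed `$(call build_policy, ...` prerequisite) wrapped the arguments with `\` continuations; keep that wrapping so the definition stays readable. Reusing the scratch name is safe only because both `PRIVATE_POLICY_FILES := $(policy_files)` and the prerequisite list expand it immediately and the hunk resets it with `policy_files :=` afterwards; a comment on that reset such as `# scratch list consumed above; reset so an outer policy_files is not clobbered` makes the intent explicit for the next file that includes this one.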
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 390ec0b..1fa885d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -66,6 +66,7 @@
 # Same process HALs installed by platform into /vendor
 #
 /(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so     u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so                              u:object_r:same_process_hal_file:s0