API flagging macro until/starting_at for private and public
- Applies the starting_at_board_api macro also to private types
- Add a macro complementary to the starting_at_board_api macro to write rules if
the board api level is lower than the specified api
(Re-land of aosp/3229062 without proc_compaction_proactiveness.
Cause: b/363981334)
Bug: 356832676
Bug: 358516352
Change-Id: I923d26ac581da3b947f8e8dde0db993e3bb637ba
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4476f94..29685ea 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -225,17 +225,7 @@
}
func (c *policyConf) boardApiLevel(ctx android.ModuleContext) string {
- level := proptools.StringDefault(c.properties.Board_api_level, "system")
-
- if level == "system" {
- // aribtrary value greater than any other vendor API levels
- return "1000000"
- } else if level == "vendor" {
- return ctx.Config().VendorApiLevel()
- } else {
- return level
- }
-
+ return ctx.Config().VendorApiLevel()
}
func findPolicyConfOrder(name string) int {
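Review bot: `boardApiLevel` no longer reads `c.properties.Board_api_level`, so any module that still sets that property now has the value silently ignored. If the property is still declared in the properties struct (outside this hunk), it should be removed in the same change or documented as having no effect. The removed branch also returned `1000000` for the "system" default, so policy that used to have every `starting_at_board_api` block enabled is now gated by the vendor API level as well. A doc comment would make that explicit, e.g. `// boardApiLevel returns the vendor API level; platform and vendor policy are gated by the same value.`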
diff --git a/flagging/flagging_macros b/flagging/flagging_macros
index baf26c3..44cd33a 100644
--- a/flagging/flagging_macros
+++ b/flagging/flagging_macros
@@ -9,16 +9,15 @@
define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')')
####################################
-# starting_at_board_api(api_level, rules)
+# starting_at_board_api(api_level, rules_if_api_level)
#
-# This macro conditionally exposes SELinux rules within system/sepolicy/public,
-# ensuring they are available to vendors only when the board API level is at or
-# above the specified 'api_level'.
-#
-# * Platform sepolicy: Rules are always enabled, regardless of API level.
-# * Vendor sepolicy: Rules are enabled only when the board API level meets or
-# exceeds the value provided in 'api_level'.
-#
-# Apply this macro to public types and attributes (in system/sepolicy/public) to
-# restrict vendor access based on board API level.
+# This macro conditionally exposes SELinux rules ensuring they are available
+# only when the board API level is at or above the specified 'api_level'.
define(`starting_at_board_api', `ifelse(eval(target_board_api_level >= $1), 1, `$2')')
+
+####################################
+# until_board_api(api_level, rules_if_lower_api_level)
+#
+# This macro conditionally exposes SELinux rules ensuring they are available
+# only when the board API level is below the specified 'api_level'.
+define(`until_board_api', `ifelse(eval(target_board_api_level < $1), 1, `$2')')
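Review bot: Neither `starting_at_board_api` nor `until_board_api` handles a `target_board_api_level` that is undefined or not an integer. In that case `eval` should produce no value (GNU m4 reports a bad expression, as far as I know), so both `ifelse` calls would expand to nothing and the wrapped rules would be dropped from both sides instead of landing in exactly one. The new header comments also lose the old explanation of where the macro applies. They could state the precondition and the pairing, for example `# Requires target_board_api_level to be defined as an integer; pair with until_board_api using the same api_level.`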
diff --git a/private/file.te b/private/file.te
index 038e899..3cb8d18 100644
--- a/private/file.te
+++ b/private/file.te
@@ -213,3 +213,30 @@
# /data/misc_ce/userId/storage_area_keys
type storage_area_key_file, file_type, data_file_type, core_data_file_type;
+
+
+# Types added in 202504 in public/file.te
+until_board_api(202504, `
+ type binderfs_logs_transactions, fs_type;
+ type binderfs_logs_transaction_history, fs_type;
+')
+
+until_board_api(202504, `
+ type proc_cgroups, fs_type, proc_type;
+')
+
+until_board_api(202504, `
+ type sysfs_udc, fs_type, sysfs_type;
+')
+
+until_board_api(202504, `
+ type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
+ type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
+')
+
+until_board_api(202504, `
+ # boot otas for 16KB developer option
+ type vendor_boot_ota_file, vendor_file_type, file_type;
+')
+## END Types added in 202504 in public/file.te
+
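Review bot: Each `type` line wrapped in `until_board_api(202504, ...)` is a second copy of a declaration that, per the comment, also lives in public/file.te, and nothing in this hunk ties the two copies together. If the attribute lists ever differ, the type would carry different attributes depending on the board API level, which changes which attribute-based rules and neverallow checks apply to it. public/file.te is not visible here, so whether the copies currently match cannot be confirmed from this page. A comment such as `# Keep attribute lists identical to the 202504 declarations in public/file.te; remove once 202504 is the minimum board API` would help. The same applies to the `until_board_api` blocks added in private/property.te and private/service.te.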
diff --git a/private/property.te b/private/property.te
index 7c2d6d1..54565f9 100644
--- a/private/property.te
+++ b/private/property.te
@@ -79,6 +79,12 @@
system_restricted_prop(persist_sysui_ranking_update_prop)
system_restricted_prop(page_size_prop)
+# These types will be public starting at board api 202504
+until_board_api(202504, `
+ system_restricted_prop(enable_16k_pages_prop)
+ system_restricted_prop(profcollectd_etr_prop)
+')
+
# Properties which should only be written by vendor_init
system_vendor_config_prop(avf_virtualizationservice_prop)
system_vendor_config_prop(high_barometer_quality_prop)
diff --git a/private/service.te b/private/service.te
index 63259c6..a4d00f3 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,5 +1,10 @@
type adaptive_auth_service, system_server_service, service_manager_type;
type ambient_context_service, app_api_service, system_server_service, service_manager_type;
+
+# These types will be public starting at board api 202504
+until_board_api(202504, `
+ type app_function_service, app_api_service, system_server_service, service_manager_type;
+')
type attention_service, system_server_service, service_manager_type;
type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;