Merge "Change sepolicy of virtualizationservice and vfio_handler for VM DTBO" into main
diff --git a/Android.bp b/Android.bp
index b0544cf..3c53931 100644
--- a/Android.bp
+++ b/Android.bp
@@ -753,33 +753,6 @@
}
se_policy_conf {
- name: "base_system_ext_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy +
- system_ext_public_policy +
- system_ext_private_policy,
- build_variant: "user",
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_cil {
- name: "base_system_ext_sepolicy.cil",
- src: ":base_system_ext_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
- system_ext_specific: true,
- installable: false,
- secilc_check: false, // done by se_policy_binary
-}
-
-se_policy_binary {
- name: "base_system_ext_sepolicy",
- srcs: [":base_system_ext_sepolicy.cil"],
- system_ext_specific: true,
- installable: false,
-}
-
-se_policy_conf {
name: "base_product_sepolicy.conf",
srcs: plat_public_policy +
plat_private_policy +
@@ -828,25 +801,6 @@
}
se_policy_conf {
- name: "base_system_ext_pub_policy.conf",
- srcs: plat_public_policy +
- system_ext_public_policy +
- reqd_mask_policy,
- build_variant: "user",
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_cil {
- name: "base_system_ext_pub_policy.cil",
- src: ":base_system_ext_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_conf {
name: "base_product_pub_policy.conf",
srcs: plat_public_policy +
system_ext_public_policy +
@@ -913,7 +867,7 @@
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////
se_freeze_test {
- name: "sepolicy_freeze_test",
+ name: "se_freeze_test",
}
//////////////////////////////////
diff --git a/Android.mk b/Android.mk
index b39ee44..5ce31d2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,13 +1,7 @@
LOCAL_PATH:= $(call my-dir)
-include $(LOCAL_PATH)/definitions.mk
-include $(LOCAL_PATH)/policy_version.mk
-
include $(CLEAR_VARS)
-MLS_SENS=1
-MLS_CATS=1024
-
ifdef BOARD_SEPOLICY_UNION
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif
@@ -73,7 +67,6 @@
HAS_PRODUCT_SEPOLICY_DIR := true
endif
-NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
@@ -81,7 +74,6 @@
$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
It does not work in user builds and using it will \
not stop you from failing CTS.)
-NEVERALLOW_ARG := -N
endif
# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
@@ -170,36 +162,11 @@
endif
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-# CIL files which contain workarounds for current limitation of human-readable
-# module policy language. These files are appended to the CIL files produced
-# from module language files.
-sepolicy_build_cil_workaround_files := technical_debt.cil
-
-my_target_arch := $(TARGET_ARCH)
-ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
- my_target_arch := mips
-endif
-
-intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
-
with_asan := false
ifneq (,$(filter address,$(SANITIZE_TARGET)))
with_asan := true
endif
-with_native_coverage := false
-ifeq ($(NATIVE_COVERAGE),true)
- with_native_coverage := true
-endif
-ifeq ($(CLANG_COVERAGE),true)
- with_native_coverage := true
-endif
-
-treble_sysprop_neverallow := true
-ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
- treble_sysprop_neverallow := false
-endif
-
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -208,16 +175,6 @@
endif
endif
-enforce_sysprop_owner := true
-ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
- enforce_sysprop_owner := false
-endif
-
-enforce_debugfs_restriction := false
-ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
- enforce_debugfs_restriction := true
-endif
-
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -226,13 +183,6 @@
endif
endif
-# Library extension for host-side tests
-ifeq ($(HOST_OS),darwin)
-SHAREDLIB_EXT=dylib
-else
-SHAREDLIB_EXT=so
-endif
-
#################################
include $(CLEAR_VARS)
@@ -306,7 +256,7 @@
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
- sepolicy_freeze_test
+ se_freeze_test
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
@@ -480,16 +430,6 @@
# Policy files are now built with Android.bp. Grab them from intermediate.
# See Android.bp for details of policy files.
#
-built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
-
-ifdef HAS_PRODUCT_SEPOLICY
-built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-endif # ifdef HAS_PRODUCT_SEPOLICY
-
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
@@ -542,6 +482,23 @@
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
+###########################################################
+## Collect file_contexts files into a single tmp file with m4
+##
+## $(1): list of file_contexts files
+## $(2): filename into which file_contexts files are merged
+###########################################################
+
+define _merge-fc-files
+$(2): $(1) $(M4)
+ $(hide) mkdir -p $$(dir $$@)
+ $(hide) $(M4) --fatal-warnings -s $(1) > $$@
+endef
+
+define merge-fc-files
+$(eval $(call _merge-fc-files,$(1),$(2)))
+endef
+
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
@@ -581,11 +538,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
-built_fc := $(LOCAL_BUILT_MODULE)
local_fc_files :=
-local_fcfiles_with_nl :=
device_fc_files :=
-device_fcfiles_with_nl :=
file_contexts.concat.tmp :=
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
@@ -593,45 +547,28 @@
file_contexts.modules.tmp :=
##################################
-
-all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
-all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
-endif
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
-endif
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
-endif
-all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-
-##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
-built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
-built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
-built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy
-
-base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
-base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+ver := $(PLATFORM_SEPOLICY_VERSION)
+ifneq ($(wildcard $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)),)
+# If PLATFORM_SEPOLICY_VERSION is already frozen, use prebuilts for compat test
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_plat_pub_policy.cil)/$(ver)_plat_pub_policy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_product_pub_policy.cil)/$(ver)_product_pub_policy.cil
+else
+# If not, use ToT for compat test
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+endif
+ver :=
$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
$(eval version_under_treble_tests := $(v)) \
$(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
)
-built_plat_sepolicy :=
-built_system_ext_sepolicy :=
-built_product_sepolicy :=
base_plat_pub_policy.cil :=
-base_system_ext_pub_polcy.cil :=
base_product_pub_policy.cil :=
-all_fc_files :=
-all_fc_args :=
#################################
@@ -639,19 +576,7 @@
build_vendor_policy :=
build_odm_policy :=
build_policy :=
-built_plat_cil :=
-built_system_ext_cil :=
-built_product_cil :=
built_sepolicy :=
built_sepolicy_neverallows :=
-built_plat_svc :=
-built_vendor_svc :=
-treble_sysprop_neverallow :=
-enforce_sysprop_owner :=
-enforce_debugfs_restriction :=
-my_target_arch :=
sepolicy_build_files :=
-sepolicy_build_cil_workaround_files :=
with_asan :=
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 9aa510b..053e36a 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -11,9 +11,6 @@
},
{
"include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
- },
- {
- "include-filter": "android.security.cts.SeamendcHostTest"
}
]
}
diff --git a/apex/com.android.threadnetwork-file_contexts b/apex/com.android.threadnetwork-file_contexts
index 412c555..3264177 100644
--- a/apex/com.android.threadnetwork-file_contexts
+++ b/apex/com.android.threadnetwork-file_contexts
@@ -1,3 +1,2 @@
(/.*)? u:object_r:system_file:s0
/bin/ot-daemon u:object_r:ot_daemon_exec:s0
-/bin/ot-ctl u:object_r:ot_ctl_exec:s0
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index db028e6..a15c65c 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -16,6 +16,7 @@
import (
"fmt"
+ "path"
"path/filepath"
"strings"
@@ -103,8 +104,15 @@
b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
+ prebuilt_directories, err := ctx.GlobWithDeps("system/sepolicy/prebuilts/api/*", nil)
+ if err != nil {
+ ctx.ModuleErrorf("error while globbing: %w", err)
+ return
+ }
+
// directories used for compat tests and Treble tests
- for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ for _, dir := range prebuilt_directories {
+ ver := path.Base(dir)
b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "public"))
b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "private"))
b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
diff --git a/build/soong/policy.go b/build/soong/policy.go
index d8c3ffb..0793e2a 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -27,7 +27,6 @@
)
const (
- // TODO: sync with Android.mk
MlsSens = 1
MlsCats = 1024
PolicyVers = 30
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index 9ae7826..385d6af 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -15,12 +15,14 @@
package selinux
import (
- "path/filepath"
"sort"
"android/soong/android"
)
+var currentCilTag = dependencyTag{name: "current_cil"}
+var prebuiltCilTag = dependencyTag{name: "prebuilt_cil"}
+
func init() {
ctx := android.InitRegistrationContext
ctx.RegisterParallelSingletonModuleType("se_freeze_test", freezeTestFactory)
@@ -32,6 +34,9 @@
func freezeTestFactory() android.SingletonModule {
f := &freezeTestModule{}
android.InitAndroidModule(f)
+ android.AddLoadHook(f, func(ctx android.LoadHookContext) {
+ f.loadHook(ctx)
+ })
return f
}
@@ -40,26 +45,23 @@
freezeTestTimestamp android.ModuleOutPath
}
-func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
- // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
-}
-
-func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+func (f *freezeTestModule) shouldSkip(ctx android.EarlyModuleContext) bool {
platformVersion := ctx.DeviceConfig().PlatformSepolicyVersion()
totVersion := ctx.DeviceConfig().TotSepolicyVersion()
+ return platformVersion == totVersion
+}
+
+func (f *freezeTestModule) loadHook(ctx android.LoadHookContext) {
extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
- f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
- if platformVersion == totVersion {
+ if f.shouldSkip(ctx) {
if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
return
}
- // we still build a rule to prevent possible regression
- android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
return
}
@@ -67,17 +69,80 @@
ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
return
}
+}
- platPublic := filepath.Join(ctx.ModuleDir(), "public")
- platPrivate := filepath.Join(ctx.ModuleDir(), "private")
- prebuiltPublic := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "public")
- prebuiltPrivate := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "private")
+func (f *freezeTestModule) prebuiltCilModuleName(ctx android.EarlyModuleContext) string {
+ return ctx.DeviceConfig().PlatformSepolicyVersion() + "_plat_pub_policy.cil"
+}
- sourceDirs := append(extraDirs, platPublic, platPrivate)
- prebuiltDirs := append(extraPrebuiltDirs, prebuiltPublic, prebuiltPrivate)
+func (f *freezeTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ if f.shouldSkip(ctx) {
+ return
+ }
+
+ ctx.AddDependency(f, currentCilTag, "base_plat_pub_policy.cil")
+ ctx.AddDependency(f, prebuiltCilTag, f.prebuiltCilModuleName(ctx))
+}
+
+func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
+ // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
+}
+
+func (f *freezeTestModule) outputFileOfDep(ctx android.ModuleContext, depTag dependencyTag) android.Path {
+ deps := ctx.GetDirectDepsWithTag(depTag)
+ if len(deps) != 1 {
+ ctx.ModuleErrorf("%d deps having tag %q; expected only one dep", len(deps), depTag)
+ return nil
+ }
+
+ dep := deps[0]
+ outputFileProducer, ok := dep.(android.OutputFileProducer)
+ if !ok {
+ ctx.ModuleErrorf("module %q is not an output file producer", dep.String())
+ return nil
+ }
+
+ output, err := outputFileProducer.OutputFiles("")
+ if err != nil {
+ ctx.ModuleErrorf("module %q failed to produce output: %w", dep.String(), err)
+ return nil
+ }
+ if len(output) != 1 {
+ ctx.ModuleErrorf("module %q produced %d outputs; expected only one output", dep.String(), len(output))
+ return nil
+ }
+
+ return output[0]
+}
+
+func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
+
+ if f.shouldSkip(ctx) {
+ // we still build a rule to prevent possible regression
+ android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
+ return
+ }
+
+ // Freeze test 1: compare ToT sepolicy and prebuilt sepolicy
+ currentCil := f.outputFileOfDep(ctx, currentCilTag)
+ prebuiltCil := f.outputFileOfDep(ctx, prebuiltCilTag)
+ if ctx.Failed() {
+ return
+ }
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().BuiltTool("sepolicy_freeze_test").
+ FlagWithInput("-c ", currentCil).
+ FlagWithInput("-p ", prebuiltCil)
+
+ // Freeze test 2: compare extra directories
+ // We don't know the exact structure of extra directories, so just directly compare them
+ extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
+ extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
var implicits []string
- for _, dir := range append(sourceDirs, prebuiltDirs...) {
+ for _, dir := range append(extraDirs, extraPrebuiltDirs...) {
glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
if err != nil {
ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
@@ -87,15 +152,13 @@
}
sort.Strings(implicits)
- rule := android.NewRuleBuilder(pctx, ctx)
-
- for idx, _ := range sourceDirs {
+ for idx, _ := range extraDirs {
rule.Command().Text("diff").
Flag("-r").
Flag("-q").
FlagWithArg("-x ", "bug_map"). // exclude
- Text(sourceDirs[idx]).
- Text(prebuiltDirs[idx])
+ Text(extraDirs[idx]).
+ Text(extraPrebuiltDirs[idx])
}
rule.Command().Text("touch").
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 345a9d2..e53f468 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -70,6 +70,8 @@
"android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
"android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
"android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/software": EXCEPTION_NO_FUZZER,
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
"android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
"android.hardware.nfc.INfc/default": EXCEPTION_NO_FUZZER,
diff --git a/definitions.mk b/definitions.mk
deleted file mode 100644
index 63c4d94..0000000
--- a/definitions.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-# Command to turn collection of policy files into a policy.conf file to be
-# processed by checkpolicy
-define transform-policy-to-conf
-@mkdir -p $(dir $@)
-$(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
- -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
- -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
- -D target_arch=$(PRIVATE_TGT_ARCH) \
- -D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
- -D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
- -D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
- -D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
- -D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
- -D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
- -D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
- -D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
- -D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
- $(PRIVATE_TGT_RECOVERY) \
- -s $(PRIVATE_POLICY_FILES) > $@
-endef
-.KATI_READONLY := transform-policy-to-conf
-
-###########################################################
-## Collect file_contexts files into a single tmp file with m4
-##
-## $(1): list of file_contexts files
-## $(2): filename into which file_contexts files are merged
-###########################################################
-
-define _merge-fc-files
-$(2): $(1) $(M4)
- $(hide) mkdir -p $$(dir $$@)
- $(hide) $(M4) --fatal-warnings -s $(1) > $$@
-endef
-
-define merge-fc-files
-$(eval $(call _merge-fc-files,$(1),$(2)))
-endef
diff --git a/policy_version.mk b/policy_version.mk
deleted file mode 100644
index e6bb747..0000000
--- a/policy_version.mk
+++ /dev/null
@@ -1,4 +0,0 @@
-# SELinux policy version.
-# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
-# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
diff --git a/prebuilts/api/29.0/Android.bp b/prebuilts/api/29.0/Android.bp
new file mode 100644
index 0000000..fd2099f
--- /dev/null
+++ b/prebuilts/api/29.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "29.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_29.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_plat_pub_policy.cil",
+ src: ":29.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "29.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_29.0}",
+ ":se_build_files{.system_ext_public_29.0}",
+ ":se_build_files{.product_public_29.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_product_pub_policy.cil",
+ src: ":29.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "29.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_29.0}",
+ ":se_build_files{.plat_private_29.0}",
+ ":se_build_files{.system_ext_public_29.0}",
+ ":se_build_files{.system_ext_private_29.0}",
+ ":se_build_files{.product_public_29.0}",
+ ":se_build_files{.product_private_29.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_plat_policy.cil",
+ src: ":29.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_29.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "29.0_plat_policy",
+ srcs: [":29.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/30.0/Android.bp b/prebuilts/api/30.0/Android.bp
new file mode 100644
index 0000000..b958de0
--- /dev/null
+++ b/prebuilts/api/30.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "30.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_30.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_plat_pub_policy.cil",
+ src: ":30.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "30.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_30.0}",
+ ":se_build_files{.system_ext_public_30.0}",
+ ":se_build_files{.product_public_30.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_product_pub_policy.cil",
+ src: ":30.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "30.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_30.0}",
+ ":se_build_files{.plat_private_30.0}",
+ ":se_build_files{.system_ext_public_30.0}",
+ ":se_build_files{.system_ext_private_30.0}",
+ ":se_build_files{.product_public_30.0}",
+ ":se_build_files{.product_private_30.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_plat_policy.cil",
+ src: ":30.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_30.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "30.0_plat_policy",
+ srcs: [":30.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/31.0/Android.bp b/prebuilts/api/31.0/Android.bp
new file mode 100644
index 0000000..dbb07b4
--- /dev/null
+++ b/prebuilts/api/31.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "31.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_31.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_plat_pub_policy.cil",
+ src: ":31.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "31.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_31.0}",
+ ":se_build_files{.system_ext_public_31.0}",
+ ":se_build_files{.product_public_31.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_product_pub_policy.cil",
+ src: ":31.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "31.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_31.0}",
+ ":se_build_files{.plat_private_31.0}",
+ ":se_build_files{.system_ext_public_31.0}",
+ ":se_build_files{.system_ext_private_31.0}",
+ ":se_build_files{.product_public_31.0}",
+ ":se_build_files{.product_private_31.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_plat_policy.cil",
+ src: ":31.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_31.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "31.0_plat_policy",
+ srcs: [":31.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/32.0/Android.bp b/prebuilts/api/32.0/Android.bp
new file mode 100644
index 0000000..39722b4
--- /dev/null
+++ b/prebuilts/api/32.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "32.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_32.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_plat_pub_policy.cil",
+ src: ":32.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "32.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_32.0}",
+ ":se_build_files{.system_ext_public_32.0}",
+ ":se_build_files{.product_public_32.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_product_pub_policy.cil",
+ src: ":32.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "32.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_32.0}",
+ ":se_build_files{.plat_private_32.0}",
+ ":se_build_files{.system_ext_public_32.0}",
+ ":se_build_files{.system_ext_private_32.0}",
+ ":se_build_files{.product_public_32.0}",
+ ":se_build_files{.product_private_32.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_plat_policy.cil",
+ src: ":32.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_32.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "32.0_plat_policy",
+ srcs: [":32.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/33.0/Android.bp b/prebuilts/api/33.0/Android.bp
new file mode 100644
index 0000000..9bc68c6
--- /dev/null
+++ b/prebuilts/api/33.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "33.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_33.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_plat_pub_policy.cil",
+ src: ":33.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "33.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_33.0}",
+ ":se_build_files{.system_ext_public_33.0}",
+ ":se_build_files{.product_public_33.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_product_pub_policy.cil",
+ src: ":33.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "33.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_33.0}",
+ ":se_build_files{.plat_private_33.0}",
+ ":se_build_files{.system_ext_public_33.0}",
+ ":se_build_files{.system_ext_private_33.0}",
+ ":se_build_files{.product_public_33.0}",
+ ":se_build_files{.product_private_33.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_plat_policy.cil",
+ src: ":33.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_33.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "33.0_plat_policy",
+ srcs: [":33.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/34.0/Android.bp b/prebuilts/api/34.0/Android.bp
new file mode 100644
index 0000000..499a342
--- /dev/null
+++ b/prebuilts/api/34.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "34.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_34.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_plat_pub_policy.cil",
+ src: ":34.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "34.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_34.0}",
+ ":se_build_files{.system_ext_public_34.0}",
+ ":se_build_files{.product_public_34.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_product_pub_policy.cil",
+ src: ":34.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "34.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_34.0}",
+ ":se_build_files{.plat_private_34.0}",
+ ":se_build_files{.system_ext_public_34.0}",
+ ":se_build_files{.system_ext_private_34.0}",
+ ":se_build_files{.product_public_34.0}",
+ ":se_build_files{.product_private_34.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_plat_policy.cil",
+ src: ":34.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_34.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "34.0_plat_policy",
+ srcs: [":34.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 7315687..408cf33 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,13 +1,15 @@
;; types removed from current policy
(type ashmemd)
+(type clatd_exec)
+(type clatd)
(type exported_audio_prop)
(type exported_dalvik_prop)
(type exported_vold_prop)
(type exported2_config_prop)
(type exported2_vold_prop)
(type hal_wifi_offload_hwservice)
-(type install_recovery)
(type install_recovery_exec)
+(type install_recovery)
(type mediacodec_service)
(type perfprofd_data_file)
(type perfprofd_service)
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 83d83ff..f95488c 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1,11 +1,16 @@
;; types removed from current policy
+(type adbd_prop)
(type cgroup_bpf)
+(type device_config_configuration_prop)
+(type device_config_storage_native_boot_prop)
+(type device_config_sys_traced_prop)
+(type device_config_window_manager_native_boot_prop)
(type exported_audio_prop)
(type exported_dalvik_prop)
(type exported_ffs_prop)
(type exported_fingerprint_prop)
-(type exported_system_radio_prop)
(type exported_radio_prop)
+(type exported_system_radio_prop)
(type exported_vold_prop)
(type exported_wifi_prop)
(type exported2_config_prop)
@@ -16,8 +21,19 @@
(type exported3_default_prop)
(type exported3_radio_prop)
(type ffs_prop)
+(type gsid_prop)
+(type init_perf_lsm_hooks_prop)
+(type init_svc_debug_prop)
+(type last_boot_reason_prop)
+(type mediatranscoding_exec)
+(type netd_stable_secret_prop)
+(type pm_prop)
+(type system_adbd_prop)
(type system_radio_prop)
(type thermalcallback_hwservice)
+(type traced_perf_enabled_prop)
+(type userspace_reboot_log_prop)
+(type userspace_reboot_test_prop)
(typeattribute binder_in_vendor_violators)
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index e16be89..60b9ba6 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -9,6 +9,7 @@
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
+ hal_codec2_service
hal_threadnetwork_service
virtual_camera_service
ot_daemon_service
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 60962cb..6cc1828 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -32,6 +32,9 @@
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;
+# Read Vendor APEX directories
+allow crash_dump vendor_apex_metadata_file:dir { getattr search };
+
###
### neverallow assertions
###
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index d5e8a74..5d4070d 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -21,6 +21,8 @@
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)
+hal_client_domain(isolated_compute_app, hal_codec2)
+
allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
# Allow access to network sockets received over IPC. New socket creation is not
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
deleted file mode 100644
index 12e7ce2..0000000
--- a/private/ot_ctl.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# ot_ctl is the commandline tool for controling the native Thread network daemon (ot_daemon).
-#
-
-type ot_ctl, domain, coredomain;
-type ot_ctl_exec, exec_type, system_file_type, file_type;
-
-init_daemon_domain(ot_ctl)
-
-# Allow the ot_ctl to read/write the socket file.
-allow ot_ctl threadnetwork_data_file:sock_file {read write};
diff --git a/private/service_contexts b/private/service_contexts
index 71bd7e4..746cde1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -51,6 +51,8 @@
android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0
+android.hardware.media.c2.IComponentStore/software u:object_r:hal_codec2_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 91e9aba..c1aa4cc 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -68,6 +68,7 @@
# Get properties.
get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
get_prop(surfaceflinger, device_config_surface_flinger_native_boot_prop)
+get_prop(surfaceflinger, device_config_aconfig_flags_prop)
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index a379bb3..f05e00a 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -7,6 +7,7 @@
binder_call(hal_codec2_server, hal_codec2_client)
hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+hal_attribute_service(hal_codec2, hal_codec2_service)
# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index edbab03..b3b26c1 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -21,7 +21,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
+neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/service.te b/public/service.te
index d2e6ca3..8cc5acc 100644
--- a/public/service.te
+++ b/public/service.te
@@ -285,6 +285,7 @@
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
type hal_cas_service, hal_service_type, service_manager_type;
+type hal_codec2_service, hal_service_type, service_manager_type, isolated_compute_allowed_service;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;
diff --git a/tests/Android.bp b/tests/Android.bp
index cc0bdc1..2c2c9a6 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -50,9 +50,7 @@
},
libs: [
"mini_cil_parser",
- "pysepolwrap",
],
- data: [":libsepolwrap"],
}
python_binary_host {
@@ -146,3 +144,18 @@
name: "check_prop_prefix",
srcs: ["check_prop_prefix.py"],
}
+
+python_binary_host {
+ name: "sepolicy_freeze_test",
+ srcs: [
+ "sepolicy_freeze_test.py",
+ ],
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
+ libs: [
+ "mini_cil_parser",
+ ],
+}
diff --git a/tests/policy.py b/tests/policy.py
index 910dd3d..805c451 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -429,6 +429,7 @@
# load file_contexts
def __InitFC(self, FcPaths):
+ self.__FcDict = {}
if FcPaths is None:
return
fc = []
@@ -438,7 +439,6 @@
fd = open(path, "r")
fc += fd.readlines()
fd.close()
- self.__FcDict = {}
for i in fc:
rec = i.split()
try:
@@ -467,3 +467,159 @@
def __del__(self):
if self.__policydbP is not None:
self.__libsepolwrap.destroy_policy(self.__policydbP)
+
+coredomainAllowlist = {
+ # TODO: how do we make sure vendor_init doesn't have bad coupling with
+ # /vendor? It is the only system process which is not coredomain.
+ 'vendor_init',
+ # TODO(b/152813275): need to avoid allowlist for rootdir
+ "modprobe",
+ "slideshow",
+ }
+
+class scontext:
+ def __init__(self):
+ self.fromSystem = False
+ self.fromVendor = False
+ self.coredomain = False
+ self.appdomain = False
+ self.attributes = set()
+ self.entrypoints = []
+ self.entrypointpaths = []
+ self.error = ""
+
+class TestPolicy:
+ """A policy loaded in memory with its domains easily accessible."""
+
+ def __init__(self):
+ self.alldomains = {}
+ self.coredomains = set()
+ self.appdomains = set()
+ self.vendordomains = set()
+ self.pol = None
+
+ # compat vars
+ self.alltypes = set()
+ self.oldalltypes = set()
+ self.compatMapping = None
+ self.pubtypes = set()
+
+ def GetAllDomains(self):
+ for result in self.pol.QueryTypeAttribute("domain", True):
+ self.alldomains[result] = scontext()
+
+ def GetAppDomains(self):
+ for d in self.alldomains:
+ # The application of the "appdomain" attribute is trusted because core
+ # selinux policy contains neverallow rules that enforce that only zygote
+ # and runas spawned processes may transition to processes that have
+ # the appdomain attribute.
+ if "appdomain" in self.alldomains[d].attributes:
+ self.alldomains[d].appdomain = True
+ self.appdomains.add(d)
+
+ def GetCoreDomains(self):
+ for d in self.alldomains:
+ domain = self.alldomains[d]
+ # TestCoredomainViolations will verify if coredomain was incorrectly
+ # applied.
+ if "coredomain" in domain.attributes:
+ domain.coredomain = True
+ self.coredomains.add(d)
+ # check whether domains are executed off of /system or /vendor
+ if d in coredomainAllowlist:
+ continue
+ # TODO(b/153112003): add checks to prevent app domains from being
+ # incorrectly labeled as coredomain. Apps don't have entrypoints as
+ # they're always dynamically transitioned to by zygote.
+ if d in self.appdomains:
+ continue
+ # TODO(b/153112747): need to handle cases where there is a dynamic
+ # transition OR there happens to be no context in AOSP files.
+ if not domain.entrypointpaths:
+ continue
+
+ for path in domain.entrypointpaths:
+ vendor = any(MatchPathPrefix(path, prefix) for prefix in
+ ["/vendor", "/odm"])
+ system = any(MatchPathPrefix(path, prefix) for prefix in
+ ["/init", "/system_ext", "/product" ])
+
+ # only mark entrypoint as system if it is not in legacy /system/vendor
+ if MatchPathPrefix(path, "/system/vendor"):
+ vendor = True
+ elif MatchPathPrefix(path, "/system"):
+ system = True
+
+ if not vendor and not system:
+ domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
+
+ domain.fromSystem = domain.fromSystem or system
+ domain.fromVendor = domain.fromVendor or vendor
+
+ ###
+ # Add the entrypoint type and path(s) to each domain.
+ #
+ def GetDomainEntrypoints(self):
+ for x in self.pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
+ if not x.sctx in self.alldomains:
+ continue
+ self.alldomains[x.sctx].entrypoints.append(str(x.tctx))
+ # postinstall_file represents a special case specific to A/B OTAs.
+ # Update_engine mounts a partition and relabels it postinstall_file.
+ # There is no file_contexts entry associated with postinstall_file
+ # so skip the lookup.
+ if x.tctx == "postinstall_file":
+ continue
+ entrypointpath = self.pol.QueryFc(x.tctx)
+ if not entrypointpath:
+ continue
+ self.alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
+
+ ###
+ # Get attributes associated with each domain
+ #
+ def GetAttributes(self):
+ for domain in self.alldomains:
+ for result in self.pol.QueryTypeAttribute(domain, False):
+ self.alldomains[domain].attributes.add(result)
+
+ def setup(self, pol):
+ self.pol = pol
+ self.GetAllDomains()
+ self.GetAttributes()
+ self.GetDomainEntrypoints()
+ self.GetAppDomains()
+ self.GetCoreDomains()
+
+ def GetAllTypes(self, basepol, oldpol):
+ self.alltypes = basepol.GetAllTypes(False)
+ self.oldalltypes = oldpol.GetAllTypes(False)
+
+ # setup for the policy compatibility tests
+ def compatSetup(self, basepol, oldpol, mapping, types):
+ self.GetAllTypes(basepol, oldpol)
+ self.compatMapping = mapping
+ self.pubtypes = types
+
+ def DomainsWithAttribute(self, attr):
+ domains = []
+ for domain in self.alldomains:
+ if attr in self.alldomains[domain].attributes:
+ domains.append(domain)
+ return domains
+
+ def PrintScontexts(self):
+ for d in sorted(self.alldomains.keys()):
+ sctx = self.alldomains[d]
+ print(d)
+ print("\tcoredomain="+str(sctx.coredomain))
+ print("\tappdomain="+str(sctx.appdomain))
+ print("\tfromSystem="+str(sctx.fromSystem))
+ print("\tfromVendor="+str(sctx.fromVendor))
+ print("\tattributes="+str(sctx.attributes))
+ print("\tentrypoints="+str(sctx.entrypoints))
+ print("\tentrypointpaths=")
+ if sctx.entrypointpaths is not None:
+ for path in sctx.entrypointpaths:
+ print("\t\t"+str(path))
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
new file mode 100644
index 0000000..72c8fde
--- /dev/null
+++ b/tests/sepolicy_freeze_test.py
@@ -0,0 +1,56 @@
+# Copyright 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from optparse import OptionParser
+import mini_parser
+import os
+import sys
+
+def do_main():
+ usage = "sepolicy_freeze_test "
+ usage += "-c current_cil -p prebuilt_cil [--help]"
+ parser = OptionParser(usage=usage)
+ parser.add_option("-c", "--current", dest="current", metavar="FILE")
+ parser.add_option("-p", "--prebuilt", dest="prebuilt", metavar="FILE")
+
+ (options, args) = parser.parse_args()
+
+ if not options.current or not options.prebuilt:
+ sys.exit("Must specify both current and prebuilt\n" + parser.usage)
+ if not os.path.exists(options.current):
+ sys.exit("Current policy " + options.current + " does not exist\n"
+ + parser.usage)
+ if not os.path.exists(options.prebuilt):
+ sys.exit("Prebuilt policy " + options.prebuilt + " does not exist\n"
+ + parser.usage)
+
+ current_policy = mini_parser.MiniCilParser(options.current)
+ prebuilt_policy = mini_parser.MiniCilParser(options.prebuilt)
+
+ results = ""
+ removed_types = prebuilt_policy.types - current_policy.types
+ removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
+ removed_attributes = set(filter(lambda x: "base_typeattr_" not in x, removed_attributes))
+
+ if removed_types:
+ results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
+
+ if removed_attributes:
+ results += "The following public attributes were removed:\n" + ", ".join(removed_attributes) + "\n"
+
+ if len(results) > 0:
+ sys.exit(results)
+
+if __name__ == '__main__':
+ do_main()
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 63144dd..4ef161b 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -84,8 +84,11 @@
return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")
def TestCoreDataTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
+ ret = pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
"/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
+ ret += pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
+ "/data/vendor_de/"], [], "core_data_file_type")
+ return ret
def TestPropertyTypeViolations(pol):
return pol.AssertPropertyOwnersAreExclusive()
@@ -115,7 +118,152 @@
return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
"dmabuf_heap_device_type")
+def TestCoredomainViolations(test_policy):
+ # verify that all domains launched from /system have the coredomain
+ # attribute
+ ret = ""
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromSystem and domain.fromVendor:
+ ret += "The following domain is system and vendor: " + d + "\n"
+
+ for domain in test_policy.alldomains.values():
+ ret += domain.error
+
+ violators = []
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromSystem and "coredomain" not in domain.attributes:
+ violators.append(d);
+ if len(violators) > 0:
+ ret += "The following domain(s) must be associated with the "
+ ret += "\"coredomain\" attribute because they are executed off of "
+ ret += "/system:\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+
+ # verify that all domains launched form /vendor do not have the coredomain
+ # attribute
+ violators = []
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromVendor and "coredomain" in domain.attributes:
+ violators.append(d)
+ if len(violators) > 0:
+ ret += "The following domains must not be associated with the "
+ ret += "\"coredomain\" attribute because they are executed off of "
+ ret += "/vendor or /system/vendor:\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+
+ return ret
+
+def TestViolatorAttribute(test_policy, attribute):
+ # TODO(b/113124961): re-enable once all violator attributes are removed.
+ return ""
+
+ # ret = ""
+ # return ret
+
+ # violators = test_policy.DomainsWithAttribute(attribute)
+ # if len(violators) > 0:
+ # ret += "SELinux: The following domains violate the Treble ban "
+ # ret += "against use of the " + attribute + " attribute: "
+ # ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ # return ret
+
+def TestViolatorAttributes(test_policy):
+ ret = ""
+ ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
+ ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
+ return ret
+
+def TestIsolatedAttributeConsistency(test_policy):
+ permissionAllowList = {
+ # access given from technical_debt.cil
+ "codec2_config_prop" : ["file"],
+ "device_config_nnapi_native_prop":["file"],
+ "hal_allocator_default":["binder", "fd"],
+ "hal_codec2": ["binder", "fd"],
+ "hal_codec2_hwservice":["hwservice_manager"],
+ "hal_graphics_allocator": ["binder", "fd"],
+ "hal_graphics_allocator_service":["service_manager"],
+ "hal_graphics_allocator_hwservice":["hwservice_manager"],
+ "hal_graphics_allocator_server":["binder", "service_manager"],
+ "hal_graphics_mapper_hwservice":["hwservice_manager"],
+ "hal_neuralnetworks": ["binder", "fd"],
+ "hal_neuralnetworks_service": ["service_manager"],
+ "hal_neuralnetworks_hwservice":["hwservice_manager"],
+ "hal_omx_hwservice":["hwservice_manager"],
+ "hidl_allocator_hwservice":["hwservice_manager"],
+ "hidl_manager_hwservice":["hwservice_manager"],
+ "hidl_memory_hwservice":["hwservice_manager"],
+ "hidl_token_hwservice":["hwservice_manager"],
+ "hwservicemanager":["binder"],
+ "hwservicemanager_prop":["file"],
+ "mediacodec":["binder", "fd"],
+ "mediaswcodec":["binder", "fd"],
+ "media_variant_prop":["file"],
+ "nnapi_ext_deny_product_prop":["file"],
+ "servicemanager":["fd"],
+ "toolbox_exec": ["file"],
+ # extra types being granted to isolated_compute_app
+ "isolated_compute_allowed":["service_manager", "chr_file"],
+ }
+
+ def resolveHalServerSubtype(target):
+ # permission given as a client in technical_debt.cil
+ hal_server_attributes = [
+ "hal_codec2_server",
+ "hal_graphics_allocator_server",
+ "hal_neuralnetworks_server"]
+
+ for attr in hal_server_attributes:
+ if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
+ return attr.rsplit("_", 1)[0]
+ return target
+
+ def checkIsolatedComputeAllowed(tctx, tclass):
+ # check if the permission is in isolated_compute_allowed
+ allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
+ .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
+ return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
+
+ def checkPermissions(permissions):
+ violated_permissions = []
+ for perm in permissions:
+ tctx, tclass, p = perm.split(":")
+ tctx = resolveHalServerSubtype(tctx)
+ # check unwanted permissions
+ if not checkIsolatedComputeAllowed(tctx, tclass) and \
+ ( tctx not in permissionAllowList \
+ or tclass not in permissionAllowList[tctx] \
+ or ( p == "write") \
+ or ( p == "rw_file_perms") ):
+ violated_permissions += [perm]
+ return violated_permissions
+
+ ret = ""
+
+ isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
+ baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
+ basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
+ for rule in baseRules for perm in rule.perms])
+ for subType in isolatedMemberTypes:
+ if subType == "isolated_app" : continue
+ currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
+ typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
+ for rule in currentTypeRule for perm in rule.perms
+ if not rule.tctx in [subType, subType + "_userfaultfd"]])
+ deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
+ violated_permissions = checkPermissions(list(deltaPermissionSet))
+ for perm in violated_permissions:
+ ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))
+
+ if ret:
+ ret = ("Found prohibited permission granted for isolated like types. " + \
+ "Please replace your allow statements that involve \"-isolated_app\" with " + \
+ "\"-isolated_app_all\". Violations are shown as the following: \n") + ret
+ return ret
###
# extend OptionParser to allow the same option flag to be used multiple times.
@@ -147,6 +295,9 @@
"TestPropertyTypeViolations",
"TestAppDataTypeViolations",
"TestDmaHeapDevTypeViolations",
+ "TestCoredomainViolations",
+ "TestViolatorAttributes",
+ "TestIsolatedAttributeConsistency",
]
def do_main(libpath):
@@ -179,6 +330,8 @@
parser.usage)
pol = policy.Policy(options.policy, options.file_contexts, libpath)
+ test_policy = policy.TestPolicy()
+ test_policy.setup(pol)
results = ""
# If an individual test is not specified, run all tests.
@@ -206,6 +359,12 @@
results += TestAppDataTypeViolations(pol)
if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
results += TestDmaHeapDevTypeViolations(pol)
+ if options.test is None or "TestCoredomainViolations" in options.test:
+ results += TestCoredomainViolations(test_policy)
+ if options.test is None or "TestViolatorAttributes" in options.test:
+ results += TestViolatorAttributes(test_policy)
+ if options.test is None or "TestIsolatedAttributeConsistency" in options.test:
+ results += TestIsolatedAttributeConsistency(test_policy)
if len(results) > 0:
sys.exit(results)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 0628d35..ff1a348 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -16,236 +16,30 @@
from optparse import Option, OptionValueError
import os
import mini_parser
-import pkgutil
-import policy
-from policy import MatchPathPrefix
import re
import shutil
import sys
import tempfile
-DEBUG=False
-SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
-
-# TODO(b/266998144): consider rename this file.
-
'''
-Use file_contexts and policy to verify Treble requirements
-are not violated.
+Verify that Treble compatibility are not broken.
'''
-coredomainAllowlist = {
- # TODO: how do we make sure vendor_init doesn't have bad coupling with
- # /vendor? It is the only system process which is not coredomain.
- 'vendor_init',
- # TODO(b/152813275): need to avoid allowlist for rootdir
- "modprobe",
- "slideshow",
- }
-
-class scontext:
- def __init__(self):
- self.fromSystem = False
- self.fromVendor = False
- self.coredomain = False
- self.appdomain = False
- self.attributes = set()
- self.entrypoints = []
- self.entrypointpaths = []
- self.error = ""
-
-
-class TestPolicy:
- """A policy loaded in memory with its domains easily accessible."""
-
- def __init__(self):
- self.alldomains = {}
- self.coredomains = set()
- self.appdomains = set()
- self.vendordomains = set()
- self.pol = None
-
- # compat vars
- self.alltypes = set()
- self.oldalltypes = set()
- self.compatMapping = None
- self.pubtypes = set()
-
- # Distinguish between PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE
- self.FakeTreble = False
-
- def GetAllDomains(self):
- for result in self.pol.QueryTypeAttribute("domain", True):
- self.alldomains[result] = scontext()
-
- def GetAppDomains(self):
- for d in self.alldomains:
- # The application of the "appdomain" attribute is trusted because core
- # selinux policy contains neverallow rules that enforce that only zygote
- # and runas spawned processes may transition to processes that have
- # the appdomain attribute.
- if "appdomain" in self.alldomains[d].attributes:
- self.alldomains[d].appdomain = True
- self.appdomains.add(d)
-
- def GetCoreDomains(self):
- for d in self.alldomains:
- domain = self.alldomains[d]
- # TestCoredomainViolations will verify if coredomain was incorrectly
- # applied.
- if "coredomain" in domain.attributes:
- domain.coredomain = True
- self.coredomains.add(d)
- # check whether domains are executed off of /system or /vendor
- if d in coredomainAllowlist:
- continue
- # TODO(b/153112003): add checks to prevent app domains from being
- # incorrectly labeled as coredomain. Apps don't have entrypoints as
- # they're always dynamically transitioned to by zygote.
- if d in self.appdomains:
- continue
- # TODO(b/153112747): need to handle cases where there is a dynamic
- # transition OR there happens to be no context in AOSP files.
- if not domain.entrypointpaths:
- continue
-
- for path in domain.entrypointpaths:
- vendor = any(MatchPathPrefix(path, prefix) for prefix in
- ["/vendor", "/odm"])
- system = any(MatchPathPrefix(path, prefix) for prefix in
- ["/init", "/system_ext", "/product" ])
-
- # only mark entrypoint as system if it is not in legacy /system/vendor
- if MatchPathPrefix(path, "/system/vendor"):
- vendor = True
- elif MatchPathPrefix(path, "/system"):
- system = True
-
- if not vendor and not system:
- domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
-
- domain.fromSystem = domain.fromSystem or system
- domain.fromVendor = domain.fromVendor or vendor
-
- ###
- # Add the entrypoint type and path(s) to each domain.
- #
- def GetDomainEntrypoints(self):
- for x in self.pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
- if not x.sctx in self.alldomains:
- continue
- self.alldomains[x.sctx].entrypoints.append(str(x.tctx))
- # postinstall_file represents a special case specific to A/B OTAs.
- # Update_engine mounts a partition and relabels it postinstall_file.
- # There is no file_contexts entry associated with postinstall_file
- # so skip the lookup.
- if x.tctx == "postinstall_file":
- continue
- entrypointpath = self.pol.QueryFc(x.tctx)
- if not entrypointpath:
- continue
- self.alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
-
- ###
- # Get attributes associated with each domain
- #
- def GetAttributes(self):
- for domain in self.alldomains:
- for result in self.pol.QueryTypeAttribute(domain, False):
- self.alldomains[domain].attributes.add(result)
-
- def setup(self, pol):
- self.pol = pol
- self.GetAllDomains()
- self.GetAttributes()
- self.GetDomainEntrypoints()
- self.GetAppDomains()
- self.GetCoreDomains()
-
- def GetAllTypes(self, basepol, oldpol):
- self.alltypes = basepol.GetAllTypes(False)
- self.oldalltypes = oldpol.GetAllTypes(False)
-
- # setup for the policy compatibility tests
- def compatSetup(self, basepol, oldpol, mapping, types):
- self.GetAllTypes(basepol, oldpol)
- self.compatMapping = mapping
- self.pubtypes = types
-
- def DomainsWithAttribute(self, attr):
- domains = []
- for domain in self.alldomains:
- if attr in self.alldomains[domain].attributes:
- domains.append(domain)
- return domains
-
- def PrintScontexts(self):
- for d in sorted(self.alldomains.keys()):
- sctx = self.alldomains[d]
- print(d)
- print("\tcoredomain="+str(sctx.coredomain))
- print("\tappdomain="+str(sctx.appdomain))
- print("\tfromSystem="+str(sctx.fromSystem))
- print("\tfromVendor="+str(sctx.fromVendor))
- print("\tattributes="+str(sctx.attributes))
- print("\tentrypoints="+str(sctx.entrypoints))
- print("\tentrypointpaths=")
- if sctx.entrypointpaths is not None:
- for path in sctx.entrypointpaths:
- print("\t\t"+str(path))
#############################################################
# Tests
#############################################################
-def TestCoredomainViolations(test_policy):
- # verify that all domains launched from /system have the coredomain
- # attribute
- ret = ""
-
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromSystem and domain.fromVendor:
- ret += "The following domain is system and vendor: " + d + "\n"
-
- for domain in test_policy.alldomains.values():
- ret += domain.error
-
- violators = []
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromSystem and "coredomain" not in domain.attributes:
- violators.append(d);
- if len(violators) > 0:
- ret += "The following domain(s) must be associated with the "
- ret += "\"coredomain\" attribute because they are executed off of "
- ret += "/system:\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
-
- # verify that all domains launched form /vendor do not have the coredomain
- # attribute
- violators = []
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromVendor and "coredomain" in domain.attributes:
- violators.append(d)
- if len(violators) > 0:
- ret += "The following domains must not be associated with the "
- ret += "\"coredomain\" attribute because they are executed off of "
- ret += "/vendor or /system/vendor:\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
-
- return ret
###
# Make sure that any new public type introduced in the new policy that was not
# present in the old policy has been recorded in the mapping file.
-def TestNoUnmappedNewTypes(test_policy):
- newt = test_policy.alltypes - test_policy.oldalltypes
+def TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping):
+ newt = base_pub_policy.types - old_pub_policy.types
ret = ""
violators = []
for n in newt:
- if n in test_policy.pubtypes and test_policy.compatMapping.rTypeattributesets.get(n) is None:
+ if mapping.rTypeattributesets.get(n) is None:
violators.append(n)
if len(violators) > 0:
@@ -262,13 +56,13 @@
###
# Make sure that any public type removed in the current policy has its
# declaration added to the mapping file for use in non-platform policy
-def TestNoUnmappedRmTypes(test_policy):
- rmt = test_policy.oldalltypes - test_policy.alltypes
+def TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping):
+ rmt = old_pub_policy.types - base_pub_policy.types
ret = ""
violators = []
for o in rmt:
- if o in test_policy.compatMapping.pubtypes and not o in test_policy.compatMapping.types:
+ if o in mapping.pubtypes and not o in mapping.types:
violators.append(o)
if len(violators) > 0:
@@ -281,124 +75,11 @@
ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n"
return ret
-def TestTrebleCompatMapping(test_policy):
- ret = TestNoUnmappedNewTypes(test_policy)
- ret += TestNoUnmappedRmTypes(test_policy)
+def TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping):
+ ret = TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping)
+ ret += TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping)
return ret
-def TestViolatorAttribute(test_policy, attribute):
- ret = ""
- if test_policy.FakeTreble:
- return ret
-
- violators = test_policy.DomainsWithAttribute(attribute)
- if len(violators) > 0:
- ret += "SELinux: The following domains violate the Treble ban "
- ret += "against use of the " + attribute + " attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- return ret
-
-def TestViolatorAttributes(test_policy):
- ret = ""
- ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
- ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
- return ret
-
-# TODO move this to sepolicy_tests
-def TestCoreDataTypeViolations(test_policy):
- return test_policy.pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
- "/data/vendor_de/"], [], "core_data_file_type")
-
-# TODO move this to sepolicy_tests
-def TestIsolatedAttributeConsistency(test_policy):
- permissionAllowList = {
- # access given from technical_debt.cil
- "codec2_config_prop" : ["file"],
- "device_config_nnapi_native_prop":["file"],
- "hal_allocator_default":["binder", "fd"],
- "hal_codec2": ["binder", "fd"],
- "hal_codec2_hwservice":["hwservice_manager"],
- "hal_graphics_allocator": ["binder", "fd"],
- "hal_graphics_allocator_service":["service_manager"],
- "hal_graphics_allocator_hwservice":["hwservice_manager"],
- "hal_graphics_allocator_server":["binder", "service_manager"],
- "hal_graphics_mapper_hwservice":["hwservice_manager"],
- "hal_neuralnetworks": ["binder", "fd"],
- "hal_neuralnetworks_service": ["service_manager"],
- "hal_neuralnetworks_hwservice":["hwservice_manager"],
- "hal_omx_hwservice":["hwservice_manager"],
- "hidl_allocator_hwservice":["hwservice_manager"],
- "hidl_manager_hwservice":["hwservice_manager"],
- "hidl_memory_hwservice":["hwservice_manager"],
- "hidl_token_hwservice":["hwservice_manager"],
- "hwservicemanager":["binder"],
- "hwservicemanager_prop":["file"],
- "mediacodec":["binder", "fd"],
- "mediaswcodec":["binder", "fd"],
- "media_variant_prop":["file"],
- "nnapi_ext_deny_product_prop":["file"],
- "servicemanager":["fd"],
- "toolbox_exec": ["file"],
- # extra types being granted to isolated_compute_app
- "isolated_compute_allowed":["service_manager", "chr_file"],
- }
-
- def resolveHalServerSubtype(target):
- # permission given as a client in technical_debt.cil
- hal_server_attributes = [
- "hal_codec2_server",
- "hal_graphics_allocator_server",
- "hal_neuralnetworks_server"]
-
- for attr in hal_server_attributes:
- if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
- return attr.rsplit("_", 1)[0]
- return target
-
- def checkIsolatedComputeAllowed(tctx, tclass):
- # check if the permission is in isolated_compute_allowed
- allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
- .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
- return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
-
-
- def checkPermissions(permissions):
- violated_permissions = []
- for perm in permissions:
- tctx, tclass, p = perm.split(":")
- tctx = resolveHalServerSubtype(tctx)
- # check unwanted permissions
- if not checkIsolatedComputeAllowed(tctx, tclass) and \
- ( tctx not in permissionAllowList \
- or tclass not in permissionAllowList[tctx] \
- or ( p == "write") \
- or ( p == "rw_file_perms") ):
- violated_permissions += [perm]
- return violated_permissions
-
- ret = ""
-
- isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
- baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
- basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
- for rule in baseRules for perm in rule.perms])
- for subType in isolatedMemberTypes:
- if subType == "isolated_app" : continue
- currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
- typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
- for rule in currentTypeRule for perm in rule.perms
- if not rule.tctx in [subType, subType + "_userfaultfd"]])
- deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
- violated_permissions = checkPermissions(list(deltaPermissionSet))
- for perm in violated_permissions:
- ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))
-
- if ret:
- ret = ("Found prohibited permission granted for isolated like types. " + \
- "Please replace your allow statements that involve \"-isolated_app\" with " + \
- "\"-isolated_app_all\". Violations are shown as the following: \n") + ret
- return ret
-
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -416,111 +97,38 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = {"CoredomainViolations": TestCoredomainViolations,
- "CoreDatatypeViolations": TestCoreDataTypeViolations,
- "TrebleCompatMapping": TestTrebleCompatMapping,
- "ViolatorAttributes": TestViolatorAttributes,
- "IsolatedAttributeConsistency": TestIsolatedAttributeConsistency}
-
-def do_main(libpath):
- """
- Args:
- libpath: string, path to libsepolwrap.so
- """
- test_policy = TestPolicy()
-
+def do_main():
usage = "treble_sepolicy_tests "
- usage += "-f nonplat_file_contexts -f plat_file_contexts "
- usage += "-p curr_policy -b base_policy -o old_policy "
- usage +="-m mapping file [--test test] [--help]"
+ usage += "-b base_pub_policy -o old_pub_policy "
+ usage += "-m mapping file [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
- parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
- parser.add_option("-u", "--base-pub-policy", dest="base_pub_policy",
+ parser.add_option("-b", "--base-pub-policy", dest="base_pub_policy",
metavar="FILE")
- parser.add_option("-f", "--file_contexts", dest="file_contexts",
- metavar="FILE", action="extend", type="string")
parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
- parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
- parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
- parser.add_option("-t", "--test", dest="tests", action="extend",
- help="Test options include "+str(Tests))
- parser.add_option("--fake-treble", action="store_true", dest="faketreble",
- default=False)
+ parser.add_option("-o", "--old-pub-policy", dest="old_pub_policy",
+ metavar="FILE")
(options, args) = parser.parse_args()
- if not options.policy:
- sys.exit("Must specify current monolithic policy file\n" + parser.usage)
- if not os.path.exists(options.policy):
- sys.exit("Error: policy file " + options.policy + " does not exist\n"
- + parser.usage)
- if not options.file_contexts:
- sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
- for f in options.file_contexts:
- if not os.path.exists(f):
- sys.exit("Error: File_contexts file " + f + " does not exist\n" +
- parser.usage)
-
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
- if options.tests is None or options.tests == "TrebleCompatMapping":
- if not options.basepolicy:
- sys.exit("Must specify the current platform-only policy file\n"
- + parser.usage)
- if not options.mapping:
- sys.exit("Must specify a compatibility mapping file\n"
- + parser.usage)
- if not options.oldpolicy:
- sys.exit("Must specify the previous monolithic policy file\n"
- + parser.usage)
- if not options.base_pub_policy:
- sys.exit("Must specify the current platform-only public policy "
- + ".cil file\n" + parser.usage)
- basepol = policy.Policy(options.basepolicy, None, libpath)
- oldpol = policy.Policy(options.oldpolicy, None, libpath)
- mapping = mini_parser.MiniCilParser(options.mapping)
- pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
- test_policy.compatSetup(basepol, oldpol, mapping, pubpol.types)
+ if not options.mapping:
+ sys.exit("Must specify a compatibility mapping file\n"
+ + parser.usage)
+ if not options.old_pub_policy:
+ sys.exit("Must specify the previous public policy .cil file\n"
+ + parser.usage)
+ if not options.base_pub_policy:
+ sys.exit("Must specify the current platform-only public policy "
+ + ".cil file\n" + parser.usage)
+ mapping = mini_parser.MiniCilParser(options.mapping)
+ base_pub_policy = mini_parser.MiniCilParser(options.base_pub_policy)
+ old_pub_policy = mini_parser.MiniCilParser(options.old_pub_policy)
- if options.faketreble:
- test_policy.FakeTreble = True
-
- pol = policy.Policy(options.policy, options.file_contexts, libpath)
- test_policy.setup(pol)
-
- if DEBUG:
- test_policy.PrintScontexts()
-
- results = ""
- # If an individual test is not specified, run all tests.
- if options.tests is None:
- for t in Tests.values():
- results += t(test_policy)
- else:
- for tn in options.tests:
- t = Tests.get(tn)
- if t:
- results += t(test_policy)
- else:
- err = "Error: unknown test: " + tn + "\n"
- err += "Available tests:\n"
- for tn in Tests.keys():
- err += tn + "\n"
- sys.exit(err)
+ results = TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping)
if len(results) > 0:
sys.exit(results)
if __name__ == '__main__':
- temp_dir = tempfile.mkdtemp()
- try:
- libname = "libsepolwrap" + SHARED_LIB_EXTENSION
- libpath = os.path.join(temp_dir, libname)
- with open(libpath, "wb") as f:
- blob = pkgutil.get_data("treble_sepolicy_tests", libname)
- if not blob:
- sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
- f.write(blob)
- do_main(libpath)
- finally:
- shutil.rmtree(temp_dir)
+ do_main()
diff --git a/tools/Android.mk b/tools/Android.mk
deleted file mode 100644
index 34f4385..0000000
--- a/tools/Android.mk
+++ /dev/null
@@ -1,3 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/policy_version_check.sh b/tools/policy_version_check.sh
index 33ce861..f82c53d 100755
--- a/tools/policy_version_check.sh
+++ b/tools/policy_version_check.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]')
+MK=$(awk -F= '/PolicyVers/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')
BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
if [ "$MK" != "$BP" ]; then
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index c8d5b46..9d6960b 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -11,15 +11,9 @@
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
-# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
-# make file of the system_ext partition.
-SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
-# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
-# make file of the product partition.
-PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
IS_TREBLE_TEST_ENABLED_PARTNER := false
ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
+ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
IS_TREBLE_TEST_ENABLED_PARTNER := true
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
@@ -30,59 +24,7 @@
# built to enable us to determine the diff between the current policy and the
# $(version) policy, which will be used in tests to make sure that compatibility has
# been maintained by our mapping files.
-$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
-ifneq (,$(PRODUCT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(PRODUCT_PREBUILT_POLICY))
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
-$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
-$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$($(version)_plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-policy_files :=
-
-built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
-$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
-$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
-
-# TODO(b/214336258): move to Soong
-$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
-
-$(version)_plat_policy.conf :=
+built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
$(version)_mapping.ignore.cil := \
@@ -106,51 +48,31 @@
# combining the current platform policy with nonplatform policy based on the
# $(version) policy release and also a special ignored file that exists purely for
# these tests.
+intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
mkdir -p $(dir $@)
cat $^ > $@
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-built_sepolicy_files := $(built_product_sepolicy)
public_cil_files := $(base_product_pub_policy.cil)
else
-built_sepolicy_files := $(built_plat_sepolicy)
public_cil_files := $(base_plat_pub_policy.cil)
endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil)
$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
-ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
-# TODO(b/113124961): remove fake-treble
-$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
-endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
- $(all_fc_files) $(built_sepolicy) \
- $(built_sepolicy_files) \
$(public_cil_files) \
- $(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil)
+ $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
- -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
- -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
- -u $(PRIVATE_PLAT_PUB_SEPOLICY) \
- $(PRIVATE_FAKE_TREBLE)
+ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
+ -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+ -o $(PRIVATE_SEPOLICY_OLD)
$(hide) touch $@
-$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
-$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
-$(version)_PRODUCT_PUBLIC_POLICY :=
-$(version)_PRODUCT_PRIVATE_POLICY :=
-$(version)_PLAT_PUBLIC_POLICY :=
-$(version)_PLAT_PRIVATE_POLICY :=
built_sepolicy_files :=
public_cil_files :=
-cil_files :=
$(version)_mapping.cil :=
$(version)_mapping.combined.cil :=
$(version)_mapping.ignore.cil :=
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 564ca9d..efe0b71 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -76,6 +76,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0