Merge "Allow adbd to pull apexes from /data/apex/active"
diff --git a/Android.bp b/Android.bp
index 15adf7e..ed766e4 100644
--- a/Android.bp
+++ b/Android.bp
@@ -80,6 +80,41 @@
}
se_filegroup {
+ name: "26.0.board.compat.cil",
+ srcs: [
+ "compat/26.0/26.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "27.0.board.compat.cil",
+ srcs: [
+ "compat/27.0/27.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "28.0.board.compat.cil",
+ srcs: [
+ "compat/28.0/28.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "29.0.board.compat.cil",
+ srcs: [
+ "compat/29.0/29.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "30.0.board.compat.cil",
+ srcs: [
+ "compat/30.0/30.0.compat.cil",
+ ],
+}
+
+se_filegroup {
name: "26.0.board.ignore.map",
srcs: [
"compat/26.0/26.0.ignore.cil",
@@ -259,34 +294,64 @@
// top_half: "31.0.ignore.cil",
}
-prebuilt_etc {
+se_compat_cil {
name: "26.0.compat.cil",
- src: "private/compat/26.0/26.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":26.0.board.compat.cil"],
}
-prebuilt_etc {
+se_compat_cil {
name: "27.0.compat.cil",
- src: "private/compat/27.0/27.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":27.0.board.compat.cil"],
}
-prebuilt_etc {
+se_compat_cil {
name: "28.0.compat.cil",
- src: "private/compat/28.0/28.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":28.0.board.compat.cil"],
}
-prebuilt_etc {
+se_compat_cil {
name: "29.0.compat.cil",
- src: "private/compat/29.0/29.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":29.0.board.compat.cil"],
}
-prebuilt_etc {
+se_compat_cil {
name: "30.0.compat.cil",
- src: "private/compat/30.0/30.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":30.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "system_ext_26.0.compat.cil",
+ srcs: [":26.0.board.compat.cil"],
+ stem: "26.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_27.0.compat.cil",
+ srcs: [":27.0.board.compat.cil"],
+ stem: "27.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_28.0.compat.cil",
+ srcs: [":28.0.board.compat.cil"],
+ stem: "28.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_29.0.compat.cil",
+ srcs: [":29.0.board.compat.cil"],
+ stem: "29.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_30.0.compat.cil",
+ srcs: [":30.0.board.compat.cil"],
+ stem: "30.0.compat.cil",
+ system_ext_specific: true,
}
se_filegroup {
diff --git a/Android.mk b/Android.mk
index 767a864..7e0e02e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -458,6 +458,7 @@
system_ext_service_contexts \
system_ext_service_contexts_test \
system_ext_mac_permissions.xml \
+ $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
endif
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index aa6ad71..6a52fe5 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -33,6 +33,7 @@
srcs: [
"build_files.go",
"cil_compat_map.go",
+ "compat_cil.go",
"filegroup.go",
"policy.go",
"selinux.go",
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
new file mode 100644
index 0000000..230fdc3
--- /dev/null
+++ b/build/soong/compat_cil.go
@@ -0,0 +1,113 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_compat_cil", compatCilFactory)
+}
+
+// se_compat_cil collects and installs backwards compatibility cil files.
+func compatCilFactory() android.Module {
+ c := &compatCil{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+type compatCil struct {
+ android.ModuleBase
+ properties compatCilProperties
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+type compatCilProperties struct {
+ // List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+ Srcs []string
+
+ // Output file name. Defaults to module name if unspecified.
+ Stem *string
+}
+
+func (c *compatCil) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
+func (c *compatCil) expandSeSources(ctx android.ModuleContext) android.Paths {
+ srcPaths := make(android.Paths, 0, len(c.properties.Srcs))
+ for _, src := range c.properties.Srcs {
+ if m := android.SrcIsModule(src); m != "" {
+ module := ctx.GetDirectDepWithTag(m, android.SourceDepTag)
+ if module == nil {
+ // Error would have been handled by ExtractSourcesDeps
+ continue
+ }
+ if fg, ok := module.(*fileGroup); ok {
+ if c.SystemExtSpecific() {
+ srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
+ } else {
+ srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
+ }
+ } else {
+ ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
+ }
+ } else {
+ srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
+ }
+ }
+ return srcPaths
+}
+
+func (c *compatCil) DepsMutator(ctx android.BottomUpMutatorContext) {
+ android.ExtractSourcesDeps(ctx, c.properties.Srcs)
+}
+
+func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if c.ProductSpecific() || c.SocSpecific() || c.DeviceSpecific() {
+ ctx.ModuleErrorf("Compat cil files only support system and system_ext partitions")
+ }
+
+ srcPaths := c.expandSeSources(ctx)
+ out := android.PathForModuleGen(ctx, c.Name())
+ ctx.Build(pctx, android.BuildParams{
+ Rule: android.Cat,
+ Inputs: srcPaths,
+ Output: out,
+ Description: "Combining compat cil for " + c.Name(),
+ })
+
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
+ c.installSource = out
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+}
+
+func (c *compatCil) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(c.installSource),
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
+ },
+ },
+ }}
+}
diff --git a/private/network_stack.te b/private/network_stack.te
index 6fa3055..9a22a19 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -32,6 +32,9 @@
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
allow network_stack self:key_socket create;
+# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
+# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
+dontaudit network_stack self:key_socket getopt;
# Grant read permission of connectivity namespace system property prefix.
get_prop(network_stack, device_config_connectivity_prop)
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 286ff4d..e8fd29e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -59,6 +59,10 @@
# Needed because libdm reads sysfs to validate when a dm path is ready.
r_dir_file(update_engine_common, sysfs_dm)
+# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
+allow update_engine_common sysfs:dir r_dir_perms;
+allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
+
# read / write on /dev/device-mapper to map / unmap devices
allow update_engine_common dm_device:chr_file rw_file_perms;