Merge "Add IKeystoreService interface to keystore_service"
diff --git a/Android.bp b/Android.bp
index aca6e40..56d9066 100644
--- a/Android.bp
+++ b/Android.bp
@@ -493,137 +493,294 @@
],
}
-// This is a minimized cil modules to test microdroid.
-// TODO(b/178993690): migrate cil files to Android.bp and remove below
-filegroup {
- name: "microdroid_sepolicy_build_files",
+se_build_files {
+ name: "se_build_files",
srcs: [
- // This order is important. Should be identical to sepolicy_build_files in Android.mk
- "private/security_classes",
- "private/initial_sids",
- "private/access_vectors",
- "public/global_macros",
- "public/neverallow_macros",
- "private/mls_macros",
- "private/mls_decl",
- "private/mls",
- "private/policy_capabilities",
- "public/te_macros",
- "public/attributes",
- "private/attributes",
- "public/ioctl_defines",
- "public/ioctl_macros",
- "public/*.te",
- "private/*.te",
- "private/roles_decl",
- "public/roles",
- "private/users",
- "private/initial_sid_contexts",
- "private/fs_use",
- "private/genfs_contexts",
- "private/port_contexts",
+ "security_classes",
+ "initial_sids",
+ "access_vectors",
+ "global_macros",
+ "neverallow_macros",
+ "mls_macros",
+ "mls_decl",
+ "mls",
+ "policy_capabilities",
+ "te_macros",
+ "attributes",
+ "ioctl_defines",
+ "ioctl_macros",
+ "*.te",
+ "roles_decl",
+ "roles",
+ "users",
+ "initial_sid_contexts",
+ "fs_use",
+ "genfs_contexts",
+ "port_contexts",
],
}
-filegroup {
- name: "microdroid_sepolicy_public_and_reqd_mask_build_files",
- srcs: [
- // This order is important. Should be identical to sepolicy_build_files in Android.mk
- "reqd_mask/security_classes",
- "reqd_mask/initial_sids",
- "reqd_mask/access_vectors",
- "public/global_macros",
- "public/neverallow_macros",
- "reqd_mask/mls_macros",
- "reqd_mask/mls_decl",
- "reqd_mask/mls",
- "public/te_macros",
- "public/attributes",
- "public/ioctl_defines",
- "public/ioctl_macros",
- "public/*.te",
- "reqd_mask/*.te",
- "reqd_mask/roles_decl",
- "public/roles",
- "reqd_mask/roles",
- "reqd_mask/users",
- "reqd_mask/initial_sid_contexts",
- ],
-}
-
-filegroup {
- name: "microdroid_sepolicy_reqd_mask_build_files",
- srcs: [
- // This order is important. Should be identical to sepolicy_build_files in Android.mk
- "reqd_mask/security_classes",
- "reqd_mask/initial_sids",
- "reqd_mask/access_vectors",
- "reqd_mask/mls_macros",
- "reqd_mask/mls_decl",
- "reqd_mask/mls",
- "reqd_mask/*.te",
- "reqd_mask/roles_decl",
- "reqd_mask/roles",
- "reqd_mask/users",
- "reqd_mask/initial_sid_contexts",
- ],
-}
-
-// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch,
-// these configurations should be fine to test microdroid on normal devices with full treble.
-// The exception is target_arch. But as target_arch is meaningful only on mips, and as we are not
-// running microdroid on mips for now, we skip assigning target_arch here. After cil files are fully
-// migrated into Soong, these will have correct values.
-policy_to_conf_flags = "$(location m4) --fatal-warnings " +
-"-D mls_num_sens=1 -D mls_num_cats=1024 " +
-"-D target_build_variant=userdebug " +
-"-D target_with_asan=false " +
-"-D target_with_native_coverage=false " +
-"-D target_full_treble=true " +
-"-D target_compatible_property=true " +
-"-D target_treble_sysprop_neverallow=true " +
-"-D target_enforce_sysprop_owner=true "
-
-genrule {
- name: "microdroid_plat_sepolicy.cil_gen",
- srcs: [":microdroid_sepolicy_build_files"],
- tools: ["m4", "checkpolicy"],
- out: ["plat_sepolicy.cil"],
- cmd: policy_to_conf_flags +
- "-s $(locations :microdroid_sepolicy_build_files) > $(out).conf" +
- "&& $(location checkpolicy) -M -C -c 30 -o $(out) $(out).conf",
- visibility: ["//visibility:private"],
-}
-
-prebuilt_etc {
- name: "microdroid_plat_sepolicy.cil",
- src: ":microdroid_plat_sepolicy.cil_gen",
- filename: "plat_sepolicy.cil",
- relative_install_path: "selinux",
+// reqd_policy_mask - a policy.conf file which contains only the bare minimum
+// policy necessary to use checkpolicy.
+//
+// This bare-minimum policy needs to be present in all policy.conf files, but
+// should not necessarily be exported as part of the public policy.
+//
+// The rules generated by reqd_policy_mask will allow the compilation of public
+// policy and subsequent removal of CIL policy that should not be exported.
+se_policy_conf {
+ name: "reqd_policy_mask.conf",
+ srcs: [":se_build_files{.reqd_mask}"],
installable: false,
}
+se_policy_cil {
+ name: "reqd_policy_mask.cil",
+ src: ":reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+// pub_policy - policy that will be exported to be a part of non-platform
+// policy corresponding to this platform version.
+//
+// This is a limited subset of policy that would not compile in checkpolicy on
+// its own.
+//
+// To get around this limitation, add only the required files from private
+// policy, which will generate CIL policy that will then be filtered out by the
+// reqd_policy_mask.
+//
+// There are three pub_policy.cil files below:
+// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
+// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
+// - plat_pub_policy.cil: exported 'system' policy.
+//
+// Those above files will in turn be used to generate the following versioned cil files:
+// - product_mapping_file: the versioned, exported 'product' policy in product partition.
+// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
+// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
+// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
+// in vendor partition.
+//
+se_policy_conf {
+ name: "pub_policy.conf",
+ srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
+ installable: false,
+}
+
+se_policy_cil {
+ name: "pub_policy.cil",
+ src: ":pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "system_ext_pub_policy.conf",
+ srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
+ installable: false,
+}
+
+se_policy_cil {
+ name: "system_ext_pub_policy.cil",
+ src: ":system_ext_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "plat_pub_policy.cil",
+ src: ":plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+// plat_policy.conf - A combination of the private and public platform policy
+// which will ship with the device.
+//
+// The platform will always reflect the most recent platform version and is not
+// currently being attributized.
+se_policy_conf {
+ name: "plat_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "plat_sepolicy.cil",
+ src: ":plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+}
+
+// system_ext_policy.conf - A combination of the private and public system_ext
+// policy which will ship with the device. System_ext policy is not attributized
+se_policy_conf {
+ name: "system_ext_sepolicy.conf",
+ srcs: [":se_build_files{.system_ext}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "system_ext_sepolicy.cil",
+ src: ":system_ext_sepolicy.conf",
+ system_ext_specific: true,
+ filter_out: [":plat_sepolicy.cil"],
+ remove_line_marker: true,
+}
+
+// product_policy.conf - A combination of the private and public product policy
+// which will ship with the device. Product policy is not attributized
+se_policy_conf {
+ name: "product_sepolicy.conf",
+ srcs: [":se_build_files{.product}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "product_sepolicy.cil",
+ src: ":product_sepolicy.conf",
+ product_specific: true,
+ filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
+ remove_line_marker: true,
+}
+
+// policy mapping files
+// auto-generate the mapping file for current platform policy, since it needs to
+// track platform policy development
+se_versioned_policy {
+ name: "plat_mapping_file",
+ base: ":plat_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ relative_install_path: "mapping", // install to /system/etc/selinux/mapping
+}
+
+se_versioned_policy {
+ name: "system_ext_mapping_file",
+ base: ":system_ext_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ filter_out: [":plat_mapping_file"],
+ relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
+ system_ext_specific: true,
+}
+
+se_versioned_policy {
+ name: "product_mapping_file",
+ base: ":pub_policy.cil",
+ mapping: true,
+ version: "current",
+ filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
+ relative_install_path: "mapping", // install to /product/etc/selinux/mapping
+ product_specific: true,
+}
+
+// plat_pub_versioned.cil - the exported platform policy associated with the version
+// that non-platform policy targets.
+se_versioned_policy {
+ name: "plat_pub_versioned.cil",
+ base: ":pub_policy.cil",
+ target_policy: ":pub_policy.cil",
+ version: "current",
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ vendor: true,
+}
+
+//////////////////////////////////
+// Precompiled sepolicy is loaded if and only if:
+// - plat_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+// AND
+// - system_ext_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+// AND
+// - product_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+// See system/core/init/selinux.cpp for details.
+//////////////////////////////////
genrule {
- name: "microdroid_reqd_policy_mask.cil_gen",
- srcs: [":microdroid_sepolicy_reqd_mask_build_files"],
- tools: ["m4", "checkpolicy"],
- out: ["reqd_policy_mask.cil"],
- cmd: policy_to_conf_flags +
- "-s $(in) > $(out).conf" +
- "&& $(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf",
- visibility: ["//visibility:private"],
+ name: "plat_sepolicy_and_mapping.sha256_gen",
+ srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
+ out: ["plat_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "plat_sepolicy_and_mapping.sha256",
+ filename: "plat_sepolicy_and_mapping.sha256",
+ src: ":plat_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
}
genrule {
+ name: "system_ext_sepolicy_and_mapping.sha256_gen",
+ srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
+ out: ["system_ext_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "system_ext_sepolicy_and_mapping.sha256",
+ filename: "system_ext_sepolicy_and_mapping.sha256",
+ src: ":system_ext_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+ system_ext_specific: true,
+}
+
+genrule {
+ name: "product_sepolicy_and_mapping.sha256_gen",
+ srcs: [":product_sepolicy.cil", ":product_mapping_file"],
+ out: ["product_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "product_sepolicy_and_mapping.sha256",
+ filename: "product_sepolicy_and_mapping.sha256",
+ src: ":product_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+ product_specific: true,
+}
+
+//////////////////////////////////
+// SELinux policy embedded into CTS.
+// CTS checks neverallow rules of this policy against the policy of the device under test.
+//////////////////////////////////
+se_policy_conf {
+ name: "general_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ build_variant: "user",
+ cts: true,
+ exclude_build_test: true,
+}
+
+//////////////////////////////////
+// modules for microdroid
+// TODO(b/33691272): migrate Android.mk to Android.bp and remove workarounds
+//////////////////////////////////
+genrule {
name: "microdroid_plat_mapping_file_gen",
- srcs: [":microdroid_sepolicy_public_and_reqd_mask_build_files", ":microdroid_reqd_policy_mask.cil_gen"],
- tools: ["m4", "checkpolicy", "build_sepolicy", "version_policy"],
+ srcs: [":plat_pub_policy.cil"],
+ tools: ["version_policy"],
out: ["10000.0.cil"],
- cmd: policy_to_conf_flags +
- "-s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf" +
- "&& $(location checkpolicy) -M -C -c 30 -o $(out).pub $(out).conf" +
- "&& $(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out).pub" +
- "&& $(location version_policy) -b $(out).pub -m -n 10000.0 -o $(out)",
+ cmd: "$(location version_policy) -b $(location :plat_pub_policy.cil) -m -n 10000.0 -o $(out)",
visibility: ["//visibility:private"],
}
@@ -635,34 +792,32 @@
installable: false,
}
-///////////////////////////////////////////////////////////////////
-genrule {
- name: "microdroid_pub_policy.cil_gen",
- srcs: [
- ":microdroid_sepolicy_public_and_reqd_mask_build_files",
- ":microdroid_reqd_policy_mask.cil_gen",
- ],
- tools: ["m4", "checkpolicy", "build_sepolicy"],
- out: ["pub_policy.cil"],
- cmd: policy_to_conf_flags + " -s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf && " +
- "$(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf && " +
- "$(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out)",
- visibility: ["//visibility:private"],
-}
-
+// Normally plat_pub_versioned.cil is built from pub_policy.cil (including system_ext and product).
+// But microdroid only has system, so its plat_pub_versioned.cil uses plat_pub_policy.cil.
genrule {
name: "microdroid_plat_pub_versioned.cil_gen",
- srcs: [":microdroid_pub_policy.cil_gen"],
+ srcs: [":plat_pub_policy.cil"],
tools: ["version_policy"],
out: ["plat_pub_versioned.cil"],
cmd: "$(location version_policy) " +
- "-b $(location :microdroid_pub_policy.cil_gen) " +
- "-t $(location :microdroid_pub_policy.cil_gen) " +
+ "-b $(location :plat_pub_policy.cil) " +
+ "-t $(location :plat_pub_policy.cil) " +
"-n 10000.0 " +
"-o $(out)",
visibility: ["//visibility:private"],
}
+prebuilt_etc {
+ name: "microdroid_plat_pub_versioned.cil",
+ src: ":microdroid_plat_pub_versioned.cil_gen",
+ filename: "plat_pub_versioned.cil",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+// policy files for microdroid vendor
+// This contains a minimal set of policy files for microdroid vendor.
+// TODO(b/33691272): update se_build_files to cover this
filegroup {
name: "microdroid_vendor_sepolicy_build_files",
srcs: [
@@ -689,31 +844,35 @@
],
}
+se_policy_conf {
+ name: "microdroid_vendor_sepolicy.conf",
+ srcs: [":microdroid_vendor_sepolicy_build_files"],
+ installable: false,
+}
+
genrule {
name: "microdroid_vendor_sepolicy.cil_gen",
srcs: [
- ":microdroid_vendor_sepolicy_build_files",
+ ":microdroid_vendor_sepolicy.conf",
":microdroid_plat_pub_versioned.cil_gen",
- ":microdroid_pub_policy.cil_gen",
- ":microdroid_reqd_policy_mask.cil_gen",
+ ":plat_pub_policy.cil",
+ ":reqd_policy_mask.cil",
],
tools: [
- "m4",
"build_sepolicy",
"checkpolicy",
"secilc",
"version_policy",
],
out: ["vendor_sepolicy.cil"],
- cmd: policy_to_conf_flags + " -s $(locations :microdroid_vendor_sepolicy_build_files) > $(out).conf && " +
- "$(location build_sepolicy) " +
+ cmd: "$(location build_sepolicy) " +
"--android_host_path $$(dirname $(location build_sepolicy)) " +
"build_cil " +
- "--input_policy_conf $(out).conf " +
+ "--input_policy_conf $(location :microdroid_vendor_sepolicy.conf) " +
"--checkpolicy_env ASAN_OPTIONS=detect_leaks=0 " +
- "--base_policy $(location :microdroid_pub_policy.cil_gen) " +
+ "--base_policy $(location :plat_pub_policy.cil) " +
"--filter_out_files $(location :microdroid_plat_pub_versioned.cil_gen) " +
- "--reqd_mask $(location :microdroid_reqd_policy_mask.cil_gen) " +
+ "--reqd_mask $(location :reqd_policy_mask.cil) " +
"--treble_sepolicy_vers 10000.0 " +
"--policy_vers 30 " +
"--output_cil $(out)",
@@ -727,38 +886,3 @@
relative_install_path: "selinux",
installable: false,
}
-
-prebuilt_etc {
- name: "microdroid_plat_pub_versioned.cil",
- src: ":microdroid_plat_pub_versioned.cil_gen",
- filename: "plat_pub_versioned.cil",
- relative_install_path: "selinux",
- installable: false,
-}
-
-se_build_files {
- name: "se_build_files",
- srcs: [
- "security_classes",
- "initial_sids",
- "access_vectors",
- "global_macros",
- "neverallow_macros",
- "mls_macros",
- "mls_decl",
- "mls",
- "policy_capabilities",
- "te_macros",
- "attributes",
- "ioctl_defines",
- "ioctl_macros",
- "*.te",
- "roles_decl",
- "roles",
- "users",
- "initial_sid_contexts",
- "fs_use",
- "genfs_contexts",
- "port_contexts",
- ],
-}
diff --git a/Android.mk b/Android.mk
index 77513a0..767a864 100644
--- a/Android.mk
+++ b/Android.mk
@@ -741,209 +741,45 @@
endif # ifeq ($(mixed_sepolicy_build),true)
##################################
-# reqd_policy_mask - a policy.conf file which contains only the bare minimum
-# policy necessary to use checkpolicy. This bare-minimum policy needs to be
-# present in all policy.conf files, but should not necessarily be exported as
-# part of the public policy. The rules generated by reqd_policy_mask will allow
-# the compilation of public policy and subsequent removal of CIL policy that
-# should not be exported.
-
-policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
-reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
-$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(reqd_policy_mask.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(reqd_policy_mask.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
-
-reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
-$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
- $(POLICYVERS) -o $@ $<
-
-reqd_policy_mask.conf :=
+# plat policy files are now built with Android.bp. Grab them from intermediate.
+# See Android.bp for details of plat policy files.
+#
+reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
-##################################
-# pub_policy - policy that will be exported to be a part of non-platform
-# policy corresponding to this platform version. This is a limited subset of
-# policy that would not compile in checkpolicy on its own. To get around this
-# limitation, add only the required files from private policy, which will
-# generate CIL policy that will then be filtered out by the reqd_policy_mask.
-#
-# There are three pub_policy.cil files below:
-# - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
-# - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
-# - plat_pub_policy.cil: exported 'system' policy.
-#
-# Those above files will in turn be used to generate the following versioned cil files:
-# - product_mapping_file: the versioned, exported 'product' policy in product partition.
-# - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
-# - plat_mapping_file: the versioned, exported 'system' policy in system partition.
-# - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system'
-# policy in vendor partition.
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-pub_policy.conf := $(intermediates)/pub_policy.conf
-$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-pub_policy.cil := $(intermediates)/pub_policy.cil
-$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf)
-$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
+pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
-pub_policy.conf :=
-
-##################################
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf
-$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(system_ext_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(system_ext_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil
-$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf)
-$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
+system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
-system_ext_pub_policy.conf :=
-
-##################################
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
-$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(plat_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
-$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
-$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
+plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
-plat_pub_policy.conf :=
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# plat_policy.conf - A combination of the private and public platform policy
-# which will ship with the device. The platform will always reflect the most
-# recent platform version and is not currently being attributized.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-plat_policy.conf := $(intermediates)/plat_policy.conf
-$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
- $(hide) mv $@.tmp $@
-
-built_plat_cil := $(LOCAL_BUILT_MODULE)
+built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
-plat_policy.conf :=
+built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
+built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
+built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
+built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
+built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
+
+ifdef HAS_PRODUCT_SEPOLICY
+built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
+built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
+built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
+built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
+endif # ifdef HAS_PRODUCT_SEPOLICY
+
+built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
+built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
+
+# b/37755687
+CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
#################################
include $(CLEAR_VARS)
@@ -997,128 +833,6 @@
#################################
include $(CLEAR_VARS)
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_MODULE := system_ext_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# system_ext_policy.conf - A combination of the private and public system_ext policy
-# which will ship with the device. System_ext policy is not attributized.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
-system_ext_policy.conf := $(intermediates)/system_ext_policy.conf
-$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(system_ext_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(system_ext_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil)
-$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
- # latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
-
-
-built_system_ext_cil := $(LOCAL_BUILT_MODULE)
-built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
-system_ext_policy.conf :=
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_MODULE := product_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# product_policy.conf - A combination of the private and public product policy
-# which will ship with the device. Product policy is not attributized.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
-product_policy.conf := $(intermediates)/product_policy.conf
-$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(product_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(product_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil)
-$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(built_system_ext_cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL_FILES) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
- # make sure that the latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-
-built_product_cil := $(LOCAL_BUILT_MODULE)
-built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
-product_policy.conf :=
-endif # ifdef HAS_PRODUCT_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
LOCAL_MODULE := plat_sepolicy_vers.txt
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
@@ -1138,122 +852,6 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := plat_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# auto-generate the mapping file for current platform policy, since it needs to
-# track platform policy development
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-
-built_plat_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_MODULE := system_ext_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(system_ext_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil)
- @mkdir -p $(dir $@)
- # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
- # sepolicy minus plat_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
-
-built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
-endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_MODULE := product_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
- @mkdir -p $(dir $@)
- # Generate product mapping file as mapping file of all public sepolicy minus
- # plat_mapping_file and system_ext_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_FILTER_CIL_FILES) -t $@
-
-built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
-endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-# plat_pub_versioned.cil - the exported platform policy associated with the version
-# that non-platform policy targets.
-LOCAL_MODULE := plat_pub_versioned.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
-$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
-$(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
- $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
- $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil)
- @mkdir -p $(dir $@)
- $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-built_pub_vers_cil := $(LOCAL_BUILT_MODULE)
-built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
-
-#################################
-include $(CLEAR_VARS)
-
# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
@@ -1449,52 +1047,6 @@
# precompiled_sepolicy.product_sepolicy_and_mapping.sha256
# See system/core/init/selinux.cpp for details.
#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_system_ext_cil) $(built_system_ext_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
#################################
# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
@@ -1688,38 +1240,6 @@
sepolicy.recovery.conf :=
##################################
-# SELinux policy embedded into CTS.
-# CTS checks neverallow rules of this policy against the policy of the device under test.
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := general_sepolicy.conf
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
-$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_ENFORCE_SYSPROP_OWNER := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
-$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
#
include $(CLEAR_VARS)
diff --git a/apex/com.android.sdkext-file_contexts b/apex/com.android.sdkext-file_contexts
index 2d59dda..551a12c 100644
--- a/apex/com.android.sdkext-file_contexts
+++ b/apex/com.android.sdkext-file_contexts
@@ -1,2 +1,3 @@
-(/.*)? u:object_r:system_file:s0
-/bin/derive_sdk u:object_r:derive_sdk_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/derive_classpath u:object_r:derive_classpath_exec:s0
+/bin/derive_sdk u:object_r:derive_sdk_exec:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 83b4b58..fe91fa2 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1 +1,2 @@
(/.*)? u:object_r:system_file:s0
+/bin/virtmanager u:object_r:virtmanager_exec:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 4e1d27a..aa6ad71 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -37,6 +37,7 @@
"policy.go",
"selinux.go",
"selinux_contexts.go",
+ "versioned_policy.go",
],
pluginFor: ["soong_build"],
}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index caeb6eb..d734c97 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -145,6 +145,7 @@
FlagWithArg("-D mls_num_cats=", strconv.Itoa(MlsCats)).
FlagWithArg("-D target_arch=", ctx.DeviceConfig().DeviceArch()).
FlagWithArg("-D target_with_asan=", c.withAsan(ctx)).
+ FlagWithArg("-D target_with_dexpreopt=", strconv.FormatBool(ctx.DeviceConfig().WithDexpreopt())).
FlagWithArg("-D target_with_native_coverage=", strconv.FormatBool(ctx.DeviceConfig().ClangCoverageEnabled() || ctx.DeviceConfig().GcovCoverageEnabled())).
FlagWithArg("-D target_build_variant=", c.buildVariant(ctx)).
FlagWithArg("-D target_full_treble=", c.sepolicySplit(ctx)).
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
new file mode 100644
index 0000000..f25cd59
--- /dev/null
+++ b/build/soong/versioned_policy.go
@@ -0,0 +1,187 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+ "os"
+ "strconv"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_versioned_policy", versionedPolicyFactory)
+}
+
+type versionedPolicyProperties struct {
+ // Base cil file for versioning.
+ Base *string `android:"path"`
+
+ // Output file name. Defaults to {name} if target_policy is set, {version}.cil if mapping is set
+ Stem *string
+
+ // Target sepolicy version. Can be a specific version number (e.g. "30.0" for R) or "current"
+ // (PLATFORM_SEPOLICY_VERSION). Defaults to "current"
+ Version *string
+
+ // If true, generate mapping file from given base cil file. Cannot be set with target_policy.
+ Mapping *bool
+
+ // If given, version target policy file according to base policy. Cannot be set with mapping.
+ Target_policy *string `android:"path"`
+
+ // Cil files to be filtered out by the filter_out tool of "build_sepolicy".
+ Filter_out []string `android:"path"`
+
+ // Cil files to which this mapping file depends. If specified, secilc checks whether the output
+ // file can be merged with specified cil files or not.
+ Dependent_cils []string `android:"path"`
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+
+ // install to a subdirectory of the default install path for the module
+ Relative_install_path *string
+}
+
+type versionedPolicy struct {
+ android.ModuleBase
+
+ properties versionedPolicyProperties
+
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+// se_versioned_policy generates versioned cil file with "version_policy". This can generate either
+// mapping file for public plat policies, or associate a target policy file with the version that
+// non-platform policy targets.
+func versionedPolicyFactory() android.Module {
+ m := &versionedPolicy{}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
+func (m *versionedPolicy) installable() bool {
+ return proptools.BoolDefault(m.properties.Installable, true)
+}
+
+func (m *versionedPolicy) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (m *versionedPolicy) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ version := proptools.StringDefault(m.properties.Version, "current")
+ if version == "current" {
+ version = ctx.DeviceConfig().PlatformSepolicyVersion()
+ }
+
+ var stem string
+ if s := proptools.String(m.properties.Stem); s != "" {
+ stem = s
+ } else if proptools.Bool(m.properties.Mapping) {
+ stem = version + ".cil"
+ } else {
+ stem = ctx.ModuleName()
+ }
+
+ out := android.PathForModuleOut(ctx, stem)
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ if proptools.String(m.properties.Base) == "" {
+ ctx.PropertyErrorf("base", "must be specified")
+ return
+ }
+
+ versionCmd := rule.Command().BuiltTool("version_policy").
+ FlagWithInput("-b ", android.PathForModuleSrc(ctx, *m.properties.Base)).
+ FlagWithArg("-n ", version).
+ FlagWithOutput("-o ", out)
+
+ if proptools.Bool(m.properties.Mapping) && proptools.String(m.properties.Target_policy) != "" {
+ ctx.ModuleErrorf("Can't set both mapping and target_policy")
+ return
+ }
+
+ if proptools.Bool(m.properties.Mapping) {
+ versionCmd.Flag("-m")
+ } else if target := proptools.String(m.properties.Target_policy); target != "" {
+ versionCmd.FlagWithInput("-t ", android.PathForModuleSrc(ctx, target))
+ } else {
+ ctx.ModuleErrorf("Either mapping or target_policy must be set")
+ return
+ }
+
+ if len(m.properties.Filter_out) > 0 {
+ rule.Command().BuiltTool("build_sepolicy").
+ Text("filter_out").
+ Flag("-f").
+ Inputs(android.PathsForModuleSrc(ctx, m.properties.Filter_out)).
+ FlagWithOutput("-t ", out)
+ }
+
+ if len(m.properties.Dependent_cils) > 0 {
+ rule.Command().BuiltTool("secilc").
+ Flag("-m").
+ FlagWithArg("-M ", "true").
+ Flag("-G").
+ Flag("-N").
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ Inputs(android.PathsForModuleSrc(ctx, m.properties.Dependent_cils)).
+ Text(out.String()).
+ FlagWithArg("-o ", os.DevNull).
+ FlagWithArg("-f ", os.DevNull)
+ }
+
+ rule.Build("mapping", "Versioning mapping file "+ctx.ModuleName())
+
+ m.installSource = out
+ m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ if subdir := proptools.String(m.properties.Relative_install_path); subdir != "" {
+ m.installPath = m.installPath.Join(ctx, subdir)
+ }
+ ctx.InstallFile(m.installPath, m.installSource.Base(), m.installSource)
+
+ if !m.installable() {
+ m.SkipInstall()
+ }
+}
+
+func (m *versionedPolicy) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(m.installSource),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !m.installable())
+ entries.SetPath("LOCAL_MODULE_PATH", m.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", m.installSource.Base())
+ },
+ },
+ }}
+}
+
+func (m *versionedPolicy) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{m.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*policyConf)(nil)
diff --git a/private/access_vectors b/private/access_vectors
index c1c0359..22f2ffa 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -721,16 +721,19 @@
change_user
clear_ns
clear_uid
+ early_boot_ended
get_auth_token
get_state
list
lock
+ report_off_body
reset
unlock
}
class keystore2_key
{
+ convert_storage_key_to_ephemeral
delete
gen_unique_id
get_info
diff --git a/private/adbd.te b/private/adbd.te
index 2c62565..f569ad2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -44,6 +44,9 @@
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
+# Allow adbd inside vm to forward vm's vsock.
+allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
# Create and use network sockets.
net_domain(adbd)
diff --git a/private/app.te b/private/app.te
index 2ade955..33593aa 100644
--- a/private/app.te
+++ b/private/app.te
@@ -71,9 +71,6 @@
allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
allow appdomain apex_art_data_file:file r_file_perms;
-# Allow APFE device info to read Virtual A/B props.
-get_prop(appdomain, virtual_ab_prop)
-
# Allow access to tombstones if an fd to one is given to you.
# This is restricted by unix permissions, so an app must go through system_server to get one.
allow appdomain tombstone_data_file:file { getattr read };
@@ -96,4 +93,3 @@
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
-
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d24d12d..e7ddf48 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -61,6 +61,7 @@
gpuservice
gsi_data_file
gsi_metadata_file
+ gsi_public_metadata_file
gsi_service
gsid
gsid_exec
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 9dff2c6..2b2b04a 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1300,6 +1300,7 @@
(typeattributeset default_prop_30_0 (
default_prop
build_config_prop
+ suspend_prop
init_service_status_private_prop
setupwizard_prop
sqlite_log_prop
@@ -1481,7 +1482,9 @@
(typeattributeset graphics_device_30_0 (graphics_device))
(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
(typeattributeset gsi_data_file_30_0 (gsi_data_file))
-(typeattributeset gsi_metadata_file_30_0 (gsi_metadata_file))
+(typeattributeset gsi_metadata_file_30_0
+ ( gsi_metadata_file
+ gsi_public_metadata_file))
(typeattributeset gsid_prop_30_0 (gsid_prop))
(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 0f9b7ec..2a827d8 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -20,6 +20,7 @@
authorization_service
cgroup_desc_api_file
cgroup_v2
+ codec2_config_prop
ctl_snapuserd_prop
debugfs_kprobes
debugfs_mm_events_tracing
@@ -41,6 +42,7 @@
font_data_file
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
+ hal_audio_service
hal_authsecret_service
hal_audiocontrol_service
hal_face_service
@@ -87,6 +89,7 @@
profcollectd
profcollectd_data_file
profcollectd_exec
+ profcollectd_node_id_prop
profcollectd_service
qemu_hw_prop
qemu_sf_lcd_density_prop
@@ -117,6 +120,7 @@
userspace_reboot_metadata_file
vcn_management_service
vibrator_manager_service
+ virtualization_service
vpn_management_service
vpnprofilestore_service
watchdog_metadata_file
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
new file mode 100644
index 0000000..71960d3
--- /dev/null
+++ b/private/derive_classpath.te
@@ -0,0 +1,12 @@
+
+# Domain for derive_classpath
+type derive_classpath, domain, coredomain;
+type derive_classpath_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_classpath)
+
+# Create /data/system/environ/classpath file
+allow derive_classpath environ_system_data_file:dir rw_dir_perms;
+allow derive_classpath environ_system_data_file:file create_file_perms;
+
+# b/183079517 fails on gphone targets otherwise
+allow derive_classpath unlabeled:dir search;
diff --git a/private/file.te b/private/file.te
index 910210d..984a7b6 100644
--- a/private/file.te
+++ b/private/file.te
@@ -53,3 +53,6 @@
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/system/environ
+type environ_system_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index f8bb5ec..d5d773c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -504,6 +504,7 @@
#
/data u:object_r:system_data_root_file:s0
/data/(.*)? u:object_r:system_data_file:s0
+/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
@@ -761,6 +762,10 @@
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
diff --git a/private/gsid.te b/private/gsid.te
index a0b74b6..fb40528 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -123,7 +123,7 @@
#
allow gsid metadata_file:dir { search getattr };
allow gsid {
- gsi_metadata_file
+ gsi_metadata_file_type
}:dir create_dir_perms;
allow gsid {
@@ -131,10 +131,15 @@
}:dir rw_dir_perms;
allow gsid {
- gsi_metadata_file
+ gsi_metadata_file_type
ota_metadata_file
}:file create_file_perms;
+# Allow restorecon to fix context of gsi_public_metadata_file.
+allow gsid file_contexts_file:file r_file_perms;
+allow gsid gsi_metadata_file:file relabelfrom;
+allow gsid gsi_public_metadata_file:file relabelto;
+
allow gsid {
gsi_data_file
ota_image_data_file
@@ -153,6 +158,9 @@
allow gsid system_server:binder call;
+# Prevent most processes from writing to gsi_metadata_file_type, but allow
+# adding rules for path resolution of gsi_public_metadata_file and reading
+# gsi_public_metadata_file.
neverallow {
domain
-init
@@ -160,7 +168,7 @@
-fastbootd
-recovery
-vold
-} gsi_metadata_file:dir *;
+} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
domain
@@ -168,7 +176,7 @@
-gsid
-fastbootd
-vold
-} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
neverallow {
domain
@@ -176,13 +184,10 @@
-gsid
-fastbootd
-vold
-} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
+} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
-neverallow {
- domain
- -gsid
- -init
-} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+# Prevent apps from accessing gsi_metadata_file_type.
+neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
neverallow {
domain
@@ -192,5 +197,13 @@
neverallow {
domain
+ -init
-gsid
-} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
+ -fastbootd
+ -vold
+} gsi_data_file:file_class_set *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:file_class_set ~{ relabelto getattr };
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 3bcd761..a264be7 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -20,8 +20,8 @@
# Triggered when lpdumpd tries to read default fstab.
dontaudit lpdumpd metadata_file:dir r_dir_perms;
dontaudit lpdumpd metadata_file:file r_file_perms;
-dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
-dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
+dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
+dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;
### Neverallow rules
diff --git a/private/priv_app.te b/private/priv_app.te
index e5889d1..4fd86e5 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -69,6 +69,11 @@
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };
+# Allow betterbug to read profile reports generated by profcollect.
+userdebug_or_eng(`
+ allow priv_app profcollectd_data_file:file r_file_perms;
+')
+
# Allow the bug reporting frontend to read the presence and timestamp of the
# trace attached to the bugreport (but not its contents, which will go in the
# usual bugreport .zip file). This is used by the bug reporting UI to tell if
diff --git a/private/profcollectd.te b/private/profcollectd.te
index baccf88..24fb056 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -40,6 +40,7 @@
# Allow profcollectd to read its system properties.
get_prop(profcollectd, device_config_profcollect_native_boot_prop)
+ set_prop(profcollectd, profcollectd_node_id_prop)
# Allow profcollectd to publish a binder service and make binder calls.
binder_use(profcollectd)
diff --git a/private/property.te b/private/property.te
index 2f5fcde..8565275 100644
--- a/private/property.te
+++ b/private/property.te
@@ -25,10 +25,10 @@
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
+system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
-system_internal_prop(suspend_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
@@ -590,3 +590,12 @@
-init
-shell
} rollback_test_prop:property_service set;
+
+neverallow {
+ # Only allow init and profcollectd to access profcollectd_node_id_prop
+ domain
+ -init
+ -dumpstate
+ -profcollectd
+} profcollectd_node_id_prop:file r_file_perms;
+
diff --git a/private/property_contexts b/private/property_contexts
index 7f3cb2f..306b40a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -64,6 +64,7 @@
persist.mmc. u:object_r:mmc_prop:s0
persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
+persist.profcollectd.node_id u:object_r:profcollectd_node_id_prop:s0 exact string
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
@@ -187,7 +188,7 @@
ro.dalvik. u:object_r:dalvik_prop:s0
# qemu_hw_prop is read/written by both system and vendor.
-qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0
+qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0 exact string
# qemu_sf_lcd_density_prop is read/written by both system and vendor.
qemu.sf.lcd_density u:object_r:qemu_sf_lcd_density_prop:s0 exact int
@@ -398,6 +399,8 @@
keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
+media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
+
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index d536622..010c9bc 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -8,7 +8,6 @@
get_prop(remote_prov_app, vendor_security_patch_level_prop)
allow remote_prov_app {
- activity_service
+ app_api_service
remoteprovisioning_service
- tethering_service
}:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index 20a5f22..125b05d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -15,6 +15,7 @@
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
+android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
@@ -70,6 +71,7 @@
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
+android.system.virtmanager u:object_r:virtualization_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 23ee943..d57939b 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -170,6 +170,9 @@
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
+ # The use of debugfs kcov is considered a breach of the kernel integrity
+ # according to the heuristic of lockdown.
+ allow untrusted_app_all self:lockdown integrity;
')
# Allow signalling simpleperf domain, which is the domain that the simpleperf
diff --git a/private/virtmanager.te b/private/virtmanager.te
new file mode 100644
index 0000000..b2331d4
--- /dev/null
+++ b/private/virtmanager.te
@@ -0,0 +1,8 @@
+type virtmanager, domain, coredomain;
+type virtmanager_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(virtmanager)
+
+binder_use(virtmanager)
+
+add_service(virtmanager, virtualization_service)
diff --git a/private/vold.te b/private/vold.te
index 09388f1..93a3515 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -35,6 +35,7 @@
# Vold will use Keystore instead of using Keymint directly. But it still needs
# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
allow vold vold_key:keystore2_key {
+ convert_storage_key_to_ephemeral
delete
get_info
manage_blob
@@ -44,6 +45,12 @@
use
};
+# vold needs to find keystore2 services
+allow vold keystore_maintenance_service:service_manager find;
+
+# vold needs to be able to call earlyBootEnded()
+allow vold keystore:keystore2 early_boot_ended;
+
neverallow {
domain
-system_server
diff --git a/private/zygote.te b/private/zygote.te
index c2c6e89..9038c4f 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -78,6 +78,9 @@
# Goes into media directory and bind mount obb directory
allow zygote media_rw_data_file:dir { getattr search };
+# Bind mount on top of existing mounted obb and data directory
+allow zygote media_rw_data_file:dir { mounton };
+
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
diff --git a/public/attributes b/public/attributes
index 384533b..c5a93c9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -386,3 +386,6 @@
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
+
+# All types used for DSU metadata files.
+attribute gsi_metadata_file_type;
diff --git a/public/domain.te b/public/domain.te
index e1d6739..f46ca67 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -275,6 +275,14 @@
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
@@ -1396,3 +1404,6 @@
} ashmem_device:chr_file open;
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
+
+# Linux lockdown "integrity" level is enforced for user builds.
+neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 9614545..72ba65c 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -49,8 +49,8 @@
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
allow fastbootd metadata_file:dir { search getattr };
- allow fastbootd gsi_metadata_file:dir rw_dir_perms;
- allow fastbootd gsi_metadata_file:file create_file_perms;
+ allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file_type:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
@@ -103,7 +103,7 @@
')
# Allow using libfiemap/gsid directly (no binder in recovery).
- allow fastbootd gsi_metadata_file:dir search;
+ allow fastbootd gsi_metadata_file_type:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
')
diff --git a/public/file.te b/public/file.te
index 243148f..c4c2a21 100644
--- a/public/file.te
+++ b/public/file.te
@@ -242,7 +242,9 @@
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
-type gsi_metadata_file, file_type;
+type gsi_metadata_file, gsi_metadata_file_type, file_type;
+# DSU (GSI) files within /metadata that are globally readable.
+type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
diff --git a/public/hal_audio.te b/public/hal_audio.te
index eb8155b..d1970b9 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -3,6 +3,7 @@
binder_call(hal_audio_server, hal_audio_client)
hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
+hal_attribute_service(hal_audio, hal_audio_service)
allow hal_audio ion_device:chr_file r_file_perms;
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index 8c7816a..a379bb3 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -1,5 +1,7 @@
get_prop(hal_codec2_client, media_variant_prop)
get_prop(hal_codec2_server, media_variant_prop)
+get_prop(hal_codec2_client, codec2_config_prop)
+get_prop(hal_codec2_server, codec2_config_prop)
binder_call(hal_codec2_client, hal_codec2_server)
binder_call(hal_codec2_server, hal_codec2_client)
diff --git a/public/property.te b/public/property.te
index 01bd68e..e367ae4 100644
--- a/public/property.te
+++ b/public/property.te
@@ -87,6 +87,7 @@
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
+system_restricted_prop(suspend_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -122,6 +123,7 @@
system_vendor_config_prop(camera_calibration_prop)
system_vendor_config_prop(camera_config_prop)
system_vendor_config_prop(charger_config_prop)
+system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(cpu_variant_prop)
system_vendor_config_prop(dalvik_config_prop)
system_vendor_config_prop(drm_service_config_prop)
diff --git a/public/recovery.te b/public/recovery.te
index fd3c82a..63ba3ee 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -127,7 +127,7 @@
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
# Allow using libfiemap/gsid directly (no binder in recovery).
- allow recovery gsi_metadata_file:dir search;
+ allow recovery gsi_metadata_file_type:dir search;
allow recovery ota_metadata_file:dir rw_dir_perms;
allow recovery ota_metadata_file:file create_file_perms;
diff --git a/public/service.te b/public/service.te
index 229131c..a69118e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -40,6 +40,7 @@
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
+type virtualization_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vpnprofilestore_service, service_manager_type;
@@ -240,8 +241,9 @@
### HAL Services
###
-type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_audio_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
+type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 1d919eb..1ce5541 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -687,11 +687,11 @@
###########################################
# hal_attribute_service(attribute, service)
-# Ability for domain to get a service to hwservice_manager
+# Ability for domain to get a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
-# Used to pair hal_foo_client with hal_foo_hwservice
+# Used to pair hal_foo_client with hal_foo_service
define(`hal_attribute_service', `
allow $1_client $2:service_manager find;
add_service($1_server, $2)
@@ -965,3 +965,12 @@
# Define a /vendor-owned property with no restrictions
#
define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+ allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+ allow $1 gsi_public_metadata_file:file r_file_perms;
+')
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 46bcfaa..79f3b4c 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -39,5 +39,5 @@
r_dir_file(uncrypt, sysfs_dt_firmware_android)
# Suppress the denials coming from ReadDefaultFstab call.
-dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt gsi_metadata_file_type:dir search;
dontaudit uncrypt metadata_file:dir search;
diff --git a/public/update_engine.te b/public/update_engine.te
index b7cf827..962ca99 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -69,7 +69,7 @@
# device. ReadDefaultFstab() checks whether a GSI is running by checking
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
# the access.
-dontaudit update_engine gsi_metadata_file:dir search;
+dontaudit update_engine gsi_metadata_file_type:dir search;
# Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c8b8b12..db99b9e 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -57,7 +57,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
@@ -75,7 +75,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
@@ -91,7 +91,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -107,7 +107,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
@@ -122,7 +122,7 @@
-system_file_type
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:dir_file_class_set relabelto;
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 98ec3b4..7025652 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -8,7 +8,7 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer gsi_metadata_file:dir search;
+dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
diff --git a/public/vold.te b/public/vold.te
index fb16b7e..d1731cc 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -294,8 +294,8 @@
dontaudit vold self:global_capability_class_set sys_resource;
# vold needs to know whether we're running a GSI.
-allow vold gsi_metadata_file:dir r_dir_perms;
-allow vold gsi_metadata_file:file r_file_perms;
+allow vold gsi_metadata_file_type:dir r_dir_perms;
+allow vold gsi_metadata_file_type:file r_file_perms;
# vold might need to search loopback apex files
allow vold vendor_apex_file:file r_file_perms;