sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.
This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.
Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
diff --git a/reqd_mask/access_vectors b/reqd_mask/access_vectors
new file mode 120000
index 0000000..8312c07
--- /dev/null
+++ b/reqd_mask/access_vectors
@@ -0,0 +1 @@
+../private/access_vectors
\ No newline at end of file
diff --git a/reqd_mask/initial_sid_contexts b/reqd_mask/initial_sid_contexts
new file mode 100644
index 0000000..aa465cd
--- /dev/null
+++ b/reqd_mask/initial_sid_contexts
@@ -0,0 +1 @@
+sid reqd_mask u:r:reqd_mask_type:s0
diff --git a/reqd_mask/initial_sids b/reqd_mask/initial_sids
new file mode 100644
index 0000000..366cfb1
--- /dev/null
+++ b/reqd_mask/initial_sids
@@ -0,0 +1,3 @@
+sid reqd_mask
+
+# FLASK
diff --git a/reqd_mask/mls b/reqd_mask/mls
new file mode 100644
index 0000000..d276924
--- /dev/null
+++ b/reqd_mask/mls
@@ -0,0 +1 @@
+mlsconstrain binder { set_context_mgr } (l1 eq l2);
diff --git a/reqd_mask/mls_decl b/reqd_mask/mls_decl
new file mode 120000
index 0000000..5c505c9
--- /dev/null
+++ b/reqd_mask/mls_decl
@@ -0,0 +1 @@
+../private/mls_decl
\ No newline at end of file
diff --git a/reqd_mask/mls_macros b/reqd_mask/mls_macros
new file mode 120000
index 0000000..323dd57
--- /dev/null
+++ b/reqd_mask/mls_macros
@@ -0,0 +1 @@
+../private/mls_macros
\ No newline at end of file
diff --git a/reqd_mask/reqd_mask.te b/reqd_mask/reqd_mask.te
new file mode 100644
index 0000000..f77eef4
--- /dev/null
+++ b/reqd_mask/reqd_mask.te
@@ -0,0 +1 @@
+type reqd_mask_type;
diff --git a/reqd_mask/roles b/reqd_mask/roles
new file mode 100644
index 0000000..926cb7a
--- /dev/null
+++ b/reqd_mask/roles
@@ -0,0 +1 @@
+role r types reqd_mask_type;
diff --git a/reqd_mask/roles_decl b/reqd_mask/roles_decl
new file mode 100644
index 0000000..c84fcba
--- /dev/null
+++ b/reqd_mask/roles_decl
@@ -0,0 +1 @@
+role r;
diff --git a/reqd_mask/security_classes b/reqd_mask/security_classes
new file mode 120000
index 0000000..40c1d1d
--- /dev/null
+++ b/reqd_mask/security_classes
@@ -0,0 +1 @@
+../private/security_classes
\ No newline at end of file
diff --git a/reqd_mask/users b/reqd_mask/users
new file mode 100644
index 0000000..51b7b57
--- /dev/null
+++ b/reqd_mask/users
@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;