Merge changes from topic "boringssl-kmsg"
* changes:
Redirect boringssl_self_test stdio to kmsg
allow init to open kmsg_debug
diff --git a/Android.mk b/Android.mk
index a58ecbe..0c17c16 100644
--- a/Android.mk
+++ b/Android.mk
@@ -244,11 +244,15 @@
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
sepolicy_tests \
- $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
$(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
-endif
-endif
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
+LOCAL_REQUIRED_MODULES += \
+ $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+
+endif # PRODUCT_SEPOLICY_SPLIT
+endif # SELINUX_IGNORE_NEVERALLOWS
+endif # with_asan
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
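Review bot: The new `LOCAL_REQUIRED_MODULES +=` assignment under `ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)` ends its only entry with a trailing `\` and relies on the blank added line after it to terminate the continuation. If that blank line is ever removed, `endif # PRODUCT_SEPOLICY_SPLIT` is folded into the variable value and the conditional nesting breaks, and this nesting decides whether the sepolicy and Treble test modules are required at all. Dropping the backslash on the last entry, `$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))`, removes the dependency on whitespace. The conditional closed by `endif # with_asan` opens outside this hunk.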
@@ -1331,6 +1335,7 @@
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
version_under_treble_tests := 26.0
@@ -1341,6 +1346,7 @@
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
version_under_treble_tests := 29.0
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+endif # PRODUCT_SEPOLICY_SPLIT
version_under_treble_tests := 26.0
include $(LOCAL_PATH)/compat.mk
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 7b2bea3..3509cfc 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -111,8 +111,11 @@
ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool
+ro.crypto.fde_algorithm u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.fde_sector_size u:object_r:exported2_vold_prop:s0 exact int
ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
+ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
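Review bot: `ro.crypto.fde_algorithm` and `ro.crypto.volume.contents_mode` are declared `exact string`, so the property type check does not constrain their values, and `ro.crypto.fde_sector_size` is an unbounded `int`. Because these select encryption parameters, the reader (presumably vold, going by the `exported2_vold_prop` label) should accept only values from its supported set and refuse to proceed on anything else rather than fall back silently; that handling is not visible here. A short comment above the added lines would record the expectation, e.g. `# ro.crypto.* algorithm/mode values are validated by the consumer; unknown values must fail closed`. The same three lines are added in the `public/property_contexts` hunk.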
diff --git a/private/bug_map b/private/bug_map
index 5d42ad1..7f8bdcf 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,30 +1,30 @@
-dnsmasq netd fifo_file 77868789
-dnsmasq netd unix_stream_socket 77868789
-init app_data_file file 77873135
-init cache_file blk_file 77873135
-init logpersist file 77873135
-init nativetest_data_file dir 77873135
-init pstorefs dir 77873135
-init shell_data_file dir 77873135
-init shell_data_file file 77873135
-init shell_data_file lnk_file 77873135
-init shell_data_file sock_file 77873135
-init system_data_file chr_file 77873135
-isolated_app privapp_data_file dir 119596573
-isolated_app app_data_file dir 120394782
-mediaextractor app_data_file file 77923736
-mediaextractor radio_data_file file 77923736
-mediaprovider cache_file blk_file 77925342
-mediaprovider mnt_media_rw_file dir 77925342
-mediaprovider shell_data_file dir 77925342
-netd priv_app unix_stream_socket 77870037
-netd untrusted_app unix_stream_socket 77870037
-netd untrusted_app_25 unix_stream_socket 77870037
-netd untrusted_app_27 unix_stream_socket 77870037
-platform_app nfc_data_file dir 74331887
-system_server crash_dump process 73128755
-system_server sdcardfs file 77856826
-system_server storage_stub_file dir 112609936
-system_server zygote process 77856826
-vold system_data_file file 124108085
-zygote untrusted_app_25 process 77925912
+dnsmasq netd fifo_file b/77868789
+dnsmasq netd unix_stream_socket b/77868789
+init app_data_file file b/77873135
+init cache_file blk_file b/77873135
+init logpersist file b/77873135
+init nativetest_data_file dir b/77873135
+init pstorefs dir b/77873135
+init shell_data_file dir b/77873135
+init shell_data_file file b/77873135
+init shell_data_file lnk_file b/77873135
+init shell_data_file sock_file b/77873135
+init system_data_file chr_file b/77873135
+isolated_app privapp_data_file dir b/119596573
+isolated_app app_data_file dir b/120394782
+mediaextractor app_data_file file b/77923736
+mediaextractor radio_data_file file b/77923736
+mediaprovider cache_file blk_file b/77925342
+mediaprovider mnt_media_rw_file dir b/77925342
+mediaprovider shell_data_file dir b/77925342
+netd priv_app unix_stream_socket b/77870037
+netd untrusted_app unix_stream_socket b/77870037
+netd untrusted_app_25 unix_stream_socket b/77870037
+netd untrusted_app_27 unix_stream_socket b/77870037
+platform_app nfc_data_file dir b/74331887
+system_server crash_dump process b/73128755
+system_server sdcardfs file b/77856826
+system_server storage_stub_file dir b/112609936
+system_server zygote process b/77856826
+vold system_data_file file b/124108085
+zygote untrusted_app_25 process b/77925912
diff --git a/private/domain.te b/private/domain.te
index 8d63fbe..98251d0 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -261,7 +261,6 @@
dumpstate
init
installd
- install_recovery
userdebug_or_eng(`llkd')
lmkd
migrate_legacy_obb_data
diff --git a/private/incident.te b/private/incident.te
index 98101e0..db9ae86 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -4,10 +4,17 @@
# switch to incident domain for incident command
domain_auto_trans(shell, incident_exec, incident)
+domain_auto_trans(dumpstate, incident_exec, incident)
# allow incident access to stdout from its parent shell.
allow incident shell:fd use;
+# allow incident to communicate with dumpstate, and write incident report to
+# /data/data/com.android.shell/files/bugreports/tmp_incident_report
+allow incident dumpstate:fd use;
+allow incident dumpstate:unix_stream_socket { read write };
+allow incident shell_data_file:file write;
+
# allow incident be able to output data for CTS to fetch.
allow incident devpts:chr_file { read write };
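Review bot: `allow incident shell_data_file:file write;` applies to every file labelled `shell_data_file`, not only the `tmp_incident_report` path named in the comment. The rule grants `write` without `open`, so incident can presumably only write to a descriptor that dumpstate already opened and passed in, but the comment does not say this is deliberate. I would extend the comment with `# write only, no open: the report file is opened by dumpstate and passed as an fd`. If no rule outside this hunk needs more, that could be pinned with `neverallow incident shell_data_file:file { open create };`.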
@@ -26,5 +33,5 @@
binder_call(incident, incidentd)
allow incident incidentd:fifo_file write;
-# only allow incident being called by shell
-neverallow { domain -su -shell -incident } incident_exec:file { execute execute_no_trans };
+# only allow incident being called by shell or dumpstate
+neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
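Review bot: Adding `-dumpstate` to the set exempts dumpstate from both `execute` and `execute_no_trans`, but the `domain_auto_trans(dumpstate, incident_exec, incident)` added earlier in this file should only need `execute` plus the transition. Keeping the in-domain case forbidden would stop a later allow rule from letting incident run inside the dumpstate domain: `neverallow dumpstate incident_exec:file execute_no_trans;`. Separately, `-dumpstate}` is missing the space before the closing brace that the opening of the set uses.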
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 0aee9ab..00caf25 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,8 +2,6 @@
type install_recovery, domain;
type install_recovery_exec, system_file_type, exec_type, file_type;
-allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
-
# /system/bin/install-recovery.sh is a shell script.
# Needs to execute /system/bin/sh
allow install_recovery shell_exec:file rx_file_perms;
@@ -19,9 +17,5 @@
allow install_recovery boot_block_device:blk_file r_file_perms;
allow install_recovery recovery_block_device:blk_file rw_file_perms;
-# Create and delete /cache/saved.file
-allow install_recovery cache_file:dir rw_dir_perms;
-allow install_recovery cache_file:file create_file_perms;
-
# Write to /proc/sys/vm/drop_caches
allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/public/property_contexts b/public/property_contexts
index e16b374..4418bbf 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -110,8 +110,11 @@
ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool
+ro.crypto.fde_algorithm u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.fde_sector_size u:object_r:exported2_vold_prop:s0 exact int
ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
+ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 3d9bca4..5e8e054 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -91,18 +91,8 @@
$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(base_plat_pub_policy.cil)
$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
-# TODO(b/113124961): account for PRODUCT_SHIPPING_API_LEVEL when determining
-# fake treble status once emulator is no longer fake treble.
-#ifdef PRODUCT_SHIPPING_API_LEVEL
-# These requirements were originally added in Android Oreo. Devices
-# launching after this should not distinguish between
-# PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE since this could
-# lead to release problems where they think they pass this test but
-# fail it when it actually gets runned for compliance.
-#ifeq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),26),)
+# TODO(b/113124961): remove fake-treble
$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
-#endif # if PRODUCT_SHIPPING_API_LEVEL < 26 (Android Oreo)
-#endif # PRODUCT_SHIPPING_API_LEVEL defined
endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
$(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
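Review bot: The replacement comment `# TODO(b/113124961): remove fake-treble` drops the only explanation of why `--fake-treble` deserves attention. The removed text warned that devices using `PRODUCT_FULL_TREBLE_OVERRIDE` may think they pass this test but fail it when it is actually run for compliance. One line of that is worth keeping next to the flag, e.g. `# With --fake-treble a device may pass here yet fail the real compliance run.` The rule whose prerequisites begin on the last lines of this hunk continues outside it.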