Merge "Revert "sepolicy: allow surfaceflinger to read device_config_aconfig_flags_prop"" into main
diff --git a/Android.bp b/Android.bp
index dedcf63..3c53931 100644
--- a/Android.bp
+++ b/Android.bp
@@ -753,33 +753,6 @@
}
se_policy_conf {
- name: "base_system_ext_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy +
- system_ext_public_policy +
- system_ext_private_policy,
- build_variant: "user",
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_cil {
- name: "base_system_ext_sepolicy.cil",
- src: ":base_system_ext_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
- system_ext_specific: true,
- installable: false,
- secilc_check: false, // done by se_policy_binary
-}
-
-se_policy_binary {
- name: "base_system_ext_sepolicy",
- srcs: [":base_system_ext_sepolicy.cil"],
- system_ext_specific: true,
- installable: false,
-}
-
-se_policy_conf {
name: "base_product_sepolicy.conf",
srcs: plat_public_policy +
plat_private_policy +
@@ -828,25 +801,6 @@
}
se_policy_conf {
- name: "base_system_ext_pub_policy.conf",
- srcs: plat_public_policy +
- system_ext_public_policy +
- reqd_mask_policy,
- build_variant: "user",
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_cil {
- name: "base_system_ext_pub_policy.cil",
- src: ":base_system_ext_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_conf {
name: "base_product_pub_policy.conf",
srcs: plat_public_policy +
system_ext_public_policy +
diff --git a/Android.mk b/Android.mk
index b39ee44..5ce31d2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,13 +1,7 @@
LOCAL_PATH:= $(call my-dir)
-include $(LOCAL_PATH)/definitions.mk
-include $(LOCAL_PATH)/policy_version.mk
-
include $(CLEAR_VARS)
-MLS_SENS=1
-MLS_CATS=1024
-
ifdef BOARD_SEPOLICY_UNION
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif
@@ -73,7 +67,6 @@
HAS_PRODUCT_SEPOLICY_DIR := true
endif
-NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
@@ -81,7 +74,6 @@
$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
It does not work in user builds and using it will \
not stop you from failing CTS.)
-NEVERALLOW_ARG := -N
endif
# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
@@ -170,36 +162,11 @@
endif
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-# CIL files which contain workarounds for current limitation of human-readable
-# module policy language. These files are appended to the CIL files produced
-# from module language files.
-sepolicy_build_cil_workaround_files := technical_debt.cil
-
-my_target_arch := $(TARGET_ARCH)
-ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
- my_target_arch := mips
-endif
-
-intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
-
with_asan := false
ifneq (,$(filter address,$(SANITIZE_TARGET)))
with_asan := true
endif
-with_native_coverage := false
-ifeq ($(NATIVE_COVERAGE),true)
- with_native_coverage := true
-endif
-ifeq ($(CLANG_COVERAGE),true)
- with_native_coverage := true
-endif
-
-treble_sysprop_neverallow := true
-ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
- treble_sysprop_neverallow := false
-endif
-
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -208,16 +175,6 @@
endif
endif
-enforce_sysprop_owner := true
-ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
- enforce_sysprop_owner := false
-endif
-
-enforce_debugfs_restriction := false
-ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
- enforce_debugfs_restriction := true
-endif
-
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -226,13 +183,6 @@
endif
endif
-# Library extension for host-side tests
-ifeq ($(HOST_OS),darwin)
-SHAREDLIB_EXT=dylib
-else
-SHAREDLIB_EXT=so
-endif
-
#################################
include $(CLEAR_VARS)
@@ -306,7 +256,7 @@
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
- sepolicy_freeze_test
+ se_freeze_test
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
@@ -480,16 +430,6 @@
# Policy files are now built with Android.bp. Grab them from intermediate.
# See Android.bp for details of policy files.
#
-built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
-
-ifdef HAS_PRODUCT_SEPOLICY
-built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-endif # ifdef HAS_PRODUCT_SEPOLICY
-
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
@@ -542,6 +482,23 @@
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
+###########################################################
+## Collect file_contexts files into a single tmp file with m4
+##
+## $(1): list of file_contexts files
+## $(2): filename into which file_contexts files are merged
+###########################################################
+
+define _merge-fc-files
+$(2): $(1) $(M4)
+ $(hide) mkdir -p $$(dir $$@)
+ $(hide) $(M4) --fatal-warnings -s $(1) > $$@
+endef
+
+define merge-fc-files
+$(eval $(call _merge-fc-files,$(1),$(2)))
+endef
+
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
@@ -581,11 +538,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
-built_fc := $(LOCAL_BUILT_MODULE)
local_fc_files :=
-local_fcfiles_with_nl :=
device_fc_files :=
-device_fcfiles_with_nl :=
file_contexts.concat.tmp :=
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
@@ -593,45 +547,28 @@
file_contexts.modules.tmp :=
##################################
-
-all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
-all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
-endif
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
-endif
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
-endif
-all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-
-##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
-built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
-built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
-built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy
-
-base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
-base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+ver := $(PLATFORM_SEPOLICY_VERSION)
+ifneq ($(wildcard $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)),)
+# If PLATFORM_SEPOLICY_VERSION is already frozen, use prebuilts for compat test
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_plat_pub_policy.cil)/$(ver)_plat_pub_policy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_product_pub_policy.cil)/$(ver)_product_pub_policy.cil
+else
+# If not, use ToT for compat test
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+endif
+ver :=
$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
$(eval version_under_treble_tests := $(v)) \
$(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
)
-built_plat_sepolicy :=
-built_system_ext_sepolicy :=
-built_product_sepolicy :=
base_plat_pub_policy.cil :=
-base_system_ext_pub_polcy.cil :=
base_product_pub_policy.cil :=
-all_fc_files :=
-all_fc_args :=
#################################
@@ -639,19 +576,7 @@
build_vendor_policy :=
build_odm_policy :=
build_policy :=
-built_plat_cil :=
-built_system_ext_cil :=
-built_product_cil :=
built_sepolicy :=
built_sepolicy_neverallows :=
-built_plat_svc :=
-built_vendor_svc :=
-treble_sysprop_neverallow :=
-enforce_sysprop_owner :=
-enforce_debugfs_restriction :=
-my_target_arch :=
sepolicy_build_files :=
-sepolicy_build_cil_workaround_files :=
with_asan :=
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/apex/Android.bp b/apex/Android.bp
index 37b6171..9929c24 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -38,13 +38,6 @@
}
filegroup {
- name: "com.android.threadnetwork-file_contexts",
- srcs: [
- "com.android.threadnetwork-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.sdkext-file_contexts",
srcs: [
"com.android.sdkext-file_contexts",
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index af366d8..53843ea 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1,3 +1,4 @@
(/.*)? u:object_r:system_file:s0
/bin/for-system/clatd u:object_r:clatd_exec:s0
+/bin/ot-daemon u:object_r:ot_daemon_exec:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.threadnetwork-file_contexts b/apex/com.android.threadnetwork-file_contexts
deleted file mode 100644
index 412c555..0000000
--- a/apex/com.android.threadnetwork-file_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/bin/ot-daemon u:object_r:ot_daemon_exec:s0
-/bin/ot-ctl u:object_r:ot_ctl_exec:s0
diff --git a/build/soong/policy.go b/build/soong/policy.go
index d8c3ffb..0793e2a 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -27,7 +27,6 @@
)
const (
- // TODO: sync with Android.mk
MlsSens = 1
MlsCats = 1024
PolicyVers = 30
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 345a9d2..9a3396e 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -70,6 +70,8 @@
"android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
"android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
"android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
"android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
"android.hardware.nfc.INfc/default": EXCEPTION_NO_FUZZER,
diff --git a/definitions.mk b/definitions.mk
deleted file mode 100644
index 63c4d94..0000000
--- a/definitions.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-# Command to turn collection of policy files into a policy.conf file to be
-# processed by checkpolicy
-define transform-policy-to-conf
-@mkdir -p $(dir $@)
-$(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
- -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
- -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
- -D target_arch=$(PRIVATE_TGT_ARCH) \
- -D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
- -D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
- -D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
- -D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
- -D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
- -D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
- -D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
- -D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
- -D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
- $(PRIVATE_TGT_RECOVERY) \
- -s $(PRIVATE_POLICY_FILES) > $@
-endef
-.KATI_READONLY := transform-policy-to-conf
-
-###########################################################
-## Collect file_contexts files into a single tmp file with m4
-##
-## $(1): list of file_contexts files
-## $(2): filename into which file_contexts files are merged
-###########################################################
-
-define _merge-fc-files
-$(2): $(1) $(M4)
- $(hide) mkdir -p $$(dir $$@)
- $(hide) $(M4) --fatal-warnings -s $(1) > $$@
-endef
-
-define merge-fc-files
-$(eval $(call _merge-fc-files,$(1),$(2)))
-endef
diff --git a/policy_version.mk b/policy_version.mk
deleted file mode 100644
index e6bb747..0000000
--- a/policy_version.mk
+++ /dev/null
@@ -1,4 +0,0 @@
-# SELinux policy version.
-# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
-# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
diff --git a/prebuilts/api/29.0/Android.bp b/prebuilts/api/29.0/Android.bp
index 34052a2..fd2099f 100644
--- a/prebuilts/api/29.0/Android.bp
+++ b/prebuilts/api/29.0/Android.bp
@@ -26,3 +26,53 @@
secilc_check: false,
installable: false,
}
+
+se_policy_conf {
+ name: "29.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_29.0}",
+ ":se_build_files{.system_ext_public_29.0}",
+ ":se_build_files{.product_public_29.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_product_pub_policy.cil",
+ src: ":29.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "29.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_29.0}",
+ ":se_build_files{.plat_private_29.0}",
+ ":se_build_files{.system_ext_public_29.0}",
+ ":se_build_files{.system_ext_private_29.0}",
+ ":se_build_files{.product_public_29.0}",
+ ":se_build_files{.product_private_29.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_plat_policy.cil",
+ src: ":29.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_29.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "29.0_plat_policy",
+ srcs: [":29.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/30.0/Android.bp b/prebuilts/api/30.0/Android.bp
index 0e51bb7..b958de0 100644
--- a/prebuilts/api/30.0/Android.bp
+++ b/prebuilts/api/30.0/Android.bp
@@ -26,3 +26,53 @@
secilc_check: false,
installable: false,
}
+
+se_policy_conf {
+ name: "30.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_30.0}",
+ ":se_build_files{.system_ext_public_30.0}",
+ ":se_build_files{.product_public_30.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_product_pub_policy.cil",
+ src: ":30.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "30.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_30.0}",
+ ":se_build_files{.plat_private_30.0}",
+ ":se_build_files{.system_ext_public_30.0}",
+ ":se_build_files{.system_ext_private_30.0}",
+ ":se_build_files{.product_public_30.0}",
+ ":se_build_files{.product_private_30.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_plat_policy.cil",
+ src: ":30.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_30.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "30.0_plat_policy",
+ srcs: [":30.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/31.0/Android.bp b/prebuilts/api/31.0/Android.bp
index 5697173..dbb07b4 100644
--- a/prebuilts/api/31.0/Android.bp
+++ b/prebuilts/api/31.0/Android.bp
@@ -26,3 +26,53 @@
secilc_check: false,
installable: false,
}
+
+se_policy_conf {
+ name: "31.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_31.0}",
+ ":se_build_files{.system_ext_public_31.0}",
+ ":se_build_files{.product_public_31.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_product_pub_policy.cil",
+ src: ":31.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "31.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_31.0}",
+ ":se_build_files{.plat_private_31.0}",
+ ":se_build_files{.system_ext_public_31.0}",
+ ":se_build_files{.system_ext_private_31.0}",
+ ":se_build_files{.product_public_31.0}",
+ ":se_build_files{.product_private_31.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_plat_policy.cil",
+ src: ":31.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_31.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "31.0_plat_policy",
+ srcs: [":31.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/32.0/Android.bp b/prebuilts/api/32.0/Android.bp
index 723f743..39722b4 100644
--- a/prebuilts/api/32.0/Android.bp
+++ b/prebuilts/api/32.0/Android.bp
@@ -26,3 +26,53 @@
secilc_check: false,
installable: false,
}
+
+se_policy_conf {
+ name: "32.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_32.0}",
+ ":se_build_files{.system_ext_public_32.0}",
+ ":se_build_files{.product_public_32.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_product_pub_policy.cil",
+ src: ":32.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "32.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_32.0}",
+ ":se_build_files{.plat_private_32.0}",
+ ":se_build_files{.system_ext_public_32.0}",
+ ":se_build_files{.system_ext_private_32.0}",
+ ":se_build_files{.product_public_32.0}",
+ ":se_build_files{.product_private_32.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_plat_policy.cil",
+ src: ":32.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_32.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "32.0_plat_policy",
+ srcs: [":32.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/33.0/Android.bp b/prebuilts/api/33.0/Android.bp
index df4da89..9bc68c6 100644
--- a/prebuilts/api/33.0/Android.bp
+++ b/prebuilts/api/33.0/Android.bp
@@ -26,3 +26,53 @@
secilc_check: false,
installable: false,
}
+
+se_policy_conf {
+ name: "33.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_33.0}",
+ ":se_build_files{.system_ext_public_33.0}",
+ ":se_build_files{.product_public_33.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_product_pub_policy.cil",
+ src: ":33.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "33.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_33.0}",
+ ":se_build_files{.plat_private_33.0}",
+ ":se_build_files{.system_ext_public_33.0}",
+ ":se_build_files{.system_ext_private_33.0}",
+ ":se_build_files{.product_public_33.0}",
+ ":se_build_files{.product_private_33.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_plat_policy.cil",
+ src: ":33.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_33.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "33.0_plat_policy",
+ srcs: [":33.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/34.0/Android.bp b/prebuilts/api/34.0/Android.bp
index e962848..499a342 100644
--- a/prebuilts/api/34.0/Android.bp
+++ b/prebuilts/api/34.0/Android.bp
@@ -26,3 +26,53 @@
secilc_check: false,
installable: false,
}
+
+se_policy_conf {
+ name: "34.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_34.0}",
+ ":se_build_files{.system_ext_public_34.0}",
+ ":se_build_files{.product_public_34.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_product_pub_policy.cil",
+ src: ":34.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "34.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_34.0}",
+ ":se_build_files{.plat_private_34.0}",
+ ":se_build_files{.system_ext_public_34.0}",
+ ":se_build_files{.system_ext_private_34.0}",
+ ":se_build_files{.product_public_34.0}",
+ ":se_build_files{.product_private_34.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_plat_policy.cil",
+ src: ":34.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_34.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "34.0_plat_policy",
+ srcs: [":34.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/private/bootstat.te b/private/bootstat.te
index 016292e..99d8c6d 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -17,6 +17,7 @@
-dumpstate
userdebug_or_eng(`-incidentd')
-init
+ -platform_app
-recovery
-shell
-system_server
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 7315687..408cf33 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,13 +1,15 @@
;; types removed from current policy
(type ashmemd)
+(type clatd_exec)
+(type clatd)
(type exported_audio_prop)
(type exported_dalvik_prop)
(type exported_vold_prop)
(type exported2_config_prop)
(type exported2_vold_prop)
(type hal_wifi_offload_hwservice)
-(type install_recovery)
(type install_recovery_exec)
+(type install_recovery)
(type mediacodec_service)
(type perfprofd_data_file)
(type perfprofd_service)
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 83d83ff..f95488c 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1,11 +1,16 @@
;; types removed from current policy
+(type adbd_prop)
(type cgroup_bpf)
+(type device_config_configuration_prop)
+(type device_config_storage_native_boot_prop)
+(type device_config_sys_traced_prop)
+(type device_config_window_manager_native_boot_prop)
(type exported_audio_prop)
(type exported_dalvik_prop)
(type exported_ffs_prop)
(type exported_fingerprint_prop)
-(type exported_system_radio_prop)
(type exported_radio_prop)
+(type exported_system_radio_prop)
(type exported_vold_prop)
(type exported_wifi_prop)
(type exported2_config_prop)
@@ -16,8 +21,19 @@
(type exported3_default_prop)
(type exported3_radio_prop)
(type ffs_prop)
+(type gsid_prop)
+(type init_perf_lsm_hooks_prop)
+(type init_svc_debug_prop)
+(type last_boot_reason_prop)
+(type mediatranscoding_exec)
+(type netd_stable_secret_prop)
+(type pm_prop)
+(type system_adbd_prop)
(type system_radio_prop)
(type thermalcallback_hwservice)
+(type traced_perf_enabled_prop)
+(type userspace_reboot_log_prop)
+(type userspace_reboot_test_prop)
(typeattribute binder_in_vendor_violators)
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index e16be89..3bdb37b 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -9,9 +9,11 @@
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
+ hal_codec2_service
hal_threadnetwork_service
virtual_camera_service
ot_daemon_service
remote_auth_service
threadnetwork_service
+ device_config_aconfig_flags_prop
))
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index d5e8a74..5d4070d 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -21,6 +21,8 @@
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)
+hal_client_domain(isolated_compute_app, hal_codec2)
+
allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
# Allow access to network sockets received over IPC. New socket creation is not
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
deleted file mode 100644
index 12e7ce2..0000000
--- a/private/ot_ctl.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# ot_ctl is the commandline tool for controling the native Thread network daemon (ot_daemon).
-#
-
-type ot_ctl, domain, coredomain;
-type ot_ctl_exec, exec_type, system_file_type, file_type;
-
-init_daemon_domain(ot_ctl)
-
-# Allow the ot_ctl to read/write the socket file.
-allow ot_ctl threadnetwork_data_file:sock_file {read write};
diff --git a/private/platform_app.te b/private/platform_app.te
index 1bd0020..cd95353 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -116,6 +116,9 @@
# allow platform apps to read qemu.hw.mainkeys
get_prop(platform_app, qemu_hw_prop)
+# allow platform apps to read sys.boot.reason.last
+get_prop(platform_app, last_boot_reason_prop)
+
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 52077ef..b911bc0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -176,6 +176,9 @@
# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
get_prop(priv_app, incremental_prop)
+# allow privileged apps to read the device config flags.
+get_prop(priv_app, device_config_aconfig_flags_prop)
+
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
diff --git a/private/property.te b/private/property.te
index 90cfad2..5f8f044 100644
--- a/private/property.te
+++ b/private/property.te
@@ -2,7 +2,6 @@
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
-system_internal_prop(device_config_aconfig_flags_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
diff --git a/private/service_contexts b/private/service_contexts
index 71bd7e4..746cde1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -51,6 +51,8 @@
android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0
+android.hardware.media.c2.IComponentStore/software u:object_r:hal_codec2_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
diff --git a/private/shell.te b/private/shell.te
index 1b859d1..aa6bef8 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -250,3 +250,6 @@
# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
+# Allow shell to read the build properties for attestation feature
+get_prop(shell, build_attestation_prop)
+
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 3bed3c6..1b553e9 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -20,11 +20,11 @@
allow vfio_handler sysfs:dir r_dir_perms;
allow vfio_handler sysfs:file rw_file_perms;
-# Allow vfio_handler to write to VM DTBO via a file created by virtualizationmanager.
-allow vfio_handler virtualizationmanager:fd use;
+# Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
+allow vfio_handler virtualizationservice:fd use;
allow vfio_handler virtualizationservice_data_file:file write;
-# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
+# vfio_handler can only use fd from virtualizationservice, and can't open files itself
neverallow vfio_handler virtualizationservice_data_file:file { open create };
# Allow vfio_handler to search /dev/block for accessing dtbo.img
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 2d20195..93cd04c 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -34,8 +34,8 @@
# Let virtualizationservice create and delete temporary directories of VMs. To remove old
# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
-allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
-allow virtualizationservice virtualizationservice_data_file:file write;
+allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
+allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
diff --git a/public/domain.te b/public/domain.te
index 4e4730a..bed0d7d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -57,6 +57,9 @@
allow domain method_trace_data_file:file create_file_perms;
')
+# Allow everyone to read aconfig flags
+get_prop(domain, device_config_aconfig_flags_prop);
+
# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index a379bb3..f05e00a 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -7,6 +7,7 @@
binder_call(hal_codec2_server, hal_codec2_client)
hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+hal_attribute_service(hal_codec2, hal_codec2_service)
# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.
diff --git a/public/hal_face.te b/public/hal_face.te
index 0134576..e14666a 100644
--- a/public/hal_face.te
+++ b/public/hal_face.te
@@ -5,7 +5,7 @@
hal_attribute_hwservice(hal_face, hal_face_hwservice)
hal_attribute_service(hal_face, hal_face_service)
-binder_call(hal_face_server, servicemanager)
+binder_use(hal_face_server)
# Allow access to the ion memory allocation device.
allow hal_face ion_device:chr_file r_file_perms;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index edbab03..b3b26c1 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -21,7 +21,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
+neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/property.te b/public/property.te
index 17a9845..67463a5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(composd_vm_art_prop)
+system_restricted_prop(device_config_aconfig_flags_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
system_restricted_prop(device_config_media_native_prop)
diff --git a/public/service.te b/public/service.te
index d2e6ca3..8cc5acc 100644
--- a/public/service.te
+++ b/public/service.te
@@ -285,6 +285,7 @@
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
type hal_cas_service, hal_service_type, service_manager_type;
+type hal_codec2_service, hal_service_type, service_manager_type, isolated_compute_allowed_service;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;
diff --git a/tests/Android.bp b/tests/Android.bp
index 544db37..2c2c9a6 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -50,9 +50,7 @@
},
libs: [
"mini_cil_parser",
- "pysepolwrap",
],
- data: [":libsepolwrap"],
}
python_binary_host {
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 518ebbc..3c51b67 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -65,7 +65,13 @@
scontext: set[str]
-Rule = AllowRead
+@dataclass
+class ResolveType:
+ """Rule checking if type can be resolved"""
+ pass
+
+
+Rule = AllowRead | ResolveType
def match_path(path: str, matcher: Matcher) -> bool:
@@ -94,10 +100,18 @@
continue # no errors
errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+ case ResolveType():
+ if tcontext not in pol.GetAllTypes(False):
+ errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
return errors
-rules = [
+target_specific_rules = [
+ (Glob('*'), ResolveType()),
+]
+
+
+generic_rules = [
# permissions
(Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
(Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
@@ -114,7 +128,10 @@
]
-def check_line(pol: policy.Policy, line: str) -> List[str]:
+all_rules = target_specific_rules + generic_rules
+
+
+def check_line(pol: policy.Policy, line: str, rules) -> List[str]:
"""Parses a file_contexts line and runs checks"""
# skip empty/comment line
line = line.strip()
@@ -151,6 +168,7 @@
def do_main(work_dir):
"""Do testing"""
parser = argparse.ArgumentParser()
+ parser.add_argument('--all', action='store_true', help='tests ALL aspects')
parser.add_argument('-f', '--file_contexts', help='output of "deapexer list -Z"')
args = parser.parse_args()
@@ -158,10 +176,15 @@
policy_path = extract_data('precompiled_sepolicy', work_dir)
pol = policy.Policy(policy_path, None, lib_path)
+ if args.all:
+ rules = all_rules
+ else:
+ rules = generic_rules
+
errors = []
with open(args.file_contexts, 'rt', encoding='utf-8') as file_contexts:
for line in file_contexts:
- errors.extend(check_line(pol, line))
+ errors.extend(check_line(pol, line, rules))
if len(errors) > 0:
sys.exit('\n'.join(errors))
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 9c87a00..6e719ed 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -43,12 +43,12 @@
return self.__class__.pol
def assert_ok(self, line: str):
- errors = apex.check_line(self.pol, line)
+ errors = apex.check_line(self.pol, line, apex.all_rules)
self.assertEqual(errors, [], "Should be no errors")
def assert_error(self, line: str, expected_error: str):
pattern = re.compile(expected_error)
- errors = apex.check_line(self.pol, line)
+ errors = apex.check_line(self.pol, line, apex.all_rules)
for err in errors:
if re.search(pattern, err):
return
@@ -76,17 +76,19 @@
r'Error: \./etc/permissions/permisssion.xml: .* can\'t read')
def test_initscripts(self):
+ # here, netd_service is chosen randomly for invalid label for a file
+
# init reads .rc file
self.assert_ok('./etc/init.rc u:object_r:vendor_file:s0')
- self.assert_error('./etc/init.rc u:object_r:unknown:s0',
+ self.assert_error('./etc/init.rc u:object_r:netd_service:s0',
r'Error: .* can\'t read')
# init reads .#rc file
self.assert_ok('./etc/init.32rc u:object_r:vendor_file:s0')
- self.assert_error('./etc/init.32rc u:object_r:unknown:s0',
+ self.assert_error('./etc/init.32rc u:object_r:netd_service:s0',
r'Error: .* can\'t read')
# init skips file with unknown extension => no errors
self.assert_ok('./etc/init.x32rc u:object_r:vendor_file:s0')
- self.assert_ok('./etc/init.x32rc u:object_r:unknown:s0')
+ self.assert_ok('./etc/init.x32rc u:object_r:netd_service:s0')
def test_linkerconfig(self):
self.assert_ok('./etc/linker.config.pb u:object_r:system_file:s0')
@@ -96,5 +98,9 @@
self.assert_error('./ u:object_r:apex_data_file:s0',
r'Error: .*linkerconfig.* can\'t read')
+ def test_unknown_label(self):
+ self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
+ r'Error: \./bin/hw/foo: tcontext\(foo_exec\) is unknown')
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index b2792a0..ff1a348 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -16,17 +16,11 @@
from optparse import Option, OptionValueError
import os
import mini_parser
-import pkgutil
-import policy
-from policy import MatchPathPrefix
import re
import shutil
import sys
import tempfile
-DEBUG=False
-SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
-
'''
Verify that Treble compatibility are not broken.
'''
@@ -39,13 +33,13 @@
###
# Make sure that any new public type introduced in the new policy that was not
# present in the old policy has been recorded in the mapping file.
-def TestNoUnmappedNewTypes(test_policy):
- newt = test_policy.alltypes - test_policy.oldalltypes
+def TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping):
+ newt = base_pub_policy.types - old_pub_policy.types
ret = ""
violators = []
for n in newt:
- if n in test_policy.pubtypes and test_policy.compatMapping.rTypeattributesets.get(n) is None:
+ if mapping.rTypeattributesets.get(n) is None:
violators.append(n)
if len(violators) > 0:
@@ -62,13 +56,13 @@
###
# Make sure that any public type removed in the current policy has its
# declaration added to the mapping file for use in non-platform policy
-def TestNoUnmappedRmTypes(test_policy):
- rmt = test_policy.oldalltypes - test_policy.alltypes
+def TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping):
+ rmt = old_pub_policy.types - base_pub_policy.types
ret = ""
violators = []
for o in rmt:
- if o in test_policy.compatMapping.pubtypes and not o in test_policy.compatMapping.types:
+ if o in mapping.pubtypes and not o in mapping.types:
violators.append(o)
if len(violators) > 0:
@@ -81,9 +75,9 @@
ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n"
return ret
-def TestTrebleCompatMapping(test_policy):
- ret = TestNoUnmappedNewTypes(test_policy)
- ret += TestNoUnmappedRmTypes(test_policy)
+def TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping):
+ ret = TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping)
+ ret += TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping)
return ret
###
@@ -103,73 +97,38 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-def do_main(libpath):
- """
- Args:
- libpath: string, path to libsepolwrap.so
- """
- test_policy = policy.TestPolicy()
-
+def do_main():
usage = "treble_sepolicy_tests "
- usage += "-p curr_policy -b base_policy -o old_policy "
+ usage += "-b base_pub_policy -o old_pub_policy "
usage += "-m mapping file [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
- parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
- parser.add_option("-u", "--base-pub-policy", dest="base_pub_policy",
+ parser.add_option("-b", "--base-pub-policy", dest="base_pub_policy",
metavar="FILE")
parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
- parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
- parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
+ parser.add_option("-o", "--old-pub-policy", dest="old_pub_policy",
+ metavar="FILE")
(options, args) = parser.parse_args()
- if not options.policy:
- sys.exit("Must specify current monolithic policy file\n" + parser.usage)
- if not os.path.exists(options.policy):
- sys.exit("Error: policy file " + options.policy + " does not exist\n"
- + parser.usage)
-
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
- if not options.basepolicy:
- sys.exit("Must specify the current platform-only policy file\n"
- + parser.usage)
if not options.mapping:
sys.exit("Must specify a compatibility mapping file\n"
+ parser.usage)
- if not options.oldpolicy:
- sys.exit("Must specify the previous monolithic policy file\n"
+ if not options.old_pub_policy:
+ sys.exit("Must specify the previous public policy .cil file\n"
+ parser.usage)
if not options.base_pub_policy:
sys.exit("Must specify the current platform-only public policy "
+ ".cil file\n" + parser.usage)
- basepol = policy.Policy(options.basepolicy, None, libpath)
- oldpol = policy.Policy(options.oldpolicy, None, libpath)
mapping = mini_parser.MiniCilParser(options.mapping)
- pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
- test_policy.compatSetup(basepol, oldpol, mapping, pubpol.types)
+ base_pub_policy = mini_parser.MiniCilParser(options.base_pub_policy)
+ old_pub_policy = mini_parser.MiniCilParser(options.old_pub_policy)
- pol = policy.Policy(options.policy, None, libpath)
- test_policy.setup(pol)
-
- if DEBUG:
- test_policy.PrintScontexts()
-
- results = TestTrebleCompatMapping(test_policy)
+ results = TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping)
if len(results) > 0:
sys.exit(results)
if __name__ == '__main__':
- temp_dir = tempfile.mkdtemp()
- try:
- libname = "libsepolwrap" + SHARED_LIB_EXTENSION
- libpath = os.path.join(temp_dir, libname)
- with open(libpath, "wb") as f:
- blob = pkgutil.get_data("treble_sepolicy_tests", libname)
- if not blob:
- sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
- f.write(blob)
- do_main(libpath)
- finally:
- shutil.rmtree(temp_dir)
+ do_main()
diff --git a/tools/Android.mk b/tools/Android.mk
deleted file mode 100644
index 34f4385..0000000
--- a/tools/Android.mk
+++ /dev/null
@@ -1,3 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/policy_version_check.sh b/tools/policy_version_check.sh
index 33ce861..f82c53d 100755
--- a/tools/policy_version_check.sh
+++ b/tools/policy_version_check.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]')
+MK=$(awk -F= '/PolicyVers/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')
BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
if [ "$MK" != "$BP" ]; then
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 45845ab..9d6960b 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -11,15 +11,9 @@
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
-# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
-# make file of the system_ext partition.
-SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
-# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
-# make file of the product partition.
-PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
IS_TREBLE_TEST_ENABLED_PARTNER := false
ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
+ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
IS_TREBLE_TEST_ENABLED_PARTNER := true
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
@@ -30,59 +24,7 @@
# built to enable us to determine the diff between the current policy and the
# $(version) policy, which will be used in tests to make sure that compatibility has
# been maintained by our mapping files.
-$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
-ifneq (,$(PRODUCT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(PRODUCT_PREBUILT_POLICY))
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
-$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
-$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$($(version)_plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-policy_files :=
-
-built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
-$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
-$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
-
-# TODO(b/214336258): move to Soong
-$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
-
-$(version)_plat_policy.conf :=
+built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
$(version)_mapping.ignore.cil := \
@@ -106,44 +48,31 @@
# combining the current platform policy with nonplatform policy based on the
# $(version) policy release and also a special ignored file that exists purely for
# these tests.
+intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
mkdir -p $(dir $@)
cat $^ > $@
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-built_sepolicy_files := $(built_product_sepolicy)
public_cil_files := $(base_product_pub_policy.cil)
else
-built_sepolicy_files := $(built_plat_sepolicy)
public_cil_files := $(base_plat_pub_policy.cil)
endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil)
$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
- $(all_fc_files) $(built_sepolicy) \
- $(built_sepolicy_files) \
$(public_cil_files) \
- $(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil)
+ $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
- -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
- -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
- -u $(PRIVATE_PLAT_PUB_SEPOLICY)
+ -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+ -o $(PRIVATE_SEPOLICY_OLD)
$(hide) touch $@
-$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
-$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
-$(version)_PRODUCT_PUBLIC_POLICY :=
-$(version)_PRODUCT_PRIVATE_POLICY :=
-$(version)_PLAT_PUBLIC_POLICY :=
-$(version)_PLAT_PRIVATE_POLICY :=
built_sepolicy_files :=
public_cil_files :=
-cil_files :=
$(version)_mapping.cil :=
$(version)_mapping.combined.cil :=
$(version)_mapping.ignore.cil :=
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 564ca9d..efe0b71 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -76,6 +76,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0