Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 4bd043ca67831ceaa9bbd55aad1ababa70ab85dd^2..4bd043ca67831ceaa9bbd55aad1ababa70ab85dd / .
commit4bd043ca67831ceaa9bbd55aad1ababa70ab85dd[log] [tgz]
authorKeith Mok <keithmok@google.com>Tue Nov 07 21:40:41 2023 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Tue Nov 07 21:40:41 2023 +0000
treedef5b2bab8456387dfce9ecc582bb3b1f56d8674
parent6f789851e9c6ce453958e302d864635a6c77b96d [diff]
parentdf794b45901a8565b0b38717b7f82d69cfe43aee [diff]
Merge "SEPolicy for AIDL MACSEC HAL" into main
diff --git a/Android.mk b/Android.mk
index 5ce31d2..384c416 100644
--- a/Android.mk
+++ b/Android.mk

@@ -94,13 +94,6 @@
 $(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
 endef
 
-# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
-# $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
-
-# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
-build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
-
 sepolicy_build_files := security_classes \
                         initial_sids \
                         access_vectors \
@@ -465,21 +458,14 @@
 #  Note: That a newline file is placed between each file_context file found to
 #        ensure a proper build when an fc file is missing an ending newline.
 
-local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
+local_fc_files := $(call intermediates-dir-for,ETC,plat_file_contexts)/plat_file_contexts
 
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
+local_fc_files += $(call intermediates-dir-for,ETC,system_ext_file_contexts)/system_ext_file_contexts
 endif
 
 ifdef HAS_PRODUCT_SEPOLICY_DIR
-local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
-endif
-
-ifneq ($(filter address,$(SANITIZE_TARGET)),)
-  local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
-endif
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
-  local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
+local_fc_files += $(call intermediates-dir-for,ETC,product_file_contexts)/product_file_contexts
 endif
 
 ###########################################################
@@ -506,10 +492,10 @@
 # it gathers LOCAL_FILE_CONTEXTS from product_MODULES
 file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
 
-device_fc_files := $(call build_vendor_policy, file_contexts)
+device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
-device_fc_files += $(call build_odm_policy, file_contexts)
+device_fc_files += $(call intermediates-dir-for,ETC,odm_file_contexts)/odm_file_contexts
 endif
 
 file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
@@ -573,8 +559,6 @@
 #################################
 
 
-build_vendor_policy :=
-build_odm_policy :=
 build_policy :=
 built_sepolicy :=
 built_sepolicy_neverallows :=

diff --git a/private/bug_map b/private/bug_map
index 53cb8b1..3a78a40 100644
--- a/private/bug_map
+++ b/private/bug_map

@@ -19,7 +19,9 @@
 mediaprovider cache_file blk_file b/77925342
 mediaprovider mnt_media_rw_file dir b/77925342
 mediaprovider shell_data_file dir b/77925342
+mediaprovider_app device_config_media_native_prop file b/308043377
 mediaswcodec ashmem_device chr_file b/142679232
+nfc device_config_media_native_prop file b/308043377
 platform_app device_config_media_native_prop file b/308043377
 platform_app nfc_data_file dir b/74331887
 platform_app system_data_file dir b/306090533

diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 236a337..ddaa7e2 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil

@@ -26,4 +26,5 @@
     next_boot_prop
     binderfs_logs_stats
     drm_forcel3_prop
+    proc_percpu_pagelist_high_fraction
   ))

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 17db46a..41c60df 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -92,6 +92,7 @@
 genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
 genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
 genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
+genfscon proc /sys/vm/percpu_pagelist_high_fraction u:object_r:proc_percpu_pagelist_high_fraction:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0
 genfscon proc /timer_stats u:object_r:proc_timer:s0
 genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0

diff --git a/public/file.te b/public/file.te
index 9496c02..091c557 100644
--- a/public/file.te
+++ b/public/file.te

@@ -16,6 +16,7 @@
 type proc_min_free_order_shift, fs_type, proc_type;
 type proc_kpageflags, fs_type, proc_type;
 type proc_watermark_boost_factor, fs_type, proc_type;
+type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, proc_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;