Merge "SEPolicy for Staged Installs."
diff --git a/OWNERS b/OWNERS
index 5a25bcc..194acf3 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,4 @@
+adamshih@google.com
alanstokes@google.com
bowgotsai@google.com
cbrubaker@google.com
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 35ef891..507d665 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -5,5 +5,6 @@
/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.runtime.release-file_contexts
index 207704d..286d698 100644
--- a/apex/com.android.runtime.release-file_contexts
+++ b/apex/com.android.runtime.release-file_contexts
@@ -5,5 +5,6 @@
/bin/dex2oat u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/profman u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
diff --git a/private/adbd.te b/private/adbd.te
index 23f3c92..0b42672 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -167,6 +167,11 @@
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
+# Connect to shell and use a socket transferred from it.
+# Used for e.g. abb.
+allow adbd shell:unix_stream_socket { read write };
+allow adbd shell:fd use;
+
###
### Neverallow rules
###
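Review bot: The comment on the added adbd rules says "Connect to shell", but the two rules grant only `{ read write }` on `shell:unix_stream_socket` and `use` on `shell:fd`; no `connectto` is granted. As written, adbd can only operate on a socket that the shell domain already holds and hands over. Rewording the comment to `# Use a socket fd passed from the shell domain (e.g. for abb); connectto is not granted.` would keep a later reader from widening the rule to match the comment.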
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 7c266a5..6f92ef5 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,6 +49,7 @@
# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
# and 28 in untrusted_app_27.te.
allow untrusted_app_25 app_data_file:file execute_no_trans;
+userdebug_or_eng(`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
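Review bot: The added `auditallow` in untrusted_app_25.te has no comment and audits `execute` as well as `execute_no_trans`, while the allow rule just above it in the hunk grants only `execute_no_trans`. Since auditallow only logs accesses that are already allowed, `execute` is presumably granted elsewhere in the policy; if so, this will likely also log executable mappings of files in the app home directory, not just exec() calls, which may drown out the signal on userdebug/eng builds. Consider narrowing the set to `execute_no_trans`, or state the intent with a comment such as `# Audit-only on userdebug/eng: log exec of app home files; grants no new access.` The same line is added in private/untrusted_app_27.te and the same point applies there.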
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index b8fd22e..be155c9 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,6 +30,7 @@
# The ability to call exec() on files in the apps home directories
# for targetApi 26, 27, and 28.
allow untrusted_app_27 app_data_file:file execute_no_trans;
+userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index f2d600a..0851d3b 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -242,7 +242,10 @@
ret += "policy without an entry into the compatibility mapping file(s) "
ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
ret += "latest API level.\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
+ ret += "See examples of how to fix this:\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/781036\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/852612\n"
return ret
###
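Review bot: The URLs added to this failure message use `android-review.git.corp.google.com`, which appears to be a corp-internal hostname that contributors outside that network cannot reach, and the text ends up in build logs. Point at the public review host instead, e.g. `ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/781036\n"`, and likewise for 852612. The second hunk of this file (the 822743 link) has the same problem. The enclosing function starts outside the hunk, so only the message lines are in view here.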
@@ -265,7 +268,9 @@
ret += "policy without a declaration in the compatibility mapping "
ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
ret += "latest API level.\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
+ ret += "See examples of how to fix this:\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/822743\n"
return ret
def TestTrebleCompatMapping():