Merge "Add policy for new AIDL IR hal"
diff --git a/Android.bp b/Android.bp
index d22010c..21916b8 100644
--- a/Android.bp
+++ b/Android.bp
@@ -661,6 +661,11 @@
],
}
+se_build_files {
+ name: "sepolicy_technical_debt",
+ srcs: ["technical_debt.cil"],
+}
+
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
plat_public_policy = [":se_build_files{.plat_public}"]
plat_private_policy = [":se_build_files{.plat_private}"]
@@ -775,7 +780,7 @@
se_policy_cil {
name: "plat_sepolicy.cil",
src: ":plat_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
}
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
@@ -790,7 +795,7 @@
se_policy_cil {
name: "userdebug_plat_sepolicy.cil",
src: ":userdebug_plat_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
debug_ramdisk: true,
dist: {
targets: ["droidcore"],
@@ -815,7 +820,7 @@
name: "system_ext_userdebug_plat_sepolicy.cil",
stem: "userdebug_plat_sepolicy.cil",
src: ":userdebug_plat_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
system_ext_specific: true,
enabled: false,
installable: false,
@@ -898,24 +903,193 @@
product_specific: true,
}
+// vendor/odm sepolicy
+//
+// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
+// policy files of platform (system, system_ext, product) can't be mixed with
+// policy files of vendor (vendor, odm). If it's the case, platform policies and
+// vendor policies are separately built. More specifically,
+//
+// - Platform policy files needed to build vendor policies, such as plat_policy,
+// plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
+// prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
+//
+// - sepolicy_neverallows only checks platform policies, and a new module
+// sepolicy_neverallows_vendor checks vendor policies.
+//
+// - neverallow checks are turned off while compiling precompiled_sepolicy
+// module and sepolicy module.
+//
+// - Vendor policies are not checked on the compat test (compat.mk).
+//
+// In such scenario, we can grab platform policy files from the prebuilts/api
+// directory. But we need more than that: prebuilts of system_ext, product,
+// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
+// variables are introduced to specify such prebuilts.
+//
+// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
+// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
+// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
+// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
+// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
+// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
+//
+// Vendors are responsible for copying policy files from the old version of the
+// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
+// can be used to build vendor policies.
+//
+// To support both mixed build and normal build, platform policy files are
+// indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
+// to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
+// Otherwise, they will be equal to the Makefile variables above.
+
+plat_public_policies_for_vendor = [
+ ":se_build_files{.plat_public_for_vendor}",
+ ":se_build_files{.system_ext_public_for_vendor}",
+ ":se_build_files{.product_public_for_vendor}",
+ ":se_build_files{.reqd_mask_for_vendor}",
+]
+
+plat_policies_for_vendor = [
+ ":se_build_files{.plat_public_for_vendor}",
+ ":se_build_files{.plat_private_for_vendor}",
+ ":se_build_files{.system_ext_public_for_vendor}",
+ ":se_build_files{.system_ext_private_for_vendor}",
+ ":se_build_files{.product_public_for_vendor}",
+ ":se_build_files{.product_private_for_vendor}",
+]
+
+se_policy_conf {
+ name: "plat_policy_for_vendor.conf",
+ srcs: plat_policies_for_vendor,
+ installable: false,
+}
+
+se_policy_cil {
+ name: "plat_policy_for_vendor.cil",
+ src: ":plat_policy_for_vendor.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
+ installable: false,
+}
+
+se_policy_conf {
+ name: "reqd_policy_mask_for_vendor.conf",
+ srcs: [":se_build_files{.reqd_mask_for_vendor}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "reqd_policy_mask_for_vendor.cil",
+ src: ":reqd_policy_mask_for_vendor.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "pub_policy_for_vendor.conf",
+ srcs: plat_public_policies_for_vendor,
+ installable: false,
+}
+
+se_policy_cil {
+ name: "pub_policy_for_vendor.cil",
+ src: ":pub_policy_for_vendor.conf",
+ filter_out: [":reqd_policy_mask_for_vendor.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "plat_mapping_file_for_vendor",
+ base: ":pub_policy_for_vendor.cil",
+ mapping: true,
+ version: "vendor",
+ installable: false,
+}
+
// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
name: "plat_pub_versioned.cil",
- base: ":pub_policy.cil",
- target_policy: ":pub_policy.cil",
- version: "current",
- dependent_cils: [
- ":plat_sepolicy.cil",
- ":system_ext_sepolicy.cil",
- ":product_sepolicy.cil",
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
+ base: ":pub_policy_for_vendor.cil",
+ target_policy: ":pub_policy_for_vendor.cil",
+ version: "vendor",
vendor: true,
}
+// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
+// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+// policy and the platform public policy files in order to use checkpolicy.
+se_policy_conf {
+ name: "vendor_sepolicy.conf",
+ srcs: plat_public_policies_for_vendor + [
+ ":se_build_files{.plat_vendor_for_vendor}",
+ ":se_build_files{.vendor}",
+ ],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "vendor_sepolicy.cil.raw",
+ src: ":vendor_sepolicy.conf",
+ filter_out: [":reqd_policy_mask_for_vendor.cil"],
+ secilc_check: false, // will be done in se_versioned_policy module
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "vendor_sepolicy.cil",
+ base: ":pub_policy_for_vendor.cil",
+ target_policy: ":vendor_sepolicy.cil.raw",
+ version: "vendor",
+ dependent_cils: [
+ ":plat_policy_for_vendor.cil",
+ ":plat_pub_versioned.cil",
+ ":plat_mapping_file_for_vendor",
+ ],
+ filter_out: [":plat_pub_versioned.cil"],
+ vendor: true,
+}
+
+// odm_policy.cil - the odl sepolicy. This needs attributization and to be combined
+// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+// policy and the platform public policy files in order to use checkpolicy.
+se_policy_conf {
+ name: "odm_sepolicy.conf",
+ srcs: plat_public_policies_for_vendor + [
+ ":se_build_files{.plat_vendor_for_vendor}",
+ ":se_build_files{.vendor}",
+ ":se_build_files{.odm}",
+ ],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "odm_sepolicy.cil.raw",
+ src: ":odm_sepolicy.conf",
+ filter_out: [
+ ":reqd_policy_mask_for_vendor.cil",
+ ":vendor_sepolicy.cil",
+ ],
+ secilc_check: false, // will be done in se_versioned_policy module
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "odm_sepolicy.cil",
+ base: ":pub_policy_for_vendor.cil",
+ target_policy: ":odm_sepolicy.cil.raw",
+ version: "vendor",
+ dependent_cils: [
+ ":plat_policy_for_vendor.cil",
+ ":plat_pub_versioned.cil",
+ ":plat_mapping_file_for_vendor",
+ ":vendor_sepolicy.cil",
+ ],
+ filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
+ device_specific: true,
+}
+
//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
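Review bot: The header comments on the new vendor/odm modules do not match the modules they introduce. `// odm_policy.cil - the odl sepolicy` sits above `odm_sepolicy.cil` and should read `// odm_sepolicy.cil - the odm sepolicy`, and `// vendor_policy.cil` likewise precedes `vendor_sepolicy.cil`. In the introductory block, `{.(partition)_scope)}` has an unbalanced parenthesis and should be `{.(partition)_(scope)}`. These names are what a reader greps for when tracing which module performs the deferred `secilc_check`, so they are worth fixing.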
@@ -979,15 +1153,15 @@
}
soong_config_module_type {
- name: "precompiled_sepolicy_defaults",
+ name: "precompiled_sepolicy_prebuilts_defaults",
module_type: "prebuilt_defaults",
config_namespace: "ANDROID",
bool_variables: ["BOARD_USES_ODMIMAGE"],
properties: ["vendor", "device_specific"],
}
-precompiled_sepolicy_defaults {
- name: "precompiled_sepolicy",
+precompiled_sepolicy_prebuilts_defaults {
+ name: "precompiled_sepolicy_prebuilts",
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
device_specific: true,
@@ -1003,7 +1177,7 @@
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
- defaults: ["precompiled_sepolicy"],
+ defaults: ["precompiled_sepolicy_prebuilts"],
name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
src: ":plat_sepolicy_and_mapping.sha256_gen",
@@ -1015,7 +1189,7 @@
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
- defaults: ["precompiled_sepolicy"],
+ defaults: ["precompiled_sepolicy_prebuilts"],
name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
src: ":system_ext_sepolicy_and_mapping.sha256_gen",
@@ -1027,13 +1201,58 @@
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
- defaults: ["precompiled_sepolicy"],
+ defaults: ["precompiled_sepolicy_prebuilts"],
name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
src: ":product_sepolicy_and_mapping.sha256_gen",
relative_install_path: "selinux",
}
+soong_config_module_type {
+ name: "precompiled_se_policy_binary",
+ module_type: "se_policy_binary",
+ config_namespace: "ANDROID",
+ bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
+ value_variables: ["MIXED_SEPOLICY_VERSION"],
+ properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
+}
+
+precompiled_se_policy_binary {
+ name: "precompiled_sepolicy",
+ srcs: [
+ ":plat_sepolicy.cil",
+ ":plat_pub_versioned.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ ],
+ soong_config_variables: {
+ BOARD_USES_ODMIMAGE: {
+ device_specific: true,
+ conditions_default: {
+ vendor: true,
+ },
+ },
+ IS_TARGET_MIXED_SEPOLICY: {
+ ignore_neverallow: true,
+ },
+ MIXED_SEPOLICY_VERSION: {
+ srcs: [
+ ":plat_%s.cil",
+ ":system_ext_%s.cil",
+ ":product_%s.cil",
+ ],
+ conditions_default: {
+ srcs: [
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ },
+ },
+ },
+}
//////////////////////////////////
// SELinux policy embedded into CTS.
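Review bot: `IS_TARGET_MIXED_SEPOLICY: { ignore_neverallow: true }` turns off neverallow enforcement for `precompiled_sepolicy`, and the block has no comment saying why or where those rules are enforced instead. The Android.mk rule this replaces carried `# Neverallow checks are skipped in a mixed build target.`; I would carry that over and, going by the vendor/odm comment added earlier in this file, name the other checks, e.g. `// Neverallow checks are skipped in a mixed build; see sepolicy_neverallows and sepolicy_neverallows_vendor.` Separately, `:odm_sepolicy.cil` is listed in `srcs` unconditionally, whereas the removed Makefile rule added the odm CIL only under `ifdef BOARD_ODM_SEPOLICY_DIRS`. Presumably the module is harmless when no odm dirs are set, but that is not visible here and is worth confirming.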
diff --git a/Android.mk b/Android.mk
index d700fbf..160df1c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -81,45 +81,6 @@
HAS_PRODUCT_SEPOLICY_DIR := true
endif
-# If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
-# policy files of platform (system, system_ext, product) can't be mixed with
-# policy files of vendor (vendor, odm). If it's the case, platform policies and
-# vendor policies are separately built. More specifically,
-#
-# - Platform policy files needed to build vendor policies, such as plat_policy,
-# plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
-# prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
-#
-# - sepolicy_neverallows only checks platform policies, and a new module
-# sepolicy_neverallows_vendor checks vendor policies.
-#
-# - neverallow checks are turned off while compiling precompiled_sepolicy module
-# and sepolicy module.
-#
-# - Vendor policies are not checked on the compat test (compat.mk).
-#
-# In such scenario, we can grab platform policy files from the prebuilts/api
-# directory. But we need more than that: prebuilts of system_ext, product,
-# system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following variables
-# are introduced to specify such prebuilts.
-#
-# - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
-# - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
-# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
-# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
-# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
-# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
-#
-# Vendors are responsible for copying policy files from the old version of the
-# source tree as prebuilts, and for setting BOARD_*_POLICY variables so they can
-# be used to build vendor policies. See prebuilt_policy.mk for more details.
-#
-# To support both mixed build and normal build, platform policy files are
-# indirectly referred by {partition}_{public|private}_policy_$(ver) variables
-# when building vendor policies. See vendor_sepolicy.cil and odm_sepolicy.cil
-# for more details.
-#
-# sepolicy.recovery is also compiled from vendor and plat prebuilt policies.
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
mixed_sepolicy_build := true
else
@@ -569,7 +530,15 @@
#################################
ifeq ($(mixed_sepolicy_build),true)
-include $(LOCAL_PATH)/prebuilt_policy.mk
+ver := $(BOARD_SEPOLICY_VERS)
+reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
+plat_public_policy_$(ver) := $(LOCAL_PATH)/prebuilts/api/$(ver)/public
+plat_private_policy_$(ver) := $(LOCAL_PATH)/prebuilts/api/$(ver)/private
+system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
+system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
+product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
+product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
+ver :=
else
reqd_policy_$(PLATFORM_SEPOLICY_VERSION) := $(REQD_MASK_POLICY)
plat_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/public
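Review bot: The mixed-build source selection now exists in two places with nothing tying them together. These `*_policy_$(ver)` assignments and the `else` branch added to build/soong/build_files.go in this same change both compute the `prebuilts/api/<BOARD_SEPOLICY_VERS>/{public,private}` paths and read the same BOARD_* prebuilt variables. A later edit to one side could leave Make-built and Soong-built policy compiled from different inputs without any build error, so a cross-reference on each side would help, e.g. `# Keep in sync with the *_for_vendor sources in build/soong/build_files.go.` Neither copy checks that the BOARD_* variables are set or that the prebuilts directory for the version exists; whether an empty source list fails later in the build is not visible from this hunk.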
@@ -741,249 +710,38 @@
endif # ifeq ($(mixed_sepolicy_build),true)
##################################
-# plat policy files are now built with Android.bp. Grab them from intermediate.
-# See Android.bp for details of plat policy files.
+# Policy files are now built with Android.bp. Grab them from intermediate.
+# See Android.bp for details of policy files.
#
reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
-reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
-pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
-
system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
-system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
-
plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
-plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
-built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
-built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
ifdef HAS_PRODUCT_SEPOLICY
built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
-built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
endif # ifdef HAS_PRODUCT_SEPOLICY
built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
-built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
-
-#################################
-include $(CLEAR_VARS)
-
-# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
-# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
-# policy and the platform public policy files in order to use checkpolicy.
-LOCAL_MODULE := vendor_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
-vendor_policy.conf := $(intermediates)/vendor_policy.conf
-$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(vendor_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
-$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS))
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(vendor_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
- $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
- -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
- -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \
- -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
-
-built_vendor_cil := $(LOCAL_BUILT_MODULE)
-vendor_policy.conf :=
-
-#################################
-include $(CLEAR_VARS)
+built_vendor_cil := $(call intermediates-dir-for,ETC,vendor_sepolicy.cil)/vendor_sepolicy.cil
ifdef BOARD_ODM_SEPOLICY_DIRS
-# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
-# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
-# policy and the platform public policy files in order to use checkpolicy.
-LOCAL_MODULE := odm_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-odm_policy.conf := $(intermediates)/odm_policy.conf
-$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(odm_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_vendor_cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_vendor_cil)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(odm_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
- $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_vendor_cil)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
- -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
- -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \
- -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
-
-built_odm_cil := $(LOCAL_BUILT_MODULE)
-odm_policy.conf :=
-odm_policy_raw :=
+built_odm_cil := $(call intermediates-dir-for,ETC,odm_sepolicy.cil)/odm_sepolicy.cil
endif
#################################
include $(CLEAR_VARS)
-
-LOCAL_MODULE := precompiled_sepolicy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_cil_files := \
- $(built_plat_cil) \
- $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_vendor_cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += $(built_system_ext_cil)
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_cil_files += $(built_odm_cil)
-endif
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-# Neverallow checks are skipped in a mixed build target.
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
- $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
-
-built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
-all_cil_files :=
-
-#################################
-# Precompiled sepolicy is loaded if and only if:
-# - plat_sepolicy_and_mapping.sha256 equals
-# precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
-# AND
-# - system_ext_sepolicy_and_mapping.sha256 equals
-# precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
-# AND
-# - product_sepolicy_and_mapping.sha256 equals
-# precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-# See system/core/init/selinux.cpp for details.
-#################################
-
-#################################
-include $(CLEAR_VARS)
# build this target so that we can still perform neverallow checks
LOCAL_MODULE := sepolicy
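Review bot: Removing `CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0` here is only safe if nothing left in Android.mk still expands it. The two rules that used it in this hunk are deleted with it, but if any rule outside the hunk still passes `-c $(CHECKPOLICY_ASAN_OPTIONS)`, it will now expand to an empty string without a build error. It is worth grepping the remaining file for the variable before dropping the definition; the rest of Android.mk is not visible in this diff.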
@@ -999,7 +757,7 @@
all_cil_files := \
$(built_plat_cil) \
$(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_pub_vers_cil) \
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -1321,7 +1079,6 @@
built_product_mapping_cil :=
built_vendor_cil :=
built_odm_cil :=
-built_precompiled_sepolicy :=
built_sepolicy :=
built_sepolicy_neverallows :=
built_plat_svc :=
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 8f77e4f..865dbb4 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -95,8 +95,33 @@
b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "public"))
b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "private"))
+ b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
b.srcs[".system_ext_public"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs()...)
b.srcs[".system_ext_private"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()...)
b.srcs[".product_public"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs()...)
b.srcs[".product_private"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs()...)
+ b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
+ b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
+
+ if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
+ // vendor uses the same source with plat policy
+ b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]
+ b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]
+ b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]
+ b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]
+ b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]
+ b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]
+ b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]
+ b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]
+ } else {
+ // use vendor-supplied plat prebuilts
+ b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
+ b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
+ b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
+ b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
+ b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
+ b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
+ b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
+ b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
+ }
}
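Review bot: The `else` branch calls `ctx.DeviceConfig().BoardSepolicyVers()` and rebuilds the `prebuilts/api/<version>` path twice, inside a run of sixteen near-identical assignments. Hoisting the directory once, e.g. `prebuiltDir := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers())`, and then joining `"public"` / `"private"` onto it would make the one place that depends on the board version easy to audit. The enclosing function starts outside this hunk.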
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 47fd14c..59d1172 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -181,7 +181,15 @@
}
var _ CilCompatMapGenerator = (*cilCompatMap)(nil)
+var _ android.OutputFileProducer = (*cilCompatMap)(nil)
func (c *cilCompatMap) GeneratedMapFile() android.Path {
return c.installSource
}
+
+func (c *cilCompatMap) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{c.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
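Review bot: The exported `OutputFiles` method is added without a doc comment, and its error string starts with a capital letter, which Go convention discourages for errors that get wrapped into longer messages. I would add `// OutputFiles implements android.OutputFileProducer; only the empty tag is supported.` and use `fmt.Errorf("unknown tag %q", tag)`. The file's import block is outside this hunk, so confirm `fmt` is already imported.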
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index d4bdd74..dc07910 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -35,8 +35,8 @@
// Output file name. Defaults to {name} if target_policy is set, {version}.cil if mapping is set
Stem *string
- // Target sepolicy version. Can be a specific version number (e.g. "30.0" for R) or "current"
- // (PLATFORM_SEPOLICY_VERSION). Defaults to "current"
+ // Target sepolicy version. Can be a specific version number (e.g. "30.0" for R), "current"
+ // (PLATFORM_SEPOLICY_VERSION), or "vendor" (BOARD_SEPOLICY_VERS). Defaults to "current"
Version *string
// If true, generate mapping file from given base cil file. Cannot be set with target_policy.
@@ -90,6 +90,8 @@
version := proptools.StringDefault(m.properties.Version, "current")
if version == "current" {
version = ctx.DeviceConfig().PlatformSepolicyVersion()
+ } else if version == "vendor" {
+ version = ctx.DeviceConfig().BoardSepolicyVers()
}
var stem string
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 5ec418c..cca95c2 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -98,3 +98,6 @@
# apexd uses it to decide whether it needs to keep retrying polling for loop device.
get_prop(apexd, cold_boot_done_prop)
+
+# apexd uses this to determine where there metadata partition is.
+get_prop(apexd, apexd_payload_metadata_prop)
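Review bot: The comment added above `get_prop(apexd, apexd_payload_metadata_prop)` reads "where there metadata partition is", and the comment on the matching neverallow in microdroid/system/private/property.te reads "can only set by init". These comments are the only explanation of a new init-only property, so they should read cleanly: `# apexd uses this to determine where the metadata partition is.` and `# apexd_payload_metadata_prop can only be set by init`.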
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 7866b20..cbf09ad 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -19,20 +19,12 @@
use
};
-# Although the compos should not really read/write the FD on authfs_fuse, this
-# is apparently required for the binder driver to pass the FDs to compos from
-# authfs_service.
-allow compos authfs_fuse:file { read write };
-
-# Allow getattr (in fact, getxattr) as a workaround to retrieve fs-verity
-# metadata. See b/196635431.
-allow compos authfs_fuse:file getattr;
-
-# Allow creating the odrefresh output directory in authfs.
-allow compos authfs_fuse:dir create_dir_perms;
+# Read artifacts created by odrefresh and create signature files.
+allow compos authfs_fuse:dir rw_dir_perms;
+allow compos authfs_fuse:file create_file_perms;
# Allow locating the authfs mount directory.
-allow compos authfs_data_file:dir { search };
+allow compos authfs_data_file:dir search;
# Allow domain transition into odrefresh and dex2oat.
# TODO(b/209008712): Remove dex2oat once the migration is done.
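Review bot: `allow compos authfs_fuse:file create_file_perms;` widens compos from `{ read write getattr }` to create, rename, unlink and setattr on every `authfs_fuse` file, while the new comment says compos only reads odrefresh artifacts and creates signature files. Both kinds of file are covered by the one `authfs_fuse` type in this rule, so the policy cannot tell them apart, and the removed rationale (binder FD passing, the getattr workaround in b/196635431) is no longer recorded anywhere in the file. I would grant only the permissions signing needs if that set is known, or at least say so in the comment, e.g. `# authfs_fuse labels inputs and outputs alike, so write/unlink also covers odrefresh artifacts.` The change of the dir rule from `create_dir_perms` to `rw_dir_perms` is a real reduction and is fine as written.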
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index 221de96..c7c53c2 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -12,6 +12,10 @@
# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
allow dex2oat authfs_fuse:file { read write getattr map };
+# Allow to search in authfs directories.
+allow dex2oat authfs_data_file:dir { search };
+allow dex2oat authfs_fuse:dir { search };
+
# Minijail uses pipe for the parent process to signal the child (as a fallback
# mechanism, since Android does not support minijail's preload).
# TODO(196109647): We can probably remove this once the minijail preload is
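Review bot: The two added rules wrap a single permission in braces (`{ search }`), while the compos.te hunk in this same change rewrites `dir { search }` to `dir search`. For consistency write `allow dex2oat authfs_data_file:dir search;` and `allow dex2oat authfs_fuse:dir search;`.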
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index c281896..d8b4392 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -25,5 +25,8 @@
# supported on Android.
allow odrefresh compos:fifo_file read;
-# Do not audit unused resources from parent processes.
-dontaudit odrefresh compos:fd use;
+# Allow using FDs from the parent. It's possible that this could be avoided,
+# if we close fd 0-2 before execute. But minijial replaces them with /dev/null
+# (unless specified otherwise). Without allowing the use, the execution will
+# fail immediately. See b/210909688.
+allow odrefresh compos:fd use;
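Review bot: `allow odrefresh compos:fd use;` covers every descriptor odrefresh inherits from compos, not only fd 0-2 that the comment discusses, so the rule depends on compos not leaving other descriptors open across exec. Access to the object behind each descriptor is still checked separately, which limits the effect, but the comment should state the intended scope, e.g. `# Only fd 0-2 (replaced with /dev/null by minijail) are expected to be inherited; see b/210909688.` The comment also misspells minijail as "minijial".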
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index c36875c..7911753 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -41,3 +41,9 @@
-microdroid_manager
-apkdmverity
} microdroid_manager_roothash_prop:file no_rw_file_perms;
+
+# apexd_payload_metadata_prop can only set by init
+neverallow {
+ domain
+ -init
+} apexd_payload_metadata_prop:property_service set;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 20994e5..7b63cae 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -165,3 +165,5 @@
# ART properties for CompOS
dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
+
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index f92face..c62e091 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -1,5 +1,6 @@
type adbd_prop, property_type;
type apex_config_prop, property_type;
+type apexd_payload_metadata_prop, property_type;
type apexd_prop, property_type;
type arm64_memtag_prop, property_type;
type bootloader_prop, property_type;
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
deleted file mode 100644
index e46f92a..0000000
--- a/prebuilt_policy.mk
+++ /dev/null
@@ -1,321 +0,0 @@
-# Copyright (C) 2020 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# prebuilt_policy.mk generates policy files from prebuilts of BOARD_SEPOLICY_VERS.
-# The policy files will only be used to compile vendor and odm policies.
-#
-# Specifically, the following prebuilts are used...
-# - system/sepolicy/prebuilts/api/{BOARD_SEPOLICY_VERS}
-# - BOARD_PLAT_VENDOR_POLICY (copy of system/sepolicy/vendor from a previous release)
-# - BOARD_REQD_MASK_POLICY (copy of reqd_mask from a previous release)
-# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (copy of system_ext public from a previous release)
-# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (copy of system_ext private from a previous release)
-# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (copy of product public from a previous release)
-# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (copy of product private from a previous release)
-#
-# ... to generate following policy files.
-#
-# - reqd policy mask
-# - plat, system_ext, product public policy
-# - plat, system_ext, product policy
-# - plat, system_ext, product versioned policy
-#
-# These generated policy files will be used only when building vendor policies.
-# They are not installed to system, system_ext, or product partition.
-ver := $(BOARD_SEPOLICY_VERS)
-prebuilt_dir := $(LOCAL_PATH)/prebuilts/api/$(ver)
-plat_public_policy_$(ver) := $(prebuilt_dir)/public
-plat_private_policy_$(ver) := $(prebuilt_dir)/private
-system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
-system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
-product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
-product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
-
-##################################
-# policy-to-conf-rule: a helper macro to transform policy files to conf file.
-#
-# This expands to a set of rules which assign variables for transform-policy-to-conf and then call
-# transform-policy-to-conf. Before calling this, policy_files must be set with build_policy macro.
-#
-# $(1): output path (.conf file)
-define policy-to-conf-rule
-$(1): PRIVATE_MLS_SENS := $$(MLS_SENS)
-$(1): PRIVATE_MLS_CATS := $$(MLS_CATS)
-$(1): PRIVATE_TARGET_BUILD_VARIANT := $$(TARGET_BUILD_VARIANT)
-$(1): PRIVATE_TGT_ARCH := $$(my_target_arch)
-$(1): PRIVATE_TGT_WITH_ASAN := $$(with_asan)
-$(1): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $$(with_native_coverage)
-$(1): PRIVATE_ADDITIONAL_M4DEFS := $$(LOCAL_ADDITIONAL_M4DEFS)
-$(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
-$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
-$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
-$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
-$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
-$(1): PRIVATE_POLICY_FILES := $$(policy_files)
-$(1): $$(policy_files) $$(M4)
- $$(transform-policy-to-conf)
-endef
-
-##################################
-# reqd_policy_mask_$(ver).cil
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), $(BOARD_REQD_MASK_POLICY))
-reqd_policy_mask_$(ver).conf := $(intermediates)/reqd_policy_mask_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(reqd_policy_mask_$(ver).conf)))
-
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
-
-reqd_policy_mask_$(ver).cil := $(intermediates)/reqd_policy_mask_$(ver).cil
-$(reqd_policy_mask_$(ver).cil): $(reqd_policy_mask_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
- $(POLICYVERS) -o $@ $<
-
-reqd_policy_mask_$(ver).conf :=
-
-reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
-
-##################################
-# plat_pub_policy_$(ver).cil: exported plat policies
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(reqd_policy_$(ver)))
-plat_pub_policy_$(ver).conf := $(intermediates)/plat_pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(plat_pub_policy_$(ver).conf)))
-
-plat_pub_policy_$(ver).cil := $(intermediates)/plat_pub_policy_$(ver).cil
-$(plat_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(plat_pub_policy_$(ver).conf)
-$(plat_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(plat_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-plat_pub_policy_$(ver).conf :=
-
-##################################
-# plat_mapping_cil_$(ver).cil: versioned exported system policy
-#
-plat_mapping_cil_$(ver) := $(intermediates)/plat_mapping_$(ver).cil
-$(plat_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(plat_mapping_cil_$(ver)) : $(plat_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-built_plat_mapping_cil_$(ver) := $(plat_mapping_cil_$(ver))
-
-##################################
-# plat_policy_$(ver).cil: system policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) )
-plat_policy_$(ver).conf := $(intermediates)/plat_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(plat_policy_$(ver).conf)))
-
-plat_policy_$(ver).cil := $(intermediates)/plat_policy_$(ver).cil
-$(plat_policy_$(ver).cil): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
-$(plat_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(plat_policy_$(ver).cil): $(plat_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
- $(hide) mv $@.tmp $@
-
-plat_policy_$(ver).conf :=
-
-built_plat_cil_$(ver) := $(plat_policy_$(ver).cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-##################################
-# system_ext_pub_policy_$(ver).cil: exported system and system_ext policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) $(reqd_policy_$(ver)))
-system_ext_pub_policy_$(ver).conf := $(intermediates)/system_ext_pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(system_ext_pub_policy_$(ver).conf)))
-
-system_ext_pub_policy_$(ver).cil := $(intermediates)/system_ext_pub_policy_$(ver).cil
-$(system_ext_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(system_ext_pub_policy_$(ver).conf)
-$(system_ext_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(system_ext_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-system_ext_pub_policy_$(ver).conf :=
-
-##################################
-# system_ext_policy_$(ver).cil: system_ext policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
- $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) )
-system_ext_policy_$(ver).conf := $(intermediates)/system_ext_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(system_ext_policy_$(ver).conf)))
-
-system_ext_policy_$(ver).cil := $(intermediates)/system_ext_policy_$(ver).cil
-$(system_ext_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(system_ext_policy_$(ver).cil): PRIVATE_PLAT_CIL := $(built_plat_cil_$(ver))
-$(system_ext_policy_$(ver).cil): $(system_ext_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver))
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
- # latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
-
-system_ext_policy_$(ver).conf :=
-
-built_system_ext_cil_$(ver) := $(system_ext_policy_$(ver).cil)
-
-##################################
-# system_ext_mapping_cil_$(ver).cil: versioned exported system_ext policy
-#
-system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
-$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
-$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
-$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
-$(system_ext_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
-$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil)
- @mkdir -p $(dir $@)
- # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
- # sepolicy minus plat_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
-
-built_system_ext_mapping_cil_$(ver) := $(system_ext_mapping_cil_$(ver))
-
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# product_policy_$(ver).cil: product policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
- $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) \
- $(product_public_policy_$(ver)) $(product_private_policy_$(ver)) )
-product_policy_$(ver).conf := $(intermediates)/product_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(product_policy_$(ver).conf)))
-
-product_policy_$(ver).cil := $(intermediates)/product_policy_$(ver).cil
-$(product_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(product_policy_$(ver).cil): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
-$(product_policy_$(ver).cil): $(product_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL_FILES) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
- # make sure that the latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-product_policy_$(ver).conf :=
-
-built_product_cil_$(ver) := $(product_policy_$(ver).cil)
-
-endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# pub_policy_$(ver).cil: exported plat, system_ext, and product policies
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) \
- $(product_public_policy_$(ver)) $(reqd_policy_$(ver)) )
-pub_policy_$(ver).conf := $(intermediates)/pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(pub_policy_$(ver).conf)))
-
-pub_policy_$(ver).cil := $(intermediates)/pub_policy_$(ver).cil
-$(pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(pub_policy_$(ver).conf)
-$(pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-pub_policy_$(ver).conf :=
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# product_mapping_cil_$(ver).cil: versioned exported product policy
-#
-product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
-$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
-$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil)
-$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
-$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
-$(product_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
-$(product_mapping_cil_$(ver)) : $(built_system_ext_mapping_cil_$(ver))
- @mkdir -p $(dir $@)
- # Generate product mapping file as mapping file of all public sepolicy minus
- # plat_mapping_file and system_ext_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_FILTER_CIL_FILES) -t $@
-
-built_product_mapping_cil_$(ver) := $(product_mapping_cil_$(ver))
-
-endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# plat_pub_versioned_$(ver).cil - the exported platform policy
-#
-plat_pub_versioned_$(ver).cil := $(intermediates)/plat_pub_versioned_$(ver).cil
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_VERS := $(ver)
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_TGT_POL := $(pub_policy_$(ver).cil)
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) \
-$(built_product_cil_$(ver)) $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) \
-$(built_product_mapping_cil_$(ver))
-$(plat_pub_versioned_$(ver).cil) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
- $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) $(built_product_cil_$(ver)) \
- $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) $(built_product_mapping_cil_$(ver))
- @mkdir -p $(dir $@)
- $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-built_pub_vers_cil_$(ver) := $(plat_pub_versioned_$(ver).cil)
diff --git a/prebuilts/api/32.0/private/zygote.te b/prebuilts/api/32.0/private/zygote.te
index 090e121..743647e 100644
--- a/prebuilts/api/32.0/private/zygote.te
+++ b/prebuilts/api/32.0/private/zygote.te
@@ -112,7 +112,7 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
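Review bot: The added `setattr` on `cgroup:{ file lnk_file }` has no comment saying why zygote needs to change attributes on cgroup v1 files; `# Control cgroups.` was written when the rule was read-only. The same line is changed in private/zygote.te later in this diff. A why-comment with the tracking bug would let a later reviewer judge whether the permission can be dropped again, e.g. `# setattr matches the cgroup_v2 rule below; needed for <reason> (b/<bug id>)`, with the placeholders filled in by the author.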
diff --git a/private/apexd.te b/private/apexd.te
index 2e890a0..9dfe45f 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -158,6 +158,9 @@
# Allow apexd to read apex selection properties.
# These are used to choose between multi-installed APEXes at activation time.
get_prop(apexd, apexd_select_prop)
+#
+# Allow apexd to read apexd_payload_metadata_prop
+get_prop(apexd, apexd_payload_metadata_prop)
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
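Review bot: The added block opens with a bare `#` line where the surrounding rules use an empty line as separator, and its comment only restates the macro call. Replace the bare `#` with an empty line and, if the purpose is the same as in the microdroid policy, say what the property is for: `# apexd uses this to determine where the metadata partition is.`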
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 5bd2e76..d7e8601 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -9,6 +9,7 @@
artd_service
attestation_verification_service
charger_vendor
+ cloudsearch_service
device_config_nnapi_native_prop
dice_maintenance_service
dice_node_service
diff --git a/private/composd.te b/private/composd.te
index 88c4e4a..5b8f586 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -13,16 +13,19 @@
# Start a VM
virtualizationservice_use(composd)
-# Allow preparing staging directory for odrefresh
+# Prepare staging directory for odrefresh
allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
+# Delete files in the odrefresh target directory
+allow composd apex_art_data_file:file unlink;
+
# Access our APEX data files
allow composd apex_module_data_file:dir search;
allow composd apex_compos_data_file:dir create_dir_perms;
allow composd apex_compos_data_file:file create_file_perms;
-# TODO(b/209008712): Removed these when we run odrefresh in the VM
+# TODO(b/209008712): Remove these when we run odrefresh in the VM
# Run odrefresh to refresh ART artifacts, and kill it if we need to
domain_auto_trans(composd, odrefresh_exec, odrefresh)
allow composd odrefresh:process sigkill;
@@ -33,3 +36,6 @@
# Read ART's properties
get_prop(composd, dalvik_config_prop)
+
+# We never create any artifact files directly
+neverallow composd apex_art_data_file:file ~unlink;
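Review bot: The comment on `neverallow composd apex_art_data_file:file ~unlink;` says only that composd never creates artifact files, but the rule forbids every file permission except unlink, including read, open and getattr. I would make the comment match the rule: `# composd may only unlink artifact files; it must never create, read or modify them.` That also documents why the allow rule in the previous hunk grants `unlink` alone.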
diff --git a/private/domain.te b/private/domain.te
index ba26ddf..d12cbc7 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -304,7 +304,8 @@
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
neverallow {
domain
- # art processes
+ # art-related processes
+ -composd
-compos_fd_server
-odrefresh
-odsign
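Review bot: `-composd` is now a plain exemption in this neverallow and in the one in the next hunk, where the `# TODO: Remove` marker is dropped, so nothing at either site says how far the exemption is meant to reach. The rule bodies are outside both hunks, so the classes and permissions composd is exempted from are not visible here; if they cover apex_art_data_file, as the context comment suggests, the actual limit is the `~unlink` neverallow added in private/composd.te. A pointer at the exemption would keep the two in step: `-composd # unlink only, enforced by neverallow in composd.te`.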
@@ -317,10 +318,10 @@
neverallow {
domain
# art-related processes
+ -composd
-compos_fd_server
-odrefresh
-odsign
- -composd # TODO: Remove
# others
-apexd
-init
diff --git a/private/file_contexts b/private/file_contexts
index 895b579..41bc184 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -19,6 +19,7 @@
# For kernel modules
/lib(/.*)? u:object_r:rootfs:s0
+/system_dlkm(/.*)? u:object_r:rootfs:s0
# Empty directories
/lost\+found u:object_r:rootfs:s0
diff --git a/private/property.te b/private/property.te
index b196a1b..7033a06 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,5 +1,6 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
@@ -376,6 +377,15 @@
}:property_service set;
neverallow {
+ # Only allow init to set apexd_payload_metadata_prop
+ domain
+ -init
+} {
+ apexd_payload_metadata_prop
+}:property_service set;
+
+
+neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
domain
-init
diff --git a/private/property_contexts b/private/property_contexts
index 10735a5..3650a44 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -607,6 +607,7 @@
vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
odsign.key.done u:object_r:odsign_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index 27d6b35..1d8b64d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -112,6 +112,7 @@
cacheinfo u:object_r:cacheinfo_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
+cloudsearch_service u:object_r:cloudsearch_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
diff --git a/private/zygote.te b/private/zygote.te
index 8e2b15a..ea983fd 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -112,7 +112,7 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
diff --git a/public/service.te b/public/service.te
index 8be2eea..493017f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -80,6 +80,7 @@
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type cloudsearch_service, app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type;
type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;