Merge "[Thread] add sepolicy rules for Thread system service" into main
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index c9daf7c..eb7cb06 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -20,7 +20,6 @@
import (
"android/soong/android"
"fmt"
- "io"
"github.com/google/blueprint"
"github.com/google/blueprint/proptools"
@@ -67,18 +66,21 @@
Bottom_half []string `android:"path"`
// name of the output
Stem *string
+ // Target version that this module supports. This module will be ignored if platform sepolicy
+ // version is same as this module's version.
+ Version *string
}
type cilCompatMap struct {
android.ModuleBase
properties cilCompatMapProperties
// (.intermediate) module output path as installation source.
- installSource android.Path
+ installSource android.OptionalPath
installPath android.InstallPath
}
type CilCompatMapGenerator interface {
- GeneratedMapFile() android.Path
+ GeneratedMapFile() android.OptionalPath
}
func expandTopHalf(ctx android.ModuleContext) android.OptionalPath {
@@ -87,7 +89,7 @@
depTag := ctx.OtherModuleDependencyTag(dep)
switch depTag {
case TopHalfDepTag:
- topHalf = android.OptionalPathForPath(dep.(CilCompatMapGenerator).GeneratedMapFile())
+ topHalf = dep.(CilCompatMapGenerator).GeneratedMapFile()
}
})
return topHalf
@@ -97,7 +99,15 @@
return android.PathsForModuleSrc(ctx, srcFiles)
}
+func (c *cilCompatMap) shouldSkipBuild(ctx android.ModuleContext) bool {
+ return proptools.String(c.properties.Version) == ctx.DeviceConfig().PlatformSepolicyVersion()
+}
+
func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if c.shouldSkipBuild(ctx) {
+ return
+ }
+
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
srcFiles := expandSeSources(ctx, c.properties.Bottom_half)
@@ -130,9 +140,9 @@
"bottomHalf": bottomHalf.String(),
},
})
- c.installSource = out
+ c.installSource = android.OptionalPathForPath(out)
} else {
- c.installSource = bottomHalf
+ c.installSource = android.OptionalPathForPath(bottomHalf)
}
}
@@ -142,30 +152,38 @@
}
}
-func (c *cilCompatMap) AndroidMk() android.AndroidMkData {
- ret := android.AndroidMkData{
- OutputFile: android.OptionalPathForPath(c.installSource),
- Class: "ETC",
+func (c *cilCompatMap) AndroidMkEntries() []android.AndroidMkEntries {
+ if !c.installSource.Valid() {
+ return nil
}
- ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.String())
- if c.properties.Stem != nil {
- fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
- }
- })
- return ret
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: c.installSource,
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
+ if c.properties.Stem != nil {
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", String(c.properties.Stem))
+ }
+ },
+ },
+ }}
}
var _ CilCompatMapGenerator = (*cilCompatMap)(nil)
var _ android.OutputFileProducer = (*cilCompatMap)(nil)
-func (c *cilCompatMap) GeneratedMapFile() android.Path {
+func (c *cilCompatMap) GeneratedMapFile() android.OptionalPath {
return c.installSource
}
func (c *cilCompatMap) OutputFiles(tag string) (android.Paths, error) {
if tag == "" {
- return android.Paths{c.installSource}, nil
+ if c.installSource.Valid() {
+ return android.Paths{c.installSource.Path()}, nil
+ } else {
+ return nil, nil
+ }
}
return nil, fmt.Errorf("Unknown tag %q", tag)
}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 881f7da..1f7901b 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -43,7 +43,7 @@
type compatCil struct {
android.ModuleBase
properties compatCilProperties
- installSource android.Path
+ installSource android.OptionalPath
installPath android.InstallPath
}
@@ -53,6 +53,10 @@
// Output file name. Defaults to module name if unspecified.
Stem *string
+
+ // Target version that this module supports. This module will be ignored if platform sepolicy
+ // version is same as this module's version.
+ Version *string
}
func (c *compatCil) stem() string {
@@ -63,11 +67,19 @@
return android.PathsForModuleSrc(ctx, c.properties.Srcs)
}
+func (c *compatCil) shouldSkipBuild(ctx android.ModuleContext) bool {
+ return proptools.String(c.properties.Version) == ctx.DeviceConfig().PlatformSepolicyVersion()
+}
+
func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if c.ProductSpecific() || c.SocSpecific() || c.DeviceSpecific() {
ctx.ModuleErrorf("Compat cil files only support system and system_ext partitions")
}
+ if c.shouldSkipBuild(ctx) {
+ return
+ }
+
srcPaths := c.expandSeSources(ctx)
out := android.PathForModuleGen(ctx, c.Name())
ctx.Build(pctx, android.BuildParams{
@@ -78,14 +90,17 @@
})
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
- c.installSource = out
- ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+ c.installSource = android.OptionalPathForPath(out)
+ ctx.InstallFile(c.installPath, c.stem(), out)
}
func (c *compatCil) AndroidMkEntries() []android.AndroidMkEntries {
+ if !c.installSource.Valid() {
+ return nil
+ }
return []android.AndroidMkEntries{android.AndroidMkEntries{
Class: "ETC",
- OutputFile: android.OptionalPathForPath(c.installSource),
+ OutputFile: c.installSource,
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
@@ -98,7 +113,11 @@
func (c *compatCil) OutputFiles(tag string) (android.Paths, error) {
switch tag {
case "":
- return android.Paths{c.installSource}, nil
+ if c.installSource.Valid() {
+ return android.Paths{c.installSource.Path()}, nil
+ } else {
+ return nil, nil
+ }
default:
return nil, fmt.Errorf("unsupported module reference tag %q", tag)
}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 644a2dd..f3fb33c 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -440,8 +440,10 @@
Inputs(inputs).
Input(neverallowFile)
- if ctx.SocSpecific() || ctx.DeviceSpecific() {
- checkCmd.Flag("-c") // check coredomain
+ shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
+ ApiLevelU := android.ApiLevelOrPanic(ctx, "UpsideDownCake")
+ if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThan(ApiLevelU) {
+ checkCmd.Flag("-c") // check coredomain for V (or later) launching devices
}
rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
diff --git a/compat/Android.bp b/compat/Android.bp
index 39da7fd..9768eb1 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -133,6 +133,7 @@
stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map{.plat_private}"],
top_half: "plat_30.0.cil",
+ version: "29.0",
}
se_cil_compat_map {
@@ -140,6 +141,7 @@
stem: "30.0.cil",
bottom_half: [":30.0.board.compat.map{.plat_private}"],
top_half: "plat_31.0.cil",
+ version: "30.0",
}
se_cil_compat_map {
@@ -147,6 +149,7 @@
stem: "31.0.cil",
bottom_half: [":31.0.board.compat.map{.plat_private}"],
top_half: "plat_32.0.cil",
+ version: "31.0",
}
se_cil_compat_map {
@@ -154,6 +157,7 @@
stem: "32.0.cil",
bottom_half: [":32.0.board.compat.map{.plat_private}"],
top_half: "plat_33.0.cil",
+ version: "32.0",
}
se_cil_compat_map {
@@ -161,6 +165,7 @@
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.plat_private}"],
top_half: "plat_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -169,6 +174,7 @@
bottom_half: [":29.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_30.0.cil",
system_ext_specific: true,
+ version: "29.0",
}
se_cil_compat_map {
@@ -177,6 +183,7 @@
bottom_half: [":30.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_31.0.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -185,6 +192,7 @@
bottom_half: [":31.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_32.0.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -193,6 +201,7 @@
bottom_half: [":32.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_33.0.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -201,6 +210,7 @@
bottom_half: [":33.0.board.compat.map{.system_ext_private}"],
system_ext_specific: true,
top_half: "system_ext_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -209,6 +219,7 @@
bottom_half: [":29.0.board.compat.map{.product_private}"],
top_half: "product_30.0.cil",
product_specific: true,
+ version: "29.0",
}
se_cil_compat_map {
@@ -217,6 +228,7 @@
bottom_half: [":30.0.board.compat.map{.product_private}"],
top_half: "product_31.0.cil",
product_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -225,6 +237,7 @@
bottom_half: [":31.0.board.compat.map{.product_private}"],
top_half: "product_32.0.cil",
product_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -233,6 +246,7 @@
bottom_half: [":32.0.board.compat.map{.product_private}"],
top_half: "product_33.0.cil",
product_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -241,36 +255,42 @@
bottom_half: [":33.0.board.compat.map{.product_private}"],
product_specific: true,
top_half: "product_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
name: "29.0.ignore.cil",
bottom_half: [":29.0.board.ignore.map{.plat_private}"],
top_half: "30.0.ignore.cil",
+ version: "29.0",
}
se_cil_compat_map {
name: "30.0.ignore.cil",
bottom_half: [":30.0.board.ignore.map{.plat_private}"],
top_half: "31.0.ignore.cil",
+ version: "30.0",
}
se_cil_compat_map {
name: "31.0.ignore.cil",
bottom_half: [":31.0.board.ignore.map{.plat_private}"],
top_half: "32.0.ignore.cil",
+ version: "31.0",
}
se_cil_compat_map {
name: "32.0.ignore.cil",
bottom_half: [":32.0.board.ignore.map{.plat_private}"],
top_half: "33.0.ignore.cil",
+ version: "32.0",
}
se_cil_compat_map {
name: "33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.plat_private}"],
top_half: "34.0.ignore.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -278,6 +298,7 @@
bottom_half: [":30.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_31.0.ignore.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -285,6 +306,7 @@
bottom_half: [":31.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_32.0.ignore.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -292,6 +314,7 @@
bottom_half: [":32.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_33.0.ignore.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -299,6 +322,7 @@
bottom_half: [":33.0.board.ignore.map{.system_ext_private}"],
system_ext_specific: true,
top_half: "system_ext_34.0.ignore.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -306,6 +330,7 @@
bottom_half: [":30.0.board.ignore.map{.product_private}"],
top_half: "product_31.0.ignore.cil",
product_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -313,6 +338,7 @@
bottom_half: [":31.0.board.ignore.map{.product_private}"],
top_half: "product_32.0.ignore.cil",
product_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -320,6 +346,7 @@
bottom_half: [":32.0.board.ignore.map{.product_private}"],
top_half: "product_33.0.ignore.cil",
product_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -327,31 +354,37 @@
bottom_half: [":33.0.board.ignore.map{.product_private}"],
product_specific: true,
top_half: "product_34.0.ignore.cil",
+ version: "33.0",
}
se_compat_cil {
name: "29.0.compat.cil",
srcs: [":29.0.board.compat.cil{.plat_private}"],
+ version: "29.0",
}
se_compat_cil {
name: "30.0.compat.cil",
srcs: [":30.0.board.compat.cil{.plat_private}"],
+ version: "30.0",
}
se_compat_cil {
name: "31.0.compat.cil",
srcs: [":31.0.board.compat.cil{.plat_private}"],
+ version: "31.0",
}
se_compat_cil {
name: "32.0.compat.cil",
srcs: [":32.0.board.compat.cil{.plat_private}"],
+ version: "32.0",
}
se_compat_cil {
name: "33.0.compat.cil",
srcs: [":33.0.board.compat.cil{.plat_private}"],
+ version: "33.0",
}
se_compat_cil {
@@ -359,6 +392,7 @@
srcs: [":29.0.board.compat.cil{.system_ext_private}"],
stem: "29.0.compat.cil",
system_ext_specific: true,
+ version: "29.0",
}
se_compat_cil {
@@ -366,6 +400,7 @@
srcs: [":30.0.board.compat.cil{.system_ext_private}"],
stem: "30.0.compat.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_compat_cil {
@@ -373,6 +408,7 @@
srcs: [":31.0.board.compat.cil{.system_ext_private}"],
stem: "31.0.compat.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_compat_cil {
@@ -380,6 +416,7 @@
srcs: [":32.0.board.compat.cil{.system_ext_private}"],
stem: "32.0.compat.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_compat_cil {
@@ -387,6 +424,7 @@
srcs: [":33.0.board.compat.cil{.system_ext_private}"],
stem: "33.0.compat.cil",
system_ext_specific: true,
+ version: "33.0",
}
se_compat_test {
@@ -412,6 +450,7 @@
name: "plat_34.0.cil",
stem: "34.0.cil",
bottom_half: [":34.0.board.compat.map{.plat_private}"],
+ version: "34.0",
}
se_cil_compat_map {
@@ -419,6 +458,7 @@
stem: "34.0.cil",
bottom_half: [":34.0.board.compat.map{.system_ext_private}"],
system_ext_specific: true,
+ version: "34.0",
}
se_cil_compat_map {
@@ -426,11 +466,13 @@
stem: "34.0.cil",
bottom_half: [":34.0.board.compat.map{.product_private}"],
product_specific: true,
+ version: "34.0",
}
se_cil_compat_map {
name: "34.0.ignore.cil",
bottom_half: [":34.0.board.ignore.map{.plat_private}"],
+ version: "34.0",
}
se_cil_compat_map {
@@ -438,6 +480,7 @@
stem: "34.0.ignore.cil",
bottom_half: [":34.0.board.ignore.map{.system_ext_private}"],
system_ext_specific: true,
+ version: "34.0",
}
se_cil_compat_map {
@@ -445,11 +488,13 @@
stem: "34.0.ignore.cil",
bottom_half: [":34.0.board.ignore.map{.product_private}"],
product_specific: true,
+ version: "34.0",
}
se_compat_cil {
name: "34.0.compat.cil",
srcs: [":34.0.board.compat.cil{.plat_private}"],
+ version: "34.0",
}
se_compat_cil {
@@ -457,4 +502,5 @@
stem: "34.0.compat.cil",
srcs: [":34.0.board.compat.cil{.system_ext_private}"],
system_ext_specific: true,
+ version: "34.0",
}
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index 13dd259..fa6712f 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -47,7 +47,6 @@
hypervisor_restricted_prop
isolated_compute_app
keystore_config_prop
- ntfs
ondevicepersonalization_system_service
fuseblk
fuseblkd_untrusted
diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts
index 258c6b4..ac2ab12 100644
--- a/prebuilts/api/34.0/private/file_contexts
+++ b/prebuilts/api/34.0/private/file_contexts
@@ -233,9 +233,6 @@
/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
-/system/bin/ntfs-3g -- u:object_r:fuseblkd_untrusted_exec:s0
-/system/bin/ntfs-3g-compart -- u:object_r:fuseblkd_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 106cb21..618bb11 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -49,7 +49,6 @@
hypervisor_restricted_prop
isolated_compute_app
keystore_config_prop
- ntfs
ondevicepersonalization_system_service
fuseblk
fuseblkd_untrusted
diff --git a/private/file_contexts b/private/file_contexts
index 6acaf9d..11e4922 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -234,9 +234,6 @@
/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
-/system/bin/ntfs-3g -- u:object_r:fuseblkd_untrusted_exec:s0
-/system/bin/ntfs-3g-compart -- u:object_r:fuseblkd_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 2e5089c..a3765ec 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -14,8 +14,3 @@
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit fsverity_init kernel:system module_request;
diff --git a/private/system_server.te b/private/system_server.te
index 452f4bb..136db38 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -147,9 +147,6 @@
sys_tty_config
};
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
# Allow alarmtimers to be set
allow system_server self:global_capability2_class_set wake_alarm;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index 86f1eb1..d189c89 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -23,6 +23,3 @@
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };
-
-# sometimes a network device vanishes and we try to load module netdev-{devicename}
-dontaudit dnsmasq kernel:system module_request;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 8452b97..788a76f 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -87,7 +87,6 @@
allow fastbootd cache_file:dir search;
allow fastbootd proc_filesystems:file { getattr open read };
allow fastbootd self:capability sys_rawio;
- dontaudit fastbootd kernel:system module_request;
allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
allow fastbootd {
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index e21796a..306d459 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -8,7 +8,6 @@
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
-allow hal_telephony_server kernel:system module_request;
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index b531a22..498469d 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -11,7 +11,6 @@
r_dir_file(hal_wifi_supplicant, sysfs_type)
r_dir_file(hal_wifi_supplicant, proc_net_type)
-allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
diff --git a/public/netd.te b/public/netd.te
index a5c27f9..41ae9ec 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -185,6 +185,4 @@
# (things it requires should be built directly into the kernel)
dontaudit netd self:capability sys_module;
-dontaudit netd kernel:system module_request;
-
dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/public/racoon.te b/public/racoon.te
index e4b299e..00d10a4 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -13,7 +13,6 @@
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
allow racoon cgroup_v2:dir { add_name create };
-allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
allow racoon self:tun_socket create_socket_perms_no_ioctl;
diff --git a/public/update_engine.te b/public/update_engine.te
index ab7090b..f879013 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -29,9 +29,6 @@
allow update_engine update_engine_log_data_file:dir create_dir_perms;
allow update_engine update_engine_log_data_file:file create_file_perms;
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index cd61c9a..a941d6f 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -223,6 +223,7 @@
name: "plat_{ver}.cil",
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.plat_private}}"],
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -230,6 +231,7 @@
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -237,11 +239,13 @@
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.product_private}}"],
product_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
name: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.plat_private}}"],
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -249,6 +253,7 @@
stem: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -256,11 +261,13 @@
stem: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.product_private}}"],
product_specific: true,
+ version: "{ver}",
}}
se_compat_cil {{
name: "{ver}.compat.cil",
srcs: [":{ver}.board.compat.cil{{.plat_private}}"],
+ version: "{ver}",
}}
se_compat_cil {{
@@ -268,6 +275,7 @@
stem: "{ver}.compat.cil",
srcs: [":{ver}.board.compat.cil{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
"""
diff --git a/vendor/ot_rcp.te b/vendor/ot_rcp.te
index 0da517a..b1f57a7 100644
--- a/vendor/ot_rcp.te
+++ b/vendor/ot_rcp.te
@@ -10,7 +10,7 @@
allow hal_threadnetwork_default devpts:chr_file {open read write ioctl};
allow ot_rcp hal_threadnetwork_default:fd use;
allow ot_rcp hal_threadnetwork_default:fifo_file rw_file_perms;
-allow ot_rcp devpts:chr_file {read write};
+allow ot_rcp devpts:chr_file {read write ioctl};
allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
allow ot_rcp node:udp_socket node_bind;
allow ot_rcp port:udp_socket name_bind;