Merge "Define access to AVF chosen node properties"

commit: 629e12499a63a1da1a5fdadd55c814284727acd3 [log] [tgz]
author: Andrew Scull <ascull@google.com> Mon Mar 14 17:06:24 2022 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Mon Mar 14 17:06:24 2022 +0000
tree: 598b444ceddf9a1c6ff2cacb19123bfe698f7c00
parent: aaf65c2d6503a422a258c80cdaf4307873e9265d [diff]
parent: 2dba72540cc2ef058ae9f7e8eec2ef42fcab9dd1 [diff]
diff --git a/apex/Android.bp b/apex/Android.bp
index b85b1f5..5d61303 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp

@@ -263,3 +263,10 @@
     "com.android.car.framework-file_contexts",
   ],
 }
+
+filegroup {
+  name: "com.android.ondevicepersonalization-file_contexts",
+  srcs: [
+    "com.android.ondevicepersonalization-file_contexts",
+  ],
+}

diff --git a/apex/com.android.ondevicepersonalization-file_contexts b/apex/com.android.ondevicepersonalization-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.ondevicepersonalization-file_contexts

@@ -0,0 +1 @@
+(/.*)?           u:object_r:system_file:s0

diff --git a/build/soong/policy.go b/build/soong/policy.go
index 390c439..b1840da 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go

@@ -88,6 +88,9 @@
 
 	// Whether this module is directly installable to one of the partitions. Default is true
 	Installable *bool
+
+	// Desired number of MLS categories. Defaults to 1024
+	Mls_cats *int64
 }
 
 type policyConf struct {
@@ -189,6 +192,10 @@
 	return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
 }
 
+func (c *policyConf) mlsCats() int {
+	return proptools.IntDefault(c.properties.Mls_cats, MlsCats)
+}
+
 func findPolicyConfOrder(name string) int {
 	for idx, pattern := range policyConfOrder {
 		if pattern == name || (pattern == "*.te" && strings.HasSuffix(name, ".te")) {
@@ -212,7 +219,7 @@
 		Flag("--fatal-warnings").
 		FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
 		FlagWithArg("-D mls_num_sens=", strconv.Itoa(MlsSens)).
-		FlagWithArg("-D mls_num_cats=", strconv.Itoa(MlsCats)).
+		FlagWithArg("-D mls_num_cats=", strconv.Itoa(c.mlsCats())).
 		FlagWithArg("-D target_arch=", ctx.DeviceConfig().DeviceArch()).
 		FlagWithArg("-D target_with_asan=", c.withAsan(ctx)).
 		FlagWithArg("-D target_with_dexpreopt=", strconv.FormatBool(ctx.DeviceConfig().WithDexpreopt())).

diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 0600207..0628a5b 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp

@@ -109,6 +109,7 @@
     name: "microdroid_reqd_policy_mask.conf",
     srcs: reqd_mask_files,
     installable: false,
+    mls_cats: 1,
 }
 
 se_policy_cil {
@@ -122,6 +123,7 @@
     name: "microdroid_plat_sepolicy.conf",
     srcs: system_policy_files,
     installable: false,
+    mls_cats: 1,
 }
 
 se_policy_cil {
@@ -135,6 +137,7 @@
     name: "microdroid_plat_pub_policy.conf",
     srcs: system_public_policy_files,
     installable: false,
+    mls_cats: 1,
 }
 
 se_policy_cil {
@@ -171,6 +174,7 @@
     name: "microdroid_vendor_sepolicy.conf",
     srcs: vendor_policy_files,
     installable: false,
+    mls_cats: 1,
 }
 
 se_policy_cil {
@@ -287,4 +291,5 @@
     srcs: system_policy_files,
     exclude_build_test: true,
     installable: false,
+    mls_cats: 1,
 }

diff --git a/private/dumpstate.te b/private/dumpstate.te
index ed3e996..149d389 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te

@@ -120,3 +120,6 @@
 # /dev/null.
 allow perfetto dumpstate_tmpfs:file rw_file_perms;
 allow perfetto dumpstate:fd use;
+
+# system_dlkm_file for /system_dlkm partition
+allow dumpstate system_dlkm_file:dir getattr;

diff --git a/vendor/file_contexts b/vendor/file_contexts
index d0c474c..0cfb7cf 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts

@@ -32,7 +32,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example    u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy       u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.clearkey(-lazy)? u:object_r:hal_drm_clearkey_aidl_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service(-lazy)?\.clearkey u:object_r:hal_drm_clearkey_aidl_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service            u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy       u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example      u:object_r:hal_dumpstate_default_exec:s0
commit	629e12499a63a1da1a5fdadd55c814284727acd3	[log] [tgz]
author	Andrew Scull <ascull@google.com>	Mon Mar 14 17:06:24 2022 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Mon Mar 14 17:06:24 2022 +0000
tree	598b444ceddf9a1c6ff2cacb19123bfe698f7c00
parent	aaf65c2d6503a422a258c80cdaf4307873e9265d [diff]
parent	2dba72540cc2ef058ae9f7e8eec2ef42fcab9dd1 [diff]