Expose starting_at_board_api to access_vectors
It is useful to call the starting_at_board_api macro in access_vectors,
when a new permission is added.
Update the order Soong expects for the build files so that
flagging_macros is accepted as the first entry (once processed by m4,
this file is expected to contain only comments).
Guard the recently added checkpoint_restore and bpf permissions behind
the starting_at_board_api macro.
Test: build
Bug: 353121021
Change-Id: Ic26af97aa0c99e4166e993900e1645a7709d7904
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 7b2122c..6b7bd5f 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -33,6 +33,7 @@
// This order should be kept. checkpolicy syntax requires it.
var policyConfOrder = []string{
+ "flagging_macros",
"security_classes",
"initial_sids",
"access_vectors",
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 26e8989..268670c 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -55,5 +55,5 @@
filegroup {
name: "sepolicy_flagging_macros",
- srcs: ["te_macros"],
+ srcs: ["flagging_macros"],
}
diff --git a/flagging/te_macros b/flagging/flagging_macros
similarity index 100%
rename from flagging/te_macros
rename to flagging/flagging_macros
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index dce4898..e9b4b1e 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -107,6 +107,7 @@
se_policy_conf {
name: "microdroid_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: reqd_mask_files,
installable: false,
mls_cats: 1,
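Review bot: The same `defaults: ["se_policy_conf_flags_defaults"],` line is added by hand to each `se_policy_conf` module, here, in the other three microdroid hunks and in the prebuilts/api 29.0–34.0 hunks, and nothing visible ensures that a module which was missed, or one added later, gets it. If every policy conf now needs these defaults because `flagging_macros` is always processed (inferred from the commit message, not shown in these hunks), a module without them would presumably expand the flagging macros without the flag values they rely on. Consider having the `se_policy_conf` module type supply the flags itself, or record the requirement in each file with a short comment such as `// Required: flagging_macros needs the flag values to expand.` The module bodies continue outside the hunks.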
@@ -121,6 +122,7 @@
se_policy_conf {
name: "microdroid_plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: system_policy_files,
installable: false,
mls_cats: 1,
@@ -135,6 +137,7 @@
se_policy_conf {
name: "microdroid_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: system_public_policy_files,
installable: false,
mls_cats: 1,
@@ -172,6 +175,7 @@
se_policy_conf {
name: "microdroid_vendor_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: vendor_policy_files,
installable: false,
mls_cats: 1,
diff --git a/prebuilts/api/29.0/Android.bp b/prebuilts/api/29.0/Android.bp
index 8acca29..797b4b5 100644
--- a/prebuilts/api/29.0/Android.bp
+++ b/prebuilts/api/29.0/Android.bp
@@ -14,6 +14,7 @@
se_policy_conf {
name: "29.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_29.0}",
":se_build_files{.reqd_mask}",
@@ -32,6 +33,7 @@
se_policy_conf {
name: "29.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_29.0}",
":se_build_files{.system_ext_public_29.0}",
diff --git a/prebuilts/api/30.0/Android.bp b/prebuilts/api/30.0/Android.bp
index 6f3254d..30be837 100644
--- a/prebuilts/api/30.0/Android.bp
+++ b/prebuilts/api/30.0/Android.bp
@@ -14,6 +14,7 @@
se_policy_conf {
name: "30.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_30.0}",
":se_build_files{.reqd_mask}",
@@ -32,6 +33,7 @@
se_policy_conf {
name: "30.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_30.0}",
":se_build_files{.system_ext_public_30.0}",
diff --git a/prebuilts/api/31.0/Android.bp b/prebuilts/api/31.0/Android.bp
index caf1c10..cf8de96 100644
--- a/prebuilts/api/31.0/Android.bp
+++ b/prebuilts/api/31.0/Android.bp
@@ -14,6 +14,7 @@
se_policy_conf {
name: "31.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_31.0}",
":se_build_files{.reqd_mask}",
@@ -32,6 +33,7 @@
se_policy_conf {
name: "31.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_31.0}",
":se_build_files{.system_ext_public_31.0}",
diff --git a/prebuilts/api/32.0/Android.bp b/prebuilts/api/32.0/Android.bp
index 9a2b4e2..92c694b 100644
--- a/prebuilts/api/32.0/Android.bp
+++ b/prebuilts/api/32.0/Android.bp
@@ -14,6 +14,7 @@
se_policy_conf {
name: "32.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_32.0}",
":se_build_files{.reqd_mask}",
@@ -32,6 +33,7 @@
se_policy_conf {
name: "32.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_32.0}",
":se_build_files{.system_ext_public_32.0}",
diff --git a/prebuilts/api/33.0/Android.bp b/prebuilts/api/33.0/Android.bp
index 0a01a44..211445f 100644
--- a/prebuilts/api/33.0/Android.bp
+++ b/prebuilts/api/33.0/Android.bp
@@ -14,6 +14,7 @@
se_policy_conf {
name: "33.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_33.0}",
":se_build_files{.reqd_mask}",
@@ -32,6 +33,7 @@
se_policy_conf {
name: "33.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_33.0}",
":se_build_files{.system_ext_public_33.0}",
diff --git a/prebuilts/api/34.0/Android.bp b/prebuilts/api/34.0/Android.bp
index b3be5bb..b52801f 100644
--- a/prebuilts/api/34.0/Android.bp
+++ b/prebuilts/api/34.0/Android.bp
@@ -14,6 +14,7 @@
se_policy_conf {
name: "34.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_34.0}",
":se_build_files{.reqd_mask}",
@@ -32,6 +33,7 @@
se_policy_conf {
name: "34.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_34.0}",
":se_build_files{.system_ext_public_34.0}",
diff --git a/private/access_vectors b/private/access_vectors
index 7a280c5..9d82ac8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -139,8 +139,8 @@
block_suspend
audit_read
perfmon
- checkpoint_restore
- bpf
+ starting_at_board_api(202504, `checkpoint_restore')
+ starting_at_board_api(202504, `bpf')
}
#
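Review bot: With `checkpoint_restore` and `bpf` now conditional, the set of permissions in this block depends on the board API level, and nothing here records the ordering constraint that keeps that safe. The two guarded entries are the last ones before the closing brace, so dropping them leaves the earlier permissions where they were; an unguarded permission appended after them later would sit at a different position depending on the level. I would add a comment above them, `# Guarded permissions must stay last; guard any permission added after them with the same or a newer board API level.` How checks are decided for permissions the policy leaves undefined depends on the policy's handle-unknown setting, which is not visible in this diff. The enclosing block starts outside the hunk.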