Merge "Remove /sys/devices/virtual/net labeling from core."
diff --git a/Android.mk b/Android.mk
index c12cea7..cece346 100644
--- a/Android.mk
+++ b/Android.mk
@@ -2,30 +2,6 @@
 
 include $(LOCAL_PATH)/definitions.mk
 
-# PLATFORM_SEPOLICY_VERSION is a number of the form "NN.m" with "NN" mapping to
-# PLATFORM_SDK_VERSION and "m" as a minor number which allows for SELinux
-# changes independent of PLATFORM_SDK_VERSION.  This value will be set to
-# 10000.0 to represent tip-of-tree development that is inherently unstable and
-# thus designed not to work with any shipping vendor policy.  This is similar in
-# spirit to how DEFAULT_APP_TARGET_SDK is set.
-# The minor version ('m' component) must be updated every time a platform release
-# is made which breaks compatibility with the previous platform sepolicy version,
-# not just on every increase in PLATFORM_SDK_VERSION.  The minor version should
-# be reset to 0 on every bump of the PLATFORM_SDK_VERSION.
-sepolicy_major_vers := 27
-sepolicy_minor_vers := 0
-
-ifneq ($(sepolicy_major_vers), $(PLATFORM_SDK_VERSION))
-$(error sepolicy_major_version does not match PLATFORM_SDK_VERSION, please update.)
-endif
-ifneq (REL,$(PLATFORM_VERSION_CODENAME))
-    sepolicy_major_vers := 10000
-    sepolicy_minor_vers := 0
-endif
-PLATFORM_SEPOLICY_VERSION := $(join $(addsuffix .,$(sepolicy_major_vers)), $(sepolicy_minor_vers))
-sepolicy_major_vers :=
-sepolicy_minor_vers :=
-
 include $(CLEAR_VARS)
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
@@ -215,8 +191,7 @@
 # Use split SELinux policy
 LOCAL_REQUIRED_MODULES += \
     $(platform_mapping_file) \
-    26.0.cil \
-    27.0.cil \
+    $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
     plat_pub_versioned.cil \
     vendor_sepolicy.cil \
     plat_sepolicy.cil \
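Review bot: The new `$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))` expands to nothing when PLATFORM_SEPOLICY_COMPAT_VERSIONS is unset or empty, so the compatibility mapping modules silently drop out of LOCAL_REQUIRED_MODULES, whereas a stale literal such as `27.0.cil` would at least have surfaced as a missing module. Since this file no longer computes any sepolicy version itself (the block removed in the first hunk), the variable is presumably supplied by the build system, and a parse-time guard placed before this assignment would make a misconfigured build fail loudly: `ifeq ($(strip $(PLATFORM_SEPOLICY_COMPAT_VERSIONS)),)` / `$(error PLATFORM_SEPOLICY_COMPAT_VERSIONS must be set)` / `endif`. The LOCAL_REQUIRED_MODULES assignment is a backslash-continued list that runs past the end of the hunk.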
diff --git a/private/bug_map b/private/bug_map
index 10b188c..86cfade 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -3,6 +3,7 @@
 crash_dump bluetooth_data_file dir 68319037
 crash_dump resourcecache_data_file dir 68319037
 crash_dump vendor_overlay_file dir 68319037
+hal_fingerprint_default system_data_file dir 73068008
 hal_graphics_allocator_default unlabeled dir 70180742
 hal_graphics_composer_default unlabeled dir 68864350
 priv_app sysfs dir 72749888
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 78fa5f0..9a3a7a3 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -47,6 +47,10 @@
 # Suppress denials to storage. Webview zygote should not be accessing.
 dontaudit webview_zygote mnt_expand_file:dir getattr;
 
+# TODO (b/72957399) remove this when webview_zygote is reparented to
+# app_process zygote
+dontaudit webview_zygote dex2oat_exec:file execute;
+
 # Get seapp_contexts
 allow webview_zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
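Review bot: The comment above the added `dontaudit webview_zygote dex2oat_exec:file execute;` names the bug but does not say that the access remains denied, so a reader skimming the file may take the line for a grant; a dontaudit only drops the audit record, which also removes this denial from log-based monitoring until the TODO is resolved. I would extend the comment with `# The execute is still denied; this only suppresses the audit log until the reparenting lands.` The rules around this addition are complete within the hunk.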
diff --git a/public/domain.te b/public/domain.te
index b175ed4..67eafc2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -912,6 +912,7 @@
     neverallow {
       coredomain
       -init
+      -shell
       -system_executes_vendor_violators
     } {
       vendor_file_type
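Review bot: Exempting `-shell` from both neverallow blocks (this hunk and the one at line 923) lifts the guard for every vendor_file_type, although shell.te, in the last file of this diff, only grants `vendor_shell_exec`. The `system_executes_vendor_violators` attribute being dropped from shell was at least a named marker of the exception; a blanket domain exemption means a future `allow shell <vendor type>:file execute` would no longer be caught by these neverallows. Consider pinning the exception with a narrower rule, for example in shell.te: `neverallow shell { vendor_file_type -vendor_shell_exec }:file { execute execute_no_trans };`. The first neverallow's target set continues past the end of the hunk.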
@@ -922,6 +923,7 @@
 
     neverallow {
       coredomain
+      -shell
       -system_executes_vendor_violators
     } vendor_file_type:file execute_no_trans;
 ')
diff --git a/public/shell.te b/public/shell.te
index 32ad770..5e2745b 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -190,8 +190,6 @@
 allow shell sepolicy_file:file r_file_perms;
 
 # Allow shell to start up vendor shell
-# TODO(b/62041836): system processes should not run vendor executables.
-typeattribute shell system_executes_vendor_violators;
 allow shell vendor_shell_exec:file rx_file_perms;
 
 ###