Merge "Set context for files in the com.android.bootanimation apex"
diff --git a/Android.mk b/Android.mk
index 55a2f81..c1cc51a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -194,6 +194,10 @@
include $(BUILD_PHONY_PACKAGE)
+# selinux_policy is a main goal and triggers lots of tests.
+# Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm')
+# By setting as droidcore's dependency, tests will run on normal builds.
+droidcore: selinux_policy
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_system
@@ -329,9 +333,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_neverallows
-LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
@@ -1199,8 +1202,8 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_tests
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -1214,10 +1217,9 @@
endif
all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-sepolicy_tests := $(intermediates)/sepolicy_tests
-$(sepolicy_tests): ALL_FC_ARGS := $(all_fc_args)
-$(sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
$(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
@@ -1309,8 +1311,8 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_freeze_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
diff --git a/compat.mk b/compat.mk
index 8594751..30904ef 100644
--- a/compat.mk
+++ b/compat.mk
@@ -6,7 +6,10 @@
#
LOCAL_MODULE := $(version)_compat_test
LOCAL_REQUIRED_MODULES := $(version).compat.cil
-intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
all_cil_files := \
$(built_plat_cil) \
@@ -26,16 +29,11 @@
all_cil_files += $(built_odm_cil)
endif
-compat_test := $(intermediates)/$(LOCAL_MODULE)
-droidcore: $(compat_test)
-$(version)_compat_test: $(compat_test)
-.PHONY: $(version)_compat_test
-$(compat_test): PRIVATE_CIL_FILES := $(all_cil_files)
-$(compat_test): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
@mkdir -p $(dir $@)
$(hide) $< -m -N -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
-compat_test :=
all_cil_files :=
version :=
version_under_treble_tests :=
diff --git a/contexts_tests.mk b/contexts_tests.mk
index b229c50..5756d8f 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -21,14 +21,12 @@
# $(2): path to the host tool
# $(3): additional argument to be passed to the tool
define run_contexts_test
-test_out := $$(intermediates)/$$(LOCAL_MODULE)
-$$(test_out): PRIVATE_CONTEXTS := $(1)
-$$(test_out): PRIVATE_SEPOLICY := $$(built_sepolicy)
-$$(test_out): $(2) $(1) $$(built_sepolicy)
+$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $(1)
+$$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $$(built_sepolicy)
+$$(LOCAL_BUILT_MODULE): $(2) $(1) $$(built_sepolicy)
$$(hide) $$< $(3) $$(PRIVATE_SEPOLICY) $$(PRIVATE_CONTEXTS)
$$(hide) mkdir -p $$(dir $$@)
$$(hide) touch $$@
-test_out :=
endef
system_out := $(TARGET_OUT)/etc/selinux
@@ -41,8 +39,8 @@
##################################
LOCAL_MODULE := plat_file_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -52,9 +50,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_file_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_PRODUCT_MODULE := true
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -64,9 +61,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_file_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_VENDOR_MODULE := true
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -76,9 +72,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_file_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_ODM_MODULE := true
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -89,8 +84,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_hwservice_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -100,9 +95,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_hwservice_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_PRODUCT_MODULE := true
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -112,9 +106,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_hwservice_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_VENDOR_MODULE := true
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -124,9 +117,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_hwservice_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_ODM_MODULE := true
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -139,8 +131,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_property_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -153,9 +145,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_property_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_VENDOR_MODULE := true
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -170,9 +161,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_property_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_ODM_MODULE := true
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -189,9 +179,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_property_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_PRODUCT_MODULE := true
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -205,8 +194,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_service_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -216,9 +205,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_service_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_PRODUCT_MODULE := true
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -231,9 +219,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_service_contexts_test
-LOCAL_MODULE_CLASS := ETC
-LOCAL_VENDOR_MODULE := true
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 889795c..5f472a1 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -18,7 +18,7 @@
# Should be synced with keys.conf.
all_plat_keys := platform media shared testkey
-all_plat_keys := $(all_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
+all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index e841832..4d32997 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -123,6 +123,7 @@
su_tmpfs
super_block_device
sysfs_fs_f2fs
+ system_ashmem_hwservice
system_bootstrap_lib_file
system_event_log_tags_file
system_lmk_prop
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index f3745a3..9259202 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -76,6 +76,7 @@
android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.ashmem::IAshmem u:object_r:system_ashmem_hwservice:s0
android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
diff --git a/public/app.te b/public/app.te
index 5c48e71..36dd5e3 100644
--- a/public/app.te
+++ b/public/app.te
@@ -357,8 +357,8 @@
allow appdomain system_server_tmpfs:file { getattr map read write };
allow appdomain zygote_tmpfs:file { map read };
-# Allow vendor apps access to ashmemd to request /dev/ashmem fds.
-binder_call({ appdomain -coredomain }, ashmemd)
+# Allow vendor apps access to ashmem_server to request /dev/ashmem fds.
+binder_call({ appdomain -coredomain }, ashmem_server)
###
### Neverallow rules
diff --git a/public/ashmem_server.te b/public/ashmem_server.te
new file mode 100644
index 0000000..e36a987
--- /dev/null
+++ b/public/ashmem_server.te
@@ -0,0 +1,3 @@
+hwbinder_use(ashmem_server)
+get_prop(ashmem_server, hwservicemanager_prop)
+add_hwservice(ashmem_server, system_ashmem_hwservice)
diff --git a/public/ashmemd.te b/public/ashmemd.te
index 542f093..9ead477 100644
--- a/public/ashmemd.te
+++ b/public/ashmemd.te
@@ -1 +1,3 @@
-type ashmemd, domain;
+# TODO(b/133869224): Make private once ashmemd
+# is cleaned up from vendor sepolicy.
+type ashmemd, domain, ashmem_server;
diff --git a/public/attributes b/public/attributes
index 67979da..d296a46 100644
--- a/public/attributes
+++ b/public/attributes
@@ -303,6 +303,7 @@
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.
+attribute ashmem_server;
attribute camera_service_server;
attribute display_service_server;
attribute mediaswcodec_server;
diff --git a/public/domain.te b/public/domain.te
index c68f5ab..0611892 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -75,7 +75,7 @@
} ashmem_device:chr_file rw_file_perms;
# Allow using fds to /dev/ashmem.
-allow domain ashmemd:fd use;
+allow domain ashmem_server:fd use;
# /dev/binder can be accessed by non-vendor domains and by apps
allow {
diff --git a/public/hwservice.te b/public/hwservice.te
index 7425878..670b8b8 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -65,6 +65,7 @@
type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/installd.te b/public/installd.te
index 04922f5..cec3d91 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -170,7 +170,7 @@
neverallow { domain -system_server -dumpstate } installd:binder call;
neverallow installd {
domain
- -ashmemd
+ -ashmem_server
-system_server
-servicemanager
userdebug_or_eng(`-su')
diff --git a/public/vold.te b/public/vold.te
index 2a278eb..3a38ba5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -302,7 +302,7 @@
neverallow vold {
domain
- -ashmemd
+ -ashmem_server
-hal_health_storage_server
-hal_keymaster_server
-system_suspend_server
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index bc6d685..39bff10 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -5,8 +5,8 @@
# permissions granted do not violate the treble model. Also ensure that treble
# compatibility guarantees are upheld between SELinux version bumps.
LOCAL_MODULE := treble_sepolicy_tests_$(version)
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
@@ -80,14 +80,13 @@
mkdir -p $(dir $@)
cat $^ > $@
-treble_sepolicy_tests_$(version) := $(intermediates)/treble_sepolicy_tests_$(version)
-$(treble_sepolicy_tests_$(version)): ALL_FC_ARGS := $(all_fc_args)
-$(treble_sepolicy_tests_$(version)): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(treble_sepolicy_tests_$(version)): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
-$(treble_sepolicy_tests_$(version)): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(treble_sepolicy_tests_$(version)): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
-$(treble_sepolicy_tests_$(version)): PRIVATE_PLAT_PUB_SEPOLICY := $(base_plat_pub_policy.cil)
-$(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE :=
+$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(base_plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
# TODO(b/113124961): account for PRODUCT_SHIPPING_API_LEVEL when determining
# fake treble status once emulator is no longer fake treble.
@@ -98,11 +97,11 @@
# lead to release problems where they think they pass this test but
# fail it when it actually gets runned for compliance.
#ifeq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),26),)
-$(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE := --fake-treble
+$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
#endif # if PRODUCT_SHIPPING_API_LEVEL < 26 (Android Oreo)
#endif # PRODUCT_SHIPPING_API_LEVEL defined
endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
-$(treble_sepolicy_tests_$(version)): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
$(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
$(base_plat_pub_policy.cil) \
$(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)