Merge "Show bug_map links on user builds"
diff --git a/Android.mk b/Android.mk
index 9568ab7..b516fa1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -58,7 +58,7 @@
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
-HAS_SYSTEM_EXT_SEPOLICY := true
+HAS_SYSTEM_EXT_SEPOLICY_DIR := true
endif
# TODO(b/119305624): Currently if the device doesn't have a product partition,
@@ -68,7 +68,7 @@
# it so that if no product partition is present, product sepolicy artifacts are
# not built and installed at all.
ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
-HAS_PRODUCT_SEPOLICY := true
+HAS_PRODUCT_SEPOLICY_DIR := true
endif
# TODO: move to README when doing the README update and finalizing versioning.
@@ -145,6 +145,32 @@
genfs_contexts \
port_contexts
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+ # Checks if there are public system_ext policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true
+ endif
+ # Checks if there are public/private system_ext policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_SYSTEM_EXT_SEPOLICY := true
+ endif
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+ # Checks if there are public product policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_PRODUCT_PUBLIC_SEPOLICY := true
+ endif
+ # Checks if there are public/private product policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_PRODUCT_SEPOLICY := true
+ endif
+endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
+
# CIL files which contain workarounds for current limitation of human-readable
# module policy language. These files are appended to the CIL files produced
# from module language files.
@@ -312,8 +338,15 @@
endif
ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
+endif
+
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += system_ext_mapping_file
+endif
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
LOCAL_REQUIRED_MODULES += \
- system_ext_sepolicy.cil \
system_ext_file_contexts \
system_ext_file_contexts_test \
system_ext_hwservice_contexts \
@@ -324,13 +357,19 @@
system_ext_service_contexts \
system_ext_service_contexts_test \
system_ext_mac_permissions.xml \
- system_ext_mapping_file \
endif
ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_sepolicy.cil
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_mapping_file
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
LOCAL_REQUIRED_MODULES += \
- product_sepolicy.cil \
product_file_contexts \
product_file_contexts_test \
product_hwservice_contexts \
@@ -341,7 +380,6 @@
product_service_contexts \
product_service_contexts_test \
product_mac_permissions.xml \
- product_mapping_file \
endif
@@ -804,7 +842,7 @@
#################################
include $(CLEAR_VARS)
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
LOCAL_MODULE := system_ext_mapping_file
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
@@ -825,12 +863,12 @@
-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
-endif # HAS_SYSTEM_EXT_SEPOLICY
+endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
#################################
include $(CLEAR_VARS)
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
LOCAL_MODULE := product_mapping_file
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
@@ -851,7 +889,7 @@
-f $(PRIVATE_FILTER_CIL_FILES) -t $@
built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
-endif # HAS_PRODUCT_SEPOLICY
+endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
#################################
include $(CLEAR_VARS)
@@ -1015,17 +1053,19 @@
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += \
- $(built_system_ext_cil) \
- $(built_system_ext_mapping_cil) \
+all_cil_files += $(built_system_ext_cil)
+endif
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
- $(built_product_cil) \
- $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1172,17 +1212,19 @@
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += \
- $(built_system_ext_cil) \
- $(built_system_ext_mapping_cil) \
+all_cil_files += $(built_system_ext_cil)
+endif
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
- $(built_product_cil) \
- $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1320,11 +1362,11 @@
local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
endif
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
endif
@@ -1456,10 +1498,10 @@
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
endif
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
diff --git a/compat.mk b/compat.mk
index 9604403..5e6dc41 100644
--- a/compat.mk
+++ b/compat.mk
@@ -19,17 +19,19 @@
$(ALL_MODULES.$(version).compat.cil.BUILT) \
ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += \
- $(built_system_ext_cil) \
- $(built_system_ext_mapping_cil) \
+all_cil_files += $(built_system_ext_cil)
+endif
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
- $(built_product_cil) \
- $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
diff --git a/contexts_tests.mk b/contexts_tests.mk
index ac1c341..da5dd83 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -163,7 +163,7 @@
##################################
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
pc_files += $(system_ext_out)/system_ext_property_contexts
@@ -213,7 +213,7 @@
##################################
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
pc_files += $(product_out)/product_property_contexts
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 5be5c06..edf38c7 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,6 +1,8 @@
;; types removed from current policy
(type ashmemd)
(type hal_wifi_offload_hwservice)
+(type install_recovery)
+(type install_recovery_exec)
(type mediacodec_service)
(type perfprofd_data_file)
(type perfprofd_service)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 1d31dbb..88257f1 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -23,5 +23,7 @@
system_passwd_file
vendor_apex_file
vendor_boringssl_self_test
+ vendor_install_recovery
+ vendor_install_recovery_exec
virtual_ab_prop
wifi_stack_service))
diff --git a/private/file_contexts b/private/file_contexts
index 6393f72..8c67e1f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -284,7 +284,6 @@
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/install-recovery\.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
@@ -367,6 +366,8 @@
/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+
#############################
# OEM and ODM files
#
diff --git a/private/install_recovery.te b/private/install_recovery.te
deleted file mode 100644
index b79d683..0000000
--- a/private/install_recovery.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute install_recovery coredomain;
-
-init_daemon_domain(install_recovery)
diff --git a/public/install_recovery.te b/public/install_recovery.te
deleted file mode 100644
index 00caf25..0000000
--- a/public/install_recovery.te
+++ /dev/null
@@ -1,21 +0,0 @@
-# service flash_recovery in init.rc
-type install_recovery, domain;
-type install_recovery_exec, system_file_type, exec_type, file_type;
-
-# /system/bin/install-recovery.sh is a shell script.
-# Needs to execute /system/bin/sh
-allow install_recovery shell_exec:file rx_file_perms;
-
-# Execute /system/bin/applypatch
-allow install_recovery system_file:file rx_file_perms;
-not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
-
-allow install_recovery toolbox_exec:file rx_file_perms;
-
-# Update the recovery block device based off a diff of the boot block device
-allow install_recovery block_device:dir search;
-allow install_recovery boot_block_device:blk_file r_file_perms;
-allow install_recovery recovery_block_device:blk_file rw_file_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/vendor/vendor_install_recovery.te b/vendor/vendor_install_recovery.te
new file mode 100644
index 0000000..ff63f75
--- /dev/null
+++ b/vendor/vendor_install_recovery.te
@@ -0,0 +1,24 @@
+init_daemon_domain(vendor_install_recovery)
+
+# service vendor_flash_recovery in
+# bootable/recovery/applypatch/vendor_flash_recovery.rc
+type vendor_install_recovery, domain;
+type vendor_install_recovery_exec, vendor_file_type, exec_type, file_type;
+
+# /vendor/bin/install-recovery.sh is a shell script.
+# Needs to execute /vendor/bin/sh
+allow vendor_install_recovery vendor_shell_exec:file rx_file_perms;
+
+# Execute /vendor/bin/applypatch
+allow vendor_install_recovery vendor_file:file rx_file_perms;
+not_full_treble(`allow vendor_install_recovery vendor_file:file rx_file_perms;')
+
+allow vendor_install_recovery vendor_toolbox_exec:file rx_file_perms;
+
+# Update the recovery block device based off a diff of the boot block device
+allow vendor_install_recovery block_device:dir search;
+allow vendor_install_recovery boot_block_device:blk_file r_file_perms;
+allow vendor_install_recovery recovery_block_device:blk_file rw_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vendor_install_recovery proc_drop_caches:file w_file_perms;