Merge "sepolicy_version: change current version to NN.m format" into oc-dev
diff --git a/Android.mk b/Android.mk
index 804677e..ff3d20d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -654,6 +654,9 @@
nonplat_policy_nvr.recovery :=
##################################
+# SELinux policy embedded into CTS.
+# CTS checks neverallow rules of this policy against the policy of the device under test.
+##################################
include $(CLEAR_VARS)
LOCAL_MODULE := general_sepolicy.conf
@@ -673,28 +676,10 @@
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=false \
+ -D target_full_treble=cts \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE)
-exp_sepolicy_build_files :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy.general
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
-$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
-
-built_general_sepolicy := $(LOCAL_BUILT_MODULE)
-
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
#
@@ -1097,7 +1082,7 @@
$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -v $(PRIVATE_SEPOLICY) -e $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
vnd_svcfiles :=
vndservice_contexts.tmp :=
@@ -1170,8 +1155,6 @@
build_policy :=
built_plat_fc :=
built_nonplat_fc :=
-built_general_sepolicy :=
-built_general_sepolicy.conf :=
built_nl :=
built_plat_cil :=
built_mapping_cil :=
diff --git a/private/app.te b/private/app.te
index 73d7729..f7c060b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -101,6 +101,10 @@
# Allow apps access to /vendor/overlay
r_dir_file(appdomain, vendor_overlay_file)
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;
diff --git a/private/file_contexts b/private/file_contexts
index 83792ed..f6e8e6b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -266,6 +266,8 @@
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/vndk-stable(/.*)? u:object_r:vndk_stable_file:s0
+
# TODO: b/36790901 move this to /vendor/etc
/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
diff --git a/public/domain.te b/public/domain.te
index f16d277..1fb648b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -119,6 +119,11 @@
allow domain same_process_hal_file:dir r_dir_perms;
allow domain same_process_hal_file:file { execute read open getattr };
+# Any process can load vndk-stable libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_stable_file:dir r_dir_perms;
+allow domain vndk_stable_file:file { execute read open getattr };
+
# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
allow domain vendor_configs_file:file { read open getattr };
diff --git a/public/file.te b/public/file.te
index 6468d16..2d02e86 100644
--- a/public/file.te
+++ b/public/file.te
@@ -94,6 +94,8 @@
# Default type for all *same process* HALs.
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-stable libs. /vendor/lib/vndk-stable
+type vndk_stable_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
diff --git a/public/te_macros b/public/te_macros
index bc67278..020bdc5 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -387,7 +387,12 @@
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
-define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
#####################################
# Not full TREBLE