Merge "Delete mdns_service_fuzzer" into main
diff --git a/Android.bp b/Android.bp
index 6c8fa2a..038d92f 100644
--- a/Android.bp
+++ b/Android.bp
@@ -103,6 +103,7 @@
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
name: "reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: reqd_mask_policy,
installable: false,
}
@@ -138,6 +139,7 @@
//
se_policy_conf {
name: "pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -157,6 +159,7 @@
se_policy_conf {
name: "system_ext_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
reqd_mask_policy,
@@ -175,6 +178,7 @@
se_policy_conf {
name: "plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
installable: false,
@@ -195,6 +199,7 @@
// currently being attributized.
se_policy_conf {
name: "plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
installable: false,
@@ -210,6 +215,7 @@
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "userdebug",
@@ -260,6 +266,7 @@
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
name: "system_ext_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -280,6 +287,7 @@
// which will ship with the device. Product policy is not attributized
se_policy_conf {
name: "product_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -348,6 +356,7 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -389,6 +398,7 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -598,6 +608,7 @@
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -634,6 +645,7 @@
//////////////////////////////////
se_policy_conf {
name: "general_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "user",
@@ -650,6 +662,7 @@
//////////////////////////////////
se_policy_conf {
name: "base_plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "user",
@@ -675,6 +688,7 @@
se_policy_conf {
name: "base_product_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -704,6 +718,7 @@
se_policy_conf {
name: "base_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
build_variant: "user",
@@ -723,6 +738,7 @@
se_policy_conf {
name: "base_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -770,6 +786,7 @@
se_neverallow_test {
name: "sepolicy_neverallows",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 83b31b4..0abfdf6 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -35,6 +35,7 @@
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
+ "flags.go",
"mac_permissions.go",
"policy.go",
"selinux.go",
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 1f7901b..baad413 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -129,6 +129,7 @@
// current policy.
func compatTestFactory() android.SingletonModule {
f := &compatTestModule{}
+ f.AddProperties(&f.properties)
android.InitAndroidModule(f)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
f.loadHook(ctx)
@@ -138,6 +139,10 @@
type compatTestModule struct {
android.SingletonModuleBase
+ properties struct {
+ // Default modules for conf
+ Defaults []string
+ }
compatTestTimestamp android.ModuleOutPath
}
@@ -157,6 +162,10 @@
":se_build_files{.reqd_mask}",
},
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: f.properties.Defaults,
})
ctx.CreateModule(policyCilFactory, &nameProperties{
diff --git a/build/soong/flags.go b/build/soong/flags.go
new file mode 100644
index 0000000..b1aebac
--- /dev/null
+++ b/build/soong/flags.go
@@ -0,0 +1,54 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "android/soong/android"
+)
+
+type flagsProperties struct {
+ // List of flags to be passed to M4 macro.
+ Flags []string
+}
+
+type flaggableModule interface {
+ android.Module
+ flagModuleBase() *flaggableModuleBase
+ getBuildFlags(ctx android.ModuleContext) map[string]string
+}
+
+type flaggableModuleBase struct {
+ properties flagsProperties
+}
+
+func initFlaggableModule(m flaggableModule) {
+ base := m.flagModuleBase()
+ m.AddProperties(&base.properties)
+}
+
+func (f *flaggableModuleBase) flagModuleBase() *flaggableModuleBase {
+ return f
+}
+
+// getBuildFlags returns a map from flag names to flag values.
+func (f *flaggableModuleBase) getBuildFlags(ctx android.ModuleContext) map[string]string {
+ ret := make(map[string]string)
+ for _, flag := range android.SortedUniqueStrings(f.properties.Flags) {
+ if val, ok := ctx.Config().GetBuildFlag(flag); ok {
+ ret[flag] = val
+ }
+ }
+ return ret
+}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 0793e2a..9d87275 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -58,6 +58,7 @@
func init() {
android.RegisterModuleType("se_policy_conf", policyConfFactory)
+ android.RegisterModuleType("se_policy_conf_defaults", policyConfDefaultFactory)
android.RegisterModuleType("se_policy_cil", policyCilFactory)
android.RegisterModuleType("se_policy_binary", policyBinaryFactory)
}
@@ -93,6 +94,8 @@
type policyConf struct {
android.ModuleBase
+ android.DefaultableModuleBase
+ flaggableModuleBase
properties policyConfProperties
@@ -100,12 +103,35 @@
installPath android.InstallPath
}
+var _ flaggableModule = (*policyConf)(nil)
+
// se_policy_conf merges collection of policy files into a policy.conf file to be processed by
// checkpolicy.
func policyConfFactory() android.Module {
c := &policyConf{}
c.AddProperties(&c.properties)
+ initFlaggableModule(c)
android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ android.InitDefaultableModule(c)
+ return c
+}
+
+type policyConfDefaults struct {
+ android.ModuleBase
+ android.DefaultsModuleBase
+}
+
+// se_policy_conf_defaults provides a set of properties that can be inherited by other
+// se_policy_conf_defaults modules. A module can use the properties from a se_policy_conf_defaults
+// using `defaults: ["<:default_module_name>"]`. Properties of both modules are merged (when
+// possible) by prepending the default module's values to the depending module's values.
+func policyConfDefaultFactory() android.Module {
+ c := &policyConfDefaults{}
+ c.AddProperties(
+ &policyConfProperties{},
+ &flagsProperties{},
+ )
+ android.InitDefaultsModule(c)
return c
}
@@ -216,6 +242,7 @@
return findPolicyConfOrder(srcs[x].Base()) < findPolicyConfOrder(srcs[y].Base())
})
+ flags := c.getBuildFlags(ctx)
rule.Command().Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Flag("--fatal-warnings").
FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
@@ -234,6 +261,7 @@
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
+ Flags(flagsToM4Macros(flags)).
Flag("-s").
Inputs(srcs).
Text("> ").Output(conf)
@@ -242,10 +270,6 @@
return conf
}
-func (c *policyConf) DepsMutator(ctx android.BottomUpMutatorContext) {
- // do nothing
-}
-
func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if !c.installable() {
c.SkipInstall()
diff --git a/build/soong/selinux.go b/build/soong/selinux.go
index 5fbe01eb..f811231 100644
--- a/build/soong/selinux.go
+++ b/build/soong/selinux.go
@@ -40,3 +40,13 @@
return android.PathForModuleOut(ctx, ctx.Config().DeviceName()).Join(ctx, paths...)
}
+
+// flagsToM4Macros converts given map to a list of M4's -D parameters to guard te files and contexts
+// files.
+func flagsToM4Macros(flags map[string]string) []string {
+ flagMacros := []string{}
+ for _, flag := range android.SortedKeys(flags) {
+ flagMacros = append(flagMacros, "-D target_flag_"+flag+"="+flags[flag])
+ }
+ return flagMacros
+}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index de7355c..5cc9c70 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -17,7 +17,6 @@
import (
"fmt"
"io"
- "os"
"github.com/google/blueprint"
"github.com/google/blueprint/proptools"
@@ -59,6 +58,8 @@
type selinuxContextsModule struct {
android.ModuleBase
+ android.DefaultableModuleBase
+ flaggableModuleBase
properties selinuxContextsProperties
seappProperties seappProperties
@@ -68,6 +69,8 @@
installPath android.InstallPath
}
+var _ flaggableModule = (*selinuxContextsModule)(nil)
+
var (
reuseContextsDepTag = dependencyTag{name: "reuseContexts"}
syspropLibraryDepTag = dependencyTag{name: "sysprop_library"}
@@ -76,6 +79,7 @@
func init() {
pctx.HostBinToolVariable("fc_sort", "fc_sort")
+ android.RegisterModuleType("contexts_defaults", contextsDefaultsFactory)
android.RegisterModuleType("file_contexts", fileFactory)
android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
android.RegisterModuleType("property_contexts", propertyFactory)
@@ -155,13 +159,35 @@
&m.properties,
&m.seappProperties,
)
+ initFlaggableModule(m)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ android.InitDefaultableModule(m)
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
m.selinuxContextsHook(ctx)
})
return m
}
+type contextsDefaults struct {
+ android.ModuleBase
+ android.DefaultsModuleBase
+}
+
+// contexts_defaults provides a set of properties that can be inherited by other contexts modules.
+// (file_contexts, property_contexts, seapp_contexts, etc.) A module can use the properties from a
+// contexts_defaults using `defaults: ["<:default_module_name>"]`. Properties of both modules are
+// erged (when possible) by prepending the default module's values to the depending module's values.
+func contextsDefaultsFactory() android.Module {
+ m := &contextsDefaults{}
+ m.AddProperties(
+ &selinuxContextsProperties{},
+ &seappProperties{},
+ &flagsProperties{},
+ )
+ android.InitDefaultsModule(m)
+ return m
+}
+
func (m *selinuxContextsModule) selinuxContextsHook(ctx android.LoadHookContext) {
// TODO: clean this up to use build/soong/android/variable.go after b/79249983
var srcs []string
@@ -245,10 +271,12 @@
inputsWithNewline = append(inputsWithNewline, input, newlineFile)
}
+ flags := m.getBuildFlags(ctx)
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+ Flags(flagsToM4Macros(flags)).
Inputs(inputsWithNewline).
FlagWithOutput("> ", builtContext)
@@ -309,7 +337,7 @@
return m.buildGeneralContexts(ctx, inputs)
}
-func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
+func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, input android.Path) android.Path {
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
@@ -350,37 +378,33 @@
}
}
- var ret android.Paths
- for _, input := range inputs {
- cmd := rule.Command().
- BuiltTool("check_prop_prefix").
- FlagWithInput("--property-contexts ", input).
- FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
- FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
+ cmd := rule.Command().
+ BuiltTool("check_prop_prefix").
+ FlagWithInput("--property-contexts ", input).
+ FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
+ FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
- if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
- cmd.Flag("--strict")
- }
-
- out := pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String())
- rule.Command().Text("cp -f").Input(input).Output(out)
- ret = append(ret, out)
+ if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
+ cmd.Flag("--strict")
}
+
+ out := pathForModuleOut(ctx, ctx.ModuleName()+"_namespace_checked")
+ rule.Command().Text("cp -f").Input(input).Output(out)
rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
- return ret
+ return out
}
func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
// vendor/odm properties are enforced for devices launching with Android Q or later. So, if
// vendor/odm, make sure that only vendor/odm properties exist.
+ builtCtxFile := m.buildGeneralContexts(ctx, inputs)
+
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
- inputs = m.checkVendorPropertyNamespace(ctx, inputs)
+ builtCtxFile = m.checkVendorPropertyNamespace(ctx, builtCtxFile)
}
- builtCtxFile := m.buildGeneralContexts(ctx, inputs)
-
var apiFiles android.Paths
ctx.VisitDirectDepsWithTag(syspropLibraryDepTag, func(c android.Module) {
i, ok := c.(interface{ CurrentSyspropApiFile() android.OptionalPath })
@@ -429,23 +453,39 @@
func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
neverallowFile := pathForModuleOut(ctx, "neverallow")
- ret := pathForModuleOut(ctx, m.stem())
+ ret := pathForModuleOut(ctx, "checkseapp", m.stem())
+ // Step 1. Generate a M4 processed neverallow file
+ flags := m.getBuildFlags(ctx)
+ m4NeverallowFile := pathForModuleOut(ctx, "neverallow.m4out")
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().Text("(grep").
+ rule.Command().
+ Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
+ Flag("--fatal-warnings").
+ FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+ Flags(flagsToM4Macros(flags)).
+ Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
+ FlagWithOutput("> ", m4NeverallowFile)
+
+ rule.Temporary(m4NeverallowFile)
+ rule.Command().
+ Text("( grep").
Flag("-ihe").
Text("'^neverallow'").
- Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
- Text(os.DevNull). // to make grep happy even when Neverallow_files is empty
+ Input(m4NeverallowFile).
Text(">").
Output(neverallowFile).
- Text("|| true)") // to make ninja happy even when result is empty
+ Text("|| true )") // to make ninja happy even when result is empty
+ // Step 2. Generate a M4 processed contexts file
+ builtCtx := m.buildGeneralContexts(ctx, inputs)
+
+ // Step 3. checkseapp
rule.Temporary(neverallowFile)
checkCmd := rule.Command().BuiltTool("checkseapp").
FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
FlagWithOutput("-o ", ret).
- Inputs(inputs).
+ Input(builtCtx).
Input(neverallowFile)
if m.shouldCheckCoredomain(ctx) {
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index fc47ab3..6e159e9 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -29,6 +29,9 @@
}
type neverallowTestProperties struct {
+ // Default modules for conf
+ Defaults []string
+
// Policy files to be tested.
Srcs []string `android:"path"`
}
@@ -79,6 +82,10 @@
Srcs: n.properties.Srcs,
Build_variant: proptools.StringPtr("user"),
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: n.properties.Defaults,
})
sepolicyAnalyzeConf := n.sepolicyAnalyzeConfModuleName()
@@ -89,6 +96,10 @@
Build_variant: proptools.StringPtr("user"),
Exclude_build_test: proptools.BoolPtr(true),
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: n.properties.Defaults,
})
}
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 540c5cf..e2a35f9 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -115,7 +115,7 @@
"android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
- "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": []string{"android.hardware.authgraph-service.nonsecure_fuzzer"},
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
diff --git a/compat/Android.bp b/compat/Android.bp
index 9768eb1..2c6239f 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -429,6 +429,7 @@
se_compat_test {
name: "sepolicy_compat_test",
+ defaults: ["se_policy_conf_flags_defaults"],
}
se_build_files {
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 914232a..464c772 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -70,6 +70,7 @@
file_contexts {
name: "plat_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.plat_private}"],
product_variables: {
address_sanitize: {
@@ -83,6 +84,7 @@
file_contexts {
name: "plat_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.plat_private}"],
stem: "plat_file_contexts",
product_variables: {
@@ -98,6 +100,7 @@
file_contexts {
name: "vendor_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
@@ -108,6 +111,7 @@
file_contexts {
name: "vendor_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
@@ -119,12 +123,14 @@
file_contexts {
name: "system_ext_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
file_contexts {
name: "system_ext_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.system_ext_private}"],
stem: "system_ext_file_contexts",
recovery: true,
@@ -132,12 +138,14 @@
file_contexts {
name: "product_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.product_private}"],
product_specific: true,
}
file_contexts {
name: "product_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.product_private}"],
stem: "product_file_contexts",
recovery: true,
@@ -145,6 +153,7 @@
file_contexts {
name: "odm_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.odm}"],
device_specific: true,
fc_sort: true,
@@ -152,6 +161,7 @@
file_contexts {
name: "odm_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.odm}"],
stem: "odm_file_contexts",
recovery: true,
@@ -160,23 +170,27 @@
hwservice_contexts {
name: "plat_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.plat_private}"],
}
hwservice_contexts {
name: "system_ext_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
hwservice_contexts {
name: "product_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.product_private}"],
product_specific: true,
}
hwservice_contexts {
name: "vendor_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":hwservice_contexts_files{.plat_vendor}",
":hwservice_contexts_files{.vendor}",
@@ -187,17 +201,20 @@
hwservice_contexts {
name: "odm_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.odm}"],
device_specific: true,
}
property_contexts {
name: "plat_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.plat_private}"],
}
property_contexts {
name: "plat_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.plat_private}"],
stem: "plat_property_contexts",
recovery: true,
@@ -205,6 +222,7 @@
property_contexts {
name: "system_ext_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.system_ext_private}"],
system_ext_specific: true,
recovery_available: true,
@@ -212,6 +230,7 @@
property_contexts {
name: "product_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.product_private}"],
product_specific: true,
recovery_available: true,
@@ -219,6 +238,7 @@
property_contexts {
name: "vendor_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":property_contexts_files{.plat_vendor}",
":property_contexts_files{.vendor}",
@@ -230,6 +250,7 @@
property_contexts {
name: "odm_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.odm}"],
device_specific: true,
recovery_available: true,
@@ -237,11 +258,13 @@
service_contexts {
name: "plat_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.plat_private}"],
}
service_contexts {
name: "plat_service_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.plat_private}"],
stem: "plat_service_contexts",
recovery: true,
@@ -249,6 +272,7 @@
service_contexts {
name: "system_ext_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.system_ext_private}"],
system_ext_specific: true,
recovery_available: true,
@@ -256,6 +280,7 @@
service_contexts {
name: "product_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.product_private}"],
product_specific: true,
recovery_available: true,
@@ -263,6 +288,7 @@
service_contexts {
name: "vendor_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":service_contexts_files{.plat_vendor}",
":service_contexts_files{.vendor}",
@@ -274,6 +300,7 @@
service_contexts {
name: "odm_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":service_contexts_files{.odm}",
],
@@ -283,23 +310,27 @@
keystore2_key_contexts {
name: "plat_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.plat_private}"],
}
keystore2_key_contexts {
name: "system_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
keystore2_key_contexts {
name: "product_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.product_private}"],
product_specific: true,
}
keystore2_key_contexts {
name: "vendor_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":keystore2_key_contexts_files{.plat_vendor}",
":keystore2_key_contexts_files{.vendor}",
@@ -310,12 +341,14 @@
seapp_contexts {
name: "plat_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.plat_private}"],
sepolicy: ":precompiled_sepolicy",
}
seapp_contexts {
name: "system_ext_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.system_ext_private}"],
neverallow_files: [":seapp_contexts_files{.plat_private}"],
system_ext_specific: true,
@@ -324,6 +357,7 @@
seapp_contexts {
name: "product_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.product_private}"],
neverallow_files: [
":seapp_contexts_files{.plat_private}",
@@ -335,6 +369,7 @@
seapp_contexts {
name: "vendor_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":seapp_contexts_files{.plat_vendor}",
":seapp_contexts_files{.vendor}",
@@ -351,6 +386,7 @@
seapp_contexts {
name: "odm_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":seapp_contexts_files{.odm}",
],
@@ -365,6 +401,7 @@
vndservice_contexts {
name: "vndservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":vndservice_contexts_files{.plat_vendor}",
":vndservice_contexts_files{.vendor}",
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 50d9de4..d9767ed 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -538,6 +538,8 @@
/vendor/framework/test vendor_framework_file
/system/vendor/framework vendor_framework_file
/system/vendor/framework/test vendor_framework_file
+/vendor/etc/avf/microdroid vendor_microdroid_file
+/vendor/etc/avf/microdroid/test vendor_microdroid_file
/vendor/apex vendor_apex_file
/vendor/apex/test vendor_apex_file
diff --git a/flagging/Android.bp b/flagging/Android.bp
new file mode 100644
index 0000000..babd034
--- /dev/null
+++ b/flagging/Android.bp
@@ -0,0 +1,32 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains a list of flags for sepolicy.
+se_policy_conf_defaults {
+ name: "se_policy_conf_flags_defaults",
+ srcs: [":sepolicy_flagging_macros"],
+ flags: [],
+}
+
+contexts_defaults {
+ name: "contexts_flags_defaults",
+ srcs: [":sepolicy_flagging_macros"],
+ neverallow_files: [":sepolicy_flagging_macros"], // for seapp_contexts
+ flags: [],
+}
+
+filegroup {
+ name: "sepolicy_flagging_macros",
+ srcs: ["te_macros"],
+}
diff --git a/flagging/te_macros b/flagging/te_macros
new file mode 100644
index 0000000..3464502
--- /dev/null
+++ b/flagging/te_macros
@@ -0,0 +1,9 @@
+####################################
+# is_flag_enabled(flag, rules)
+# SELinux rules which apply only if given feature is turned on
+define(`is_flag_enabled', `ifelse(target_flag_$1, `true', `$2')')
+
+####################################
+# is_flag_disabled(flag, rules)
+# SELinux rules which apply only if given feature is turned off
+define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')')
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 5d4a73c..e4315a2 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -57,6 +57,9 @@
allow microdroid_payload encryptedstore_file:dir create_dir_perms;
allow microdroid_payload encryptedstore_file:file create_file_perms;
+# Payload can access devices labeled as payload accessible.
+allow microdroid_payload payload_accessible_device:chr_file rw_file_perms;
+
# Never allow microdroid_payload to connect to vsock
neverallow microdroid_payload self:vsock_socket connect;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 1a64b62..dfae6f9 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -12,6 +12,7 @@
type null_device, dev_type;
type open_dice_device, dev_type;
type owntty_device, dev_type;
+type payload_accessible_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index ddaa7e2..1af6750 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -18,6 +18,7 @@
ot_daemon_service
remote_auth_service
security_state_service
+ setupwizard_mode_prop
sysfs_sync_on_suspend
threadnetwork_service
device_config_aconfig_flags_prop
@@ -27,4 +28,5 @@
binderfs_logs_stats
drm_forcel3_prop
proc_percpu_pagelist_high_fraction
+ vendor_microdroid_file
))
diff --git a/private/coredomain.te b/private/coredomain.te
index f9b47df..dfb08b1 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -15,6 +15,7 @@
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, setupwizard_mode_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
diff --git a/private/crosvm.te b/private/crosvm.te
index afcaa3d..ed89b87 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,7 +27,7 @@
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file).
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
@@ -39,6 +39,7 @@
apex_compos_data_file
apex_virt_data_file
shell_data_file
+ vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
@@ -126,6 +127,7 @@
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
+ -vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
diff --git a/private/domain.te b/private/domain.te
index 0861fa5..2f107dd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -610,6 +610,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file
+ -vendor_microdroid_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
diff --git a/private/file_contexts b/private/file_contexts
index 2481c07..32092da 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -1,4 +1,25 @@
###########################################
+# Entries in this file describe the security context associated with a file
+# path. They are used when building the device image, to include the security
+# context within the extended file attributes of the file system. They are also
+# used at runtime when calling restorecon.
+#
+# Entries are merged with other file_contexts from other partitions (e.g.,
+# vendor or odm, see the full list at libselinux/src/android/android.c).
+#
+# The entries are evaluated by the following rules:
+# - Static entries (that is, not using regular expressions) are always
+# evaluated first.
+# - The first matching entry is used.
+# - Entries are evaluated from the bottom to the top.
+#
+# Based on these rules, it is recommended that the less specific entries appear
+# first. For instance:
+# /dev(/.*)? u:object_r:device:s0
+# /dev/block(/.*)? u:object_r:block_device:s0
+# /dev/block/my_dev u:object_r:my_dev:s0
+#
+
# Root
/ u:object_r:rootfs:s0
@@ -391,6 +412,7 @@
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
@@ -741,16 +763,7 @@
# Expanded data files
#
/mnt/expand u:object_r:mnt_expand_file:s0
-# CAREFUL: the two system_data_file patterns below can't be replaced with one
-# pattern "/mnt/expand/[^/]+(/.*)?", since SELinux would prioritize that over
-# "/mnt/expand/[^/]+/user". This is because when a path is matched by two
-# patterns that contain regex meta-characters, SELinux just chooses the longer
-# pattern (or the later pattern if the patterns are the same length), rather
-# than the pattern containing fewer regex meta-characters. Splitting the
-# pattern into "/mnt/expand/[^/]+" and "/mnt/expand/[^/]+/.*" works around this
-# problem, except for 1-character filenames which we aren't using.
-/mnt/expand/[^/]+ u:object_r:system_data_file:s0
-/mnt/expand/[^/]+/.* u:object_r:system_data_file:s0
+/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
diff --git a/private/property.te b/private/property.te
index e1b42a0..9eed4de 100644
--- a/private/property.te
+++ b/private/property.te
@@ -605,6 +605,12 @@
neverallow {
domain
-init
+ -vendor_init
+} setupwizard_mode_prop:property_service set;
+
+neverallow {
+ domain
+ -init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
diff --git a/private/property_contexts b/private/property_contexts
index 69e4ec2..6d1c2f6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -338,6 +338,10 @@
ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
+# OEMs can set this prop at build time to configure how many seconds to delay
+# merge after installing a Virtual AB OTA. The default behavior is to start
+# merge immediately.
+ro.virtual_ab.merge_delay_seconds u:object_r:virtual_ab_prop:s0 exact int
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
@@ -862,9 +866,8 @@
persist.libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
# shell-only props for ARM memory tagging (MTE).
-arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
-persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
-persist.arm64.memtag.app_default u:object_r:arm64_memtag_prop:s0 exact string
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
@@ -1133,9 +1136,10 @@
ro.product.device_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.manufacturer_for_attestation u:object_r:build_attestation_prop:s0 exact string
-# GRF property for the first api level of the vendor partition
+# Vendor API level properties for the vFRC and GRF
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
+ro.board.api_frozen u:object_r:build_vendor_prop:s0 exact bool
ro.vendor.api_level u:object_r:build_vendor_prop:s0 exact int
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
@@ -1430,6 +1434,8 @@
ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
+ro.vulkan.apex u:object_r:graphics_config_prop:s0 exact string
+
# surfaceflinger-settable
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
@@ -1480,6 +1486,8 @@
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.mode u:object_r:setupwizard_mode_prop:s0 exact string
+
setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 74701df..9a76f69 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -56,6 +56,12 @@
# as the current dessert release, with additional auditing rules for the accesses
# we are considering forbidding in the upcoming release.
#
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
# An unspecified isSdkSandboxNext defaults to false.
@@ -64,6 +70,10 @@
# sdk_sandbox_audit sepolicy applied to them.
# An unspecified isSdkSandboxAudit defaults to false.
#
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
diff --git a/private/shell.te b/private/shell.te
index aa6bef8..e410862 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -132,6 +132,9 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d6f0e19..871d3f2 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -94,6 +94,9 @@
allow virtualizationmanager shell_data_file:file open;
')
+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
diff --git a/public/file.te b/public/file.te
index 091c557..142e167 100644
--- a/public/file.te
+++ b/public/file.te
@@ -255,6 +255,8 @@
# Type for all vendor public libraries for system. These libs should only be exposed to
# system. ABI stability of these libs is vendor's responsibility.
type vendor_public_framework_file, vendor_file_type, file_type;
+# Type for all microdroid related files in the vendor partition.
+type vendor_microdroid_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
diff --git a/public/property.te b/public/property.te
index 1a5b105..44b0aef 100644
--- a/public/property.te
+++ b/public/property.te
@@ -197,6 +197,7 @@
system_vendor_config_prop(dck_prop)
system_vendor_config_prop(tuner_config_prop)
system_vendor_config_prop(usb_uvc_enabled_prop)
+system_vendor_config_prop(setupwizard_mode_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 3c51b67..ab01745 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -59,10 +59,11 @@
Matcher = Is | Glob | Regex
@dataclass
-class AllowRead:
- """Rule checking if scontext can read the entity"""
+class AllowPerm:
+ """Rule checking if scontext has 'perm' to the entity"""
tclass: str
scontext: set[str]
+ perm: str
@dataclass
@@ -71,7 +72,12 @@
pass
-Rule = AllowRead | ResolveType
+Rule = AllowPerm | ResolveType
+
+
+# Helper for 'read'
+def AllowRead(tclass, scontext):
+ return AllowPerm(tclass, scontext, 'read')
def match_path(path: str, matcher: Matcher) -> bool:
@@ -89,17 +95,17 @@
"""Returns error message if scontext can't read the target"""
errors = []
match rule:
- case AllowRead(tclass, scontext):
+ case AllowPerm(tclass, scontext, perm):
# Test every source in scontext(set)
for s in scontext:
te_rules = list(pol.QueryTERule(scontext={s},
tcontext={tcontext},
tclass={tclass},
- perms={'read'}))
+ perms={perm}))
if len(te_rules) > 0:
continue # no errors
- errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+ errors.append(f"Error: {path}: {s} can't {perm}. (tcontext={tcontext})")
case ResolveType():
if tcontext not in pol.GetAllTypes(False):
errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
@@ -122,7 +128,7 @@
(Glob('./etc/vintf/*.xml'), AllowRead('file', {'servicemanager', 'apexd'})),
# ./ and apex_manifest.pb
(Is('./apex_manifest.pb'), AllowRead('file', {'linkerconfig', 'apexd'})),
- (Is('./'), AllowRead('dir', {'linkerconfig', 'apexd'})),
+ (Is('./'), AllowPerm('dir', {'linkerconfig', 'apexd'}, 'search')),
# linker.config.pb
(Is('./etc/linker.config.pb'), AllowRead('file', {'linkerconfig'})),
]
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 6e719ed..3fee43d 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -96,7 +96,7 @@
self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
r'Error: .*linkerconfig.* can\'t read')
self.assert_error('./ u:object_r:apex_data_file:s0',
- r'Error: .*linkerconfig.* can\'t read')
+ r'Error: .*linkerconfig.* can\'t search')
def test_unknown_label(self):
self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
diff --git a/tests/check_prop_prefix.py b/tests/check_prop_prefix.py
index 68511ce..13a7b99 100644
--- a/tests/check_prop_prefix.py
+++ b/tests/check_prop_prefix.py
@@ -76,7 +76,7 @@
print('%d violations found:' % len(violations))
print('\n'.join(violations))
print('******************************')
- print('%s contains properties which are not properly namespaced.' % args.property_contexts)
+ print("vendor's and odm's property_contexts MUST use ONLY vendor-prefixed properties.")
print('This is enforced by VTS, so please fix such offending properties.')
if args.allowed_property_prefix:
print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 28613c9..1c393f1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -171,7 +171,7 @@
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.renderscript@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory\.token@1\.0\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.safe_union@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/libRSCpuRef\.so u:object_r:same_process_hal_file:s0