Merge "Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot." into main
diff --git a/Android.bp b/Android.bp
index 1d8e5dd..88107cc 100644
--- a/Android.bp
+++ b/Android.bp
@@ -337,36 +337,6 @@
product_specific: true,
}
-// HACK to support vendor blobs using 1000000.0
-// TODO(b/314010177): remove after new ToT (202404) fully propagates
-se_versioned_policy {
- name: "plat_mapping_file_1000000.0",
- base: ":plat_pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- relative_install_path: "mapping", // install to /system/etc/selinux/mapping
-}
-
-se_versioned_policy {
- name: "system_ext_mapping_file_1000000.0",
- base: ":system_ext_pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- filter_out: [":plat_mapping_file"],
- relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
- system_ext_specific: true,
-}
-
-se_versioned_policy {
- name: "product_mapping_file_1000000.0",
- base: ":pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
- relative_install_path: "mapping", // install to /product/etc/selinux/mapping
- product_specific: true,
-}
-
//////////////////////////////////
// vendor/odm sepolicy
//////////////////////////////////
diff --git a/Android.mk b/Android.mk
index 37acb75..2e327c2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -210,12 +210,6 @@
plat_sepolicy.cil \
secilc \
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += plat_mapping_file_1000000.0
-endif
-
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
endif
@@ -254,10 +248,10 @@
endif # SELINUX_IGNORE_NEVERALLOWS
endif # with_asan
-ifeq ($(BOARD_API_LEVEL_FROZEN),true)
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
se_freeze_test
-endif
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
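Review bot: The new gate `ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))` drops `se_freeze_test` from `LOCAL_REQUIRED_MODULES` whenever the two strings compare equal, and that includes the case where both are empty or undefined. Both variables are set outside this hunk, so I cannot confirm they are always populated when this file is parsed. Judging by its name, this test is the check that protects frozen policy, so I would make the comparison whitespace-tolerant with `ifneq ($(strip $(PLATFORM_SEPOLICY_VERSION)),$(strip $(TOT_SEPOLICY_VERSION)))` and add a one-line comment above it stating that the test is only required when the platform version differs from ToT. The closing comment would also read more clearly as `endif # PLATFORM_SEPOLICY_VERSION != TOT_SEPOLICY_VERSION`.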
@@ -284,12 +278,6 @@
LOCAL_REQUIRED_MODULES += \
system_ext_mapping_file
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += system_ext_mapping_file_1000000.0
-endif
-
system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
@@ -338,12 +326,6 @@
LOCAL_REQUIRED_MODULES += \
product_mapping_file
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += product_mapping_file_1000000.0
-endif
-
product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 08fe7a4..2055e4f 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -409,6 +409,7 @@
"security_state": EXCEPTION_NO_FUZZER,
"sec_key_att_app_id_provider": EXCEPTION_NO_FUZZER,
"selection_toolbar": EXCEPTION_NO_FUZZER,
+ "sensitive_content_protection_service": EXCEPTION_NO_FUZZER,
"sensorservice": EXCEPTION_NO_FUZZER,
"sensor_privacy": EXCEPTION_NO_FUZZER,
"serial": EXCEPTION_NO_FUZZER,
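Review bot: The added `"sensitive_content_protection_service": EXCEPTION_NO_FUZZER` entry exempts the new service from fuzzer coverage without recording why. The public/service.te change in this same commit labels the service `app_api_service`, so its binder interface looks reachable from ordinary apps, which is where fuzzing is most useful. The neighbouring entries use the same value, so this may simply be the convention for services hosted in system_server. If so, I would say that next to the entry, for example `// hosted in system_server, no native fuzzer target; tracking bug: <BUG_ID>`. The map this line belongs to starts and ends outside the hunk.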
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 3dbb9fd..74ab9e5 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -29,6 +29,7 @@
pm_archiving_enabled_prop
remote_auth_service
security_state_service
+ sensitive_content_protection_service
setupwizard_mode_prop
sysfs_sync_on_suspend
tv_ad_service
diff --git a/private/service_contexts b/private/service_contexts
index f981f25..299bb6f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -388,6 +388,7 @@
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
security_state u:object_r:security_state_service:s0
selection_toolbar u:object_r:selection_toolbar_service:s0
+sensitive_content_protection_service u:object_r:sensitive_content_protection_service:s0
sensorservice u:object_r:sensorservice_service:s0
sensor_privacy u:object_r:sensor_privacy_service:s0
serial u:object_r:serial_service:s0
diff --git a/public/service.te b/public/service.te
index c9333bd..b480d3e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -219,6 +219,7 @@
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type security_state_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sensitive_content_protection_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;
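Review bot: `sensitive_content_protection_service` is declared with `app_api_service`, which as far as I know lets every app domain look the service up through servicemanager. That leaves the service's own caller checks as the only access gate, and this policy change cannot show whether they exist. If only system or privileged callers need it, `system_api_service` would be the narrower attribute, as `serial_service` uses at the end of this hunk. Otherwise, a comment above the type naming the permission the service enforces on its binder calls would make the exposure reviewable. Note that the type is declared without `ephemeral_app_api_service`, unlike its neighbours, so instant apps are presumably meant to be excluded; it would help to state that intent in the same comment.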