Add BOARD_GENFS_LABELS_VERSION
If it's 202504 or later, /sys/class/udc will be labeled as sysfs_udc. If
it's not set, /sys/class/udc will stay at the label sysfs. This is to
support GRF vendors older than 202504.
202404 or older vendors can choose either way. If they want to customize
permissions to /sys/class/udc, they can turn off
BOARD_GENFS_LABELS_VERSION and assign their own label to /sys/class/udc
with vendor sepolicy.
202504 or newer vendors must set BOARD_GENFS_LABELS_VERSION to a version
greater than or equal to 202504.
For now there's only one node /sys/class/udc, but more labels can be
added until 202504 freeze.
Bug: 361985697
Test: boot with and without BOARD_GENFS_LABELS_VERSION
Change-Id: Ifd8f5aa994373c64301430d551f62b6b1f997e16
diff --git a/Android.bp b/Android.bp
index db1ea27..b81820a 100644
--- a/Android.bp
+++ b/Android.bp
@@ -102,6 +102,7 @@
"plat_property_contexts",
"plat_seapp_contexts",
"plat_sepolicy.cil",
+ "plat_sepolicy_genfs_202504.cil",
"plat_service_contexts",
"secilc",
"plat_29.0.cil",
@@ -568,6 +569,22 @@
vendor: true,
}
+genrule {
+ name: "genfs_labels_version.txt.gen",
+ out: ["genfs_labels_version.txt"],
+ cmd: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
+ any @ value: "echo " + value + " > $(out)",
+ default: "echo > $(out)",
+ }),
+}
+
+prebuilt_etc {
+ name: "genfs_labels_version.txt",
+ src: ":genfs_labels_version.txt.gen",
+ relative_install_path: "selinux",
+ vendor: true,
+}
+
soong_config_module_type {
name: "precompiled_sepolicy_prebuilts_defaults",
module_type: "prebuilt_defaults",
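Review bot: The `default` branch `echo > $(out)` in the new genrule writes a file containing a single newline rather than an empty file, so whatever reads genfs_labels_version.txt on the device has to strip whitespace before treating the value as unset; `default: ": > $(out)"` produces a genuinely empty file and removes that ambiguity. The `any @ value` branch also splices the board variable into the shell command unquoted, so a value containing spaces or shell metacharacters would be word-split or interpreted instead of being written literally; `any @ value: "echo '" + value + "' > $(out)"` keeps it literal. The value is build configuration rather than untrusted input, but as written a malformed board setting ends up as wrong file contents rather than a build error.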
@@ -651,6 +668,10 @@
":system_ext_mapping_file",
":product_mapping_file",
],
+ device_first_srcs: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
+ "202504": [":plat_sepolicy_genfs_202504.cil"],
+ default: [],
+ }),
// Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
// Useful when some partitions need to be bind mounted across VM boundaries.
visibility: ["//visibility:public"],
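Review bot: The added `device_first_srcs` select includes the 202504 genfs file only when BOARD_GENFS_LABELS_VERSION is exactly the string `"202504"`, while the commit message says newer vendors set a version greater than or equal to 202504 and that further labels may be added per version; a board that sets 202505 or later would record that value in genfs_labels_version.txt yet fall into `default: []` here, silently losing the sysfs_udc label. If versions are meant to be cumulative, every future key must list all earlier files as well, and that rule is not stated anywhere in the hunk; a comment above the select such as `// Each version key must also list the genfs files of all earlier versions.` would prevent the next addition from dropping 202504. The precompiled_sepolicy_prebuilts module this hunk patches starts and ends outside the hunk.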
@@ -1058,6 +1079,7 @@
phony {
name: "selinux_policy_vendor",
required: [
+ "genfs_labels_version.txt",
"plat_pub_versioned.cil",
"vendor_sepolicy.cil",
"plat_sepolicy_vers.txt",
@@ -1135,6 +1157,7 @@
"plat_property_contexts_test",
"plat_seapp_contexts",
"plat_sepolicy.cil",
+ "plat_sepolicy_genfs_202504.cil",
"plat_service_contexts",
"plat_service_contexts_test",
"searchpolicy",
diff --git a/compat/Android.bp b/compat/Android.bp
index f09fb21..28936dd 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -585,3 +585,9 @@
system_ext_specific: true,
version: "202404",
}
+
+prebuilt_etc {
+ name: "plat_sepolicy_genfs_202504.cil",
+ src: "plat_sepolicy_genfs_202504.cil",
+ relative_install_path: "selinux",
+}
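Review bot: The new `plat_sepolicy_genfs_202504.cil` prebuilt has no comment saying when the installed copy is consumed, and unlike the module directly above it it carries neither `vendor: true` nor `system_ext_specific: true`, so it presumably installs under the system partition's etc/selinux; a reader cannot tell whether that placement is deliberate. A one-line comment above the module, e.g. `// Platform genfs labels applied only when the vendor's BOARD_GENFS_LABELS_VERSION is 202504; see genfs_labels_version.txt.`, would document the contract for the next person adding a versioned file here.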
diff --git a/compat/plat_sepolicy_genfs_202504.cil b/compat/plat_sepolicy_genfs_202504.cil
new file mode 100644
index 0000000..79cc732
--- /dev/null
+++ b/compat/plat_sepolicy_genfs_202504.cil
@@ -0,0 +1 @@
+(genfscon sysfs "/class/udc" (u object_r sysfs_udc ((s0) (s0))))
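Review bot: The new CIL file has no header comment, so a reader opening it on its own cannot tell that it is loaded only for vendors whose BOARD_GENFS_LABELS_VERSION is 202504 or why /sys/class/udc is split out of the generic sysfs label. A leading `; Applied only when the vendor's BOARD_GENFS_LABELS_VERSION is 202504; older vendors keep /sys/class/udc labeled sysfs.` would capture that. Since genfscon matches by path prefix, this line also labels every node below /sys/class/udc as sysfs_udc, which is worth stating in the same comment.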
diff --git a/public/file.te b/public/file.te
index 9cc76c0..4a2fc9f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -647,6 +647,10 @@
# Deprecated in SDK version 28
type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+starting_at_board_api(202504, `
+ type sysfs_udc, fs_type, sysfs_type;
+')
+
# system/sepolicy/public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to system/sepolicy/private/*.te.
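Review bot: `sysfs_udc` is declared only inside `starting_at_board_api(202504, …)`, whereas the genfscon that references it in compat/plat_sepolicy_genfs_202504.cil is included based on BOARD_GENFS_LABELS_VERSION, a separate variable; nothing in this change ties the two together, so a board that sets BOARD_GENFS_LABELS_VERSION to 202504 with an older board API level would, as far as the page shows, ship a CIL file referencing an undefined type and fail policy compilation. Either a build-time check that BOARD_GENFS_LABELS_VERSION does not exceed the board API level, or a comment on the declaration stating the dependency, would make the coupling explicit, e.g. `# Referenced by compat/plat_sepolicy_genfs_202504.cil; BOARD_GENFS_LABELS_VERSION must not exceed the board API level.` The type also has no comment describing what /sys/class/udc is used for, which the other sysfs types in this file generally carry.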