Merge "Allow app to get dck_prop"
diff --git a/Android.bp b/Android.bp
index 21916b8..f22a1ac 100644
--- a/Android.bp
+++ b/Android.bp
@@ -149,482 +149,41 @@
],
}
-se_cil_compat_map {
- name: "plat_28.0.cil",
- stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
- top_half: "plat_29.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_29.0.cil",
- stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
- top_half: "plat_30.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- top_half: "plat_31.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_31.0.cil",
- stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
- top_half: "plat_32.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_32.0.cil",
- stem: "32.0.cil",
- bottom_half: [":32.0.board.compat.map"],
- // top_half: "plat_33.0.cil",
-}
-
-se_cil_compat_map {
- name: "system_ext_28.0.cil",
- stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
- top_half: "system_ext_29.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_29.0.cil",
- stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
- top_half: "system_ext_30.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- top_half: "system_ext_31.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_31.0.cil",
- stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
- top_half: "system_ext_32.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_32.0.cil",
- stem: "32.0.cil",
- bottom_half: [":32.0.board.compat.map"],
- // top_half: "system_ext_33.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_28.0.cil",
- stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
- top_half: "product_29.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_29.0.cil",
- stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
- top_half: "product_30.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- top_half: "product_31.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_31.0.cil",
- stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
- top_half: "product_32.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_32.0.cil",
- stem: "32.0.cil",
- bottom_half: [":32.0.board.compat.map"],
- // top_half: "product_33.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "28.0.ignore.cil",
- bottom_half: [":28.0.board.ignore.map"],
- top_half: "29.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "29.0.ignore.cil",
- bottom_half: [":29.0.board.ignore.map"],
- top_half: "30.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- top_half: "31.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
- top_half: "32.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "32.0.ignore.cil",
- bottom_half: [":32.0.board.ignore.map"],
- // top_half: "33.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "system_ext_30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- top_half: "system_ext_31.0.ignore.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
- top_half: "system_ext_32.0.ignore.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_32.0.ignore.cil",
- bottom_half: [":32.0.board.ignore.map"],
- // top_half: "system_ext_33.0.ignore.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- top_half: "product_31.0.ignore.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
- top_half: "product_32.0.ignore.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_32.0.ignore.cil",
- bottom_half: [":32.0.board.ignore.map"],
- // top_half: "product_33.0.ignore.cil",
- product_specific: true,
-}
-
-se_compat_cil {
- name: "28.0.compat.cil",
- srcs: [":28.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "29.0.compat.cil",
- srcs: [":29.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "30.0.compat.cil",
- srcs: [":30.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "31.0.compat.cil",
- srcs: [":31.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "32.0.compat.cil",
- srcs: [":32.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "system_ext_28.0.compat.cil",
- srcs: [":28.0.board.compat.cil"],
- stem: "28.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_29.0.compat.cil",
- srcs: [":29.0.board.compat.cil"],
- stem: "29.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_30.0.compat.cil",
- srcs: [":30.0.board.compat.cil"],
- stem: "30.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_31.0.compat.cil",
- srcs: [":31.0.board.compat.cil"],
- stem: "31.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_32.0.compat.cil",
- srcs: [":32.0.board.compat.cil"],
- stem: "32.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_filegroup {
+se_build_files {
name: "file_contexts_files",
srcs: ["file_contexts"],
}
-se_filegroup {
+se_build_files {
name: "file_contexts_asan_files",
srcs: ["file_contexts_asan"],
}
-se_filegroup {
+se_build_files {
name: "file_contexts_overlayfs_files",
srcs: ["file_contexts_overlayfs"],
}
-se_filegroup {
+se_build_files {
name: "hwservice_contexts_files",
srcs: ["hwservice_contexts"],
}
-se_filegroup {
+se_build_files {
name: "property_contexts_files",
srcs: ["property_contexts"],
}
-se_filegroup {
+se_build_files {
name: "service_contexts_files",
srcs: ["service_contexts"],
}
-se_filegroup {
+se_build_files {
name: "keystore2_key_contexts_files",
srcs: ["keystore2_key_contexts"],
}
-file_contexts {
- name: "plat_file_contexts",
- srcs: [":file_contexts_files"],
- product_variables: {
- address_sanitize: {
- srcs: [":file_contexts_asan_files"],
- },
- debuggable: {
- srcs: [":file_contexts_overlayfs_files"],
- },
- },
-
- flatten_apex: {
- srcs: ["apex/*-file_contexts"],
- },
-}
-
-file_contexts {
- name: "plat_file_contexts.recovery",
- srcs: [":file_contexts_files"],
- stem: "plat_file_contexts",
- product_variables: {
- address_sanitize: {
- srcs: [":file_contexts_asan_files"],
- },
- debuggable: {
- srcs: [":file_contexts_overlayfs_files"],
- },
- },
-
- flatten_apex: {
- srcs: ["apex/*-file_contexts"],
- },
-
- recovery: true,
-}
-
-file_contexts {
- name: "vendor_file_contexts",
- srcs: [":file_contexts_files"],
- soc_specific: true,
- recovery_available: true,
-}
-
-file_contexts {
- name: "system_ext_file_contexts",
- srcs: [":file_contexts_files"],
- system_ext_specific: true,
- recovery_available: true,
-}
-
-file_contexts {
- name: "product_file_contexts",
- srcs: [":file_contexts_files"],
- product_specific: true,
- recovery_available: true,
-}
-
-file_contexts {
- name: "odm_file_contexts",
- srcs: [":file_contexts_files"],
- device_specific: true,
- recovery_available: true,
-}
-
-hwservice_contexts {
- name: "plat_hwservice_contexts",
- srcs: [":hwservice_contexts_files"],
-}
-
-hwservice_contexts {
- name: "system_ext_hwservice_contexts",
- srcs: [":hwservice_contexts_files"],
- system_ext_specific: true,
-}
-
-hwservice_contexts {
- name: "product_hwservice_contexts",
- srcs: [":hwservice_contexts_files"],
- product_specific: true,
-}
-
-hwservice_contexts {
- name: "vendor_hwservice_contexts",
- srcs: [":hwservice_contexts_files"],
- reqd_mask: true,
- soc_specific: true,
-}
-
-hwservice_contexts {
- name: "odm_hwservice_contexts",
- srcs: [":hwservice_contexts_files"],
- device_specific: true,
-}
-
-property_contexts {
- name: "plat_property_contexts",
- srcs: [":property_contexts_files"],
-}
-
-property_contexts {
- name: "plat_property_contexts.recovery",
- srcs: [":property_contexts_files"],
- stem: "plat_property_contexts",
- recovery: true,
-}
-
-property_contexts {
- name: "system_ext_property_contexts",
- srcs: [":property_contexts_files"],
- system_ext_specific: true,
- recovery_available: true,
-}
-
-property_contexts {
- name: "product_property_contexts",
- srcs: [":property_contexts_files"],
- product_specific: true,
- recovery_available: true,
-}
-
-property_contexts {
- name: "vendor_property_contexts",
- srcs: [":property_contexts_files"],
- reqd_mask: true,
- soc_specific: true,
- recovery_available: true,
-}
-
-property_contexts {
- name: "odm_property_contexts",
- srcs: [":property_contexts_files"],
- device_specific: true,
- recovery_available: true,
-}
-
-service_contexts {
- name: "plat_service_contexts",
- srcs: [":service_contexts_files"],
-}
-
-service_contexts {
- name: "plat_service_contexts.recovery",
- srcs: [":service_contexts_files"],
- stem: "plat_service_contexts",
- recovery: true,
-}
-
-service_contexts {
- name: "system_ext_service_contexts",
- srcs: [":service_contexts_files"],
- system_ext_specific: true,
- recovery_available: true,
-}
-
-service_contexts {
- name: "product_service_contexts",
- srcs: [":service_contexts_files"],
- product_specific: true,
- recovery_available: true,
-}
-
-service_contexts {
- name: "vendor_service_contexts",
- srcs: [":service_contexts_files"],
- reqd_mask: true,
- soc_specific: true,
- recovery_available: true,
-}
-
-keystore2_key_contexts {
- name: "plat_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
-}
-
-keystore2_key_contexts {
- name: "system_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
- system_ext_specific: true,
-}
-
-keystore2_key_contexts {
- name: "product_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
- product_specific: true,
-}
-
-keystore2_key_contexts {
- name: "vendor_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
- reqd_mask: true,
- soc_specific: true,
-}
-
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
diff --git a/Android.mk b/Android.mk
index 160df1c..0ef4f0b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -740,9 +740,12 @@
built_odm_cil := $(call intermediates-dir-for,ETC,odm_sepolicy.cil)/odm_sepolicy.cil
endif
+built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
+
#################################
+# sepolicy is also built with Android.bp.
+# This module is to keep compatibility with monolithic sepolicy devices.
include $(CLEAR_VARS)
-# build this target so that we can still perform neverallow checks
LOCAL_MODULE := sepolicy
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
@@ -754,51 +757,8 @@
include $(BUILD_SYSTEM)/base_rules.mk
-all_cil_files := \
- $(built_plat_cil) \
- $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
- $(built_pub_vers_cil) \
- $(built_vendor_cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += $(built_system_ext_cil)
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_cil_files += $(built_odm_cil)
-endif
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-# Neverallow checks are skipped in a mixed build target.
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
- $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
- echo "==========" 1>&2; \
- echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
- echo "List of invalid domains:" 1>&2; \
- cat $@.permissivedomains 1>&2; \
- exit 1; \
- fi
- $(hide) mv $@.tmp $@
-
-built_sepolicy := $(LOCAL_BUILT_MODULE)
-all_cil_files :=
+$(LOCAL_BUILT_MODULE): $(built_sepolicy)
+ $(copy-file-to-target)
#################################
include $(CLEAR_VARS)
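Review bot: The copy rule `$(LOCAL_BUILT_MODULE): $(built_sepolicy)` replaces the only place in this file where the combined policy was compiled with neverallow checks and rejected for permissive domains in user builds, so both gates now depend entirely on how `precompiled_sepolicy` is built, which this file does not show. The removed rule also passed `-N` when `PLATFORM_SEPOLICY_VERSION` and `BOARD_SEPOLICY_VERS` differ, and added the system_ext, product and odm CIL files only when the matching variables were set. It is worth confirming that the Soong module reproduces each of those cases. If it does, say so above the copy rule, for example `# Neverallow and permissive-domain checks run when precompiled_sepolicy is built; this rule only copies the result.`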
diff --git a/apex/Android.bp b/apex/Android.bp
index 5276cca..166c2d3 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -22,6 +22,11 @@
}
filegroup {
+ name: "apex_file_contexts_files",
+ srcs: ["*-file_contexts"],
+}
+
+filegroup {
name: "apex.test-file_contexts",
srcs: [
"apex.test-file_contexts",
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 8d0e1a4..3308e2c 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -452,7 +452,7 @@
ctx.PropertyErrorf("srcs", "must be specified")
return
}
- bin := android.PathForModuleOut(ctx, c.stem()).OutputPath
+ bin := android.PathForModuleOut(ctx, c.stem()+"_policy")
rule := android.NewRuleBuilder(pctx, ctx)
secilcCmd := rule.Command().BuiltTool("secilc").
Flag("-m"). // Multiple decls
@@ -466,7 +466,39 @@
if proptools.BoolDefault(c.properties.Ignore_neverallow, ctx.Config().SelinuxIgnoreNeverallows()) {
secilcCmd.Flag("-N")
}
+ rule.Temporary(bin)
+ // permissive check is performed only in user build (not debuggable).
+ if !ctx.Config().Debuggable() {
+ permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
+ rule.Command().BuiltTool("sepolicy-analyze").
+ Input(bin).
+ Text("permissive").
+ Text(" > ").
+ Output(permissiveDomains)
+ rule.Temporary(permissiveDomains)
+
+ msg := `==========\n` +
+ `ERROR: permissive domains not allowed in user builds\n` +
+ `List of invalid domains:`
+
+ rule.Command().Text("if test").
+ FlagWithInput("-s ", permissiveDomains).
+ Text("; then echo").
+ Flag("-e").
+ Text(`"` + msg + `"`).
+ Text("&& cat ").
+ Input(permissiveDomains).
+ Text("; exit 1; fi")
+ }
+
+ out := android.PathForModuleOut(ctx, c.stem())
+ rule.Command().Text("cp").
+ Flag("-f").
+ Input(bin).
+ Output(out)
+
+ rule.DeleteTemporaryFiles()
rule.Build("secilc", "Compiling cil files for "+ctx.ModuleName())
if !c.Installable() {
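Review bot: The permissive-domain failure message in the added `if test -s` command is written to stdout with `echo -e`, whereas the Makefile rule it replaces wrote the same text to stderr with plain `echo`. `echo -e` is not portable across shells, so if this rule is ever run by something other than bash the output may start with a literal `-e` or keep the `\n` sequences unexpanded. Using `printf '%b\n'` for the message and appending `>&2` to both the message and the `cat` would avoid that and keep the old stderr behaviour. For consistency with selinux_contexts.go, `Text(" > ").Output(permissiveDomains)` could be `FlagWithOutput("> ", permissiveDomains)`. The enclosing function starts and ends outside this hunk.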
@@ -474,7 +506,7 @@
}
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- c.installSource = bin
+ c.installSource = out
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index a40716a..71de38a 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -34,18 +34,11 @@
Stem *string
Product_variables struct {
- Debuggable struct {
- Srcs []string
- }
-
Address_sanitize struct {
- Srcs []string
+ Srcs []string `android:"path"`
}
}
- // Whether reqd_mask directory is included to sepolicy directories or not.
- Reqd_mask *bool
-
// Whether the comments in generated contexts file will be removed or not.
Remove_comment *bool
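Review bot: `Product_variables.Debuggable` is removed from this struct, and the `ctx.Config().Debuggable()` branch is removed from the load hook in the `@@ -209,10 +159,6 @@` hunk, yet contexts/Android.bp in this same commit still sets `product_variables.debuggable.srcs` to the overlayfs file_contexts. Nothing visible here shows what consumes that property now. Presumably the generic product-variable support named in the existing TODO (build/soong/android/variable.go) takes over, but that should be confirmed, because the overlayfs labels are meant to be included only in debuggable builds. If it does, a comment on the struct would help, such as `// debuggable.srcs is applied by the generic product_variables handling, not by this module.`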
@@ -61,7 +54,7 @@
// Apex paths, /system/apex/{apex_name}, will be amended to the paths of file_contexts
// entries.
Flatten_apex struct {
- Srcs []string
+ Srcs []string `android:"path"`
}
}
@@ -145,51 +138,7 @@
}
}
- var inputs android.Paths
-
- ctx.VisitDirectDeps(func(dep android.Module) {
- depTag := ctx.OtherModuleDependencyTag(dep)
- if !android.IsSourceDepTagWithOutputTag(depTag, "") {
- return
- }
- segroup, ok := dep.(*fileGroup)
- if !ok {
- ctx.ModuleErrorf("srcs dependency %q is not an selinux filegroup",
- ctx.OtherModuleName(dep))
- return
- }
-
- if ctx.ProductSpecific() {
- inputs = append(inputs, segroup.ProductPrivateSrcs()...)
- } else if ctx.SocSpecific() {
- inputs = append(inputs, segroup.SystemVendorSrcs()...)
- inputs = append(inputs, segroup.VendorSrcs()...)
- } else if ctx.DeviceSpecific() {
- inputs = append(inputs, segroup.OdmSrcs()...)
- } else if ctx.SystemExtSpecific() {
- inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
- } else {
- inputs = append(inputs, segroup.SystemPrivateSrcs()...)
- inputs = append(inputs, segroup.SystemPublicSrcs()...)
- }
-
- if proptools.Bool(m.properties.Reqd_mask) {
- if ctx.SocSpecific() || ctx.DeviceSpecific() {
- inputs = append(inputs, segroup.VendorReqdMaskSrcs()...)
- } else {
- inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
- }
- }
- })
-
- for _, src := range m.properties.Srcs {
- // Module sources are handled above with VisitDirectDepsWithTag
- if android.SrcIsModule(src) == "" {
- inputs = append(inputs, android.PathForModuleSrc(ctx, src))
- }
- }
-
- m.outputPath = m.build(ctx, inputs)
+ m.outputPath = m.build(ctx, android.PathsForModuleSrc(ctx, m.properties.Srcs))
ctx.InstallFile(m.installPath, m.stem(), m.outputPath)
}
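Review bot: Replacing the dependency walk with `android.PathsForModuleSrc(ctx, m.properties.Srcs)` drops two safeguards from the removed code: the `dep.(*fileGroup)` type check, and the selection of sources from the module's own partition flags (`ProductSpecific`, `SocSpecific`, `DeviceSpecific`, `SystemExtSpecific`). Partition correctness now depends on each Android.bp entry naming the right output tag, so a `product_specific` module that lists a `{.plat_private}` source would build without complaint. Consider documenting this on the `Srcs` property, e.g. `// Srcs must reference the output tag matching this module's partition; no cross-check is performed.`, or validating the tag against the partition flags. The enclosing function starts outside this hunk.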
@@ -197,6 +146,7 @@
m := &selinuxContextsModule{}
m.AddProperties(
&m.properties,
+ &m.fileContextsProperties,
)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
@@ -209,10 +159,6 @@
// TODO: clean this up to use build/soong/android/variable.go after b/79249983
var srcs []string
- if ctx.Config().Debuggable() {
- srcs = append(srcs, m.properties.Product_variables.Debuggable.Srcs...)
- }
-
for _, sanitize := range ctx.Config().SanitizeDevice() {
if sanitize == "address" {
srcs = append(srcs, m.properties.Product_variables.Address_sanitize.Srcs...)
@@ -333,25 +279,18 @@
rule := android.NewRuleBuilder(pctx, ctx)
if ctx.Config().FlattenApex() {
- for _, src := range m.fileContextsProperties.Flatten_apex.Srcs {
- if m := android.SrcIsModule(src); m != "" {
- ctx.ModuleErrorf(
- "Module srcs dependency %q is not supported for flatten_apex.srcs", m)
- return nil
- }
- for _, path := range android.PathsForModuleSrcExcludes(ctx, []string{src}, nil) {
- out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
- apex_path := "/system/apex/" + strings.Replace(
- strings.TrimSuffix(path.Base(), "-file_contexts"),
- ".", "\\\\.", -1)
+ for _, path := range android.PathsForModuleSrc(ctx, m.fileContextsProperties.Flatten_apex.Srcs) {
+ out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
+ apex_path := "/system/apex/" + strings.Replace(
+ strings.TrimSuffix(path.Base(), "-file_contexts"),
+ ".", "\\\\.", -1)
- rule.Command().
- Text("awk '/object_r/{printf(\""+apex_path+"%s\\n\",$0)}'").
- Input(path).
- FlagWithOutput("> ", out)
+ rule.Command().
+ Text("awk '/object_r/{printf(\""+apex_path+"%s\\n\",$0)}'").
+ Input(path).
+ FlagWithOutput("> ", out)
- inputs = append(inputs, out)
- }
+ inputs = append(inputs, out)
}
}
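Review bot: With the `android.SrcIsModule` rejection removed, `flatten_apex.srcs` can now name any module, so the paths reaching `strings.TrimSuffix(path.Base(), "-file_contexts")` are no longer guaranteed to carry that suffix. A file without it would keep its full base name in the `/system/apex/...` prefix and produce labels for a path that does not exist, with no build error. A guard before computing `apex_path` would make this fail loudly: `if !strings.HasSuffix(path.Base(), "-file_contexts") { ctx.PropertyErrorf("flatten_apex.srcs", "%q must end with -file_contexts", path.String()); return nil }`. Separately, the base name is spliced into the awk `printf` format string, so a `%` or quote character in a file name would corrupt the generated command. The enclosing function starts and ends outside this hunk.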
@@ -361,7 +300,6 @@
func fileFactory() android.Module {
m := newModule()
- m.AddProperties(&m.fileContextsProperties)
m.build = m.buildFileContexts
return m
}
diff --git a/compat/Android.bp b/compat/Android.bp
new file mode 100644
index 0000000..715e4b3
--- /dev/null
+++ b/compat/Android.bp
@@ -0,0 +1,262 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains module definitions for compatibility files.
+
+se_cil_compat_map {
+ name: "plat_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map"],
+ top_half: "plat_29.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map"],
+ top_half: "plat_30.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map"],
+ top_half: "plat_31.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_31.0.cil",
+ stem: "31.0.cil",
+ bottom_half: [":31.0.board.compat.map"],
+ top_half: "plat_32.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_32.0.cil",
+ stem: "32.0.cil",
+ bottom_half: [":32.0.board.compat.map"],
+ // top_half: "plat_33.0.cil",
+}
+
+se_cil_compat_map {
+ name: "system_ext_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map"],
+ top_half: "system_ext_29.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map"],
+ top_half: "system_ext_30.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map"],
+ top_half: "system_ext_31.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_31.0.cil",
+ stem: "31.0.cil",
+ bottom_half: [":31.0.board.compat.map"],
+ top_half: "system_ext_32.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_32.0.cil",
+ stem: "32.0.cil",
+ bottom_half: [":32.0.board.compat.map"],
+ // top_half: "system_ext_33.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map"],
+ top_half: "product_29.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map"],
+ top_half: "product_30.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map"],
+ top_half: "product_31.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_31.0.cil",
+ stem: "31.0.cil",
+ bottom_half: [":31.0.board.compat.map"],
+ top_half: "product_32.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_32.0.cil",
+ stem: "32.0.cil",
+ bottom_half: [":32.0.board.compat.map"],
+ // top_half: "product_33.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "28.0.ignore.cil",
+ bottom_half: [":28.0.board.ignore.map"],
+ top_half: "29.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "29.0.ignore.cil",
+ bottom_half: [":29.0.board.ignore.map"],
+ top_half: "30.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map"],
+ top_half: "31.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "31.0.ignore.cil",
+ bottom_half: [":31.0.board.ignore.map"],
+ top_half: "32.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "32.0.ignore.cil",
+ bottom_half: [":32.0.board.ignore.map"],
+ // top_half: "33.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "system_ext_30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map"],
+ top_half: "system_ext_31.0.ignore.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_31.0.ignore.cil",
+ bottom_half: [":31.0.board.ignore.map"],
+ top_half: "system_ext_32.0.ignore.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_32.0.ignore.cil",
+ bottom_half: [":32.0.board.ignore.map"],
+ // top_half: "system_ext_33.0.ignore.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map"],
+ top_half: "product_31.0.ignore.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_31.0.ignore.cil",
+ bottom_half: [":31.0.board.ignore.map"],
+ top_half: "product_32.0.ignore.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_32.0.ignore.cil",
+ bottom_half: [":32.0.board.ignore.map"],
+ // top_half: "product_33.0.ignore.cil",
+ product_specific: true,
+}
+
+se_compat_cil {
+ name: "28.0.compat.cil",
+ srcs: [":28.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "29.0.compat.cil",
+ srcs: [":29.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "30.0.compat.cil",
+ srcs: [":30.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "31.0.compat.cil",
+ srcs: [":31.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "32.0.compat.cil",
+ srcs: [":32.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "system_ext_28.0.compat.cil",
+ srcs: [":28.0.board.compat.cil"],
+ stem: "28.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_29.0.compat.cil",
+ srcs: [":29.0.board.compat.cil"],
+ stem: "29.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_30.0.compat.cil",
+ srcs: [":30.0.board.compat.cil"],
+ stem: "30.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_31.0.compat.cil",
+ srcs: [":31.0.board.compat.cil"],
+ stem: "31.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_32.0.compat.cil",
+ srcs: [":32.0.board.compat.cil"],
+ stem: "32.0.compat.cil",
+ system_ext_specific: true,
+}
diff --git a/contexts/Android.bp b/contexts/Android.bp
new file mode 100644
index 0000000..ed98683
--- /dev/null
+++ b/contexts/Android.bp
@@ -0,0 +1,224 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains module definitions for various contexts files.
+
+file_contexts {
+ name: "plat_file_contexts",
+ srcs: [":file_contexts_files{.plat_private}"],
+ product_variables: {
+ address_sanitize: {
+ srcs: [":file_contexts_asan_files{.plat_private}"],
+ },
+ debuggable: {
+ srcs: [":file_contexts_overlayfs_files{.plat_private}"],
+ },
+ },
+
+ flatten_apex: {
+ srcs: [":apex_file_contexts_files"],
+ },
+}
+
+file_contexts {
+ name: "plat_file_contexts.recovery",
+ srcs: [":file_contexts_files{.plat_private}"],
+ stem: "plat_file_contexts",
+ product_variables: {
+ address_sanitize: {
+ srcs: [":file_contexts_asan_files{.plat_private}"],
+ },
+ debuggable: {
+ srcs: [":file_contexts_overlayfs_files{.plat_private}"],
+ },
+ },
+
+ flatten_apex: {
+ srcs: [":apex_file_contexts_files"],
+ },
+
+ recovery: true,
+}
+
+file_contexts {
+ name: "vendor_file_contexts",
+ srcs: [
+ ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.vendor}",
+ ],
+ soc_specific: true,
+ recovery_available: true,
+}
+
+file_contexts {
+ name: "system_ext_file_contexts",
+ srcs: [":file_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+ recovery_available: true,
+}
+
+file_contexts {
+ name: "product_file_contexts",
+ srcs: [":file_contexts_files{.product_private}"],
+ product_specific: true,
+ recovery_available: true,
+}
+
+file_contexts {
+ name: "odm_file_contexts",
+ srcs: [":file_contexts_files{.odm}"],
+ device_specific: true,
+ recovery_available: true,
+}
+
+hwservice_contexts {
+ name: "plat_hwservice_contexts",
+ srcs: [":hwservice_contexts_files{.plat_private}"],
+}
+
+hwservice_contexts {
+ name: "system_ext_hwservice_contexts",
+ srcs: [":hwservice_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+}
+
+hwservice_contexts {
+ name: "product_hwservice_contexts",
+ srcs: [":hwservice_contexts_files{.product_private}"],
+ product_specific: true,
+}
+
+hwservice_contexts {
+ name: "vendor_hwservice_contexts",
+ srcs: [
+ ":hwservice_contexts_files{.plat_vendor_for_vendor}",
+ ":hwservice_contexts_files{.vendor}",
+ ":hwservice_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ soc_specific: true,
+}
+
+hwservice_contexts {
+ name: "odm_hwservice_contexts",
+ srcs: [":hwservice_contexts_files{.odm}"],
+ device_specific: true,
+}
+
+property_contexts {
+ name: "plat_property_contexts",
+ srcs: [":property_contexts_files{.plat_private}"],
+}
+
+property_contexts {
+ name: "plat_property_contexts.recovery",
+ srcs: [":property_contexts_files{.plat_private}"],
+ stem: "plat_property_contexts",
+ recovery: true,
+}
+
+property_contexts {
+ name: "system_ext_property_contexts",
+ srcs: [":property_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+ recovery_available: true,
+}
+
+property_contexts {
+ name: "product_property_contexts",
+ srcs: [":property_contexts_files{.product_private}"],
+ product_specific: true,
+ recovery_available: true,
+}
+
+property_contexts {
+ name: "vendor_property_contexts",
+ srcs: [
+ ":property_contexts_files{.plat_vendor_for_vendor}",
+ ":property_contexts_files{.vendor}",
+ ":property_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ soc_specific: true,
+ recovery_available: true,
+}
+
+property_contexts {
+ name: "odm_property_contexts",
+ srcs: [":property_contexts_files{.odm}"],
+ device_specific: true,
+ recovery_available: true,
+}
+
+service_contexts {
+ name: "plat_service_contexts",
+ srcs: [":service_contexts_files{.plat_private}"],
+}
+
+service_contexts {
+ name: "plat_service_contexts.recovery",
+ srcs: [":service_contexts_files{.plat_private}"],
+ stem: "plat_service_contexts",
+ recovery: true,
+}
+
+service_contexts {
+ name: "system_ext_service_contexts",
+ srcs: [":service_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+ recovery_available: true,
+}
+
+service_contexts {
+ name: "product_service_contexts",
+ srcs: [":service_contexts_files{.product_private}"],
+ product_specific: true,
+ recovery_available: true,
+}
+
+service_contexts {
+ name: "vendor_service_contexts",
+ srcs: [
+ ":service_contexts_files{.plat_vendor_for_vendor}",
+ ":service_contexts_files{.vendor}",
+ ":service_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ soc_specific: true,
+ recovery_available: true,
+}
+
+keystore2_key_contexts {
+ name: "plat_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files{.plat_private}"],
+}
+
+keystore2_key_contexts {
+ name: "system_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "product_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files{.product_private}"],
+ product_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "vendor_keystore2_key_contexts",
+ srcs: [
+ ":keystore2_key_contexts_files{.plat_vendor_for_vendor}",
+ ":keystore2_key_contexts_files{.vendor}",
+ ":keystore2_key_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ soc_specific: true,
+}
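Review bot: The platform modules here (`plat_file_contexts`, `plat_hwservice_contexts`, `plat_property_contexts`, `plat_service_contexts`, `plat_keystore2_key_contexts`) list only the `{.plat_private}` tag, while the Go code removed from selinux_contexts.go in this commit appended both `SystemPrivateSrcs()` and `SystemPublicSrcs()` for non-partition-specific modules. Whether `.plat_private` also covers the public directories is not visible in this diff. If it does not, entries that live under public/ would drop out of the platform contexts files. Please confirm this, and consider a short comment at the top of the file listing what each output tag of `se_build_files` expands to.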
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index d7e8601..f796813 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -11,6 +11,7 @@
charger_vendor
cloudsearch_service
device_config_nnapi_native_prop
+ device_config_surface_flinger_native_boot_prop
dice_maintenance_service
dice_node_service
diced
diff --git a/private/property.te b/private/property.te
index 7033a06..5d5869c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -12,7 +12,6 @@
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
-system_internal_prop(device_config_surface_flinger_native_boot_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/public/property.te b/public/property.te
index 3a8dcd5..83dfc36 100644
--- a/public/property.te
+++ b/public/property.te
@@ -67,6 +67,7 @@
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
+system_restricted_prop(device_config_surface_flinger_native_boot_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(hal_instrumentation_prop)
system_restricted_prop(hypervisor_prop)
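Review bot: Declaring `device_config_surface_flinger_native_boot_prop` with `system_restricted_prop` here, after removing its `system_internal_prop` declaration from private/property.te, moves the type into public policy. As I understand the macro, that widens who may read the property to domains outside the system partition. Nothing in this commit shows which non-system reader needs it, and the commit title mentions only dck_prop. A comment next to the declaration naming the intended reader would make the widened exposure reviewable. It is also worth confirming that the line added to private/compat/32.0/32.0.ignore.cil is the only compatibility change required for a type that becomes public.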