Merge "Add SEPolicy for fingerprint2.2 example HAL"
diff --git a/apex/com.android.runtime-file_contexts b/apex/com.android.runtime-file_contexts
index eed0981..d090d50 100644
--- a/apex/com.android.runtime-file_contexts
+++ b/apex/com.android.runtime-file_contexts
@@ -4,4 +4,5 @@
(/.*)? u:object_r:system_file:s0
/bin/crash_dump(32|64) u:object_r:crash_dump_exec:s0
/bin/linker(64)? u:object_r:system_linker_exec:s0
+/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 26e8246..8e2d1da 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -279,7 +279,7 @@
func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
ret := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
- rule := android.NewRuleBuilder()
+ rule := android.NewRuleBuilder(pctx, ctx)
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
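Review bot: buildGeneralContexts has no doc comment, and after this migration its first line silently depends on the package-level pctx that used to be passed explicitly at Build time, so a short header would help the next reader. Something like `// buildGeneralContexts runs inputs through m4 into <module>_m4out (see pctx for the rule context) and returns the generated contexts path.` above the signature is enough. The method body continues past the hunk, so whether the returned path is the raw m4 output or a sorted copy should be checked against the rest of the method before wording the comment. The same NewRuleBuilder/Build/BuiltTool signature change is repeated in the other hunks of this file and needs no further change there.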
@@ -314,7 +314,7 @@
ret = sorted_output
}
- rule.Build(pctx, ctx, "selinux_contexts", "building contexts: "+m.Name())
+ rule.Build("selinux_contexts", "building contexts: "+m.Name())
rule.DeleteTemporaryFiles()
@@ -326,7 +326,7 @@
m.properties.Fc_sort = proptools.BoolPtr(true)
}
- rule := android.NewRuleBuilder()
+ rule := android.NewRuleBuilder(pctx, ctx)
if ctx.Config().FlattenApex() {
for _, src := range m.fileContextsProperties.Flatten_apex.Srcs {
@@ -351,7 +351,7 @@
}
}
- rule.Build(pctx, ctx, m.Name(), "flattened_apex_file_contexts")
+ rule.Build(m.Name(), "flattened_apex_file_contexts")
return m.buildGeneralContexts(ctx, inputs)
}
@@ -385,7 +385,7 @@
// check compatibility with sysprop_library
if len(apiFiles) > 0 {
out := android.PathForModuleGen(ctx, ctx.ModuleName()+"_api_checked")
- rule := android.NewRuleBuilder()
+ rule := android.NewRuleBuilder(pctx, ctx)
msg := `\n******************************\n` +
`API of sysprop_library doesn't match with property_contexts\n` +
@@ -394,7 +394,7 @@
rule.Command().
Text("( ").
- BuiltTool(ctx, "sysprop_type_checker").
+ BuiltTool("sysprop_type_checker").
FlagForEachInput("--api ", apiFiles).
FlagWithInput("--context ", builtCtxFile).
Text(" || ( echo").Flag("-e").
@@ -402,7 +402,7 @@
Text("; exit 38) )")
rule.Command().Text("cp -f").Input(builtCtxFile).Output(out)
- rule.Build(pctx, ctx, "property_contexts_check_api", "checking API: "+m.Name())
+ rule.Build("property_contexts_check_api", "checking API: "+m.Name())
builtCtxFile = out
}
diff --git a/contexts_tests.mk b/contexts_tests.mk
index da5dd83..076408a 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -17,24 +17,20 @@
# TODO: move tests into Soong after refactoring sepolicy module (b/130693869)
# Run host-side test with contexts files and the sepolicy file.
-# $(1): paths to contexts files
+# $(1): names of modules containing context files
# $(2): path to the host tool
# $(3): additional argument to be passed to the tool
define run_contexts_test
-$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $(1)
+my_contexts := $(foreach m,$(1),$$(call intermediates-dir-for,ETC,$(m))/$(m))
+$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $$(my_contexts)
$$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $$(built_sepolicy)
-$$(LOCAL_BUILT_MODULE): $(2) $(1) $$(built_sepolicy)
+$$(LOCAL_BUILT_MODULE): $(2) $$(my_contexts) $$(built_sepolicy)
$$(hide) $$< $(3) $$(PRIVATE_SEPOLICY) $$(PRIVATE_CONTEXTS)
$$(hide) mkdir -p $$(dir $$@)
$$(hide) touch $$@
+my_contexts :=
endef
-system_out := $(TARGET_OUT)/etc/selinux
-system_ext_out := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-product_out := $(TARGET_OUT_PRODUCT)/etc/selinux
-vendor_out := $(TARGET_OUT_VENDOR)/etc/selinux
-odm_out := $(TARGET_OUT_ODM)/etc/selinux
-
checkfc := $(HOST_OUT_EXECUTABLES)/checkfc
property_info_checker := $(HOST_OUT_EXECUTABLES)/property_info_checker
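Review bot: The new my_contexts expansion assumes every module named in $(1) is an ETC-class module whose built file is `<intermediates-dir>/<module>`, i.e. that the stem equals the module name; a module with a different LOCAL_MODULE_STEM would produce a prerequisite nothing builds, and make would stop on a missing target rather than an explanatory message. Worth stating in the macro header, e.g. `# $(1): names of ETC modules; each must build <intermediates-dir>/<module> (stem == module name)`. The test also now checks the intermediates rather than the installed copies under the removed $(TARGET_OUT*)/etc/selinux paths; presumably those are byte-identical copies, but a sentence saying so in the header comment would make the intent clear. The remaining hunks of this file are call-site updates for the same macro and need nothing further.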
@@ -44,8 +40,7 @@
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, $(system_out)/plat_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, plat_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -56,7 +51,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, system_ext_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -67,7 +62,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, product_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -78,7 +73,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, vendor_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -89,7 +84,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(odm_out)/odm_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, odm_file_contexts, $(checkfc),))
##################################
@@ -101,7 +96,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_out)/plat_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, plat_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -112,7 +107,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, system_ext_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -123,7 +118,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, product_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -134,7 +129,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, vendor_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -145,11 +140,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(odm_out)/odm_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, odm_hwservice_contexts, $(checkfc), -e -l))
##################################
-pc_files := $(system_out)/plat_property_contexts
+pc_modules := plat_property_contexts
include $(CLEAR_VARS)
@@ -159,13 +154,13 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
##################################
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-pc_files += $(system_ext_out)/system_ext_property_contexts
+pc_modules += system_ext_property_contexts
include $(CLEAR_VARS)
@@ -175,13 +170,13 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
##################################
-pc_files += $(vendor_out)/vendor_property_contexts
+pc_modules += vendor_property_contexts
include $(CLEAR_VARS)
@@ -191,13 +186,13 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
##################################
ifdef BOARD_ODM_SEPOLICY_DIRS
-pc_files += $(odm_out)/odm_property_contexts
+pc_modules += odm_property_contexts
include $(CLEAR_VARS)
@@ -207,7 +202,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
@@ -215,7 +210,7 @@
ifdef HAS_PRODUCT_SEPOLICY_DIR
-pc_files += $(product_out)/product_property_contexts
+pc_modules += product_property_contexts
include $(CLEAR_VARS)
@@ -225,11 +220,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
-pc_files :=
+pc_modules :=
##################################
include $(CLEAR_VARS)
@@ -240,7 +235,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_out)/plat_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, plat_service_contexts, $(checkfc), -s))
##################################
include $(CLEAR_VARS)
@@ -251,7 +246,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, system_ext_service_contexts, $(checkfc), -s))
##################################
include $(CLEAR_VARS)
@@ -262,7 +257,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, product_service_contexts, $(checkfc), -s))
##################################
# nonplat_service_contexts is only allowed on non-full-treble devices
@@ -276,14 +271,10 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, vendor_service_contexts, $(checkfc), -s))
endif
-system_out :=
-product_out :=
-vendor_out :=
-odm_out :=
checkfc :=
property_info_checker :=
run_contexts_test :=
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 65a9cc3..13c2c5e 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -51,7 +51,12 @@
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
dontaudit dumpstate update_engine:binder call;
-allow dumpstate proc_net_tcp_udp:file r_file_perms;
+
+# Read files in /proc
+allow dumpstate {
+ proc_net_tcp_udp
+ proc_pid_max
+}:file r_file_perms;
# For comminucating with the system process to do confirmation ui.
binder_call(dumpstate, incidentcompanion_service)
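Review bot: The new rule grants dumpstate read access on proc_pid_max, but nothing in this diff shows proc_pid_max being declared as a type or attached to /proc/sys/kernel/pid_max in genfs_contexts; if that labelling is not already in the tree the allow is dead and the read stays denied at runtime, so it should be confirmed. The same addition in private/incidentd.te (hunk ending at proc_stat) has the same dependency. The enclosing block of dumpstate rules continues outside the hunk.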
diff --git a/private/file_contexts b/private/file_contexts
index d39b349..633a6ce 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -283,6 +283,7 @@
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index f10173b..0731dec 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -67,6 +67,7 @@
# Read files in /proc
allow incidentd {
proc_cmdline
+ proc_pid_max
proc_pipe_conf
proc_stat
}:file r_file_perms;
diff --git a/public/service.te b/public/service.te
index 7e58740..0560947 100644
--- a/public/service.te
+++ b/public/service.te
@@ -132,7 +132,7 @@
type meminfo_service, system_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type music_recognition_service, system_server_service, service_manager_type;
+type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
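Review bot: Adding app_api_service and ephemeral_app_api_service to music_recognition_service makes the binder endpoint discoverable from every untrusted and ephemeral app domain, so SELinux no longer limits who can reach it and the service's own permission checks become the only gate. Most neighbouring services in this list carry both attributes, so the line matches the file's convention, but the ephemeral grant is still the broader of the two and deserves a stated reason. If instant apps do not need music recognition, app_api_service alone is the narrower choice; otherwise a comment above the line such as `# reachable from ephemeral apps: <reason>` would record the rationale for later review.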