Merge "Allow "adb shell tradeinmode" on userdebug/eng builds." into main
diff --git a/Android.bp b/Android.bp
index 9905e73..f68e7fa 100644
--- a/Android.bp
+++ b/Android.bp
@@ -509,7 +509,7 @@
// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
-genrule {
+java_genrule {
name: "plat_sepolicy_and_mapping.sha256_gen",
srcs: [
":plat_sepolicy.cil",
@@ -526,7 +526,7 @@
relative_install_path: "selinux",
}
-genrule {
+java_genrule {
name: "system_ext_sepolicy_and_mapping.sha256_gen",
srcs: [
":system_ext_sepolicy.cil",
@@ -544,7 +544,7 @@
system_ext_specific: true,
}
-genrule {
+java_genrule {
name: "product_sepolicy_and_mapping.sha256_gen",
srcs: [
":product_sepolicy.cil",
@@ -640,7 +640,7 @@
filegroup {
name: "precompiled_sepolicy_srcs",
- srcs: [
+ device_common_srcs: [
":plat_sepolicy.cil",
":plat_pub_versioned.cil",
":system_ext_sepolicy.cil",
@@ -890,7 +890,7 @@
// sepolicy_test checks various types of violations, which can't be easily done
// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
//////////////////////////////////
-genrule {
+java_genrule {
name: "sepolicy_test",
srcs: [
":plat_file_contexts",
@@ -918,7 +918,7 @@
soong_config_module_type {
name: "dev_type_test_genrule",
- module_type: "genrule",
+ module_type: "java_genrule",
config_namespace: "ANDROID",
bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
properties: ["cmd"],
@@ -1040,6 +1040,7 @@
"product_202404.cil",
],
}),
+ product_specific: true,
}
phony {
@@ -1086,6 +1087,7 @@
],
default: [],
}),
+ vendor: true,
}
phony {
@@ -1204,7 +1206,7 @@
//---
// 1. Collect all file_contexts files in THIS repository and process them with
// m4 into a tmp file called file_contexts.local.tmp.
-genrule {
+java_genrule {
name: "file_contexts.local.tmp",
srcs: [
":plat_file_contexts",
@@ -1225,7 +1227,7 @@
any @ m4defs: m4defs,
default: "",
})
-genrule {
+java_genrule {
name: "file_contexts.device.tmp",
srcs: [
":vendor_file_contexts",
@@ -1242,7 +1244,7 @@
// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
// file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-genrule {
+java_genrule {
name: "file_contexts.device.sorted.tmp",
srcs: [
":file_contexts.device.tmp",
@@ -1263,7 +1265,7 @@
// 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp
// into file_contexts.concat.tmp.
-genrule {
+java_genrule {
name: "file_contexts.concat.tmp",
srcs: [
":file_contexts.local.tmp",
@@ -1280,7 +1282,7 @@
// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
// file_contexts.bin.
-genrule {
+java_genrule {
name: "file_contexts_bin_gen",
srcs: [
":file_contexts.concat.tmp",
diff --git a/Android.mk b/Android.mk
deleted file mode 100644
index 6474b2a..0000000
--- a/Android.mk
+++ /dev/null
@@ -1,178 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-ifdef BOARD_SEPOLICY_UNION
-$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
-# sepolicy is now divided into multiple portions:
-# public - policy exported on which non-platform policy developers may write
-# additional policy. types and attributes are versioned and included in
-# delivered non-platform policy, which is to be combined with platform policy.
-# private - platform-only policy required for platform functionality but which
-# is not exported to vendor policy developers and as such may not be assumed
-# to exist.
-# vendor - vendor-only policy required for vendor functionality. This policy can
-# reference the public policy but cannot reference the private policy. This
-# policy is for components which are produced from the core/non-vendor tree and
-# placed into a vendor partition.
-# mapping - This contains policy statements which map the attributes
-# exposed in the public policy of previous versions to the concrete types used
-# in this policy to ensure that policy targeting attributes from public
-# policy from an older platform version continues to work.
-
-# build process for device:
-# 1) convert policies to CIL:
-# - private + public platform policy to CIL
-# - mapping file to CIL (should already be in CIL form)
-# - non-platform public policy to CIL
-# - non-platform public + private policy to CIL
-# 2) attributize policy
-# - run script which takes non-platform public and non-platform combined
-# private + public policy and produces attributized and versioned
-# non-platform policy
-# 3) combine policy files
-# - combine mapping, platform and non-platform policy.
-# - compile output binary policy file
-
-PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
-PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
-PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
-REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
-
-SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
-SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)
-
-PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
-PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
-
-ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
-HAS_SYSTEM_EXT_SEPOLICY_DIR := true
-endif
-
-# TODO(b/119305624): Currently if the device doesn't have a product partition,
-# we install product sepolicy into /system/product. We do that because bits of
-# product sepolicy that's still in /system might depend on bits that have moved
-# to /product. Once we finish migrating product sepolicy out of system, change
-# it so that if no product partition is present, product sepolicy artifacts are
-# not built and installed at all.
-ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
-HAS_PRODUCT_SEPOLICY_DIR := true
-endif
-
-ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
-ifeq ($(TARGET_BUILD_VARIANT),user)
-$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
-endif
-$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
- It does not work in user builds and using it will \
- not stop you from failing CTS.)
-endif
-
-# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
-# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and
-# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for
-# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS.
-ifdef BOARD_SEPOLICY_DIRS
-BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
-endif
-
-###########################################################
-# Compute policy files to be used in policy build.
-# $(1): files to include
-# $(2): directories in which to find files
-###########################################################
-
-define build_policy
-$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
-endef
-
-sepolicy_build_files := security_classes \
- initial_sids \
- access_vectors \
- global_macros \
- neverallow_macros \
- mls_macros \
- mls_decl \
- mls \
- policy_capabilities \
- te_macros \
- attributes \
- ioctl_defines \
- ioctl_macros \
- *.te \
- roles_decl \
- roles \
- users \
- initial_sid_contexts \
- fs_use \
- genfs_contexts \
- port_contexts
-
-sepolicy_compat_files := $(foreach ver, $(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
- $(addprefix compat/$(ver)/, $(addsuffix .cil, $(ver))))
-
-# Security classes and permissions defined outside of system/sepolicy.
-security_class_extension_files := $(call build_policy, security_classes access_vectors, \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
- $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-
-ifneq (,$(strip $(security_class_extension_files)))
- $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files)))
-endif
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
- # Checks if there are public system_ext policy files.
- policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
- ifneq (,$(strip $(policy_files)))
- HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true
- endif
- # Checks if there are public/private system_ext policy files.
- policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
- ifneq (,$(strip $(policy_files)))
- HAS_SYSTEM_EXT_SEPOLICY := true
- endif
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
- # Checks if there are public product policy files.
- policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY))
- ifneq (,$(strip $(policy_files)))
- HAS_PRODUCT_PUBLIC_SEPOLICY := true
- endif
- # Checks if there are public/private product policy files.
- policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
- ifneq (,$(strip $(policy_files)))
- HAS_PRODUCT_SEPOLICY := true
- endif
-endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-with_asan := false
-ifneq (,$(filter address,$(SANITIZE_TARGET)))
- with_asan := true
-endif
-
-ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
- #$(warning no product shipping level defined)
-else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
- ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),)
- $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.)
- endif
-endif
-
-ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
- #$(warning no product shipping level defined)
-else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
- ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),)
- $(error BUILD_BROKEN_ENFORCE_SYSPROP_OWNER cannot be set on a device shipping with S or later, and this is tested by CTS.)
- endif
-endif
-
-#################################
-
-
-build_policy :=
-sepolicy_build_files :=
-with_asan :=
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index fd1cd34..330e02f 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -228,46 +228,46 @@
}
}
-func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
+func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.ImageInterfaceContext) {
if proptools.Bool(m.properties.Recovery_available) && m.ModuleBase.InstallInRecovery() {
ctx.PropertyErrorf("recovery_available",
"doesn't make sense at the same time as `recovery: true`")
}
}
-func (m *selinuxContextsModule) VendorVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) VendorVariantNeeded(ctx android.ImageInterfaceContext) bool {
return false
}
-func (m *selinuxContextsModule) ProductVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) ProductVariantNeeded(ctx android.ImageInterfaceContext) bool {
return false
}
-func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.ImageInterfaceContext) bool {
return !m.ModuleBase.InstallInRecovery()
}
-func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
return false
}
-func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
return false
}
-func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
return false
}
-func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.ImageInterfaceContext) bool {
return m.ModuleBase.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
}
-func (m *selinuxContextsModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
+func (m *selinuxContextsModule) ExtraImageVariations(ctx android.ImageInterfaceContext) []string {
return nil
}
-func (m *selinuxContextsModule) SetImageVariation(ctx android.BaseModuleContext, variation string) {
+func (m *selinuxContextsModule) SetImageVariation(ctx android.ImageInterfaceContext, variation string) {
}
var _ android.ImageInterface = (*selinuxContextsModule)(nil)
@@ -716,42 +716,42 @@
// contextsTestModule implements ImageInterface to be able to include recovery_available contexts
// modules as its sources.
-func (m *contextsTestModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
+func (m *contextsTestModule) ImageMutatorBegin(ctx android.ImageInterfaceContext) {
}
-func (m *contextsTestModule) VendorVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) VendorVariantNeeded(ctx android.ImageInterfaceContext) bool {
return false
}
-func (m *contextsTestModule) ProductVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) ProductVariantNeeded(ctx android.ImageInterfaceContext) bool {
return false
}
-func (m *contextsTestModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) CoreVariantNeeded(ctx android.ImageInterfaceContext) bool {
return true
}
-func (m *contextsTestModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) RamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
return false
}
-func (m *contextsTestModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) VendorRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
return false
}
-func (m *contextsTestModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) DebugRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
return false
}
-func (m *contextsTestModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) RecoveryVariantNeeded(ctx android.ImageInterfaceContext) bool {
return false
}
-func (m *contextsTestModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
+func (m *contextsTestModule) ExtraImageVariations(ctx android.ImageInterfaceContext) []string {
return nil
}
-func (m *contextsTestModule) SetImageVariation(ctx android.BaseModuleContext, variation string) {
+func (m *contextsTestModule) SetImageVariation(ctx android.ImageInterfaceContext, variation string) {
}
var _ android.ImageInterface = (*contextsTestModule)(nil)
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index e81e8c8..0065c49 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -139,6 +139,7 @@
"android.hardware.tv.hdmi.connection.IHdmiConnection/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.hdmi.earc.IEArc/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.input.ITvInput/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.mediaquality.IMediaQuality/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.tuner.ITuner/default": EXCEPTION_NO_FUZZER,
"android.hardware.usb.IUsb/default": EXCEPTION_NO_FUZZER,
"android.hardware.usb.gadget.IUsbGadget/default": EXCEPTION_NO_FUZZER,
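Review bot: `android.hardware.tv.mediaquality.IMediaQuality/default` is added with `EXCEPTION_NO_FUZZER`, so the new HAL service enters the tree with no fuzzer binding and nothing recording whether one is planned. That matches the neighbouring tv and usb entries, but the same commit makes system_server a client of this HAL (private/system_server.te), so the interface will be reachable from a privileged process. A trailing comment with a tracking reference, e.g. `// TODO(b/<bug-id>): add a service fuzzer`, would keep the exception from becoming permanent by default. The map literal starts and ends outside this hunk.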
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index b303bbb..ee85695 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -435,8 +435,8 @@
/system/bin/hw/android.system.suspend-service system_suspend_exec
/system/etc/aconfig system_aconfig_storage_file
/system/etc/cgroups.json cgroup_desc_file
-/system/etc/task_profiles/cgroups_0.json cgroup_desc_api_file
-/system/etc/task_profiles/cgroups_999.json cgroup_desc_api_file
+/system/etc/task_profiles/cgroups_0.json cgroup_desc_file
+/system/etc/task_profiles/cgroups_999.json cgroup_desc_file
/system/etc/event-log-tags system_event_log_tags_file
/system/etc/font_fallback.xml system_font_fallback_file
/system/etc/group system_group_file
@@ -460,8 +460,8 @@
/system/etc/selinux/plat_sepolicy.cil sepolicy_file
/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 sepolicy_file
/system/etc/task_profiles.json task_profiles_file
-/system/etc/task_profiles/task_profiles_0.json task_profiles_api_file
-/system/etc/task_profiles/task_profiles_99.json task_profiles_api_file
+/system/etc/task_profiles/task_profiles_0.json task_profiles_file
+/system/etc/task_profiles/task_profiles_99.json task_profiles_file
/system/usr/share/zoneinfo system_zoneinfo_file
/system/usr/share/zoneinfo/0 system_zoneinfo_file
/system/bin/adbd adbd_exec
diff --git a/flagging/Android.bp b/flagging/Android.bp
index bd97a16..5466d2a 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -23,6 +23,7 @@
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_AVF_ENABLE_NETWORK",
"RELEASE_AVF_ENABLE_MICROFUCHSIA",
+ "RELEASE_AVF_ENABLE_WIDEVINE_PVM",
"RELEASE_RANGING_STACK",
"RELEASE_READ_FROM_NEW_STORAGE",
"RELEASE_SUPERVISION_SERVICE",
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index e9b4b1e..a20ce93 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -212,7 +212,7 @@
}
// sepolicy sha256 for vendor
-genrule {
+java_genrule {
name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
srcs: [
":microdroid_plat_sepolicy.cil",
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 7361462..40cfe5b 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -230,7 +230,6 @@
allow { domain } cgroup_v2:file w_file_perms;
allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
# Allow all processes to connect to PRNG seeder daemon.
unix_socket_connect(domain, prng_seeder, prng_seeder)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 6414f76..8416087 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -113,7 +113,7 @@
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
@@ -127,7 +127,7 @@
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_file:s0
#############################
# Vendor files
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 67af209..9a0345f 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -114,7 +114,6 @@
allow init cgroup:dir create_dir_perms;
allow init cgroup:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
allow init cgroup_v2:dir { mounton create_dir_perms};
allow init cgroup_v2:file rw_file_perms;
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index 0ea67a7..ba88770 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -43,7 +43,6 @@
r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 8d3f76a..8551bb6 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -6,7 +6,9 @@
type apex_mnt_dir, file_type;
type authfs_data_file, file_type, data_file_type, core_data_file_type;
type authfs_service_socket, file_type, coredomain_socket;
-type cgroup_desc_api_file, file_type, system_file_type;
+until_board_api(202504, `
+ type cgroup_desc_api_file, file_type, system_file_type;
+')
type cgroup_desc_file, file_type, system_file_type;
type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type;
@@ -30,7 +32,9 @@
type system_passwd_file, file_type, system_file_type;
type system_seccomp_policy_file, file_type, system_file_type;
type system_security_cacerts_file, file_type, system_file_type;
-type task_profiles_api_file, file_type, system_file_type;
+until_board_api(202504, `
+ type task_profiles_api_file, file_type, system_file_type;
+')
type task_profiles_file, file_type, system_file_type;
type trace_data_file, file_type, data_file_type, core_data_file_type;
type unlabeled, file_type;
diff --git a/private/attributes b/private/attributes
index 2d6181d..c89d0c7 100644
--- a/private/attributes
+++ b/private/attributes
@@ -11,6 +11,11 @@
attribute system_and_vendor_property_type;
expandattribute system_and_vendor_property_type false;
+# HALs
+until_board_api(202504, `
+ hal_attribute(mediaquality);
+')
+
# All SDK sandbox domains
attribute sdk_sandbox_all;
# The SDK sandbox domains for the current SDK level.
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 8bb0a2d..014270b 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -19,6 +19,7 @@
virtual_fingerprint_exec
virtual_face
virtual_face_exec
+ hal_mediaquality_service
media_quality_service
advanced_protection_service
sysfs_firmware_acpi_tables
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 3132c5a..3f5cb68 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -19,6 +19,7 @@
hal_secretkeeper_service
hal_codec2_service
hal_macsec_service
+ hal_mediaquality_service
hal_remotelyprovisionedcomponent_avf_service
hal_threadnetwork_service
hidl_memory_prop
diff --git a/private/crosvm.te b/private/crosvm.te
index ccfffa0..d9faf10 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -184,11 +184,12 @@
-vendor_vm_data_file
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
+ -vendor_cgroup_desc_file
-vendor_configs_file
-vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
- is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-same_process_hal_file')
+ -same_process_hal_file
}:file *;
')
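Review bot: `-same_process_hal_file` is now excluded on every build, where the removed line only excluded it when RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES was enabled. It also now sits under the comment describing types that are "not required for crosvm" but granted globally in domain.te. If crosvm does need these files, as the former flag name suggests, give the entry its own comment, for example `# Needed by crosvm for paravirtualized devices; exempted unconditionally`, so it is not read as part of the globally-granted group. The same flag guard is dropped around `-crosvm` in the `process setrlimit` exclusion list in private/virtualizationservice.te, which still carries TODO(b/332677707) to remove it; that TODO should say the exception is now unconditional. The rule this list belongs to starts outside the hunk.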
diff --git a/private/domain.te b/private/domain.te
index 75bcdf9..3376537 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -424,10 +424,11 @@
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+allow domain cgroup_desc_file:file r_file_perms;
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
+allow domain vendor_cgroup_desc_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
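Review bot: The added rules `allow domain cgroup_desc_file:file r_file_perms;` and `allow domain vendor_cgroup_desc_file:file r_file_perms;` make the cgroup description files readable by every domain, but no comment says which consumer needs that. The init.te and shell.te hunks in this commit show these types previously granted per domain, so this is a widening that should be justified next to the rule, e.g. `# All domains read cgroup descriptions: <reason, to be supplied by the author>`. Assuming init and shell carry the `domain` attribute, their existing `allow init cgroup_desc_file:file r_file_perms;`, `allow init vendor_cgroup_desc_file:file r_file_perms;` and the two matching shell rules are now redundant and could be dropped in the same change.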
@@ -1231,6 +1232,7 @@
-vendor_init
} {
system_file_type
+ -cgroup_desc_file
-crash_dump_exec
-file_contexts_file
-netutils_wrapper_exec
@@ -1245,7 +1247,6 @@
-system_seccomp_policy_file
-system_security_cacerts_file
-system_zoneinfo_file
- -task_profiles_api_file
-task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
# Vendor components still can invoke shell commands via /system/bin/sh
@@ -2072,6 +2073,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_boot_ota_file
+ -vendor_cgroup_desc_file
-vendor_configs_file
-vendor_microdroid_file
-vendor_service_contexts_file
diff --git a/private/file_contexts b/private/file_contexts
index f605e66..3f9efd9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -365,7 +365,7 @@
/system/bin/rkp_cert_processor u:object_r:rkp_cert_processor_exec:s0
/system/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/font_fallback.xml u:object_r:system_font_fallback_file:s0
/system/etc/group u:object_r:system_group_file:s0
@@ -385,7 +385,7 @@
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
/system/bin/adbd u:object_r:adbd_exec:s0
/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
diff --git a/private/hal_mediaquality.te b/private/hal_mediaquality.te
new file mode 100644
index 0000000..5bcdbbc
--- /dev/null
+++ b/private/hal_mediaquality.te
@@ -0,0 +1,9 @@
+starting_at_board_api(202504, `
+ binder_call(hal_mediaquality_client, hal_mediaquality_server)
+ binder_call(hal_mediaquality_server, hal_mediaquality_client)
+
+ hal_attribute_service(hal_mediaquality, hal_mediaquality_service)
+
+ binder_call(hal_mediaquality_server, servicemanager)
+ binder_call(hal_mediaquality_client, servicemanager)
+')
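Review bot: Every rule in this new file is wrapped in `starting_at_board_api(202504, ...)` and the file has no header comment explaining why. Meanwhile the service_contexts entry, the `typeattribute su hal_mediaquality_client;` line and `hal_client_domain(system_server, hal_mediaquality)` added elsewhere in this commit are unconditional. A build on an older board API therefore appears to get the attribute and service type (from the `until_board_api` blocks in private/attributes and private/service.te) but none of these binder rules. A short header such as `# Media quality HAL; rules are gated on board API 202504 because <reason>` would record whether that is intended; the reason should come from the author, since it is not visible on this page.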
diff --git a/private/init.te b/private/init.te
index dbb3f02..a3adab5 100644
--- a/private/init.te
+++ b/private/init.te
@@ -237,7 +237,6 @@
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
allow init cgroup_v2:dir { mounton create_dir_perms};
allow init cgroup_v2:file rw_file_perms;
diff --git a/private/property.te b/private/property.te
index fc44117..17e6d6e 100644
--- a/private/property.te
+++ b/private/property.te
@@ -863,5 +863,6 @@
neverallow {
domain
-init
+ -shell
userdebug_or_eng(`-su')
} bionic_linker_16kb_app_compat_prop:property_service set;
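Review bot: The added `-shell` exemption is unconditional, unlike the `userdebug_or_eng`-wrapped `-su` entry on the next line, so this neverallow no longer prevents the adb shell domain from setting `bionic_linker_16kb_app_compat_prop` on user builds. The matching `set_prop(shell, bionic_linker_16kb_app_compat_prop)` added in private/shell.te is also not gated on build variant, and its comment says the setting applies "globally". If the toggle is only meant for debug builds, gate both, e.g. ``userdebug_or_eng(`-shell')`` here and the equivalent wrapper around the `set_prop`. If user-build access is intended, a comment above the exemption such as `# shell may set this on all build variants: <reason>` would record that the carve-out is deliberate.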
diff --git a/private/property_contexts b/private/property_contexts
index 7664d75..d417a5b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -574,6 +574,7 @@
media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
media.c2.hal.selection u:object_r:codec2_config_prop:s0 exact enum aidl hidl
+media.c2.remove_rendering_depth u:object_r:codec2_config_prop:s0 exact bool
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
media.resolution.limit.32bit u:object_r:media_config_prop:s0 exact int
diff --git a/private/service.te b/private/service.te
index 08a032a..eee98d0 100644
--- a/private/service.te
+++ b/private/service.te
@@ -32,6 +32,10 @@
type media_quality_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
')
+until_board_api(202504, `
+ type hal_mediaquality_service, protected_service, hal_service_type, service_manager_type;
+')
+
is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
')
diff --git a/private/service_contexts b/private/service_contexts
index 8cab6ea..7c3c5de 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -115,6 +115,7 @@
android.hardware.tv.hdmi.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
android.hardware.tv.hdmi.connection.IHdmiConnection/default u:object_r:hal_tv_hdmi_connection_service:s0
android.hardware.tv.hdmi.earc.IEArc/default u:object_r:hal_tv_hdmi_earc_service:s0
+android.hardware.tv.mediaquality.IMediaQuality/default u:object_r:hal_mediaquality_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
android.hardware.tv.input.ITvInput/default u:object_r:hal_tv_input_service:s0
android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
diff --git a/private/shell.te b/private/shell.te
index 1b8fb8a..38c5ac8 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -113,6 +113,9 @@
# Allow shell to set RKP properties for testing purposes
set_prop(shell, remote_prov_prop)
+# Allow shell to enable 16 KB backcompat globally.
+set_prop(shell, bionic_linker_16kb_app_compat_prop)
+
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
@@ -402,7 +405,6 @@
r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
allow shell vendor_cgroup_desc_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
diff --git a/private/su.te b/private/su.te
index 2d4b0c6..1e2adef 100644
--- a/private/su.te
+++ b/private/su.te
@@ -106,6 +106,7 @@
typeattribute su hal_ir_client;
typeattribute su hal_keymaster_client;
typeattribute su hal_light_client;
+ typeattribute su hal_mediaquality_client;
typeattribute su hal_memtrack_client;
typeattribute su hal_neuralnetworks_client;
typeattribute su hal_nfc_client;
diff --git a/private/system_app.te b/private/system_app.te
index 0b6ffe2..93be46f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -199,3 +199,7 @@
allow system_app vendor_boot_ota_file:dir { r_dir_perms };
allow system_app vendor_boot_ota_file:file { r_file_perms };
+
+# allow system_app to read system_dlkm_file for /system_dlkm/etc/NOTICE.xml.gz
+allow system_app system_dlkm_file:dir search;
+allow system_app system_dlkm_file:file { getattr open read };
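Review bot: The two added rules let system_app search and read everything labeled `system_dlkm_file`, while the comment names a single file, /system_dlkm/etc/NOTICE.xml.gz. If that label also covers other content on the partition (its file_contexts entries are not visible here), a dedicated type for the notice file would keep the grant as narrow as the comment describes. If the shared label stays, extend the comment to say the hand-written `{ getattr open read }` set is deliberately narrower than the `r_file_perms` macro used on the lines above, so it is not later replaced by the macro.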
diff --git a/private/system_server.te b/private/system_server.te
index f39668e..5fb5346 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -198,6 +198,8 @@
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };
+# Set scheduling info for VMs (b/375058190)
+allow system_server { virtualizationmanager crosvm }:process { getsched setsched };
# Set scheduling info for psi monitor thread.
# TODO: delete this line b/131761776
@@ -324,6 +326,7 @@
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_keymint)
hal_client_domain(system_server, hal_light)
+hal_client_domain(system_server, hal_mediaquality)
hal_client_domain(system_server, hal_memtrack)
hal_client_domain(system_server, hal_neuralnetworks)
hal_client_domain(system_server, hal_oemlock)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index bc29e39..1acf734 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -131,7 +131,7 @@
-virtualizationmanager
-virtualizationservice
# TODO(b/332677707): remove them when display service uses binder RPC.
- is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-crosvm')
+ -crosvm
}:process setrlimit;
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
diff --git a/public/attributes b/public/attributes
index 759b773..0503450 100644
--- a/public/attributes
+++ b/public/attributes
@@ -366,6 +366,9 @@
hal_attribute(light);
hal_attribute(lowpan);
hal_attribute(macsec);
+starting_at_board_api(202504, `
+ hal_attribute(mediaquality);
+')
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
diff --git a/public/file.te b/public/file.te
index 4f187ec..c158492 100644
--- a/public/file.te
+++ b/public/file.te
@@ -224,16 +224,22 @@
type tcpdump_exec, system_file_type, exec_type, file_type;
# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
type system_zoneinfo_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/cgroups.json
+# Cgroups description file under /system/etc/cgroups.json or
+# API file under /system/etc/task_profiles/cgroups_*.json
type cgroup_desc_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
-type cgroup_desc_api_file, system_file_type, file_type;
+until_board_api(202504, `
+ # Cgroups description file under /system/etc/task_profiles/cgroups_*.json
+ type cgroup_desc_api_file, system_file_type, file_type;
+')
# Vendor cgroups description file under /vendor/etc/cgroups.json
type vendor_cgroup_desc_file, vendor_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles.json
+# Task profiles file under /system/etc/task_profiles.json or
+# API file under /system/etc/task_profiles/task_profiles_*.json
type task_profiles_file, system_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
-type task_profiles_api_file, system_file_type, file_type;
+until_board_api(202504, `
+ # Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+ type task_profiles_api_file, system_file_type, file_type;
+')
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
diff --git a/public/service.te b/public/service.te
index cc9b1ab..f54df00 100644
--- a/public/service.te
+++ b/public/service.te
@@ -330,6 +330,9 @@
type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
type hal_light_service, protected_service, hal_service_type, service_manager_type;
type hal_macsec_service, protected_service, hal_service_type, service_manager_type;
+starting_at_board_api(202504, `
+ type hal_mediaquality_service, protected_service, hal_service_type, service_manager_type;
+')
type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
type hal_neuralnetworks_service, hal_service_type, service_manager_type;
type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
diff --git a/tests/Android.bp b/tests/Android.bp
index 3dda11a..81e7927 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -83,6 +83,8 @@
libs: ["pysepolwrap"],
data: [
":libsepolwrap",
+ ],
+ device_common_data: [
":precompiled_sepolicy",
],
}
@@ -96,6 +98,8 @@
libs: ["pysepolwrap"],
data: [
":libsepolwrap",
+ ],
+ device_common_data: [
":precompiled_sepolicy",
],
test_options: {
diff --git a/treble_sepolicy_tests_for_release/Android.bp b/treble_sepolicy_tests_for_release/Android.bp
index 7256deb..7756cbb 100644
--- a/treble_sepolicy_tests_for_release/Android.bp
+++ b/treble_sepolicy_tests_for_release/Android.bp
@@ -23,7 +23,7 @@
// Tests for Treble compatibility of current platform policy and vendor policy of
// given release version.
//////////////////////////////////
-genrule {
+java_genrule {
name: "29.0_mapping.combined.cil",
srcs: [
":plat_29.0.cil",
@@ -33,7 +33,7 @@
cmd: "cat $(location :plat_29.0.cil) $(location :29.0.ignore.cil) > $(out)",
}
-genrule {
+java_genrule {
name: "treble_sepolicy_tests_29.0",
srcs: [
":29.0_plat_policy.cil",
@@ -49,7 +49,7 @@
"touch $(out)",
}
-genrule {
+java_genrule {
name: "30.0_mapping.combined.cil",
srcs: [
":plat_30.0.cil",
@@ -83,7 +83,7 @@
"> $(out)",
}
-genrule {
+java_genrule {
name: "treble_sepolicy_tests_30.0",
srcs: [
":30.0_plat_policy.cil",
@@ -114,7 +114,7 @@
}),
}
-genrule {
+java_genrule {
name: "31.0_mapping.combined.cil",
srcs: [
":plat_31.0.cil",
@@ -148,7 +148,7 @@
"> $(out)",
}
-genrule {
+java_genrule {
name: "treble_sepolicy_tests_31.0",
srcs: [
":31.0_plat_policy.cil",
@@ -179,7 +179,7 @@
}),
}
-genrule {
+java_genrule {
name: "32.0_mapping.combined.cil",
srcs: [
":plat_32.0.cil",
@@ -213,7 +213,7 @@
"> $(out)",
}
-genrule {
+java_genrule {
name: "treble_sepolicy_tests_32.0",
srcs: [
":32.0_plat_policy.cil",
@@ -244,7 +244,7 @@
}),
}
-genrule {
+java_genrule {
name: "33.0_mapping.combined.cil",
srcs: [
":plat_33.0.cil",
@@ -278,7 +278,7 @@
"> $(out)",
}
-genrule {
+java_genrule {
name: "treble_sepolicy_tests_33.0",
srcs: [
":33.0_plat_policy.cil",
@@ -309,7 +309,7 @@
}),
}
-genrule {
+java_genrule {
name: "34.0_mapping.combined.cil",
srcs: [
":plat_34.0.cil",
@@ -343,7 +343,7 @@
"> $(out)",
}
-genrule {
+java_genrule {
name: "treble_sepolicy_tests_34.0",
srcs: [
":34.0_plat_policy.cil",
@@ -374,7 +374,7 @@
}),
}
-genrule {
+java_genrule {
name: "202404_mapping.combined.cil",
srcs: select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
"202404": [
@@ -413,7 +413,7 @@
}),
}
-genrule {
+java_genrule {
name: "treble_sepolicy_tests_202404",
srcs: [
":202404_plat_policy.cil",
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 6f99d90..1e89895 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -82,6 +82,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.macsec-service u:object_r:hal_macsec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service u:object_r:mediacodec_exec:s0
+starting_at_board_api(202504, `
+ /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.mediaquality-service\.example u:object_r:hal_mediaquality_default_exec:s0
+')
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
diff --git a/vendor/hal_mediaquality_default.te b/vendor/hal_mediaquality_default.te
new file mode 100644
index 0000000..8f604c4
--- /dev/null
+++ b/vendor/hal_mediaquality_default.te
@@ -0,0 +1,7 @@
+starting_at_board_api(202504, `
+ type hal_mediaquality_default, domain;
+ hal_server_domain(hal_mediaquality_default, hal_mediaquality)
+
+ type hal_mediaquality_default_exec, exec_type, vendor_file_type, file_type;
+ init_daemon_domain(hal_mediaquality_default)
+')
\ No newline at end of file
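Review bot: The new file ends without a trailing newline, so the closing `')` of the `starting_at_board_api(202504, ...)` block is its last byte. Depending on how the build concatenates policy sources before m4 runs, the first line of the next file could be joined onto that token. Ending the file with a newline avoids the question. The file also has no header comment. One line such as `# Domain for the example mediaquality HAL service (android.hardware.tv.mediaquality-service.example)` would tie the domain to the binary labelled in vendor/file_contexts.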