Merge "init: enable init to relabel symlinks for system_block_devices"

commit: a3e83d0a456ac464e74804a3a2b3078b6ed9c4b8 [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Tue Feb 28 00:01:43 2017 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Feb 28 00:01:44 2017 +0000
tree: a733aafded42d6971c61a53aefbf609022866696
parent: 5251ad1aa69fa77a8e56582666994dbca1830c53 [diff]
parent: df32f3e82b45278f5817226b3f2576b0612f6103 [diff]
diff --git a/Android.mk b/Android.mk
index 712a0ad..cdfb554 100644
--- a/Android.mk
+++ b/Android.mk

@@ -238,10 +238,17 @@
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
 
-$(LOCAL_BUILT_MODULE): $(plat_policy_nvr)
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(plat_policy_nvr)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(plat_policy_nvr)
 	@mkdir -p $(dir $@)
-	grep -v neverallow $< > $@
+	# Strip out neverallow statements. They aren't needed on-device and their presence
+	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
+	# sailfish-eng).
+	grep -v '^(neverallow' $(PRIVATE_CIL_FILES) > $@
+	# Confirm that the resulting policy compiles
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
 
+built_plat_cil := $(LOCAL_BUILT_MODULE)
 plat_policy.conf :=
 
 #################################
@@ -269,8 +276,12 @@
 endif
 
 $(LOCAL_BUILT_MODULE): $(mapping_policy_nvr)
-	grep -v neverallow $< > $@
+	# Strip out neverallow statements. They aren't needed on-device and their presence
+	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
+	# sailfish-eng).
+	grep -v '^(neverallow' $< > $@
 
+built_mapping_cil := $(LOCAL_BUILT_MODULE)
 current_mapping.cil :=
 
 #################################
@@ -321,9 +332,18 @@
 	@mkdir -p $(dir $@)
 	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
 
-$(LOCAL_BUILT_MODULE): $(nonplat_policy_nvr)
+$(LOCAL_BUILT_MODULE): PRIVATE_NONPLAT_CIL_FILES := $(nonplat_policy_nvr)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(nonplat_policy_nvr) $(built_plat_cil) \
+$(built_mapping_cil)
 	@mkdir -p $(dir $@)
-	grep -v neverallow $< > $@
+	# Strip out neverallow statements. They aren't needed on-device and their presence
+	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
+	# sailfish-eng).
+	grep -v '^(neverallow' $(PRIVATE_NONPLAT_CIL_FILES) > $@
+	# Confirm that the resulting policy compiles combined with platform and mapping policies
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
+		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
 
 nonplat_policy.conf :=
 nonplat_policy_raw :=
@@ -421,10 +441,17 @@
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
 
-$(LOCAL_BUILT_MODULE): $(plat_policy_nvr.recovery)
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(plat_policy_nvr.recovery)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(plat_policy_nvr.recovery)
 	@mkdir -p $(dir $@)
-	grep -v neverallow $< > $@
+	# Strip out neverallow statements. They aren't needed on-device and their presence
+	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
+	# sailfish-eng).
+	grep -v '^(neverallow' $(PRIVATE_CIL_FILES) > $@
+	# Confirm that the resulting policy compiles
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
 
+built_plat_cil.recovery := $(LOCAL_BUILT_MODULE)
 plat_policy.recovery.conf :=
 
 #################################
@@ -453,8 +480,12 @@
 endif
 
 $(LOCAL_BUILT_MODULE): $(mapping_policy_nvr.recovery)
-	grep -v neverallow $< > $@
+	# Strip out neverallow statements. They aren't needed on-device and their presence
+	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
+	# sailfish-eng).
+	grep -v '^(neverallow' $< > $@
 
+built_mapping_cil.recovery := $(LOCAL_BUILT_MODULE)
 current_mapping.recovery.cil :=
 
 #################################
@@ -467,6 +498,12 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+# nonplat_policy.recovery.conf - A combination of the non-platform private,
+# vendor and the exported platform policy associated with the version the
+# non-platform policy targets.  This needs attributization and to be combined
+# with the platform-provided policy.  Like plat_pub_policy.recovery.conf, this
+# needs to make use of the reqd_policy_mask files from private policy in order
+# to use checkpolicy.
 nonplat_policy.recovery.conf := $(intermediates)/nonplat_policy.recovery.conf
 $(nonplat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(nonplat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -501,9 +538,19 @@
 	@mkdir -p $(dir $@)
 	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
 
-$(LOCAL_BUILT_MODULE): $(nonplat_policy_nvr.recovery)
+$(LOCAL_BUILT_MODULE): PRIVATE_NONPLAT_CIL_FILES := $(nonplat_policy_nvr.recovery)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil.recovery) \
+$(built_mapping_cil.recovery)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(nonplat_policy_nvr.recovery) \
+$(built_plat_cil.recovery) $(built_mapping_cil.recovery)
 	@mkdir -p $(dir $@)
-	grep -v neverallow $< > $@
+	# Strip out neverallow statements. They aren't needed on-device and their presence
+	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
+	# sailfish-eng).
+	grep -v '^(neverallow' $(PRIVATE_NONPLAT_CIL_FILES) > $@
+	# Confirm that the resulting policy compiles combined with platform and mapping policies
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
+		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
 
 nonplat_policy.recovery.conf :=
 nonplat_policy_raw.recovery :=
@@ -975,6 +1022,10 @@
 built_general_sepolicy :=
 built_general_sepolicy.conf :=
 built_nl :=
+built_plat_cil :=
+built_plat_cil.recovery :=
+built_mapping_cil :=
+built_mapping_cil.recovery :=
 built_plat_pc :=
 built_nonplat_pc :=
 built_nonplat_sc :=

diff --git a/private/adbd.te b/private/adbd.te
index 5b0b8f2..1865b2a 100644
--- a/private/adbd.te
+++ b/private/adbd.te

@@ -70,6 +70,9 @@
 allow adbd gpu_device:chr_file rw_file_perms;
 allow adbd ion_device:chr_file rw_file_perms;
 r_dir_file(adbd, system_file)
+# Needed for Android Studio screenshot
+hwbinder_use(adbd)
+allow adbd hal_graphics_allocator:fd use;
 
 # Read /data/misc/adb/adb_keys.
 allow adbd adb_keys_file:dir search;

diff --git a/public/netd.te b/public/netd.te
index df18203..81f4af4 100644
--- a/public/netd.te
+++ b/public/netd.te

@@ -72,7 +72,12 @@
 allow netd netd_listener_service:service_manager find;
 
 # Allow netd to operate on sockets that are passed to it.
-allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
+allow netd netdomain:{
+  tcp_socket
+  udp_socket
+  rawip_socket
+  tun_socket
+} { read write getattr setattr getopt setopt };
 allow netd netdomain:fd use;
 
 ###
commit	a3e83d0a456ac464e74804a3a2b3078b6ed9c4b8	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Tue Feb 28 00:01:43 2017 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Feb 28 00:01:44 2017 +0000
tree	a733aafded42d6971c61a53aefbf609022866696
parent	5251ad1aa69fa77a8e56582666994dbca1830c53 [diff]
parent	df32f3e82b45278f5817226b3f2576b0612f6103 [diff]