Merge "Add this rule allows incidentd CTS tests be able to use incident command to fetch data from shell."
diff --git a/Android.bp b/Android.bp
index 9952a8f..1785342 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1 +1,4 @@
-subdirs = ["tests"]
+subdirs = [
+ "tests",
+ "build",
+]
diff --git a/Android.mk b/Android.mk
index 6756d40..0d4d67f 100644
--- a/Android.mk
+++ b/Android.mk
@@ -124,6 +124,13 @@
NEVERALLOW_ARG := -N
endif
+# BOARD_SEPOLICY_DIRS was used for vendor sepolicy customization before.
+# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS. BOARD_SEPOLICY_DIRS is
+# still allowed for backward compatibility, which will be merged into
+# BOARD_VENDOR_SEPOLICY_DIRS.
+ifdef BOARD_SEPOLICY_DIRS
+BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
+endif
platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
@@ -137,9 +144,9 @@
$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
endef
-# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
+# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
# $(1): the set of policy name paths to build
-build_device_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
# Add a file containing only a newline in-between each policy configuration
# 'contexts' file. This will allow OEM policy configuration files without a
@@ -209,11 +216,13 @@
LOCAL_REQUIRED_MODULES += \
$(platform_mapping_file) \
26.0.cil \
- nonplat_sepolicy.cil \
+ plat_pub_versioned.cil \
+ vendor_sepolicy.cil \
plat_sepolicy.cil \
plat_and_mapping_sepolicy.cil.sha256 \
secilc \
plat_sepolicy_vers.txt \
+ vendor_service_contexts \
# Include precompiled policy, unless told otherwise
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -225,11 +234,12 @@
endif
LOCAL_REQUIRED_MODULES += \
- nonplat_file_contexts \
- nonplat_mac_permissions.xml \
- nonplat_property_contexts \
- nonplat_seapp_contexts \
- nonplat_hwservice_contexts \
+ build_sepolicy \
+ vendor_file_contexts \
+ vendor_mac_permissions.xml \
+ vendor_property_contexts \
+ vendor_seapp_contexts \
+ vendor_hwservice_contexts \
plat_file_contexts \
plat_mac_permissions.xml \
plat_property_contexts \
@@ -239,10 +249,6 @@
searchpolicy \
vndservice_contexts \
-ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_REQUIRED_MODULES += nonplat_service_contexts
-endif
-
ifneq ($(TARGET_BUILD_VARIANT), user)
LOCAL_REQUIRED_MODULES += \
selinux_denial_metadata \
@@ -483,7 +489,9 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_sepolicy.cil
+# plat_pub_versioned.cil - the exported platform policy associated with the version
+# that non-platform policy targets.
+LOCAL_MODULE := plat_pub_versioned.cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -491,47 +499,62 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# nonplat_policy.conf - A combination of the non-platform private, vendor and
-# the exported platform policy associated with the version the non-platform
-# policy targets. This needs attributization and to be combined with the
-# platform-provided policy. Like plat_pub_policy.conf, this needs to make use
-# of the reqd_policy_mask files from private policy in order to use checkpolicy.
-nonplat_policy.conf := $(intermediates)/nonplat_policy.conf
-$(nonplat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(nonplat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(nonplat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-nonplat_policy_raw := $(intermediates)/nonplat_policy_raw.cil
-$(nonplat_policy_raw): PRIVATE_POL_CONF := $(nonplat_policy.conf)
-$(nonplat_policy_raw): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(nonplat_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.conf) \
-$(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
- $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
-
$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
+$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(plat_pub_policy.cil)
$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
-$(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+ $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_mapping_cil)
@mkdir -p $(dir $@)
$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-built_nonplat_cil := $(LOCAL_BUILT_MODULE)
-nonplat_policy.conf :=
-nonplat_policy_raw :=
+built_plat_pub_vers_cil := $(LOCAL_BUILT_MODULE)
+
+#################################
+include $(CLEAR_VARS)
+
+# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
+# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+# policy and the platform public policy files in order to use checkpolicy.
+LOCAL_MODULE := vendor_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vendor_policy.conf := $(intermediates)/vendor_policy.conf
+$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(vendor_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_plat_pub_vers_cil)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
+ $(vendor_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \
+ $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
+ -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
+ -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \
+ -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
+
+built_vendor_cil := $(LOCAL_BUILT_MODULE)
+vendor_policy.conf :=
#################################
include $(CLEAR_VARS)
@@ -544,16 +567,20 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := \
-$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
+all_cil_files := \
+ $(built_plat_cil) \
+ $(built_mapping_cil) \
+ $(built_plat_pub_vers_cil) \
+ $(built_vendor_cil)
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil) \
-$(built_sepolicy_neverallows)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
+all_cil_files :=
#################################
# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
@@ -586,7 +613,8 @@
all_cil_files := \
$(built_plat_cil) \
$(built_mapping_cil) \
- $(built_nonplat_cil)
+ $(built_plat_pub_vers_cil) \
+ $(built_vendor_cil)
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
@@ -630,7 +658,7 @@
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+ $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
$(transform-policy-to-conf)
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
@@ -716,7 +744,7 @@
@mkdir -p $(dir $@)
$(hide) m4 -s $^ > $@
-device_fc_files := $(call build_device_policy, file_contexts)
+device_fc_files := $(call build_vendor_policy, file_contexts)
device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl))
file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
@@ -727,7 +755,8 @@
file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
+$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \
+ $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@
@@ -808,7 +837,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_file_contexts
+LOCAL_MODULE := vendor_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -819,22 +848,22 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_fc_files := $(call build_device_policy, file_contexts)
-nonplat_fcfiles_with_nl := $(call add_nl, $(nonplat_fc_files), $(built_nl))
+vendor_fc_files := $(call build_vendor_policy, file_contexts)
+vendor_fcfiles_with_nl := $(call add_nl, $(vendor_fc_files), $(built_nl))
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(nonplat_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(vendor_fcfiles_with_nl)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
-$(nonplat_fcfiles_with_nl) $(built_sepolicy)
+$(vendor_fcfiles_with_nl) $(built_sepolicy)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
-built_nonplat_fc := $(LOCAL_BUILT_MODULE)
-nonplat_fc_files :=
-nonplat_fcfiles_with_nl :=
+built_vendor_fc := $(LOCAL_BUILT_MODULE)
+vendor_fc_files :=
+vendor_fcfiles_with_nl :=
##################################
include $(CLEAR_VARS)
@@ -852,15 +881,15 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_file_contexts.recovery
-LOCAL_MODULE_STEM := nonplat_file_contexts
+LOCAL_MODULE := vendor_file_contexts.recovery
+LOCAL_MODULE_STEM := vendor_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_nonplat_fc)
+$(LOCAL_BUILT_MODULE): $(built_vendor_fc)
$(hide) cp -f $< $@
##################################
@@ -889,7 +918,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_seapp_contexts
+LOCAL_MODULE := vendor_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -900,19 +929,19 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(nonplat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
@mkdir -p $(dir $@)
$(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-built_nonplat_sc := $(LOCAL_BUILT_MODULE)
-nonplat_sc_files :=
+built_vendor_sc := $(LOCAL_BUILT_MODULE)
+vendor_sc_files :=
##################################
include $(CLEAR_VARS)
@@ -965,7 +994,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_property_contexts
+LOCAL_MODULE := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -977,24 +1006,24 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-nonplat_property_contexts.tmp := $(intermediates)/nonplat_property_contexts.tmp
-$(nonplat_property_contexts.tmp): PRIVATE_PC_FILES := $(nonplat_pcfiles)
-$(nonplat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_property_contexts.tmp): $(nonplat_pcfiles)
+vendor_property_contexts.tmp := $(intermediates)/vendor_property_contexts.tmp
+$(vendor_property_contexts.tmp): PRIVATE_PC_FILES := $(vendor_pcfiles)
+$(vendor_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_property_contexts.tmp): $(vendor_pcfiles)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-$(LOCAL_BUILT_MODULE): $(nonplat_property_contexts.tmp) $(HOST_OUT_EXECUTABLES)/property_info_checker
+$(LOCAL_BUILT_MODULE): $(vendor_property_contexts.tmp) $(HOST_OUT_EXECUTABLES)/property_info_checker
@mkdir -p $(dir $@)
$(hide) cp -f $< $@
$(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $@
-built_nonplat_pc := $(LOCAL_BUILT_MODULE)
-nonplat_pcfiles :=
-nonplat_property_contexts.tmp :=
+built_vendor_pc := $(LOCAL_BUILT_MODULE)
+vendor_pcfiles :=
+vendor_property_contexts.tmp :=
##################################
include $(CLEAR_VARS)
@@ -1012,15 +1041,15 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_property_contexts.recovery
-LOCAL_MODULE_STEM := nonplat_property_contexts
+LOCAL_MODULE := vendor_property_contexts.recovery
+LOCAL_MODULE_STEM := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_nonplat_pc)
+$(LOCAL_BUILT_MODULE): $(built_vendor_pc)
$(hide) cp -f $< $@
##################################
@@ -1062,31 +1091,31 @@
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_service_contexts
+LOCAL_MODULE := vendor_service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-nonplat_service_contexts.tmp := $(intermediates)/nonplat_service_contexts.tmp
-$(nonplat_service_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_svcfiles)
-$(nonplat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_service_contexts.tmp): $(nonplat_svcfiles)
+vendor_service_contexts.tmp := $(intermediates)/vendor_service_contexts.tmp
+$(vendor_service_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_svcfiles)
+$(vendor_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_service_contexts.tmp): $(vendor_svcfiles)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(nonplat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+$(LOCAL_BUILT_MODULE): $(vendor_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
-built_nonplat_svc := $(LOCAL_BUILT_MODULE)
-nonplat_svcfiles :=
-nonplat_service_contexts.tmp :=
+built_vendor_svc := $(LOCAL_BUILT_MODULE)
+vendor_svcfiles :=
+vendor_service_contexts.tmp :=
endif
@@ -1125,7 +1154,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_hwservice_contexts
+LOCAL_MODULE := vendor_hwservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -1136,23 +1165,24 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-nonplat_hwservice_contexts.tmp := $(intermediates)/nonplat_hwservice_contexts.tmp
-$(nonplat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_hwsvcfiles)
-$(nonplat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_hwservice_contexts.tmp): $(nonplat_hwsvcfiles)
+vendor_hwservice_contexts.tmp := $(intermediates)/vendor_hwservice_contexts.tmp
+$(vendor_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_hwsvcfiles)
+$(vendor_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_hwservice_contexts.tmp): $(vendor_hwsvcfiles)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(nonplat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+$(LOCAL_BUILT_MODULE): $(vendor_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
-nonplat_hwsvcfiles :=
-nonplat_hwservice_contexts.tmp :=
+vendor_hwsvcfiles :=
+vendor_hwservice_contexts.tmp :=
+
##################################
include $(CLEAR_VARS)
@@ -1168,7 +1198,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
@@ -1222,7 +1252,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_mac_permissions.xml
+LOCAL_MODULE := vendor_mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1230,22 +1260,22 @@
include $(BUILD_SYSTEM)/base_rules.mk
# Build keys.conf
-nonplat_mac_perms_keys.tmp := $(intermediates)/nonplat_keys.tmp
-$(nonplat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
+$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-all_nonplat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_nonplat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(nonplat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
-$(all_nonplat_mac_perms_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_vendor_mac_perms_files)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-nonplat_mac_perms_keys.tmp :=
-all_nonplat_mac_perms_files :=
+vendor_mac_perms_keys.tmp :=
+all_vendor_mac_perms_files :=
#################################
include $(CLEAR_VARS)
@@ -1255,15 +1285,16 @@
include $(BUILD_SYSTEM)/base_rules.mk
+all_fc_files := $(built_plat_fc) $(built_vendor_fc)
+all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
+
sepolicy_tests := $(intermediates)/sepolicy_tests
-$(sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
-$(sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
+$(sepolicy_tests): ALL_FC_ARGS := $(all_fc_args)
$(sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests \
-$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy)
+$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
- -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
+ $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
$(hide) touch $@
##################################
@@ -1368,9 +1399,11 @@
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+all_fc_files := $(built_plat_fc) $(built_vendor_fc)
+all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
+
treble_sepolicy_tests := $(intermediates)/treble_sepolicy_tests
-$(treble_sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
-$(treble_sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
+$(treble_sepolicy_tests): ALL_FC_ARGS := $(all_fc_args)
$(treble_sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
$(treble_sepolicy_tests): PRIVATE_SEPOLICY_OLD := $(built_26.0_plat_sepolicy)
$(treble_sepolicy_tests): PRIVATE_COMBINED_MAPPING := $(26.0_mapping.combined.cil)
@@ -1381,12 +1414,11 @@
$(treble_sepolicy_tests): PRIVATE_FAKE_TREBLE :=
endif
$(treble_sepolicy_tests): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy) $(built_plat_sepolicy) \
-$(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
+ $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
+ $(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
- $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
- -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) \
+ $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
$(PRIVATE_FAKE_TREBLE)
@@ -1409,23 +1441,24 @@
#################################
add_nl :=
-build_device_policy :=
+build_vendor_policy :=
build_policy :=
built_plat_fc :=
-built_nonplat_fc :=
+built_vendor_fc :=
built_nl :=
built_plat_cil :=
+built_plat_pub_vers_cil :=
built_mapping_cil :=
built_plat_pc :=
-built_nonplat_cil :=
-built_nonplat_pc :=
-built_nonplat_sc :=
+built_vendor_cil :=
+built_vendor_pc :=
+built_vendor_sc :=
built_plat_sc :=
built_precompiled_sepolicy :=
built_sepolicy :=
built_sepolicy_neverallows :=
built_plat_svc :=
-built_nonplat_svc :=
+built_vendor_svc :=
mapping_policy :=
my_target_arch :=
plat_pub_policy.cil :=
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 42d451c..3a302bb 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -74,3 +74,12 @@
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_service_contexts)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/ETC/nonplat_service_contexts_intermediates)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/NOTICE_FILES/src/vendor/etc/selinux/nonplat_service_contexts.txt)
+
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_sepolicy.cil)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_mac_permissions.xml)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_seapp_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_property_contexts)
diff --git a/build/Android.bp b/build/Android.bp
new file mode 100644
index 0000000..d3f1fc3
--- /dev/null
+++ b/build/Android.bp
@@ -0,0 +1,34 @@
+// Copyright (C) 2018 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+python_binary_host {
+ name: "build_sepolicy",
+ srcs: [
+ "build_sepolicy.py",
+ "file_utils.py",
+ ],
+ required: [
+ "checkpolicy",
+ "secilc",
+ "version_policy",
+ ],
+ version: {
+ py2: {
+ enabled: true,
+ },
+ py3: {
+ enabled: false,
+ },
+ },
+}
diff --git a/build/build_sepolicy.py b/build/build_sepolicy.py
new file mode 100644
index 0000000..ff2ff07
--- /dev/null
+++ b/build/build_sepolicy.py
@@ -0,0 +1,140 @@
+# Copyright 2018 - The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Command-line tool to build SEPolicy files."""
+
+import argparse
+import os
+import subprocess
+import sys
+
+import file_utils
+
+
+# All supported commands in this module.
+# For each command, need to add two functions. Take 'build_cil' for example:
+# - setup_build_cil()
+# - Sets up command parsers and sets default function to do_build_cil().
+# - do_build_cil()
+_SUPPORTED_COMMANDS = ('build_cil',)
+
+
+def run_host_command(args, **kwargs):
+ """Runs a host command and prints output."""
+ if kwargs.get('shell'):
+ command_log = args
+ else:
+ command_log = ' '.join(args) # For args as a sequence.
+
+ try:
+ subprocess.check_call(args, **kwargs)
+ except subprocess.CalledProcessError as err:
+ sys.stderr.write(
+ 'build_sepolicy - failed to run command: {!r} (ret:{})\n'.format(
+ command_log, err.returncode))
+ sys.exit(err.returncode)
+
+
+def do_build_cil(args):
+ """Builds a sepolicy CIL (Common Intermediate Language) file.
+
+ This functions invokes some host utils (e.g., secilc, checkpolicy,
+ version_sepolicy) to generate a .cil file.
+
+ Args:
+ args: the parsed command arguments.
+ """
+ # Determines the raw CIL file name.
+ input_file_name = os.path.splitext(args.input_policy_conf)[0]
+ raw_cil_file = input_file_name + '_raw.cil'
+ # Builds the raw CIL.
+ file_utils.make_parent_dirs(raw_cil_file)
+ checkpolicy_cmd = [args.checkpolicy_env]
+ checkpolicy_cmd += [os.path.join(args.android_host_path, 'checkpolicy'),
+ '-C', '-M', '-c', args.policy_vers,
+ '-o', raw_cil_file, args.input_policy_conf]
+ # Using shell=True to setup args.checkpolicy_env variables.
+ run_host_command(' '.join(checkpolicy_cmd), shell=True)
+ file_utils.filter_out([args.reqd_mask], raw_cil_file)
+
+ # Builds the output CIL by versioning the above raw CIL.
+ output_file = args.output_cil
+ if output_file is None:
+ output_file = input_file_name + '.cil'
+ file_utils.make_parent_dirs(output_file)
+
+ run_host_command([os.path.join(args.android_host_path, 'version_policy'),
+ '-b', args.base_policy, '-t', raw_cil_file,
+ '-n', args.treble_sepolicy_vers, '-o', output_file])
+ if args.filter_out_files:
+ file_utils.filter_out(args.filter_out_files, output_file)
+
+ # Tests that the output file can be merged with the given CILs.
+ if args.dependent_cils:
+ merge_cmd = [os.path.join(args.android_host_path, 'secilc'),
+ '-m', '-M', 'true', '-G', '-N', '-c', args.policy_vers]
+ merge_cmd += args.dependent_cils # the give CILs to merge
+ merge_cmd += [output_file, '-o', '/dev/null', '-f', '/dev/null']
+ run_host_command(merge_cmd)
+
+
+def setup_build_cil(subparsers):
+ """Sets up command args for 'build_cil' command."""
+
+ # Required arguments.
+ parser = subparsers.add_parser('build_cil', help='build CIL files')
+ parser.add_argument('-i', '--input_policy_conf', required=True,
+ help='source policy.conf')
+ parser.add_argument('-m', '--reqd_mask', required=True,
+ help='the bare minimum policy.conf to use checkpolicy')
+ parser.add_argument('-b', '--base_policy', required=True,
+ help='base policy for versioning')
+ parser.add_argument('-t', '--treble_sepolicy_vers', required=True,
+ help='the version number to use for Treble-OTA')
+ parser.add_argument('-p', '--policy_vers', required=True,
+ help='SELinux policy version')
+
+ # Optional arguments.
+ parser.add_argument('-c', '--checkpolicy_env',
+ help='environment variables passed to checkpolicy')
+ parser.add_argument('-f', '--filter_out_files', nargs='+',
+ help='the pattern files to filter out the output cil')
+ parser.add_argument('-d', '--dependent_cils', nargs='+',
+ help=('check the output file can be merged with '
+ 'the dependent cil files'))
+ parser.add_argument('-o', '--output_cil', help='the output cil file')
+
+ # The function that performs the actual works.
+ parser.set_defaults(func=do_build_cil)
+
+
+def run(argv):
+ """Sets up command parser and execuates sub-command."""
+ parser = argparse.ArgumentParser()
+
+ # Adds top-level arguments.
+ parser.add_argument('-a', '--android_host_path', default='',
+ help='a path to host out executables')
+
+ # Adds subparsers for each COMMAND.
+ subparsers = parser.add_subparsers(title='COMMAND')
+ for command in _SUPPORTED_COMMANDS:
+ globals()['setup_' + command](subparsers)
+
+ args = parser.parse_args(argv[1:])
+ args.func(args)
+
+
+if __name__ == '__main__':
+ run(sys.argv)
diff --git a/build/file_utils.py b/build/file_utils.py
new file mode 100644
index 0000000..1559a9b
--- /dev/null
+++ b/build/file_utils.py
@@ -0,0 +1,49 @@
+# Copyright 2018 - The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""File-related utilities."""
+
+
+import os
+import shutil
+import tempfile
+
+
+def make_parent_dirs(file_path):
+ """Creates parent directories for the file_path."""
+ if os.path.exists(file_path):
+ return
+
+ parent_dir = os.path.dirname(file_path)
+ if parent_dir and not os.path.exists(parent_dir):
+ os.makedirs(parent_dir)
+
+
+def filter_out(pattern_files, input_file):
+ """"Removes lines in input_file that match any line in pattern_files."""
+
+ # Prepares patterns.
+ patterns = []
+ for f in pattern_files:
+ patterns.extend(open(f).readlines())
+
+ # Copy lines that are not in the pattern.
+ tmp_output = tempfile.NamedTemporaryFile()
+ with open(input_file, 'r') as in_file:
+ tmp_output.writelines(line for line in in_file.readlines()
+ if line not in patterns)
+ tmp_output.flush()
+
+ # Replaces the input_file.
+ shutil.copyfile(tmp_output.name, input_file)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index bb9142d..df14019 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -199,6 +199,7 @@
hal_nfc_hwservice
hal_oemlock_hwservice
hal_power_hwservice
+ hal_secure_element_hwservice
hal_sensors_hwservice
hal_telephony_hwservice
hal_thermal_hwservice
diff --git a/private/bug_map b/private/bug_map
index 2b970dd..ce9ab81 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,11 +1,13 @@
-priv_app firstboot_prop file 63801215
-vold system_data_file file 62140539
-system_server vendor_framework_file dir 68826235
+bootanim unlabeled dir 68864350
crash_dump app_data_file dir 68319037
crash_dump bluetooth_data_file dir 68319037
+crash_dump resourcecache_data_file dir 68319037
crash_dump vendor_overlay_file dir 68319037
-statsd statsd capability 71537285
hal_graphics_allocator_default unlabeled dir 70180742
-surfaceflinger unlabeled dir 68864350
hal_graphics_composer_default unlabeled dir 68864350
-bootanim unlabeled dir 68864350
+priv_app sysfs dir 72749888
+surfaceflinger unlabeled dir 68864350
+system_server vendor_framework_file dir 68826235
+untrusted_app_27 system_data_file dir 72550646
+usbd usbd capability 72472544
+vold system_data_file file 62140539
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ca26357..7769b65 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -40,6 +40,7 @@
hal_confirmationui_hwservice
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
+ hal_secure_element_hwservice
hal_tetheroffload_hwservice
hal_usb_gadget_hwservice
hal_wifi_offload_hwservice
@@ -59,8 +60,15 @@
network_watchlist_data_file
network_watchlist_service
package_native_service
+ perfetto
+ perfetto_exec
+ perfetto_tmpfs
+ perfetto_traces_data_file
perfprofd_service
property_info
+ secure_element
+ secure_element_tmpfs
+ secure_element_service
slice_service
stats
stats_data_file
diff --git a/private/coredomain.te b/private/coredomain.te
index 84d7a8f..23224c3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -10,7 +10,6 @@
# generic access to sysfs_type
-ueventd
- -vendor_init
-vold
} sysfs_leds:file *;
')
diff --git a/private/domain.te b/private/domain.te
index dae40d2..46d3189 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,7 +25,6 @@
neverallow {
coredomain
-vold
- -vendor_init
} proc:file no_rw_file_perms;
# /sys
@@ -34,7 +33,6 @@
-init
-ueventd
-vold
- -vendor_init
} sysfs:file no_rw_file_perms;
# /dev
@@ -43,7 +41,6 @@
-fsck
-init
-ueventd
- -vendor_init
} device:{ blk_file file } no_rw_file_perms;
# debugfs
@@ -52,7 +49,6 @@
-dumpstate
-init
-system_server
- -vendor_init
} debugfs:file no_rw_file_perms;
# tracefs
@@ -65,14 +61,12 @@
userdebug_or_eng(`-traced_probes')
-shell
userdebug_or_eng(`-traceur_app')
- -vendor_init
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
neverallow {
coredomain
-init
- -vendor_init
} inotify:file no_rw_file_perms;
# pstorefs
@@ -89,7 +83,6 @@
-recovery_refresh
-shell
-system_server
- -vendor_init
} pstorefs:file no_rw_file_perms;
# configfs
@@ -97,7 +90,6 @@
coredomain
-init
-system_server
- -vendor_init
} configfs:file no_rw_file_perms;
# functionfs
@@ -106,13 +98,11 @@
-adbd
-init
-mediaprovider
- -vendor_init
}functionfs:file no_rw_file_perms;
# usbfs and binfmt_miscfs
neverallow {
coredomain
-init
- -vendor_init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
diff --git a/private/file.te b/private/file.te
index 5ff7768..0dcf254 100644
--- a/private/file.te
+++ b/private/file.te
@@ -9,3 +9,6 @@
# /data/misc/wmtrace for wm traces
type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 0afca24..25d0d9d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -46,14 +46,20 @@
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/vendor_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+# Use nonplat_service_contexts_file to allow servicemanager to read it
+# on non full-treble devices.
+/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0
/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
##########################
@@ -167,6 +173,7 @@
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
+/dev/v4l-touch[0-9]* u:object_r:input_device:s0
/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
@@ -246,6 +253,7 @@
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
@@ -391,6 +399,7 @@
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
+/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 5a65580..96233fc 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -38,6 +38,7 @@
android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
diff --git a/private/keystore.te b/private/keystore.te
index 90c4727..7f71028 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -14,3 +14,6 @@
# Offer the Wifi Keystore HwBinder service
typeattribute keystore wifi_keystore_service_server;
add_hwservice(keystore, system_wifi_keystore_hwservice)
+
+# Allow to check whether security logging is enabled.
+get_prop(keystore, device_logging_prop)
diff --git a/private/nfc.te b/private/nfc.te
index 56446f4..5e85672 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -24,6 +24,7 @@
allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find;
allow nfc vr_manager_service:service_manager find;
+allow nfc secure_element_service:service_manager find;
set_prop(nfc, nfc_prop);
diff --git a/private/perfetto.te b/private/perfetto.te
new file mode 100644
index 0000000..389fdf4
--- /dev/null
+++ b/private/perfetto.te
@@ -0,0 +1,60 @@
+# Perfetto command-line client. Can be used only from the domains that are
+# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# This command line client accesses the privileged socket of the traced
+# daemon.
+
+type perfetto, domain, coredomain;
+type perfetto_exec, exec_type, file_type;
+
+tmpfs_domain(perfetto);
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow to access binder to pass the traces to Dropbox.
+binder_use(perfetto)
+binder_call(perfetto, system_server)
+allow perfetto dropbox_service:service_manager find;
+
+# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
+# print out on stdout/stderr.
+allow perfetto statsd:fd use;
+allow perfetto statsd:fifo_file { getattr read write };
+allow perfetto shell:fd use;
+allow perfetto shell:fifo_file { getattr read write };
+
+# Allow to communicate use, read and write over the adb connection.
+allow perfetto adbd:fd use;
+allow perfetto adbd:unix_stream_socket { read write };
+
+# allow adbd to reap perfetto
+allow perfetto adbd:process { sigchld };
+
+# Allow to access /dev/pts when launched in an adb shell.
+allow perfetto devpts:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### perfetto should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow perfetto self:process execmem;
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto { data_file_type -system_data_file -zoneinfo_data_file -perfetto_traces_data_file }:dir *;
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;
diff --git a/private/priv_app.te b/private/priv_app.te
index dcf7572..565aa4a 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -140,6 +140,7 @@
dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_stat:file read;
dontaudit priv_app proc_version:file read;
dontaudit priv_app wifi_prop:file read;
dontaudit priv_app net_dns_prop:file read;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 76f2998..6efd59f 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -99,6 +99,7 @@
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file
diff --git a/private/secure_element.te b/private/secure_element.te
new file mode 100644
index 0000000..57f512b
--- /dev/null
+++ b/private/secure_element.te
@@ -0,0 +1,14 @@
+# secure element subsystem
+typeattribute secure_element coredomain;
+app_domain(secure_element)
+
+binder_service(secure_element)
+add_service(secure_element, secure_element_service)
+
+allow secure_element app_api_service:service_manager find;
+hal_client_domain(secure_element, hal_secure_element)
+
+# already open bugreport file descriptors may be shared with
+# the secure element process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow secure_element shell_data_file:file read;
diff --git a/private/service_contexts b/private/service_contexts
index 373c7cc..71d4845 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -134,6 +134,7 @@
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
+secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0
serial u:object_r:serial_service:s0
diff --git a/private/shell.te b/private/shell.te
index ded9d1f..7a7ebf4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -38,3 +38,12 @@
unix_socket_connect(shell, traced_producer, traced)
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
+
+# Allow shell binaries to exec the perfetto cmdline util and have that
+# transition into its own domain, so that it behaves consistently to
+# when exec()-d by statsd.
+domain_auto_trans(shell, perfetto_exec, perfetto)
+
+# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
+allow shell perfetto_traces_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_data_file:file r_file_perms;
diff --git a/private/statsd.te b/private/statsd.te
index 073c38b..a51a547 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -37,8 +37,11 @@
read_logd(statsd)
control_logd(statsd)
-# Allow to control Perfetto traced and consume its traces.
-unix_socket_connect(statsd, traced_consumer, traced)
+# Allow to exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe. It allows statsd to capture traces and hand them
+# to Android dropbox.
+allow statsd perfetto_exec:file rx_file_perms;
+domain_auto_trans(statsd, perfetto_exec, perfetto)
# Grant statsd with permissions to register the services.
allow statsd {
diff --git a/private/su.te b/private/su.te
index 6e7fc37..16e47bb 100644
--- a/private/su.te
+++ b/private/su.te
@@ -13,6 +13,9 @@
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
+ # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, perfetto_exec, perfetto)
+
# su is also permissive to permit setenforce.
permissive su;
diff --git a/private/system_server.te b/private/system_server.te
index f8f5e3e..6ba98f5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -371,6 +371,11 @@
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
+# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# binder.
+allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto:fd use;
+
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
@@ -821,4 +826,3 @@
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;
-
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 5d97f72..50efc22 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -1,5 +1,3 @@
-typeattribute vendor_init coredomain;
-
# Creating files on sysfs is impossible so this isn't a threat
# Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example.
diff --git a/public/app.te b/public/app.te
index 3c29946..1fd8186 100644
--- a/public/app.te
+++ b/public/app.te
@@ -169,15 +169,7 @@
allow appdomain heapdump_data_file:file append;
')
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
-# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
-# Exclude isolated app which may not use network sockets.
-r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
@@ -550,3 +542,8 @@
# Apps cannot access proc_uid_cpupower
neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps cannot access proc/net/xt_qtaguid/ files anymore since P.
+neverallow { appdomain -shell } qtaguid_proc:file rw_file_perms;
+neverallow { appdomain -shell } proc_qtaguid_stat:{ file lnk_file } r_file_perms;
+neverallow { appdomain -shell } qtaguid_device:chr_file r_file_perms;
diff --git a/public/attributes b/public/attributes
index 66ce7d0..77823cf 100644
--- a/public/attributes
+++ b/public/attributes
@@ -32,6 +32,7 @@
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
+expandattribute core_data_file_type false;
# All types in /vendor
attribute vendor_file_type;
@@ -130,6 +131,7 @@
# All socket devices owned by core domain components
attribute coredomain_socket;
+expandattribute coredomain_socket false;
# All vendor domains which violate the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
@@ -229,6 +231,7 @@
hal_attribute(nfc);
hal_attribute(oemlock);
hal_attribute(power);
+hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
hal_attribute(tetheroffload);
diff --git a/public/domain.te b/public/domain.te
index 5879e26..24514bf 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -670,7 +670,6 @@
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
-full_treble_only(`
# Most general rules first, more specific rules below.
# Core domains are not permitted to initiate communications to vendor domain sockets.
@@ -678,6 +677,7 @@
# to obtain an already established socket via some public/official/stable API and then exchange
# data with its peer over that socket. The wire format in this scenario is dicatated by the API
# and thus does not break the core-vendor separation.
+full_treble_only(`
neverallow_establish_socket_comms({
coredomain
-init
@@ -687,7 +687,9 @@
-coredomain
-socket_between_core_and_vendor_violators
});
+')
# Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
@@ -703,26 +705,34 @@
-incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
-tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
});
+')
# Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
-netdomain
-socket_between_core_and_vendor_violators
}, netd);
+')
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
neverallow {
domain
-coredomain
-appdomain # appdomain restrictions below
+ -data_between_core_and_vendor_violators # b/70393317
-socket_between_core_and_vendor_violators
+ -vendor_init
} {
coredomain_socket
core_data_file_type
unlabeled # used only by core domains
}:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
neverallow {
appdomain
-coredomain
@@ -734,14 +744,15 @@
-pdx_endpoint_socket_type # used by VR layer
-pdx_channel_socket_type # used by VR layer
}:sock_file ~{ append getattr ioctl read write };
+')
# Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
neverallow {
coredomain
-init
-ueventd
-socket_between_core_and_vendor_violators
- -vendor_init
} {
file_type
dev_type
@@ -767,7 +778,6 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
- -vendor_init
} {
data_file_type
-core_data_file_type
@@ -777,7 +787,6 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
- -vendor_init
} {
data_file_type
-core_data_file_type
@@ -838,7 +847,6 @@
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
- -vendor_init
} vendor_app_file:dir { open read getattr search };
neverallow {
@@ -851,7 +859,6 @@
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
- -vendor_init
} vendor_app_file:{ file lnk_file } r_file_perms;
# Limit access to /vendor/overlay
@@ -863,7 +870,6 @@
-installd
-system_server
-zygote
- -vendor_init
} vendor_overlay_file:dir { getattr open read search };
neverallow {
@@ -874,7 +880,6 @@
-installd
-system_server
-zygote
- -vendor_init
} vendor_overlay_file:{ file lnk_file } r_file_perms;
# Non-vendor domains are not allowed to file execute shell
@@ -882,7 +887,6 @@
neverallow {
coredomain
-init
- -vendor_init
-shell
} vendor_shell_exec:file { execute execute_no_trans };
@@ -908,7 +912,6 @@
coredomain
-init
-system_executes_vendor_violators
- -vendor_init
} {
vendor_file_type
-same_process_hal_file
@@ -1040,7 +1043,6 @@
-system_server
-system_app
-init
- -vendor_init
-installd # for relabelfrom and unlink, check for this in explicit neverallow
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
@@ -1218,6 +1220,31 @@
-ueventd
-crash_dump
-perfprofd
- -vendor_init
} vendor_file:file { create_file_perms x_file_perms };
')
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+neverallow {
+ domain
+ -dnsmasq
+ -dumpstate
+ -init
+ -installd
+ -install_recovery
+ -lmkd
+ -netd
+ -perfprofd
+ -postinstall_dexopt
+ -recovery
+ -sdcardd
+ -tee
+ -ueventd
+ -uncrypt
+ -vendor_init
+ -vold
+ -vold_prepare_subdirs
+ -zygote
+} self:capability dac_override;
+neverallow domain self:capability dac_read_search;
diff --git a/public/file.te b/public/file.te
index 02a4360..932ecbf 100644
--- a/public/file.te
+++ b/public/file.te
@@ -317,7 +317,7 @@
type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
@@ -327,7 +327,7 @@
type uncrypt_socket, file_type, coredomain_socket;
type vold_socket, file_type, coredomain_socket;
type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file
type gps_control, file_type;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 4265b8a..8fe7442 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -5,6 +5,7 @@
add_hwservice(hal_camera_server, hal_camera_hwservice)
allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
+allow hal_camera device:dir r_dir_perms;
allow hal_camera video_device:dir r_dir_perms;
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
new file mode 100644
index 0000000..e3046d1
--- /dev/null
+++ b/public/hal_secure_element.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
+allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index f6ab621..436ec68 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -31,6 +31,7 @@
type hal_omx_hwservice, hwservice_manager_type;
type hal_power_hwservice, hwservice_manager_type;
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type;
type hal_sensors_hwservice, hwservice_manager_type;
type hal_telephony_hwservice, hwservice_manager_type;
type hal_tetheroffload_hwservice, hwservice_manager_type;
diff --git a/public/property.te b/public/property.te
index 0578ed6..5c34264 100644
--- a/public/property.te
+++ b/public/property.te
@@ -116,6 +116,7 @@
}:file no_rw_file_perms;
compatible_property_only(`
+# Prevent properties from being set
neverallow {
domain
-coredomain
@@ -129,23 +130,47 @@
exported_dumpstate_prop
exported_ffs_prop
exported_fingerprint_prop
- exported_radio_prop
exported_system_prop
exported_system_radio_prop
exported_vold_prop
exported2_config_prop
exported2_default_prop
- exported2_radio_prop
exported2_system_prop
exported2_vold_prop
exported3_default_prop
exported3_system_prop
- }:file no_w_file_perms;
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
neverallow {
domain
-coredomain
-appdomain
+ -hal_nfc
+ -vendor_init
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -rild
+ -vendor_init
+ } {
+ exported_radio_prop
+ exported2_radio_prop
+ radio_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
-vendor_init
} {
core_property_type
@@ -158,10 +183,19 @@
exported3_default_prop
exported3_system_prop
-debug_prop
- -fingerprint_prop
-logd_prop
-nfc_prop
-powerctl_prop
-radio_prop
}:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -rild
+ -vendor_init
+ } {
+ radio_prop
+ }:file no_rw_file_perms;
')
diff --git a/public/secure_element.te b/public/secure_element.te
new file mode 100644
index 0000000..4ce6714
--- /dev/null
+++ b/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;
diff --git a/public/service.te b/public/service.te
index 6f9d47c..e13b6d5 100644
--- a/public/service.te
+++ b/public/service.te
@@ -23,6 +23,7 @@
type nfc_service, service_manager_type;
type perfprofd_service, service_manager_type;
type radio_service, service_manager_type;
+type secure_element_service, service_manager_type;
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
diff --git a/public/su.te b/public/su.te
index edc62c3..fd90ebe 100644
--- a/public/su.te
+++ b/public/su.te
@@ -81,6 +81,7 @@
typeattribute su hal_nfc_client;
typeattribute su hal_oemlock_client;
typeattribute su hal_power_client;
+ typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client;
typeattribute su hal_tetheroffload_client;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 275debb..ea9ba10 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -23,6 +23,10 @@
def TestVendorTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
+def TestCoreDataTypeViolations(pol):
+ return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor/",
+ "/data/vendor_ce/", "/data/vendor_de/"], "core_data_file_type")
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -40,7 +44,9 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = ["TestDataTypeViolators"]
+Tests = ["TestDataTypeViolators", "TestSysfsTypeViolations",
+ "TestDebugfsTypeViolations", "TestVendorTypeViolations",
+ "TestCoreDataTypeViolations"]
if __name__ == '__main__':
usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
@@ -87,6 +93,8 @@
results += TestDebugfsTypeViolations(pol)
if options.test is None or "TestVendorTypeViolations" in options.test:
results += TestVendorTypeViolations(pol)
+ if options.test is None or "TestCoreDataTypeViolations" in options.test:
+ results += TestCoreDataTypeViolations(pol)
if len(results) > 0:
sys.exit(results)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 3c5c535..2f9e994 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -38,6 +38,7 @@
'postinstall_dexopt',
'recovery',
'system_server',
+ 'vendor_init',
}
coredomainWhitelist |= coreAppdomain
diff --git a/tools/README b/tools/README
index 6035c03..5e340a0 100644
--- a/tools/README
+++ b/tools/README
@@ -3,6 +3,15 @@
available for help in auditing and analyzing policy. The tools are
described further below.
+build_policies.sh
+ A tool to build SELinux policy for multiple targets in parallel.
+ This is useful for quickly testing a new test or neverallow rule
+ on multiple targets.
+
+ Usage:
+ ./build_policies.sh ~/android/master ~/tmp/build_policies
+ ./build_policies.sh ~/android/master ~/tmp/build_policies sailfish-eng walleye-eng
+
checkfc
A utility for checking the validity of a file_contexts or a
property_contexts configuration file. Used as part of the policy
diff --git a/tools/build_policies.sh b/tools/build_policies.sh
new file mode 100755
index 0000000..77f0fc6
--- /dev/null
+++ b/tools/build_policies.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# Ensure that GNU parallel is installed.
+# We use this to build multiple targets at the same time.
+if [[ -z $(command -v parallel) ]]; then
+ echo "Please install GNU Parallel."
+ exit
+fi
+
+if [[ $# -lt 2 ]]; then
+ echo "Usage: $0 <Android root directory> <output directory> [specific targets to build]"
+ exit
+fi
+
+android_root_dir=$1
+export out_dir=$2
+shift 2
+all_targets="$@"
+
+echo "Android tree: $android_root_dir"
+echo "Output directory: $out_dir"
+
+mkdir -p $out_dir
+
+cd $android_root_dir
+source build/envsetup.sh > /dev/null
+
+# Collect the list of targets by parsing the output of lunch.
+# TODO: This misses some targets.
+if [[ "$all_targets" = "" ]]; then
+ all_targets=`lunch 2>/dev/null <<< _ | grep "[0-9]" | sed 's/^.* //'`
+fi
+
+# Clean up targets by replacing eng with userdebug using non-aosp variants.
+declare -A targets_map
+for target in $all_targets; do
+ targets_map[$target]=$target
+done
+targets=""
+for target in $all_targets; do
+ clean_target=$(echo $target | sed 's/-eng/-userdebug/' | sed 's/aosp_//')
+ if [[ $clean_target != $target ]] && [[ ${targets_map[$clean_target]} == $clean_target ]]; then
+ echo "Ignoring $target in favor of $clean_target"
+ else
+ if [[ -z $targets ]]; then
+ targets=$target
+ else
+ targets="$targets $target"
+ fi
+ fi
+done
+
+# Calculate the number of targets to build at once.
+# This heuristic could probably be improved.
+cores=$(nproc --all)
+num_targets=$(echo "$targets" | sed 's/ /\n/g' | wc -l)
+parallel_jobs=$(expr $cores / 2)
+if [[ $num_targets -lt $parallel_jobs ]]; then
+ export mmma_jobs=$(expr $cores / $num_targets \* 2)
+else
+ export mmma_jobs=4
+fi
+
+echo "$num_targets target(s): $(echo $targets | paste -sd' ')"
+
+compile_target () {
+ target=$1
+ source build/envsetup.sh > /dev/null
+ lunch $target &> /dev/null
+ # Some targets can't lunch properly.
+ if [ $? -ne 0 ]; then
+ echo "$target cannot be lunched"
+ return 1
+ fi
+ my_out_file="$out_dir/log.$target"
+ rm -f $my_out_file
+ # Build the policy.
+ OUT_DIR=$out_dir/out.$target mmma -j$mmma_jobs system/sepolicy &>> $my_out_file
+ if [ $? -ne 0 ]; then
+ echo "$target failed to build"
+ return 2
+ fi
+ return 0
+}
+export -f compile_target
+
+parallel --no-notice -j $parallel_jobs --bar --joblog $out_dir/joblog compile_target ::: $targets
+
+echo "Failed to lunch: $(grep "\s1\s0\scompile_target" $out_dir/joblog | sed 's/^.* //' | sort | paste -sd' ')"
+echo "Failed to build: $(grep "\s2\s0\scompile_target" $out_dir/joblog | sed 's/^.* //' | sort | paste -sd' ')"
diff --git a/vendor/bug_map b/vendor/bug_map
index 708e32e..e69de29 100644
--- a/vendor/bug_map
+++ b/vendor/bug_map
@@ -1 +0,0 @@
-system_server vendor_framework_file dir 67860706
diff --git a/vendor/file.te b/vendor/file.te
index 3350b1e..6bebfb5 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,2 @@
# Socket types
-type hostapd_socket, file_type, data_file_type;
+type hostapd_socket, file_type, data_file_type, core_data_file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5be6424..cdaf695 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -27,10 +27,12 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
diff --git a/vendor/hal_secure_element_default.te b/vendor/hal_secure_element_default.te
new file mode 100644
index 0000000..86fe0b9
--- /dev/null
+++ b/vendor/hal_secure_element_default.te
@@ -0,0 +1,5 @@
+type hal_secure_element_default, domain;
+hal_server_domain(hal_secure_element_default, hal_secure_element)
+type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_secure_element_default)