Merge "Build contexts files with Soong"
diff --git a/Android.mk b/Android.mk
index bd93326..4e4a641 100644
--- a/Android.mk
+++ b/Android.mk
@@ -316,6 +316,11 @@
selinux_denial_metadata \
endif
+
+# Builds an addtional userdebug sepolicy into the debug ramdisk.
+LOCAL_REQUIRED_MODULES += \
+ userdebug_plat_sepolicy.cil \
+
include $(BUILD_PHONY_PACKAGE)
#################################
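Review bot: The new `LOCAL_REQUIRED_MODULES += userdebug_plat_sepolicy.cil` sits after the `endif` on the line above it, so the userdebug policy is built and staged into the debug ramdisk on every build variant, user builds included; if that is the intent (the debug ramdisk only ever being consumed by a debuggable boot image), the comment should say so, since a reader will otherwise expect a variant guard here. The comment also has a typo, `addtional`; I would write it as `# Builds an additional userdebug sepolicy into the debug ramdisk. Built on all variants; only a debuggable/unlocked boot path is expected to load it (confirm).` The enclosing phony package definition starts before this hunk.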
@@ -517,6 +522,47 @@
#################################
include $(CLEAR_VARS)
+LOCAL_MODULE := userdebug_plat_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
+userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf
+$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
+$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(userdebug_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+ $(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@.tmp $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+ $(hide) mv $@.tmp $@
+
+userdebug_plat_policy.conf :=
+
+#################################
+include $(CLEAR_VARS)
+
ifdef HAS_PRODUCT_SEPOLICY
LOCAL_MODULE := product_sepolicy.cil
LOCAL_MODULE_CLASS := ETC
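Review bot: The recipe for `$(userdebug_plat_policy.conf)` writes a second file, `$@.dontaudit`, that is not the rule's target and that nothing in this hunk declares or consumes, so it is an invisible output to make; if a later rule outside this hunk reads it, that rule needs the .dontaudit file as a prerequisite, otherwise the sed line can go. The whole rule pair differs from what I take to be the regular plat_sepolicy.cil rule (not visible here) only in the hard-coded `PRIVATE_TARGET_BUILD_VARIANT := userdebug`, so a `define` parameterised by variant and output name would avoid two copies of the checkpolicy/secilc sequence drifting apart, in particular the `$(PRIVATE_NEVERALLOW_ARG)` handling on the secilc line, which is what keeps neverallow enforcement on this policy. The `build_policy` call for the cil workaround files is also evaluated twice (once for `PRIVATE_ADDITIONAL_CIL_FILES`, once as a prerequisite) and could be hoisted into one variable. Finally the comment reads `the userdebug version plat_sepolicy.cil`; I would write `# userdebug_plat_policy.conf - the userdebug variant of plat_sepolicy.cil, built regardless of TARGET_BUILD_VARIANT`.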
diff --git a/private/apexd.te b/private/apexd.te
index b3aabea..d0ec9f4 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -50,6 +50,10 @@
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
+# allow apexd to read files from /vendor/apex
+allow apexd vendor_apex_file:dir r_dir_perms;
+allow apexd vendor_apex_file:file r_file_perms;
+
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
diff --git a/private/bug_map b/private/bug_map
index a69fc52..4b29fde 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -26,8 +26,6 @@
system_server sdcardfs file 77856826
system_server storage_stub_file dir 112609936
system_server zygote process 77856826
-untrusted_app_27 mnt_user_file dir 118185801
usbd usbd capability 72472544
vold system_data_file file 124108085
-vrcore_app mnt_user_file dir 118185801
zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 45e1dd9..3c6ba08 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -195,6 +195,7 @@
usbd
usbd_exec
usbd_tmpfs
+ vendor_apex_file
vendor_init
vendor_shell
vold_metadata_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 0e830f8..3b9bd52 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -171,6 +171,7 @@
usbd
usbd_exec
usbd_tmpfs
+ vendor_apex_file
vendor_default_prop
vendor_init
vendor_security_patch_level_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 2ea4d2c..f07103d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -137,6 +137,7 @@
traced_lazy_prop
uri_grants_service
use_memfd_prop
+ vendor_apex_file
vendor_cgroup_desc_file
vendor_idc_file
vendor_keychars_file
diff --git a/private/file_contexts b/private/file_contexts
index 4f0690b..9e7bba7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -352,6 +352,8 @@
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+/vendor/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
+
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
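Review bot: The new `/vendor/apex(/[^/]+){0,2}` entry matches only `/vendor/apex`, while the neighbouring vendor entries use `/(vendor|system/vendor)/...` so that the same label applies when vendor lives under /system; if vendor APEXes are intentionally unsupported on such layouts, a short comment saying so would stop the next person "fixing" it, otherwise the prefix should match its neighbours. The `{0,2}` depth limit is also undocumented; I would add `# /vendor/apex and up to two path components below it; deeper paths keep the default vendor_file label (intentional?)` above the line, adjusting once the intent is confirmed.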
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index a773f96..ca3b515 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -15,8 +15,10 @@
allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
# For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
-allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+allow netutils_wrapper netd_service:service_manager find;
+allow netutils_wrapper dnsresolver_service:service_manager find;
+binder_use(netutils_wrapper);
+binder_call(netutils_wrapper, netd);
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
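Review bot: The comment above the new rules still says `For netutils (ndc) to be able to talk to netd`, but the hunk replaces the netd_socket/unix_stream_socket path with binder (`binder_use`, `binder_call` to netd) and additionally grants `dnsresolver_service:service_manager find`, which the comment does not explain; I would write `# netutils (ndc) talks to netd and the DNS resolver over binder; both services are hosted by the netd domain (confirm), hence a single binder_call.` Style: the two macro calls carry a trailing `;` (`binder_use(netutils_wrapper);`), whereas macro invocations elsewhere in this policy are written without one, e.g. `r_dir_file(idmap, vendor_app_file)`; dropping the semicolons keeps the expanded policy.conf free of stray statement terminators.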
diff --git a/public/domain.te b/public/domain.te
index 634a5c5..a415646 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1003,6 +1003,7 @@
vendor_file_type
-same_process_hal_file
-vendor_app_file
+ -vendor_apex_file
-vendor_configs_file
-vendor_framework_file
-vendor_idc_file
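Review bot: Adding `-vendor_apex_file` to this exemption list relaxes the enclosing restriction (which starts outside the hunk) for every domain it covers, while the only consumers this commit actually grants access to are apexd and the kernel domain; it is worth recording that here so the exemption is not read as "any core process may touch vendor APEXes". I would add, above the new line, `# vendor_apex_file: read by apexd and kernel (loop device) only; access is still gated by explicit allow rules`, and, if the rest of the file allows it, pair it with a targeted neverallow on vendor_apex_file for the remaining core domains.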
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 1db4694..2906b5b 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -82,8 +82,10 @@
hal_graphics_composer_server
hal_health_server
hal_omx_server
+ hal_power_server
hal_power_stats_server
hal_sensors_server
+ hal_thermal_server
hal_vr_server
}:process signal;
diff --git a/public/file.te b/public/file.te
index c8953de..d906b7f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -286,6 +286,8 @@
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
# /data/app-staging
type staging_data_file, file_type, data_file_type, core_data_file_type;
+# /vendor/apex
+type vendor_apex_file, vendor_file_type, file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index c2549ff..1ef6cad 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -8,6 +8,7 @@
# Allow NN HAL service to use a client-provided fd residing in /data/data/.
allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
+allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
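Review bot: The new `privapp_data_file` rule is placed under a comment that only mentions `/data/data/` via `app_data_file`, so the reason a second label is needed is lost; I would extend it to `# Allow NN HAL service to use a client-provided fd residing in /data/data/ (app_data_file for normal apps, privapp_data_file for privileged apps).` As with the existing lines, the rule grants fd-use permissions only and no `open`, which is the right shape here; keeping that explicit in the comment would help reviewers of future additions.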
diff --git a/public/idmap.te b/public/idmap.te
index d76558a..92c649c 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,7 +2,7 @@
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;
-# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
+# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file create_file_perms;
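Review bot: Rewording `STOPSHIP` to `TODO` removes the release-time grep gate on the idmap/installd fd link without explaining why shipping with it is now acceptable; the bug reference alone does not say that. If the decision is that the link may ship, I would say so in the comment, e.g. `# TODO(b/118711077): remove /system/bin/idmap and the installd fd link; known to ship as-is`, and if it is not a conscious decision the original marker should stay.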
@@ -15,6 +15,10 @@
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
+# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
+
# Allow apps access to /vendor/app
r_dir_file(idmap, vendor_app_file)
diff --git a/public/init.te b/public/init.te
index bde7ac6..c5b88d2 100644
--- a/public/init.te
+++ b/public/init.te
@@ -52,8 +52,8 @@
# setrlimit
allow init self:global_capability_class_set sys_resource;
-# Remove /dev/.booting, created before initial policy load or restorecon /dev.
-allow init tmpfs:file unlink;
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
# Access pty created for fsck.
allow init devpts:chr_file { read write open };
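Review bot: The updated comment says init needs this to `load /debug_ramdisk/* files`, but the rule only adds `getattr`, which covers stat/access-style existence checks and not reading; either the actual read happens before policy load and the comment should say that, or the rule is incomplete. I would make the comment match the permission: `# Remove /dev/.booting (unlink) and stat /debug_ramdisk/* to detect the userdebug policy (getattr); reading it happens elsewhere (confirm)`.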
diff --git a/public/kernel.te b/public/kernel.te
index 50e72c2..99ad014 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -85,8 +85,11 @@
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel version.
allow kernel apexd:fd use;
-allow kernel apex_data_file:file read;
-allow kernel staging_data_file:file read;
+allow kernel {
+ apex_data_file
+ staging_data_file
+ vendor_apex_file
+}:file read;
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 77aefe1..dbdb051 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -68,6 +68,7 @@
add_service(mediaserver, mediaserver_service)
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
+allow mediaserver audio_service:service_manager find;
allow mediaserver audioserver_service:service_manager find;
allow mediaserver cameraserver_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
diff --git a/public/netd.te b/public/netd.te
index 859cb65..c4a9136 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -138,6 +138,7 @@
-dumpstate
-network_stack
-netd
+ -netutils_wrapper
} netd_service:service_manager find;
# only system_server, dumpstate and network stack app may find dnsresolver service
@@ -147,6 +148,7 @@
-dumpstate
-network_stack
-netd
+ -netutils_wrapper
} dnsresolver_service:service_manager find;
# only netd can create the bpf maps
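Review bot: The comment heading this list, `only system_server, dumpstate and network stack app may find dnsresolver service`, is now stale because the hunk adds `-netutils_wrapper` to the exemption; the corresponding comment for the netd_service list above (outside this hunk) presumably needs the same update. I would write `# only system_server, dumpstate, network stack app and netutils_wrapper (ndc) may find dnsresolver service`. Since netutils_wrapper is exec'd on behalf of vendor processes, a sentence noting that this is the supported vendor path into netd would make the exemption easier to defend at the next review.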
diff --git a/public/property_contexts b/public/property_contexts
index 5bf95e5..0884f87 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -270,6 +270,7 @@
ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
ro.carrier u:object_r:exported_default_prop:s0 exact string
ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
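Review bot: `ro.build.ab_update` is declared `exact string`, whereas the flag-like properties a few lines down (`ro.config.low_ram ... exact bool`) use `bool`, which lets the type check reject anything but true/false; if this property is only ever set to true/false by the build, `ro.build.ab_update u:object_r:exported_default_prop:s0 exact bool` would be consistent and stricter. If some devices set other values, a comment saying why it stays a string would save the question.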
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 8890ca0..390ec0b 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -39,6 +39,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service u:object_r:hal_power_stats_default_exec:s0