Merge "Add bluetooth sniff and LE connection sysprops"
diff --git a/Android.bp b/Android.bp
index 467f80e..5909f8d 100644
--- a/Android.bp
+++ b/Android.bp
@@ -388,6 +388,21 @@
stem: "apex_sepolicy.cil",
}
+se_policy_cil {
+ name: "decompiled_sepolicy-without_apex.cil",
+ src: ":precompiled_sepolicy-without_apex",
+ decompile_binary: true,
+}
+
+se_policy_cil {
+ name: "apex_sepolicy-decompiled.cil",
+ src: ":precompiled_sepolicy",
+ decompile_binary: true,
+ filter_out: [":decompiled_sepolicy-without_apex.cil"],
+ additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
+ secilc_check: false,
+}
+
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
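Review bot: `secilc_check: false` on `apex_sepolicy-decompiled.cil` disables the validation step for this output, and nothing in the module says why. If the reason is that the filtered result plus `definitions.cil` is a fragment rather than a complete policy, record that next to the property, e.g. `// Filtered fragment with stub definitions; not a complete policy, so secilc cannot check it.` Without the comment, a later reader cannot tell a deliberate exemption from a check that was switched off to get the build green. The two new modules would also benefit from a one-line header comment, as the neighbouring `userdebug_plat_sepolicy.conf` module has.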
@@ -896,6 +911,50 @@
},
}
+precompiled_se_policy_binary {
+ name: "precompiled_sepolicy-without_apex",
+ srcs: [
+ ":plat_sepolicy.cil",
+ ":plat_pub_versioned.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ ],
+ soong_config_variables: {
+ BOARD_USES_ODMIMAGE: {
+ device_specific: true,
+ conditions_default: {
+ vendor: true,
+ },
+ },
+ IS_TARGET_MIXED_SEPOLICY: {
+ ignore_neverallow: true,
+ },
+ MIXED_SEPOLICY_VERSION: {
+ srcs: [
+ ":plat_%s.cil",
+ ":system_ext_%s.cil",
+ ":product_%s.cil",
+ ],
+ conditions_default: {
+ srcs: [
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ },
+ },
+ },
+ required: [
+ "sepolicy_neverallows",
+ "sepolicy_neverallows_vendor",
+ ],
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
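Review bot: `precompiled_sepolicy-without_apex` has no comment saying what it is for or how it relates to the existing precompiled policy module, which it presumably mirrors apart from the apex input. A header such as `// precompiled_sepolicy minus apex_sepolicy.cil; only used as the filter baseline for apex_sepolicy-decompiled.cil. Keep srcs in sync.` would make the coupling explicit. Please also confirm that `ignore_neverallow: true` under `IS_TARGET_MIXED_SEPOLICY` and the `dist` target are wanted for this variant rather than carried over, since they decide whether neverallow rules are enforced on this binary and whether it is shipped as a build artifact.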
diff --git a/apex/Android.bp b/apex/Android.bp
index 8f11771..937ed96 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -263,3 +263,10 @@
"com.android.ondevicepersonalization-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.healthconnect-file_contexts",
+ srcs: [
+ "com.android.healthconnect-file_contexts",
+ ],
+}
diff --git a/apex/com.android.healthconnect-file_contexts b/apex/com.android.healthconnect-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.healthconnect-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 3946a04..4161bb3 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -287,6 +287,10 @@
// Policy file to be compiled to cil file.
Src *string `android:"path"`
+ // If true, the input policy file is a binary policy that will be decompiled to a cil file.
+ // Defaults to false.
+ Decompile_binary *bool
+
// Additional cil files to be added in the end of the output. This is to support workarounds
// which are not supported by the policy language.
Additional_cil_files []string `android:"path"`
@@ -338,17 +342,15 @@
func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().BuiltTool("checkpolicy").
+ checkpolicyCmd := rule.Command().BuiltTool("checkpolicy").
Flag("-C"). // Write CIL
Flag("-M"). // Enable MLS
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
FlagWithOutput("-o ", cil).
Input(conf)
- if len(c.properties.Additional_cil_files) > 0 {
- rule.Command().Text("cat").
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
- Text(">> ").Output(cil)
+ if proptools.Bool(c.properties.Decompile_binary) {
+ checkpolicyCmd.Flag("-b") // Read binary
}
if len(c.properties.Filter_out) > 0 {
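Review bot: `-b` is added after `Input(conf)`, so the generated command puts an option behind the positional policy file and works only if checkpolicy's option parser accepts options after operands. Ending the chain at `FlagWithOutput("-o ", cil)` and calling `checkpolicyCmd.Input(conf)` after the `Decompile_binary` check keeps every flag ahead of the input. The function is still named compileConfToCil with a parameter `conf`, although it now also takes a binary policy. A doc comment such as `// compileConfToCil converts conf (a policy.conf, or a binary policy when Decompile_binary is set) to CIL.` would cover that. The function body continues outside this hunk.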
@@ -359,6 +361,12 @@
FlagWithOutput("-t ", cil)
}
+ if len(c.properties.Additional_cil_files) > 0 {
+ rule.Command().Text("cat").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+ Text(">> ").Output(cil)
+ }
+
if proptools.Bool(c.properties.Remove_line_marker) {
rule.Command().Text("grep -v").
Text(proptools.ShellEscape(";;")).
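Review bot: Moving the `cat` of `Additional_cil_files` below the filter step changes behaviour for every se_policy_cil module that sets both properties, because the appended files are no longer passed through `Filter_out`. That looks intentional for `apex_sepolicy-decompiled.cil`, but the code does not say so. Put a comment above the block, e.g. `// Appended after Filter_out on purpose so these files are never filtered.`, and state the ordering in the `Additional_cil_files` property doc. Existing modules that combine the two properties should be checked for a changed output. The filter block starts before this hunk, so its exact command is not visible here.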
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
new file mode 100644
index 0000000..9b35268
--- /dev/null
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -0,0 +1,8 @@
+(sid apex)
+(sidorder (apex))
+
+(classorder (file))
+
+(type shell)
+(type sepolicy_test_file)
+(class file (ioctl read getattr lock map open watch watch_reads))
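Review bot: The file has no comment explaining why it declares the `apex` sid, the types `shell` and `sepolicy_test_file`, and a `file` class, and it is appended to a module built with `secilc_check: false`. If these are stub declarations that only make the filtered apex policy self-contained, say so in a leading `;` comment and name the module that consumes the file. The `file` class lists only eight permissions here. Note whether that reduced set is deliberate and must match the rules left after filtering, or whether it is expected to track the platform's definition.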
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 37ffadb..8f4b2c1 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -36,12 +36,6 @@
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
-# Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below rule
-userdebug_or_eng(`
- r_dir_file(microdroid_manager, fuse)
-')
-
# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 20d3adf..d851ab7 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -12,10 +12,6 @@
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-# Audit the access to signal that we are still investigating whether sdk_sandbox
-# should have access to audio_service
-# TODO(b/211632068): remove this line
-auditallow sdk_sandbox audio_service:service_manager find;
allow sdk_sandbox activity_service:service_manager find;
allow sdk_sandbox activity_task_service:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index 9ccd22d..7164a2c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -604,12 +604,9 @@
allow system_server textclassifier_data_file:dir create_dir_perms;
allow system_server textclassifier_data_file:file create_file_perms;
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Allow write access to be able to truncate tombstones.
-allow system_server tombstone_data_file:file write;
+# Manage /data/tombstones.
+allow system_server tombstone_data_file:dir rw_dir_perms;
+allow system_server tombstone_data_file:file create_file_perms;
# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
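Review bot: The new rules widen system_server's access to `tombstone_data_file` from read plus a single `write` (documented as needed for truncation) to `rw_dir_perms` on the directory and `create_file_perms` on files, while the comment shrinks to `# Manage /data/tombstones.` Since tombstones hold crash data from other processes, the comment should name the operations system_server now performs, e.g. `# system_server creates, renames and unlinks tombstone files (reason / bug id).` If only deletion or rotation is needed, consider granting just those permissions instead of the full `create_file_perms` set.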