Merge "Add device_state_service to SEPolicy."
diff --git a/Android.mk b/Android.mk
index b9043d7..69cfe69 100644
--- a/Android.mk
+++ b/Android.mk
@@ -52,8 +52,18 @@
PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
-SYSTEM_EXT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-SYSTEM_EXT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+
+SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
+ifneq (,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
+ # TODO: Disallow BOARD_PLAT_*
+ SYSTEM_EXT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
+endif
+SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)
+ifneq (,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
+ # TODO: Disallow BOARD_PLAT_*
+ SYSTEM_EXT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+endif
+
PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
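Review bot: The two `ifneq (,$(BOARD_PLAT_*_SEPOLICY_DIR))` fallbacks accept the deprecated variables silently, and the `# TODO: Disallow BOARD_PLAT_*` lines carry no owner or bug reference. A device tree that still sets the old names gets no signal, and the build log does not show that extra directories were folded into the system_ext policy. I would add a diagnostic inside each branch, for example `$(warning BOARD_PLAT_PUBLIC_SEPOLICY_DIR is deprecated; use SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)` and the private equivalent. The TODO should also point at a tracking bug so the fallback has a removal date.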
diff --git a/README b/README
index 43d9bbc..f14ac67 100644
--- a/README
+++ b/README
@@ -34,6 +34,17 @@
BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
+Alongside vendor sepolicy dirs, OEMs can also amend the public and private
+policy of the product and system_ext partitions:
+
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
+
+The old BOARD_PLAT_PUBLIC_SEPOLICY_DIR and BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+variables have been deprecated in favour of SYSTEM_EXT_*.
+
Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
definitions during the build. A definition consists of a string in the form
of macro-name=value. Spaces must NOT be present. This is useful for building modular
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index a45b427..63873d2 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -135,8 +135,8 @@
fg.systemVendorSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
fg.systemReqdMaskSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
- fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().PlatPublicSepolicyDirs())
- fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().PlatPrivateSepolicyDirs())
+ fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs())
+ fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs())
fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
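Review bot: The new `SystemExtPublicSepolicyDirs()` and `SystemExtPrivateSepolicyDirs()` calls may not cover the legacy BOARD_PLAT_*_SEPOLICY_DIR values that the Android.mk hunk in this change still appends to the same policy sets. The accessors are defined outside this diff, so this cannot be checked from here. If they do not fold in the legacy variables, a device that still sets BOARD_PLAT_* would have its Soong file groups and its Make-built policy compiled from different directory lists. Once confirmed, a short comment above these two lines saying where the legacy fallback is handled would help, e.g. `// Legacy BOARD_PLAT_*_SEPOLICY_DIR values are merged upstream of these accessors.` The enclosing function starts and ends outside the hunk.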
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 6404bd6..2953731 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -31,7 +31,6 @@
profcollectd_data_file
profcollectd_exec
profcollectd_service
- ramdisk_boot_file
shell_test_data_file
sysfs_devices_cs_etm
update_engine_stable_service
diff --git a/private/domain.te b/private/domain.te
index b1f968f..5cc313a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -437,6 +437,3 @@
-vndk_sp_file
}:file *;
')
-
-# Only first_stage_init can read files under /boot.
-neverallow domain ramdisk_boot_file:dir_file_class_set *;
diff --git a/private/file_contexts b/private/file_contexts
index e7cc906..84fb2a7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -762,7 +762,3 @@
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
-
-#############################
-# Ramdisk files under /boot
-/boot(/.*)? u:object_r:ramdisk_boot_file:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 7bd60a4..7e16b9b 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -45,6 +45,7 @@
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
+ r_dir_file(heapprofd, shell_data_file)
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
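Review bot: The added `r_dir_file(heapprofd, shell_data_file)` has no comment explaining why heapprofd needs to read shell-owned data. Together with the `dac_read_search` grant two lines below, it lets heapprofd read those files regardless of their DAC mode. The matching neverallow exemptions in public/domain.te are wrapped in userdebug_or_eng, so this allow must also sit inside a userdebug_or_eng block or user builds would trip the neverallows. That block opens outside the hunk, so please confirm. I would add a line above the rule such as `# userdebug/eng only: heapprofd reads profiled binaries placed under /data/local/tmp.`, adjusted to the actual reason.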
diff --git a/private/property_contexts b/private/property_contexts
index ae85610..0b7be8c 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -842,7 +842,7 @@
ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.update_edid_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/public/domain.te b/public/domain.te
index 35f03ee..1c47a7e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1189,6 +1189,7 @@
domain
-shell
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-heapprofd')
-installd
} shell_data_file:lnk_file read;
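Review bot: The heapprofd exemption added to this neverallow has no stated rationale, and the same applies to the `shell_data_file:dir { open search }` and `shell_data_file:file open` rules in the next two hunks. These three rules are what keep other domains from opening files that the shell user controls, so every exemption should say why it exists; the neighbouring `-system_server # why?` entry shows what happens when that is skipped. I would append a trailing comment to each added line, for example `# debuggable builds only; see the r_dir_file grant in private/heapprofd.te`. It is also worth confirming that a test covers a user build, where the userdebug_or_eng wrapper should expand to nothing and leave the neverallows unchanged.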
@@ -1216,6 +1217,7 @@
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-heapprofd')
} shell_data_file:dir { open search };
# Same as above for /data/local/tmp files. We allow shell files
@@ -1227,6 +1229,7 @@
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-heapprofd')
} shell_data_file:file open;
# servicemanager and vndservicemanager are the only processes which handle the
diff --git a/public/file.te b/public/file.te
index b9b5fef3..3d10999 100644
--- a/public/file.te
+++ b/public/file.te
@@ -560,6 +560,3 @@
# Should be:
# type apk_data_file, file_type, data_file_type;
neverallow fs_type file_type:filesystem associate;
-
-# /boot
-type ramdisk_boot_file, file_type;
diff --git a/public/init.te b/public/init.te
index 077816f..f84bacb 100644
--- a/public/init.te
+++ b/public/init.te
@@ -179,7 +179,6 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
- -ramdisk_boot_file
-system_app_data_file
-system_file_type
-vendor_file_type
@@ -194,7 +193,6 @@
-keystore_data_file
-misc_logd_file
-nativetest_data_file
- -ramdisk_boot_file
-privapp_data_file
-shell_data_file
-system_app_data_file
@@ -215,7 +213,6 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
- -ramdisk_boot_file
-runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
@@ -235,7 +232,6 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
- -ramdisk_boot_file
-shell_data_file
-system_app_data_file
-system_file_type
@@ -255,7 +251,6 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
- -ramdisk_boot_file
-shell_data_file
-system_app_data_file
-system_file_type
@@ -272,7 +267,6 @@
-exec_type
-app_data_file
-privapp_data_file
- -ramdisk_boot_file
}:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c729370..0bdf632 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -52,7 +52,6 @@
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
- -ramdisk_boot_file
-unlabeled
-vendor_file_type
-vold_metadata_file
@@ -69,7 +68,6 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
- -ramdisk_boot_file
-runtime_event_log_tags_file
-system_file_type
-unlabeled
@@ -87,7 +85,6 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
- -ramdisk_boot_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -104,7 +101,6 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
- -ramdisk_boot_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -121,7 +117,6 @@
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
- -ramdisk_boot_file
-system_file_type
-vendor_file_type
-vold_metadata_file