Collapse task_profiles_api_file into task_profiles_file
If ro.product.first_api_level is set, we first attempt to read
task_profiles_api_file before also reading task_profiles_file. There is
currently no point distinguishing between the API file and the regular
file in sepolicy.
Bug: 349105928
Change-Id: I7cc45fd994fd122bbd82fe0b27e0f0d7708e6149
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 4c9c7c5..21c6795 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -459,8 +459,8 @@
/system/etc/selinux/plat_sepolicy.cil sepolicy_file
/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 sepolicy_file
/system/etc/task_profiles.json task_profiles_file
-/system/etc/task_profiles/task_profiles_0.json task_profiles_api_file
-/system/etc/task_profiles/task_profiles_99.json task_profiles_api_file
+/system/etc/task_profiles/task_profiles_0.json task_profiles_file
+/system/etc/task_profiles/task_profiles_99.json task_profiles_file
/system/usr/share/zoneinfo system_zoneinfo_file
/system/usr/share/zoneinfo/0 system_zoneinfo_file
/system/bin/adbd adbd_exec
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 7361462..40cfe5b 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -230,7 +230,6 @@
allow { domain } cgroup_v2:file w_file_perms;
allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
# Allow all processes to connect to PRNG seeder daemon.
unix_socket_connect(domain, prng_seeder, prng_seeder)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 0955797..8416087 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -127,7 +127,7 @@
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_file:s0
#############################
# Vendor files
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index a6b3122..8551bb6 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -32,7 +32,9 @@
type system_passwd_file, file_type, system_file_type;
type system_seccomp_policy_file, file_type, system_file_type;
type system_security_cacerts_file, file_type, system_file_type;
-type task_profiles_api_file, file_type, system_file_type;
+until_board_api(202504, `
+ type task_profiles_api_file, file_type, system_file_type;
+')
type task_profiles_file, file_type, system_file_type;
type trace_data_file, file_type, data_file_type, core_data_file_type;
type unlabeled, file_type;
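Review bot: The `task_profiles_api_file` declaration kept inside `until_board_api(202504, ...)` has no comment saying it is now a compatibility leftover, so a later reader cannot tell whether it still labels anything. The file_contexts hunks in this commit move every `task_profiles_[0-9]+\.json` path to `task_profiles_file`, so on the visible lines no path is assigned the old type. I would add a line inside the macro such as `# Deprecated: no file is labeled task_profiles_api_file any more; kept only for policy built against older board API levels.` The same applies to the public/file.te hunk, where the retained comment still reads "Task profiles file under /system/etc/task_profiles/task_profiles_*.json" and should be replaced rather than only indented.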
diff --git a/private/domain.te b/private/domain.te
index 5b1364d..cbe706f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -428,7 +428,6 @@
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_cgroup_desc_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
@@ -1247,7 +1246,6 @@
-system_seccomp_policy_file
-system_security_cacerts_file
-system_zoneinfo_file
- -task_profiles_api_file
-task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
# Vendor components still can invoke shell commands via /system/bin/sh
diff --git a/private/file_contexts b/private/file_contexts
index a70e143..37bdfef 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -385,7 +385,7 @@
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
/system/bin/adbd u:object_r:adbd_exec:s0
/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
diff --git a/public/file.te b/public/file.te
index 457974e..c158492 100644
--- a/public/file.te
+++ b/public/file.te
@@ -233,10 +233,13 @@
')
# Vendor cgroups description file under /vendor/etc/cgroups.json
type vendor_cgroup_desc_file, vendor_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles.json
+# Task profiles file under /system/etc/task_profiles.json or
+# API file under /system/etc/task_profiles/task_profiles_*.json
type task_profiles_file, system_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
-type task_profiles_api_file, system_file_type, file_type;
+until_board_api(202504, `
+ # Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+ type task_profiles_api_file, system_file_type, file_type;
+')
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
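Review bot: Keeping `task_profiles_api_file` declared with `system_file_type` here while the private/domain.te hunk at -1247 drops its `-task_profiles_api_file` subtraction may leave the type inside whatever rule that exclusion list belongs to, for builds where `until_board_api(202504, ...)` still expands. The enclosing rule starts outside that hunk; if it is a neverallow over `system_file_type`, vendor policy that still names the old type could start failing the check even though nothing is labeled with it. Please confirm this is intended, or keep the subtraction and wrap it in `until_board_api(202504, ...)` the same way `userdebug_or_eng` wraps `-tcpdump_exec` in that list. Net read access looks unchanged, since `allow domain task_profiles_file:file r_file_perms` already covers the relabeled paths.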