Collapse task_profiles_api_file into task_profiles_file

If ro.product.first_api_level is set, we first attempt to read
task_profiles_api_file before also reading task_profiles_file. There is
currently no point distinguishing between the API file and the regular
file in sepolicy.

Bug: 349105928
Change-Id: I7cc45fd994fd122bbd82fe0b27e0f0d7708e6149
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 4c9c7c5..21c6795 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -459,8 +459,8 @@
 /system/etc/selinux/plat_sepolicy.cil                             sepolicy_file
 /system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256          sepolicy_file
 /system/etc/task_profiles.json                                    task_profiles_file
-/system/etc/task_profiles/task_profiles_0.json                    task_profiles_api_file
-/system/etc/task_profiles/task_profiles_99.json                   task_profiles_api_file
+/system/etc/task_profiles/task_profiles_0.json                    task_profiles_file
+/system/etc/task_profiles/task_profiles_99.json                   task_profiles_file
 /system/usr/share/zoneinfo                                        system_zoneinfo_file
 /system/usr/share/zoneinfo/0                                      system_zoneinfo_file
 /system/bin/adbd                                                  adbd_exec
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 7361462..40cfe5b 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -230,7 +230,6 @@
 allow { domain } cgroup_v2:file w_file_perms;
 
 allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
 
 # Allow all processes to connect to PRNG seeder daemon.
 unix_socket_connect(domain, prng_seeder, prng_seeder)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 0955797..8416087 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -127,7 +127,7 @@
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_api_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_file:s0
 
 #############################
 # Vendor files
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index a6b3122..8551bb6 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -32,7 +32,9 @@
 type system_passwd_file, file_type, system_file_type;
 type system_seccomp_policy_file, file_type, system_file_type;
 type system_security_cacerts_file, file_type, system_file_type;
-type task_profiles_api_file, file_type, system_file_type;
+until_board_api(202504, `
+    type task_profiles_api_file, file_type, system_file_type;
+')
 type task_profiles_file, file_type, system_file_type;
 type trace_data_file, file_type, data_file_type, core_data_file_type;
 type unlabeled, file_type;
diff --git a/private/domain.te b/private/domain.te
index 5b1364d..cbe706f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -428,7 +428,6 @@
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
 allow domain vendor_cgroup_desc_file:file r_file_perms;
 allow domain vendor_task_profiles_file:file r_file_perms;
 
@@ -1247,7 +1246,6 @@
     -system_seccomp_policy_file
     -system_security_cacerts_file
     -system_zoneinfo_file
-    -task_profiles_api_file
     -task_profiles_file
     userdebug_or_eng(`-tcpdump_exec')
     # Vendor components still can invoke shell commands via /system/bin/sh
diff --git a/private/file_contexts b/private/file_contexts
index a70e143..37bdfef 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -385,7 +385,7 @@
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_api_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_file:s0
 /system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
 /system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
diff --git a/public/file.te b/public/file.te
index 457974e..c158492 100644
--- a/public/file.te
+++ b/public/file.te
@@ -233,10 +233,13 @@
 ')
 # Vendor cgroups description file under /vendor/etc/cgroups.json
 type vendor_cgroup_desc_file, vendor_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles.json
+# Task profiles file under /system/etc/task_profiles.json or
+# API file under /system/etc/task_profiles/task_profiles_*.json
 type task_profiles_file, system_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
-type task_profiles_api_file, system_file_type, file_type;
+until_board_api(202504, `
+    # Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+    type task_profiles_api_file, system_file_type, file_type;
+')
 # Vendor task profiles file under /vendor/etc/task_profiles.json
 type vendor_task_profiles_file, vendor_file_type, file_type;
 # Type for /system/apex/com.android.art