Merge "Move rkp_cert_processor to system_ext." into main
diff --git a/Android.bp b/Android.bp
index 9ef7e5a..f68e7fa 100644
--- a/Android.bp
+++ b/Android.bp
@@ -509,7 +509,7 @@
 //   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
 // See system/core/init/selinux.cpp for details.
 //////////////////////////////////
-genrule {
+java_genrule {
     name: "plat_sepolicy_and_mapping.sha256_gen",
     srcs: [
         ":plat_sepolicy.cil",
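Review bot: The switch from `genrule` to `java_genrule` for `plat_sepolicy_and_mapping.sha256_gen` (and the same edit in the `system_ext_`, `product_`, `sepolicy_test` and `dev_type_test_genrule` hunks below) is not explained anywhere in the file, and nothing about these rules is Java-related, so the next reader will assume it is a mistake. Presumably the point is the variant behaviour of `java_genrule` that a plain `genrule` no longer offers; a one-line comment above the first module, e.g. `// java_genrule rather than genrule: <reason, e.g. the variant handling this rule needs>`, with a pointer to the other occurrences, would record that. The module bodies continue outside the hunk.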
@@ -526,7 +526,7 @@
     relative_install_path: "selinux",
 }
 
-genrule {
+java_genrule {
     name: "system_ext_sepolicy_and_mapping.sha256_gen",
     srcs: [
         ":system_ext_sepolicy.cil",
@@ -544,7 +544,7 @@
     system_ext_specific: true,
 }
 
-genrule {
+java_genrule {
     name: "product_sepolicy_and_mapping.sha256_gen",
     srcs: [
         ":product_sepolicy.cil",
@@ -640,7 +640,7 @@
 
 filegroup {
     name: "precompiled_sepolicy_srcs",
-    srcs: [
+    device_common_srcs: [
         ":plat_sepolicy.cil",
         ":plat_pub_versioned.cil",
         ":system_ext_sepolicy.cil",
@@ -890,7 +890,7 @@
 // sepolicy_test checks various types of violations, which can't be easily done
 // by CIL itself. Refer tests/sepolicy_tests.py for more detail.
 //////////////////////////////////
-genrule {
+java_genrule {
     name: "sepolicy_test",
     srcs: [
         ":plat_file_contexts",
@@ -918,7 +918,7 @@
 
 soong_config_module_type {
     name: "dev_type_test_genrule",
-    module_type: "genrule",
+    module_type: "java_genrule",
     config_namespace: "ANDROID",
     bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
     properties: ["cmd"],
@@ -1004,6 +1004,7 @@
             "system_ext_202404.compat.cil",
         ],
     }),
+    system_ext_specific: true,
 }
 
 phony {
@@ -1039,6 +1040,7 @@
             "product_202404.cil",
         ],
     }),
+    product_specific: true,
 }
 
 phony {
@@ -1085,4 +1087,220 @@
         ],
         default: [],
     }),
+    vendor: true,
+}
+
+phony {
+    name: "selinux_policy_system",
+    required: [
+        "29.0.compat.cil",
+        "30.0.compat.cil",
+        "31.0.compat.cil",
+        "32.0.compat.cil",
+        "33.0.compat.cil",
+        "34.0.compat.cil",
+        "build_sepolicy",
+        "fuzzer_bindings_test",
+        "plat_29.0.cil",
+        "plat_30.0.cil",
+        "plat_31.0.cil",
+        "plat_32.0.cil",
+        "plat_33.0.cil",
+        "plat_34.0.cil",
+        "plat_bug_map",
+        "plat_file_contexts",
+        "plat_file_contexts_data_test",
+        "plat_file_contexts_test",
+        "plat_hwservice_contexts",
+        "plat_hwservice_contexts_test",
+        "plat_keystore2_key_contexts",
+        "plat_mac_permissions.xml",
+        "plat_mapping_file",
+        "plat_property_contexts",
+        "plat_property_contexts_test",
+        "plat_seapp_contexts",
+        "plat_sepolicy.cil",
+        "plat_service_contexts",
+        "plat_service_contexts_test",
+        "searchpolicy",
+        "secilc",
+    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+        "202404": [],
+        default: [
+            "202404.compat.cil",
+            "plat_202404.cil",
+        ],
+    }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
+        true: ["plat_sepolicy_and_mapping.sha256"],
+        default: [],
+    }) + select((
+        soong_config_variable("ANDROID", "ASAN_ENABLED"),
+        product_variable("selinux_ignore_neverallows"),
+    ), {
+        (true, true): [
+        ],
+        (default, default): [
+            "sepolicy_compat_test",
+            "sepolicy_test",
+            "sepolicy_dev_type_test",
+            "treble_sepolicy_tests_29.0",
+            "treble_sepolicy_tests_30.0",
+            "treble_sepolicy_tests_31.0",
+            "treble_sepolicy_tests_32.0",
+            "treble_sepolicy_tests_33.0",
+            "treble_sepolicy_tests_34.0",
+        ],
+    }) + select((
+        soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+        soong_config_variable("ANDROID", "ASAN_ENABLED"),
+        product_variable("selinux_ignore_neverallows"),
+    ), {
+        ("202404", true, true): [],
+        (default, true, true): [],
+        (default, default, default): [
+            "treble_sepolicy_tests_202404",
+        ],
+    }) + select(soong_config_variable("ANDROID", "RELEASE_BOARD_API_LEVEL_FROZEN"), {
+        true: ["se_freeze_test"],
+        default: [],
+    }),
+}
+
+phony {
+    name: "selinux_policy",
+    required: [
+        // Runs checkfc against merged service_contexts files
+        "merged_hwservice_contexts_test",
+        "merged_service_contexts_test",
+        "selinux_policy_nonsystem",
+        "selinux_policy_system",
+    ],
+}
+
+// selinux_policy is a main goal and triggers lots of tests.
+// Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm')
+// By setting as droidcore's dependency, tests will run on normal builds.
+phony_rule {
+    name: "droidcore",
+    phony_deps: ["selinux_policy"],
+}
+
+//-----------------------------------------------------------------------------
+// TODO - remove this.   Keep around until we get the filesystem creation stuff
+// taken care of.
+//
+// The file_contexts.bin is built in the following way:
+// 1. Collect all file_contexts files in THIS repository and process them with
+//    m4 into a tmp file called file_contexts.local.tmp.
+// 2. Collect all device specific file_contexts files and process them with m4
+//    into a tmp file called file_contexts.device.tmp.
+// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+//    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
+// 4. Concatenate file_contexts.local.tmp and  file_contexts.device.sorted.tmp
+//    into file_contexts.concat.tmp.
+// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+//    file_contexts.bin.
+//
+//  Note: That a newline file is placed between each file_context file found to
+//        ensure a proper build when an fc file is missing an ending newline.
+//---
+// 1. Collect all file_contexts files in THIS repository and process them with
+//    m4 into a tmp file called file_contexts.local.tmp.
+java_genrule {
+    name: "file_contexts.local.tmp",
+    srcs: [
+        ":plat_file_contexts",
+        ":system_ext_file_contexts",
+        ":product_file_contexts",
+    ],
+    tools: [
+        "m4",
+    ],
+    out: ["file_contexts.local.tmp"],
+    cmd: "$(location m4) --fatal-warnings " +
+        "-s $(in) > $(out)",
+}
+
+// 2. Collect all device specific file_contexts files and process them with m4
+//    into a tmp file called file_contexts.device.tmp.
+PRIVATE_ADDITIONAL_M4DEFS = select(soong_config_variable("ANDROID", "ADDITIONAL_M4DEFS"), {
+    any @ m4defs: m4defs,
+    default: "",
+})
+java_genrule {
+    name: "file_contexts.device.tmp",
+    srcs: [
+        ":vendor_file_contexts",
+        ":odm_file_contexts",
+    ],
+    tools: [
+        "m4",
+    ],
+    out: ["file_contexts.device.tmp"],
+    cmd: "$(location m4) --fatal-warnings " +
+        "-s " + PRIVATE_ADDITIONAL_M4DEFS +
+        " $(in) > $(out)",
+}
+
+// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+//    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
+java_genrule {
+    name: "file_contexts.device.sorted.tmp",
+    srcs: [
+        ":file_contexts.device.tmp",
+        ":precompiled_sepolicy",
+    ],
+    tools: [
+        "checkfc",
+        "fc_sort",
+    ],
+    out: ["file_contexts.device.sorted.tmp"],
+    cmd: "$(location checkfc) " +
+        "-e $(location :precompiled_sepolicy) " +
+        "$(location :file_contexts.device.tmp) && " +
+        "$(location fc_sort) " +
+        "-i $(location :file_contexts.device.tmp) " +
+        "-o $(out)",
+}
+
+// 4. Concatenate file_contexts.local.tmp and  file_contexts.device.sorted.tmp
+//    into file_contexts.concat.tmp.
+java_genrule {
+    name: "file_contexts.concat.tmp",
+    srcs: [
+        ":file_contexts.local.tmp",
+        ":file_contexts.device.sorted.tmp",
+    ],
+    tools: [
+        "m4",
+    ],
+    out: ["file_contexts.concat.tmp"],
+    cmd: "$(location m4) --fatal-warnings " +
+        "-s $(location :file_contexts.local.tmp) " +
+        "$(location :file_contexts.device.sorted.tmp) > $(out)",
+}
+
+// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+//    file_contexts.bin.
+java_genrule {
+    name: "file_contexts_bin_gen",
+    srcs: [
+        ":file_contexts.concat.tmp",
+        ":precompiled_sepolicy",
+    ],
+    tools: [
+        "checkfc",
+        "sefcontext_compile",
+    ],
+    out: ["file_contexts.bin"],
+    cmd: "$(location checkfc) " +
+        "$(location :precompiled_sepolicy) " +
+        "$(location :file_contexts.concat.tmp) && " +
+        "$(location sefcontext_compile) " +
+        "-o $(out) $(location :file_contexts.concat.tmp)",
+}
+
+prebuilt_etc {
+    name: "file_contexts.bin",
+    src: ":file_contexts_bin_gen",
 }
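Review bot: The `PRODUCT_PRECOMPILED_SEPOLICY` select in `selinux_policy_system` only requires `plat_sepolicy_and_mapping.sha256` when the variable is exactly `true`, whereas the deleted Android.mk rule (`ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)`) required it unless it was explicitly `false`; unless the soong_config variable is defaulted to `true` elsewhere, devices that never set it would silently stop shipping the hash that the precompiled-policy check near `plat_sepolicy_and_mapping.sha256_gen` relies on. The two-variable select on `ASAN_ENABLED`/`selinux_ignore_neverallows` likewise differs from the old nested `ifneq`s: if `default` is a per-position wildcard, `(default, default)` also matches `(true, false)` and `(false, true)`, so the sepolicy tests would now run on ASAN-only builds that previously skipped them — confirm that is intended, or add explicit `(true, default)` / `(default, true)` arms. `PRIVATE_ADDITIONAL_M4DEFS` is spliced into the m4 command verbatim without the `-D` prefix the old `$(addprefix -D, ...)` added, so the `ADDITIONAL_M4DEFS` config value must already carry it; a comment stating that expectation next to the select would help. The carried-over comment typo `aren'triggered` could be corrected to `aren't triggered` while the text is being moved.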
diff --git a/Android.mk b/Android.mk
deleted file mode 100644
index 6655919..0000000
--- a/Android.mk
+++ /dev/null
@@ -1,398 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-ifdef BOARD_SEPOLICY_UNION
-$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
-ifdef BOARD_SEPOLICY_M4DEFS
-LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
-else
-LOCAL_ADDITIONAL_M4DEFS :=
-endif
-
-# sepolicy is now divided into multiple portions:
-# public - policy exported on which non-platform policy developers may write
-#   additional policy.  types and attributes are versioned and included in
-#   delivered non-platform policy, which is to be combined with platform policy.
-# private - platform-only policy required for platform functionality but which
-#  is not exported to vendor policy developers and as such may not be assumed
-#  to exist.
-# vendor - vendor-only policy required for vendor functionality. This policy can
-#  reference the public policy but cannot reference the private policy. This
-#  policy is for components which are produced from the core/non-vendor tree and
-#  placed into a vendor partition.
-# mapping - This contains policy statements which map the attributes
-#  exposed in the public policy of previous versions to the concrete types used
-#  in this policy to ensure that policy targeting attributes from public
-#  policy from an older platform version continues to work.
-
-# build process for device:
-# 1) convert policies to CIL:
-#    - private + public platform policy to CIL
-#    - mapping file to CIL (should already be in CIL form)
-#    - non-platform public policy to CIL
-#    - non-platform public + private policy to CIL
-# 2) attributize policy
-#    - run script which takes non-platform public and non-platform combined
-#      private + public policy and produces attributized and versioned
-#      non-platform policy
-# 3) combine policy files
-#    - combine mapping, platform and non-platform policy.
-#    - compile output binary policy file
-
-PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
-PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
-PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
-REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
-
-SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
-SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)
-
-PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
-PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
-
-ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
-HAS_SYSTEM_EXT_SEPOLICY_DIR := true
-endif
-
-# TODO(b/119305624): Currently if the device doesn't have a product partition,
-# we install product sepolicy into /system/product. We do that because bits of
-# product sepolicy that's still in /system might depend on bits that have moved
-# to /product. Once we finish migrating product sepolicy out of system, change
-# it so that if no product partition is present, product sepolicy artifacts are
-# not built and installed at all.
-ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
-HAS_PRODUCT_SEPOLICY_DIR := true
-endif
-
-ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
-ifeq ($(TARGET_BUILD_VARIANT),user)
-$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
-endif
-$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
-          It does not work in user builds and using it will \
-          not stop you from failing CTS.)
-endif
-
-# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
-# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and
-# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for
-# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS.
-ifdef BOARD_SEPOLICY_DIRS
-BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
-endif
-
-###########################################################
-# Compute policy files to be used in policy build.
-# $(1): files to include
-# $(2): directories in which to find files
-###########################################################
-
-define build_policy
-$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
-endef
-
-sepolicy_build_files := security_classes \
-                        initial_sids \
-                        access_vectors \
-                        global_macros \
-                        neverallow_macros \
-                        mls_macros \
-                        mls_decl \
-                        mls \
-                        policy_capabilities \
-                        te_macros \
-                        attributes \
-                        ioctl_defines \
-                        ioctl_macros \
-                        *.te \
-                        roles_decl \
-                        roles \
-                        users \
-                        initial_sid_contexts \
-                        fs_use \
-                        genfs_contexts \
-                        port_contexts
-
-sepolicy_compat_files := $(foreach ver, $(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
-                           $(addprefix compat/$(ver)/, $(addsuffix .cil, $(ver))))
-
-# Security classes and permissions defined outside of system/sepolicy.
-security_class_extension_files := $(call build_policy, security_classes access_vectors, \
-  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
-  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
-  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-
-ifneq (,$(strip $(security_class_extension_files)))
-  $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files)))
-endif
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-  # Checks if there are public system_ext policy files.
-  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
-  ifneq (,$(strip $(policy_files)))
-    HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true
-  endif
-  # Checks if there are public/private system_ext policy files.
-  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
-  ifneq (,$(strip $(policy_files)))
-    HAS_SYSTEM_EXT_SEPOLICY := true
-  endif
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-  # Checks if there are public product policy files.
-  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY))
-  ifneq (,$(strip $(policy_files)))
-    HAS_PRODUCT_PUBLIC_SEPOLICY := true
-  endif
-  # Checks if there are public/private product policy files.
-  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
-  ifneq (,$(strip $(policy_files)))
-    HAS_PRODUCT_SEPOLICY := true
-  endif
-endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-with_asan := false
-ifneq (,$(filter address,$(SANITIZE_TARGET)))
-  with_asan := true
-endif
-
-ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
-  #$(warning no product shipping level defined)
-else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
-  ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),)
-    $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.)
-  endif
-endif
-
-ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
-  #$(warning no product shipping level defined)
-else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
-  ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),)
-    $(error BUILD_BROKEN_ENFORCE_SYSPROP_OWNER cannot be set on a device shipping with S or later, and this is tested by CTS.)
-  endif
-endif
-
-#################################
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_policy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_TAGS := optional
-LOCAL_REQUIRED_MODULES += \
-    selinux_policy_nonsystem \
-    selinux_policy_system \
-
-# Runs checkfc against merged service_contexts files
-LOCAL_REQUIRED_MODULES += \
-    merged_service_contexts_test \
-    merged_hwservice_contexts_test
-
-include $(BUILD_PHONY_PACKAGE)
-
-# selinux_policy is a main goal and triggers lots of tests.
-# Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm')
-# By setting as droidcore's dependency, tests will run on normal builds.
-droidcore: selinux_policy
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := selinux_policy_system
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-# These build targets are not used on non-Treble devices. However, we build these to avoid
-# divergence between Treble and non-Treble devices.
-LOCAL_REQUIRED_MODULES += \
-    plat_mapping_file \
-    $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
-    $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
-    plat_sepolicy.cil \
-    secilc \
-
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
-endif
-
-LOCAL_REQUIRED_MODULES += \
-    build_sepolicy \
-    plat_file_contexts \
-    plat_file_contexts_test \
-    plat_file_contexts_data_test \
-    plat_keystore2_key_contexts \
-    plat_mac_permissions.xml \
-    plat_property_contexts \
-    plat_property_contexts_test \
-    plat_seapp_contexts \
-    plat_service_contexts \
-    plat_service_contexts_test \
-    plat_hwservice_contexts \
-    plat_hwservice_contexts_test \
-    fuzzer_bindings_test \
-    plat_bug_map \
-    searchpolicy \
-
-ifneq ($(with_asan),true)
-ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
-LOCAL_REQUIRED_MODULES += \
-    sepolicy_compat_test \
-
-# HACK: sepolicy_test is implemented as genrule
-# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
-# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
-LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
-LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_dev_type_test)/sepolicy_dev_type_test
-
-LOCAL_REQUIRED_MODULES += \
-    $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
-
-endif  # SELINUX_IGNORE_NEVERALLOWS
-endif  # with_asan
-
-ifeq ($(RELEASE_BOARD_API_LEVEL_FROZEN),true)
-LOCAL_REQUIRED_MODULES += \
-    se_freeze_test
-endif
-
-include $(BUILD_PHONY_PACKAGE)
-
-##################################
-# Policy files are now built with Android.bp. Grab them from intermediate.
-# See Android.bp for details of policy files.
-#
-built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
-
-##################################
-# TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
-#
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := file_contexts.bin
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# The file_contexts.bin is built in the following way:
-# 1. Collect all file_contexts files in THIS repository and process them with
-#    m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all device specific file_contexts files and process them with m4
-#    into a tmp file called file_contexts.device.tmp.
-# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
-#    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 4. Concatenate file_contexts.local.tmp and  file_contexts.device.sorted.tmp
-#    into file_contexts.concat.tmp.
-# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
-#    file_contexts.bin.
-#
-#  Note: That a newline file is placed between each file_context file found to
-#        ensure a proper build when an fc file is missing an ending newline.
-
-local_fc_files := $(call intermediates-dir-for,ETC,plat_file_contexts)/plat_file_contexts
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-local_fc_files += $(call intermediates-dir-for,ETC,system_ext_file_contexts)/system_ext_file_contexts
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-local_fc_files += $(call intermediates-dir-for,ETC,product_file_contexts)/product_file_contexts
-endif
-
-###########################################################
-## Collect file_contexts files into a single tmp file with m4
-##
-## $(1): list of file_contexts files
-## $(2): filename into which file_contexts files are merged
-###########################################################
-
-define _merge-fc-files
-$(2): $(1) $(M4)
-	$(hide) mkdir -p $$(dir $$@)
-	$(hide) $(M4) --fatal-warnings -s $(1) > $$@
-endef
-
-define merge-fc-files
-$(eval $(call _merge-fc-files,$(1),$(2)))
-endef
-
-file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
-$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
-
-device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-device_fc_files += $(call intermediates-dir-for,ETC,odm_file_contexts)/odm_file_contexts
-endif
-
-file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
-$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files)
-$(file_contexts.device.tmp): $(device_fc_files) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@
-
-file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
-$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \
-  $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@
-
-file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
-$(call merge-fc-files,\
-  $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp),$(file_contexts.concat.tmp))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
-
-local_fc_files :=
-device_fc_files :=
-file_contexts.concat.tmp :=
-file_contexts.device.sorted.tmp :=
-file_contexts.device.tmp :=
-file_contexts.local.tmp :=
-
-##################################
-# Tests for Treble compatibility of current platform policy and vendor policy of
-# given release version.
-
-ver := $(PLATFORM_SEPOLICY_VERSION)
-ifneq ($(wildcard $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)),)
-# If PLATFORM_SEPOLICY_VERSION is already frozen, use prebuilts for compat test
-base_plat_pub_policy.cil    := $(call intermediates-dir-for,ETC,$(ver)_plat_pub_policy.cil)/$(ver)_plat_pub_policy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_product_pub_policy.cil)/$(ver)_product_pub_policy.cil
-else
-# If not, use ToT for compat test
-base_plat_pub_policy.cil    := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
-endif
-ver :=
-
-$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
-  $(eval version_under_treble_tests := $(v)) \
-  $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
-)
-
-base_plat_pub_policy.cil :=
-base_product_pub_policy.cil :=
-
-#################################
-
-
-build_policy :=
-built_sepolicy :=
-sepolicy_build_files :=
-with_asan :=
diff --git a/apex/Android.bp b/apex/Android.bp
index a6d0853..304eb85 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -314,3 +314,10 @@
         "com.android.biometrics.virtual.face-file_contexts",
     ],
 }
+
+filegroup {
+    name: "com.android.documentsuibundle-file_contexts",
+    srcs: [
+        "com.android.documentsuibundle-file_contexts",
+    ],
+}
diff --git a/apex/com.android.documentsuibundle-file_contexts b/apex/com.android.documentsuibundle-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.documentsuibundle-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
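Review bot: The second pattern, `/lib(64)?(/.*)`, has no `?` on the trailing group, so the `/lib` and `/lib64` directories themselves do not match it and fall through to the first rule as `system_file`, while only their contents get `system_lib_file`. If the directory entries are meant to carry the library label as well, the line should read `/lib(64)?(/.*)?        u:object_r:system_lib_file:s0`; if the omission is deliberate, a `#` comment above the line saying so would stop the next reader from "fixing" it.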
diff --git a/apex/com.android.uprobestats-file_contexts b/apex/com.android.uprobestats-file_contexts
index 01de3e2..994951b 100644
--- a/apex/com.android.uprobestats-file_contexts
+++ b/apex/com.android.uprobestats-file_contexts
@@ -1,3 +1,3 @@
 (/.*)?                         u:object_r:system_file:s0
 /bin/uprobestats               u:object_r:uprobestats_exec:s0
-
+/bin/uprobestatsbpfload        u:object_r:bpfloader_exec:s0
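Review bot: Labeling `/bin/uprobestatsbpfload` as `bpfloader_exec` reuses the entry label of the platform BPF loader, so this APEX binary presumably enters the same domain and inherits whatever that domain is allowed; nothing in the file records that this sharing is intentional rather than a copy-paste of the nearest similar label. A `#` comment above the line, e.g. `# Runs in the bpfloader domain on purpose: loads the uprobestats BPF programs`, would document the decision for reviewers of the policy. Whether the domain's existing rules cover this binary's needs cannot be judged from this hunk.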
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index fd1cd34..330e02f 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -228,46 +228,46 @@
 	}
 }
 
-func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
+func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.ImageInterfaceContext) {
 	if proptools.Bool(m.properties.Recovery_available) && m.ModuleBase.InstallInRecovery() {
 		ctx.PropertyErrorf("recovery_available",
 			"doesn't make sense at the same time as `recovery: true`")
 	}
 }
 
-func (m *selinuxContextsModule) VendorVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) VendorVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *selinuxContextsModule) ProductVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) ProductVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return !m.ModuleBase.InstallInRecovery()
 }
 
-func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return m.ModuleBase.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
 }
 
-func (m *selinuxContextsModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
+func (m *selinuxContextsModule) ExtraImageVariations(ctx android.ImageInterfaceContext) []string {
 	return nil
 }
 
-func (m *selinuxContextsModule) SetImageVariation(ctx android.BaseModuleContext, variation string) {
+func (m *selinuxContextsModule) SetImageVariation(ctx android.ImageInterfaceContext, variation string) {
 }
 
 var _ android.ImageInterface = (*selinuxContextsModule)(nil)
@@ -716,42 +716,42 @@
 
 // contextsTestModule implements ImageInterface to be able to include recovery_available contexts
 // modules as its sources.
-func (m *contextsTestModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
+func (m *contextsTestModule) ImageMutatorBegin(ctx android.ImageInterfaceContext) {
 }
 
-func (m *contextsTestModule) VendorVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) VendorVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) ProductVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) ProductVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) CoreVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return true
 }
 
-func (m *contextsTestModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) RamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) VendorRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) DebugRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) RecoveryVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
+func (m *contextsTestModule) ExtraImageVariations(ctx android.ImageInterfaceContext) []string {
 	return nil
 }
 
-func (m *contextsTestModule) SetImageVariation(ctx android.BaseModuleContext, variation string) {
+func (m *contextsTestModule) SetImageVariation(ctx android.ImageInterfaceContext, variation string) {
 }
 
 var _ android.ImageInterface = (*contextsTestModule)(nil)
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 4e2a0da..0065c49 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -139,6 +139,7 @@
 		"android.hardware.tv.hdmi.connection.IHdmiConnection/default":             EXCEPTION_NO_FUZZER,
 		"android.hardware.tv.hdmi.earc.IEArc/default":                             EXCEPTION_NO_FUZZER,
 		"android.hardware.tv.input.ITvInput/default":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.tv.mediaquality.IMediaQuality/default":                  EXCEPTION_NO_FUZZER,
 		"android.hardware.tv.tuner.ITuner/default":                                EXCEPTION_NO_FUZZER,
 		"android.hardware.usb.IUsb/default":                                       EXCEPTION_NO_FUZZER,
 		"android.hardware.usb.gadget.IUsbGadget/default":                          EXCEPTION_NO_FUZZER,
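Review bot: The `IMediaQuality/default` entry added here, together with `media_quality` in the next hunk and `tradeinmode` in the one after it, waives the fuzzer requirement for three new binder services with no pointer to why. Since this table is what exempts a service from fuzz coverage, each waiver should carry a reason or a tracking reference, e.g. a trailing `// TODO(b/<bug>): add fuzzer` on each added line, or the fuzzer module should land with the service. Without that, the exemption tends to become permanent for interfaces that have never been fuzzed.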
@@ -350,6 +351,7 @@
 		"media_communication":                    EXCEPTION_NO_FUZZER,
 		"media_metrics":                          EXCEPTION_NO_FUZZER,
 		"media_projection":                       EXCEPTION_NO_FUZZER,
+		"media_quality":                          EXCEPTION_NO_FUZZER,
 		"media_resource_monitor":                 EXCEPTION_NO_FUZZER,
 		"media_router":                           EXCEPTION_NO_FUZZER,
 		"media_session":                          EXCEPTION_NO_FUZZER,
@@ -473,6 +475,7 @@
 		"time_zone_detector":                     EXCEPTION_NO_FUZZER,
 		"thermalservice":                         EXCEPTION_NO_FUZZER,
 		"tracing.proxy":                          EXCEPTION_NO_FUZZER,
+		"tradeinmode":                            EXCEPTION_NO_FUZZER,
 		"translation":                            EXCEPTION_NO_FUZZER,
 		"transparency":                           EXCEPTION_NO_FUZZER,
 		"trust":                                  EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index a99be31..eab7697 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -409,6 +409,7 @@
 /system/bin/traced_perf                                           traced_perf_exec
 /system/bin/traced_probes                                         traced_probes_exec
 /system/bin/traced_relay                                          traced_exec
+/system/bin/tradeinmode                                           tradeinmode_exec
 /system/bin/heapprofd                                             heapprofd_exec
 /system/bin/uncrypt                                               uncrypt_exec
 /system/bin/update_verifier                                       update_verifier_exec
@@ -433,8 +434,8 @@
 /system/bin/hw/android.system.suspend-service                     system_suspend_exec
 /system/etc/aconfig                                               system_aconfig_storage_file
 /system/etc/cgroups.json                                          cgroup_desc_file
-/system/etc/task_profiles/cgroups_0.json                          cgroup_desc_api_file
-/system/etc/task_profiles/cgroups_999.json                        cgroup_desc_api_file
+/system/etc/task_profiles/cgroups_0.json                          cgroup_desc_file
+/system/etc/task_profiles/cgroups_999.json                        cgroup_desc_file
 /system/etc/event-log-tags                                        system_event_log_tags_file
 /system/etc/font_fallback.xml                                     system_font_fallback_file
 /system/etc/group                                                 system_group_file
@@ -458,8 +459,8 @@
 /system/etc/selinux/plat_sepolicy.cil                             sepolicy_file
 /system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256          sepolicy_file
 /system/etc/task_profiles.json                                    task_profiles_file
-/system/etc/task_profiles/task_profiles_0.json                    task_profiles_api_file
-/system/etc/task_profiles/task_profiles_99.json                   task_profiles_api_file
+/system/etc/task_profiles/task_profiles_0.json                    task_profiles_file
+/system/etc/task_profiles/task_profiles_99.json                   task_profiles_file
 /system/usr/share/zoneinfo                                        system_zoneinfo_file
 /system/usr/share/zoneinfo/0                                      system_zoneinfo_file
 /system/bin/adbd                                                  adbd_exec
@@ -781,8 +782,7 @@
 /system/system_ext/bin/canhalconfigurator                         canhalconfigurator_exec
 /system/system_ext/bin/canhalconfigurator-aidl                    canhalconfigurator_exec
 
-/system_ext/bin/linux_vm_setup                                   linux_vm_setup_exec
-/system/system_ext/bin/linux_vm_setup                            linux_vm_setup_exec
+/system/bin/linux_vm_setup                                        linux_vm_setup_exec
 
 /system_ext/lib                                                   system_lib_file
 /system_ext/lib/does_not_exist                                    system_lib_file
@@ -1280,6 +1280,8 @@
 /metadata/watchdog/test                                           watchdog_metadata_file
 /metadata/repair-mode                                             repair_mode_metadata_file
 /metadata/repair-mode/test                                        repair_mode_metadata_file
+/metadata/tradeinmode                                             tradeinmode_metadata_file
+/metadata/tradeinmode/test                                        tradeinmode_metadata_file
 
 /mnt/asec                                                         asec_apk_file
 /mnt/asec/test                                                    asec_apk_file
diff --git a/flagging/Android.bp b/flagging/Android.bp
index bd97a16..5466d2a 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -23,6 +23,7 @@
         "RELEASE_AVF_ENABLE_LLPVM_CHANGES",
         "RELEASE_AVF_ENABLE_NETWORK",
         "RELEASE_AVF_ENABLE_MICROFUCHSIA",
+        "RELEASE_AVF_ENABLE_WIDEVINE_PVM",
         "RELEASE_RANGING_STACK",
         "RELEASE_READ_FROM_NEW_STORAGE",
         "RELEASE_SUPERVISION_SERVICE",
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index e9b4b1e..a20ce93 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -212,7 +212,7 @@
 }
 
 // sepolicy sha256 for vendor
-genrule {
+java_genrule {
     name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
     srcs: [
         ":microdroid_plat_sepolicy.cil",
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 7361462..40cfe5b 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -230,7 +230,6 @@
 allow { domain } cgroup_v2:file w_file_perms;
 
 allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
 
 # Allow all processes to connect to PRNG seeder daemon.
 unix_socket_connect(domain, prng_seeder, prng_seeder)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 6414f76..8416087 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -113,7 +113,7 @@
 /system/bin/traced               u:object_r:traced_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/group                       u:object_r:system_group_file:s0
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
@@ -127,7 +127,7 @@
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_api_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_file:s0
 
 #############################
 # Vendor files
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 67af209..9a0345f 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -114,7 +114,6 @@
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
 allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
 allow init cgroup_v2:dir { mounton create_dir_perms};
 allow init cgroup_v2:file rw_file_perms;
 
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index 0ea67a7..ba88770 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -43,7 +43,6 @@
 
 r_dir_file(shell, cgroup)
 allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
 r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 8d3f76a..8551bb6 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -6,7 +6,9 @@
 type apex_mnt_dir, file_type;
 type authfs_data_file, file_type, data_file_type, core_data_file_type;
 type authfs_service_socket, file_type, coredomain_socket;
-type cgroup_desc_api_file, file_type, system_file_type;
+until_board_api(202504, `
+    type cgroup_desc_api_file, file_type, system_file_type;
+')
 type cgroup_desc_file, file_type, system_file_type;
 type extra_apk_file, file_type;
 type file_contexts_file, file_type, system_file_type;
@@ -30,7 +32,9 @@
 type system_passwd_file, file_type, system_file_type;
 type system_seccomp_policy_file, file_type, system_file_type;
 type system_security_cacerts_file, file_type, system_file_type;
-type task_profiles_api_file, file_type, system_file_type;
+until_board_api(202504, `
+    type task_profiles_api_file, file_type, system_file_type;
+')
 type task_profiles_file, file_type, system_file_type;
 type trace_data_file, file_type, data_file_type, core_data_file_type;
 type unlabeled, file_type;
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 97e7493..1601e61 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -1,15 +1,9 @@
 # aconfigd -- manager for aconfig flags
-type aconfigd, domain;
+type aconfigd, domain, coredomain;
 type aconfigd_exec, exec_type, file_type, system_file_type;
 
-typeattribute aconfigd coredomain;
-
 init_daemon_domain(aconfigd)
 
-# only init is allowed to enter the aconfigd domain
-neverallow { domain -init } aconfigd:process transition;
-neverallow * aconfigd:process dyntransition;
-
 allow aconfigd metadata_file:dir search;
 
 allow aconfigd {
@@ -22,17 +16,15 @@
     aconfig_storage_flags_metadata_file
 }:file create_file_perms;
 
-allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };
-allow aconfigd aconfigd_socket:sock_file rw_file_perms;
-
 # allow aconfigd to access shell_data_file for atest
 userdebug_or_eng(`
     allow aconfigd shell_data_file:dir search;
     allow aconfigd shell_data_file:file { getattr read open map };
 ')
 
-# allow aconfigd to log to the kernel.
-allow aconfigd kmsg_device:chr_file w_file_perms;
+# allow aconfigd to log to the kernel dmesg via a file descriptor
+# passed from init to aconfigd
+allow aconfigd kmsg_device:chr_file write;
 
 # allow aconfigd to read vendor partition storage files
 allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
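Review bot: Removing `allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write }` and the `sock_file` rule leaves no rule for `aconfigd_socket` in this file, but the diff does not show the type declaration or its file_contexts entry being retired. If aconfigd no longer listens on that socket, the type and its label should go in the same change, or a comment should say why they remain, so a stale label does not survive with no domain able to use it; the declaration is not in view here, so this may already be handled elsewhere.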
@@ -41,3 +33,11 @@
 # allow aconfigd to read /apex dir
 allow aconfigd apex_mnt_dir:dir r_dir_perms;
 allow aconfigd apex_mnt_dir:file r_file_perms;
+
+###
+### Neverallow assertions
+###
+
+# only init is allowed to enter the aconfigd domain
+neverallow { domain -init } aconfigd:process transition;
+neverallow * aconfigd:process dyntransition;
diff --git a/private/adbd.te b/private/adbd.te
index a298f08..b87b319 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -2,13 +2,17 @@
 
 typeattribute adbd coredomain;
 typeattribute adbd mlstrustedsubject;
+typeattribute adbd adbd_common;
 
 init_daemon_domain(adbd)
 
 domain_auto_trans(adbd, shell_exec, shell)
 
+# Allow adb to setcon() to tradeinmode.
+allow adbd self:process setcurrent;
+allow adbd adbd_tradeinmode:process dyntransition;
+
 userdebug_or_eng(`
-  allow adbd self:process setcurrent;
   allow adbd su:process dyntransition;
 ')
 
@@ -78,6 +82,7 @@
 set_prop(adbd, powerctl_prop)
 get_prop(adbd, ffs_config_prop)
 set_prop(adbd, ffs_control_prop)
+set_prop(adbd, adbd_tradeinmode_prop)
 
 # Allow adbd start/stop mdnsd via ctl.start
 set_prop(adbd, ctl_mdnsd_prop)
@@ -182,6 +187,10 @@
 allow adbd shell:unix_stream_socket { read write shutdown };
 allow adbd shell:fd use;
 
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
 # Allow pull /vendor/apex files for CTS tests
 r_dir_file(adbd, vendor_apex_file)
 
@@ -206,10 +215,15 @@
 ###
 
 # No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
+# transitions to the shell or tradeinmode domain (except when it crashes). In
+# particular, we never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell -adbd_tradeinmode }:process transition;
+neverallow adbd {
+    domain
+    userdebug_or_eng(`-su')
+    recovery_only(`-shell')
+    -adbd_tradeinmode
+}:process dyntransition;
 
 # Only init is allowed to enter the adbd domain via exec()
 neverallow { domain -init } adbd:process transition;
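Review bot: The updated neverallows bound where adbd may transition and dyntransition to, but the only visible guard on entering adbd is `neverallow { domain -init } adbd:process transition;`, which covers exec transitions only. For the drop into `adbd_tradeinmode` to be one-way, a matching `neverallow * adbd:process dyntransition;` is needed so the restricted context cannot `setcon` back; if that rule already follows below this hunk, nothing to do. As a style point, the `transition` neverallow could be split across lines the same way the new `dyntransition` one is, so the two exclusion lists read side by side.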
diff --git a/private/adbd_common.te b/private/adbd_common.te
index 6cf8e49..c24b029 100644
--- a/private/adbd_common.te
+++ b/private/adbd_common.te
@@ -2,34 +2,30 @@
 ### Put things here that are needed for both adbd proper and adbd in trade-in mode.
 
 # Connect to mdnsd via mdnsd socket.
-unix_socket_connect(adbd, mdnsd, mdnsd)
+unix_socket_connect(adbd_common, mdnsd, mdnsd)
 
 # adbd probes for vsock support. Do not generate denials when
 # this occurs. (b/123569840)
-dontaudit { adbd } self:{ socket vsock_socket } create;
+dontaudit adbd_common self:{ socket vsock_socket } create;
 
 # Allow adbd inside vm to forward vm's vsock.
-allow { adbd } self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+allow adbd_common self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
 # Access device logging gating property
-get_prop(adbd, device_logging_prop)
+get_prop(adbd_common, device_logging_prop)
 
 # Use a pseudo tty.
-allow { adbd } devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow { adbd } shell_data_file:dir create_dir_perms;
-allow { adbd } shell_data_file:file create_file_perms;
+allow adbd_common devpts:chr_file rw_file_perms;
 
 # Read persist.adb.tls_server.enable property
-get_prop(adbd, system_adbd_prop)
+get_prop(adbd_common, system_adbd_prop)
 
 # Read whether or not Test Harness Mode is enabled
-get_prop(adbd, test_harness_prop)
+get_prop(adbd_common, test_harness_prop)
 
 # Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
-set_prop(adbd, adbd_prop)
-set_prop(adbd, adbd_config_prop)
+set_prop(adbd_common, adbd_prop)
+set_prop(adbd_common, adbd_config_prop)
 
 # Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
+get_prop(adbd_common, serialno_prop)
diff --git a/private/adbd_tradeinmode.te b/private/adbd_tradeinmode.te
new file mode 100644
index 0000000..42fdec4
--- /dev/null
+++ b/private/adbd_tradeinmode.te
@@ -0,0 +1,26 @@
+### ADB in trade-in mode
+type adbd_tradeinmode, domain, coredomain, adbd_common;
+
+# Create and use network sockets.
+net_domain(adbd_tradeinmode)
+
+# Run /system/bin/tradeinmode
+domain_auto_trans(adbd_tradeinmode, tradeinmode_exec, tradeinmode)
+
+# Baseline rules to make adbd work after setcon().
+allow adbd_tradeinmode adbd:unix_stream_socket {
+    rw_socket_perms_no_ioctl
+    listen
+    accept
+};
+allow adbd_tradeinmode adbd:fd use;
+allow adbd_tradeinmode adbd:unix_dgram_socket { connect write };
+allow adbd_tradeinmode functionfs:dir r_dir_perms;
+allow adbd_tradeinmode functionfs:file rw_file_perms;
+allow adbd_tradeinmode proc_uptime:file r_file_perms;
+allow adbd_tradeinmode rootfs:dir r_dir_perms;
+
+set_prop(adbd_tradeinmode, ffs_control_prop)
+
+# Allow changing persist.adb.tradeinmode when testing.
+userdebug_or_eng(`set_prop(adbd_tradeinmode, shell_prop)')
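Review bot: The userdebug rule `set_prop(adbd_tradeinmode, shell_prop)` grants write access to the whole `shell_prop` set in order to flip `persist.adb.tradeinmode` for testing, while this same diff introduces a dedicated `adbd_tradeinmode_prop` (property.te) that adbd sets and priv_app reads. If `persist.adb.tradeinmode` is labeled `adbd_tradeinmode_prop`, the narrower `userdebug_or_eng(`set_prop(adbd_tradeinmode, adbd_tradeinmode_prop)')` is the right grant; property_contexts is not in view, so confirm which label the property carries. A short header comment stating that this domain is entered only by `setcon` from adbd (hence the `adbd:fd use` and stream-socket rules) would also help, since the file otherwise reads as a standalone daemon domain.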
diff --git a/private/apexd.te b/private/apexd.te
index c87c5ef..450b563 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -191,6 +191,9 @@
 
 # Allow apexd to write to statsd.
 unix_socket_send(apexd, statsdw, statsd)
+# Allow apexd to call
+allow apexd statsbootstrap_service:service_manager find;
+binder_call(apexd, system_server) # system_server serves statsbootstrap_service
 
 ###
 ### Neverallow rules
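Review bot: The new comment `# Allow apexd to call` is cut off and does not say what is being called; the two rules beneath it find `statsbootstrap_service` and binder_call `system_server`. Suggest `# Allow apexd to find statsbootstrap_service and call its host, system_server.` and drop the trailing comment on the `binder_call` line, which then becomes redundant.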
diff --git a/private/app.te b/private/app.te
index 6362c7d..b9a6d85 100644
--- a/private/app.te
+++ b/private/app.te
@@ -159,7 +159,7 @@
 control_logd({ appdomain -ephemeral_app -sdk_sandbox_all })
 
 # application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info grant rebind update };
 
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
 
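Review bot: The added `grant` permission in the `keystore:keystore2_key` rule, the permission Keystore2 checks before a caller may grant one of its keys to another uid, widens what every non-isolated, non-ephemeral, non-sandbox app may do with keystore keys, yet it lands with no comment saying which feature needs it, and the context comment above the rule (about inheriting the logd write socket) describes something else entirely. Suggest replacing that comment with one that matches the rule, e.g. `# Apps may use, manage and grant access to their own keystore2 keys.`, and citing the feature or bug that motivates `grant`.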
diff --git a/private/attributes b/private/attributes
index fe50b0d..c89d0c7 100644
--- a/private/attributes
+++ b/private/attributes
@@ -11,7 +11,14 @@
 attribute system_and_vendor_property_type;
 expandattribute system_and_vendor_property_type false;
 
+# HALs
+until_board_api(202504, `
+    hal_attribute(mediaquality);
+')
+
 # All SDK sandbox domains
 attribute sdk_sandbox_all;
 # The SDK sandbox domains for the current SDK level.
 attribute sdk_sandbox_current;
+# Common to adbd and adbd_tradeinmode.
+attribute adbd_common;
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 9ac4963..014270b 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -19,6 +19,8 @@
     virtual_fingerprint_exec
     virtual_face
     virtual_face_exec
+    hal_mediaquality_service
+    media_quality_service
     advanced_protection_service
     sysfs_firmware_acpi_tables
   ))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 6c52dba..3f5cb68 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -19,6 +19,7 @@
     hal_secretkeeper_service
     hal_codec2_service
     hal_macsec_service
+    hal_mediaquality_service
     hal_remotelyprovisionedcomponent_avf_service
     hal_threadnetwork_service
     hidl_memory_prop
@@ -52,4 +53,5 @@
     aconfigd_socket
     enable_16k_pages_prop
     proc_cgroups
+    media_quality_service
   ))
diff --git a/private/coredomain.te b/private/coredomain.te
index 93cbff5..8a46a08 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -220,6 +220,7 @@
   neverallow {
     coredomain
     -adbd
+    -adbd_tradeinmode
     -init
     -mediaprovider
     -system_server
diff --git a/private/crash_dump.te b/private/crash_dump.te
index b2d3bd5..a9a802c 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -19,13 +19,7 @@
 }:process { ptrace signal sigchld sigstop sigkill };
 
 userdebug_or_eng(`
-  allow crash_dump {
-    apexd
-    keystore
-    llkd
-    logd
-    vold
-  }:process { ptrace signal sigchld sigstop sigkill };
+  allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
 ')
 
 # Read ART APEX data directory
@@ -135,7 +129,6 @@
   init
   kernel
   keystore
-  userdebug_or_eng(`-keystore')
   llkd
   userdebug_or_eng(`-llkd')
   logd
diff --git a/private/crosvm.te b/private/crosvm.te
index ccfffa0..71a35d9 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -112,9 +112,23 @@
   allow crosvm virtualization_service:service_manager find;
   allow crosvm virtualizationservice:binder { call transfer };
 
+  # Allow crosvm to mount Terminal app internal storage directory
+  # to guest VM over virtiofs
+  allow crosvm privapp_data_file:dir { getattr open read search };
+  allow crosvm privapp_data_file:file { open };
+
   # Allow crosvm to play sound.
   binder_call(crosvm, audioserver)
   allow crosvm audioserver_service:service_manager find;
+
+  # Allow crosvm to mount fuse path in guest VM through virtiofs
+  allow crosvm fuse:file create_file_perms;
+  allow crosvm fuse:dir create_dir_perms;
+  allow crosvm mnt_user_file:dir search;
+
+  # Allow crosvm to create unix socket for vhost-user-fs
+  allow crosvm virtualizationservice_data_file:dir { add_name write remove_name };
+  allow crosvm virtualizationservice_data_file:sock_file { create write unlink };
 ')
 
 # crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
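Review bot: The rules `allow crosvm privapp_data_file:dir { getattr open read search }` and `allow crosvm privapp_data_file:file { open }` are described as access to the Terminal app's internal storage, but `privapp_data_file` labels the private data of every privileged app, so crosvm gains listing and open rights across all of them, and the next hunk then drops `privapp_data_file` from the crosvm neverallow entirely. If the directory is handed to crosvm as an already-open descriptor, the `:file open` grant may be unnecessary and `:dir` could be reduced to `search`; otherwise the comment should state plainly that this covers all privileged apps' data, or a dedicated label for the Terminal app's exported directory should be introduced. `open` without `read` on `privapp_data_file:file` also looks incomplete for serving contents over virtiofs, so confirm it is intended rather than a rule that will grow later.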
@@ -165,12 +179,14 @@
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
 # open them on its behalf. By preventing crosvm from opening any other files we prevent this
 # potential privilege escalation. See http://b/192453819 for more discussion.
+#
+# crosvm requires access to terminal app internal storage; the directory
+# is passed as a mount point to guest VM over virtiofs.
 neverallow crosvm {
   virtualizationservice_data_file
   staging_data_file
   apk_data_file
   app_data_file
-  privapp_data_file
   is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
   is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
   userdebug_or_eng(`-shell_data_file')
@@ -184,11 +200,12 @@
     -vendor_vm_data_file
     # These types are not required for crosvm, but the access is granted to globally in domain.te
     # thus should be exempted here.
+    -vendor_cgroup_desc_file
     -vendor_configs_file
     -vendor_microdroid_file
     -vndk_sp_file
     -vendor_task_profiles_file
-    is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-same_process_hal_file')
+    -same_process_hal_file
   }:file *;
 ')
 
diff --git a/private/domain.te b/private/domain.te
index 03bcb85..38dab17 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -424,10 +424,11 @@
 allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
 
+allow domain cgroup_desc_file:file r_file_perms;
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
+allow domain vendor_cgroup_desc_file:file r_file_perms;
 allow domain vendor_task_profiles_file:file r_file_perms;
 
 # Allow all domains to read sys.use_memfd to determine
@@ -816,6 +817,7 @@
 neverallow {
   domain
   -adbd
+  -adbd_tradeinmode
   -dumpstate
   -fastbootd
   -hal_camera_server
@@ -1160,6 +1162,7 @@
     } {
         system_file_type
         -system_lib_file
+        -system_bootstrap_lib_file
         -system_linker_exec
         -crash_dump_exec
         -netutils_wrapper_exec
@@ -1230,6 +1233,7 @@
     -vendor_init
   } {
     system_file_type
+    -cgroup_desc_file
     -crash_dump_exec
     -file_contexts_file
     -netutils_wrapper_exec
@@ -1237,6 +1241,7 @@
     -system_event_log_tags_file
     -system_group_file
     -system_lib_file
+    -system_bootstrap_lib_file
     with_asan(`-system_asan_options_file')
     -system_linker_exec
     -system_linker_config_file
@@ -1244,7 +1249,6 @@
     -system_seccomp_policy_file
     -system_security_cacerts_file
     -system_zoneinfo_file
-    -task_profiles_api_file
     -task_profiles_file
     userdebug_or_eng(`-tcpdump_exec')
     # Vendor components still can invoke shell commands via /system/bin/sh
@@ -1363,10 +1367,17 @@
 } shell:process { transition dyntransition };
 
 # Only domains spawned from zygote, runas and simpleperf_app_runner may have
-# the appdomain attribute. simpleperf is excluded as a domain transitioned to
-# when running an app-scoped profiling session.
+# the appdomain attribute.
+#
+# simpleperf is excluded as a domain transitioned to when running an app-scoped
+# profiling session.
+#
+# tradeinmode is excluded; it is only run when adbd is in trade-in mode,
+# transitioned from the limited adbd_tradeinmode context. It is a wrapper
+# around "am" to avoid exposing the shell context when adbd is in trade-in
+# mode.
 neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
-  appdomain -shell -simpleperf userdebug_or_eng(`-su')
+  appdomain -shell -simpleperf userdebug_or_eng(`-su') -tradeinmode
 }:process { transition dyntransition };
 
 # Minimize read access to shell- or app-writable symlinks.
@@ -1647,6 +1658,7 @@
   -runas
   -system_server
   -zygote
+  -crosvm # required to access terminal app internal storage
 } {
   privapp_data_file
   app_data_file
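Review bot: The `-crosvm` exemption is added to a neverallow whose object list includes `app_data_file` as well as `privapp_data_file` (and the same exemption is repeated in the next hunk), while crosvm.te only grants `privapp_data_file` and still neverallows `app_data_file` in its own file. The assertion here is therefore weaker than the intended grant; if it cannot be narrowed per type, the comment should say that crosvm.te is what actually bounds crosvm, e.g. `-crosvm # terminal app internal storage only; crosvm.te neverallows app_data_file`. The neverallow statement begins above this hunk, so its subject and class list are not visible here.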
@@ -1712,6 +1724,7 @@
   -artd # compile secondary dex files
   -installd
   -rs # spawned by appdomain, so carryover the exception above
+  -crosvm # required to access terminal app internal storage
 } {
   privapp_data_file
   app_data_file
@@ -1815,6 +1828,7 @@
     file_type
     -system_file_type
     -system_lib_file
+    -system_bootstrap_lib_file
     -system_linker_exec
     -vendor_file_type
     -exec_type
@@ -2064,6 +2078,7 @@
     -vendor_apex_file
     -vendor_apex_metadata_file
     -vendor_boot_ota_file
+    -vendor_cgroup_desc_file
     -vendor_configs_file
     -vendor_microdroid_file
     -vendor_service_contexts_file
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 66dd2b1..a62cc47 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -159,6 +159,9 @@
   allow fastbootd gsi_metadata_file_type:dir search;
   allow fastbootd ota_metadata_file:dir rw_dir_perms;
   allow fastbootd ota_metadata_file:file create_file_perms;
+
+  # Fastbootd uses liblogwrap to write mke2fs logs to kmsg, liblogwrap requires devpts.
+  allow fastbootd devpts:chr_file rw_file_perms;
 ')
 
 # This capability allows fastbootd to circumvent memlock rlimits while using
diff --git a/private/ferrochrome_app.te b/private/ferrochrome_app.te
deleted file mode 100644
index e12c84c..0000000
--- a/private/ferrochrome_app.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type ferrochrome_app, domain;
-typeattribute ferrochrome_app coredomain;
-
-app_domain(ferrochrome_app)
-
-allow ferrochrome_app app_api_service:service_manager find;
-allow ferrochrome_app system_api_service:service_manager find;
-
-# TODO(b/348113995): after remove sysprop usage, we can use just (priv_)app.te
-set_prop(ferrochrome_app, debug_prop);
-get_prop(ferrochrome_app, debug_prop);
diff --git a/private/file.te b/private/file.te
index 662d5cc..60aa5d5 100644
--- a/private/file.te
+++ b/private/file.te
@@ -218,6 +218,8 @@
 # /data/misc_ce/userId/storage_area_keys
 type storage_area_key_file, file_type, data_file_type, core_data_file_type;
 
+# /metadata/tradeinmode files
+type tradeinmode_metadata_file, file_type;
 
 # Types added in 202504 in public/file.te
 until_board_api(202504, `
diff --git a/private/file_contexts b/private/file_contexts
index b7c0480..2e67c35 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -364,7 +364,7 @@
 /system/bin/hw/android\.system\.suspend-service               u:object_r:system_suspend_exec:s0
 /system/etc/aconfig(/.*)?               u:object_r:system_aconfig_storage_file:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/font_fallback.xml           u:object_r:system_font_fallback_file:s0
 /system/etc/group                       u:object_r:system_group_file:s0
@@ -384,7 +384,7 @@
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_api_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_file:s0
 /system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
 /system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
@@ -408,6 +408,8 @@
 /system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
 /system/bin/uprobestats           u:object_r:uprobestats_exec:s0
 /system/bin/bert_collector        u:object_r:bert_collector_exec:s0
+/system/bin/linux_vm_setup        u:object_r:linux_vm_setup_exec:s0
+/system/bin/tradeinmode           u:object_r:tradeinmode_exec:s0
 
 #############################
 # Vendor files
@@ -536,8 +538,6 @@
 /(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
 /(system_ext|system/system_ext)/bin/rkp_cert_processor       u:object_r:rkp_cert_processor_exec:s0
 
-/(system_ext|system/system_ext)/bin/linux_vm_setup       u:object_r:linux_vm_setup_exec:s0
-
 /(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
 
 /(system_ext|system/system_ext)/lib(64)?(/.*)?      u:object_r:system_lib_file:s0
@@ -889,6 +889,7 @@
 /metadata/aconfig(/.*)?    u:object_r:aconfig_storage_metadata_file:s0
 /metadata/aconfig/flags(/.*)?    u:object_r:aconfig_storage_flags_metadata_file:s0
 /metadata/aconfig_test_missions(/.*)?    u:object_r:aconfig_test_mission_files:s0
+/metadata/tradeinmode(/.*)?    u:object_r:tradeinmode_metadata_file:s0
 
 ############################
 # mount point for ota metadata
diff --git a/private/hal_mediaquality.te b/private/hal_mediaquality.te
new file mode 100644
index 0000000..5bcdbbc
--- /dev/null
+++ b/private/hal_mediaquality.te
@@ -0,0 +1,9 @@
+starting_at_board_api(202504, `
+    binder_call(hal_mediaquality_client, hal_mediaquality_server)
+    binder_call(hal_mediaquality_server, hal_mediaquality_client)
+
+    hal_attribute_service(hal_mediaquality, hal_mediaquality_service)
+
+    binder_call(hal_mediaquality_server, servicemanager)
+    binder_call(hal_mediaquality_client, servicemanager)
+')
diff --git a/private/init.te b/private/init.te
index dd84ae8..a3adab5 100644
--- a/private/init.te
+++ b/private/init.te
@@ -237,7 +237,6 @@
 allow init cgroup:file rw_file_perms;
 allow init cgroup_rc_file:file rw_file_perms;
 allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
 allow init vendor_cgroup_desc_file:file r_file_perms;
 allow init cgroup_v2:dir { mounton create_dir_perms};
 allow init cgroup_v2:file rw_file_perms;
@@ -580,6 +579,7 @@
 allow init {
   sysfs_android_usb
   sysfs_dm_verity
+  sysfs_firmware_acpi_tables
   sysfs_leds
   sysfs_power
   sysfs_fs_f2fs
diff --git a/private/keystore.te b/private/keystore.te
index 3a1c242..50542b0 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -93,8 +93,7 @@
 neverallow { domain -keystore -init } keystore_data_file:dir *;
 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
 
-# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
-neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+neverallow * keystore:process ptrace;
 
 # Only keystore can set keystore.crash_count system property. Since init is allowed to set any
 # system property, an exception is added for init as well.
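Review bot: The rationale that used to accompany this rule disappeared together with the TODO, so `neverallow * keystore:process ptrace;` now stands without any comment saying that the userdebug crash_dump exception was dropped on purpose; suggest `# Nothing may ptrace keystore, not even crash_dump on userdebug/eng builds (see the former TODO for b/186868271).` As a point of style, the neighbouring neverallows in this hunk use `domain` as the source set rather than `*`; `*` also covers keystore itself and every non-domain type, which is presumably intended but is worth stating so the next reader does not "fix" it back to `domain`.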
diff --git a/private/platform_app.te b/private/platform_app.te
index 320624c..e60dcdd 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -99,6 +99,7 @@
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
 allow platform_app stats_service:service_manager find;
+allow platform_app tradeinmode_service:service_manager find;
 
 # Allow platform apps to log via statsd.
 binder_call(platform_app, statsd)
diff --git a/private/priv_app.te b/private/priv_app.te
index bb5da7c..1ef5be1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -136,6 +136,9 @@
 # Allow priv_apps to check whether Dynamic System Update is enabled
 get_prop(priv_app, dynamic_system_prop)
 
+# Allow privileged apps to read trade in mode property
+get_prop(priv_app, adbd_tradeinmode_prop)
+
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
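Review bot: The new comment does not name the property, which matters here because the type is a `system_internal_prop` and this is the only non-system-server reader added in the diff; suggest `# Allow privileged apps to read persist.adb.tradeinmode (adbd_tradeinmode_prop).`, matching the property_contexts entry added in this same change.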
diff --git a/private/property.te b/private/property.te
index 40beca5..17e6d6e 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,7 +1,9 @@
 # Properties used only in /system
 system_internal_prop(adbd_prop)
+system_internal_prop(adbd_tradeinmode_prop)
 system_internal_prop(apexd_payload_metadata_prop)
 system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(ctl_uprobestats_prop)
 system_internal_prop(crashrecovery_prop)
 system_internal_prop(debug_tracing_desktop_mode_visible_tasks_prop)
 system_internal_prop(device_config_core_experiments_team_internal_prop)
@@ -509,6 +511,7 @@
   -init
   -vendor_init
   -adbd
+  -adbd_tradeinmode
   -system_server
 } {
   adbd_config_prop
@@ -519,6 +522,7 @@
   domain
   -init
   -adbd
+  -adbd_tradeinmode
 } {
   adbd_prop
 }:property_service set;
@@ -859,5 +863,6 @@
 neverallow {
   domain
   -init
+  -shell
   userdebug_or_eng(`-su')
 } bionic_linker_16kb_app_compat_prop:property_service set;
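Review bot: The `-shell` exemption added to this neverallow is unconditional, so shell on user builds may set `bionic_linker_16kb_app_compat_prop` even though the matching shell.te hunk describes the grant as "enable 16 KB backcompat globally" without a userdebug qualifier. If this is meant for testing only, the exemption here should be `userdebug_or_eng(`-shell')` and the `set_prop(shell, bionic_linker_16kb_app_compat_prop)` in shell.te wrapped in `userdebug_or_eng(...)`, as that file already does for the tradeinmode transition in the same diff; if it is intentionally available on user builds, the shell.te comment should say so and why.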
diff --git a/private/property_contexts b/private/property_contexts
index 24462cb..d417a5b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -51,6 +51,7 @@
 security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
 service.adb.root        u:object_r:shell_prop:s0
 service.adb.tls.port    u:object_r:adbd_prop:s0
+persist.adb.tradeinmode u:object_r:adbd_tradeinmode_prop:s0
 persist.adb.wifi.       u:object_r:adbd_prop:s0
 persist.adb.tls_server.enable  u:object_r:system_adbd_prop:s0
 
@@ -202,6 +203,11 @@
 ctl.stop$snapuserd      u:object_r:ctl_snapuserd_prop:s0
 ctl.restart$snapuserd   u:object_r:ctl_snapuserd_prop:s0
 
+# Restrict access to control uprobestats
+ctl.start$uprobestats     u:object_r:ctl_uprobestats_prop:s0
+ctl.stop$uprobestats      u:object_r:ctl_uprobestats_prop:s0
+ctl.restart$uprobestats   u:object_r:ctl_uprobestats_prop:s0
+
 # Restrict access to starting/stopping artd_pre_reboot.
 ctl.start$artd_pre_reboot          u:object_r:ctl_artd_pre_reboot_prop:s0
 ctl.stop$artd_pre_reboot           u:object_r:ctl_artd_pre_reboot_prop:s0
@@ -568,6 +574,7 @@
 
 media.c2.dmabuf.padding                      u:object_r:codec2_config_prop:s0 exact int
 media.c2.hal.selection                       u:object_r:codec2_config_prop:s0 exact enum aidl hidl
+media.c2.remove_rendering_depth              u:object_r:codec2_config_prop:s0 exact bool
 
 media.recorder.show_manufacturer_and_model   u:object_r:media_config_prop:s0 exact bool
 media.resolution.limit.32bit                 u:object_r:media_config_prop:s0 exact int
@@ -597,6 +604,12 @@
 persist.bluetooth.factoryreset                              u:object_r:bluetooth_prop:s0 exact bool
 persist.bluetooth.leaudio.allow_list                        u:object_r:bluetooth_prop:s0 exact string
 
+bluetooth.a2dp.source.sbc_priority.config            u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.a2dp.source.aac_priority.config            u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.a2dp.source.aptx_priority.config           u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.a2dp.source.aptx_hd_priority.config        u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.a2dp.source.ldac_priority.config           u:object_r:bluetooth_config_prop:s0 exact int
+
 bluetooth.hardware.power.operating_voltage_mv        u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.power.idle_cur_ma                 u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.power.tx_cur_ma                   u:object_r:bluetooth_config_prop:s0 exact int
@@ -1015,6 +1028,7 @@
 ro.build.date.utc                         u:object_r:build_prop:s0 exact int
 ro.build.description                      u:object_r:build_prop:s0 exact string
 ro.build.display.id                       u:object_r:build_prop:s0 exact string
+ro.build.critical_issues.fixed_issues.long_list u:object_r:build_prop:s0 exact string
 ro.build.flavor                           u:object_r:build_prop:s0 exact string
 ro.build.host                             u:object_r:build_prop:s0 exact string
 ro.build.id                               u:object_r:build_prop:s0 exact string
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index b4c655b..41b2799 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -124,3 +124,25 @@
 # Only dirs should be created at sdk_sandbox_all_system_data_file level
 neverallow { domain -init } sdk_sandbox_system_data_file:file *;
 
+# Restrict unix stream sockets for IPC.
+neverallow sdk_sandbox_all {
+    domain
+    -sdk_sandbox_all
+    -netd
+    -logd
+    -adbd
+    userdebug_or_eng(`-su')
+    # needed for profiling
+    -traced
+    -traced_perf
+    -heapprofd
+    # fallback crash handling for processes that can't exec crash_dump.
+    -tombstoned
+    # needed to connect to PRNG seeder daemon.
+    -prng_seeder
+}:unix_stream_socket connectto;
+neverallow {
+    domain
+    -adbd
+    -sdk_sandbox_all
+} sdk_sandbox_all:unix_stream_socket connectto;
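Review bot: The two neverallows are asymmetric in a way the comments do not explain: the first exempts `su` on userdebug/eng and the profiling/crash daemons, while the second (who may connect to a sandbox socket) exempts only adbd and the sandbox itself. If su, traced, traced_perf, heapprofd or tombstoned ever need to connect back into an sdk_sandbox socket on debug builds, the second rule will reject the policy; if they are deliberately excluded, a one-line comment on the second rule such as `# Only adbd may initiate connections into the sandbox; debug daemons are not exempted on purpose.` would make that explicit. I cannot see the rest of sdk_sandbox_all.te from this hunk, so an existing su carve-out elsewhere may already cover this.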
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 0b857de..ce49fc4 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -225,5 +225,3 @@
 user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.virtualization.linuxinstaller domain=ferrochrome_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.virtualization.ferrochrome domain=ferrochrome_app type=privapp_data_file levelFrom=all
diff --git a/private/service.te b/private/service.te
index 1f31477..eee98d0 100644
--- a/private/service.te
+++ b/private/service.te
@@ -28,11 +28,19 @@
 type statsbootstrap_service,         system_server_service, service_manager_type;
 type statscompanion_service,         system_server_service, service_manager_type;
 type statsmanager_service,           system_api_service, system_server_service, service_manager_type;
+until_board_api(202504, `
+    type media_quality_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+')
+
+until_board_api(202504, `
+    type hal_mediaquality_service, protected_service, hal_service_type, service_manager_type;
+')
 
 is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
     type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 ')
 type tracingproxy_service,          system_server_service, service_manager_type;
+type tradeinmode_service,           system_server_service, service_manager_type;
 type transparency_service,          system_server_service, service_manager_type;
 
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
diff --git a/private/service_contexts b/private/service_contexts
index 37652ae..7c3c5de 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -115,6 +115,7 @@
 android.hardware.tv.hdmi.cec.IHdmiCec/default                        u:object_r:hal_tv_hdmi_cec_service:s0
 android.hardware.tv.hdmi.connection.IHdmiConnection/default          u:object_r:hal_tv_hdmi_connection_service:s0
 android.hardware.tv.hdmi.earc.IEArc/default                          u:object_r:hal_tv_hdmi_earc_service:s0
+android.hardware.tv.mediaquality.IMediaQuality/default               u:object_r:hal_mediaquality_service:s0
 android.hardware.tv.tuner.ITuner/default                             u:object_r:hal_tv_tuner_service:s0
 android.hardware.tv.input.ITvInput/default                           u:object_r:hal_tv_input_service:s0
 android.hardware.usb.IUsb/default                                    u:object_r:hal_usb_service:s0
@@ -337,6 +338,7 @@
 media_communication                       u:object_r:media_communication_service:s0
 media_metrics                             u:object_r:media_metrics_service:s0
 media_projection                          u:object_r:media_projection_service:s0
+media_quality                             u:object_r:media_quality_service:s0
 media_resource_monitor                    u:object_r:media_session_service:s0
 media_router                              u:object_r:media_router_service:s0
 media_session                             u:object_r:media_session_service:s0
@@ -466,6 +468,7 @@
 thermalservice                            u:object_r:thermal_service:s0
 thread_network                            u:object_r:threadnetwork_service:s0
 tracing.proxy                             u:object_r:tracingproxy_service:s0
+tradeinmode                               u:object_r:tradeinmode_service:s0
 translation                               u:object_r:translation_service:s0
 transparency                              u:object_r:transparency_service:s0
 trust                                     u:object_r:trust_service:s0
diff --git a/private/shell.te b/private/shell.te
index a6e9975..38c5ac8 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -42,6 +42,11 @@
 
 domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
 
+# Allow shell to execute tradeinmode on userdebug builds, for testing.
+userdebug_or_eng(`
+  domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
+')
+
 # Allow shell binaries to exec the perfetto cmdline util and have that
 # transition into its own domain, so that it behaves consistently to
 # when exec()-d by statsd.
@@ -108,6 +113,9 @@
 # Allow shell to set RKP properties for testing purposes
 set_prop(shell, remote_prov_prop)
 
+# Allow shell to enable 16 KB backcompat globally.
+set_prop(shell, bionic_linker_16kb_app_compat_prop)
+
 # Allow shell to get encryption policy of /data/local/tmp/, for CTS
 allowxperm shell shell_data_file:dir ioctl {
   FS_IOC_GET_ENCRYPTION_POLICY
@@ -273,12 +281,6 @@
 # TODO (b/350628688): Remove this once it's safe to do so.
 allow shell oatdump_exec:file rx_file_perms;
 
-# Allow shell access to socket for test
-userdebug_or_eng(`
-    allow shell aconfigd_socket:sock_file write;
-    allow shell aconfigd:unix_stream_socket connectto;
-')
-
 # Create and use network sockets.
 net_domain(shell)
 
@@ -403,7 +405,6 @@
 
 r_dir_file(shell, cgroup)
 allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
 allow shell vendor_cgroup_desc_file:file r_file_perms;
 r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
diff --git a/private/statsd.te b/private/statsd.te
index b932bc6..8b77c1e 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -41,6 +41,8 @@
 
 # Allow statsd to trigger uprobestats via property.
 set_prop(statsd, uprobestats_start_with_config_prop);
+# Allow statsd to start the uprobestats service.
+set_prop(statsd, ctl_uprobestats_prop)
 binder_use(statsd)
 
 # Allow statsd to scan through /proc/pid for all processes.
diff --git a/private/su.te b/private/su.te
index 2d4b0c6..1e2adef 100644
--- a/private/su.te
+++ b/private/su.te
@@ -106,6 +106,7 @@
   typeattribute su hal_ir_client;
   typeattribute su hal_keymaster_client;
   typeattribute su hal_light_client;
+  typeattribute su hal_mediaquality_client;
   typeattribute su hal_memtrack_client;
   typeattribute su hal_neuralnetworks_client;
   typeattribute su hal_nfc_client;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f6f1d9b..1e0e1ef 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -85,9 +85,14 @@
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 
-# Allow reading and writing to sockets used for BLAST buffer releases
+# Allow reading and writing to sockets used for BLAST buffer releases.
+# SurfaceFlinger never reads from these sockets but needs read permissions in order to receive
+# the file descriptors over binder. There's no mechanism to mark a socket as write-only.
+# shutdown is used to close the read-end of the sockets that are sent to SurfaceFlinger. See
+# b/353597444
 allow surfaceflinger { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:unix_stream_socket { read write };
 allow surfaceflinger bootanim:unix_stream_socket { read write };
+allow surfaceflinger automotive_display_service:unix_stream_socket { read write };
 
 # Allow a dumpstate triggered screenshot
 binder_call(surfaceflinger, dumpstate)
@@ -135,6 +140,8 @@
 allow surfaceflinger statsmanager_service:service_manager find;
 # TODO(146461633): remove this once native pullers talk to StatsManagerService
 binder_call(surfaceflinger, statsd);
+# Allow pushing atoms to the stats bootstrap atom service
+allow surfaceflinger statsbootstrap_service:service_manager find;
 
 # Allow to use files supplied by hal_evs
 allow surfaceflinger hal_evs:fd use;
@@ -142,10 +149,6 @@
 # Allow to use release fence fds supplied by hal_camera
 allow surfaceflinger hal_camera:fd use;
 
-# Allow pushing jank event atoms to statsd
-userdebug_or_eng(`
-    unix_socket_send(surfaceflinger, statsdw, statsd)
-')
 
 # Surfaceflinger should not be reading default vendor-defined properties.
 dontaudit surfaceflinger vendor_default_prop:file read;
diff --git a/private/system_app.te b/private/system_app.te
index 0b6ffe2..93be46f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -199,3 +199,7 @@
 
 allow system_app vendor_boot_ota_file:dir { r_dir_perms };
 allow system_app vendor_boot_ota_file:file { r_file_perms };
+
+# allow system_app to read system_dlkm_file for /system_dlkm/etc/NOTICE.xml.gz
+allow system_app system_dlkm_file:dir search;
+allow system_app system_dlkm_file:file { getattr open read };
diff --git a/private/system_server.te b/private/system_server.te
index fc4faef..5fb5346 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -198,6 +198,8 @@
 allow system_server hal_camera:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
 allow system_server bootanim:process { getsched setsched };
+# Set scheduling info for VMs (b/375058190)
+allow system_server { virtualizationmanager crosvm }:process { getsched setsched };
 
 # Set scheduling info for psi monitor thread.
 # TODO: delete this line b/131761776
@@ -324,6 +326,7 @@
 hal_client_domain(system_server, hal_ir)
 hal_client_domain(system_server, hal_keymint)
 hal_client_domain(system_server, hal_light)
+hal_client_domain(system_server, hal_mediaquality)
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_neuralnetworks)
 hal_client_domain(system_server, hal_oemlock)
@@ -1134,9 +1137,9 @@
 
 # Connect to adbd and use a socket transferred from it.
 # Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+allow system_server adbd_common:unix_stream_socket connectto;
+allow system_server adbd_common:fd use;
+allow system_server adbd_common:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
 # Read service.adb.tls.port, persist.adb.wifi. properties
 get_prop(system_server, adbd_prop)
@@ -1144,6 +1147,9 @@
 # Set persist.adb.tls_server.enable property
 set_prop(system_server, system_adbd_prop)
 
+# Set service.adbd.tradeinmode from ITradeInService.
+set_prop(system_server, adbd_tradeinmode_prop)
+
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
@@ -1447,6 +1453,9 @@
 # Allow system server to read /apex/apex-info-list.xml
 allow system_server apex_info_file:file r_file_perms;
 
+# Allow system_server to communicate with tradeinmode.
+binder_call(system_server, tradeinmode)
+
 # Allow system server to communicate to system-suspend's control interface
 allow system_server system_suspend_control_internal_service:service_manager find;
 allow system_server system_suspend_control_service:service_manager find;
@@ -1498,6 +1507,10 @@
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+# Allow TradeInMode service rw access to /metadata/tradeinmode.
+allow system_server tradeinmode_metadata_file:dir rw_dir_perms;
+allow system_server tradeinmode_metadata_file:file create_file_perms;
+
 allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
 allow system_server userspace_reboot_metadata_file:file create_file_perms;
 
@@ -1673,6 +1686,9 @@
 neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
 neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
 
+# Do not allow anything other than system_server and init to touch /metadata/tradeinmode.
+neverallow { domain -init -system_server } tradeinmode_metadata_file:file no_rw_file_perms;
+
 neverallow {
   domain
   -init
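Review bot: The new neverallow only covers `tradeinmode_metadata_file:file`, so any domain that can reach `/metadata/tradeinmode` as a directory is still free to create, unlink or rename entries in it, which undermines the "nothing other than system_server and init" intent stated in the comment. The keystore rules earlier in this diff show the stronger pattern (`:dir *` together with the file class); consider adding a companion line for the dir class, e.g. `neverallow { domain -init -system_server } tradeinmode_metadata_file:dir ~{ search getattr open read };`, adjusting the permitted read set to whatever other readers genuinely need. The enclosing neverallow at the end of this hunk continues outside it.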
diff --git a/private/tradeinmode.te b/private/tradeinmode.te
new file mode 100644
index 0000000..821faf4
--- /dev/null
+++ b/private/tradeinmode.te
@@ -0,0 +1,32 @@
+### trade-in mode
+
+type tradeinmode, domain, coredomain;
+type tradeinmode_exec, exec_type, file_type, system_file_type;
+
+allow tradeinmode adbd_tradeinmode:fd use;
+allow tradeinmode adbd_tradeinmode:unix_stream_socket { read write ioctl };
+
+# Allow running from normal shell on userdebug/eng.
+userdebug_or_eng(`
+  allow tradeinmode { adbd shell }:fd use;
+  allow tradeinmode adbd:unix_stream_socket { read write ioctl };
+')
+
+allow tradeinmode devpts:chr_file rw_file_perms;
+
+# Allow executing am/content without a domain transition.
+allow tradeinmode system_file:file rx_file_perms;
+allow tradeinmode zygote_exec:file rx_file_perms;
+allow tradeinmode apex_info_file:file r_file_perms;
+
+allow tradeinmode activity_service:service_manager find;
+
+get_prop(tradeinmode, odsign_prop)
+get_prop(tradeinmode, build_attestation_prop)
+
+# Needed to start activities through "am".
+binder_call(tradeinmode, system_server)
+binder_call(tradeinmode, servicemanager)
+
+# Needed to run "content".
+binder_call(tradeinmode, platform_app)
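Review bot: `allow tradeinmode system_file:file rx_file_perms;` grants execute-without-transition over everything labelled system_file, not just `am` and `content`, and this domain is entered from the trade-in-mode adbd (the adbd_tradeinmode fd and socket rules at the top), so the breadth deserves to be stated rather than implied; suggest `# am/content are system_file-labelled wrappers that exec app_process (zygote_exec); no narrower label exists, so this intentionally covers all of system_file.` The `### trade-in mode` heading is the only description of the domain; a sentence on what trade-in mode is and which daemon launches this binary would help. If only adbd_tradeinmode and, on userdebug, shell are meant to enter the domain, a neverallow on the transition would pin that, but the adbd_tradeinmode side of the setup is not visible in this diff.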
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 84ec60e..0a2d62c 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -115,6 +115,7 @@
   -userspace_reboot_metadata_file
   -aconfig_storage_metadata_file
   -aconfig_storage_flags_metadata_file
+  -tradeinmode_metadata_file
   enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index bc29e39..1acf734 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -131,7 +131,7 @@
   -virtualizationmanager
   -virtualizationservice
   # TODO(b/332677707): remove them when display service uses binder RPC.
-  is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-crosvm')
+  -crosvm
 }:process setrlimit;
 
 is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index c76c117..71c9f3f 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -11,6 +11,8 @@
 allow vmlauncher_app shell_data_file:file { read open write };
 virtualizationservice_use(vmlauncher_app)
 
+allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
+
 is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
   # TODO(b/332677707): remove them when display service uses binder RPC.
   allow vmlauncher_app virtualization_service:service_manager find;
@@ -24,3 +26,6 @@
   # Allow other processes to access the pts.
   allow vmlauncher_app vmlauncher_app_devpts:chr_file setattr;
 ')
+
+# TODO(b/372664601): Remove this when we don't need linux_vm_setup
+set_prop(vmlauncher_app, debug_prop);
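Review bot: The TODO says this `set_prop(vmlauncher_app, debug_prop)` stays until linux_vm_setup is no longer needed, yet the file_contexts hunk earlier in this same diff removes the `linux_vm_setup` binary's label entirely; either the two changes were merged in the wrong order or the TODO is already actionable and this grant can go. Letting an app domain set `debug_prop` is a broad capability, so if it must stay, the comment should name the specific property being set and the consumer that reads it, and consider wrapping it in `userdebug_or_eng` if the need is debug-only.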
diff --git a/private/vold.te b/private/vold.te
index 339877d..c242040 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -364,6 +364,8 @@
 
 dontaudit vold self:global_capability_class_set sys_resource;
 
+dontaudit vold self:capability sys_rawio;
+
 # Allow ReadDefaultFstab().
 read_fstab(vold)
 
diff --git a/public/attributes b/public/attributes
index 759b773..0503450 100644
--- a/public/attributes
+++ b/public/attributes
@@ -366,6 +366,9 @@
 hal_attribute(light);
 hal_attribute(lowpan);
 hal_attribute(macsec);
+starting_at_board_api(202504, `
+    hal_attribute(mediaquality);
+')
 hal_attribute(memtrack);
 hal_attribute(neuralnetworks);
 hal_attribute(nfc);
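Review bot: `hal_attribute(mediaquality)` is declared only inside `starting_at_board_api(202504, ...)`, but `typeattribute su hal_mediaquality_client;` in su.te and `hal_client_domain(system_server, hal_mediaquality)` in system_server.te in this same diff are unguarded, so on a board API level below 202504 those lines would reference an undeclared attribute. The private/service.te hunk shows the expected pairing for the service types (`until_board_api` in private, `starting_at_board_api` in public); a matching `until_board_api(202504, ` hal_attribute(mediaquality); ')` in the private attributes file would resolve it if it is not already present in a part of the diff outside this chunk.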
diff --git a/public/file.te b/public/file.te
index 4f187ec..c158492 100644
--- a/public/file.te
+++ b/public/file.te
@@ -224,16 +224,22 @@
 type tcpdump_exec, system_file_type, exec_type, file_type;
 # Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
 type system_zoneinfo_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/cgroups.json
+# Cgroups description file under /system/etc/cgroups.json or
+# API file under /system/etc/task_profiles/cgroups_*.json
 type cgroup_desc_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
-type cgroup_desc_api_file, system_file_type, file_type;
+until_board_api(202504, `
+    # Cgroups description file under /system/etc/task_profiles/cgroups_*.json
+    type cgroup_desc_api_file, system_file_type, file_type;
+')
 # Vendor cgroups description file under /vendor/etc/cgroups.json
 type vendor_cgroup_desc_file, vendor_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles.json
+# Task profiles file under /system/etc/task_profiles.json or
+# API file under /system/etc/task_profiles/task_profiles_*.json
 type task_profiles_file, system_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
-type task_profiles_api_file, system_file_type, file_type;
+until_board_api(202504, `
+    # Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+    type task_profiles_api_file, system_file_type, file_type;
+')
 # Vendor task profiles file under /vendor/etc/task_profiles.json
 type vendor_task_profiles_file, vendor_file_type, file_type;
 # Type for /system/apex/com.android.art
diff --git a/public/service.te b/public/service.te
index 9d77fb9..f54df00 100644
--- a/public/service.te
+++ b/public/service.te
@@ -176,6 +176,9 @@
 type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+    type media_quality_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+')
 type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type meminfo_service, system_api_service, system_server_service, service_manager_type;
@@ -327,6 +330,9 @@
 type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
 type hal_light_service, protected_service, hal_service_type, service_manager_type;
 type hal_macsec_service, protected_service, hal_service_type, service_manager_type;
+starting_at_board_api(202504, `
+    type hal_mediaquality_service, protected_service, hal_service_type, service_manager_type;
+')
 type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
 type hal_neuralnetworks_service, hal_service_type, service_manager_type;
 type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
diff --git a/tests/Android.bp b/tests/Android.bp
index 3dda11a..81e7927 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -83,6 +83,8 @@
     libs: ["pysepolwrap"],
     data: [
         ":libsepolwrap",
+    ],
+    device_common_data: [
         ":precompiled_sepolicy",
     ],
 }
@@ -96,6 +98,8 @@
     libs: ["pysepolwrap"],
     data: [
         ":libsepolwrap",
+    ],
+    device_common_data: [
         ":precompiled_sepolicy",
     ],
     test_options: {
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
deleted file mode 100644
index 2e9d68f..0000000
--- a/treble_sepolicy_tests_for_release.mk
+++ /dev/null
@@ -1,81 +0,0 @@
-version := $(version_under_treble_tests)
-
-include $(CLEAR_VARS)
-# For Treble builds run tests verifying that processes are properly labeled and
-# permissions granted do not violate the treble model.  Also ensure that treble
-# compatibility guarantees are upheld between SELinux version bumps.
-LOCAL_MODULE := treble_sepolicy_tests_$(version)
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-IS_TREBLE_TEST_ENABLED_PARTNER := false
-ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
-IS_TREBLE_TEST_ENABLED_PARTNER := true
-endif # (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
-endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# $(version)_plat - the platform policy shipped as part of the $(version) release.  This is
-# built to enable us to determine the diff between the current policy and the
-# $(version) policy, which will be used in tests to make sure that compatibility has
-# been maintained by our mapping files.
-built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil
-
-$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
-$(version)_mapping.ignore.cil := \
-    $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR))
-$(version)_mapping.cil += \
-    $(call intermediates-dir-for,ETC,system_ext_$(version).cil)/system_ext_$(version).cil
-$(version)_mapping.ignore.cil += \
-    $(call intermediates-dir-for,ETC,system_ext_$(version).ignore.cil)/system_ext_$(version).ignore.cil
-endif # (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR))
-ifneq (,$(BOARD_PRODUCT_PREBUILT_DIR))
-$(version)_mapping.cil += \
-    $(call intermediates-dir-for,ETC,product_$(version).cil)/product_$(version).cil
-$(version)_mapping.ignore.cil += \
-    $(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
-endif # (,$(BOARD_PRODUCT_PREBUILT_DIR))
-endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-
-# $(version)_mapping.combined.cil - a combination of the mapping file used when
-# combining the current platform policy with nonplatform policy based on the
-# $(version) policy release and also a special ignored file that exists purely for
-# these tests.
-intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
-$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
-$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
-	mkdir -p $(dir $@)
-	cat $^ > $@
-
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-public_cil_files := $(base_product_pub_policy.cil)
-else
-public_cil_files := $(base_plat_pub_policy.cil)
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-  $(public_cil_files) \
-  $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil)
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-                -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-                -o $(PRIVATE_SEPOLICY_OLD)
-	$(hide) touch $@
-
-built_sepolicy_files :=
-public_cil_files :=
-$(version)_mapping.cil :=
-$(version)_mapping.combined.cil :=
-$(version)_mapping.ignore.cil :=
-built_$(version)_plat_sepolicy :=
-version :=
-version_under_treble_tests :=
diff --git a/treble_sepolicy_tests_for_release/Android.bp b/treble_sepolicy_tests_for_release/Android.bp
new file mode 100644
index 0000000..7756cbb
--- /dev/null
+++ b/treble_sepolicy_tests_for_release/Android.bp
@@ -0,0 +1,448 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    default_applicable_licenses: [
+        "Android-Apache-2.0",
+        "system_sepolicy_license",
+    ],
+}
+
+//////////////////////////////////
+// Tests for Treble compatibility of current platform policy and vendor policy of
+// given release version.
+//////////////////////////////////
+java_genrule {
+    name: "29.0_mapping.combined.cil",
+    srcs: [
+        ":plat_29.0.cil",
+        ":29.0.ignore.cil",
+    ],
+    out: ["29.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_29.0.cil) $(location :29.0.ignore.cil) > $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_29.0",
+    srcs: [
+        ":29.0_plat_policy.cil",
+        ":29.0_mapping.combined.cil",
+        ":29.0_plat_pub_policy.cil",
+    ],
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_29.0"],
+    cmd: "$(location treble_sepolicy_tests) " +
+        "-b $(location :29.0_plat_pub_policy.cil) " +
+        "-m $(location :29.0_mapping.combined.cil) " +
+        "-o $(location :29.0_plat_policy.cil) && " +
+        "touch $(out)",
+}
+
+java_genrule {
+    name: "30.0_mapping.combined.cil",
+    srcs: [
+        ":plat_30.0.cil",
+        ":30.0.ignore.cil",
+    ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+        true: [
+            ":system_ext_30.0.cil",
+            ":system_ext_30.0.ignore.cil",
+        ],
+        default: [],
+    }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+        true: [
+            ":product_30.0.cil",
+            ":product_30.0.ignore.cil",
+        ],
+        default: [],
+    }),
+    out: ["30.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_30.0.cil) " +
+        "$(location :30.0.ignore.cil) " +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+            true: "$(location :system_ext_30.0.cil) " +
+                "$(location :system_ext_30.0.ignore.cil) ",
+            default: "",
+        }) +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+            true: "$(location :product_30.0.cil) " +
+                "$(location :product_30.0.ignore.cil) ",
+            default: "",
+        }) +
+        "> $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_30.0",
+    srcs: [
+        ":30.0_plat_policy.cil",
+        ":30.0_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":30.0_plat_pub_policy.cil"],
+        (default, default): [":30.0_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_30.0"],
+    cmd: select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :30.0_plat_pub_policy.cil) " +
+            "-m $(location :30.0_mapping.combined.cil) " +
+            "-o $(location :30.0_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :30.0_product_pub_policy.cil) " +
+            "-m $(location :30.0_mapping.combined.cil) " +
+            "-o $(location :30.0_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
+
+java_genrule {
+    name: "31.0_mapping.combined.cil",
+    srcs: [
+        ":plat_31.0.cil",
+        ":31.0.ignore.cil",
+    ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+        true: [
+            ":system_ext_31.0.cil",
+            ":system_ext_31.0.ignore.cil",
+        ],
+        default: [],
+    }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+        true: [
+            ":product_31.0.cil",
+            ":product_31.0.ignore.cil",
+        ],
+        default: [],
+    }),
+    out: ["31.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_31.0.cil) " +
+        "$(location :31.0.ignore.cil) " +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+            true: "$(location :system_ext_31.0.cil) " +
+                "$(location :system_ext_31.0.ignore.cil) ",
+            default: "",
+        }) +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+            true: "$(location :product_31.0.cil) " +
+                "$(location :product_31.0.ignore.cil) ",
+            default: "",
+        }) +
+        "> $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_31.0",
+    srcs: [
+        ":31.0_plat_policy.cil",
+        ":31.0_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":31.0_plat_pub_policy.cil"],
+        (default, default): [":31.0_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_31.0"],
+    cmd: select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :31.0_plat_pub_policy.cil) " +
+            "-m $(location :31.0_mapping.combined.cil) " +
+            "-o $(location :31.0_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :31.0_product_pub_policy.cil) " +
+            "-m $(location :31.0_mapping.combined.cil) " +
+            "-o $(location :31.0_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
+
+java_genrule {
+    name: "32.0_mapping.combined.cil",
+    srcs: [
+        ":plat_32.0.cil",
+        ":32.0.ignore.cil",
+    ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+        true: [
+            ":system_ext_32.0.cil",
+            ":system_ext_32.0.ignore.cil",
+        ],
+        default: [],
+    }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+        true: [
+            ":product_32.0.cil",
+            ":product_32.0.ignore.cil",
+        ],
+        default: [],
+    }),
+    out: ["32.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_32.0.cil) " +
+        "$(location :32.0.ignore.cil) " +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+            true: "$(location :system_ext_32.0.cil) " +
+                "$(location :system_ext_32.0.ignore.cil) ",
+            default: "",
+        }) +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+            true: "$(location :product_32.0.cil) " +
+                "$(location :product_32.0.ignore.cil) ",
+            default: "",
+        }) +
+        "> $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_32.0",
+    srcs: [
+        ":32.0_plat_policy.cil",
+        ":32.0_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":32.0_plat_pub_policy.cil"],
+        (default, default): [":32.0_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_32.0"],
+    cmd: select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :32.0_plat_pub_policy.cil) " +
+            "-m $(location :32.0_mapping.combined.cil) " +
+            "-o $(location :32.0_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :32.0_product_pub_policy.cil) " +
+            "-m $(location :32.0_mapping.combined.cil) " +
+            "-o $(location :32.0_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
+
+java_genrule {
+    name: "33.0_mapping.combined.cil",
+    srcs: [
+        ":plat_33.0.cil",
+        ":33.0.ignore.cil",
+    ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+        true: [
+            ":system_ext_33.0.cil",
+            ":system_ext_33.0.ignore.cil",
+        ],
+        default: [],
+    }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+        true: [
+            ":product_33.0.cil",
+            ":product_33.0.ignore.cil",
+        ],
+        default: [],
+    }),
+    out: ["33.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_33.0.cil) " +
+        "$(location :33.0.ignore.cil) " +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+            true: "$(location :system_ext_33.0.cil) " +
+                "$(location :system_ext_33.0.ignore.cil) ",
+            default: "",
+        }) +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+            true: "$(location :product_33.0.cil) " +
+                "$(location :product_33.0.ignore.cil) ",
+            default: "",
+        }) +
+        "> $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_33.0",
+    srcs: [
+        ":33.0_plat_policy.cil",
+        ":33.0_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":33.0_plat_pub_policy.cil"],
+        (default, default): [":33.0_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_33.0"],
+    cmd: select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :33.0_plat_pub_policy.cil) " +
+            "-m $(location :33.0_mapping.combined.cil) " +
+            "-o $(location :33.0_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :33.0_product_pub_policy.cil) " +
+            "-m $(location :33.0_mapping.combined.cil) " +
+            "-o $(location :33.0_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
+
+java_genrule {
+    name: "34.0_mapping.combined.cil",
+    srcs: [
+        ":plat_34.0.cil",
+        ":34.0.ignore.cil",
+    ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+        true: [
+            ":system_ext_34.0.cil",
+            ":system_ext_34.0.ignore.cil",
+        ],
+        default: [],
+    }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+        true: [
+            ":product_34.0.cil",
+            ":product_34.0.ignore.cil",
+        ],
+        default: [],
+    }),
+    out: ["34.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_34.0.cil) " +
+        "$(location :34.0.ignore.cil) " +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+            true: "$(location :system_ext_34.0.cil) " +
+                "$(location :system_ext_34.0.ignore.cil) ",
+            default: "",
+        }) +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+            true: "$(location :product_34.0.cil) " +
+                "$(location :product_34.0.ignore.cil) ",
+            default: "",
+        }) +
+        "> $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_34.0",
+    srcs: [
+        ":34.0_plat_policy.cil",
+        ":34.0_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":34.0_plat_pub_policy.cil"],
+        (default, default): [":34.0_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_34.0"],
+    cmd: select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :34.0_plat_pub_policy.cil) " +
+            "-m $(location :34.0_mapping.combined.cil) " +
+            "-o $(location :34.0_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :34.0_product_pub_policy.cil) " +
+            "-m $(location :34.0_mapping.combined.cil) " +
+            "-o $(location :34.0_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
+
+java_genrule {
+    name: "202404_mapping.combined.cil",
+    srcs: select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+        "202404": [
+        ],
+        default: [
+            ":plat_202404.cil",
+            ":202404.ignore.cil",
+        ],
+    }) + select((
+        soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+    ), {
+        ("202404", true): [],
+        ("202404", default): [],
+        (default, true): [
+            ":system_ext_202404.cil",
+            ":system_ext_202404.ignore.cil",
+        ],
+        (default, default): [],
+    }) + select((
+        soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        ("202404", true): [],
+        ("202404", default): [],
+        (default, true): [
+            ":product_202404.cil",
+            ":product_202404.ignore.cil",
+        ],
+        (default, default): [],
+    }),
+    out: ["202404_mapping.combined.cil"],
+    cmd: select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+        "202404": "touch $(out)",
+        default: "cat $(in) > $(out)",
+    }),
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_202404",
+    srcs: [
+        ":202404_plat_policy.cil",
+        ":202404_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":202404_plat_pub_policy.cil"],
+        (default, default): [":202404_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_202404"],
+    cmd: select((
+        soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        ("202404", false, false): "touch $(out)",
+        ("202404", default, default): "touch $(out)",
+        (default, false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :202404_plat_pub_policy.cil) " +
+            "-m $(location :202404_mapping.combined.cil) " +
+            "-o $(location :202404_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :202404_product_pub_policy.cil) " +
+            "-m $(location :202404_mapping.combined.cil) " +
+            "-o $(location :202404_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
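Review bot: The `(false, false)` / `(default, default)` selects at L2438–L2444 and the matching `cmd` selects (repeated in every `treble_sepolicy_tests_*` module from 30.0 through 202404) decide which public policy is the comparison base, but nothing in the file says why; a reader has to recover the rule from the removed makefile's `IS_TREBLE_TEST_ENABLED_PARTNER` branch. A comment above the first such select would carry that over, e.g. `// Without a system_ext or product prebuilt dir only platform public policy is checked; with either present, product public policy is the base.`. Separately, `202404_mapping.combined.cil` concatenates with `cat $(in)` (L2759) while every other `*_mapping.combined.cil` spells out `$(location ...)` operands; either works, but the file should pick one form, and `$(in)` ties the output to srcs order. These genrules only run when something depends on their `out`; the dependent module is not visible in this hunk, so confirm one exists, otherwise the migration from the make rule silently drops the check.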
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 6f99d90..1e89895 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -82,6 +82,9 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service         u:object_r:hal_lowpan_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.macsec-service              u:object_r:hal_macsec_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service   u:object_r:mediacodec_exec:s0
+starting_at_board_api(202504, `
+    /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.mediaquality-service\.example  u:object_r:hal_mediaquality_default_exec:s0
+')
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example    u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
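Review bot: The new entry at L2805 is placed between `media\.c2` and `memtrack`, but the surrounding block is ordered alphabetically by binary name, so `tv\.mediaquality` belongs further down with the other `tv` services if the file keeps that order; this is placement only. The escaped `\.example` is the correct form — the neighbouring memtrack line (L2808) leaves its dot unescaped, so do not "fix" the new line to match. The `hal_mediaquality_default_exec` type it labels is declared in the new `vendor/hal_mediaquality_default.te` under the same `starting_at_board_api(202504, ...)` gate, which keeps the two consistent; the `hal_mediaquality` attribute that `hal_server_domain` relies on is not visible in this change, so confirm it is declared in public policy for the same API level.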
diff --git a/vendor/hal_mediaquality_default.te b/vendor/hal_mediaquality_default.te
new file mode 100644
index 0000000..8f604c4
--- /dev/null
+++ b/vendor/hal_mediaquality_default.te
@@ -0,0 +1,7 @@
+starting_at_board_api(202504, `
+    type hal_mediaquality_default, domain;
+    hal_server_domain(hal_mediaquality_default, hal_mediaquality)
+
+    type hal_mediaquality_default_exec, exec_type, vendor_file_type, file_type;
+    init_daemon_domain(hal_mediaquality_default)
+')
\ No newline at end of file
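Review bot: The file ends without a trailing newline (`\ No newline at end of file` at L2823); add one so the closing `')` of the m4 macro is terminated before this source is concatenated with the other `.te` files. A one-line header would also help readers who land here from file_contexts: `# Default vendor domain for the TV media quality HAL example service; gated to board API 202504+, matching its file_contexts entry.`. The domain carries no allow rules of its own beyond what `hal_server_domain` and `init_daemon_domain` grant, which is the right minimal starting point; anything further should presumably arrive with the service that needs it.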