Commit graph

237 commits

Author SHA1 Message Date
Hridya Valsaraju
b39ec7084a Add a build flag to turn on debugfs restrictions
Starting with Android R launched devices, debugfs cannot be mounted in
production builds. In order to avoid accidental debugfs dependencies
from creeping in during development with userdebug/eng builds, this
patch introduces a build flag that can be set by vendors to enforce
additional debugfs restrictions for userdebug/eng builds. The same flag
will be used to enable sepolicy neverallow statements to prevent new
permissions added for debugfs access.

Bug: 184381659
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Change-Id: I9aff974da7ddce9bf1a7ec54153b161527b12062
2021-04-07 16:47:59 -07:00
Yi-Yo Chiang
875442fde4 Remove obsolete var PRODUCT_CHECK_ELF_FILES
After aosp/1184262 is submitted, PRODUCT_CHECK_ELF_FILES is deprecated
and nobody is using this variable anymore.

Bug: 149715904
Test: Presubmit; Should be noop
Change-Id: Iaf4a6ae1fe4062684a9699b7ef999030ff483e16
2021-03-29 18:35:51 +08:00
Treehugger Robot
9ae28a750a Merge "Add filter to some boolean variables" 2021-03-24 23:20:53 +00:00
Inseob Kim
ce0671f057 Merge "Add WithDexpreopt soong variable" 2021-03-24 06:20:03 +00:00
Inseob Kim
3dfb8b8d7a Add filter to some boolean variables
add_json_bool converts a non-empty string to true, and an empty string to
false. But some of the boolean variables are meant to be set to either "true"
or "false". In that case "false" may lead to a mismatch. This adds a
filter to boolean variables which are directly compared to "true", like

    ifeq ($(VAR),true)

Bug: 183483152
Test: build
Change-Id: I0dc4a05293a3233ae4958335781a19e6445a3799
2021-03-24 14:20:33 +09:00
Inseob Kim
84a8be3c52 Add WithDexpreopt soong variable
Test: m selinux_policy on sc-arc
Change-Id: Ieae24f65d74179d0604040a95f8aff4b027a2949
2021-03-23 23:21:24 +00:00
Inseob Kim
35f63019c9 Fix SepolicySplit soong variable
It should be "filtered" by "true" because all non-empty values become
true when using add_json_bool.

Test: m selinux_policy on sc-arc
Change-Id: I35d5881d83746230793cf8ced76885607e82334a
2021-03-23 20:47:39 +09:00
Inseob Kim
232f6ac676 Add PlatformSepolicyVersion to soong_config
PlatformSepolicyVersion and BoardSepolicyVers haven't been assigned correctly
so far. Below is the reason why it hasn't been discovered yet.

DeviceConfig.PlatformSepolicyVersion() was added to support mixed
sepolicy build (setting BOARD_SEPOLICY_VERS and building vendor sepolicy
with old plat policy files). Soong compares PlatformSepolicyVersion()
and BoardSepolicyVers(), and used old vendor sources if both are
different. Back then, the only place where such logic played a role was
selinux contexts. Test codes were running as intended: after setting
BOARD_SEPOLICY_VERS the context files were built against old policies.

But there were two mistakes:

1) PlatformSepolicyVersion() was not added to soong_config.mk, so it was
always empty.
2) BOARD_SEPOLICY_VERS was set to default in system/sepolicy/Android.mk,
which was processed after soong_config. So if BOARD_SEPOLICY_VERS was
not set in BoardConfig.mk, BoardSepolicyVers() was empty, not
PLATFORM_SEPOLICY_VERSION.

And there were no issues as Soong only checked equality.

To fix the issue correctly, this commit adds the variable
PlatformSepolicyVersion, and then handles BoardSepolicyVers correctly by
returning PlatformSepolicyVersion if it's empty.

Test: set BOARD_SEPOLICY_VERS and see vendor_file_contexts changes
Change-Id: I4e306ec1f5225094a39f0c8d94f5e7683d70d60e
2021-03-22 22:34:40 +09:00
Inseob Kim
a3ae471485 Add sepolicy related variables
Bug: 33691272
Test: build
Change-Id: Ifbcd2c49d6ecf6d7e69d6b95bace168eccd17f13
2021-03-17 18:04:56 +09:00
Justin DeMartino
f15053ee39 Allow extending of the list of directories to be scanned for VSDK
Bug: 180925851
Test: m nothing, manually
Change-Id: I499f084f04e45eb719882be97e3a581ff868cc98
2021-03-12 19:38:14 +00:00
Jeongik Cha
c5da20e886 Deprecate PRODUCT_ENFORCE_RRO_EXEMPTED_TARGETS
There is no module relying on PRODUCT_ENFORCE_RRO_EXEMPTED_TARGETS

Test: m
Bug: 150820813
Change-Id: I461ab2654513a3b921bec5d46c39d474b6324ca2
2021-02-19 21:49:59 +09:00
Treehugger Robot
32b84909a1 Merge changes from topic "vendor_property_enforce"
* changes:
  Set BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE for goldfish
  Add BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE to BoardConfig
  Add PRODUCT_SHIPPING_API_LEVEL to productVariables
2021-02-17 07:12:30 +00:00
Jose Galmes
7185c6c500 Implement directed recovery snapshot.
Bug: 177451657
Test: m -j nothing
Change-Id: I902afe71e7577c1c41371f1422512170edf6e492
2021-02-09 07:41:40 -08:00
Ioannis Ilkos
8e568c52ab Remove Use_lmkd_stats_log from build
Use_lmkd_stats_log used to control LMKD_LOG_STATS when compiling lmkd.

However, for newer Android releases, we mandate that lmkd informs statsd of process kills (change id I8cb123b9488fbc6e88863c2f0e75f1422bcd282e).
After aosp/1555318 we compile lmkd with statsd by default, so this setting is a noop.

Change-Id: I91bd08198fe2275fb8aca77ae5ea637df360d416
Test: build
Bug: 177985094
2021-02-08 11:17:55 +00:00
Inseob Kim
43f4ef0221 Add BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE to BoardConfig
Bug: 175526482
Test: m vendor_property_contexts after making violations
Change-Id: I81512fefbe952ecaf31fd4b5d276fd32c6253c7f
2021-02-03 18:17:49 +09:00
Inseob Kim
a0884b90ae Add PRODUCT_SHIPPING_API_LEVEL to productVariables
Bug: 175526482
Test: m selinux_policy
Change-Id: I10195730e47398bdb455d554a1cb7d6b7ac28634
2021-02-03 16:23:42 +09:00
Bill Peckham
ddf8f61ce5 Merge "Enable prebuilt hiddenapi CSV files." 2021-01-20 17:43:48 +00:00
Inseob Kim
890f84fe71 Merge "Implement directed vendor snapshot" 2021-01-20 01:17:23 +00:00
Bill Peckham
e3cf60911a Enable prebuilt hiddenapi CSV files.
By enabling these hiddenapi CSV files to be prebuilt, it
becomes possible to create a split build that supports
the hiddenapi encode dex step, but doesn't contain all
of the java sources needed to generate the CSV files.

Bug: 175048716
Test: m nothing
Test: new TestHiddenAPISingletonWithPrebuiltCsvFile
Test: local build without prebuilt hiddenapi
Test: local build with prebuilt hiddenapi
Change-Id: Ia38c5016d2aeba54aa537a5ce601898d46330730
2021-01-16 22:07:40 +00:00
Evgenii Stepanov
10b4d0ad5d Include/exclude paths for memtag sanitizer.
Bug: b/135772972
Test: none
Change-Id: Ib198c359b92b82573cb66fd6d993aece0e9ff7d9
2021-01-11 21:15:21 -08:00
Peter Collingbourne
fcd9ccf4a1 Remove ANDROID_EXPERIMENTAL_MTE.
Now that the feature guarded by this flag has landed in Linux 5.10
we no longer need the flag, so we can remove it.

Bug: 135772972
Change-Id: I02fa50848cbd0486c23c8a229bb8f1ab5dd5a56f
2021-01-11 10:55:51 -08:00
Jose "Pepe" Galmes
bee0c588a8 Merge "Support for recovery snapshot." 2021-01-06 21:17:54 +00:00
Inseob Kim
d8cc1352b5 Implement directed vendor snapshot
Vendors can now generate only needed modules by setting the following
Makefile variables:

- DIRECTED_VENDOR_SNAPSHOT: set to true
- VENDOR_SNAPSHOT_MODULES: list of snapshot candidates

e.g.

DIRECTED_VENDOR_SNAPSHOT := true
VENDOR_SNAPSHOT_MODULES := toybox_vendor sh_vendor libbase libcutils ...

Bug: 157967325
Test: m dist vendor-snapshot after setting those in BoardConfig.mk
Change-Id: Iea1ddbe78e143316fb6cb5027de90b9c83252f80
2021-01-06 23:10:41 +09:00
Inseob Kim
5cbfbf4ca7 Merge "Support building mixed versions of sepolicy" 2021-01-06 05:07:05 +00:00
Inseob Kim
fb7c801b67 Support building mixed versions of sepolicy
Now newer system policy and older vendor policy can be built together by
setting the following variables:

- BOARD_SEPOLICY_VERS
- BOARD_REQD_MASK_POLICY (copy of older system/sepolicy/reqd_mask)
- BOARD_PLAT_VENDOR_POLICY (copy of older system/sepolicy/vendor)
- BOARD_(SYSTEM_EXT|PRODUCT)_(PUBLIC|PRIVATE)_PREBUILT_DIRS (copy of
  older system_ext and product policies)

Bug: 168159977
Test: try normal build and mixed build
Test: boot and check selinux denials
Change-Id: I4e2890c96cab69e60c83c60f8c396cfe049ec05b
2021-01-06 10:41:45 +09:00
Jiyong Park
cddea9b426 Add TARGET_FORCE_APEX_SYMLINK_OPTIMIZATION
The APEX symlink optimization is a build-time trick to save the
storage/RAM usage of APEX by replacing some files in APEX with symlinks
to the files in the system partition. The optimization however is
automatically turned off for 'updatable: true' APEXes because doing the
optimization for them will hide the sys-health implication until when
the APEXes are built unbundled (i.e. prebuilt) and thus the
optimization is impossible.

TARGET_FORCE_APEX_SYMLINK_OPTIMIZATION forcibly disables the safety net.
When it is set to true, the symlink optimization is done regardless of
the 'updatable' property. This is useful for some of the devices like Go
where most APEXes (even the 'updatable: true' ones) should be
effectively non-updatable.

Bug: 175630508
Test: TARGET_FORCE_APEX_SYMLINK_OPTIMIZATION=true m and check that
updatable APEXes have symlinks to system libs

Change-Id: I261fd4ab2dd8e62ff435306b11168121cbcf662a
2021-01-05 21:03:30 +09:00
Jose Galmes
5cd2547df9 Support for recovery snapshot.
Bug: 171231437
Test: source build/envsetup.sh
Test: ALLOW_MISSING_DEPENDENCIES=true m -j nothing
Change-Id: I6dbcf21ee26c53cd3ac573d118a99d68161aa2c7
2020-12-21 08:32:44 -08:00
Anton Hansson
e47d6e4a8c Merge "Add make support for Aml_abis and Ndk_abis options" 2020-12-16 11:38:49 +00:00
Anton Hansson
5e05b8ef31 Add make support for Aml_abis and Ndk_abis options
Add a new TARGET_ARCH_SUITE which, when set to 'mainline_sdk' or 'ndk',
sets `Aml_abis: true` in soong.variables.

This is required to enable removing the custom soong.variables that
are being maintained for the ndk and mainline sdk builds.

Bug: 174315599
Test: TARGET_ARCH_SUITE=mainline-sdk m nothing; inspect soong.variables
      (ditto for ndk)
Change-Id: Ib651a637457310270840d721cdccf50bede3ee58
2020-12-15 12:46:46 +00:00
Treehugger Robot
dec924e081 Merge "Revert^2 "Always turn on compatible property"" 2020-12-15 12:00:10 +00:00
Mohammad Islam
0a246e5e31 Merge "Add a product flag that will enable compressed APEX on device" 2020-12-09 14:34:42 +00:00
Mohammad Samiul Islam
c87781a020 Add a product flag that will enable compressed APEX on device
The product flag is only defined in this CL. No device has been
configured to use this flag yet.

The flag is overridable using environment variable. This way, developers
can enable APEX compression on various targets.

Bug: 137802149
Test: build/soong/soong_ui.bash --dumpvar-mode PRODUCT_COMPRESSED_APEX #false
Test: export OVERRIDE_PRODUCT_COMPRESSED_APEX \
  build/soong/soong_ui.bash --dumpvar-mode PRODUCT_COMPRESSED_APEX #true
Change-Id: I10e4909258cee9b4670bc3f10ff3a0ad5013c864
2020-12-03 14:58:47 +00:00
JaeMan Park
38e3f08248 Merge "Add java sdk library enforcement flag" 2020-12-02 04:39:08 +00:00
Jingwen Chen
341928ecc5 Remove SOONG, SOONG_BUILD_NINJA, SOONG_IN_MAKE and SOONG_BOOTSTRAP.
These variables appear to be unused since Nougat, when Soong was
invoked through Make. This is no longer the case, since soong_build is
now invoked through soong_ui.

https://cs.android.com/android/platform/superproject/+/android-7.1.2_r36:build/core/soong.mk

Test: TH presubmit
Change-Id: I1cfe63144d559fa0da0e54474ed1e36fb3fa0555
2020-11-23 02:06:57 -05:00
Inseob Kim
2e88158571 Revert^2 "Always turn on compatible property"
This reverts commit facfb54ee4.

Reason for revert: Fixed broken targets

Change-Id: Ia713b08cf15fd356494984964a1e61eaa9991266
2020-11-19 09:48:49 +00:00
Inseob Kim
facfb54ee4 Revert "Always turn on compatible property"
This reverts commit 9994e96c7d.

Reason for revert: broken targets on the internal branch

Change-Id: Ic440fb1ca6ae5774a1d51e8fe1f3724426511841
2020-11-18 11:04:17 +00:00
Inseob Kim
9994e96c7d Always turn on compatible property
It's mandatory for devices launching with Android P or later.
Some makefiles still depend on PRODUCT_COMPATIBLE_PROPERTY, so rather
than aggressively removing all codes, this forces
PRODUCT_COMPATIBLE_PROPERTY to be true.

Bug: 170082975
Test: m
Change-Id: I49dab8d573c21781e6295a8581a5ad2944e165d7
2020-11-17 10:00:40 +00:00
JaeMan Park
afdd39fd10 Add java sdk library enforcement flag
Add java sdk library enforcement for inter-partition library
dependency, for ensuring backward-compatible libraries for
inter-partition dependencies.

Test: m nothing
Bug: 168180538
Change-Id: I6bfac54c3499b03003a3bc6c2bb62b165b4ce5f9
2020-11-06 01:34:39 +00:00
Paul Duffin
bbd4fae4d7 Move boot jars package check to Soong
Passes the SKIP_BOOT_JARS_CHECK property through to Soong and removes
the boot jars check. Moves the check_boot_jars directory containing the
script and data file into build/soong/scripts.

Test: m check-boot-jars - for failing and passing cases
      verified manually that apart from path differences the same
      files (same check sum) were checked in both old make checks and
      the new Soong ones
Bug: 171479578
Change-Id: I61c128806065befce239bbdd5491567827e1b2f5
2020-10-29 11:07:55 +00:00
Yifan Hong
21f97e27be Export BOARD_MOVE_RECOVERY_RESOURCES_TO_VENDOR_BOOT to Soong
Test: pass
Bug: 156098440
Change-Id: I84f26f7f12c53c0cc120c8122e75f68571794ac7
2020-10-21 15:44:03 -07:00
Steven Moreland
1162536936 Merge "Reflect MALLOC_ZERO_CONTENTS default true." 2020-10-13 16:49:16 +00:00
Steven Moreland
38c8824187 Reflect MALLOC_ZERO_CONTENTS default true.
See corresponding build/soong change. This change sets the android
platform to zero all heap allocations by default. To give some
intuition for why this is not so underperformant, zeroing memory is one
way of priming caches.

The main goal of this is to prevent accidental reliance on allocations
being zero, which is UB in C++. In some situations, allocations are
almost always guaranteed to be 0, and so resulting flakes can be
extremely rare.

Bug: 131355925
Test: allocated memory successfully getting zeroed
Change-Id: I8c27fbc8c06420a15d022eb810595599d1e56aa0
2020-10-12 18:44:05 +00:00
Felix Elsner
d7df770c4a soong_config: Support SYSTEM_EXT* sepolicy vars
The new variable name reflects its actual usage.

Keep compatibility with BOARD_PLAT_* because it has been a
convention for years. Also add warning messages for BOARD_PLAT_*
variables via KATI_deprecated_var.

Test: `make selinux_policy` with
      `SYSTEM_EXT_{PUBLIC,PRIVATE_SEPOLICY_DIRS}` set,
      observe additions in `$(TARGET_COPY_OUT_SYSTEM_EXT)/etc/selinux`

Signed-off-by: Felix Elsner <google@ix5.org>
Change-Id: I58c64839cc513ae082cd3ee3c1e108843ea7439e
2020-10-07 15:56:52 +08:00
Felix Elsner
501ca68fd5 soong_config: Plat->SystemExt*SepolicyDirs
Align with changes in build/soong and system/sepolicy.

Test: build

Signed-off-by: Felix Elsner <google@ix5.org>
Change-Id: I73b773a4fb0bd626a989251d5c61381fcafaa1eb
2020-10-07 15:56:03 +08:00
Jeongik Cha
0d1d98157a Introduce BOARD_CURRENT_API_LEVEL_FOR_VENDOR_MODULES
If BOARD_CURRENT_API_LEVEL_FOR_VENDOR_MODULES has a numeric value,
it replaces "current" or "system_current" with the version which
the flag indicates.

Bug: 163009188
Test: BOARD_CURRENT_API_LEVEL_FOR_VENDOR_MODULES=29 m, and then check if every vendor
java module's sdk_version is 29 if its sdk_version was current.

Change-Id: I8c7cf21563b984b8e9ef398192031b1f66d96494
2020-08-24 23:16:19 +09:00
Dan Willemsen
a3f6632de9 Remove obsolete PDK build functionality
This hasn't worked for a couple years, and continues to bitrot. Just
remove it.

Test: treehugger
Change-Id: Iea6caf3c08252a560155e095135c5ddaad712991
Merged-In: Iea6caf3c08252a560155e095135c5ddaad712991
2020-08-11 01:12:01 +00:00
Jeongik Cha
66853bb381 Merge changes from topic "b/160390776"
* changes:
  Unset ENABLE_PREOPT when DISABLE_PREOPT is set
  Introduce TARGET_BUILD_UNBUNDLED_IMAGE
2020-08-10 00:51:56 +00:00
Yifan Hong
3c1041fb22 Add BOARD_KERNEL_MODULE_INTERFACE_VERSIONS.
This is a list of KMI versions used to filter gki_apex modules. Only
gki_apex modules with kmi_version field that are in the list are created.

Test: build GKI APEXes
Bug: 162888350
Change-Id: I0f582f6ea200d52482fd4065c8f4f8b32efc4dee
2020-08-05 15:45:23 -07:00
Jeongik Cha
d05b57a362 Introduce TARGET_BUILD_UNBUNDLED_IMAGE
- TARGET_BUILD_UNBUNDLED_IMAGE is similar to TARGET_BUILD_APPS, but
its targets are the unbundled partitions instead of apps.
- Rename TARGET_BUILD_APPS_USE_PREBUILT_SDK to TARGET_BUILD_USE_PREBUILT_SDKS
because it is used even without TARGET_BUILD_APPS.
- Instead of TARGET_BUILD_APPS, use TARGET_BUILD_USE_PREBUILT_SDKS
to build java modules with prebuilt sdks, and propagate to Soong.

Bug: 160390776
Test: TARGET_BUILD_UNBUNDLED_IMAGE=true m vendorimage
Change-Id: Ie096212ccbcca0018baae55e106af693b002c9e5
2020-08-03 15:47:09 +09:00
Yifan Hong
1ba1092e0a Merge "Add BOARD_KERNEL_BINARIES." 2020-07-31 19:13:38 +00:00