Add mapping files for 28.0.[ignore.]cil

Steps taken to produce the mapping files:

1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng

2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add approprite entries to 28.0.[ignore.]cil.

This change also enables treble_sepolicy_tests_28.0 and install 28.0.cil
mapping onto the device.

Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c

Android.bp

@@ -26,6 +26,13 @@ se_filegroup {
     ],
 }
 
+se_filegroup {
+    name: "28.0.board.compat.map",
+    srcs: [
+        "compat/28.0/28.0.cil",
+    ],
+}
+
 se_cil_compat_map {
     name: "26.0.cil",
     srcs: [
@@ -39,3 +46,10 @@ se_cil_compat_map {
         ":27.0.board.compat.map",
     ],
 }
+
+se_cil_compat_map {
+    name: "28.0.cil",
+    srcs: [
+        ":28.0.board.compat.map",
+    ],
+}

Android.mk

@@ -232,8 +232,7 @@ ifneq ($(with_asan),true)
 ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 LOCAL_REQUIRED_MODULES += \
     sepolicy_tests \
-    treble_sepolicy_tests_26.0 \
-    treble_sepolicy_tests_27.0 \
+    $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
 
 endif
 endif
@@ -1616,6 +1615,9 @@ include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
 version_under_treble_tests := 27.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
 
+version_under_treble_tests := 28.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+
 BASE_PLAT_PUBLIC_POLICY :=
 BASE_PLAT_PRIVATE_POLICY :=
 base_plat_policy.conf :=

private/compat/28.0/28.0.ignore.cil

@@ -0,0 +1,15 @@
+;; new_objects - a collection of types that have been introduced that have no
+;;   analogue in older policy.  Thus, we do not need to map these types to
+;;   previous ones.  Add here to pass checkapi tests.
+(typeattribute new_objects)
+(typeattributeset new_objects
+  ( activity_task_service
+    adb_service
+    llkd
+    llkd_exec
+    llkd_tmpfs
+    mnt_product_file
+    time_prop
+    timedetector_service
+    timezonedetector_service
+    vrflinger_vsync_service))

treble_sepolicy_tests_for_release.mk

@@ -53,7 +53,16 @@ $(version)_plat_policy.conf :=
 $(version)_compat := $(intermediates)/$(version)_compat
 $(version)_mapping.cil := $(LOCAL_PATH)/private/compat/$(version)/$(version).cil
 $(version)_mapping.ignore.cil := $(LOCAL_PATH)/private/compat/$(version)/$(version).ignore.cil
-$(version)_nonplat := $(LOCAL_PATH)/prebuilts/api/$(version)/nonplat_sepolicy.cil
+$(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
+
+# vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
+# nonplat_sepolicy.cil.
+$(version)_nonplat := $($(version)_prebuilts_dir)/vendor_sepolicy.cil \
+$($(version)_prebuilts_dir)/plat_pub_versioned.cil
+ifeq (,$(wildcard $($(version)_nonplat)))
+$(version)_nonplat := $($(version)_prebuilts_dir)/nonplat_sepolicy.cil
+endif
+
 $($(version)_compat): PRIVATE_CIL_FILES := \
 $(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
 $($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc \
@@ -99,6 +108,7 @@ $(version)_mapping.cil :=
 $(version)_mapping.combined.cil :=
 $(version)_mapping.ignore.cil :=
 $(version)_nonplat :=
+$(version)_prebuilts_dir :=
 built_$(version)_plat_sepolicy :=
 version :=
 version_under_treble_tests :=