Add mapping files for 28.0.[ignore.]cil
Steps taken to produce the mapping files: 1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil] from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil] files built on pi-dev with lunch target aosp_arm64-eng 2. Add new file private/compat/28.0/28.0.cil by doing the following: - copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng device to private/compat/28.0/28.0.cil - remove all attribute declaration statements (typeattribute ...) and sort lines alphabetically - some selinux types were added/renamed/deleted w.r.t 28 sepolicy. Find all such types using treble_sepolicy_tests_28.0 test. - for all these types figure out where to map them by looking at 27.0.[ignore.]cil files and add appropriate entries to 28.0.[ignore.]cil. This change also enables treble_sepolicy_tests_28.0 and installs the 28.0.cil mapping onto the device. Bug: 72458734 Test: m selinux_policy Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c
parent
d07ab2fe93
commit
1fa9634896
7 changed files with 11926 additions and 3 deletions
14
Android.bp
14
Android.bp
|
@ -26,6 +26,13 @@ se_filegroup {
|
|||
],
|
||||
}
|
||||
|
||||
se_filegroup {
|
||||
name: "28.0.board.compat.map",
|
||||
srcs: [
|
||||
"compat/28.0/28.0.cil",
|
||||
],
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "26.0.cil",
|
||||
srcs: [
|
||||
|
@ -39,3 +46,10 @@ se_cil_compat_map {
|
|||
":27.0.board.compat.map",
|
||||
],
|
||||
}
|
||||
|
||||
se_cil_compat_map {
|
||||
name: "28.0.cil",
|
||||
srcs: [
|
||||
":28.0.board.compat.map",
|
||||
],
|
||||
}
|
||||
|
|
|
@ -232,8 +232,7 @@ ifneq ($(with_asan),true)
|
|||
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
|
||||
LOCAL_REQUIRED_MODULES += \
|
||||
sepolicy_tests \
|
||||
treble_sepolicy_tests_26.0 \
|
||||
treble_sepolicy_tests_27.0 \
|
||||
$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
|
||||
|
||||
endif
|
||||
endif
|
||||
|
@ -1616,6 +1615,9 @@ include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
|
|||
version_under_treble_tests := 27.0
|
||||
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
|
||||
|
||||
version_under_treble_tests := 28.0
|
||||
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
|
||||
|
||||
BASE_PLAT_PUBLIC_POLICY :=
|
||||
BASE_PLAT_PRIVATE_POLICY :=
|
||||
base_plat_policy.conf :=
|
||||
|
|
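Review bot: The required-test list in the first hunk is now derived from `PLATFORM_SEPOLICY_COMPAT_VERSIONS`, but the second hunk still defines each `treble_sepolicy_tests_<ver>` module with a hand-written `version_under_treble_tests := …` / `include` pair, so the two lists can drift apart. A version present in the variable without a matching stanza names a module that is never defined, and a version dropped from the variable (which is defined outside this page) would apparently leave its compatibility test defined but no longer required, weakening the Treble policy check without a visible failure. I would either generate the include stanzas from the same variable or add a comment above them such as `# Keep in sync with PLATFORM_SEPOLICY_COMPAT_VERSIONS; every listed version needs a stanza here.`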
8871
prebuilts/api/28.0/plat_pub_versioned.cil
Normal file
8871
prebuilts/api/28.0/plat_pub_versioned.cil
Normal file
File diff suppressed because one or more lines are too long
1300
prebuilts/api/28.0/vendor_sepolicy.cil
Normal file
1300
prebuilts/api/28.0/vendor_sepolicy.cil
Normal file
File diff suppressed because one or more lines are too long
1711
private/compat/28.0/28.0.cil
Normal file
1711
private/compat/28.0/28.0.cil
Normal file
File diff suppressed because it is too large
15
private/compat/28.0/28.0.ignore.cil
Normal file
15
private/compat/28.0/28.0.ignore.cil
Normal file
|
@ -0,0 +1,15 @@
|
|||
;; new_objects - a collection of types that have been introduced that have no
|
||||
;; analogue in older policy. Thus, we do not need to map these types to
|
||||
;; previous ones. Add here to pass checkapi tests.
|
||||
(typeattribute new_objects)
|
||||
(typeattributeset new_objects
|
||||
( activity_task_service
|
||||
adb_service
|
||||
llkd
|
||||
llkd_exec
|
||||
llkd_tmpfs
|
||||
mnt_product_file
|
||||
time_prop
|
||||
timedetector_service
|
||||
timezonedetector_service
|
||||
vrflinger_vsync_service))
|
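Review bot: Every type listed in `new_objects` is exempted from the mapping check, and the header comment does not say how the ten entries were confirmed to have no 28.0 analogue. The commit description says some types were renamed or deleted as well as added; a renamed or split type belongs in `28.0.cil` with a mapping, because listing it here lets the test pass while vendor policy written against 28.0 may lose the access it had through the old name. I would extend the header with a line like `;; Only types with no 28.0 predecessor go here; renamed or split types must be mapped in 28.0.cil.`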
|
@ -53,7 +53,16 @@ $(version)_plat_policy.conf :=
|
|||
$(version)_compat := $(intermediates)/$(version)_compat
|
||||
$(version)_mapping.cil := $(LOCAL_PATH)/private/compat/$(version)/$(version).cil
|
||||
$(version)_mapping.ignore.cil := $(LOCAL_PATH)/private/compat/$(version)/$(version).ignore.cil
|
||||
$(version)_nonplat := $(LOCAL_PATH)/prebuilts/api/$(version)/nonplat_sepolicy.cil
|
||||
$(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
|
||||
|
||||
# vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
|
||||
# nonplat_sepolicy.cil.
|
||||
$(version)_nonplat := $($(version)_prebuilts_dir)/vendor_sepolicy.cil \
|
||||
$($(version)_prebuilts_dir)/plat_pub_versioned.cil
|
||||
ifeq (,$(wildcard $($(version)_nonplat)))
|
||||
$(version)_nonplat := $($(version)_prebuilts_dir)/nonplat_sepolicy.cil
|
||||
endif
|
||||
|
||||
$($(version)_compat): PRIVATE_CIL_FILES := \
|
||||
$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
|
||||
$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc \
|
||||
|
@ -99,6 +108,7 @@ $(version)_mapping.cil :=
|
|||
$(version)_mapping.combined.cil :=
|
||||
$(version)_mapping.ignore.cil :=
|
||||
$(version)_nonplat :=
|
||||
$(version)_prebuilts_dir :=
|
||||
built_$(version)_plat_sepolicy :=
|
||||
version :=
|
||||
version_under_treble_tests :=
|
||||
|
|
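Review bot: In the first hunk, `ifeq (,$(wildcard $($(version)_nonplat)))` is true only when neither prebuilt exists, because `$(version)_nonplat` holds two paths and `wildcard` returns whichever of them are present. With just one of `vendor_sepolicy.cil` / `plat_pub_versioned.cil` in the prebuilts directory, the fallback to `nonplat_sepolicy.cil` is skipped and both paths, one of them missing, go into `PRIVATE_CIL_FILES`. Testing for any missing path closes that gap: `ifneq (,$(filter-out $(wildcard $($(version)_nonplat)),$($(version)_nonplat)))`. The `$($(version)_compat)` rule that consumes the list continues outside the hunk, so how a missing file would surface there is not visible here.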