Merge changes Ib43d8e17,Ibb124fbb into main

* changes: Reland "Check added types/attributes on freeze test too" Guard new types with starting_at_board_api macro
2024-04-23 14:44:05 +00:00 · 2024-04-23 14:44:05 +00:00 · 221da46b16
commit 221da46b16
parent 150b800c90 68b071e4b9
3 changed files with 45 additions and 8 deletions
--- a/public/file.te
+++ b/public/file.te
@ -8,7 +8,11 @@ type binderfs, fs_type;
 type binderfs_logs, fs_type;
 type binderfs_logs_proc, fs_type;
 type binderfs_logs_stats, fs_type;
-type binderfs_logs_transactions, fs_type;
+
+starting_at_board_api(202504, `
+    type binderfs_logs_transactions, fs_type;
+')
+
 type binderfs_features, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type, proc_type;
@ -18,6 +22,7 @@ type proc_min_free_order_shift, fs_type, proc_type;
 type proc_kpageflags, fs_type, proc_type;
 type proc_watermark_boost_factor, fs_type, proc_type;
 type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
+# TODO(b/330670954): guard this once all internal references are removed.
 type proc_compaction_proactiveness, fs_type, proc_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, proc_type;
@ -139,8 +144,13 @@ type fs_bpf, fs_type, bpffs_type;
 # TODO: S+ fs_bpf_tethering (used by mainline) should be private
 type fs_bpf_tethering, fs_type, bpffs_type;
 type fs_bpf_vendor, fs_type, bpffs_type;
-type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
-type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
+
+starting_at_board_api(202504, `
+    type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
+    type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
+')
+
+
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;
--- a/public/property.te
+++ b/public/property.te
@ -76,7 +76,6 @@ system_restricted_prop(device_config_surface_flinger_native_boot_prop)
 system_restricted_prop(device_config_vendor_system_native_prop)
 system_restricted_prop(device_config_vendor_system_native_boot_prop)
 system_restricted_prop(drm_forcel3_prop)
-system_restricted_prop(enable_16k_pages_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
@ -104,7 +103,11 @@ system_restricted_prop(usb_prop)
 system_restricted_prop(userspace_reboot_exported_prop)
 system_restricted_prop(vold_status_prop)
 system_restricted_prop(vts_status_prop)
-system_restricted_prop(profcollectd_etr_prop)
+
+starting_at_board_api(202504, `
+    system_restricted_prop(enable_16k_pages_prop)
+    system_restricted_prop(profcollectd_etr_prop)
+')

 compatible_property_only(`
    # DO NOT ADD ANY PROPERTIES HERE
--- a/tests/sepolicy_freeze_test.py
+++ b/tests/sepolicy_freeze_test.py
@ -37,20 +37,44 @@ def do_main():

    current_policy = mini_parser.MiniCilParser(options.current)
    prebuilt_policy = mini_parser.MiniCilParser(options.prebuilt)
+    current_policy.typeattributes = set(filter(lambda x: "base_typeattr_" not in x,
+                                               current_policy.typeattributes))
+    prebuilt_policy.typeattributes = set(filter(lambda x: "base_typeattr_" not in x,
+                                                prebuilt_policy.typeattributes))

    results = ""
    removed_types = prebuilt_policy.types - current_policy.types
+    added_types = current_policy.types - prebuilt_policy.types
    removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
-    removed_attributes = set(filter(lambda x: "base_typeattr_" not in x, removed_attributes))
+    added_attributes = current_policy.typeattributes - prebuilt_policy.typeattributes
+
+    # TODO(b/330670954): remove this once all internal references are removed.
+    if "proc_compaction_proactiveness" in added_types:
+        added_types.remove("proc_compaction_proactiveness")

    if removed_types:
        results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"

+    if added_types:
+        results += "The following public types were added:\n" + ", ".join(added_types) + "\n"
+
    if removed_attributes:
        results += "The following public attributes were removed:\n" + ", ".join(removed_attributes) + "\n"

-    if len(results) > 0:
-        sys.exit(results)
+    if added_attributes:
+        results += "The following public attributes were added:\n" + ", ".join(added_attributes) + "\n"
+
+    if results:
+        sys.exit(f'''{results}
+******************************
+You have tried to change system/sepolicy/public after vendor API freeze.
+To make these errors go away, you can guard types and attributes listed above,
+so they won't be included to the release build.
+
+See an example of how to guard them:
+    https://android-review.googlesource.com/3050544
+******************************
+''')

 if __name__ == '__main__':
    do_main()