Merge changes Ia2c07331,I93f0d222 into main am: f476f5c8f1

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2742356 Change-Id: If3a6af8553b6d645653ae38e898c3770b7dab868 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-07 09:14:47 +00:00 · 2023-09-07 09:14:47 +00:00 · 31406c242e
commit 31406c242e
parent 07bc7d3243 f476f5c8f1
18 changed files with 245 additions and 329 deletions
--- a/Android.bp
+++ b/Android.bp
@ -752,33 +752,6 @@ se_policy_binary {
    },
 }

-se_policy_conf {
-    name: "base_system_ext_sepolicy.conf",
-    srcs: plat_public_policy +
-        plat_private_policy +
-        system_ext_public_policy +
-        system_ext_private_policy,
-    build_variant: "user",
-    installable: false,
-    system_ext_specific: true,
-}
-
-se_policy_cil {
-    name: "base_system_ext_sepolicy.cil",
-    src: ":base_system_ext_sepolicy.conf",
-    additional_cil_files: ["private/technical_debt.cil"],
-    system_ext_specific: true,
-    installable: false,
-    secilc_check: false, // done by se_policy_binary
-}
-
-se_policy_binary {
-    name: "base_system_ext_sepolicy",
-    srcs: [":base_system_ext_sepolicy.cil"],
-    system_ext_specific: true,
-    installable: false,
-}
-
 se_policy_conf {
    name: "base_product_sepolicy.conf",
    srcs: plat_public_policy +
@ -827,25 +800,6 @@ se_policy_cil {
    },
 }

-se_policy_conf {
-    name: "base_system_ext_pub_policy.conf",
-    srcs: plat_public_policy +
-        system_ext_public_policy +
-        reqd_mask_policy,
-    build_variant: "user",
-    installable: false,
-    system_ext_specific: true,
-}
-
-se_policy_cil {
-    name: "base_system_ext_pub_policy.cil",
-    src: ":base_system_ext_pub_policy.conf",
-    filter_out: [":reqd_policy_mask.cil"],
-    secilc_check: false,
-    installable: false,
-    system_ext_specific: true,
-}
-
 se_policy_conf {
    name: "base_product_pub_policy.conf",
    srcs: plat_public_policy +
--- a/Android.mk
+++ b/Android.mk
@ -1,13 +1,7 @@
 LOCAL_PATH:= $(call my-dir)

-include $(LOCAL_PATH)/definitions.mk
-include $(LOCAL_PATH)/policy_version.mk
-
 include $(CLEAR_VARS)

-MLS_SENS=1
-MLS_CATS=1024
-
 ifdef BOARD_SEPOLICY_UNION
 $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
 endif
@ -73,7 +67,6 @@ ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
 HAS_PRODUCT_SEPOLICY_DIR := true
 endif

-NEVERALLOW_ARG :=
 ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 ifeq ($(TARGET_BUILD_VARIANT),user)
 $(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
@ -81,7 +74,6 @@ endif
 $(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
          It does not work in user builds and using it will \
          not stop you from failing CTS.)
-NEVERALLOW_ARG := -N
 endif

 # BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
@ -170,36 +162,11 @@ ifdef HAS_PRODUCT_SEPOLICY_DIR
  endif
 endif # ifdef HAS_PRODUCT_SEPOLICY_DIR

-# CIL files which contain workarounds for current limitation of human-readable
-# module policy language. These files are appended to the CIL files produced
-# from module language files.
-sepolicy_build_cil_workaround_files := technical_debt.cil
-
-my_target_arch := $(TARGET_ARCH)
-ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
-  my_target_arch := mips
-endif
-
-intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
-
 with_asan := false
 ifneq (,$(filter address,$(SANITIZE_TARGET)))
  with_asan := true
 endif

-with_native_coverage := false
-ifeq ($(NATIVE_COVERAGE),true)
-  with_native_coverage := true
-endif
-ifeq ($(CLANG_COVERAGE),true)
-  with_native_coverage := true
-endif
-
-treble_sysprop_neverallow := true
-ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
-  treble_sysprop_neverallow := false
-endif
-
 ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
  #$(warning no product shipping level defined)
 else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
@ -208,16 +175,6 @@ else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
  endif
 endif

-enforce_sysprop_owner := true
-ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
-  enforce_sysprop_owner := false
-endif
-
-enforce_debugfs_restriction := false
-ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
-  enforce_debugfs_restriction := true
-endif
-
 ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
  #$(warning no product shipping level defined)
 else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@ -226,13 +183,6 @@ else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
  endif
 endif

-# Library extension for host-side tests
-ifeq ($(HOST_OS),darwin)
-SHAREDLIB_EXT=dylib
-else
-SHAREDLIB_EXT=so
-endif
-
 #################################

 include $(CLEAR_VARS)
@ -480,16 +430,6 @@ include $(BUILD_PHONY_PACKAGE)
 # Policy files are now built with Android.bp. Grab them from intermediate.
 # See Android.bp for details of policy files.
 #
-built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
-
-ifdef HAS_PRODUCT_SEPOLICY
-built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-endif # ifdef HAS_PRODUCT_SEPOLICY
-
 built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
 built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows

@ -542,6 +482,23 @@ ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
  local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
 endif

+###########################################################
+## Collect file_contexts files into a single tmp file with m4
+##
+## $(1): list of file_contexts files
+## $(2): filename into which file_contexts files are merged
+###########################################################
+
+define _merge-fc-files
+$(2): $(1) $(M4)
+	$(hide) mkdir -p $$(dir $$@)
+	$(hide) $(M4) --fatal-warnings -s $(1) > $$@
+endef
+
+define merge-fc-files
+$(eval $(call _merge-fc-files,$(1),$(2)))
+endef
+
 file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
 $(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))

@ -581,32 +538,14 @@ $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<

-built_fc := $(LOCAL_BUILT_MODULE)
 local_fc_files :=
-local_fcfiles_with_nl :=
 device_fc_files :=
-device_fcfiles_with_nl :=
 file_contexts.concat.tmp :=
 file_contexts.device.sorted.tmp :=
 file_contexts.device.tmp :=
 file_contexts.local.tmp :=
 file_contexts.modules.tmp :=

-##################################
-
-all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
-all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
-endif
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
-endif
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
-endif
-all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-
 ##################################
 # Tests for Treble compatibility of current platform policy and vendor policy of
 # given release version.
@ -630,8 +569,6 @@ built_product_sepolicy :=
 base_plat_pub_policy.cil :=
 base_system_ext_pub_polcy.cil :=
 base_product_pub_policy.cil :=
-all_fc_files :=
-all_fc_args :=

 #################################

@ -639,19 +576,7 @@ all_fc_args :=
 build_vendor_policy :=
 build_odm_policy :=
 build_policy :=
-built_plat_cil :=
-built_system_ext_cil :=
-built_product_cil :=
 built_sepolicy :=
 built_sepolicy_neverallows :=
-built_plat_svc :=
-built_vendor_svc :=
-treble_sysprop_neverallow :=
-enforce_sysprop_owner :=
-enforce_debugfs_restriction :=
-my_target_arch :=
 sepolicy_build_files :=
-sepolicy_build_cil_workaround_files :=
 with_asan :=
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@ -27,7 +27,6 @@ import (
 )

 const (
-	// TODO: sync with Android.mk
 	MlsSens    = 1
 	MlsCats    = 1024
 	PolicyVers = 30
--- a/definitions.mk
+++ b/definitions.mk
@ -1,39 +0,0 @@
-# Command to turn collection of policy files into a policy.conf file to be
-# processed by checkpolicy
-define transform-policy-to-conf
-@mkdir -p $(dir $@)
-$(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
-	-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-	-D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
-	-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-	-D target_arch=$(PRIVATE_TGT_ARCH) \
-	-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-	-D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
-	-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
-	-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
-	-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
-	-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
-	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
-	-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
-	-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
-	$(PRIVATE_TGT_RECOVERY) \
-	-s $(PRIVATE_POLICY_FILES) > $@
-endef
-.KATI_READONLY := transform-policy-to-conf
-
-###########################################################
-## Collect file_contexts files into a single tmp file with m4
-##
-## $(1): list of file_contexts files
-## $(2): filename into which file_contexts files are merged
-###########################################################
-
-define _merge-fc-files
-$(2): $(1) $(M4)
-	$(hide) mkdir -p $$(dir $$@)
-	$(hide) $(M4) --fatal-warnings -s $(1) > $$@
-endef
-
-define merge-fc-files
-$(eval $(call _merge-fc-files,$(1),$(2)))
-endef
--- a/policy_version.mk
+++ b/policy_version.mk
@ -1,4 +0,0 @@
-# SELinux policy version.
-# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
-# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
--- a/prebuilts/api/29.0/Android.bp
+++ b/prebuilts/api/29.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
+
+se_policy_conf {
+    name: "29.0_plat_policy.conf",
+    srcs: [
+        ":se_build_files{.plat_public_29.0}",
+        ":se_build_files{.plat_private_29.0}",
+        ":se_build_files{.system_ext_public_29.0}",
+        ":se_build_files{.system_ext_private_29.0}",
+        ":se_build_files{.product_public_29.0}",
+        ":se_build_files{.product_private_29.0}",
+    ],
+    installable: false,
+    build_variant: "user",
+}
+
+se_policy_cil {
+    name: "29.0_plat_policy.cil",
+    src: ":29.0_plat_policy.conf",
+    additional_cil_files: [":sepolicy_technical_debt{.plat_private_29.0}"],
+    installable: false,
+}
+
+se_policy_binary {
+    name: "29.0_plat_policy",
+    srcs: [":29.0_plat_policy.cil"],
+    installable: false,
+    dist: {
+        targets: ["base-sepolicy-files-for-mapping"],
+    },
+}
--- a/prebuilts/api/30.0/Android.bp
+++ b/prebuilts/api/30.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
+
+se_policy_conf {
+    name: "30.0_plat_policy.conf",
+    srcs: [
+        ":se_build_files{.plat_public_30.0}",
+        ":se_build_files{.plat_private_30.0}",
+        ":se_build_files{.system_ext_public_30.0}",
+        ":se_build_files{.system_ext_private_30.0}",
+        ":se_build_files{.product_public_30.0}",
+        ":se_build_files{.product_private_30.0}",
+    ],
+    installable: false,
+    build_variant: "user",
+}
+
+se_policy_cil {
+    name: "30.0_plat_policy.cil",
+    src: ":30.0_plat_policy.conf",
+    additional_cil_files: [":sepolicy_technical_debt{.plat_private_30.0}"],
+    installable: false,
+}
+
+se_policy_binary {
+    name: "30.0_plat_policy",
+    srcs: [":30.0_plat_policy.cil"],
+    installable: false,
+    dist: {
+        targets: ["base-sepolicy-files-for-mapping"],
+    },
+}
--- a/prebuilts/api/31.0/Android.bp
+++ b/prebuilts/api/31.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
+
+se_policy_conf {
+    name: "31.0_plat_policy.conf",
+    srcs: [
+        ":se_build_files{.plat_public_31.0}",
+        ":se_build_files{.plat_private_31.0}",
+        ":se_build_files{.system_ext_public_31.0}",
+        ":se_build_files{.system_ext_private_31.0}",
+        ":se_build_files{.product_public_31.0}",
+        ":se_build_files{.product_private_31.0}",
+    ],
+    installable: false,
+    build_variant: "user",
+}
+
+se_policy_cil {
+    name: "31.0_plat_policy.cil",
+    src: ":31.0_plat_policy.conf",
+    additional_cil_files: [":sepolicy_technical_debt{.plat_private_31.0}"],
+    installable: false,
+}
+
+se_policy_binary {
+    name: "31.0_plat_policy",
+    srcs: [":31.0_plat_policy.cil"],
+    installable: false,
+    dist: {
+        targets: ["base-sepolicy-files-for-mapping"],
+    },
+}
--- a/prebuilts/api/32.0/Android.bp
+++ b/prebuilts/api/32.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
+
+se_policy_conf {
+    name: "32.0_plat_policy.conf",
+    srcs: [
+        ":se_build_files{.plat_public_32.0}",
+        ":se_build_files{.plat_private_32.0}",
+        ":se_build_files{.system_ext_public_32.0}",
+        ":se_build_files{.system_ext_private_32.0}",
+        ":se_build_files{.product_public_32.0}",
+        ":se_build_files{.product_private_32.0}",
+    ],
+    installable: false,
+    build_variant: "user",
+}
+
+se_policy_cil {
+    name: "32.0_plat_policy.cil",
+    src: ":32.0_plat_policy.conf",
+    additional_cil_files: [":sepolicy_technical_debt{.plat_private_32.0}"],
+    installable: false,
+}
+
+se_policy_binary {
+    name: "32.0_plat_policy",
+    srcs: [":32.0_plat_policy.cil"],
+    installable: false,
+    dist: {
+        targets: ["base-sepolicy-files-for-mapping"],
+    },
+}
--- a/prebuilts/api/33.0/Android.bp
+++ b/prebuilts/api/33.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
+
+se_policy_conf {
+    name: "33.0_plat_policy.conf",
+    srcs: [
+        ":se_build_files{.plat_public_33.0}",
+        ":se_build_files{.plat_private_33.0}",
+        ":se_build_files{.system_ext_public_33.0}",
+        ":se_build_files{.system_ext_private_33.0}",
+        ":se_build_files{.product_public_33.0}",
+        ":se_build_files{.product_private_33.0}",
+    ],
+    installable: false,
+    build_variant: "user",
+}
+
+se_policy_cil {
+    name: "33.0_plat_policy.cil",
+    src: ":33.0_plat_policy.conf",
+    additional_cil_files: [":sepolicy_technical_debt{.plat_private_33.0}"],
+    installable: false,
+}
+
+se_policy_binary {
+    name: "33.0_plat_policy",
+    srcs: [":33.0_plat_policy.cil"],
+    installable: false,
+    dist: {
+        targets: ["base-sepolicy-files-for-mapping"],
+    },
+}
--- a/prebuilts/api/34.0/Android.bp
+++ b/prebuilts/api/34.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
+
+se_policy_conf {
+    name: "34.0_plat_policy.conf",
+    srcs: [
+        ":se_build_files{.plat_public_34.0}",
+        ":se_build_files{.plat_private_34.0}",
+        ":se_build_files{.system_ext_public_34.0}",
+        ":se_build_files{.system_ext_private_34.0}",
+        ":se_build_files{.product_public_34.0}",
+        ":se_build_files{.product_private_34.0}",
+    ],
+    installable: false,
+    build_variant: "user",
+}
+
+se_policy_cil {
+    name: "34.0_plat_policy.cil",
+    src: ":34.0_plat_policy.conf",
+    additional_cil_files: [":sepolicy_technical_debt{.plat_private_34.0}"],
+    installable: false,
+}
+
+se_policy_binary {
+    name: "34.0_plat_policy",
+    srcs: [":34.0_plat_policy.cil"],
+    installable: false,
+    dist: {
+        targets: ["base-sepolicy-files-for-mapping"],
+    },
+}
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@ -1,13 +1,15 @@
 ;; types removed from current policy
 (type ashmemd)
+(type clatd_exec)
+(type clatd)
 (type exported_audio_prop)
 (type exported_dalvik_prop)
 (type exported_vold_prop)
 (type exported2_config_prop)
 (type exported2_vold_prop)
 (type hal_wifi_offload_hwservice)
-(type install_recovery)
 (type install_recovery_exec)
+(type install_recovery)
 (type mediacodec_service)
 (type perfprofd_data_file)
 (type perfprofd_service)
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@ -1,11 +1,16 @@
 ;; types removed from current policy
+(type adbd_prop)
 (type cgroup_bpf)
+(type device_config_configuration_prop)
+(type device_config_storage_native_boot_prop)
+(type device_config_sys_traced_prop)
+(type device_config_window_manager_native_boot_prop)
 (type exported_audio_prop)
 (type exported_dalvik_prop)
 (type exported_ffs_prop)
 (type exported_fingerprint_prop)
-(type exported_system_radio_prop)
 (type exported_radio_prop)
+(type exported_system_radio_prop)
 (type exported_vold_prop)
 (type exported_wifi_prop)
 (type exported2_config_prop)
@ -16,8 +21,19 @@
 (type exported3_default_prop)
 (type exported3_radio_prop)
 (type ffs_prop)
+(type gsid_prop)
+(type init_perf_lsm_hooks_prop)
+(type init_svc_debug_prop)
+(type last_boot_reason_prop)
+(type mediatranscoding_exec)
+(type netd_stable_secret_prop)
+(type pm_prop)
+(type system_adbd_prop)
 (type system_radio_prop)
 (type thermalcallback_hwservice)
+(type traced_perf_enabled_prop)
+(type userspace_reboot_log_prop)
+(type userspace_reboot_test_prop)

 (typeattribute binder_in_vendor_violators)

--- a/tests/Android.bp
+++ b/tests/Android.bp
@ -50,9 +50,7 @@ python_binary_host {
    },
    libs: [
        "mini_cil_parser",
-        "pysepolwrap",
    ],
-    data: [":libsepolwrap"],
 }

 python_binary_host {
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@ -16,17 +16,11 @@ from optparse import OptionParser
 from optparse import Option, OptionValueError
 import os
 import mini_parser
-import pkgutil
-import policy
-from policy import MatchPathPrefix
 import re
 import shutil
 import sys
 import tempfile

-DEBUG=False
-SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
-
 '''
 Verify that Treble compatibility are not broken.
 '''
@ -39,13 +33,13 @@ Verify that Treble compatibility are not broken.
 ###
 # Make sure that any new public type introduced in the new policy that was not
 # present in the old policy has been recorded in the mapping file.
-def TestNoUnmappedNewTypes(test_policy):
-    newt = test_policy.alltypes - test_policy.oldalltypes
+def TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping):
+    newt = base_pub_policy.types - old_pub_policy.types
    ret = ""
    violators = []

    for n in newt:
-        if n in test_policy.pubtypes and test_policy.compatMapping.rTypeattributesets.get(n) is None:
+        if mapping.rTypeattributesets.get(n) is None:
            violators.append(n)

    if len(violators) > 0:
@ -62,13 +56,13 @@ def TestNoUnmappedNewTypes(test_policy):
 ###
 # Make sure that any public type removed in the current policy has its
 # declaration added to the mapping file for use in non-platform policy
-def TestNoUnmappedRmTypes(test_policy):
-    rmt = test_policy.oldalltypes - test_policy.alltypes
+def TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping):
+    rmt = old_pub_policy.types - base_pub_policy.types
    ret = ""
    violators = []

    for o in rmt:
-        if o in test_policy.compatMapping.pubtypes and not o in test_policy.compatMapping.types:
+        if o in mapping.pubtypes and not o in mapping.types:
            violators.append(o)

    if len(violators) > 0:
@ -81,9 +75,9 @@ def TestNoUnmappedRmTypes(test_policy):
        ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n"
    return ret

-def TestTrebleCompatMapping(test_policy):
-    ret = TestNoUnmappedNewTypes(test_policy)
-    ret += TestNoUnmappedRmTypes(test_policy)
+def TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping):
+    ret = TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping)
+    ret += TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping)
    return ret

 ###
@ -103,73 +97,38 @@ class MultipleOption(Option):
        else:
            Option.take_action(self, action, dest, opt, value, values, parser)

-def do_main(libpath):
-    """
-    Args:
-        libpath: string, path to libsepolwrap.so
-    """
-    test_policy = policy.TestPolicy()
-
+def do_main():
    usage = "treble_sepolicy_tests "
-    usage += "-p curr_policy -b base_policy -o old_policy "
+    usage += "-b base_pub_policy -o old_pub_policy "
    usage += "-m mapping file [--test test] [--help]"
    parser = OptionParser(option_class=MultipleOption, usage=usage)
-    parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
-    parser.add_option("-u", "--base-pub-policy", dest="base_pub_policy",
+    parser.add_option("-b", "--base-pub-policy", dest="base_pub_policy",
                      metavar="FILE")
    parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
-    parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
-    parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
+    parser.add_option("-o", "--old-pub-policy", dest="old_pub_policy",
+                      metavar="FILE")

    (options, args) = parser.parse_args()

-    if not options.policy:
-        sys.exit("Must specify current monolithic policy file\n" + parser.usage)
-    if not os.path.exists(options.policy):
-        sys.exit("Error: policy file " + options.policy + " does not exist\n"
-                + parser.usage)
-
    # Mapping files and public platform policy are only necessary for the
    # TrebleCompatMapping test.
-    if not options.basepolicy:
-        sys.exit("Must specify the current platform-only policy file\n"
-                    + parser.usage)
    if not options.mapping:
        sys.exit("Must specify a compatibility mapping file\n"
                    + parser.usage)
-    if not options.oldpolicy:
-        sys.exit("Must specify the previous monolithic policy file\n"
+    if not options.old_pub_policy:
+        sys.exit("Must specify the previous public policy .cil file\n"
                    + parser.usage)
    if not options.base_pub_policy:
        sys.exit("Must specify the current platform-only public policy "
                    + ".cil file\n" + parser.usage)
-    basepol = policy.Policy(options.basepolicy, None, libpath)
-    oldpol = policy.Policy(options.oldpolicy, None, libpath)
    mapping = mini_parser.MiniCilParser(options.mapping)
-    pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
-    test_policy.compatSetup(basepol, oldpol, mapping, pubpol.types)
+    base_pub_policy = mini_parser.MiniCilParser(options.base_pub_policy)
+    old_pub_policy = mini_parser.MiniCilParser(options.old_pub_policy)

-    pol = policy.Policy(options.policy, None, libpath)
-    test_policy.setup(pol)
-
-    if DEBUG:
-        test_policy.PrintScontexts()
-
-    results = TestTrebleCompatMapping(test_policy)
+    results = TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping)

    if len(results) > 0:
        sys.exit(results)

 if __name__ == '__main__':
-    temp_dir = tempfile.mkdtemp()
-    try:
-        libname = "libsepolwrap" + SHARED_LIB_EXTENSION
-        libpath = os.path.join(temp_dir, libname)
-        with open(libpath, "wb") as f:
-            blob = pkgutil.get_data("treble_sepolicy_tests", libname)
-            if not blob:
-                sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
-            f.write(blob)
-        do_main(libpath)
-    finally:
-        shutil.rmtree(temp_dir)
+    do_main()
--- a/tools/Android.mk
+++ b/tools/Android.mk
@ -1,3 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
--- a/tools/policy_version_check.sh
+++ b/tools/policy_version_check.sh
@ -1,6 +1,6 @@
 #!/bin/bash

-MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]')
+MK=$(awk -F= '/PolicyVers/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')
 BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')

 if [ "$MK" != "$BP" ]; then
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@ -11,15 +11,9 @@ LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
 LOCAL_MODULE_CLASS := FAKE
 LOCAL_MODULE_TAGS := optional

-# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
-# make file of the system_ext partition.
-SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
-# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
-# make file of the product partition.
-PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
 IS_TREBLE_TEST_ENABLED_PARTNER := false
 ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
+ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
 IS_TREBLE_TEST_ENABLED_PARTNER := true
 endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
 endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
@ -30,59 +24,7 @@ include $(BUILD_SYSTEM)/base_rules.mk
 # built to enable us to determine the diff between the current policy and the
 # $(version) policy, which will be used in tests to make sure that compatibility has
 # been maintained by our mapping files.
-$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
-    $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
-    $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
-ifneq (,$(PRODUCT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
-    $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
-    $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(PRODUCT_PREBUILT_POLICY))
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
-$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
-$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$($(version)_plat_policy.conf): $(policy_files) $(M4)
-	$(transform-policy-to-conf)
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-policy_files :=
-
-built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
-$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
-  $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
-$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-  $(HOST_OUT_EXECUTABLES)/secilc \
-  $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
-  $(built_sepolicy_neverallows)
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
-		$(POLICYVERS) -o $@ $<
-	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
-
-# TODO(b/214336258): move to Soong
-$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
-
-$(version)_plat_policy.conf :=
+built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil

 $(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
 $(version)_mapping.ignore.cil := \
@ -106,44 +48,31 @@ endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 # combining the current platform policy with nonplatform policy based on the
 # $(version) policy release and also a special ignored file that exists purely for
 # these tests.
+intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
 $(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
 $($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
 	mkdir -p $(dir $@)
 	cat $^ > $@

 ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-built_sepolicy_files := $(built_product_sepolicy)
 public_cil_files := $(base_product_pub_policy.cil)
 else
-built_sepolicy_files := $(built_plat_sepolicy)
 public_cil_files := $(base_plat_pub_policy.cil)
 endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
 $(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-  $(all_fc_files) $(built_sepolicy) \
-  $(built_sepolicy_files) \
  $(public_cil_files) \
-  $(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil)
+  $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-                -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-                -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
-                -u $(PRIVATE_PLAT_PUB_SEPOLICY)
+                -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+                -o $(PRIVATE_SEPOLICY_OLD)
 	$(hide) touch $@

-$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
-$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
-$(version)_PRODUCT_PUBLIC_POLICY :=
-$(version)_PRODUCT_PRIVATE_POLICY :=
-$(version)_PLAT_PUBLIC_POLICY :=
-$(version)_PLAT_PRIVATE_POLICY :=
 built_sepolicy_files :=
 public_cil_files :=
-cil_files :=
 $(version)_mapping.cil :=
 $(version)_mapping.combined.cil :=
 $(version)_mapping.ignore.cil :=