Merge changes Ia2c07331,I93f0d222 into main am: f476f5c8f1 am: 31406c242e am: 0f0286303f am: 332e63bee5

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2742356 Change-Id: I057521eaa91d120a5131ec0a86d8b43de6889f0a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-07 10:43:34 +00:00 · 2023-09-07 10:43:34 +00:00 · 3149017ddb
commit 3149017ddb
parent 649a251012 332e63bee5
18 changed files with 245 additions and 329 deletions
--- a/Android.bp
+++ b/Android.bp
@ -752,33 +752,6 @@ se_policy_binary {
    },
 }
 se_policy_conf {
    name: "base_system_ext_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    build_variant: "user",
    installable: false,
    system_ext_specific: true,
 }
 se_policy_cil {
    name: "base_system_ext_sepolicy.cil",
    src: ":base_system_ext_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    system_ext_specific: true,
    installable: false,
    secilc_check: false, // done by se_policy_binary
 }
 se_policy_binary {
    name: "base_system_ext_sepolicy",
    srcs: [":base_system_ext_sepolicy.cil"],
    system_ext_specific: true,
    installable: false,
 }
 se_policy_conf {
    name: "base_product_sepolicy.conf",
    srcs: plat_public_policy +
@ -827,25 +800,6 @@ se_policy_cil {
    },
 }
 se_policy_conf {
    name: "base_system_ext_pub_policy.conf",
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
    system_ext_specific: true,
 }
 se_policy_cil {
    name: "base_system_ext_pub_policy.cil",
    src: ":base_system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    system_ext_specific: true,
 }
 se_policy_conf {
    name: "base_product_pub_policy.conf",
    srcs: plat_public_policy +
--- a/Android.mk
+++ b/Android.mk
@ -1,13 +1,7 @@
 LOCAL_PATH:= $(call my-dir)
 include $(LOCAL_PATH)/definitions.mk
 include $(LOCAL_PATH)/policy_version.mk
 include $(CLEAR_VARS)
 MLS_SENS=1
 MLS_CATS=1024
 ifdef BOARD_SEPOLICY_UNION
 $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
 endif
@ -73,7 +67,6 @@ ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
 HAS_PRODUCT_SEPOLICY_DIR := true
 endif
 NEVERALLOW_ARG :=
 ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 ifeq ($(TARGET_BUILD_VARIANT),user)
 $(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
@ -81,7 +74,6 @@ endif
 $(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
          It does not work in user builds and using it will \
          not stop you from failing CTS.)
 NEVERALLOW_ARG := -N
 endif
 # BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
@ -170,36 +162,11 @@ ifdef HAS_PRODUCT_SEPOLICY_DIR
  endif
 endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
 # CIL files which contain workarounds for current limitation of human-readable
 # module policy language. These files are appended to the CIL files produced
 # from module language files.
 sepolicy_build_cil_workaround_files := technical_debt.cil
 my_target_arch := $(TARGET_ARCH)
 ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
  my_target_arch := mips
 endif
 intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
 with_asan := false
 ifneq (,$(filter address,$(SANITIZE_TARGET)))
  with_asan := true
 endif
 with_native_coverage := false
 ifeq ($(NATIVE_COVERAGE),true)
  with_native_coverage := true
 endif
 ifeq ($(CLANG_COVERAGE),true)
  with_native_coverage := true
 endif
 treble_sysprop_neverallow := true
 ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
  treble_sysprop_neverallow := false
 endif
 ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
  #$(warning no product shipping level defined)
 else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
@ -208,16 +175,6 @@ else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
  endif
 endif
 enforce_sysprop_owner := true
 ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
  enforce_sysprop_owner := false
 endif
 enforce_debugfs_restriction := false
 ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
  enforce_debugfs_restriction := true
 endif
 ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
  #$(warning no product shipping level defined)
 else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@ -226,13 +183,6 @@ else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
  endif
 endif
 # Library extension for host-side tests
 ifeq ($(HOST_OS),darwin)
 SHAREDLIB_EXT=dylib
 else
 SHAREDLIB_EXT=so
 endif
 #################################
 include $(CLEAR_VARS)
@ -480,16 +430,6 @@ include $(BUILD_PHONY_PACKAGE)
 # Policy files are now built with Android.bp. Grab them from intermediate.
 # See Android.bp for details of policy files.
 #
 built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
 ifdef HAS_SYSTEM_EXT_SEPOLICY
 built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
 endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
 ifdef HAS_PRODUCT_SEPOLICY
 built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
 endif # ifdef HAS_PRODUCT_SEPOLICY
 built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
 built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
@ -542,6 +482,23 @@ ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
  local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
 endif
 ###########################################################
 ## Collect file_contexts files into a single tmp file with m4
 ##
 ## $(1): list of file_contexts files
 ## $(2): filename into which file_contexts files are merged
 ###########################################################
 define _merge-fc-files
 $(2): $(1) $(M4)
 	$(hide) mkdir -p $$(dir $$@)
 	$(hide) $(M4) --fatal-warnings -s $(1) > $$@
 endef
 define merge-fc-files
 $(eval $(call _merge-fc-files,$(1),$(2)))
 endef
 file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
 $(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
@ -581,32 +538,14 @@ $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
 built_fc := $(LOCAL_BUILT_MODULE)
 local_fc_files :=
 local_fcfiles_with_nl :=
 device_fc_files :=
 device_fcfiles_with_nl :=
 file_contexts.concat.tmp :=
 file_contexts.device.sorted.tmp :=
 file_contexts.device.tmp :=
 file_contexts.local.tmp :=
 file_contexts.modules.tmp :=
 ##################################
 all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
 all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
 all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
 endif
 ifdef HAS_PRODUCT_SEPOLICY_DIR
 all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
 endif
 ifdef BOARD_ODM_SEPOLICY_DIRS
 all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
 endif
 all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
 ##################################
 # Tests for Treble compatibility of current platform policy and vendor policy of
 # given release version.
@ -630,8 +569,6 @@ built_product_sepolicy :=
 base_plat_pub_policy.cil :=
 base_system_ext_pub_polcy.cil :=
 base_product_pub_policy.cil :=
 all_fc_files :=
 all_fc_args :=
 #################################
@ -639,19 +576,7 @@ all_fc_args :=
 build_vendor_policy :=
 build_odm_policy :=
 build_policy :=
 built_plat_cil :=
 built_system_ext_cil :=
 built_product_cil :=
 built_sepolicy :=
 built_sepolicy_neverallows :=
 built_plat_svc :=
 built_vendor_svc :=
 treble_sysprop_neverallow :=
 enforce_sysprop_owner :=
 enforce_debugfs_restriction :=
 my_target_arch :=
 sepolicy_build_files :=
 sepolicy_build_cil_workaround_files :=
 with_asan :=
 include $(call all-makefiles-under,$(LOCAL_PATH))
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@ -27,7 +27,6 @@ import (
 )
 const (
 	// TODO: sync with Android.mk
 	MlsSens    = 1
 	MlsCats    = 1024
 	PolicyVers = 30
--- a/definitions.mk
+++ b/definitions.mk
@ -1,39 +0,0 @@
 # Command to turn collection of policy files into a policy.conf file to be
 # processed by checkpolicy
 define transform-policy-to-conf
@mkdir -p $(dir $@)
 $(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
 	-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 	-D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
 	-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 	-D target_arch=$(PRIVATE_TGT_ARCH) \
 	-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
 	-D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
 	-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
 	-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
 	-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
 	-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
 	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
 	-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
 	-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $(PRIVATE_POLICY_FILES) > $@
 endef
 .KATI_READONLY := transform-policy-to-conf
 ###########################################################
 ## Collect file_contexts files into a single tmp file with m4
 ##
 ## $(1): list of file_contexts files
 ## $(2): filename into which file_contexts files are merged
 ###########################################################
 define _merge-fc-files
 $(2): $(1) $(M4)
 	$(hide) mkdir -p $$(dir $$@)
 	$(hide) $(M4) --fatal-warnings -s $(1) > $$@
 endef
 define merge-fc-files
 $(eval $(call _merge-fc-files,$(1),$(2)))
 endef
--- a/policy_version.mk
+++ b/policy_version.mk
@ -1,4 +0,0 @@
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
 POLICYVERS ?= 30
--- a/prebuilts/api/29.0/Android.bp
+++ b/prebuilts/api/29.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
 se_policy_conf {
    name: "29.0_plat_policy.conf",
    srcs: [
        ":se_build_files{.plat_public_29.0}",
        ":se_build_files{.plat_private_29.0}",
        ":se_build_files{.system_ext_public_29.0}",
        ":se_build_files{.system_ext_private_29.0}",
        ":se_build_files{.product_public_29.0}",
        ":se_build_files{.product_private_29.0}",
    ],
    installable: false,
    build_variant: "user",
 }
 se_policy_cil {
    name: "29.0_plat_policy.cil",
    src: ":29.0_plat_policy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private_29.0}"],
    installable: false,
 }
 se_policy_binary {
    name: "29.0_plat_policy",
    srcs: [":29.0_plat_policy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
 }
--- a/prebuilts/api/30.0/Android.bp
+++ b/prebuilts/api/30.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
 se_policy_conf {
    name: "30.0_plat_policy.conf",
    srcs: [
        ":se_build_files{.plat_public_30.0}",
        ":se_build_files{.plat_private_30.0}",
        ":se_build_files{.system_ext_public_30.0}",
        ":se_build_files{.system_ext_private_30.0}",
        ":se_build_files{.product_public_30.0}",
        ":se_build_files{.product_private_30.0}",
    ],
    installable: false,
    build_variant: "user",
 }
 se_policy_cil {
    name: "30.0_plat_policy.cil",
    src: ":30.0_plat_policy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private_30.0}"],
    installable: false,
 }
 se_policy_binary {
    name: "30.0_plat_policy",
    srcs: [":30.0_plat_policy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
 }
--- a/prebuilts/api/31.0/Android.bp
+++ b/prebuilts/api/31.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
 se_policy_conf {
    name: "31.0_plat_policy.conf",
    srcs: [
        ":se_build_files{.plat_public_31.0}",
        ":se_build_files{.plat_private_31.0}",
        ":se_build_files{.system_ext_public_31.0}",
        ":se_build_files{.system_ext_private_31.0}",
        ":se_build_files{.product_public_31.0}",
        ":se_build_files{.product_private_31.0}",
    ],
    installable: false,
    build_variant: "user",
 }
 se_policy_cil {
    name: "31.0_plat_policy.cil",
    src: ":31.0_plat_policy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private_31.0}"],
    installable: false,
 }
 se_policy_binary {
    name: "31.0_plat_policy",
    srcs: [":31.0_plat_policy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
 }
--- a/prebuilts/api/32.0/Android.bp
+++ b/prebuilts/api/32.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
 se_policy_conf {
    name: "32.0_plat_policy.conf",
    srcs: [
        ":se_build_files{.plat_public_32.0}",
        ":se_build_files{.plat_private_32.0}",
        ":se_build_files{.system_ext_public_32.0}",
        ":se_build_files{.system_ext_private_32.0}",
        ":se_build_files{.product_public_32.0}",
        ":se_build_files{.product_private_32.0}",
    ],
    installable: false,
    build_variant: "user",
 }
 se_policy_cil {
    name: "32.0_plat_policy.cil",
    src: ":32.0_plat_policy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private_32.0}"],
    installable: false,
 }
 se_policy_binary {
    name: "32.0_plat_policy",
    srcs: [":32.0_plat_policy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
 }
--- a/prebuilts/api/33.0/Android.bp
+++ b/prebuilts/api/33.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
 se_policy_conf {
    name: "33.0_plat_policy.conf",
    srcs: [
        ":se_build_files{.plat_public_33.0}",
        ":se_build_files{.plat_private_33.0}",
        ":se_build_files{.system_ext_public_33.0}",
        ":se_build_files{.system_ext_private_33.0}",
        ":se_build_files{.product_public_33.0}",
        ":se_build_files{.product_private_33.0}",
    ],
    installable: false,
    build_variant: "user",
 }
 se_policy_cil {
    name: "33.0_plat_policy.cil",
    src: ":33.0_plat_policy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private_33.0}"],
    installable: false,
 }
 se_policy_binary {
    name: "33.0_plat_policy",
    srcs: [":33.0_plat_policy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
 }
--- a/prebuilts/api/34.0/Android.bp
+++ b/prebuilts/api/34.0/Android.bp
@ -26,3 +26,33 @@ se_policy_cil {
    secilc_check: false,
    installable: false,
 }
 se_policy_conf {
    name: "34.0_plat_policy.conf",
    srcs: [
        ":se_build_files{.plat_public_34.0}",
        ":se_build_files{.plat_private_34.0}",
        ":se_build_files{.system_ext_public_34.0}",
        ":se_build_files{.system_ext_private_34.0}",
        ":se_build_files{.product_public_34.0}",
        ":se_build_files{.product_private_34.0}",
    ],
    installable: false,
    build_variant: "user",
 }
 se_policy_cil {
    name: "34.0_plat_policy.cil",
    src: ":34.0_plat_policy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private_34.0}"],
    installable: false,
 }
 se_policy_binary {
    name: "34.0_plat_policy",
    srcs: [":34.0_plat_policy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
 }
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@ -1,13 +1,15 @@
 ;; types removed from current policy
 (type ashmemd)
 (type clatd_exec)
 (type clatd)
 (type exported_audio_prop)
 (type exported_dalvik_prop)
 (type exported_vold_prop)
 (type exported2_config_prop)
 (type exported2_vold_prop)
 (type hal_wifi_offload_hwservice)
 (type install_recovery)
 (type install_recovery_exec)
 (type install_recovery)
 (type mediacodec_service)
 (type perfprofd_data_file)
 (type perfprofd_service)
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@ -1,11 +1,16 @@
 ;; types removed from current policy
 (type adbd_prop)
 (type cgroup_bpf)
 (type device_config_configuration_prop)
 (type device_config_storage_native_boot_prop)
 (type device_config_sys_traced_prop)
 (type device_config_window_manager_native_boot_prop)
 (type exported_audio_prop)
 (type exported_dalvik_prop)
 (type exported_ffs_prop)
 (type exported_fingerprint_prop)
 (type exported_system_radio_prop)
 (type exported_radio_prop)
 (type exported_system_radio_prop)
 (type exported_vold_prop)
 (type exported_wifi_prop)
 (type exported2_config_prop)
@ -16,8 +21,19 @@
 (type exported3_default_prop)
 (type exported3_radio_prop)
 (type ffs_prop)
 (type gsid_prop)
 (type init_perf_lsm_hooks_prop)
 (type init_svc_debug_prop)
 (type last_boot_reason_prop)
 (type mediatranscoding_exec)
 (type netd_stable_secret_prop)
 (type pm_prop)
 (type system_adbd_prop)
 (type system_radio_prop)
 (type thermalcallback_hwservice)
 (type traced_perf_enabled_prop)
 (type userspace_reboot_log_prop)
 (type userspace_reboot_test_prop)
 (typeattribute binder_in_vendor_violators)
--- a/tests/Android.bp
+++ b/tests/Android.bp
@ -50,9 +50,7 @@ python_binary_host {
    },
    libs: [
        "mini_cil_parser",
        "pysepolwrap",
    ],
    data: [":libsepolwrap"],
 }
 python_binary_host {
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@ -16,17 +16,11 @@ from optparse import OptionParser
 from optparse import Option, OptionValueError
 import os
 import mini_parser
 import pkgutil
 import policy
 from policy import MatchPathPrefix
 import re
 import shutil
 import sys
 import tempfile
 DEBUG=False
 SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
 '''
 Verify that Treble compatibility are not broken.
 '''
@ -39,13 +33,13 @@ Verify that Treble compatibility are not broken.
 ###
 # Make sure that any new public type introduced in the new policy that was not
 # present in the old policy has been recorded in the mapping file.
-def TestNoUnmappedNewTypes(test_policy):
+def TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping):
-    newt = test_policy.alltypes - test_policy.oldalltypes
+    newt = base_pub_policy.types - old_pub_policy.types
    ret = ""
    violators = []
    for n in newt:
-        if n in test_policy.pubtypes and test_policy.compatMapping.rTypeattributesets.get(n) is None:
+        if mapping.rTypeattributesets.get(n) is None:
            violators.append(n)
    if len(violators) > 0:
@ -62,13 +56,13 @@ def TestNoUnmappedNewTypes(test_policy):
 ###
 # Make sure that any public type removed in the current policy has its
 # declaration added to the mapping file for use in non-platform policy
-def TestNoUnmappedRmTypes(test_policy):
+def TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping):
-    rmt = test_policy.oldalltypes - test_policy.alltypes
+    rmt = old_pub_policy.types - base_pub_policy.types
    ret = ""
    violators = []
    for o in rmt:
-        if o in test_policy.compatMapping.pubtypes and not o in test_policy.compatMapping.types:
+        if o in mapping.pubtypes and not o in mapping.types:
            violators.append(o)
    if len(violators) > 0:
@ -81,9 +75,9 @@ def TestNoUnmappedRmTypes(test_policy):
        ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n"
    return ret
-def TestTrebleCompatMapping(test_policy):
+def TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping):
-    ret = TestNoUnmappedNewTypes(test_policy)
+    ret = TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping)
-    ret += TestNoUnmappedRmTypes(test_policy)
+    ret += TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping)
    return ret
 ###
@ -103,73 +97,38 @@ class MultipleOption(Option):
        else:
            Option.take_action(self, action, dest, opt, value, values, parser)
-def do_main(libpath):
+def do_main():
    """
    Args:
        libpath: string, path to libsepolwrap.so
    """
    test_policy = policy.TestPolicy()
    usage = "treble_sepolicy_tests "
-    usage += "-p curr_policy -b base_policy -o old_policy "
+    usage += "-b base_pub_policy -o old_pub_policy "
    usage += "-m mapping file [--test test] [--help]"
    parser = OptionParser(option_class=MultipleOption, usage=usage)
-    parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
+    parser.add_option("-b", "--base-pub-policy", dest="base_pub_policy",
    parser.add_option("-u", "--base-pub-policy", dest="base_pub_policy",
                      metavar="FILE")
    parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
-    parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
+    parser.add_option("-o", "--old-pub-policy", dest="old_pub_policy",
-    parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
+                      metavar="FILE")
    (options, args) = parser.parse_args()
    if not options.policy:
        sys.exit("Must specify current monolithic policy file\n" + parser.usage)
    if not os.path.exists(options.policy):
        sys.exit("Error: policy file " + options.policy + " does not exist\n"
                + parser.usage)
    # Mapping files and public platform policy are only necessary for the
    # TrebleCompatMapping test.
    if not options.basepolicy:
        sys.exit("Must specify the current platform-only policy file\n"
                    + parser.usage)
    if not options.mapping:
        sys.exit("Must specify a compatibility mapping file\n"
                    + parser.usage)
-    if not options.oldpolicy:
+    if not options.old_pub_policy:
-        sys.exit("Must specify the previous monolithic policy file\n"
+        sys.exit("Must specify the previous public policy .cil file\n"
                    + parser.usage)
    if not options.base_pub_policy:
        sys.exit("Must specify the current platform-only public policy "
                    + ".cil file\n" + parser.usage)
    basepol = policy.Policy(options.basepolicy, None, libpath)
    oldpol = policy.Policy(options.oldpolicy, None, libpath)
    mapping = mini_parser.MiniCilParser(options.mapping)
-    pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
+    base_pub_policy = mini_parser.MiniCilParser(options.base_pub_policy)
-    test_policy.compatSetup(basepol, oldpol, mapping, pubpol.types)
+    old_pub_policy = mini_parser.MiniCilParser(options.old_pub_policy)
-    pol = policy.Policy(options.policy, None, libpath)
+    results = TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping)
    test_policy.setup(pol)
    if DEBUG:
        test_policy.PrintScontexts()
    results = TestTrebleCompatMapping(test_policy)
    if len(results) > 0:
        sys.exit(results)
 if __name__ == '__main__':
-    temp_dir = tempfile.mkdtemp()
+    do_main()
    try:
        libname = "libsepolwrap" + SHARED_LIB_EXTENSION
        libpath = os.path.join(temp_dir, libname)
        with open(libpath, "wb") as f:
            blob = pkgutil.get_data("treble_sepolicy_tests", libname)
            if not blob:
                sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
            f.write(blob)
        do_main(libpath)
    finally:
        shutil.rmtree(temp_dir)
--- a/tools/Android.mk
+++ b/tools/Android.mk
@ -1,3 +0,0 @@
 LOCAL_PATH:= $(call my-dir)
 include $(call all-makefiles-under,$(LOCAL_PATH))
--- a/tools/policy_version_check.sh
+++ b/tools/policy_version_check.sh
@ -1,6 +1,6 @@
 #!/bin/bash
-MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]')
+MK=$(awk -F= '/PolicyVers/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')
 BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
 if [ "$MK" != "$BP" ]; then
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@ -11,15 +11,9 @@ LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
 LOCAL_MODULE_CLASS := FAKE
 LOCAL_MODULE_TAGS := optional
 # BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
 # make file of the system_ext partition.
 SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
 # BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
 # make file of the product partition.
 PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
 IS_TREBLE_TEST_ENABLED_PARTNER := false
 ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
+ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
 IS_TREBLE_TEST_ENABLED_PARTNER := true
 endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
 endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
@ -30,59 +24,7 @@ include $(BUILD_SYSTEM)/base_rules.mk
 # built to enable us to determine the diff between the current policy and the
 # $(version) policy, which will be used in tests to make sure that compatibility has
 # been maintained by our mapping files.
-$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
+built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil
 $(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
 ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
 $(version)_PLAT_PUBLIC_POLICY += \
    $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
 $(version)_PLAT_PRIVATE_POLICY += \
    $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
 endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
 ifneq (,$(PRODUCT_PREBUILT_POLICY))
 $(version)_PLAT_PUBLIC_POLICY += \
    $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
 $(version)_PLAT_PRIVATE_POLICY += \
    $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
 endif # (,$(PRODUCT_PREBUILT_POLICY))
 endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
 $(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
 $($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
 $($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $($(version)_plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 policy_files :=
 built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
 $(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
  $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
 $(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
 $(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/secilc \
  $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
  $(built_sepolicy_neverallows)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
 		$(POLICYVERS) -o $@ $<
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
 $(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
 # TODO(b/214336258): move to Soong
 $(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
 $(version)_plat_policy.conf :=
 $(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
 $(version)_mapping.ignore.cil := \
@ -106,44 +48,31 @@ endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 # combining the current platform policy with nonplatform policy based on the
 # $(version) policy release and also a special ignored file that exists purely for
 # these tests.
 intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
 $(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
 $($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
 	mkdir -p $(dir $@)
 	cat $^ > $@
 ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 built_sepolicy_files := $(built_product_sepolicy)
 public_cil_files := $(base_product_pub_policy.cil)
 else
 built_sepolicy_files := $(built_plat_sepolicy)
 public_cil_files := $(base_plat_pub_policy.cil)
 endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
 $(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
  $(all_fc_files) $(built_sepolicy) \
  $(built_sepolicy_files) \
  $(public_cil_files) \
-  $(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil)
+  $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-                -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+                -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-                -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
+                -o $(PRIVATE_SEPOLICY_OLD)
                -u $(PRIVATE_PLAT_PUB_SEPOLICY)
 	$(hide) touch $@
 $(version)_SYSTEM_EXT_PUBLIC_POLICY :=
 $(version)_SYSTEM_EXT_PRIVATE_POLICY :=
 $(version)_PRODUCT_PUBLIC_POLICY :=
 $(version)_PRODUCT_PRIVATE_POLICY :=
 $(version)_PLAT_PUBLIC_POLICY :=
 $(version)_PLAT_PRIVATE_POLICY :=
 built_sepolicy_files :=
 public_cil_files :=
 cil_files :=
 $(version)_mapping.cil :=
 $(version)_mapping.combined.cil :=
 $(version)_mapping.ignore.cil :=
		`@ -1,3 +0,0 @@`
			`LOCAL_PATH:= $(call my-dir)`

			`include $(call all-makefiles-under,$(LOCAL_PATH))`