diff --git a/Android.bp b/Android.bp
index eeca38d6f..2934cd98f 100644
--- a/Android.bp
+++ b/Android.bp
@@ -92,6 +92,24 @@ se_cil_compat_map {
 // top_half: "29.0.ignore.cil",
 }
+prebuilt_etc {
+ name: "28.0.compat.cil",
+ src: "private/compat/28.0/28.0.compat.cil",
+ sub_dir: "selinux/mapping",
+}
+
+prebuilt_etc {
+ name: "27.0.compat.cil",
+ src: "private/compat/27.0/27.0.compat.cil",
+ sub_dir: "selinux/mapping",
+}
+
+prebuilt_etc {
+ name: "26.0.compat.cil",
+ src: "private/compat/26.0/26.0.compat.cil",
+ sub_dir: "selinux/mapping",
+}
+
 se_filegroup {
 name: "file_contexts_files",
 srcs: ["file_contexts"],
diff --git a/Android.mk b/Android.mk
index 4e4a6411d..55a2f8116 100644
--- a/Android.mk
+++ b/Android.mk
@@ -202,6 +202,7 @@ LOCAL_MODULE := selinux_policy_system
 LOCAL_REQUIRED_MODULES += \
 plat_mapping_file \
 $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+ $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
 plat_sepolicy.cil \
 plat_sepolicy_and_mapping.sha256 \
 secilc \
@@ -235,6 +236,7 @@ ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 LOCAL_REQUIRED_MODULES += \
 sepolicy_tests \
 $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+ $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
 endif
 endif
@@ -1284,13 +1286,18 @@ $(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_polic
 # given release version.
 version_under_treble_tests := 26.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-
 version_under_treble_tests := 27.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-
 version_under_treble_tests := 28.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+version_under_treble_tests := 26.0
+include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 27.0
+include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 28.0
+include $(LOCAL_PATH)/compat.mk
+
 BASE_PLAT_PUBLIC_POLICY :=
 BASE_PLAT_PRIVATE_POLICY :=
 base_plat_policy.conf :=
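Review bot: The two new `LOCAL_REQUIRED_MODULES` entries in Android.mk (`$(addsuffix .compat.cil,...)` in the hunk at -202 and `$(addsuffix _compat_test,...)` in the hunk at -235) are generated from `PLATFORM_SEPOLICY_COMPAT_VERSIONS`, but the modules they name are defined by hand: three `prebuilt_etc` blocks in Android.bp and three hard-coded `include $(LOCAL_PATH)/compat.mk` stanzas in the hunk at -1284. The value of that list is not visible here; if it ever holds a version other than 26.0, 27.0 and 28.0, a required module will have no definition. I would add a comment above the new includes, `# Keep in step with PLATFORM_SEPOLICY_COMPAT_VERSIONS and the *.compat.cil prebuilt_etc modules in Android.bp.`, so the three places are updated together.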
diff --git a/compat.mk b/compat.mk
new file mode 100644
index 000000000..b4f8de028
--- /dev/null
+++ b/compat.mk
@@ -0,0 +1,40 @@
+version := $(version_under_treble_tests)
+
+include $(CLEAR_VARS)
+#################################
+# build this target to ensure the compat permissions files all build against the current policy
+#
+LOCAL_MODULE := $(version)_compat_test
+LOCAL_REQUIRED_MODULES := $(version).compat.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+all_cil_files := \
+ $(built_plat_cil) \
+ $(built_plat_mapping_cil) \
+ $(built_pub_vers_cil) \
+ $(built_vendor_cil) \
+ $(ALL_MODULES.$(version).compat.cil.BUILT) \
+
+ifdef HAS_PRODUCT_SEPOLICY
+all_cil_files += \
+ $(built_product_cil) \
+ $(built_product_mapping_cil) \
+
+endif
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
+ @mkdir -p $(dir $@)
+ $(hide) $< -m -N -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
+ $(hide) mv $@.tmp $@
+
+all_cil_files :=
+version :=
+version_under_treble_tests :=
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
new file mode 100644
index 000000000..9031d15c7
--- /dev/null
+++ b/private/compat/26.0/26.0.compat.cil
@@ -0,0 +1,4 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
+(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
new file mode 100644
index 000000000..9031d15c7
--- /dev/null
+++ b/private/compat/27.0/27.0.compat.cil
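Review bot: The secilc call in the `$(LOCAL_BUILT_MODULE)` recipe of compat.mk hard-codes `-N`, which disables neverallow checking, so this target only proves that `$(version).compat.cil` resolves and compiles against the current policy; nothing here checks the compat rules against neverallows. That is worth a comment above the recipe, e.g. `# -N: neverallow rules are not checked here; this is a compile-only check of the compat CIL.` Without it the gating is misleading, because Android.mk only requires `_compat_test` when `SELINUX_IGNORE_NEVERALLOWS` is not true, which reads as if neverallows were enforced. Separately, `$(HOST_OUT_EXECUTABLES)/sepolicy-analyze` is listed as a prerequisite but the recipe never runs it (`$<` is secilc), so it should either be dropped or actually used.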
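Review bot: The two `allowx` lines in 26.0.compat.cil give every non-coredomain domain the whole ioctl command range (`0x0000` to `0xffff`) on all `dev_type` block devices and all `file_type` files, and the file has no comment saying why. With the full range granted, ioctl access for vendor domains on those classes is in effect governed only by the plain `ioctl` permission, so any per-command filtering for them is lost. The file should state its intent and scope at the top, for example `; Compat for vendor policy built against 26.0: keep the full ioctl range on file/blk_file so existing vendor allow rules behave as before.` (the rationale is inferred and needs the author's confirmation). The same four lines are added as 27.0.compat.cil and 28.0.compat.cil (same blob 9031d15c7), so the comment applies to all three.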
@@ -0,0 +1,4 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
+(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
new file mode 100644
index 000000000..9031d15c7
--- /dev/null
+++ b/private/compat/28.0/28.0.compat.cil
@@ -0,0 +1,4 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
+(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))