From 8697fc80fdcf44f3f606418bb4bf05df81c0eb5b Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Tue, 16 Apr 2024 14:45:32 +0900
Subject: [PATCH] Add macro for board API level guard

'starting_at_board_api' macro is added to guard system/sepolicy/public types and attributes. The macro will work only when compiling vendor/odm sepolicy. When compiling platform sepolicy (system / system_ext / product), rules will always be included, regardless of board API level.

Policy authors should guard new public types and attributes with this macro, similar to LLNDK. The new types and attributes will be exposed since next vFRC release.

Bug: 330671090
Test: manually build with various board API level, see output
Change-Id: I03c601ce8fe1f77c7608dc488317d20276fd2d47
---
 Android.bp            | 16 ++++++++--------
 build/soong/policy.go | 12 ++++++++++++
 flagging/Android.bp   |  7 +++++++
 flagging/te_macros    | 15 +++++++++++++++
 4 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/Android.bp b/Android.bp
index b47d72f9d..79a8f4d84 100644
--- a/Android.bp
+++ b/Android.bp
@@ -106,7 +106,7 @@ product_private_policy = [":se_build_files{.product_private}"]
 // policy and subsequent removal of CIL policy that should not be exported.
 se_policy_conf {
     name: "reqd_policy_mask.conf",
-    defaults: ["se_policy_conf_flags_defaults"],
+    defaults: ["se_policy_conf_public_flags_defaults"],
     srcs: reqd_mask_policy,
     installable: false,
 }
@@ -142,7 +142,7 @@ se_policy_cil {
 //
 se_policy_conf {
     name: "pub_policy.conf",
-    defaults: ["se_policy_conf_flags_defaults"],
+    defaults: ["se_policy_conf_public_flags_defaults"],
     srcs: plat_public_policy +
         system_ext_public_policy +
         product_public_policy +
@@ -162,7 +162,7 @@ se_policy_cil {
 
 se_policy_conf {
     name: "system_ext_pub_policy.conf",
-    defaults: ["se_policy_conf_flags_defaults"],
+    defaults: ["se_policy_conf_public_flags_defaults"],
     srcs: plat_public_policy +
         system_ext_public_policy +
         reqd_mask_policy,
@@ -181,7 +181,7 @@ se_policy_cil {
 
 se_policy_conf {
     name: "plat_pub_policy.conf",
-    defaults: ["se_policy_conf_flags_defaults"],
+    defaults: ["se_policy_conf_public_flags_defaults"],
     srcs: plat_public_policy +
         reqd_mask_policy,
     installable: false,
@@ -403,7 +403,7 @@ se_versioned_policy {
 // policy and the platform public policy files in order to use checkpolicy.
 se_policy_conf {
     name: "vendor_sepolicy.conf",
-    defaults: ["se_policy_conf_flags_defaults"],
+    defaults: ["se_policy_conf_public_flags_defaults"],
     srcs: plat_public_policy +
         system_ext_public_policy +
         product_public_policy +
@@ -445,7 +445,7 @@ se_versioned_policy {
 // policy and the platform public policy files in order to use checkpolicy.
 se_policy_conf {
     name: "odm_sepolicy.conf",
-    defaults: ["se_policy_conf_flags_defaults"],
+    defaults: ["se_policy_conf_public_flags_defaults"],
     srcs: plat_public_policy +
         system_ext_public_policy +
         product_public_policy +
@@ -786,7 +786,7 @@ se_policy_binary {
 
 se_policy_conf {
     name: "base_plat_pub_policy.conf",
-    defaults: ["se_policy_conf_flags_defaults"],
+    defaults: ["se_policy_conf_public_flags_defaults"],
     srcs: plat_public_policy +
         reqd_mask_policy,
     build_variant: "user",
@@ -806,7 +806,7 @@ se_policy_cil {
 
 se_policy_conf {
     name: "base_product_pub_policy.conf",
-    defaults: ["se_policy_conf_flags_defaults"],
+    defaults: ["se_policy_conf_public_flags_defaults"],
     srcs: plat_public_policy +
         system_ext_public_policy +
         product_public_policy +
diff --git a/build/soong/policy.go b/build/soong/policy.go
index cbcc57ae6..be9d34e03 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -90,6 +90,9 @@ type policyConfProperties struct {
 
 	// Desired number of MLS categories. Defaults to 1024
 	Mls_cats *int64
+
+	// Whether to turn on board_api_level guard or not. Defaults to false
+	Board_api_level_guard *bool
 }
 
 type policyConf struct {
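Review bot: The comment on the new `Board_api_level_guard` property says what the flag switches on but not what the off state means, which is the part a module author needs: with the guard off, `boardApiLevel` (later in this file) substitutes a level above any real one so that every `starting_at_board_api()` block is compiled in. Suggest `// Whether to guard public policy by board API level. When false, target_board_api_level is set above any real level so that starting_at_board_api() rules are always included (platform policy). Defaults to false`. The property name follows the snake_case Soong convention used by `Mls_cats`, so no rename is needed.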
@@ -220,6 +223,14 @@ func (c *policyConf) mlsCats() int {
 	return proptools.IntDefault(c.properties.Mls_cats, MlsCats)
 }
 
+func (c *policyConf) boardApiLevel(ctx android.ModuleContext) string {
+	if proptools.Bool(c.properties.Board_api_level_guard) {
+		return ctx.Config().VendorApiLevel()
+	}
+	// aribtrary value greater than any other vendor API levels
+	return "1000000"
+}
+
 func findPolicyConfOrder(name string) int {
 	for idx, pattern := range policyConfOrder {
 		// We could use regexp but it seems like an overkill
@@ -261,6 +272,7 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
 		FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
 		FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
 		FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
+		FlagWithArg("-D target_board_api_level=", c.boardApiLevel(ctx)).
 		Flags(flagsToM4Macros(flags)).
 		Flag("-s").
 		Inputs(srcs).
diff --git a/flagging/Android.bp b/flagging/Android.bp
index b40a80aa9..a965f1f67 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -36,6 +36,13 @@ se_policy_conf_defaults {
     build_flags: ["all_selinux_flags"],
 }
 
+se_policy_conf_defaults {
+    name: "se_policy_conf_public_flags_defaults",
+    srcs: [":sepolicy_flagging_macros"],
+    build_flags: ["all_selinux_flags"],
+    board_api_level_guard: true,
+}
+
 contexts_defaults {
     name: "contexts_flags_defaults",
     srcs: [":sepolicy_flagging_macros"],
diff --git a/flagging/te_macros b/flagging/te_macros
index 34645023f..baf26c35d 100644
--- a/flagging/te_macros
+++ b/flagging/te_macros
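Review bot: `boardApiLevel` hands `ctx.Config().VendorApiLevel()` to m4 unchecked, and the `starting_at_board_api` macro added in flagging/te_macros places that value inside `eval(target_board_api_level >= $1)`, which only accepts an integer expression; whether VendorApiLevel() can yield an empty or non-numeric string is not visible in this diff, but if it can, the failure would surface as an m4 error inside the policy compile step rather than as a build-system error naming the responsible property. Validating with `strconv.Atoi` (the package is already imported and used in `transformPolicyToConf`) and reporting through `ctx.PropertyErrorf` keeps the failure at the module that configured the guard. The same hunk has a typo in the comment, `aribtrary` → `arbitrary`, and the `"1000000"` sentinel would read better as a named constant next to `MlsCats`, with a comment saying it must stay above any real vendor API level.
```go
func (c *policyConf) boardApiLevel(ctx android.ModuleContext) string {
	if !proptools.Bool(c.properties.Board_api_level_guard) {
		// Arbitrary value greater than any real vendor API level, so every
		// starting_at_board_api() block is included in platform policy.
		return "1000000"
	}
	level := ctx.Config().VendorApiLevel()
	// te_macros feeds this into m4 eval(), which only accepts an integer.
	if _, err := strconv.Atoi(level); err != nil {
		ctx.PropertyErrorf("board_api_level_guard", "vendor API level %q is not an integer", level)
	}
	return level
}
```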
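Review bot: The guard is opt-in per module through the `defaults` entry, so an `se_policy_conf` that compiles public policy but keeps `se_policy_conf_flags_defaults` receives the sentinel level from `boardApiLevel` and silently sees every public type — the mechanism fails open rather than closed. Which `se_policy_conf` modules outside this diff still use the old defaults is not visible here, so a comment on the new `se_policy_conf_public_flags_defaults` block would help maintainers choose correctly, e.g. `// Use for every se_policy_conf that compiles system/sepolicy/public; the plain flags defaults skip the board API level guard and expose all public types.`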
@@ -7,3 +7,18 @@ define(`is_flag_enabled', `ifelse(target_flag_$1, `true', `$2')')
 # is_flag_disabled(flag, rules)
 # SELinux rules which apply only if given feature is turned off
 define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')')
+
+####################################
+# starting_at_board_api(api_level, rules)
+#
+# This macro conditionally exposes SELinux rules within system/sepolicy/public,
+# ensuring they are available to vendors only when the board API level is at or
+# above the specified 'api_level'.
+#
+# * Platform sepolicy: Rules are always enabled, regardless of API level.
+# * Vendor sepolicy: Rules are enabled only when the board API level meets or
+#   exceeds the value provided in 'api_level'.
+#
+# Apply this macro to public types and attributes (in system/sepolicy/public) to
+# restrict vendor access based on board API level.
+define(`starting_at_board_api', `ifelse(eval(target_board_api_level >= $1), 1, `$2')')
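Review bot: The header comment explains when the rules are enabled but not that `target_board_api_level` must be defined for `eval` to succeed; the value only comes from build/soong/policy.go's `-D target_board_api_level=` (the vendor API level when `board_api_level_guard` is set, otherwise a large sentinel), and this same macro file is also listed as a source of `contexts_defaults` in flagging/Android.bp, where no such define is visible in this diff, so a use of the macro there would likely fail inside m4 with an unhelpful message. Suggest adding to the comment block `# Requires target_board_api_level, which build/soong/policy.go passes via -D; only meaningful in .te policy compiled through se_policy_conf.` Optionally the macro could degrade predictably with an `ifdef(`target_board_api_level', ..., `$2')` wrapper, but the documented requirement is the more important part.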