Add 32.0 mapping files

Steps taken to produce the mapping files: 1. Add prebuilts/api/32.0/plat_pub_versioned.cil from the /vendor/etc/selinux/plat_pub_versioned.cil file built on sc-v2-dev with lunch target aosp_arm64-eng. Add prebuilts/api/32.0/vendor_sepolicy.cil as an empty file. When adding plat_pub_versioned.cil, leave only type and typeattribute statements, removing the other statements: allow, neverallow, role, etc. 2. Add new file private/compat/32.0/32.0.cil by doing the following: - copy /system/etc/selinux/mapping/32.0.cil from sc-v2-dev aosp_arm64-eng device to private/compat/32.0/32.0.cil - remove all attribute declaration statement (typeattribute ...) and sort lines alphabetically - some selinux types were added/renamed/deleted w.r.t 32 sepolicy. Find all such types using treble_sepolicy_tests_32.0 test. - for all these types figure out where to map them by looking at 31.0.[ignore.]cil files and add approprite entries to 32.0.[ignore.]cil. This change also enables treble_sepolicy_tests_32.0 and installs 32.0.cil mapping file onto the device. Bug: 206330997 Test: m treble_sepolicy_tests_32.0 Test: m 32.0_compat_test Test: m selinux_policy Change-Id: I8b2991e64e2f531ce12db7aaacad955e4e8ed687
2021-11-30 14:58:10 +09:00 · 2021-11-30 14:58:10 +09:00 · bee558e4bb
commit bee558e4bb
parent 43b6a317bc
7 changed files with 5923 additions and 6 deletions
--- a/Android.bp
+++ b/Android.bp
@ -86,6 +86,13 @@ se_filegroup {
    ],
 }

+se_filegroup {
+    name: "32.0.board.compat.map",
+    srcs: [
+        "compat/32.0/32.0.cil",
+    ],
+}
+
 se_filegroup {
    name: "26.0.board.compat.cil",
    srcs: [
@ -128,6 +135,13 @@ se_filegroup {
    ],
 }

+se_filegroup {
+    name: "32.0.board.compat.cil",
+    srcs: [
+        "compat/32.0/32.0.compat.cil",
+    ],
+}
+
 se_filegroup {
    name: "26.0.board.ignore.map",
    srcs: [
@ -170,6 +184,13 @@ se_filegroup {
    ],
 }

+se_filegroup {
+    name: "32.0.board.ignore.map",
+    srcs: [
+        "compat/32.0/32.0.ignore.cil",
+    ],
+}
+
 se_cil_compat_map {
    name: "plat_26.0.cil",
    stem: "26.0.cil",
@ -209,7 +230,14 @@ se_cil_compat_map {
    name: "plat_31.0.cil",
    stem: "31.0.cil",
    bottom_half: [":31.0.board.compat.map"],
-    // top_half: "plat_32.0.cil",
+    top_half: "plat_32.0.cil",
+}
+
+se_cil_compat_map {
+    name: "plat_32.0.cil",
+    stem: "32.0.cil",
+    bottom_half: [":32.0.board.compat.map"],
+    // top_half: "plat_33.0.cil",
 }

 se_cil_compat_map {
@ -256,7 +284,15 @@ se_cil_compat_map {
    name: "system_ext_31.0.cil",
    stem: "31.0.cil",
    bottom_half: [":31.0.board.compat.map"],
-    // top_half: "system_ext_32.0.cil",
+    top_half: "system_ext_32.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_32.0.cil",
+    stem: "32.0.cil",
+    bottom_half: [":32.0.board.compat.map"],
+    // top_half: "system_ext_33.0.cil",
    system_ext_specific: true,
 }

@ -304,7 +340,15 @@ se_cil_compat_map {
    name: "product_31.0.cil",
    stem: "31.0.cil",
    bottom_half: [":31.0.board.compat.map"],
-    // top_half: "product_32.0.cil",
+    top_half: "product_32.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_32.0.cil",
+    stem: "32.0.cil",
+    bottom_half: [":32.0.board.compat.map"],
+    // top_half: "product_33.0.cil",
    product_specific: true,
 }

@ -341,7 +385,13 @@ se_cil_compat_map {
 se_cil_compat_map {
    name: "31.0.ignore.cil",
    bottom_half: [":31.0.board.ignore.map"],
-    // top_half: "32.0.ignore.cil",
+    top_half: "32.0.ignore.cil",
+}
+
+se_cil_compat_map {
+    name: "32.0.ignore.cil",
+    bottom_half: [":32.0.board.ignore.map"],
+    // top_half: "33.0.ignore.cil",
 }

 se_cil_compat_map {
@ -354,7 +404,14 @@ se_cil_compat_map {
 se_cil_compat_map {
    name: "system_ext_31.0.ignore.cil",
    bottom_half: [":31.0.board.ignore.map"],
-    // top_half: "system_ext_32.0.ignore.cil",
+    top_half: "system_ext_32.0.ignore.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_32.0.ignore.cil",
+    bottom_half: [":32.0.board.ignore.map"],
+    // top_half: "system_ext_33.0.ignore.cil",
    system_ext_specific: true,
 }

@ -368,7 +425,14 @@ se_cil_compat_map {
 se_cil_compat_map {
    name: "product_31.0.ignore.cil",
    bottom_half: [":31.0.board.ignore.map"],
-    // top_half: "product_32.0.ignore.cil",
+    top_half: "product_32.0.ignore.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_32.0.ignore.cil",
+    bottom_half: [":32.0.board.ignore.map"],
+    // top_half: "product_33.0.ignore.cil",
    product_specific: true,
 }

@ -402,6 +466,11 @@ se_compat_cil {
    srcs: [":31.0.board.compat.cil"],
 }

+se_compat_cil {
+    name: "32.0.compat.cil",
+    srcs: [":32.0.board.compat.cil"],
+}
+
 se_compat_cil {
    name: "system_ext_26.0.compat.cil",
    srcs: [":26.0.board.compat.cil"],
@ -444,6 +513,13 @@ se_compat_cil {
    system_ext_specific: true,
 }

+se_compat_cil {
+    name: "system_ext_32.0.compat.cil",
+    srcs: [":32.0.board.compat.cil"],
+    stem: "32.0.compat.cil",
+    system_ext_specific: true,
+}
+
 se_filegroup {
    name: "file_contexts_files",
    srcs: ["file_contexts"],
--- a/Android.mk
+++ b/Android.mk
@ -1308,6 +1308,8 @@ version_under_treble_tests := 30.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
 version_under_treble_tests := 31.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+version_under_treble_tests := 32.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
 endif  # PRODUCT_SEPOLICY_SPLIT

 version_under_treble_tests := 26.0
@ -1322,6 +1324,8 @@ version_under_treble_tests := 30.0
 include $(LOCAL_PATH)/compat.mk
 version_under_treble_tests := 31.0
 include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 32.0
+include $(LOCAL_PATH)/compat.mk

 built_plat_sepolicy :=
 built_system_ext_sepolicy :=
--- a/prebuilts/api/32.0/plat_pub_versioned.cil
+++ b/prebuilts/api/32.0/plat_pub_versioned.cil
--- a/prebuilts/api/32.0/vendor_sepolicy.cil
+++ b/prebuilts/api/32.0/vendor_sepolicy.cil
@ -0,0 +1 @@
+;; empty stub
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
--- a/private/compat/32.0/32.0.compat.cil
+++ b/private/compat/32.0/32.0.compat.cil
@ -0,0 +1 @@
+;; This file can't be empty.
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@ -0,0 +1,49 @@
+;; new_objects - a collection of types that have been introduced that have no
+;;   analogue in older policy.  Thus, we do not need to map these types to
+;;   previous ones.  Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+  ( new_objects
+    apexd_select_prop
+    artd_service
+    attestation_verification_service
+    device_config_nnapi_native_prop
+    dice_maintenance_service
+    dice_node_service
+    diced
+    diced_exec
+    extra_free_kbytes
+    extra_free_kbytes_exec
+    hal_contexthub_service
+    hal_dice_service
+    hal_graphics_composer_service
+    hal_health_service
+    hal_nlinterceptor_service
+    hal_radio_config_service
+    hal_radio_data_service
+    hal_radio_messaging_service
+    hal_radio_modem_service
+    hal_radio_network_service
+    hal_radio_sim_service
+    hal_radio_voice_service
+    hal_sensors_service
+    hal_system_suspend_service
+    hal_tv_tuner_service
+    hal_uwb_service
+    hal_wifi_hostapd_service
+    hal_wifi_supplicant_service
+    locale_service
+    proc_watermark_boost_factor
+    proc_watermark_scale_factor
+    snapuserd_proxy_socket
+    supplemental_process_service
+    sysfs_fs_fuse_bpf
+    tare_service
+    tv_iapp_service
+    untrusted_app_30
+    vendor_uuid_mapping_config_file
+    vendor_vm_data_file
+    vendor_vm_file
+    virtual_device_service
+  ))