diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 321e9387e..d79d2f8c9 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -30,6 +30,7 @@
 ;; mapping file compiles with vendor policies without exported_audio_prop type.
 (typeattribute exported_audio_prop_28_0)
+;; mapping information from ToT policy's types to 28.0 policy's types.
 (expandtypeattribute (accessibility_service_28_0) true)
 (expandtypeattribute (account_service_28_0) true)
 (expandtypeattribute (activity_service_28_0) true)
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 2e85b23fc..783950ce5 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 28.0 vendors.
+;; will be compiled along with other normal policy files, on 28.0 vendors.
+;;
+
 (typeattribute vendordomain)
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 (allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index e7ddf4805..7213f9542 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 28.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
 (typeattributeset new_objects
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 5dba02081..731568723 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -14,6 +14,7 @@
 (type sysfs_mac_address)
 (type wificond_service)
+;; mapping information from ToT policy's types to 29.0 policy's types.
 (expandtypeattribute (accessibility_service_29_0) true)
 (expandtypeattribute (account_service_29_0) true)
 (expandtypeattribute (activity_service_29_0) true)
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index ccd9d1a05..0bb2ae838 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 29.0 vendors.
+;; will be compiled along with other normal policy files, on 29.0 vendors.
+;;
+
 (typeattribute vendordomain)
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 (allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 10790468f..e40888dcc 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 29.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
 (typeattributeset new_objects
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 44044fb1e..83d83ff70 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -21,6 +21,7 @@
 (typeattribute binder_in_vendor_violators)
+;; mapping information from ToT policy's types to 30.0 policy's types.
 (expandtypeattribute (DockObserver_service_30_0) true)
 (expandtypeattribute (IProxyService_service_30_0) true)
 (expandtypeattribute (accessibility_service_30_0) true)
diff --git a/private/compat/30.0/30.0.compat.cil b/private/compat/30.0/30.0.compat.cil
index 97c587489..b8bd755ca 100644
--- a/private/compat/30.0/30.0.compat.cil
+++ b/private/compat/30.0/30.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 30.0 vendors.
+;; will be compiled along with other normal policy files, on 30.0 vendors.
+;;
+
 (typeattribute vendordomain)
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index ba0a4946a..0a3d2e9a3 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 30.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
 (typeattributeset new_objects
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 0e90912df..b0df31447 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -9,6 +9,7 @@
 (type vr_hwc)
 (type vr_hwc_exec)
+;; mapping information from ToT policy's types to 31.0 policy's types.
 (expandtypeattribute (DockObserver_service_31_0) true)
 (expandtypeattribute (IProxyService_service_31_0) true)
 (expandtypeattribute (aac_drc_prop_31_0) true)
diff --git a/private/compat/31.0/31.0.compat.cil b/private/compat/31.0/31.0.compat.cil
index 628abfcda..787c92a8c 100644
--- a/private/compat/31.0/31.0.compat.cil
+++ b/private/compat/31.0/31.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 31.0 vendors.
+;; will be compiled along with other normal policy files, on 31.0 vendors.
+;;
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index a5a347514..0e39f3ec3 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 31.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
 (typeattributeset new_objects
diff --git a/private/compat/32.0/32.0.cil b/private/compat/32.0/32.0.cil
index 36724369b..171f0ad2c 100644
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
@@ -9,6 +9,7 @@
 (type vr_hwc)
 (type vr_hwc_exec)
+;; mapping information from ToT policy's types to 32.0 policy's types.
 (expandtypeattribute (DockObserver_service_32_0) true)
 (expandtypeattribute (IProxyService_service_32_0) true)
 (expandtypeattribute (aac_drc_prop_32_0) true)
diff --git a/private/compat/32.0/32.0.compat.cil b/private/compat/32.0/32.0.compat.cil
index 628abfcda..00ac11fd9 100644
--- a/private/compat/32.0/32.0.compat.cil
+++ b/private/compat/32.0/32.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 32.0 vendors.
+;; will be compiled along with other normal policy files, on 32.0 vendors.
+;;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index d810e0ae9..ec2a16d62 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 32.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
 (typeattributeset new_objects
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index d75b0fcf9..56da4964c 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -19,6 +19,7 @@
 (type wpantund_service)
 (type zoneinfo_data_file)
+;; mapping information from ToT policy's types to 33.0 policy's types.
 (expandtypeattribute (DockObserver_service_33_0) true)
 (expandtypeattribute (IProxyService_service_33_0) true)
 (expandtypeattribute (aac_drc_prop_33_0) true)
diff --git a/private/compat/33.0/33.0.compat.cil b/private/compat/33.0/33.0.compat.cil
index 628abfcda..53ee8ff9c 100644
--- a/private/compat/33.0/33.0.compat.cil
+++ b/private/compat/33.0/33.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 33.0 vendors.
+;; will be compiled along with other normal policy files, on 33.0 vendors.
+;;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index ede22842b..ffa7e4e94 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 33.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
 (typeattributeset new_objects
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index ca5ae91da..cd61c9aa8 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -29,9 +29,13 @@ import zipfile
 """This tool generates a mapping file for {ver} core sepolicy."""
 temp_dir = ''
-compat_cil_template = ";; This file can't be empty.\n"
-ignore_cil_template = """;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
+mapping_cil_footer = ";; mapping information from ToT policy's types to %s policy's types.\n"
+compat_cil_template = """;; complement CIL file for compatibility between ToT policy and %s vendors.
+;; will be compiled along with other normal policy files, on %s vendors.
+;;
+"""
+ignore_cil_template = """;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in %s policy. Thus, we do not need to map these types to
 ;; previous ones. Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
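Review bot: The new `ignore_cil_template` wraps its header differently from the 28.0 to 33.0 `*.ignore.cil` files edited in this same commit: the template's second line still ends with `these types to` and the unchanged third line still starts with `;; previous ones.`, while the checked-in files break after `need to map`. A file regenerated by the tool would therefore not match the hand-edited headers. Making the two template lines `;; that have no analogue in %s policy. Thus, we do not need to map` and `;; these types to previous ones. Add here to pass checkapi tests.` keeps tool output and checked-in policy identical. The template string continues past the end of this hunk.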
@@ -484,16 +488,17 @@ def main():
 f.write(';; types removed from current policy\n')
 f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types)))
 f.write('\n\n')
+ f.write(mapping_cil_footer % args.target_version)
 f.write(mapping_file_cil.unparse())
 with open(target_compat_file, 'w') as f:
 logging.info('writing %s' % target_compat_file)
- f.write(compat_cil_template)
+ f.write(compat_cil_template % (args.target_version, args.target_version))
 with open(target_ignore_file, 'w') as f:
 logging.info('writing %s' % target_ignore_file)
 f.write(ignore_cil_template %
- ('\n '.join(sorted(target_ignored_types))))
+ (args.target_version, '\n '.join(sorted(target_ignored_types))))
 finally:
 logging.info('Deleting temporary dir: {}'.format(temp_dir))
 shutil.rmtree(temp_dir)
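Review bot: `args.target_version` is now formatted directly into all three generated policy files (via `mapping_cil_footer`, `compat_cil_template` and `ignore_cil_template`), and a `;;` comment ends at the first newline, so a value containing a line break would leave the rest of the string in the CIL as policy statements. main() starts outside this hunk, so the argument may already be checked there. If it is not, reject anything that does not look like the versions on this page before the first write, for example `if not re.fullmatch(r'\d+\.\d+', args.target_version): raise ValueError('invalid target version')` (this needs `re` in scope). Separately, `mapping_cil_footer` is written ahead of `mapping_file_cil.unparse()`, so a name such as `mapping_cil_header` would describe it better.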