The module name is changed but it isn't applied to Android.mk
Bug: 296875906
Test: m selinux_policy and see se_freeze_test run
Change-Id: Ia25845a1aff2c2b5f910f8432a455ee93a157580
system/sepolicy should support both REL build and ToT build. That means
that system/sepolicy and prebuilts may differ. As the frozen sepolicy is
what vendor sepolicy uses, so we need to use prebuilts to run Treble
compat test.
Bug: 296875906
Test: m selinux_policy on REL
Change-Id: I4b290266ba87e3f011d640bec133fc88359ea52f
Rationale for this change:
1) Vendors use only public files, so we should be able to use only
public cil files for compatibility test.
2) treble_sepolicy_tests_for_release.mk is too complex, because it
requires compiled sepolicy. Reducing the complexity will help migrate
into REL build.
3) This fixes a tiny bug of treble_sepolicy_tests that it can't catch
public types being moved to private types, and then removed. 29.0.cil
and 30.0.cil change contains such missing public types.
Bug: 296875906
Test: m selinux_policy (with/without intentional breakage)
Change-Id: Ia2c0733176df898f268b5680195da25b588b09c7
... and remove redundant Makefile codes. This also updates commit hook
as we now only use Soong to build sepolicy.
Bug: 296875906
Test: m selinux_policy
Change-Id: I93f0d222a0c10e31c51c9380780a8927c47d62b1
"ot-ctl" is a command line tool which is useful for debugging or
testing with "ot-daemon". It's not required to be part of the
system image. It was previously added to the com.android.threadnetwork
apex package, and this commits removes it from the apex.
Test: ot-ctl is removed from /apex/com/android/threadnetwork/bin
Bug: 299224389
Change-Id: I607a02c9efb26f404ea9da2e5b7109094d3232b6
Contrast to its name, sepolicy_tests also contains tests related to
Treble. Also tests other than the compat mapping test in
treble_sepoliy_tests don't need to be run several times.
Moving tests except for compat mapping test to sepolicy_tests to
simplify treble_sepolicy_tests and to reduce build time.
Bug: 288807412
Test: m selinux_policy
Test: atest SELinuxHostTest
Change-Id: I102fa48faf49b7028dc1bb5f21de65fa99babe6f
For now, freeze_test compares prebuilts against sources with diff, to
ensure that sources are identical to prebuilts. However, it could be the
case that the branch should be able to build both REL and ToT. In that
case, changes to the sources are inevitable and the freeze test will
fail.
To fix the issue, freeze_test will now only check compatibility. To be
specific, it will check if any public types or attributes are removed.
Contexts files and neverallow rules are not checked, but they may be
added later. Also to support the new freeze_test
- build_files module is changed to use glob (because REL version won't
be in compat versions list)
- plat_pub_policy modules are added under prebuilts/api (because
freeze_test needs that)
Bug: 296875906
Test: m selinux_policy
Change-Id: I39c40992965b98664facea3b760d9d6be1f6b87e
This property will be used to set 16k dev options on device.
This will be product specific property and will be added on
specific devices.
Test: m, booted device with PRODUCT_16K_DEVELOPER_OPTION ON/OFF and
verified option visibility.
Bug: 297922563
Change-Id: I2be5e7236eb8259ef6d5893e70712a5c89aaad52
There is no one actively using mixed sepolicy build, and it made
sepolicy codes too complicated. As we are deprecating mixed build,
removing such code for cleanup.
Bug: 298305798
Test: boot cuttlefish
Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
This reverts commit 3bda1c9761.
Reason for revert: The fix ag/24590089 is verified with ABTD and merged
Change-Id: I17124df1ddfd52cbd2a17b1a90e0f332eb4e41f9
The binderservicedomain attribute grants further permissions than its
name suggests. Update the documentation to avoid its usage.
Bug: 297785784
Test: build, documentation update only.
Change-Id: I41bc6f32cf4d56bde320261fe221c3653cda945a
The artd daemon is not always active. When running, it exposes a binder
service which may be dumped when a bug report is triggered. The current
policy did not fully grant access which resulted in spurious denials if
a bugreport was triggered when the daemon was running.
Test: Run bugreport; observe correct dump of artd service
Bug: 282614147
Bug: 192197221
Change-Id: Ie0986d7716de33ec38ae09cfee14c629f5a414a6
Rather than PRODUCT_SHIPPING_API_LEVEL, use board api level
(BOARD_API_LEVEL or BOARD_SHIPPING_API_LEVEL) to determine whether we
check coredomain violations or not.
Bug: 280547417
Test: see build command of vendor_seapp_contexts
Change-Id: I20859d6054ab85f464b29631bdfd55ade3e78f53
