This reverts commit e3245a40df.
Reason for revert: Check for missing dependency is added now. It should fix builds on master-art branch.
Bug: 253648584
Change-Id: I1ecd4521a1038ace711a4abeb0964b764ad5bc94
Panic only if missing dependencies are not allowed while checking
fuzzer bindings. This fix should breakages on branches like master-art
where SOONG_ALLOW_MISSING_DEPENDENCIES is set.
Bug: 246590424
Test: m
Change-Id: I0f908f27de5f761495848f461c7d479117f9feda
This reverts commit f38fb73371.
Bug: 246590424
Reason for revert: Breaks projects which don't include a full tree (eg master-art)
Change-Id: I2a87bde5e959e9a700f0569d2ccf7894ea3dc7ab
Sepolicy changes for confirmationui while converting from hidl
to aidl.
Bug: b/205760172
Test: run vts -m VtsHalConfirmationUIV1_0Target
Change-Id: Ib21038fd89789755b978489f5293725b221d86c4
This is a part of changes to bring up Remote Key Provisioning Daemon
module. See packages/modules/RemoteKeyProvisioning for more info.
Change-Id: Iae4e98176491637acb03e2e09b9d8dbc269be616
Test: atest rkpd_client_test
Will add fuzzer once the service is implemented.
Test: Run remoteaccess HAL on gcar_emu. Verify the service is running.
Bug: 241483300
Change-Id: I01b31a88414536ddd90f9098f422ae43a48cf726
Add selinux policy so the healthconnect system service
can be accessed by other processes.
Bug: 246961138
Test: build
Change-Id: I37e0e7f1a2b4696b18f8876a107c509d2906e850
Conversion of the gatekeeper hidl interface to stable aidl interface.
Bug: 205760843
Test: run vts -m VtsHalGatekeeperTarget
Change-Id: I44f554e711efadcd31de79b543f42c0afb27c23c
Adding soong module and tool to check if there is fuzzer present
for every service in private/service_contexts. Whenever a service is
added, its is recommended to update
$ANDROID_BUILD_TOP/system/sepolicy/soong/build/service_fuzzer_bindings.go
with service name and its corresponding fuzzer.
Test: m
Bug: 242104782
Change-Id: Id9bc45f50bebf464de7c91c7469d4bb6ff153ebd
This is a roll-forward of some of the changes rolled back in
aosp/2170746. I am rolling forward in smaller chunks so that it is
easier to identify and avoid possible breakages.
Bug: 236691128
Test: atest SeamendcHostTest
Change-Id: Ibe451325d471fe04cd52683ba90a22543fa84c7c
Revert "Add java SeamendcHostTest in cts"
Revert submission 2111065-seamendc
Reason for revert: b/240731742, b/240462388 and b/240463116
Reverted Changes:
I3ce2845f2:Move parts of sdk_sandbox from private to apex pol...
I0c10106e2:Add java SeamendcHostTest in cts
Test: revert cl
Change-Id: If9981796694b22b7cbfe1368cd815889c741e69d
Partners should be able to add hal_attributes to system_ext or product's
public/attributes file. However, if system_ext or product's
public/attributes contain any domain sets, numbers for base_typeattr
become inconsistent. It's because the order is now:
...
te_macros
attributes
ioctl_defines
ioctl_macros
*.te
roles_decl
...
That is, system_ext/public/attributes and product/public/attributes are
included prior to system/sepolicy/**/*.te. Thus, plat_sepolicy.cil and
system_ext_sepolicy.cil/product_sepolicy.cil can conflict.
This change fixes this issue by making attributes and *.te files have
the same rank. This way, system_ext/public/attributes is included after
system/sepolicy/**/*.te.
Bug: 234137981
Test: m selinux_policy after adding hal_attribute to
system_ext/public/attributes
Change-Id: I85e1f6b8e4ab47c723724684d1938297a3305fe8
se_build_files is a replacement for se_filegroup module. se_build_files
can be used with the normal Soong convention ":module_name{.tag}" by
implementing android.OutputFileProducer. It's better than implementing
ad-hoc logics across various modules, which is the case for se_filegroup
module.
Test: build and boot
Change-Id: Ic0e34549601eb043145e433055f5a030eaf4347e
Treble sepolicy tests check whether previous versions are compatible to
ToT sepolicy or not. treble_sepolicy_tests_for_release.mk implements it,
but it also includes a compat test whether ToT sepolicy + {ver} mapping
+ {ver} plat_pub_versioned.cil can be built together or not. We
definitely need such tests, but we already have a test called "compat
test" which does exactly that, and testing it again with Treble sepolicy
tests is just redundant. The only difference between those two is that
Treble sepolicy tests can also test system_ext and product compat files,
which was contributed by a partner.
The ultimate goal here is to migrate *.mk to Soong, thus merging these
two tests (compat, Treble) into one. As we've already migrated the
compat test to Soong, this change removes the compat test part from
treble sepolicy tests. Instead, the compat test will be extended so it
can test system_ext and product compat files too.
prebuilts/api/{ver}/plat_pub_versioned.cil and
prebuilts/api/{ver}/vendor_sepolicy.cil are also removed as they aren't
used anymore: vendor_sepolicy.cil is an empty stub, and
plat_pub_versioned.cil can be built from the prebuilt source files.
Bug: 33691272
Test: m selinux_policy
Change-Id: I72f5ad0e8bbe6a7c0bbcc02f0f902b953df6ff1a
OutputFileProducer interface has been returning "conf", not the
designated stem.
Test: try including se_policy_conf module as other module's srcs
Change-Id: I17de5e10ed9bd1d45dc9a8b1be11ea6f5290c179
sepolicy_neverallow is based on a combination of calling checkpolicy
followed by sepolicy-analyze. If the first tool fails, the error message
associated with the second is returned, which is misleading.
Separate both part of the rule using a new build command.
Bug: 175911415
Test: Modify policy to trigger neverallow (checkpolicy); no misleading
messages from sepolicy-analyze
Change-Id: I5977ced23dee09a28c7df334e4790d212e0db0c1
Now that we have sepolicy module in Android.bp, we can migrate contexts
tests. Also vendor_service_contexts_test will be run, as we now include
vendor_service_contexts unconditionally.
Unfortunately, vendor_service_contexts_test is now broken, due to a
malformed type hal_power_stats_vendor_service. We will temporarily
exempt the type from the test, to speed up migrating to Android.bp.
Bug: 33691272
Test: m selinux_policy and see tests running
Test: add a malformed type other than hal_power_stats_vendor_service and
run tests
Change-Id: Ic60eb38b9a7c79006f0b5ff4453768e03006604b
compat_test tests whether {ver}.compat.cil is compatible to current
policy or not. This commit migrates all tests into a single module named
"sepolicy_compat_tests".
A minor issue is also resolved with this migration. Suppose that the
vendor's speolicy version is {VER}. Then the following cil files are
compiled in runtime.
- system/etc/selinux/plat_sepolicy.cil
- system/etc/selinux/mapping/{VER}.cil
- system/etc/selinux/mapping/{VER}.compat.cil (optional)
- system_ext/etc/selinux/system_ext_sepolicy.cil (optional)
- system_ext/etc/selinux/mapping/{VER}.cil (optional)
- system_ext/etc/selinux/mapping/{VER}.compat.cil (optional)
- product/etc/selinux/product_sepolicy.cil (optional)
- product/etc/selinux/mapping/{VER}.cil (optional)
- product/etc/selinux/mapping/{VER}.compat.cil (optional)
- vendor/etc/selinux/vendor_sepolicy.cil
- vendor/etc/selinux/plat_pub_versioned.cil
- odm/etc/selinux/odm_sepolicy.cil (optional)
That is, the vendor policy of version {VER} (vendor_sepolicy.cil,
plat_pub_versioned.cil, and odm_sepolicy.cil) is required to be
compatible only to {VER}.compat.cil. So, the vendor policy is included
only to $(BOARD_SEPOLICY_VERS)_compat_test. The other tests will be
built only with platform side policies.
Bug: 33691272
Test: boot
Test: manually edit {ver}.compat.cil files and try build
Change-Id: I16b30a9171f10ee8f08fc03b7bd7c047eec12b19
