Without this check, a release build may accidentally include additional
public types and attributes after "freeze".
Also this adds a detailed error message for how to fix.
Bug: 296875906
Bug: 330670954
Test: m selinux_policy
Change-Id: Ib43d8e1759ee7426f523042f44e7120e97ae0dd9

To prevent these types from being released in 24Q3, which must be the same
as the 202404 release.
Bug: 330670954
Test: build
Change-Id: Ibb124fbb069f2025a572bc09c73c241f808676c3

selinux_policy_system is in Android.mk. selinux_policy_system_soong is a
phony module in Android.bp for Soong-built system images.
Bug: 329208946
Test: m aosp_cf_system_x86_64
Change-Id: If101155c5a706925d52593bab648b878b075f7f2

'starting_at_board_api' macro is added to guard system/sepolicy/public
types and attributes. The macro will work only when compiling vendor/odm
sepolicy. When compiling platform sepolicy (system / system_ext /
product), rules will always be included, regardless of board API level.
Policy authors should guard new public types and attributes with this
macro, similar to LLNDK. The new types and attributes will be exposed
since next vFRC release.
Bug: 330671090
Test: manually build with various board API level, see output
Change-Id: I03c601ce8fe1f77c7608dc488317d20276fd2d47

These three files, general_sepolicy.conf / mapping.cil /
plat_sepolicy.cil will be used to test vendor sepolicy's neverallow
rules.
Bug: 330671085
Test: build
Change-Id: I763c9a1e647d614b84c0f7fe3d69affbe64f6153
Merged-In: I763c9a1e647d614b84c0f7fe3d69affbe64f6153
(cherry picked from commit 6f18a17ff8)

Since Android S, we started to enforce the debugfs restrictions. However,
GSI had it turned off (PRODUCT_SET_DEBUGFS_RESTRICTIONS := false) in order
to support pre-S vendor images.
This has an undesirable side effect that the restriction is turned off even
for S+ vendors.
This CL fixes it by
1) re-enabling the restriction for GSI and
2) manually adding the debugfs permissions only to the compat cil for the
pre-S (29 and 30) vendors, effectively turning the restriction off for
them.
Bug: 330671086
Test: build
Test: run neverallow CTS
Change-Id: I5cd554b1b9f729a540e6b0f2aa0662091b691f0c

sepolicy_neverallows hasn't been running on `m droid` because of
LOCAL_UNINSTALLED_MODULE := true.
Test: m selinux_policy
Change-Id: Ia7a79723a0f92e659171f50a0829baf83f311661

Adding a property to store time at which reboot was triggered from
native watchdog.
Test: manual
Bug: 291137901
Change-Id: Ied48c3690d0481fd8b08c9789cbfcb205759876c

This reverts commit 840041d5d2.
Reason for revert: 202404 prebuilts must not be changed since freeze.
Change-Id: I320fde8de611ad4ae1546f4ce754871a0646dcc4

System server needs to create a file in /metadata/aconfig, and set its
permissions.
Bug: 328444881
Test: m
Change-Id: I30aa576e46d8963e78ff21ad328160a99bd5d523

Allow some services to control connection_timeout for testing purposes.
Test: atest RkpdAppUnitTests
Change-Id: Id70ed60c4f67e8f7910870a0b28a2b409fe97f62

Fixes a typo in the docs of seapp_contexts: previously they
referenced the wrong file for the order in which input selectors
are compared.
Change-Id: I5e7ca126cdc8b557d5e590eb863bdf4300ec1a18

They are under RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES
Bug: 331708504
Test: check if the display shows
Change-Id: I06859493c995e384e1f30554a6a12b9cd3636f30

Updates to allow profiling module to run new trace_redactor binary.
Allow the trace_redactor binary to read the input trace file and write
the output file.
Bug: 327423523
Test: build/flash and
atest CtsProfilingModuleTests#testRequestSystemTraceSuccess
Change-Id: Id6684d8a9891e9ed42fe115066e41a89a7e8a097

* Since vFRC there are no more minor versions, so combine_maps.py is
  fixed to correctly handle both vFRC version and prior V.v version.
* treble_sepolicy_tests_for_release.mk uses incorrect variables
  SYSTEM_EXT_PREBUILT_POLICY and PRODUCT_PREBUILT_POLICY, so fixing
  them.
Bug: 331866470
Test: m selinux_policy
Change-Id: I7a3ab7cf3abf2155c1998e1972adee1202af8dff