Add mechanism for granting permissions to old vendor images
This addresses Treble backwards compat issues introduced in
aosp/793958 and aosp/783669.
Bug: 122874820
Test: build/flash blueline with pi-dev vendor and generic_ab system
images.
Test: adb pull /sys/fs/selinux/policy;
sesearch policy --allowx -s vendordomain -t dev_type
Change-Id: Ic2b304472bb88051e03740dc387834056aba641a
diff --git a/Android.bp b/Android.bp
index eeca38d..2934cd9 100644
--- a/Android.bp
+++ b/Android.bp
@@ -92,6 +92,24 @@
// top_half: "29.0.ignore.cil",
}
+prebuilt_etc {
+ name: "28.0.compat.cil",
+ src: "private/compat/28.0/28.0.compat.cil",
+ sub_dir: "selinux/mapping",
+}
+
+prebuilt_etc {
+ name: "27.0.compat.cil",
+ src: "private/compat/27.0/27.0.compat.cil",
+ sub_dir: "selinux/mapping",
+}
+
+prebuilt_etc {
+ name: "26.0.compat.cil",
+ src: "private/compat/26.0/26.0.compat.cil",
+ sub_dir: "selinux/mapping",
+}
+
se_filegroup {
name: "file_contexts_files",
srcs: ["file_contexts"],
diff --git a/Android.mk b/Android.mk
index 4e4a641..55a2f81 100644
--- a/Android.mk
+++ b/Android.mk
@@ -202,6 +202,7 @@
LOCAL_REQUIRED_MODULES += \
plat_mapping_file \
$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+ $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
plat_sepolicy.cil \
plat_sepolicy_and_mapping.sha256 \
secilc \
@@ -235,6 +236,7 @@
LOCAL_REQUIRED_MODULES += \
sepolicy_tests \
$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+ $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
endif
endif
@@ -1284,13 +1286,18 @@
# given release version.
version_under_treble_tests := 26.0
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-
version_under_treble_tests := 27.0
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-
version_under_treble_tests := 28.0
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+version_under_treble_tests := 26.0
+include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 27.0
+include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 28.0
+include $(LOCAL_PATH)/compat.mk
+
BASE_PLAT_PUBLIC_POLICY :=
BASE_PLAT_PRIVATE_POLICY :=
base_plat_policy.conf :=
diff --git a/compat.mk b/compat.mk
new file mode 100644
index 0000000..b4f8de0
--- /dev/null
+++ b/compat.mk
@@ -0,0 +1,40 @@
+version := $(version_under_treble_tests)
+
+include $(CLEAR_VARS)
+#################################
+# build this target to ensure the compat permissions files all build against the current policy
+#
+LOCAL_MODULE := $(version)_compat_test
+LOCAL_REQUIRED_MODULES := $(version).compat.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+all_cil_files := \
+ $(built_plat_cil) \
+ $(built_plat_mapping_cil) \
+ $(built_pub_vers_cil) \
+ $(built_vendor_cil) \
+ $(ALL_MODULES.$(version).compat.cil.BUILT) \
+
+ifdef HAS_PRODUCT_SEPOLICY
+all_cil_files += \
+ $(built_product_cil) \
+ $(built_product_mapping_cil) \
+
+endif
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
+ @mkdir -p $(dir $@)
+ $(hide) $< -m -N -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
+ $(hide) mv $@.tmp $@
+
+all_cil_files :=
+version :=
+version_under_treble_tests :=
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
new file mode 100644
index 0000000..9031d15
--- /dev/null
+++ b/private/compat/26.0/26.0.compat.cil
@@ -0,0 +1,4 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
+(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
new file mode 100644
index 0000000..9031d15
--- /dev/null
+++ b/private/compat/27.0/27.0.compat.cil
@@ -0,0 +1,4 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
+(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
new file mode 100644
index 0000000..9031d15
--- /dev/null
+++ b/private/compat/28.0/28.0.compat.cil
@@ -0,0 +1,4 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
+(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))