Merge "lmkd: Add ro.lmkd.lowmem_min_oom_score property policies" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index f403f8b..c9c809a 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -856,6 +856,7 @@
/data/app/vmdltest01.tmp/test apk_tmp_file
/data/app/vmdltest02.tmp/oat dalvikcache_data_file
/data/app/vmdltest02.tmp/oat/test dalvikcache_data_file
+/data/app-metadata apk_metadata_file
/data/app-private apk_private_data_file
/data/app-private/test apk_private_data_file
/data/app-private/vmdltest.tmp apk_private_tmp_file
diff --git a/private/file.te b/private/file.te
index b96e18b..7b2507c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -168,6 +168,9 @@
# This type is set on the directory through the `rootcontext=` mount option.
type pre_reboot_dexopt_artd_file, file_type;
+# /data/app-metadata - extracted app metadata bundles from APKs
+type apk_metadata_file, file_type, data_file_type, core_data_file_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
diff --git a/private/file_contexts b/private/file_contexts
index b209109..3f5c9ef 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -583,6 +583,7 @@
/data/apex/decompressed/(.*)? u:object_r:staging_data_file:s0
/data/apex/ota_reserved(/.*)? u:object_r:apex_ota_reserved_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
+/data/app-metadata(/.*)? u:object_r:apk_metadata_file:s0
# Traditional /data/app/[packageName]-[randomString]/base.apk location
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
# /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
diff --git a/private/priv_app.te b/private/priv_app.te
index 5c3f351..bb5da7c 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -96,6 +96,7 @@
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allowxperm priv_app { apk_tmp_file apk_private_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
# For AppFuse.
allow priv_app vold:fd use;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 8884a7a..a07d272 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -225,3 +225,4 @@
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
user=_app fromRunAs=true domain=runas_app levelFrom=user
user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
diff --git a/private/shell.te b/private/shell.te
index 8adc71c..ed99b53 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -426,6 +426,9 @@
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
+# Allow reads (but not writes) of the MGLRU state
+allow shell sysfs_lru_gen_enabled:file r_file_perms;
+
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 5c210c3..e129fa8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -518,6 +518,10 @@
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;
+# Manage /data/app-metadata
+allow system_server apk_metadata_file:dir create_dir_perms;
+allow system_server apk_metadata_file:file create_file_perms;
+
# Access input configuration files in the /vendor directory
r_dir_file(system_server, vendor_keylayout_file)
r_dir_file(system_server, vendor_keychars_file)
diff --git a/public/file.te b/public/file.te
index 5c64dc0..e4c01a2 100644
--- a/public/file.te
+++ b/public/file.te
@@ -22,8 +22,11 @@
type proc_kpageflags, fs_type, proc_type;
type proc_watermark_boost_factor, fs_type, proc_type;
type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
-# TODO(b/330670954): guard this once all internal references are removed.
-type proc_compaction_proactiveness, fs_type, proc_type;
+
+starting_at_board_api(202504, `
+ type proc_compaction_proactiveness, fs_type, proc_type;
+')
+
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
index b9b935c..fa05eb1 100644
--- a/tests/sepolicy_freeze_test.py
+++ b/tests/sepolicy_freeze_test.py
@@ -48,10 +48,6 @@
removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
added_attributes = current_policy.typeattributes - prebuilt_policy.typeattributes
- # TODO(b/330670954): remove this once all internal references are removed.
- if "proc_compaction_proactiveness" in added_types:
- added_types.remove("proc_compaction_proactiveness")
-
if removed_types:
results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index a55a921..745ab13 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -382,21 +382,25 @@
char *p, *start;
int result;
+ int non_comment_len = 0, cur_non_comment_len = 0;
+ char *cur_non_comment_text = calloc(1, (end - text) + 1);
+ char *non_comment_text = cur_non_comment_text;
+ if (!cur_non_comment_text)
+ goto err;
p = text;
+ bool in_comment = false;
while (p < end) {
- while (p < end && isspace(*p))
- p++;
-
- if (*p == '#') {
- while (p < end && *p != '\n')
- p++;
- continue;
- }
-
+ if (*p == '#') in_comment = true;
+ if (!in_comment || *p == '\n') *cur_non_comment_text++ = *p;
+ if (*p == '\n') in_comment = false;
+ ++p;
+ }
+ p = non_comment_text;
+ end = cur_non_comment_text;
+ while (p < end) {
+ while (p < end && isspace(*p)) p++;
start = p;
- while (p < end && !isspace(*p))
- p++;
-
+ while (p < end && !isspace(*p)) p++;
len = p - start;
if (len != keyword_size || strncmp(start, keyword, keyword_size))
continue;
@@ -437,8 +441,10 @@
result = check_assertions(NULL, policydb, neverallows);
avrule_list_destroy(neverallows);
+ free(non_comment_text);
return result;
err:
+ free(non_comment_text);
if (errno == ENOMEM) {
fprintf(stderr, "Out of memory while parsing neverallow rules\n");
} else