Merge "lmkd: Add ro.lmkd.lowmem_min_oom_score property policies" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index f403f8b..c9c809a 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -856,6 +856,7 @@
 /data/app/vmdltest01.tmp/test                                     apk_tmp_file
 /data/app/vmdltest02.tmp/oat                                      dalvikcache_data_file
 /data/app/vmdltest02.tmp/oat/test                                 dalvikcache_data_file
+/data/app-metadata                                                apk_metadata_file
 /data/app-private                                                 apk_private_data_file
 /data/app-private/test                                            apk_private_data_file
 /data/app-private/vmdltest.tmp                                    apk_private_tmp_file
diff --git a/private/file.te b/private/file.te
index b96e18b..7b2507c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -168,6 +168,9 @@
 # This type is set on the directory through the `rootcontext=` mount option.
 type pre_reboot_dexopt_artd_file, file_type;
 
+# /data/app-metadata - extracted app metadata bundles from APKs
+type apk_metadata_file, file_type, data_file_type, core_data_file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
diff --git a/private/file_contexts b/private/file_contexts
index b209109..3f5c9ef 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -583,6 +583,7 @@
 /data/apex/decompressed/(.*)?    u:object_r:staging_data_file:s0
 /data/apex/ota_reserved(/.*)?       u:object_r:apex_ota_reserved_file:s0
 /data/app(/.*)?                       u:object_r:apk_data_file:s0
+/data/app-metadata(/.*)?              u:object_r:apk_metadata_file:s0
 # Traditional /data/app/[packageName]-[randomString]/base.apk location
 /data/app/[^/]+/oat(/.*)?                u:object_r:dalvikcache_data_file:s0
 # /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
diff --git a/private/priv_app.te b/private/priv_app.te
index 5c3f351..bb5da7c 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -96,6 +96,7 @@
 # Allow verifier to access staged apks.
 allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allowxperm priv_app { apk_tmp_file apk_private_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
 
 # For AppFuse.
 allow priv_app vold:fd use;
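Review bot: The new `allowxperm` line for `FS_IOC_MEASURE_VERITY` sits under a comment that only says the verifier may access staged apks, so why an ioctl allow-list is now needed, and that it is read-only, is undocumented. A one-line comment directly above it, e.g. `# FS_IOC_MEASURE_VERITY only returns the fs-verity digest of a staged apk; no other ioctl is granted`, would make that explicit. The `ioctl` permission itself comes from `r_file_perms` on the preceding line; once an `allowxperm` exists for this source/target/class, any ioctl request not listed is denied, which is worth stating so a future addition does not widen it casually.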
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 8884a7a..a07d272 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -225,3 +225,4 @@
 user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
 user=_app fromRunAs=true domain=runas_app levelFrom=user
 user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
diff --git a/private/shell.te b/private/shell.te
index 8adc71c..ed99b53 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -426,6 +426,9 @@
 allow shell sysfs_batteryinfo:dir r_dir_perms;
 allow shell sysfs_batteryinfo:file r_file_perms;
 
+# Allow reads (but not writes) of the MGLRU state
+allow shell sysfs_lru_gen_enabled:file r_file_perms;
+
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
diff --git a/private/system_server.te b/private/system_server.te
index 5c210c3..e129fa8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -518,6 +518,10 @@
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
+# Manage /data/app-metadata
+allow system_server apk_metadata_file:dir create_dir_perms;
+allow system_server apk_metadata_file:file create_file_perms;
+
 # Access input configuration files in the /vendor directory
 r_dir_file(system_server, vendor_keylayout_file)
 r_dir_file(system_server, vendor_keychars_file)
diff --git a/public/file.te b/public/file.te
index 5c64dc0..e4c01a2 100644
--- a/public/file.te
+++ b/public/file.te
@@ -22,8 +22,11 @@
 type proc_kpageflags, fs_type, proc_type;
 type proc_watermark_boost_factor, fs_type, proc_type;
 type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
-# TODO(b/330670954): guard this once all internal references are removed.
-type proc_compaction_proactiveness, fs_type, proc_type;
+
+starting_at_board_api(202504, `
+    type proc_compaction_proactiveness, fs_type, proc_type;
+')
+
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, proc_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
index b9b935c..fa05eb1 100644
--- a/tests/sepolicy_freeze_test.py
+++ b/tests/sepolicy_freeze_test.py
@@ -48,10 +48,6 @@
     removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
     added_attributes = current_policy.typeattributes - prebuilt_policy.typeattributes
 
-    # TODO(b/330670954): remove this once all internal references are removed.
-    if "proc_compaction_proactiveness" in added_types:
-        added_types.remove("proc_compaction_proactiveness")
-
     if removed_types:
         results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
 
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index a55a921..745ab13 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -382,21 +382,25 @@
     char *p, *start;
     int result;
 
+    int non_comment_len = 0, cur_non_comment_len = 0;
+    char *cur_non_comment_text = calloc(1, (end - text) + 1);
+    char *non_comment_text = cur_non_comment_text;
+    if (!cur_non_comment_text)
+        goto err;
     p = text;
+    bool in_comment = false;
     while (p < end) {
-        while (p < end && isspace(*p))
-            p++;
-
-        if (*p == '#') {
-            while (p < end && *p != '\n')
-                p++;
-            continue;
-        }
-
+        if (*p == '#') in_comment = true;
+        if (!in_comment || *p == '\n') *cur_non_comment_text++ = *p;
+        if (*p == '\n') in_comment = false;
+        ++p;
+    }
+    p = non_comment_text;
+    end = cur_non_comment_text;
+    while (p < end) {
+        while (p < end && isspace(*p)) p++;
         start = p;
-        while (p < end && !isspace(*p))
-            p++;
-
+        while (p < end && !isspace(*p)) p++;
         len = p - start;
         if (len != keyword_size || strncmp(start, keyword, keyword_size))
             continue;
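Review bot: `non_comment_len` and `cur_non_comment_len` on the first added line are initialised but never read anywhere in this hunk; unless the rest of the function (which starts before and continues after this hunk) uses them they should be dropped, since `-Wunused-variable` will flag them and the copied length is already carried by `end = cur_non_comment_text`. The `goto err` right after the `calloc` is safe only because `non_comment_text` was just copied from the NULL result; any `goto err` earlier in the function (not visible here) would reach the `free(non_comment_text)` at `err:` with an uninitialised pointer, so declaring it as `char *non_comment_text = NULL;` next to `p`/`start` is the more robust form. The two `isspace(*p)` calls in the rewritten scan pass a plain `char`; `isspace((unsigned char)*p)` avoids undefined behaviour on a negative byte value in the policy text.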
@@ -437,8 +441,10 @@
 
     result = check_assertions(NULL, policydb, neverallows);
     avrule_list_destroy(neverallows);
+    free(non_comment_text);
     return result;
 err:
+    free(non_comment_text);
     if (errno == ENOMEM) {
         fprintf(stderr, "Out of memory while parsing neverallow rules\n");
     } else
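Review bot: The `free(non_comment_text)` added under `err:` runs before the `errno == ENOMEM` test on the following line, and the C standard permits any library call, `free()` included, to modify `errno`, so a genuine out-of-memory failure may be reported as a generic parse error. Preserve it around the release: `int saved_errno = errno; free(non_comment_text); errno = saved_errno;`, or move the `free` below the diagnostic. The function body continues past the end of this hunk.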