Merge changes Ib43d8e17,Ibb124fbb into main

* changes:
  Reland "Check added types/attributes on freeze test too"
  Guard new types with starting_at_board_api macro

3 files changed, 45 insertions, 8 deletions

diff --git a/public/file.te b/public/file.te
index 4700dedf4..5c64dc099 100644
--- a/public/file.te
+++ b/public/file.te
@@ -8,7 +8,11 @@ type binderfs, fs_type;
 type binderfs_logs, fs_type;
 type binderfs_logs_proc, fs_type;
 type binderfs_logs_stats, fs_type;
-type binderfs_logs_transactions, fs_type;
+
+starting_at_board_api(202504, `
+    type binderfs_logs_transactions, fs_type;
+')
+
 type binderfs_features, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type, proc_type;
@@ -18,6 +22,7 @@ type proc_min_free_order_shift, fs_type, proc_type;
 type proc_kpageflags, fs_type, proc_type;
 type proc_watermark_boost_factor, fs_type, proc_type;
 type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
+# TODO(b/330670954): guard this once all internal references are removed.
 type proc_compaction_proactiveness, fs_type, proc_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, proc_type;
@@ -139,8 +144,13 @@ type fs_bpf, fs_type, bpffs_type;
 # TODO: S+ fs_bpf_tethering (used by mainline) should be private
 type fs_bpf_tethering, fs_type, bpffs_type;
 type fs_bpf_vendor, fs_type, bpffs_type;
-type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
-type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
+
+starting_at_board_api(202504, `
+    type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
+    type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
+')
+
+
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/public/property.te b/public/property.te
index fd12d7f77..47a1bde20 100644
--- a/public/property.te
+++ b/public/property.te
@@ -76,7 +76,6 @@ system_restricted_prop(device_config_surface_flinger_native_boot_prop)
 system_restricted_prop(device_config_vendor_system_native_prop)
 system_restricted_prop(device_config_vendor_system_native_boot_prop)
 system_restricted_prop(drm_forcel3_prop)
-system_restricted_prop(enable_16k_pages_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
@@ -104,7 +103,11 @@ system_restricted_prop(usb_prop)
 system_restricted_prop(userspace_reboot_exported_prop)
 system_restricted_prop(vold_status_prop)
 system_restricted_prop(vts_status_prop)
-system_restricted_prop(profcollectd_etr_prop)
+
+starting_at_board_api(202504, `
+    system_restricted_prop(enable_16k_pages_prop)
+    system_restricted_prop(profcollectd_etr_prop)
+')
 
 compatible_property_only(`
     # DO NOT ADD ANY PROPERTIES HERE
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
index 72c8fde33..b9b935cd8 100644
--- a/tests/sepolicy_freeze_test.py
+++ b/tests/sepolicy_freeze_test.py
@@ -37,20 +37,44 @@ def do_main():
 
     current_policy = mini_parser.MiniCilParser(options.current)
     prebuilt_policy = mini_parser.MiniCilParser(options.prebuilt)
+    current_policy.typeattributes = set(filter(lambda x: "base_typeattr_" not in x,
+                                               current_policy.typeattributes))
+    prebuilt_policy.typeattributes = set(filter(lambda x: "base_typeattr_" not in x,
+                                                prebuilt_policy.typeattributes))
 
     results = ""
     removed_types = prebuilt_policy.types - current_policy.types
+    added_types = current_policy.types - prebuilt_policy.types
     removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
-    removed_attributes = set(filter(lambda x: "base_typeattr_" not in x, removed_attributes))
+    added_attributes = current_policy.typeattributes - prebuilt_policy.typeattributes
+
+    # TODO(b/330670954): remove this once all internal references are removed.
+    if "proc_compaction_proactiveness" in added_types:
+        added_types.remove("proc_compaction_proactiveness")
 
     if removed_types:
         results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
 
+    if added_types:
+        results += "The following public types were added:\n" + ", ".join(added_types) + "\n"
+
     if removed_attributes:
         results += "The following public attributes were removed:\n" + ", ".join(removed_attributes) + "\n"
 
-    if len(results) > 0:
-        sys.exit(results)
+    if added_attributes:
+        results += "The following public attributes were added:\n" + ", ".join(added_attributes) + "\n"
+
+    if results:
+        sys.exit(f'''{results}
+******************************
+You have tried to change system/sepolicy/public after vendor API freeze.
+To make these errors go away, you can guard types and attributes listed above,
+so they won't be included to the release build.
+
+See an example of how to guard them:
+    https://android-review.googlesource.com/3050544
+******************************
+''')
 
 if __name__ == '__main__':
     do_main()