Merge changes from topic "apex_sepolicy_tests-treble" into main
* changes:
Virtual Face HAL belongs to "system", not "vendor"
apex_sepolicy_tests: check system/vendor attr
diff --git a/Android.bp b/Android.bp
index 558810c..24b6fbc 100644
--- a/Android.bp
+++ b/Android.bp
@@ -906,8 +906,32 @@
// Additional directories can be specified via Makefile variables:
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////
+
+FREEZE_TEST_BOARD_API_LEVEL = "202404"
+
+se_policy_conf {
+ name: "base_plat_pub_policy_for_freeze_test.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: plat_public_policy +
+ reqd_mask_policy,
+ build_variant: "user",
+ installable: false,
+ board_api_level: FREEZE_TEST_BOARD_API_LEVEL,
+}
+
+se_policy_cil {
+ name: "base_plat_pub_policy_for_freeze_test.cil",
+ src: ":base_plat_pub_policy_for_freeze_test.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
se_freeze_test {
name: "se_freeze_test",
+ board_api_level: FREEZE_TEST_BOARD_API_LEVEL,
+ current_cil: ":base_plat_pub_policy_for_freeze_test.cil",
+ prebuilt_cil: ":" + FREEZE_TEST_BOARD_API_LEVEL + "_plat_pub_policy.cil",
}
//////////////////////////////////
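Review bot: `FREEZE_TEST_BOARD_API_LEVEL = "202404"` is a bare literal that now drives three things (the board_api_level of the new freeze-test conf, se_freeze_test's board_api_level, and the prebuilt cil module name built from it), and nothing says when it has to change; a one-line comment would make the maintenance step explicit, e.g. `// Board API level of the frozen platform public policy that ToT policy is compared against; update when system/sepolicy is frozen for a new board API level.`. It would also help to record why a separate base_plat_pub_policy_for_freeze_test.conf is compiled instead of reusing base_plat_pub_policy.cil, which the Go side depended on before this change — presumably so ToT policy is built at the frozen board API level and types guarded by starting_at_board_api do not show up as freeze diffs; confirm and state it above the se_policy_conf block.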
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index 41d460d..21f6dba 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -20,9 +20,6 @@
"android/soong/android"
)
-var currentCilTag = dependencyTag{name: "current_cil"}
-var prebuiltCilTag = dependencyTag{name: "prebuilt_cil"}
-
func init() {
ctx := android.InitRegistrationContext
ctx.RegisterModuleType("se_freeze_test", freezeTestFactory)
@@ -33,72 +30,35 @@
// SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
func freezeTestFactory() android.Module {
f := &freezeTestModule{}
+ f.AddProperties(&f.properties)
android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
- android.AddLoadHook(f, func(ctx android.LoadHookContext) {
- f.loadHook(ctx)
- })
return f
}
+type freezeTestProperties struct {
+ // Frozen SEPolicy version to compare
+ Board_api_level *string
+
+ // Path to the base platform public policy cil
+ Current_cil *string `android:"path"`
+
+ // Path to the prebuilt cil of given board API level
+ Prebuilt_cil *string `android:"path"`
+}
+
type freezeTestModule struct {
android.ModuleBase
+
+ properties freezeTestProperties
+
freezeTestTimestamp android.ModuleOutPath
}
-func (f *freezeTestModule) shouldRunTest(ctx android.EarlyModuleContext) bool {
+func (f *freezeTestModule) shouldCompareExtraDirs(ctx android.EarlyModuleContext) bool {
val, _ := ctx.Config().GetBuildFlag("RELEASE_BOARD_API_LEVEL_FROZEN")
return val == "true"
}
-func (f *freezeTestModule) loadHook(ctx android.LoadHookContext) {
- extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
- extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
-
- if !f.shouldRunTest(ctx) {
- if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
- ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
- return
- }
-
- return
- }
-
- if len(extraDirs) != len(extraPrebuiltDirs) {
- ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
- return
- }
-}
-
-func (f *freezeTestModule) prebuiltCilModuleName(ctx android.EarlyModuleContext) string {
- return ctx.DeviceConfig().PlatformSepolicyVersion() + "_plat_pub_policy.cil"
-}
-
-func (f *freezeTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
- if !f.shouldRunTest(ctx) {
- return
- }
-
- ctx.AddDependency(f, currentCilTag, "base_plat_pub_policy.cil")
- ctx.AddDependency(f, prebuiltCilTag, f.prebuiltCilModuleName(ctx))
-}
-
-func (f *freezeTestModule) outputFileOfDep(ctx android.ModuleContext, depTag dependencyTag) android.Path {
- deps := ctx.GetDirectDepsWithTag(depTag)
- if len(deps) != 1 {
- ctx.ModuleErrorf("%d deps having tag %q; expected only one dep", len(deps), depTag)
- return nil
- }
-
- dep := deps[0]
- output := android.OutputFilesForModule(ctx, dep, "")
- if len(output) != 1 {
- ctx.ModuleErrorf("module %q produced %d outputs; expected only one output", dep.String(), len(output))
- return nil
- }
-
- return output[0]
-}
-
func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if ctx.ModuleName() != "se_freeze_test" || ctx.ModuleDir() != "system/sepolicy" {
// two freeze test modules don't make sense.
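Review bot: Board_api_level is declared in freezeTestProperties and set from Android.bp, but none of the visible hunks read f.properties.Board_api_level; if GenerateAndroidBuildActions does not consume it elsewhere it is dead input, and if it is meant to select the prebuilt it should be tied to Prebuilt_cil rather than both being specified independently. Whichever is the case, the field comment should say what the Go side does with it, e.g. `// Board API level the frozen policy in prebuilt_cil was taken from; informational only, the cil paths are given explicitly.` if it is indeed unused. shouldCompareExtraDirs still discards the second result of GetBuildFlag, which is fine while an unset RELEASE_BOARD_API_LEVEL_FROZEN should read as "not frozen", but a short comment saying so would stop a later reader from "fixing" it. The hunk ends inside GenerateAndroidBuildActions, whose body continues past it.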
@@ -107,15 +67,9 @@
f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
- if !f.shouldRunTest(ctx) {
- // we still build a rule to prevent possible regression
- android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
- return
- }
-
// Freeze test 1: compare ToT sepolicy and prebuilt sepolicy
- currentCil := f.outputFileOfDep(ctx, currentCilTag)
- prebuiltCil := f.outputFileOfDep(ctx, prebuiltCilTag)
+ currentCil := android.PathForModuleSrc(ctx, String(f.properties.Current_cil))
+ prebuiltCil := android.PathForModuleSrc(ctx, String(f.properties.Prebuilt_cil))
if ctx.Failed() {
return
}
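Review bot: Neither Current_cil nor Prebuilt_cil is checked for being set before the String() calls: a missing property becomes an empty string, and PathForModuleSrc(ctx, "") likely resolves to the module directory rather than reporting an error, so a misconfigured se_freeze_test would fail later in the build with an unrelated message instead of at the property that is wrong. A guard before these two lines keeps the failure where the mistake is: `if f.properties.Current_cil == nil || f.properties.Prebuilt_cil == nil { ctx.ModuleErrorf("current_cil and prebuilt_cil must both be set"); return }`. With the shouldRunTest short-circuit removed from this function the cil comparison now always runs; a comment above the `Freeze test 1` line noting that the pre-freeze case is now handled by pinning the board API level in Android.bp would save the next reader a search. GenerateAndroidBuildActions starts before this hunk and continues after it.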
@@ -131,23 +85,35 @@
extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
var implicits []string
- for _, dir := range append(extraDirs, extraPrebuiltDirs...) {
- glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
- if err != nil {
- ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
+ if f.shouldCompareExtraDirs(ctx) {
+ if len(extraDirs) != len(extraPrebuiltDirs) {
+ ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
return
}
- implicits = append(implicits, glob...)
- }
- sort.Strings(implicits)
- for idx, _ := range extraDirs {
- rule.Command().Text("diff").
- Flag("-r").
- Flag("-q").
- FlagWithArg("-x ", "bug_map"). // exclude
- Text(extraDirs[idx]).
- Text(extraPrebuiltDirs[idx])
+ for _, dir := range append(extraDirs, extraPrebuiltDirs...) {
+ glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
+ if err != nil {
+ ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
+ return
+ }
+ implicits = append(implicits, glob...)
+ }
+ sort.Strings(implicits)
+
+ for idx, _ := range extraDirs {
+ rule.Command().Text("diff").
+ Flag("-r").
+ Flag("-q").
+ FlagWithArg("-x ", "bug_map"). // exclude
+ Text(extraDirs[idx]).
+ Text(extraPrebuiltDirs[idx])
+ }
+ } else {
+ if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
+ ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
+ return
+ }
}
rule.Command().Text("touch").
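Review bot: `for idx, _ := range extraDirs` (the loop emitting the diff commands) carries a redundant blank identifier that gofmt -s and staticcheck both flag; `for idx := range extraDirs` is the idiomatic form since the body only indexes the two slices. The new `if f.shouldCompareExtraDirs(ctx) { … } else { … }` also puts the twenty-line glob-and-diff body under an extra level of indentation just to reach a two-line error check in the else branch; doing the "not frozen" check first, as below, keeps the comparison code flat and lets the two ModuleErrorf conditions read as a pair. Both points are style only; behaviour is unchanged. The enclosing GenerateAndroidBuildActions starts before this hunk and continues after it.
```go
	compareExtraDirs := f.shouldCompareExtraDirs(ctx)
	if !compareExtraDirs && (len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0) {
		ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
		return
	}
	if compareExtraDirs {
		// … unchanged: length check, glob of extra dirs into implicits, sort …
		for idx := range extraDirs {
			// … unchanged: diff -r -q -x bug_map command …
		}
	}
```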
diff --git a/compat/plat_sepolicy_genfs_202504.cil b/compat/plat_sepolicy_genfs_202504.cil
index 79cc732..d78194f 100644
--- a/compat/plat_sepolicy_genfs_202504.cil
+++ b/compat/plat_sepolicy_genfs_202504.cil
@@ -1 +1,2 @@
(genfscon sysfs "/class/udc" (u object_r sysfs_udc ((s0) (s0))))
+(genfscon sysfs "/power/mem_sleep" (u object_r sysfs_mem_sleep ((s0) (s0))))
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index fc2d7b8..fcaf9f6 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -321,7 +321,6 @@
/system/bin/fsck.f2fs fsck_exec
/system/bin/init init_exec
/system/bin/mini-keyctl toolbox_exec
-/system/bin/fsverity_init fsverity_init_exec
/system/bin/sload_f2fs e2fs_exec
/system/bin/make_f2fs e2fs_exec
/system/bin/fsck_msdos fsck_exec
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index e4315a2..822797c 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -14,6 +14,10 @@
# Allow to set debug prop
set_prop(microdroid_payload, debug_prop)
+# Allow to use service manager APIs without waiting for the servicemanager
+# process because it's not installed in microdroid
+get_prop(microdroid_payload, servicemanager_prop)
+
# Allow microdroid_payload to use vsock inherited from microdroid_manager
allow microdroid_payload microdroid_manager:vsock_socket { read write };
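Review bot: The comment on the new get_prop says the payload may use service manager APIs without waiting for servicemanager, but not which property carries that signal; this same change maps only `servicemanager.installed` to servicemanager_prop in microdroid's property_contexts, so naming it makes the rule checkable: `# Allow reading servicemanager.installed so service manager APIs don't wait for a servicemanager process, which isn't installed in microdroid`. Note that get_prop grants read access to every property labelled servicemanager_prop, so any property later mapped to that type in microdroid becomes readable by the payload as well.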
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 803e25e..13306dd 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -122,6 +122,9 @@
microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
+# servicemanager property to avoid waiting for servicemanager process
+servicemanager.installed u:object_r:servicemanager_prop:s0 exact bool
+
init_debug_policy.adbd.enabled u:object_r:init_debug_policy_prop:s0 exact bool
dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 18dab10..ae1c70c 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -50,6 +50,7 @@
type usb_control_prop, property_type;
type vendor_default_prop, property_type;
type powerctl_prop, property_type;
+type servicemanager_prop, property_type;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index c78632b..e9c97e5 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -2475,7 +2475,7 @@
(typeattributeset surfaceflinger_tmpfs_202404 (surfaceflinger_tmpfs))
(typeattributeset suspend_prop_202404 (suspend_prop))
(typeattributeset swap_block_device_202404 (swap_block_device))
-(typeattributeset sysfs_202404 (sysfs sysfs_udc))
+(typeattributeset sysfs_202404 (sysfs sysfs_mem_sleep sysfs_udc))
(typeattributeset sysfs_android_usb_202404 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_202404 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_202404 (sysfs_bluetooth_writable))
diff --git a/private/domain.te b/private/domain.te
index a8ec298..6aaf5de 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -526,11 +526,12 @@
# still contains global information about the system.
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms;
-# Allow access to fsverity keyring.
+# Needed for loading kernel modules.
+# TODO(384942085): Reduce the scope.
allow domain kernel:key search;
-# Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain fsverity_init:key search;
+
# For testing purposes, allow access to keys installed with su.
+# TODO(277916185): Remove since this shouldn't be needed anymore.
userdebug_or_eng(`
allow domain su:key search;
')
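Review bot: `allow domain kernel:key search;` is granted to every domain, while the replacement comment justifies it with kernel module loading, which only a few domains perform; the old comment tied the same rule to the fs-verity keyring, which this change removes together with fsverity_init, so a reader can no longer tell which consumers remain and why the grant cannot be narrowed now. The comment should record that, e.g. `# Needed for loading kernel modules; granted to every domain until the remaining keyring users are identified. TODO(384942085): Reduce the scope.`. When the scope is reduced, a neverallow on kernel:key search for the excluded domains would keep it from silently widening again.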
diff --git a/private/file.te b/private/file.te
index 856af1d..b60ce34 100644
--- a/private/file.te
+++ b/private/file.te
@@ -259,5 +259,8 @@
type tee_service_contexts_file, system_file_type, file_type;
')
-## END Types added in 202504 in public/file.te
+until_board_api(202504, `
+ type sysfs_mem_sleep, fs_type, sysfs_type;
+')
+## END Types added in 202504 in public/file.te
diff --git a/private/file_contexts b/private/file_contexts
index d6f7113..7e7ae7c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -256,7 +256,6 @@
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
-/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
deleted file mode 100644
index a3765ec..0000000
--- a/private/fsverity_init.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type fsverity_init, domain, coredomain;
-type fsverity_init_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(fsverity_init)
-
-# Allow to read /proc/keys for searching key id.
-allow fsverity_init proc_keys:file r_file_perms;
-
-# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
-dontaudit fsverity_init domain:key view;
-allow fsverity_init kernel:key { view search write setattr };
-allow fsverity_init fsverity_init:key { view search write };
-
-# Read the on-device signing certificate, to be able to add it to the keyring
-allow fsverity_init odsign:fd use;
-allow fsverity_init odsign_data_file:file { getattr read };
diff --git a/private/keystore.te b/private/keystore.te
index 014903e..41c29db 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -39,7 +39,7 @@
# can call keystore methods on those references.
allow keystore vold:binder transfer;
-set_prop(keystore, keystore_crash_prop)
+set_prop(keystore, keystore_diagnostics_prop)
# Allow keystore to monitor the `apexd.status` property.
get_prop(keystore, apexd_prop)
@@ -102,6 +102,6 @@
neverallow * keystore:process ptrace;
-# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
-# system property, an exception is added for init as well.
-neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
+# Only keystore can set keystore_diagnostics_prop system properties. Since init is allowed to set
+# any system property, an exception is added for init as well.
+neverallow { domain -keystore -init } keystore_diagnostics_prop:property_service set;
diff --git a/private/odsign.te b/private/odsign.te
index f06795c..4af0708 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -51,9 +51,6 @@
# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
-# Run fsverity_init to add key to fsverity keyring
-domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-
# Run compos_verify to verify CompOs signatures
domain_auto_trans(odsign, compos_verify_exec, compos_verify)
@@ -65,5 +62,5 @@
set_prop(odsign, ctl_odsign_prop)
# Neverallows
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
+neverallow { domain -odsign -init} odsign_data_file:dir ~search;
+neverallow { domain -odsign -init} odsign_data_file:file *;
diff --git a/private/property.te b/private/property.te
index 92e244d..dec43e1 100644
--- a/private/property.te
+++ b/private/property.te
@@ -30,7 +30,7 @@
system_internal_prop(init_storage_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(kcmdline_prop)
-system_internal_prop(keystore_crash_prop)
+system_internal_prop(keystore_diagnostics_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
@@ -77,7 +77,7 @@
system_internal_prop(system_service_enable_prop)
system_internal_prop(ctl_artd_pre_reboot_prop)
system_internal_prop(trusty_security_vm_sys_prop)
-
+system_internal_prop(hint_manager_config_prop)
# Properties which can't be written outside system
system_restricted_prop(bionic_linker_16kb_app_compat_prop)
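Review bot: The added `system_internal_prop(hint_manager_config_prop)` replaces the blank line that separated the system_internal_prop block from the `# Properties which can't be written outside system` comment, so the two groups now run together; keep the new line and restore the empty line after it. Placement is otherwise fine, since the neighbouring entries (system_service_enable_prop, ctl_artd_pre_reboot_prop, trusty_security_vm_sys_prop) are not kept alphabetical either.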
diff --git a/private/property_contexts b/private/property_contexts
index 643a179..fe4b6d8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -250,7 +250,8 @@
traced.oome_heap_session.count u:object_r:traced_oome_heap_session_count_prop:s0 exact uint
# servicemanager properties
-servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
+servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
+servicemanager.installed u:object_r:servicemanager_prop:s0 exact bool
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
@@ -801,6 +802,7 @@
ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
ro.crypto.fde_algorithm u:object_r:vold_config_prop:s0 exact string
ro.crypto.fde_sector_size u:object_r:vold_config_prop:s0 exact int
+ro.crypto.hw_wrapped_keys.kdf u:object_r:vold_config_prop:s0 exact string
ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
ro.crypto.scrypt_params u:object_r:vold_config_prop:s0 exact string
ro.crypto.set_dun u:object_r:vold_config_prop:s0 exact bool
@@ -1605,8 +1607,11 @@
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
-# Property that tracks keystore crash counts during a boot cycle.
-keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+# Tracks keystore crash counts during a boot cycle.
+keystore.crash_count u:object_r:keystore_diagnostics_prop:s0 exact int
+
+# Tracks whether Keystore has successfully sent the module info hash to (V4+) KeyMints.
+keystore.module_hash.sent u:object_r:keystore_diagnostics_prop:s0 exact bool
# Configure the means by which we protect the L0 key from the future
ro.keystore.boot_level_key.strategy u:object_r:keystore_config_prop:s0 exact string
@@ -1765,6 +1770,13 @@
# Properties for game manager service
persist.graphics.game_default_frame_rate.enabled u:object_r:game_manager_config_prop:s0 exact bool
+# Properties for the HintManagerService
+persist.hms.use_hal_headrooms u:object_r:hint_manager_config_prop:s0 exact bool
+persist.hms.check_headroom_tid u:object_r:hint_manager_config_prop:s0 exact bool
+persist.hms.check_headroom_affinity u:object_r:hint_manager_config_prop:s0 exact bool
+persist.hms.check_headroom_proc_stat_min_millis u:object_r:hint_manager_config_prop:s0 exact int
+persist.hms.cpu_headroom_tid_max_cnt u:object_r:hint_manager_config_prop:s0 exact int
+
# Properties for ThreadNetworkService
threadnetwork.country_code u:object_r:threadnetwork_config_prop:s0 exact string
diff --git a/private/shell.te b/private/shell.te
index 890d6f4..2033f7e 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -444,6 +444,9 @@
# Allow reads (but not writes) of the MGLRU state
allow shell sysfs_lru_gen_enabled:file r_file_perms;
+# Allow reads (but not writes) of mem_sleep to determine suspend mechanism
+allow shell sysfs_mem_sleep:file r_file_perms;
+
# Allow communicating with the VM terminal.
userdebug_or_eng(`
allow shell vmlauncher_app_devpts:chr_file rw_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 93be46f..9a70375 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -70,6 +70,9 @@
# Allow developer settings to check 16k pages boot option status
get_prop(system_app, enable_16k_pages_prop)
+# Allow developer settings to check virtualization capabilities
+get_prop(system_app, hypervisor_prop)
+
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 01097f2..fecca1b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1651,6 +1651,16 @@
# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
set_prop(system_server, game_manager_config_prop)
+# Allow system server to write HintManagerService properties
+set_prop(system_server, hint_manager_config_prop)
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -system_server
+ userdebug_or_eng(`-shell')
+} hint_manager_config_prop:property_service set;
+
# ThreadNetworkService reads Thread Network properties
get_prop(system_server, threadnetwork_config_prop)
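Review bot: The neverallow for hint_manager_config_prop carves out `userdebug_or_eng(`-shell')`, but no `set_prop(shell, hint_manager_config_prop)` appears anywhere in this change, so on this page the exemption has no effect; if shell is meant to set persist.hms.* on debug builds for testing, the allow belongs in shell.te (it may already exist outside this diff — confirm), otherwise the exemption should be dropped so the neverallow states the real invariant. The comment above the set_prop could also point at the neverallow as the reason these stay system-internal, e.g. `# Allow system server to write HintManagerService properties; no other domain may set them (see neverallow below).`.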
diff --git a/public/file.te b/public/file.te
index 94483a3..4fca64e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -124,6 +124,11 @@
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
+
+starting_at_board_api(202504, `
+ type sysfs_mem_sleep, fs_type, sysfs_type;
+')
+
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_sync_on_suspend, fs_type, sysfs_type;