tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/Android.bp

908 lines
27 KiB
Text
Raw Normal View History

Soong module selinux compat maps And migrate 26.0.cil and 27.0.cil build targets from Android.mk to Android.bp Bug: 33691272 Test: 26.0.cil and 27.0.cil mapping files on the device are unchanged. Change-Id: Id0ea45c149e096996bc0657615ea98915df3c9e1
2018-03-22 19:35:02 +01:00
// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
[LSC] Add LOCAL_LICENSE_KINDS to system/sepolicy Added SPDX-license-identifier-Apache-2.0 to: build/Android.bp build/soong/Android.bp tests/Android.bp tools/Android.bp Added SPDX-license-identifier-Apache-2.0 legacy_unencumbered to: Android.bp Android.mk compat.mk contexts_tests.mk mac_permissions.mk seapp_contexts.mk treble_sepolicy_tests_for_release.mk Added legacy_unencumbered to: apex/Android.bp tools/sepolicy-analyze/Android.bp Bug: 68860345 Bug: 151177513 Bug: 151953481 Test: m all Exempt-From-Owner-Approval: janitorial work Change-Id: I1ab286543ef1bdcb494cf74f2b35e35a08225d28
2021-02-04 08:07:40 +01:00
package {
default_applicable_licenses: ["system_sepolicy_license"],
}
// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'filegroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// http://go/android-license-faq
license {
name: "system_sepolicy_license",
visibility: [":__subpackages__"],
license_kinds: [
"SPDX-license-identifier-Apache-2.0",
"legacy_unencumbered",
],
license_text: [
"NOTICE",
],
}
Android.bp: set sepolicy version for use by init Init needs to be aware of the policy version defined in sepolicy for on-device compilation. Bug: 124499219 Test: build and boot a device. Try both precompiled and on-device compiled policy. Change-Id: Iba861aeb4566405aedcbe3c2bad48e1e50126370
2019-02-15 21:18:15 +01:00
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
Adding file group for vts_treble_sys_prop_test. Bug: 147720376 Test: m vts_treble_sys_prop_test Change-Id: I81a0e21a989dd89f8c37adf5a5c739ca0bdfbac0
2020-04-15 07:55:47 +02:00
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
srcs: ["private/property_contexts"],
visibility: [
"//test/vts-testcase/security/system_property",
],
}
Add cil files to Android.bp for microdroid Contexts files, plat_sepolicy.cil, and 10000.0.cil are needed to boot. This adds cil files to microdroid. But cil files are temporary and only for testing. We'll need to migrate real cil files to Android.bp. Bug: 178993690 Test: boot microdroid Change-Id: I711b1db39c11d88bc1f9defeff5799e6f24756ab
2021-02-18 11:15:41 +01:00
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
se_build_files {
name: "se_build_files",
Add cil files to Android.bp for microdroid Contexts files, plat_sepolicy.cil, and 10000.0.cil are needed to boot. This adds cil files to microdroid. But cil files are temporary and only for testing. We'll need to migrate real cil files to Android.bp. Bug: 178993690 Test: boot microdroid Change-Id: I711b1db39c11d88bc1f9defeff5799e6f24756ab
2021-02-18 11:15:41 +01:00
srcs: [
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
"security_classes",
"initial_sids",
"access_vectors",
"global_macros",
"neverallow_macros",
"mls_macros",
"mls_decl",
"mls",
"policy_capabilities",
"te_macros",
"attributes",
"ioctl_defines",
"ioctl_macros",
"*.te",
"roles_decl",
"roles",
"users",
"initial_sid_contexts",
"fs_use",
"genfs_contexts",
"port_contexts",
Add cil files to Android.bp for microdroid Contexts files, plat_sepolicy.cil, and 10000.0.cil are needed to boot. This adds cil files to microdroid. But cil files are temporary and only for testing. We'll need to migrate real cil files to Android.bp. Bug: 178993690 Test: boot microdroid Change-Id: I711b1db39c11d88bc1f9defeff5799e6f24756ab
2021-02-18 11:15:41 +01:00
],
}
Use se_build_files for technical_debt.cil It's a no-op for now, but it will be used when migrating vendor sepolicy to Android.bp. Bug: 33691272 Test: build and boot Change-Id: Ie0015d31e4929e7bd3316505bfd6d338a5e9eada
2021-12-16 08:52:14 +01:00
se_build_files {
name: "sepolicy_technical_debt",
srcs: ["technical_debt.cil"],
}
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
plat_public_policy = [":se_build_files{.plat_public}"]
plat_private_policy = [":se_build_files{.plat_private}"]
system_ext_public_policy = [":se_build_files{.system_ext_public}"]
system_ext_private_policy = [":se_build_files{.system_ext_private}"]
product_public_policy = [":se_build_files{.product_public}"]
product_private_policy = [":se_build_files{.product_private}"]
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
// This bare-minimum policy needs to be present in all policy.conf files, but
// should not necessarily be exported as part of the public policy.
//
// The rules generated by reqd_policy_mask will allow the compilation of public
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
name: "reqd_policy_mask.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: reqd_mask_policy,
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
installable: false,
Build platform side policy with Soong This replaces the following policy files with Android.bp modules: - reqd_policy_mask.cil - plat_sepolicy.cil - system_ext_sepolicy.cil - product_sepolicy.cil - plat_pub_policy.cil - system_ext_pub_policy.cil - pub_policy.cil - general_sepolicy.conf (for CTS) Also microdroid's system policy now uses above. Bug: 33691272 Bug: 178993690 Test: policy files stay same Test: boot normal device and microdroid, see sepolicy works Test: build CtsSecurityHostTestCases Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
2021-03-17 11:07:15 +01:00
}
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
se_policy_cil {
name: "reqd_policy_mask.cil",
src: ":reqd_policy_mask.conf",
secilc_check: false,
installable: false,
Build platform side policy with Soong This replaces the following policy files with Android.bp modules: - reqd_policy_mask.cil - plat_sepolicy.cil - system_ext_sepolicy.cil - product_sepolicy.cil - plat_pub_policy.cil - system_ext_pub_policy.cil - pub_policy.cil - general_sepolicy.conf (for CTS) Also microdroid's system policy now uses above. Bug: 33691272 Bug: 178993690 Test: policy files stay same Test: boot normal device and microdroid, see sepolicy works Test: build CtsSecurityHostTestCases Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
2021-03-17 11:07:15 +01:00
}
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
// pub_policy - policy that will be exported to be a part of non-platform
// policy corresponding to this platform version.
//
// This is a limited subset of policy that would not compile in checkpolicy on
// its own.
//
// To get around this limitation, add only the required files from private
// policy, which will generate CIL policy that will then be filtered out by the
// reqd_policy_mask.
//
// There are three pub_policy.cil files below:
// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
// - plat_pub_policy.cil: exported 'system' policy.
//
// Those above files will in turn be used to generate the following versioned cil files:
// - product_mapping_file: the versioned, exported 'product' policy in product partition.
// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
// in vendor partition.
//
se_policy_conf {
name: "pub_policy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
reqd_mask_policy,
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
vendor: true,
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
installable: false,
}
Build platform side policy with Soong This replaces the following policy files with Android.bp modules: - reqd_policy_mask.cil - plat_sepolicy.cil - system_ext_sepolicy.cil - product_sepolicy.cil - plat_pub_policy.cil - system_ext_pub_policy.cil - pub_policy.cil - general_sepolicy.conf (for CTS) Also microdroid's system policy now uses above. Bug: 33691272 Bug: 178993690 Test: policy files stay same Test: boot normal device and microdroid, see sepolicy works Test: build CtsSecurityHostTestCases Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
2021-03-17 11:07:15 +01:00
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
se_policy_cil {
name: "pub_policy.cil",
src: ":pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
vendor: true,
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
installable: false,
Build platform side policy with Soong This replaces the following policy files with Android.bp modules: - reqd_policy_mask.cil - plat_sepolicy.cil - system_ext_sepolicy.cil - product_sepolicy.cil - plat_pub_policy.cil - system_ext_pub_policy.cil - pub_policy.cil - general_sepolicy.conf (for CTS) Also microdroid's system policy now uses above. Bug: 33691272 Bug: 178993690 Test: policy files stay same Test: boot normal device and microdroid, see sepolicy works Test: build CtsSecurityHostTestCases Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
2021-03-17 11:07:15 +01:00
}
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
se_policy_conf {
name: "system_ext_pub_policy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
system_ext_public_policy +
reqd_mask_policy,
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
system_ext_specific: true,
Build platform side policy with Soong This replaces the following policy files with Android.bp modules: - reqd_policy_mask.cil - plat_sepolicy.cil - system_ext_sepolicy.cil - product_sepolicy.cil - plat_pub_policy.cil - system_ext_pub_policy.cil - pub_policy.cil - general_sepolicy.conf (for CTS) Also microdroid's system policy now uses above. Bug: 33691272 Bug: 178993690 Test: policy files stay same Test: boot normal device and microdroid, see sepolicy works Test: build CtsSecurityHostTestCases Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
2021-03-17 11:07:15 +01:00
installable: false,
Add cil files to Android.bp for microdroid Contexts files, plat_sepolicy.cil, and 10000.0.cil are needed to boot. This adds cil files to microdroid. But cil files are temporary and only for testing. We'll need to migrate real cil files to Android.bp. Bug: 178993690 Test: boot microdroid Change-Id: I711b1db39c11d88bc1f9defeff5799e6f24756ab
2021-02-18 11:15:41 +01:00
}
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
se_policy_cil {
name: "system_ext_pub_policy.cil",
src: ":system_ext_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
system_ext_specific: true,
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
installable: false,
}
se_policy_conf {
name: "plat_pub_policy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
reqd_mask_policy,
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
installable: false,
}
se_policy_cil {
name: "plat_pub_policy.cil",
src: ":plat_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
// plat_policy.conf - A combination of the private and public platform policy
// which will ship with the device.
//
// The platform will always reflect the most recent platform version and is not
// currently being attributized.
se_policy_conf {
name: "plat_sepolicy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
plat_private_policy,
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
installable: false,
}
se_policy_cil {
name: "plat_sepolicy.cil",
src: ":plat_sepolicy.conf",
Use se_build_files for technical_debt.cil It's a no-op for now, but it will be used when migrating vendor sepolicy to Android.bp. Bug: 33691272 Test: build and boot Change-Id: Ie0015d31e4929e7bd3316505bfd6d338a5e9eada
2021-12-16 08:52:14 +01:00
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
}
Revert "Move parts of sdk_sandbox from private to apex policy" Revert "Add java SeamendcHostTest in cts" Revert submission 2111065-seamendc Reason for revert: b/240731742, b/240462388 and b/240463116 Reverted Changes: I3ce2845f2:Move parts of sdk_sandbox from private to apex pol... I0c10106e2:Add java SeamendcHostTest in cts Test: revert cl Change-Id: If9981796694b22b7cbfe1368cd815889c741e69d
2022-08-01 19:20:38 +02:00
Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp" This reverts commit a46d61cd3fae9f11c4a7fb1980d807afc0da8f62. Reason for revert: fixed debug_ramdisk partition problem Change-Id: If2350f115f5ff74ee50dac4e5a87c4d171067282
2021-04-29 15:53:20 +02:00
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
plat_private_policy,
Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp" This reverts commit a46d61cd3fae9f11c4a7fb1980d807afc0da8f62. Reason for revert: fixed debug_ramdisk partition problem Change-Id: If2350f115f5ff74ee50dac4e5a87c4d171067282
2021-04-29 15:53:20 +02:00
build_variant: "userdebug",
installable: false,
}
se_policy_cil {
name: "userdebug_plat_sepolicy.cil",
src: ":userdebug_plat_sepolicy.conf",
Use se_build_files for technical_debt.cil It's a no-op for now, but it will be used when migrating vendor sepolicy to Android.bp. Bug: 33691272 Test: build and boot Change-Id: Ie0015d31e4929e7bd3316505bfd6d338a5e9eada
2021-12-16 08:52:14 +01:00
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp" This reverts commit a46d61cd3fae9f11c4a7fb1980d807afc0da8f62. Reason for revert: fixed debug_ramdisk partition problem Change-Id: If2350f115f5ff74ee50dac4e5a87c4d171067282
2021-04-29 15:53:20 +02:00
debug_ramdisk: true,
Dist userdebug_plat_sepolicy.cil to facilitate VTS testing repack_bootimg can use the userdebug_plat_sepolicy.cil artifact to prepare a debuggable boot image for VTS testing. (TODO in follow-up) The eliminates the need for GSI boot-with-debug-ramdisk-*.img, and we can skip building them to conserve build resources. Bug: 202129499 Test: m out/target/product/generic_arm64/userdebug_plat_sepolicy.cil Test: Check presubmit artifacts include userdebug_plat_sepolicy.cil Change-Id: I7629e462d4febd05ebe8a89a7bc00e8724dcb4a4
2021-10-15 21:23:05 +02:00
dist: {
targets: ["droidcore"],
},
Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp" This reverts commit a46d61cd3fae9f11c4a7fb1980d807afc0da8f62. Reason for revert: fixed debug_ramdisk partition problem Change-Id: If2350f115f5ff74ee50dac4e5a87c4d171067282
2021-04-29 15:53:20 +02:00
}
Reland: Add system_ext_userdebug_plat_sepolicy.cil for GSI system_ext_userdebug_plat_sepolicy.cil is a copy of userdebug_plat_sepolicy.cil (debug_ramdisk) that's installed in the system_ext partition. The build rule is gated by a BoardConfig variable, so products other than GSI cannot accidentally install this module. Bug: 188067818 Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash gsi_arm64-user from master, device can boot and `adb root` works Change-Id: I75183e2dfdb434aee0b015b1627c9e23b4f3437f
2021-09-23 16:14:16 +02:00
// A copy of the userdebug_plat_policy in GSI.
soong_config_module_type {
name: "gsi_se_policy_cil",
module_type: "se_policy_cil",
config_namespace: "ANDROID",
bool_variables: [
"PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
],
properties: [
"enabled",
"installable",
],
}
gsi_se_policy_cil {
name: "system_ext_userdebug_plat_sepolicy.cil",
stem: "userdebug_plat_sepolicy.cil",
src: ":userdebug_plat_sepolicy.conf",
Use se_build_files for technical_debt.cil It's a no-op for now, but it will be used when migrating vendor sepolicy to Android.bp. Bug: 33691272 Test: build and boot Change-Id: Ie0015d31e4929e7bd3316505bfd6d338a5e9eada
2021-12-16 08:52:14 +01:00
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
Reland: Add system_ext_userdebug_plat_sepolicy.cil for GSI system_ext_userdebug_plat_sepolicy.cil is a copy of userdebug_plat_sepolicy.cil (debug_ramdisk) that's installed in the system_ext partition. The build rule is gated by a BoardConfig variable, so products other than GSI cannot accidentally install this module. Bug: 188067818 Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash gsi_arm64-user from master, device can boot and `adb root` works Change-Id: I75183e2dfdb434aee0b015b1627c9e23b4f3437f
2021-09-23 16:14:16 +02:00
system_ext_specific: true,
enabled: false,
installable: false,
soong_config_variables: {
PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
enabled: true,
installable: true,
},
},
}
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
name: "system_ext_sepolicy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
system_ext_private_policy,
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
system_ext_specific: true,
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
installable: false,
Build platform side policy with Soong This replaces the following policy files with Android.bp modules: - reqd_policy_mask.cil - plat_sepolicy.cil - system_ext_sepolicy.cil - product_sepolicy.cil - plat_pub_policy.cil - system_ext_pub_policy.cil - pub_policy.cil - general_sepolicy.conf (for CTS) Also microdroid's system policy now uses above. Bug: 33691272 Bug: 178993690 Test: policy files stay same Test: boot normal device and microdroid, see sepolicy works Test: build CtsSecurityHostTestCases Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
2021-03-17 11:07:15 +01:00
}
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
se_policy_cil {
name: "system_ext_sepolicy.cil",
src: ":system_ext_sepolicy.conf",
system_ext_specific: true,
filter_out: [":plat_sepolicy.cil"],
remove_line_marker: true,
}
// product_policy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized
se_policy_conf {
name: "product_sepolicy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
product_private_policy,
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
product_specific: true,
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
installable: false,
}
se_policy_cil {
name: "product_sepolicy.cil",
src: ":product_sepolicy.conf",
product_specific: true,
filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
remove_line_marker: true,
}
Migrate mapping files to Android.bp Bug: 33691272 Test: boot cf && boot microdroid && see precompiled sepolicy works Change-Id: I92c9cb873506d24b335cc0fd489269df216280be
2021-03-25 07:37:34 +01:00
// policy mapping files
// auto-generate the mapping file for current platform policy, since it needs to
// track platform policy development
se_versioned_policy {
name: "plat_mapping_file",
base: ":plat_pub_policy.cil",
mapping: true,
version: "current",
relative_install_path: "mapping", // install to /system/etc/selinux/mapping
}
se_versioned_policy {
name: "system_ext_mapping_file",
base: ":system_ext_pub_policy.cil",
mapping: true,
version: "current",
filter_out: [":plat_mapping_file"],
relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
system_ext_specific: true,
}
se_versioned_policy {
name: "product_mapping_file",
base: ":pub_policy.cil",
mapping: true,
version: "current",
filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
relative_install_path: "mapping", // install to /product/etc/selinux/mapping
product_specific: true,
}
Revert^2 "Add 1000000.0 mapping file temporarily" 82126e9d7765c4c33605c8380e2f09e52f143009 Change-Id: Ia2ef237d9918532f24cd00688ae2bc15196123e9
2024-02-13 03:19:24 +01:00
// HACK to support vendor blobs using 1000000.0
// TODO(b/314010177): remove after new ToT (202404) fully propagates
se_versioned_policy {
name: "plat_mapping_file_1000000.0",
base: ":plat_pub_policy.cil",
mapping: true,
version: "1000000.0",
relative_install_path: "mapping", // install to /system/etc/selinux/mapping
}
se_versioned_policy {
name: "system_ext_mapping_file_1000000.0",
base: ":system_ext_pub_policy.cil",
mapping: true,
version: "1000000.0",
filter_out: [":plat_mapping_file"],
relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
system_ext_specific: true,
}
se_versioned_policy {
name: "product_mapping_file_1000000.0",
base: ":pub_policy.cil",
mapping: true,
version: "1000000.0",
filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
relative_install_path: "mapping", // install to /product/etc/selinux/mapping
product_specific: true,
}
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
//////////////////////////////////
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
// vendor/odm sepolicy
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
//////////////////////////////////
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
Migrate mapping files to Android.bp Bug: 33691272 Test: boot cf && boot microdroid && see precompiled sepolicy works Change-Id: I92c9cb873506d24b335cc0fd489269df216280be
2021-03-25 07:37:34 +01:00
// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
name: "plat_pub_versioned.cil",
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
base: ":pub_policy.cil",
target_policy: ":pub_policy.cil",
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
version: "vendor",
vendor: true,
}
// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
reqd_mask_policy + [
":se_build_files{.plat_vendor}",
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
":se_build_files{.vendor}",
],
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
vendor: true,
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
installable: false,
}
se_policy_cil {
name: "vendor_sepolicy.cil.raw",
src: ":vendor_sepolicy.conf",
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
filter_out: [":reqd_policy_mask.cil"],
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
secilc_check: false, // will be done in se_versioned_policy module
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
vendor: true,
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
installable: false,
}
se_versioned_policy {
name: "vendor_sepolicy.cil",
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
base: ":pub_policy.cil",
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
target_policy: ":vendor_sepolicy.cil.raw",
version: "vendor",
Migrate mapping files to Android.bp Bug: 33691272 Test: boot cf && boot microdroid && see precompiled sepolicy works Change-Id: I92c9cb873506d24b335cc0fd489269df216280be
2021-03-25 07:37:34 +01:00
dependent_cils: [
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
":plat_sepolicy.cil",
":system_ext_sepolicy.cil",
":product_sepolicy.cil",
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
":plat_pub_versioned.cil",
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
":plat_mapping_file",
Migrate mapping files to Android.bp Bug: 33691272 Test: boot cf && boot microdroid && see precompiled sepolicy works Change-Id: I92c9cb873506d24b335cc0fd489269df216280be
2021-03-25 07:37:34 +01:00
],
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
filter_out: [":plat_pub_versioned.cil"],
Migrate mapping files to Android.bp Bug: 33691272 Test: boot cf && boot microdroid && see precompiled sepolicy works Change-Id: I92c9cb873506d24b335cc0fd489269df216280be
2021-03-25 07:37:34 +01:00
vendor: true,
}
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
// odm_policy.cil - the odl sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
reqd_mask_policy + [
":se_build_files{.plat_vendor}",
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
device_specific: true,
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
installable: false,
}
se_policy_cil {
name: "odm_sepolicy.cil.raw",
src: ":odm_sepolicy.conf",
filter_out: [
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
":reqd_policy_mask.cil",
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
":vendor_sepolicy.cil",
],
secilc_check: false, // will be done in se_versioned_policy module
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
device_specific: true,
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
installable: false,
}
se_versioned_policy {
name: "odm_sepolicy.cil",
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
base: ":pub_policy.cil",
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
target_policy: ":odm_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
":plat_sepolicy.cil",
":system_ext_sepolicy.cil",
":product_sepolicy.cil",
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
":plat_pub_versioned.cil",
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
":plat_mapping_file",
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
":vendor_sepolicy.cil",
],
filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
device_specific: true,
}
Migrate mapping files to Android.bp Bug: 33691272 Test: boot cf && boot microdroid && see precompiled sepolicy works Change-Id: I92c9cb873506d24b335cc0fd489269df216280be
2021-03-25 07:37:34 +01:00
//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
// AND
// - system_ext_sepolicy_and_mapping.sha256 equals
// precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
// AND
// - product_sepolicy_and_mapping.sha256 equals
// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
genrule {
name: "plat_sepolicy_and_mapping.sha256_gen",
srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
out: ["plat_sepolicy_and_mapping.sha256"],
cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
prebuilt_etc {
name: "plat_sepolicy_and_mapping.sha256",
filename: "plat_sepolicy_and_mapping.sha256",
src: ":plat_sepolicy_and_mapping.sha256_gen",
relative_install_path: "selinux",
}
genrule {
name: "system_ext_sepolicy_and_mapping.sha256_gen",
srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
out: ["system_ext_sepolicy_and_mapping.sha256"],
cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
prebuilt_etc {
name: "system_ext_sepolicy_and_mapping.sha256",
filename: "system_ext_sepolicy_and_mapping.sha256",
src: ":system_ext_sepolicy_and_mapping.sha256_gen",
relative_install_path: "selinux",
system_ext_specific: true,
}
genrule {
name: "product_sepolicy_and_mapping.sha256_gen",
srcs: [":product_sepolicy.cil", ":product_mapping_file"],
out: ["product_sepolicy_and_mapping.sha256"],
cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
prebuilt_etc {
name: "product_sepolicy_and_mapping.sha256",
filename: "product_sepolicy_and_mapping.sha256",
src: ":product_sepolicy_and_mapping.sha256_gen",
relative_install_path: "selinux",
product_specific: true,
}
Add sepolicy_vers for plat_sepolicy_vers.txt plat_sepolicy_vers.txt stores the version of vendor policy. This change adds sepolicy_vers module to migrate plat_sepolicy_vers.txt to Android.bp. - Device's plat_sepolicy_vers: should be BOARD_SEPOLICY_VERS - Microdroid's plat_sepolicy_vers: should be PLATFORM_SEPOLICY_VERSION because all microdroid artifacts are bound to platform Bug: 33691272 Test: boot device && boot microdroid Change-Id: Ida293e1cb785b44fa1d01543d52d3f8e15b055c2
2021-04-29 17:11:43 +02:00
sepolicy_vers {
name: "plat_sepolicy_vers.txt",
version: "vendor",
vendor: true,
}
Migrate precompiled sepolicy hashes to Android.bp Bug: 33691272 Test: build with odm and build without odm Test: boot and see precompiled sepolicy used Change-Id: Id84cca38f81ba3ecf7480d41a704085c7fff8b87
2021-05-06 13:44:37 +02:00
soong_config_module_type {
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
name: "precompiled_sepolicy_prebuilts_defaults",
Migrate precompiled sepolicy hashes to Android.bp Bug: 33691272 Test: build with odm and build without odm Test: boot and see precompiled sepolicy used Change-Id: Id84cca38f81ba3ecf7480d41a704085c7fff8b87
2021-05-06 13:44:37 +02:00
module_type: "prebuilt_defaults",
config_namespace: "ANDROID",
bool_variables: ["BOARD_USES_ODMIMAGE"],
properties: ["vendor", "device_specific"],
}
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
precompiled_sepolicy_prebuilts_defaults {
name: "precompiled_sepolicy_prebuilts",
Migrate precompiled sepolicy hashes to Android.bp Bug: 33691272 Test: build with odm and build without odm Test: boot and see precompiled sepolicy used Change-Id: Id84cca38f81ba3ecf7480d41a704085c7fff8b87
2021-05-06 13:44:37 +02:00
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
device_specific: true,
conditions_default: {
vendor: true,
},
},
},
}
//////////////////////////////////
// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
defaults: ["precompiled_sepolicy_prebuilts"],
Migrate precompiled sepolicy hashes to Android.bp Bug: 33691272 Test: build with odm and build without odm Test: boot and see precompiled sepolicy used Change-Id: Id84cca38f81ba3ecf7480d41a704085c7fff8b87
2021-05-06 13:44:37 +02:00
name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
src: ":plat_sepolicy_and_mapping.sha256_gen",
relative_install_path: "selinux",
}
//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
defaults: ["precompiled_sepolicy_prebuilts"],
Migrate precompiled sepolicy hashes to Android.bp Bug: 33691272 Test: build with odm and build without odm Test: boot and see precompiled sepolicy used Change-Id: Id84cca38f81ba3ecf7480d41a704085c7fff8b87
2021-05-06 13:44:37 +02:00
name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
src: ":system_ext_sepolicy_and_mapping.sha256_gen",
relative_install_path: "selinux",
}
//////////////////////////////////
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
defaults: ["precompiled_sepolicy_prebuilts"],
Migrate precompiled sepolicy hashes to Android.bp Bug: 33691272 Test: build with odm and build without odm Test: boot and see precompiled sepolicy used Change-Id: Id84cca38f81ba3ecf7480d41a704085c7fff8b87
2021-05-06 13:44:37 +02:00
name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
src: ":product_sepolicy_and_mapping.sha256_gen",
relative_install_path: "selinux",
}
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
soong_config_module_type {
name: "precompiled_se_policy_binary",
module_type: "se_policy_binary",
config_namespace: "ANDROID",
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
bool_variables: ["BOARD_USES_ODMIMAGE"],
properties: ["vendor", "device_specific"],
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
}
Add prebuilt_sepolicy_srcs filegroup This allows OEM to get a copy of precompiled SEPolicy. This can be useful when an OEM needs to bind-mount some of the Android partitions across the VM boundary to ensure the correct labeling. Bug: 301629552 Test: Presubmit builds should be enough. Change-Id: I3339a7abfe2612993ee659fd5492c323aa895999
2023-10-02 23:17:04 +02:00
filegroup {
name: "precompiled_sepolicy_srcs",
Add apex_sepolicy targets for running go/seamendc This is a roll-forward of some of the changes rolled back in aosp/2170746. I am rolling forward in smaller chunks so that it is easier to identify and avoid possible breakages. Bug: 236691128 Test: atest SeamendcHostTest Change-Id: Ibe451325d471fe04cd52683ba90a22543fa84c7c
2022-08-05 13:38:56 +02:00
srcs: [
":plat_sepolicy.cil",
":plat_pub_versioned.cil",
":system_ext_sepolicy.cil",
":product_sepolicy.cil",
":vendor_sepolicy.cil",
":odm_sepolicy.cil",
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
":plat_mapping_file",
":system_ext_mapping_file",
":product_mapping_file",
Add apex_sepolicy targets for running go/seamendc This is a roll-forward of some of the changes rolled back in aosp/2170746. I am rolling forward in smaller chunks so that it is easier to identify and avoid possible breakages. Bug: 236691128 Test: atest SeamendcHostTest Change-Id: Ibe451325d471fe04cd52683ba90a22543fa84c7c
2022-08-05 13:38:56 +02:00
],
Add prebuilt_sepolicy_srcs filegroup This allows OEM to get a copy of precompiled SEPolicy. This can be useful when an OEM needs to bind-mount some of the Android partitions across the VM boundary to ensure the correct labeling. Bug: 301629552 Test: Presubmit builds should be enough. Change-Id: I3339a7abfe2612993ee659fd5492c323aa895999
2023-10-02 23:17:04 +02:00
// Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
// Useful when some partitions need to be bind mounted across VM boundaries.
visibility: ["//visibility:public"],
}
precompiled_se_policy_binary {
name: "precompiled_sepolicy",
srcs: [
":precompiled_sepolicy_srcs",
],
Add apex_sepolicy targets for running go/seamendc This is a roll-forward of some of the changes rolled back in aosp/2170746. I am rolling forward in smaller chunks so that it is easier to identify and avoid possible breakages. Bug: 236691128 Test: atest SeamendcHostTest Change-Id: Ibe451325d471fe04cd52683ba90a22543fa84c7c
2022-08-05 13:38:56 +02:00
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
device_specific: true,
conditions_default: {
vendor: true,
},
},
},
required: [
"sepolicy_neverallows",
Migrate neverallow tests to Android.bp A new module type se_neverallow_test is added, to migrate sepolicy_neverallow modules. se_neverallow_test is affected by SELINUX_IGNORE_NEVERALLOWS. Bug: 33691272 Test: m selinux_policy Test: intentionally create neverallow violations and m selinux_policy Change-Id: I1582353f99f064ff78f3c547a0c13f2b772d54df
2021-12-22 15:06:53 +01:00
],
Add new goal for compat file generator To generate compat files, we need the following files. - base_plat_sepolicy: to get all types - base_plat_pub_policy.cil: to get public types - {ver}_plat_sepolicy: to get old types This creates a new dist goal, base-sepolicy-files-for-mapping, to conveniently generate and gather desired files under out/dist. Bug: 214336258 Test: build/soong/soong_ui.bash --make-mode dist \ base-sepolicy-files-for-mapping \ TARGET_PRODUCT=aosp_arm64 TARGET_BUILD_VARIANT=userdebug Change-Id: I2f210ab47be777cd91346d635f75064845821144
2022-01-21 03:47:54 +01:00
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
Build vendor/odm sepolicies with Android.bp The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 11:00:03 +01:00
}
Migrate precompiled sepolicy hashes to Android.bp Bug: 33691272 Test: build with odm and build without odm Test: boot and see precompiled sepolicy used Change-Id: Id84cca38f81ba3ecf7480d41a704085c7fff8b87
2021-05-06 13:44:37 +02:00
Build recovery policy with Android.bp Bug: 33691272 Test: enter recovery mode Change-Id: Ifc38ed99e6615431d81ade76ec10ea4d34fbbf90
2021-12-28 06:57:03 +01:00
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
product_private_policy + [
":se_build_files{.plat_vendor}",
Build recovery policy with Android.bp Bug: 33691272 Test: enter recovery mode Change-Id: Ifc38ed99e6615431d81ade76ec10ea4d34fbbf90
2021-12-28 06:57:03 +01:00
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
target_recovery: true,
installable: false,
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
recovery: true,
Build recovery policy with Android.bp Bug: 33691272 Test: enter recovery mode Change-Id: Ifc38ed99e6615431d81ade76ec10ea4d34fbbf90
2021-12-28 06:57:03 +01:00
}
se_policy_cil {
name: "recovery_sepolicy.cil",
src: ":recovery_sepolicy.conf",
secilc_check: false, // will be done in se_policy_binary module
installable: false,
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
recovery: true,
Build recovery policy with Android.bp Bug: 33691272 Test: enter recovery mode Change-Id: Ifc38ed99e6615431d81ade76ec10ea4d34fbbf90
2021-12-28 06:57:03 +01:00
}
se_policy_binary {
name: "sepolicy.recovery",
srcs: [":recovery_sepolicy.cil"],
stem: "sepolicy",
recovery: true,
}
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
//////////////////////////////////
se_policy_conf {
name: "general_sepolicy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
plat_private_policy,
Reland "Build platform side policy with Soong" This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a. Reason for revert: fixed breakage The breakage was due to the difference between plat_sepolicy.conf and microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with se_policy_conf module, so it is synced with plat_sepolicy.conf Test: boot microdroid with and without SANITIZE_TARGET=address Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 02:26:13 +01:00
build_variant: "user",
cts: true,
exclude_build_test: true,
}
Migrate freeze test to Soong Bug: 33691272 Test: m selinux_policy on sc-dev Change-Id: Ie536d885034e5d888f1329ac189fd0bf9723a6c4
2021-09-15 05:01:05 +02:00
Migrate system sepolicy binaries to Soong Bug: 33691272 Test: m selinux_policy Test: boot microdroid Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-27 15:43:01 +02:00
//////////////////////////////////
// Base system policy for treble sepolicy tests.
// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
// with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
// See treble_sepolicy_tests_for_release.mk for more details.
//////////////////////////////////
se_policy_conf {
name: "base_plat_sepolicy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
plat_private_policy,
Migrate system sepolicy binaries to Soong Bug: 33691272 Test: m selinux_policy Test: boot microdroid Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-27 15:43:01 +02:00
build_variant: "user",
installable: false,
}
se_policy_cil {
name: "base_plat_sepolicy.cil",
src: ":base_plat_sepolicy.conf",
additional_cil_files: ["private/technical_debt.cil"],
installable: false,
secilc_check: false, // done by se_policy_binary
}
se_policy_binary {
name: "base_plat_sepolicy",
srcs: [":base_plat_sepolicy.cil"],
installable: false,
Add new goal for compat file generator To generate compat files, we need the following files. - base_plat_sepolicy: to get all types - base_plat_pub_policy.cil: to get public types - {ver}_plat_sepolicy: to get old types This creates a new dist goal, base-sepolicy-files-for-mapping, to conveniently generate and gather desired files under out/dist. Bug: 214336258 Test: build/soong/soong_ui.bash --make-mode dist \ base-sepolicy-files-for-mapping \ TARGET_PRODUCT=aosp_arm64 TARGET_BUILD_VARIANT=userdebug Change-Id: I2f210ab47be777cd91346d635f75064845821144
2022-01-21 03:47:54 +01:00
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
Migrate system sepolicy binaries to Soong Bug: 33691272 Test: m selinux_policy Test: boot microdroid Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-27 15:43:01 +02:00
}
se_policy_conf {
name: "base_product_sepolicy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
product_private_policy,
Migrate system sepolicy binaries to Soong Bug: 33691272 Test: m selinux_policy Test: boot microdroid Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-27 15:43:01 +02:00
build_variant: "user",
installable: false,
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
product_specific: true,
Migrate system sepolicy binaries to Soong Bug: 33691272 Test: m selinux_policy Test: boot microdroid Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-27 15:43:01 +02:00
}
se_policy_cil {
name: "base_product_sepolicy.cil",
src: ":base_product_sepolicy.conf",
additional_cil_files: ["private/technical_debt.cil"],
product_specific: true,
installable: false,
secilc_check: false, // done by se_policy_binary
}
se_policy_binary {
name: "base_product_sepolicy",
srcs: [":base_product_sepolicy.cil"],
product_specific: true,
installable: false,
}
se_policy_conf {
name: "base_plat_pub_policy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
reqd_mask_policy,
Migrate system sepolicy binaries to Soong Bug: 33691272 Test: m selinux_policy Test: boot microdroid Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-27 15:43:01 +02:00
build_variant: "user",
installable: false,
}
se_policy_cil {
name: "base_plat_pub_policy.cil",
src: ":base_plat_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
Add new goal for compat file generator To generate compat files, we need the following files. - base_plat_sepolicy: to get all types - base_plat_pub_policy.cil: to get public types - {ver}_plat_sepolicy: to get old types This creates a new dist goal, base-sepolicy-files-for-mapping, to conveniently generate and gather desired files under out/dist. Bug: 214336258 Test: build/soong/soong_ui.bash --make-mode dist \ base-sepolicy-files-for-mapping \ TARGET_PRODUCT=aosp_arm64 TARGET_BUILD_VARIANT=userdebug Change-Id: I2f210ab47be777cd91346d635f75064845821144
2022-01-21 03:47:54 +01:00
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
Migrate system sepolicy binaries to Soong Bug: 33691272 Test: m selinux_policy Test: boot microdroid Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-27 15:43:01 +02:00
}
se_policy_conf {
name: "base_product_pub_policy.conf",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Refactor Android.bp build modules for readability When we compile sepolicy files into a cil file, we first gather all sepolicy files to create a conf file, and then convert the conf file to a cil file with checkpolicy. The problem is that checkpolicy is sensitive to the input order; the conf file should contain statements in a specific order: classes, initial_sid, access vectors, macros, mls, etc. This restriction has made Android.bp migration difficult, and we had to create a magical module called "se_build_files" to correctly include source files in the designated order. It works, but significant readability problem has happened. For example, when we write ":se_build_files{.system_ext_public}", how can we easily figure out that the tag actually includes plat public + system_ext public + reqd mask, without taking a look at the build system code? This change refactors the se_build_files module and se_policy_conf module, so we can easily see the desginated files for each module, just like we did in the Android.mk. se_policy_conf module now stably sorts source files in an order which will make checkpolicy happy. se_build_files module is also refactored, so one tag can represent exactly one set of policy files, rather than doing magical works behind the scene. For example, system_ext public policy module is changed from: se_policy_conf { name: "system_ext_pub_policy.conf", // se_build_files automatically adds plat public and reqd mask srcs: [":se_build_files{.system_ext_public}"], } to: se_policy_conf { name: "system_ext_pub_policy.conf", // se_policy_conf automatically sorts the input files srcs: [ ":se_build_files{.plat_public}", ":se_build_files{.system_ext_public}", ":se_build_files{.reqd_mask}", ], } Bug: 209933272 Test: build and diff before/after Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
reqd_mask_policy,
Migrate system sepolicy binaries to Soong Bug: 33691272 Test: m selinux_policy Test: boot microdroid Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-27 15:43:01 +02:00
build_variant: "user",
installable: false,
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
product_specific: true,
Migrate system sepolicy binaries to Soong Bug: 33691272 Test: m selinux_policy Test: boot microdroid Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-27 15:43:01 +02:00
}
se_policy_cil {
name: "base_product_pub_policy.cil",
src: ":base_product_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
Use target specific intermediate paths This won't be harmful and this can help reduce rebuilding sepolicy artifacts upon lunch target change. Bug: 279524023 Test: m selinux_policy Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
2023-04-26 04:03:35 +02:00
product_specific: true,
Migrate system sepolicy binaries to Soong Bug: 33691272 Test: m selinux_policy Test: boot microdroid Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-27 15:43:01 +02:00
}
Treblelize bug_map: split bug_map to multiple partitions * plat_bug_map: Platform-specific bug_map definitions. * system_ext_bug_map: Product-specific bug_map definitions. * vendor_bug_map: SOC-specific bug_map definitions. Bug: 177977370 Test: Boot and check auditd logs Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
2021-11-08 12:30:04 +01:00
// bug_map - Bug tracking information for selinux denials loaded by auditd.
Replace se_filegroup to se_build_files se_build_files is a replacement for se_filegroup module. se_build_files can be used with the normal Soong convention ":module_name{.tag}" by implementing android.OutputFileProducer. It's better than implementing ad-hoc logics across various modules, which is the case for se_filegroup module. Test: build and boot Change-Id: Ic0e34549601eb043145e433055f5a030eaf4347e
2022-04-22 00:50:22 +02:00
se_build_files {
Treblelize bug_map: split bug_map to multiple partitions * plat_bug_map: Platform-specific bug_map definitions. * system_ext_bug_map: Product-specific bug_map definitions. * vendor_bug_map: SOC-specific bug_map definitions. Bug: 177977370 Test: Boot and check auditd logs Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
2021-11-08 12:30:04 +01:00
name: "bug_map_files",
srcs: ["bug_map"],
}
se_bug_map {
name: "plat_bug_map",
Replace se_filegroup to se_build_files se_build_files is a replacement for se_filegroup module. se_build_files can be used with the normal Soong convention ":module_name{.tag}" by implementing android.OutputFileProducer. It's better than implementing ad-hoc logics across various modules, which is the case for se_filegroup module. Test: build and boot Change-Id: Ic0e34549601eb043145e433055f5a030eaf4347e
2022-04-22 00:50:22 +02:00
srcs: [":bug_map_files{.plat_private}"],
Treblelize bug_map: split bug_map to multiple partitions * plat_bug_map: Platform-specific bug_map definitions. * system_ext_bug_map: Product-specific bug_map definitions. * vendor_bug_map: SOC-specific bug_map definitions. Bug: 177977370 Test: Boot and check auditd logs Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
2021-11-08 12:30:04 +01:00
stem: "bug_map",
}
se_bug_map {
name: "system_ext_bug_map",
Replace se_filegroup to se_build_files se_build_files is a replacement for se_filegroup module. se_build_files can be used with the normal Soong convention ":module_name{.tag}" by implementing android.OutputFileProducer. It's better than implementing ad-hoc logics across various modules, which is the case for se_filegroup module. Test: build and boot Change-Id: Ic0e34549601eb043145e433055f5a030eaf4347e
2022-04-22 00:50:22 +02:00
srcs: [":bug_map_files{.system_ext_private}"],
Treblelize bug_map: split bug_map to multiple partitions * plat_bug_map: Platform-specific bug_map definitions. * system_ext_bug_map: Product-specific bug_map definitions. * vendor_bug_map: SOC-specific bug_map definitions. Bug: 177977370 Test: Boot and check auditd logs Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
2021-11-08 12:30:04 +01:00
stem: "bug_map",
system_ext_specific: true,
}
se_bug_map {
name: "vendor_bug_map",
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor}"],
Treblelize bug_map: split bug_map to multiple partitions * plat_bug_map: Platform-specific bug_map definitions. * system_ext_bug_map: Product-specific bug_map definitions. * vendor_bug_map: SOC-specific bug_map definitions. Bug: 177977370 Test: Boot and check auditd logs Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
2021-11-08 12:30:04 +01:00
// Legacy file name of the vendor partition bug_map.
stem: "selinux_denial_metadata",
vendor: true,
}
Migrate neverallow tests to Android.bp A new module type se_neverallow_test is added, to migrate sepolicy_neverallow modules. se_neverallow_test is affected by SELINUX_IGNORE_NEVERALLOWS. Bug: 33691272 Test: m selinux_policy Test: intentionally create neverallow violations and m selinux_policy Change-Id: I1582353f99f064ff78f3c547a0c13f2b772d54df
2021-12-22 15:06:53 +01:00
se_neverallow_test {
name: "sepolicy_neverallows",
Add macros to flag-guard te and contexts files This adds two macros which can be used in te files and contexts files. * is_flag_enabled(flag_name, codes) * is_flag_disabled(flag_name, codes) Also flag-guarding requires to process input files before any validations. Property contexts test and seapp contexts test are modified a little to handle that. Bug: 306563735 Test: build with manual guarding Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 03:13:01 +01:00
defaults: ["se_policy_conf_flags_defaults"],
Migrate neverallow tests to Android.bp A new module type se_neverallow_test is added, to migrate sepolicy_neverallow modules. se_neverallow_test is affected by SELINUX_IGNORE_NEVERALLOWS. Bug: 33691272 Test: m selinux_policy Test: intentionally create neverallow violations and m selinux_policy Change-Id: I1582353f99f064ff78f3c547a0c13f2b772d54df
2021-12-22 15:06:53 +01:00
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
Remove code about mixed sepolicy build There is no one actively using mixed sepolicy build, and it made sepolicy codes too complicated. As we are deprecating mixed build, removing such code for cleanup. Bug: 298305798 Test: boot cuttlefish Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 09:47:38 +02:00
product_private_policy + [
":se_build_files{.plat_vendor}",
Migrate neverallow tests to Android.bp A new module type se_neverallow_test is added, to migrate sepolicy_neverallow modules. se_neverallow_test is affected by SELINUX_IGNORE_NEVERALLOWS. Bug: 33691272 Test: m selinux_policy Test: intentionally create neverallow violations and m selinux_policy Change-Id: I1582353f99f064ff78f3c547a0c13f2b772d54df
2021-12-22 15:06:53 +01:00
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
}
Migrate freeze test to Soong Bug: 33691272 Test: m selinux_policy on sc-dev Change-Id: Ie536d885034e5d888f1329ac189fd0bf9723a6c4
2021-09-15 05:01:05 +02:00
//////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
// Additional directories can be specified via Makefile variables:
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////
se_freeze_test {
Relax freeze_test to check only compatibility For now, freeze_test compares prebuilts against sources with diff, to ensure that sources are identical to prebuilts. However, it could be the case that the branch should be able to build both REL and ToT. In that case, changes to the sources are inevitable and the freeze test will fail. To fix the issue, freeze_test will now only check compatibility. To be specific, it will check if any public types or attributes are removed. Contexts files and neverallow rules are not checked, but they may be added later. Also to support the new freeze_test - build_files module is changed to use glob (because REL version won't be in compat versions list) - plat_pub_policy modules are added under prebuilts/api (because freeze_test needs that) Bug: 296875906 Test: m selinux_policy Change-Id: I39c40992965b98664facea3b760d9d6be1f6b87e
2023-09-04 10:40:03 +02:00
name: "se_freeze_test",
Migrate freeze test to Soong Bug: 33691272 Test: m selinux_policy on sc-dev Change-Id: Ie536d885034e5d888f1329ac189fd0bf9723a6c4
2021-09-15 05:01:05 +02:00
}
Move sepolicy_test to Android.bp Bug: 33691272 Test: m selinux_policy triggers sepolicy_test Change-Id: I1618c2a35b3ce9d747db3955788427dc422fd532
2022-02-25 03:26:16 +01:00
//////////////////////////////////
// sepolicy_test checks various types of violations, which can't be easily done
// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
//////////////////////////////////
genrule {
name: "sepolicy_test",
srcs: [
":plat_file_contexts",
":vendor_file_contexts",
":system_ext_file_contexts",
":product_file_contexts",
":odm_file_contexts",
":precompiled_sepolicy",
],
tools: ["sepolicy_tests"],
out: ["sepolicy_test"],
cmd: "$(location sepolicy_tests) " +
"-f $(location :plat_file_contexts) " +
"-f $(location :vendor_file_contexts) " +
"-f $(location :system_ext_file_contexts) " +
"-f $(location :product_file_contexts) " +
"-f $(location :odm_file_contexts) " +
"-p $(location :precompiled_sepolicy) && " +
"touch $(out)",
}
Add dev_type test Files under /dev should have dev_type attribute. Bug: 303367345 Test: m selinux_policy Change-Id: Iaa1e39338e2fae32086bd770c6f3ab4b33bb82aa
2023-09-27 10:39:07 +02:00
//////////////////////////////////
// TestDevTypeViolations can't run on old devices (V or before)
//////////////////////////////////
soong_config_module_type {
name: "dev_type_test_genrule",
module_type: "genrule",
config_namespace: "ANDROID",
bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
properties: ["cmd"],
}
dev_type_test_genrule {
name: "sepolicy_dev_type_test",
srcs: [
":plat_file_contexts",
":vendor_file_contexts",
":system_ext_file_contexts",
":product_file_contexts",
":odm_file_contexts",
":precompiled_sepolicy",
],
tools: ["sepolicy_tests"],
out: ["sepolicy_dev_type_test"],
soong_config_variables: {
CHECK_DEV_TYPE_VIOLATIONS: {
cmd: "$(location sepolicy_tests) " +
"-f $(location :plat_file_contexts) " +
"-f $(location :vendor_file_contexts) " +
"-f $(location :system_ext_file_contexts) " +
"-f $(location :product_file_contexts) " +
"-f $(location :odm_file_contexts) " +
"-p $(location :precompiled_sepolicy) " +
"-t TestDevTypeViolations && " +
"touch $(out)",
conditions_default: {
cmd: "touch $(out)",
},
},
},
}
Reference in a new issue Copy permalink