tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Use only public cil files for Treble compat test

Browse source 
Rationale for this change:

1) Vendors use only public files, so we should be able to use only
   public cil files for compatibility test.
2) treble_sepolicy_tests_for_release.mk is too complex, because it
   requires compiled sepolicy. Reducing the complexity will help migrate
   into REL build.
3) This fixes a tiny bug of treble_sepolicy_tests that it can't catch
   public types being moved to private types, and then removed. 29.0.cil
   and 30.0.cil change contains such missing public types.

Bug: 296875906
Test: m selinux_policy (with/without intentional breakage)
Change-Id: Ia2c0733176df898f268b5680195da25b588b09c7
This commit is contained in:
Inseob Kim 2023-09-06 18:01:53 +09:00
parent 5d7423ff3d
commit 0d49b9bc28
11 changed files with 63 additions and 80 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
prebuilts/api/29.0/Android.bp
View file

@ -52,4 +52,7 @@ se_policy_binary {
name: "29.0_plat_policy", name: "29.0_plat_policy",
srcs: [":29.0_plat_policy.cil"], srcs: [":29.0_plat_policy.cil"],
installable: false, installable: false,
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
} }

3
prebuilts/api/30.0/Android.bp
View file

@ -52,4 +52,7 @@ se_policy_binary {
name: "30.0_plat_policy", name: "30.0_plat_policy",
srcs: [":30.0_plat_policy.cil"], srcs: [":30.0_plat_policy.cil"],
installable: false, installable: false,
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
} }

3
prebuilts/api/31.0/Android.bp
View file

@ -52,4 +52,7 @@ se_policy_binary {
name: "31.0_plat_policy", name: "31.0_plat_policy",
srcs: [":31.0_plat_policy.cil"], srcs: [":31.0_plat_policy.cil"],
installable: false, installable: false,
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
} }

3
prebuilts/api/32.0/Android.bp
View file

@ -52,4 +52,7 @@ se_policy_binary {
name: "32.0_plat_policy", name: "32.0_plat_policy",
srcs: [":32.0_plat_policy.cil"], srcs: [":32.0_plat_policy.cil"],
installable: false, installable: false,
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
} }

3
prebuilts/api/33.0/Android.bp
View file

@ -52,4 +52,7 @@ se_policy_binary {
name: "33.0_plat_policy", name: "33.0_plat_policy",
srcs: [":33.0_plat_policy.cil"], srcs: [":33.0_plat_policy.cil"],
installable: false, installable: false,
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
} }

3
prebuilts/api/34.0/Android.bp
View file

@ -52,4 +52,7 @@ se_policy_binary {
name: "34.0_plat_policy", name: "34.0_plat_policy",
srcs: [":34.0_plat_policy.cil"], srcs: [":34.0_plat_policy.cil"],
installable: false, installable: false,
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
} }

4
private/compat/29.0/29.0.cil
View file

@ -1,13 +1,15 @@
;; types removed from current policy ;; types removed from current policy
(type ashmemd) (type ashmemd)
(type clatd_exec)
(type clatd)
(type exported_audio_prop) (type exported_audio_prop)
(type exported_dalvik_prop) (type exported_dalvik_prop)
(type exported_vold_prop) (type exported_vold_prop)
(type exported2_config_prop) (type exported2_config_prop)
(type exported2_vold_prop) (type exported2_vold_prop)
(type hal_wifi_offload_hwservice) (type hal_wifi_offload_hwservice)
(type install_recovery)
(type install_recovery_exec) (type install_recovery_exec)
(type install_recovery)
(type mediacodec_service) (type mediacodec_service)
(type perfprofd_data_file) (type perfprofd_data_file)
(type perfprofd_service) (type perfprofd_service)

18
private/compat/30.0/30.0.cil
View file

@ -1,11 +1,16 @@
;; types removed from current policy ;; types removed from current policy
(type adbd_prop)
(type cgroup_bpf) (type cgroup_bpf)
(type device_config_configuration_prop)
(type device_config_storage_native_boot_prop)
(type device_config_sys_traced_prop)
(type device_config_window_manager_native_boot_prop)
(type exported_audio_prop) (type exported_audio_prop)
(type exported_dalvik_prop) (type exported_dalvik_prop)
(type exported_ffs_prop) (type exported_ffs_prop)
(type exported_fingerprint_prop) (type exported_fingerprint_prop)
(type exported_system_radio_prop)
(type exported_radio_prop) (type exported_radio_prop)
(type exported_system_radio_prop)
(type exported_vold_prop) (type exported_vold_prop)
(type exported_wifi_prop) (type exported_wifi_prop)
(type exported2_config_prop) (type exported2_config_prop)
@ -16,8 +21,19 @@
(type exported3_default_prop) (type exported3_default_prop)
(type exported3_radio_prop) (type exported3_radio_prop)
(type ffs_prop) (type ffs_prop)
(type gsid_prop)
(type init_perf_lsm_hooks_prop)
(type init_svc_debug_prop)
(type last_boot_reason_prop)
(type mediatranscoding_exec)
(type netd_stable_secret_prop)
(type pm_prop)
(type system_adbd_prop)
(type system_radio_prop) (type system_radio_prop)
(type thermalcallback_hwservice) (type thermalcallback_hwservice)
(type traced_perf_enabled_prop)
(type userspace_reboot_log_prop)
(type userspace_reboot_test_prop)
(typeattribute binder_in_vendor_violators) (typeattribute binder_in_vendor_violators)

2
tests/Android.bp
View file

@ -50,9 +50,7 @@ python_binary_host {
}, },
libs: [ libs: [
"mini_cil_parser", "mini_cil_parser",
"pysepolwrap",
], ],
data: [":libsepolwrap"],
} }
python_binary_host { python_binary_host {

81
tests/treble_sepolicy_tests.py
View file

@ -16,17 +16,11 @@ from optparse import OptionParser
from optparse import Option, OptionValueError from optparse import Option, OptionValueError
import os import os
import mini_parser import mini_parser
import pkgutil
import policy
from policy import MatchPathPrefix
import re import re
import shutil import shutil
import sys import sys
import tempfile import tempfile
DEBUG=False
SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
''' '''
Verify that Treble compatibility are not broken. Verify that Treble compatibility are not broken.
''' '''
@ -39,13 +33,13 @@ Verify that Treble compatibility are not broken.
### ###
# Make sure that any new public type introduced in the new policy that was not # Make sure that any new public type introduced in the new policy that was not
# present in the old policy has been recorded in the mapping file. # present in the old policy has been recorded in the mapping file.
def TestNoUnmappedNewTypes(test_policy): def TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping):
newt = test_policy.alltypes - test_policy.oldalltypes newt = base_pub_policy.types - old_pub_policy.types
ret = "" ret = ""
violators = [] violators = []
for n in newt: for n in newt:
if n in test_policy.pubtypes and test_policy.compatMapping.rTypeattributesets.get(n) is None: if mapping.rTypeattributesets.get(n) is None:
violators.append(n) violators.append(n)
if len(violators) > 0: if len(violators) > 0:
@ -62,13 +56,13 @@ def TestNoUnmappedNewTypes(test_policy):
### ###
# Make sure that any public type removed in the current policy has its # Make sure that any public type removed in the current policy has its
# declaration added to the mapping file for use in non-platform policy # declaration added to the mapping file for use in non-platform policy
def TestNoUnmappedRmTypes(test_policy): def TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping):
rmt = test_policy.oldalltypes - test_policy.alltypes rmt = old_pub_policy.types - base_pub_policy.types
ret = "" ret = ""
violators = [] violators = []
for o in rmt: for o in rmt:
if o in test_policy.compatMapping.pubtypes and not o in test_policy.compatMapping.types: if o in mapping.pubtypes and not o in mapping.types:
violators.append(o) violators.append(o)
if len(violators) > 0: if len(violators) > 0:
@ -81,9 +75,9 @@ def TestNoUnmappedRmTypes(test_policy):
ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n" ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n"
return ret return ret
def TestTrebleCompatMapping(test_policy): def TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping):
ret = TestNoUnmappedNewTypes(test_policy) ret = TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping)
ret += TestNoUnmappedRmTypes(test_policy) ret += TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping)
return ret return ret
### ###
@ -103,73 +97,38 @@ class MultipleOption(Option):
else: else:
Option.take_action(self, action, dest, opt, value, values, parser) Option.take_action(self, action, dest, opt, value, values, parser)
def do_main(libpath): def do_main():
"""
Args:
libpath: string, path to libsepolwrap.so
"""
test_policy = policy.TestPolicy()
usage = "treble_sepolicy_tests " usage = "treble_sepolicy_tests "
usage += "-p curr_policy -b base_policy -o old_policy " usage += "-b base_pub_policy -o old_pub_policy "
usage += "-m mapping file [--test test] [--help]" usage += "-m mapping file [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage) parser = OptionParser(option_class=MultipleOption, usage=usage)
parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE") parser.add_option("-b", "--base-pub-policy", dest="base_pub_policy",
parser.add_option("-u", "--base-pub-policy", dest="base_pub_policy",
metavar="FILE") metavar="FILE")
parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE") parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE") parser.add_option("-o", "--old-pub-policy", dest="old_pub_policy",
parser.add_option("-p", "--policy", dest="policy", metavar="FILE") metavar="FILE")
(options, args) = parser.parse_args() (options, args) = parser.parse_args()
if not options.policy:
sys.exit("Must specify current monolithic policy file\n" + parser.usage)
if not os.path.exists(options.policy):
sys.exit("Error: policy file " + options.policy + " does not exist\n"
+ parser.usage)
# Mapping files and public platform policy are only necessary for the # Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test. # TrebleCompatMapping test.
if not options.basepolicy:
sys.exit("Must specify the current platform-only policy file\n"
+ parser.usage)
if not options.mapping: if not options.mapping:
sys.exit("Must specify a compatibility mapping file\n" sys.exit("Must specify a compatibility mapping file\n"
+ parser.usage) + parser.usage)
if not options.oldpolicy: if not options.old_pub_policy:
sys.exit("Must specify the previous monolithic policy file\n" sys.exit("Must specify the previous public policy .cil file\n"
+ parser.usage) + parser.usage)
if not options.base_pub_policy: if not options.base_pub_policy:
sys.exit("Must specify the current platform-only public policy " sys.exit("Must specify the current platform-only public policy "
+ ".cil file\n" + parser.usage) + ".cil file\n" + parser.usage)
basepol = policy.Policy(options.basepolicy, None, libpath)
oldpol = policy.Policy(options.oldpolicy, None, libpath)
mapping = mini_parser.MiniCilParser(options.mapping) mapping = mini_parser.MiniCilParser(options.mapping)
pubpol = mini_parser.MiniCilParser(options.base_pub_policy) base_pub_policy = mini_parser.MiniCilParser(options.base_pub_policy)
test_policy.compatSetup(basepol, oldpol, mapping, pubpol.types) old_pub_policy = mini_parser.MiniCilParser(options.old_pub_policy)
pol = policy.Policy(options.policy, None, libpath) results = TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping)
test_policy.setup(pol)
if DEBUG:
test_policy.PrintScontexts()
results = TestTrebleCompatMapping(test_policy)
if len(results) > 0: if len(results) > 0:
sys.exit(results) sys.exit(results)
if __name__ == '__main__': if __name__ == '__main__':
temp_dir = tempfile.mkdtemp() do_main()
try:
libname = "libsepolwrap" + SHARED_LIB_EXTENSION
libpath = os.path.join(temp_dir, libname)
with open(libpath, "wb") as f:
blob = pkgutil.get_data("treble_sepolicy_tests", libname)
if not blob:
sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
f.write(blob)
do_main(libpath)
finally:
shutil.rmtree(temp_dir)

20
treble_sepolicy_tests_for_release.mk
View file

@ -24,10 +24,7 @@ include $(BUILD_SYSTEM)/base_rules.mk
# built to enable us to determine the diff between the current policy and the # built to enable us to determine the diff between the current policy and the
# $(version) policy, which will be used in tests to make sure that compatibility has # $(version) policy, which will be used in tests to make sure that compatibility has
# been maintained by our mapping files. # been maintained by our mapping files.
built_$(version)_plat_sepolicy := $(call intermediates-dir-for,ETC,$(version)_plat_policy)/$(version)_plat_policy built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil
# TODO(b/214336258): move to Soong
$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil $(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
$(version)_mapping.ignore.cil := \ $(version)_mapping.ignore.cil := \
@ -58,27 +55,20 @@ $($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mappi
cat $^ > $@ cat $^ > $@
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
built_sepolicy_files := $(built_product_sepolicy)
public_cil_files := $(base_product_pub_policy.cil) public_cil_files := $(base_product_pub_policy.cil)
else else
built_sepolicy_files := $(built_plat_sepolicy)
public_cil_files := $(base_plat_pub_policy.cil) public_cil_files := $(base_plat_pub_policy.cil)
endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil) $(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files) $(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
$(all_fc_files) $(built_sepolicy) \
$(built_sepolicy_files) \
$(public_cil_files) \ $(public_cil_files) \
$(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil) $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@) @mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \ -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \ -o $(PRIVATE_SEPOLICY_OLD)
-u $(PRIVATE_PLAT_PUB_SEPOLICY)
$(hide) touch $@ $(hide) touch $@
built_sepolicy_files := built_sepolicy_files :=