From 2c18965e27552ab284d4310ffa8da76a3f845462 Mon Sep 17 00:00:00 2001
From: Yi-Yo Chiang
Date: Mon, 8 Nov 2021 19:30:04 +0800
Subject: [PATCH] Treblelize bug_map: split bug_map to multiple partitions
* plat_bug_map: Platform-specific bug_map definitions.
* system_ext_bug_map: Product-specific bug_map definitions.
* vendor_bug_map: SOC-specific bug_map definitions.
Bug: 177977370
Test: Boot and check auditd logs
Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
---
 Android.bp | 27 ++++++++++
 Android.mk | 26 ++--------
 build/soong/Android.bp | 1 +
 build/soong/bug_map.go | 112 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 143 insertions(+), 23 deletions(-)
 create mode 100644 build/soong/bug_map.go
diff --git a/Android.bp b/Android.bp
index e51735648..8ee5cbc19 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1156,6 +1156,33 @@ se_policy_cil {
 installable: false,
 }
+// bug_map - Bug tracking information for selinux denials loaded by auditd.
+se_filegroup {
+ name: "bug_map_files",
+ srcs: ["bug_map"],
+}
+
+se_bug_map {
+ name: "plat_bug_map",
+ srcs: [":bug_map_files"],
+ stem: "bug_map",
+}
+
+se_bug_map {
+ name: "system_ext_bug_map",
+ srcs: [":bug_map_files"],
+ stem: "bug_map",
+ system_ext_specific: true,
+}
+
+se_bug_map {
+ name: "vendor_bug_map",
+ srcs: [":bug_map_files"],
+ // Legacy file name of the vendor partition bug_map.
+ stem: "selinux_denial_metadata",
+ vendor: true,
+}
+
 //////////////////////////////////
 // se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
 // Additional directories can be specified via Makefile variables:
diff --git a/Android.mk b/Android.mk
index 6fd84e998..efacc1b55 100644
--- a/Android.mk
+++ b/Android.mk
@@ -381,6 +381,7 @@ LOCAL_REQUIRED_MODULES += \
 plat_service_contexts_test \
 plat_hwservice_contexts \
 plat_hwservice_contexts_test \
+ plat_bug_map \
 searchpolicy \
 # This conditional inclusion closely mimics the conditional logic
@@ -455,6 +456,7 @@ LOCAL_REQUIRED_MODULES += \
 system_ext_service_contexts \
 system_ext_service_contexts_test \
 system_ext_mac_permissions.xml \
+ system_ext_bug_map \
 $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
 endif
@@ -549,6 +551,7 @@ LOCAL_REQUIRED_MODULES += \
 vendor_service_contexts \
 vendor_hwservice_contexts \
 vendor_hwservice_contexts_test \
+ vendor_bug_map \
 vndservice_contexts \
 ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -567,9 +570,6 @@ endif
 LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
 LOCAL_REQUIRED_MODULES += selinux_policy_product
-LOCAL_REQUIRED_MODULES += \
- selinux_denial_metadata \
-
 # Builds an addtional userdebug sepolicy into the debug ramdisk.
 LOCAL_REQUIRED_MODULES += \
 userdebug_plat_sepolicy.cil \
@@ -1211,26 +1211,6 @@ file_contexts.device.tmp :=
 file_contexts.local.tmp :=
 file_contexts.modules.tmp :=
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_denial_metadata
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
-
-$(LOCAL_BUILT_MODULE) : $(bug_files)
- @mkdir -p $(dir $@)
- cat $^ > $@
-
-bug_files :=
-
 ##################################
 include $(LOCAL_PATH)/seapp_contexts.mk
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 3126430b6..e3b6541ce 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -31,6 +31,7 @@ bootstrap_go_package {
 "soong-sysprop",
 ],
 srcs: [
+ "bug_map.go",
 "build_files.go",
 "cil_compat_map.go",
 "compat_cil.go",
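Review bot: The removed selinux_denial_metadata rule concatenated bug_map entries from $(LOCAL_PATH), $(PLAT_PRIVATE_POLICY), $(PLAT_VENDOR_POLICY), $(BOARD_VENDOR_SEPOLICY_DIRS) and $(PLAT_PUBLIC_POLICY) into the single vendor file, while its replacement vendor_bug_map (bug_map.go in this patch) appears to collect only the filegroup's vendor and system-vendor sources, so platform entries stop appearing in /vendor/etc/selinux/selinux_denial_metadata and exist only in the system and system_ext copies. If that is the intent, the commit message, which only records a boot test, should say that auditd now loads all three files, so that a reader of the -567 hunk above (which merely drops the old module from LOCAL_REQUIRED_MODULES) knows where the platform entries went. A one-line comment next to the vendor_bug_map module in Android.bp, e.g. `// Vendor entries only; platform entries are in plat_bug_map / system_ext_bug_map.`, would record the same thing at the definition.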
diff --git a/build/soong/bug_map.go b/build/soong/bug_map.go
new file mode 100644
index 000000000..91c634727
--- /dev/null
+++ b/build/soong/bug_map.go
@@ -0,0 +1,112 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_bug_map", bugMapFactory)
+}
+
+// se_bug_map collects and installs selinux denial bug tracking information to be loaded by auditd.
+func bugMapFactory() android.Module {
+ c := &bugMap{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+type bugMap struct {
+ android.ModuleBase
+ properties bugMapProperties
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+type bugMapProperties struct {
+ // List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+ Srcs []string `android:"path"`
+
+ // Output file name. Defaults to module name if unspecified.
+ Stem *string
+}
+
+func (b *bugMap) stem() string {
+ return proptools.StringDefault(b.properties.Stem, b.Name())
+}
+
+func (b *bugMap) expandSeSources(ctx android.ModuleContext) android.Paths {
+ srcPaths := make(android.Paths, 0, len(b.properties.Srcs))
+ for _, src := range b.properties.Srcs {
+ if m := android.SrcIsModule(src); m != "" {
+ module := android.GetModuleFromPathDep(ctx, m, "")
+ if module == nil {
+ // Error would have been handled by ExtractSourcesDeps
+ continue
+ }
+ if fg, ok := module.(*fileGroup); ok {
+ if b.SocSpecific() {
+ srcPaths = append(srcPaths, fg.VendorSrcs()...)
+ srcPaths = append(srcPaths, fg.SystemVendorSrcs()...)
+ } else if b.SystemExtSpecific() {
+ srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
+ } else {
+ srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
+ }
+ } else {
+ ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
+ }
+ } else {
+ srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
+ }
+ }
+ return android.FirstUniquePaths(srcPaths)
+}
+
+func (b *bugMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if !b.SocSpecific() && !b.SystemExtSpecific() && !b.Platform() {
+ ctx.ModuleErrorf("Selinux bug_map can only be installed in system, system_ext and vendor partitions")
+ }
+
+ srcPaths := b.expandSeSources(ctx)
+ out := android.PathForModuleGen(ctx, b.Name())
+ ctx.Build(pctx, android.BuildParams{
+ Rule: android.Cat,
+ Inputs: srcPaths,
+ Output: out,
+ Description: "Combining bug_map for " + b.Name(),
+ })
+
+ b.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ b.installSource = out
+ ctx.InstallFile(b.installPath, b.stem(), b.installSource)
+}
+
+func (b *bugMap) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(b.installSource),
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext,
entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", b.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", b.stem())
+ },
+ },
+ }}
+}
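Review bot: GenerateAndroidBuildActions reports the unsupported-partition case with ctx.ModuleErrorf but then falls through and still emits the Cat rule and the ctx.InstallFile call for a module whose partition was just rejected; the usual Soong pattern is to stop there, so add `return` directly after the ModuleErrorf line. The condition mirrors the message (system, system_ext, vendor), which means a `product_specific` or `device_specific` se_bug_map is rejected as well; saying so in the se_bug_map comment above bugMapFactory would save the next person a build round-trip. In expandSeSources the `module == nil` branch assumes a dependency was registered for each `:module` entry in Srcs by the path-tag machinery behind `android:"path"`, which is not visible in this file, so the comment naming ExtractSourcesDeps is worth checking against how the other modules in this package declare their deps. Minor: `[]android.AndroidMkEntries{android.AndroidMkEntries{` is what gofmt -s rewrites to `[]android.AndroidMkEntries{{`.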