tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Treblelize bug_map: split bug_map to multiple partitions

Browse source 
* plat_bug_map: Platform-specific bug_map definitions.
* system_ext_bug_map: Product-specific bug_map definitions.
* vendor_bug_map: SOC-specific bug_map definitions.

Bug: 177977370
Test: Boot and check auditd logs
Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
This commit is contained in:
Yi-Yo Chiang 2021-11-08 19:30:04 +08:00
parent 635f273be5
commit 2c18965e27
4 changed files with 143 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
Android.bp
View file

@ -1156,6 +1156,33 @@ se_policy_cil {
installable: false, installable: false,
} }
// bug_map - Bug tracking information for selinux denials loaded by auditd.
se_filegroup {
name: "bug_map_files",
srcs: ["bug_map"],
}
se_bug_map {
name: "plat_bug_map",
srcs: [":bug_map_files"],
stem: "bug_map",
}
se_bug_map {
name: "system_ext_bug_map",
srcs: [":bug_map_files"],
stem: "bug_map",
system_ext_specific: true,
}
se_bug_map {
name: "vendor_bug_map",
srcs: [":bug_map_files"],
// Legacy file name of the vendor partition bug_map.
stem: "selinux_denial_metadata",
vendor: true,
}
////////////////////////////////// //////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy // se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
// Additional directories can be specified via Makefile variables: // Additional directories can be specified via Makefile variables:

26
Android.mk
View file

@ -381,6 +381,7 @@ LOCAL_REQUIRED_MODULES += \
plat_service_contexts_test \ plat_service_contexts_test \
plat_hwservice_contexts \ plat_hwservice_contexts \
plat_hwservice_contexts_test \ plat_hwservice_contexts_test \
plat_bug_map \
searchpolicy \ searchpolicy \
# This conditional inclusion closely mimics the conditional logic # This conditional inclusion closely mimics the conditional logic
@ -455,6 +456,7 @@ LOCAL_REQUIRED_MODULES += \
system_ext_service_contexts \ system_ext_service_contexts \
system_ext_service_contexts_test \ system_ext_service_contexts_test \
system_ext_mac_permissions.xml \ system_ext_mac_permissions.xml \
system_ext_bug_map \
$(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
endif endif
@ -549,6 +551,7 @@ LOCAL_REQUIRED_MODULES += \
vendor_service_contexts \ vendor_service_contexts \
vendor_hwservice_contexts \ vendor_hwservice_contexts \
vendor_hwservice_contexts_test \ vendor_hwservice_contexts_test \
vendor_bug_map \
vndservice_contexts \ vndservice_contexts \
ifdef BOARD_ODM_SEPOLICY_DIRS ifdef BOARD_ODM_SEPOLICY_DIRS
@ -567,9 +570,6 @@ endif
LOCAL_REQUIRED_MODULES += selinux_policy_system_ext LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
LOCAL_REQUIRED_MODULES += selinux_policy_product LOCAL_REQUIRED_MODULES += selinux_policy_product
LOCAL_REQUIRED_MODULES += \
selinux_denial_metadata \
# Builds an addtional userdebug sepolicy into the debug ramdisk. # Builds an addtional userdebug sepolicy into the debug ramdisk.
LOCAL_REQUIRED_MODULES += \ LOCAL_REQUIRED_MODULES += \
userdebug_plat_sepolicy.cil \ userdebug_plat_sepolicy.cil \
@ -1211,26 +1211,6 @@ file_contexts.device.tmp :=
file_contexts.local.tmp := file_contexts.local.tmp :=
file_contexts.modules.tmp := file_contexts.modules.tmp :=
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_denial_metadata
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
$(LOCAL_BUILT_MODULE) : $(bug_files)
@mkdir -p $(dir $@)
cat $^ > $@
bug_files :=
################################## ##################################
include $(LOCAL_PATH)/seapp_contexts.mk include $(LOCAL_PATH)/seapp_contexts.mk

1
build/soong/Android.bp
View file

@ -31,6 +31,7 @@ bootstrap_go_package {
"soong-sysprop", "soong-sysprop",
], ],
srcs: [ srcs: [
"bug_map.go",
"build_files.go", "build_files.go",
"cil_compat_map.go", "cil_compat_map.go",
"compat_cil.go", "compat_cil.go",

112
build/soong/bug_map.go Normal file
View file

@ -0,0 +1,112 @@
// Copyright 2021 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package selinux
import (
"github.com/google/blueprint/proptools"
"android/soong/android"
)
func init() {
android.RegisterModuleType("se_bug_map", bugMapFactory)
}
// se_bug_map collects and installs selinux denial bug tracking information to be loaded by auditd.
func bugMapFactory() android.Module {
c := &bugMap{}
c.AddProperties(&c.properties)
android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
return c
}
type bugMap struct {
android.ModuleBase
properties bugMapProperties
installSource android.Path
installPath android.InstallPath
}
type bugMapProperties struct {
// List of source files. Can reference se_filegroup type modules with the ":module" syntax.
Srcs []string `android:"path"`
// Output file name. Defaults to module name if unspecified.
Stem *string
}
func (b *bugMap) stem() string {
return proptools.StringDefault(b.properties.Stem, b.Name())
}
func (b *bugMap) expandSeSources(ctx android.ModuleContext) android.Paths {
srcPaths := make(android.Paths, 0, len(b.properties.Srcs))
for _, src := range b.properties.Srcs {
if m := android.SrcIsModule(src); m != "" {
module := android.GetModuleFromPathDep(ctx, m, "")
if module == nil {
// Error would have been handled by ExtractSourcesDeps
continue
}
if fg, ok := module.(*fileGroup); ok {
if b.SocSpecific() {
srcPaths = append(srcPaths, fg.VendorSrcs()...)
srcPaths = append(srcPaths, fg.SystemVendorSrcs()...)
} else if b.SystemExtSpecific() {
srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
} else {
srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
}
} else {
ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
}
} else {
srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
}
}
return android.FirstUniquePaths(srcPaths)
}
func (b *bugMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if !b.SocSpecific() && !b.SystemExtSpecific() && !b.Platform() {
ctx.ModuleErrorf("Selinux bug_map can only be installed in system, system_ext and vendor partitions")
}
srcPaths := b.expandSeSources(ctx)
out := android.PathForModuleGen(ctx, b.Name())
ctx.Build(pctx, android.BuildParams{
Rule: android.Cat,
Inputs: srcPaths,
Output: out,
Description: "Combining bug_map for " + b.Name(),
})
b.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
b.installSource = out
ctx.InstallFile(b.installPath, b.stem(), b.installSource)
}
func (b *bugMap) AndroidMkEntries() []android.AndroidMkEntries {
return []android.AndroidMkEntries{android.AndroidMkEntries{
Class: "ETC",
OutputFile: android.OptionalPathForPath(b.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetPath("LOCAL_MODULE_PATH", b.installPath.ToMakePath())
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", b.stem())
},
},
}}
}