Treblelize bug_map: split bug_map to multiple partitions

* plat_bug_map: Platform-specific bug_map definitions. * system_ext_bug_map: Product-specific bug_map definitions. * vendor_bug_map: SOC-specific bug_map definitions. Bug: 177977370 Test: Boot and check auditd logs Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
2021-11-08 19:30:04 +08:00 · 2021-11-08 19:30:04 +08:00 · 2c18965e27
commit 2c18965e27
parent 635f273be5
4 changed files with 143 additions and 23 deletions
--- a/Android.bp
+++ b/Android.bp
@ -1156,6 +1156,33 @@ se_policy_cil {
    installable: false,
 }

+// bug_map - Bug tracking information for selinux denials loaded by auditd.
+se_filegroup {
+    name: "bug_map_files",
+    srcs: ["bug_map"],
+}
+
+se_bug_map {
+    name: "plat_bug_map",
+    srcs: [":bug_map_files"],
+    stem: "bug_map",
+}
+
+se_bug_map {
+    name: "system_ext_bug_map",
+    srcs: [":bug_map_files"],
+    stem: "bug_map",
+    system_ext_specific: true,
+}
+
+se_bug_map {
+    name: "vendor_bug_map",
+    srcs: [":bug_map_files"],
+    // Legacy file name of the vendor partition bug_map.
+    stem: "selinux_denial_metadata",
+    vendor: true,
+}
+
 //////////////////////////////////
 // se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
 // Additional directories can be specified via Makefile variables:
--- a/Android.mk
+++ b/Android.mk
@ -381,6 +381,7 @@ LOCAL_REQUIRED_MODULES += \
    plat_service_contexts_test \
    plat_hwservice_contexts \
    plat_hwservice_contexts_test \
+    plat_bug_map \
    searchpolicy \

 # This conditional inclusion closely mimics the conditional logic
@ -455,6 +456,7 @@ LOCAL_REQUIRED_MODULES += \
    system_ext_service_contexts \
    system_ext_service_contexts_test \
    system_ext_mac_permissions.xml \
+    system_ext_bug_map \
    $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \

 endif
@ -549,6 +551,7 @@ LOCAL_REQUIRED_MODULES += \
    vendor_service_contexts \
    vendor_hwservice_contexts \
    vendor_hwservice_contexts_test \
+    vendor_bug_map \
    vndservice_contexts \

 ifdef BOARD_ODM_SEPOLICY_DIRS
@ -567,9 +570,6 @@ endif
 LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
 LOCAL_REQUIRED_MODULES += selinux_policy_product

-LOCAL_REQUIRED_MODULES += \
-    selinux_denial_metadata \
-
 # Builds an addtional userdebug sepolicy into the debug ramdisk.
 LOCAL_REQUIRED_MODULES += \
    userdebug_plat_sepolicy.cil \
@ -1211,26 +1211,6 @@ file_contexts.device.tmp :=
 file_contexts.local.tmp :=
 file_contexts.modules.tmp :=

-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_denial_metadata
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
-
-$(LOCAL_BUILT_MODULE) : $(bug_files)
-	@mkdir -p $(dir $@)
-	cat $^ > $@
-
-bug_files :=
-
 ##################################
 include $(LOCAL_PATH)/seapp_contexts.mk

--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@ -31,6 +31,7 @@ bootstrap_go_package {
        "soong-sysprop",
    ],
    srcs: [
+        "bug_map.go",
        "build_files.go",
        "cil_compat_map.go",
        "compat_cil.go",
--- a/build/soong/bug_map.go
+++ b/build/soong/bug_map.go
@ -0,0 +1,112 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+	"github.com/google/blueprint/proptools"
+
+	"android/soong/android"
+)
+
+func init() {
+	android.RegisterModuleType("se_bug_map", bugMapFactory)
+}
+
+// se_bug_map collects and installs selinux denial bug tracking information to be loaded by auditd.
+func bugMapFactory() android.Module {
+	c := &bugMap{}
+	c.AddProperties(&c.properties)
+	android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+	return c
+}
+
+type bugMap struct {
+	android.ModuleBase
+	properties    bugMapProperties
+	installSource android.Path
+	installPath   android.InstallPath
+}
+
+type bugMapProperties struct {
+	// List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+	Srcs []string `android:"path"`
+
+	// Output file name. Defaults to module name if unspecified.
+	Stem *string
+}
+
+func (b *bugMap) stem() string {
+	return proptools.StringDefault(b.properties.Stem, b.Name())
+}
+
+func (b *bugMap) expandSeSources(ctx android.ModuleContext) android.Paths {
+	srcPaths := make(android.Paths, 0, len(b.properties.Srcs))
+	for _, src := range b.properties.Srcs {
+		if m := android.SrcIsModule(src); m != "" {
+			module := android.GetModuleFromPathDep(ctx, m, "")
+			if module == nil {
+				// Error would have been handled by ExtractSourcesDeps
+				continue
+			}
+			if fg, ok := module.(*fileGroup); ok {
+				if b.SocSpecific() {
+					srcPaths = append(srcPaths, fg.VendorSrcs()...)
+					srcPaths = append(srcPaths, fg.SystemVendorSrcs()...)
+				} else if b.SystemExtSpecific() {
+					srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
+				} else {
+					srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
+				}
+			} else {
+				ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
+			}
+		} else {
+			srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
+		}
+	}
+	return android.FirstUniquePaths(srcPaths)
+}
+
+func (b *bugMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	if !b.SocSpecific() && !b.SystemExtSpecific() && !b.Platform() {
+		ctx.ModuleErrorf("Selinux bug_map can only be installed in system, system_ext and vendor partitions")
+	}
+
+	srcPaths := b.expandSeSources(ctx)
+	out := android.PathForModuleGen(ctx, b.Name())
+	ctx.Build(pctx, android.BuildParams{
+		Rule:        android.Cat,
+		Inputs:      srcPaths,
+		Output:      out,
+		Description: "Combining bug_map for " + b.Name(),
+	})
+
+	b.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+	b.installSource = out
+	ctx.InstallFile(b.installPath, b.stem(), b.installSource)
+}
+
+func (b *bugMap) AndroidMkEntries() []android.AndroidMkEntries {
+	return []android.AndroidMkEntries{android.AndroidMkEntries{
+		Class:      "ETC",
+		OutputFile: android.OptionalPathForPath(b.installSource),
+		ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+			func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+				entries.SetPath("LOCAL_MODULE_PATH", b.installPath.ToMakePath())
+				entries.SetString("LOCAL_INSTALLED_MODULE_STEM", b.stem())
+			},
+		},
+	}}
+}