From 5d7423ff3de9dc79863e5af61a30a53eebc12691 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Wed, 6 Sep 2023 14:39:49 +0900 Subject: [PATCH 1/2] Build prebuilt policy with Soong ... and remove redundant Makefile codes. This also updates commit hook as we now only use Soong to build sepolicy. Bug: 296875906 Test: m selinux_policy Change-Id: I93f0d222a0c10e31c51c9380780a8927c47d62b1 --- Android.bp | 46 ----------- Android.mk | 109 +++++---------------------- build/soong/policy.go | 1 - definitions.mk | 39 ---------- policy_version.mk | 4 - prebuilts/api/29.0/Android.bp | 27 +++++++ prebuilts/api/30.0/Android.bp | 27 +++++++ prebuilts/api/31.0/Android.bp | 27 +++++++ prebuilts/api/32.0/Android.bp | 27 +++++++ prebuilts/api/33.0/Android.bp | 27 +++++++ prebuilts/api/34.0/Android.bp | 27 +++++++ tools/Android.mk | 3 - tools/policy_version_check.sh | 2 +- treble_sepolicy_tests_for_release.mk | 67 +--------------- 14 files changed, 183 insertions(+), 250 deletions(-) delete mode 100644 definitions.mk delete mode 100644 policy_version.mk delete mode 100644 tools/Android.mk diff --git a/Android.bp b/Android.bp index dedcf6380..3c53931db 100644 --- a/Android.bp +++ b/Android.bp @@ -752,33 +752,6 @@ se_policy_binary { }, } -se_policy_conf { - name: "base_system_ext_sepolicy.conf", - srcs: plat_public_policy + - plat_private_policy + - system_ext_public_policy + - system_ext_private_policy, - build_variant: "user", - installable: false, - system_ext_specific: true, -} - -se_policy_cil { - name: "base_system_ext_sepolicy.cil", - src: ":base_system_ext_sepolicy.conf", - additional_cil_files: ["private/technical_debt.cil"], - system_ext_specific: true, - installable: false, - secilc_check: false, // done by se_policy_binary -} - -se_policy_binary { - name: "base_system_ext_sepolicy", - srcs: [":base_system_ext_sepolicy.cil"], - system_ext_specific: true, - installable: false, -} - se_policy_conf { name: "base_product_sepolicy.conf", srcs: plat_public_policy + 
@@ -827,25 +800,6 @@ se_policy_cil { }, } -se_policy_conf { - name: "base_system_ext_pub_policy.conf", - srcs: plat_public_policy + - system_ext_public_policy + - reqd_mask_policy, - build_variant: "user", - installable: false, - system_ext_specific: true, -} - -se_policy_cil { - name: "base_system_ext_pub_policy.cil", - src: ":base_system_ext_pub_policy.conf", - filter_out: [":reqd_policy_mask.cil"], - secilc_check: false, - installable: false, - system_ext_specific: true, -} - se_policy_conf { name: "base_product_pub_policy.conf", srcs: plat_public_policy + diff --git a/Android.mk b/Android.mk index b39ee440d..93db82aa1 100644 --- a/Android.mk +++ b/Android.mk @@ -1,13 +1,7 @@ LOCAL_PATH:= $(call my-dir) -include $(LOCAL_PATH)/definitions.mk -include $(LOCAL_PATH)/policy_version.mk - include $(CLEAR_VARS) -MLS_SENS=1 -MLS_CATS=1024 - ifdef BOARD_SEPOLICY_UNION $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.) endif @@ -73,7 +67,6 @@ ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY)) HAS_PRODUCT_SEPOLICY_DIR := true endif -NEVERALLOW_ARG := ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) ifeq ($(TARGET_BUILD_VARIANT),user) $(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds) @@ -81,7 +74,6 @@ endif $(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \ It does not work in user builds and using it will \ not stop you from failing CTS.) -NEVERALLOW_ARG := -N endif # BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before. 
@@ -170,36 +162,11 @@ ifdef HAS_PRODUCT_SEPOLICY_DIR endif endif # ifdef HAS_PRODUCT_SEPOLICY_DIR -# CIL files which contain workarounds for current limitation of human-readable -# module policy language. These files are appended to the CIL files produced -# from module language files. -sepolicy_build_cil_workaround_files := technical_debt.cil - -my_target_arch := $(TARGET_ARCH) -ifneq (,$(filter mips mips64,$(TARGET_ARCH))) - my_target_arch := mips -endif - -intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates - with_asan := false ifneq (,$(filter address,$(SANITIZE_TARGET))) with_asan := true endif -with_native_coverage := false -ifeq ($(NATIVE_COVERAGE),true) - with_native_coverage := true -endif -ifeq ($(CLANG_COVERAGE),true) - with_native_coverage := true -endif - -treble_sysprop_neverallow := true -ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true) - treble_sysprop_neverallow := false -endif - ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) #$(warning no product shipping level defined) else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),) @@ -208,16 +175,6 @@ else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),) endif endif -enforce_sysprop_owner := true -ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true) - enforce_sysprop_owner := false -endif - -enforce_debugfs_restriction := false -ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true) - enforce_debugfs_restriction := true -endif - ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) #$(warning no product shipping level defined) else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),) @@ -226,13 +183,6 @@ else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),) endif endif -# Library extension for host-side tests -ifeq ($(HOST_OS),darwin) -SHAREDLIB_EXT=dylib -else -SHAREDLIB_EXT=so -endif - ################################# include $(CLEAR_VARS) 
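Review bot: `with_asan` is the one m4-define helper this hunk keeps while its siblings (with_native_coverage, treble_sysprop_neverallow, enforce_sysprop_owner, enforce_debugfs_restriction) are removed, yet the only consumer visible in this patch, `$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)` in treble_sepolicy_tests_for_release.mk, is deleted by the same commit. If nothing else in Android.mk still reads it, the three-line block here and the `with_asan :=` reset in the last Android.mk hunk can go too. If something does read it, a comment such as `# with_asan: still read by <remaining consumer>` above the block would save the next cleanup from guessing.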
@@ -480,16 +430,6 @@ include $(BUILD_PHONY_PACKAGE) # Policy files are now built with Android.bp. Grab them from intermediate. # See Android.bp for details of policy files. # -built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil - -ifdef HAS_SYSTEM_EXT_SEPOLICY -built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil -endif # ifdef HAS_SYSTEM_EXT_SEPOLICY - -ifdef HAS_PRODUCT_SEPOLICY -built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil -endif # ifdef HAS_PRODUCT_SEPOLICY - built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows @@ -542,6 +482,23 @@ ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY))) endif +########################################################### +## Collect file_contexts files into a single tmp file with m4 +## +## $(1): list of file_contexts files +## $(2): filename into which file_contexts files are merged +########################################################### + +define _merge-fc-files +$(2): $(1) $(M4) + $(hide) mkdir -p $$(dir $$@) + $(hide) $(M4) --fatal-warnings -s $(1) > $$@ +endef + +define merge-fc-files +$(eval $(call _merge-fc-files,$(1),$(2))) +endef + file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp $(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp)) 
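Review bot: The `_merge-fc-files` template moved into this file writes m4's output straight into `$$@`, so if m4 exits non-zero under `--fatal-warnings` after the shell has already opened the file, a truncated file_contexts temp with a fresh mtime can be left behind unless the build driver removes failed outputs. Writing through a temp name keeps the output atomic: `$(hide) $(M4) --fatal-warnings -s $(1) > $$@.tmp && mv -f $$@.tmp $$@`. The header comment could also state that the template is instantiated through `$(eval)` by `merge-fc-files`, which is why `$$@` is doubled while `$(1)`/`$(2)` are not — the mix is correct but reads as a typo without that line.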
@@ -581,32 +538,14 @@ $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< -built_fc := $(LOCAL_BUILT_MODULE) local_fc_files := -local_fcfiles_with_nl := device_fc_files := -device_fcfiles_with_nl := file_contexts.concat.tmp := file_contexts.device.sorted.tmp := file_contexts.device.tmp := file_contexts.local.tmp := file_contexts.modules.tmp := -################################## - -all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts -all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts -ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR -all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts -endif -ifdef HAS_PRODUCT_SEPOLICY_DIR -all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts -endif -ifdef BOARD_ODM_SEPOLICY_DIRS -all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts -endif -all_fc_args := $(foreach file, $(all_fc_files), -f $(file)) - ################################## # Tests for Treble compatibility of current platform policy and vendor policy of # given release version. @@ -630,8 +569,6 @@ built_product_sepolicy := base_plat_pub_policy.cil := base_system_ext_pub_polcy.cil := base_product_pub_policy.cil := -all_fc_files := -all_fc_args := ################################# @@ -639,19 +576,7 @@ all_fc_args := build_vendor_policy := build_odm_policy := build_policy := -built_plat_cil := -built_system_ext_cil := -built_product_cil := built_sepolicy := built_sepolicy_neverallows := -built_plat_svc := -built_vendor_svc := -treble_sysprop_neverallow := -enforce_sysprop_owner := -enforce_debugfs_restriction := -my_target_arch := sepolicy_build_files := -sepolicy_build_cil_workaround_files := with_asan := - -include $(call all-makefiles-under,$(LOCAL_PATH)) diff --git a/build/soong/policy.go b/build/soong/policy.go index d8c3ffb85..0793e2ac8 100644 
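Review bot: The clear-out list this hunk trims still contains `base_system_ext_pub_polcy.cil :=` (a context line, note the misspelling), so the real `base_system_ext_pub_policy.cil` variable has never been reset here. With the base_system_ext_* Soong modules removed earlier in this patch, it is worth checking whether that variable and its `base_plat_pub_policy.cil`/`base_product_pub_policy.cil` neighbours are still assigned anywhere, and then either fixing the spelling or deleting the three lines.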
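Review bot: Dropping `include $(call all-makefiles-under,$(LOCAL_PATH))` at the end of this hunk means any Android.mk that still lives in a subdirectory of system/sepolicy is no longer parsed at all, because the top-level build only picks up the outermost Android.mk of a directory tree and relies on it to include the rest. tools/Android.mk is deleted in this patch, so this is fine if it was the last one, but that is worth confirming (`find . -mindepth 2 -name Android.mk`) and stating in the commit message. If the intent is that subdirectories must use Android.bp from now on, a one-line comment at the end of the file saying so would prevent a future Android.mk from being added and silently ignored.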
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -27,7 +27,6 @@ import (
 )
 const (
- // TODO: sync with Android.mk
 MlsSens = 1
 MlsCats = 1024
 PolicyVers = 30
diff --git a/definitions.mk b/definitions.mk
deleted file mode 100644
index 63c4d94af..000000000
--- a/definitions.mk
+++ /dev/null
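Review bot: With the `// TODO: sync with Android.mk` line gone, nothing in this const block records that `PolicyVers = 30` is now scraped textually by tools/policy_version_check.sh (changed later in this patch to `awk -F= '/PolicyVers/ ...' build/soong/policy.go`), so renaming the constant or reshaping the line (`PolicyVers int = 30`, an iota group) would break that check silently. Replace the removed TODO with `// PolicyVers is parsed by tools/policy_version_check.sh; keep the "PolicyVers = N" form.` so the coupling stays visible. A similar one-liner noting that MlsSens/MlsCats are now the only definition (the Makefile's MLS_SENS/MLS_CATS are deleted by this patch) would help too.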
@@ -1,39 +0,0 @@ -# Command to turn collection of policy files into a policy.conf file to be -# processed by checkpolicy -define transform-policy-to-conf -@mkdir -p $(dir $@) -$(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \ - -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ - -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \ - -D target_with_dexpreopt=$(WITH_DEXPREOPT) \ - -D target_arch=$(PRIVATE_TGT_ARCH) \ - -D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \ - -D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \ - -D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \ - -D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \ - -D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \ - -D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \ - -D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \ - -D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \ - -D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \ - $(PRIVATE_TGT_RECOVERY) \ - -s $(PRIVATE_POLICY_FILES) > $@ -endef -.KATI_READONLY := transform-policy-to-conf - -########################################################### -## Collect file_contexts files into a single tmp file with m4 -## -## $(1): list of file_contexts files -## $(2): filename into which file_contexts files are merged -########################################################### - -define _merge-fc-files -$(2): $(1) $(M4) - $(hide) mkdir -p $$(dir $$@) - $(hide) $(M4) --fatal-warnings -s $(1) > $$@ -endef - -define merge-fc-files -$(eval $(call _merge-fc-files,$(1),$(2))) -endef diff --git a/policy_version.mk b/policy_version.mk deleted file mode 100644 index e6bb74722..000000000 --- a/policy_version.mk +++ /dev/null 
@@ -1,4 +0,0 @@
-# SELinux policy version.
-# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
-# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
diff --git a/prebuilts/api/29.0/Android.bp b/prebuilts/api/29.0/Android.bp
index 34052a249..f7918783d 100644
--- a/prebuilts/api/29.0/Android.bp
+++ b/prebuilts/api/29.0/Android.bp
@@ -26,3 +26,30 @@ se_policy_cil {
 secilc_check: false,
 installable: false,
 }
+
+se_policy_conf {
+ name: "29.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_29.0}",
+ ":se_build_files{.plat_private_29.0}",
+ ":se_build_files{.system_ext_public_29.0}",
+ ":se_build_files{.system_ext_private_29.0}",
+ ":se_build_files{.product_public_29.0}",
+ ":se_build_files{.product_private_29.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_plat_policy.cil",
+ src: ":29.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_29.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "29.0_plat_policy",
+ srcs: [":29.0_plat_policy.cil"],
+ installable: false,
+}
diff --git a/prebuilts/api/30.0/Android.bp b/prebuilts/api/30.0/Android.bp
index 0e51bb7b9..c124c104e 100644
--- a/prebuilts/api/30.0/Android.bp
+++ b/prebuilts/api/30.0/Android.bp
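Review bot: The three new modules carry no comment explaining why a non-installable `29.0_plat_policy` binary is built from prebuilt sources, and the identical trio is added for 30.0 through 34.0 in the following hunks, so the purpose should be stated once per file, e.g. above `se_policy_conf`: `// Platform policy compiled from the 29.0 prebuilts; consumed by treble_sepolicy_tests_for_release.mk to diff against the current policy. Not installed.` `build_variant: "user"` is deliberate (the Makefile rule this replaces hard-coded `PRIVATE_TARGET_BUILD_VARIANT := user`) and deserves a short note, since a reader might otherwise expect it to follow TARGET_BUILD_VARIANT. Six copies differing only in the version string would also be easier to keep in sync through a shared defaults module, if the se_policy_* module types support one.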
@@ -26,3 +26,30 @@ se_policy_cil {
 secilc_check: false,
 installable: false,
 }
+
+se_policy_conf {
+ name: "30.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_30.0}",
+ ":se_build_files{.plat_private_30.0}",
+ ":se_build_files{.system_ext_public_30.0}",
+ ":se_build_files{.system_ext_private_30.0}",
+ ":se_build_files{.product_public_30.0}",
+ ":se_build_files{.product_private_30.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_plat_policy.cil",
+ src: ":30.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_30.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "30.0_plat_policy",
+ srcs: [":30.0_plat_policy.cil"],
+ installable: false,
+}
diff --git a/prebuilts/api/31.0/Android.bp b/prebuilts/api/31.0/Android.bp
index 569717376..d6c02db53 100644
--- a/prebuilts/api/31.0/Android.bp
+++ b/prebuilts/api/31.0/Android.bp
@@ -26,3 +26,30 @@ se_policy_cil {
 secilc_check: false,
 installable: false,
 }
+
+se_policy_conf {
+ name: "31.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_31.0}",
+ ":se_build_files{.plat_private_31.0}",
+ ":se_build_files{.system_ext_public_31.0}",
+ ":se_build_files{.system_ext_private_31.0}",
+ ":se_build_files{.product_public_31.0}",
+ ":se_build_files{.product_private_31.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_plat_policy.cil",
+ src: ":31.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_31.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "31.0_plat_policy",
+ srcs: [":31.0_plat_policy.cil"],
+ installable: false,
+}
diff --git a/prebuilts/api/32.0/Android.bp b/prebuilts/api/32.0/Android.bp
index 723f743fc..9c4929402 100644
--- a/prebuilts/api/32.0/Android.bp
+++ b/prebuilts/api/32.0/Android.bp
@@ -26,3 +26,30 @@ se_policy_cil {
 secilc_check: false,
 installable: false,
 }
+
+se_policy_conf {
+ name: "32.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_32.0}",
+ ":se_build_files{.plat_private_32.0}",
+ ":se_build_files{.system_ext_public_32.0}",
+ ":se_build_files{.system_ext_private_32.0}",
+ ":se_build_files{.product_public_32.0}",
+ ":se_build_files{.product_private_32.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_plat_policy.cil",
+ src: ":32.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_32.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "32.0_plat_policy",
+ srcs: [":32.0_plat_policy.cil"],
+ installable: false,
+}
diff --git a/prebuilts/api/33.0/Android.bp b/prebuilts/api/33.0/Android.bp
index df4da89f5..327fc1165 100644
--- a/prebuilts/api/33.0/Android.bp
+++ b/prebuilts/api/33.0/Android.bp
@@ -26,3 +26,30 @@ se_policy_cil {
 secilc_check: false,
 installable: false,
 }
+
+se_policy_conf {
+ name: "33.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_33.0}",
+ ":se_build_files{.plat_private_33.0}",
+ ":se_build_files{.system_ext_public_33.0}",
+ ":se_build_files{.system_ext_private_33.0}",
+ ":se_build_files{.product_public_33.0}",
+ ":se_build_files{.product_private_33.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_plat_policy.cil",
+ src: ":33.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_33.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "33.0_plat_policy",
+ srcs: [":33.0_plat_policy.cil"],
+ installable: false,
+}
diff --git a/prebuilts/api/34.0/Android.bp b/prebuilts/api/34.0/Android.bp
index e962848b6..474e29b2d 100644
--- a/prebuilts/api/34.0/Android.bp
+++ b/prebuilts/api/34.0/Android.bp
@@ -26,3 +26,30 @@ se_policy_cil {
 secilc_check: false,
 installable: false,
 }
+
+se_policy_conf {
+ name: "34.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_34.0}",
+ ":se_build_files{.plat_private_34.0}",
+ ":se_build_files{.system_ext_public_34.0}",
+ ":se_build_files{.system_ext_private_34.0}",
+ ":se_build_files{.product_public_34.0}",
+ ":se_build_files{.product_private_34.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_plat_policy.cil",
+ src: ":34.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_34.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "34.0_plat_policy",
+ srcs: [":34.0_plat_policy.cil"],
+ installable: false,
+}
diff --git a/tools/Android.mk b/tools/Android.mk
deleted file mode 100644
index 34f43859f..000000000
--- a/tools/Android.mk
+++ /dev/null
@@ -1,3 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/policy_version_check.sh b/tools/policy_version_check.sh
index 33ce8618a..f82c53d27 100755
--- a/tools/policy_version_check.sh
+++ b/tools/policy_version_check.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]')
+MK=$(awk -F= '/PolicyVers/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')
 BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
 if [ "$MK" != "$BP" ]; then
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 45845ab34..761f59bf1 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
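Review bot: `awk -F= '/PolicyVers/ { print $2 }' build/soong/policy.go` matches every line of policy.go that mentions `PolicyVers`, not just the constant definition; the old policy_version.mk had a single line, but a Go source file can reference the constant elsewhere, and any such line that also contains `=` (a `:=` assignment, a struct literal) would print a second field that the `tr` pipe glues onto MK, making the comparison fail or, worse, pass by coincidence. Anchor the match to the definition line: `MK=$(awk -F= '/^[[:space:]]*PolicyVers[[:space:]]*=/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')`. A one-line comment above it, `# PolicyVers in build/soong/policy.go is the single source of truth; Android.bp must agree`, would also explain why MK is read from a Go file.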
@@ -11,15 +11,9 @@ LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE LOCAL_MODULE_CLASS := FAKE LOCAL_MODULE_TAGS := optional -# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy -# make file of the system_ext partition. -SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR) -# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy -# make file of the product partition. -PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR) IS_TREBLE_TEST_ENABLED_PARTNER := false ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),) -ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY)) +ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR)) IS_TREBLE_TEST_ENABLED_PARTNER := true endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY)) endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),) 
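Review bot: The `endif` right after the changed condition still reads `endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))`, naming the two variables this hunk deletes; change it to `endif # (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))` so it matches the `ifneq` it closes. The deleted header comments were also the only place documenting that BOARD_SYSTEM_EXT_PREBUILT_DIR and BOARD_PRODUCT_PREBUILT_DIR are set by the partition's own sepolicy makefile, so a one-line comment above `IS_TREBLE_TEST_ENABLED_PARTNER := false` should carry that over.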
@@ -30,60 +24,11 @@ include $(BUILD_SYSTEM)/base_rules.mk # built to enable us to determine the diff between the current policy and the # $(version) policy, which will be used in tests to make sure that compatibility has # been maintained by our mapping files. -$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public -$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private -ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) -ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)) -$(version)_PLAT_PUBLIC_POLICY += \ - $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public -$(version)_PLAT_PRIVATE_POLICY += \ - $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private -endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)) -ifneq (,$(PRODUCT_PREBUILT_POLICY)) -$(version)_PLAT_PUBLIC_POLICY += \ - $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public -$(version)_PLAT_PRIVATE_POLICY += \ - $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private -endif # (,$(PRODUCT_PREBUILT_POLICY)) -endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) -policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY)) -$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf -$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) -$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user -$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) -$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) -$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) -$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true -$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) -$($(version)_plat_policy.conf): $(policy_files) $(M4) 
- $(transform-policy-to-conf) - $(hide) sed '/dontaudit/d' $@ > $@.dontaudit - -policy_files := - -built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy -$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \ - $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY)) -$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) -$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ - $(HOST_OUT_EXECUTABLES)/secilc \ - $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \ - $(built_sepolicy_neverallows) - @mkdir -p $(dir $@) - $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ - $(POLICYVERS) -o $@ $< - $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@ - $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null - -$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy) +built_$(version)_plat_sepolicy := $(call intermediates-dir-for,ETC,$(version)_plat_policy)/$(version)_plat_policy # TODO(b/214336258): move to Soong $(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy) -$(version)_plat_policy.conf := - $(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil $(version)_mapping.ignore.cil := \ $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil 
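Review bot: The surviving comment above `built_$(version)_plat_sepolicy` (`# built to enable us to determine the diff between the current policy and the ... # been maintained by our mapping files.`, starting outside the hunk) still describes this file as building the $(version) platform policy, but after this hunk the policy is built in Soong and the line only resolves its path. Reword it, e.g. `# The $(version) platform policy is built by Soong ($(version)_plat_policy in prebuilts/api/$(version)/Android.bp); this only locates its intermediate output.` The `intermediates-dir-for` lookup also relies on Soong exporting that non-installable module to Make under class ETC, the same way `built_sepolicy_neverallows` is fetched in Android.mk; if that export changes, the path resolves to a file no rule produces, so it is worth saying so in the same comment.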
@@ -106,6 +51,7 @@ endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true) # combining the current platform policy with nonplatform policy based on the # $(version) policy release and also a special ignored file that exists purely for # these tests. +intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates $(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil $($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil) mkdir -p $(dir $@) @@ -135,15 +81,8 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \ -u $(PRIVATE_PLAT_PUB_SEPOLICY) $(hide) touch $@ -$(version)_SYSTEM_EXT_PUBLIC_POLICY := -$(version)_SYSTEM_EXT_PRIVATE_POLICY := -$(version)_PRODUCT_PUBLIC_POLICY := -$(version)_PRODUCT_PRIVATE_POLICY := -$(version)_PLAT_PUBLIC_POLICY := -$(version)_PLAT_PRIVATE_POLICY := built_sepolicy_files := public_cil_files := -cil_files := $(version)_mapping.cil := $(version)_mapping.combined.cil := $(version)_mapping.ignore.cil := From 0d49b9bc285e749a78c1f65f264fd0a133a5476f Mon Sep 17 00:00:00 2001 
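Review bot: `intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates` is assigned after the `include $(BUILD_SYSTEM)/base_rules.mk` earlier in this file, which normally sets `intermediates` for the module from `LOCAL_MODULE_CLASS := FAKE`; overriding it with an ETC path puts `$(LOCAL_BUILT_MODULE)` and the `$(version)_mapping.combined.cil` temp files in different directories and hard-codes a layout the build system already computes. Unless the ETC location is needed by something else, use the value base_rules.mk provides (drop the line) or derive it, `intermediates := $(call intermediates-dir-for,FAKE,$(LOCAL_MODULE))`. Either way a comment should explain the choice, since the previous global `intermediates` came from Android.mk and is removed by this patch.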
From: Inseob Kim
Date: Wed, 6 Sep 2023 18:01:53 +0900
Subject: [PATCH 2/2] Use only public cil files for Treble compat test
Rationale for this change: 1) Vendors use only public files, so we should be able to use only public cil files for compatibility test. 2) treble_sepolicy_tests_for_release.mk is too complex, because it requires compiled sepolicy. Reducing the complexity will help migrate into REL build. 3) This fixes a tiny bug of treble_sepolicy_tests that it can't catch public types being moved to private types, and then removed. 29.0.cil and 30.0.cil change contains such missing public types.
Bug: 296875906
Test: m selinux_policy (with/without intentional breakage)
Change-Id: Ia2c0733176df898f268b5680195da25b588b09c7
---
 prebuilts/api/29.0/Android.bp | 3 ++
 prebuilts/api/30.0/Android.bp | 3 ++
 prebuilts/api/31.0/Android.bp | 3 ++
 prebuilts/api/32.0/Android.bp | 3 ++
 prebuilts/api/33.0/Android.bp | 3 ++
 prebuilts/api/34.0/Android.bp | 3 ++
 private/compat/29.0/29.0.cil | 4 +-
 private/compat/30.0/30.0.cil | 18 ++++++-
 tests/Android.bp | 2 -
 tests/treble_sepolicy_tests.py | 81 +++++++---------------------
 treble_sepolicy_tests_for_release.mk | 20 ++-----
 11 files changed, 63 insertions(+), 80 deletions(-)
diff --git a/prebuilts/api/29.0/Android.bp b/prebuilts/api/29.0/Android.bp
index f7918783d..fe019b0d5 100644
--- a/prebuilts/api/29.0/Android.bp
+++ b/prebuilts/api/29.0/Android.bp
@@ -52,4 +52,7 @@ se_policy_binary {
 name: "29.0_plat_policy",
 srcs: [":29.0_plat_policy.cil"],
 installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
 }
diff --git a/prebuilts/api/30.0/Android.bp b/prebuilts/api/30.0/Android.bp
index c124c104e..0f89b7c75 100644
--- a/prebuilts/api/30.0/Android.bp
+++ b/prebuilts/api/30.0/Android.bp
@@ -52,4 +52,7 @@ se_policy_binary {
 name: "30.0_plat_policy",
 srcs: [":30.0_plat_policy.cil"],
 installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
 }
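Review bot: `dist: { targets: [...] }` without a `dest` distributes the file under the module's output name, `29.0_plat_policy`, whereas the Make call it supersedes (`$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)`, added in the first patch) renamed it to `29.0_plat_sepolicy` in the dist directory, so anything that picks those files up by name will miss them. Add `dest: "29.0_plat_sepolicy",` inside the `dist` block, and the matching name in the 30.0 hunk on this line and the 31.0–34.0 hunks on the next, unless the consumers have been updated — in which case the commit message should say so. Whether the Make dist-for-goals line is removed in the truncated treble_sepolicy_tests_for_release.mk hunk cannot be seen here; if it is kept, the artefact is dist'd twice under two names.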
diff --git a/prebuilts/api/31.0/Android.bp b/prebuilts/api/31.0/Android.bp
index d6c02db53..10ec80f42 100644
--- a/prebuilts/api/31.0/Android.bp
+++ b/prebuilts/api/31.0/Android.bp
@@ -52,4 +52,7 @@ se_policy_binary {
 name: "31.0_plat_policy",
 srcs: [":31.0_plat_policy.cil"],
 installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
 }
diff --git a/prebuilts/api/32.0/Android.bp b/prebuilts/api/32.0/Android.bp
index 9c4929402..f1fb581bf 100644
--- a/prebuilts/api/32.0/Android.bp
+++ b/prebuilts/api/32.0/Android.bp
@@ -52,4 +52,7 @@ se_policy_binary {
 name: "32.0_plat_policy",
 srcs: [":32.0_plat_policy.cil"],
 installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
 }
diff --git a/prebuilts/api/33.0/Android.bp b/prebuilts/api/33.0/Android.bp
index 327fc1165..980e28873 100644
--- a/prebuilts/api/33.0/Android.bp
+++ b/prebuilts/api/33.0/Android.bp
@@ -52,4 +52,7 @@ se_policy_binary {
 name: "33.0_plat_policy",
 srcs: [":33.0_plat_policy.cil"],
 installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
 }
diff --git a/prebuilts/api/34.0/Android.bp b/prebuilts/api/34.0/Android.bp
index 474e29b2d..30a8075d7 100644
--- a/prebuilts/api/34.0/Android.bp
+++ b/prebuilts/api/34.0/Android.bp
@@ -52,4 +52,7 @@ se_policy_binary {
 name: "34.0_plat_policy",
 srcs: [":34.0_plat_policy.cil"],
 installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
 }
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 731568723..408cf335d 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,13 +1,15 @@
 ;; types removed from current policy
 (type ashmemd)
+(type clatd_exec)
+(type clatd)
 (type exported_audio_prop)
 (type exported_dalvik_prop)
 (type exported_vold_prop)
 (type exported2_config_prop)
 (type exported2_vold_prop)
 (type hal_wifi_offload_hwservice)
-(type install_recovery)
 (type install_recovery_exec)
+(type install_recovery)
 (type mediacodec_service)
 (type perfprofd_data_file)
 (type perfprofd_service)
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 83d83ff70..f95488cca 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1,11 +1,16 @@
 ;; types removed from current policy
+(type adbd_prop)
 (type cgroup_bpf)
+(type device_config_configuration_prop)
+(type device_config_storage_native_boot_prop)
+(type device_config_sys_traced_prop)
+(type device_config_window_manager_native_boot_prop)
 (type exported_audio_prop)
 (type exported_dalvik_prop)
 (type exported_ffs_prop)
 (type exported_fingerprint_prop)
-(type exported_system_radio_prop)
 (type exported_radio_prop)
+(type exported_system_radio_prop)
 (type exported_vold_prop)
 (type exported_wifi_prop)
 (type exported2_config_prop)
@@ -16,8 +21,19 @@
 (type exported3_default_prop)
 (type exported3_radio_prop)
 (type ffs_prop)
+(type gsid_prop)
+(type init_perf_lsm_hooks_prop)
+(type init_svc_debug_prop)
+(type last_boot_reason_prop)
+(type mediatranscoding_exec)
+(type netd_stable_secret_prop)
+(type pm_prop)
+(type system_adbd_prop)
 (type system_radio_prop)
 (type thermalcallback_hwservice)
+(type traced_perf_enabled_prop)
+(type userspace_reboot_log_prop)
+(type userspace_reboot_test_prop)
 (typeattribute binder_in_vendor_violators)
diff --git a/tests/Android.bp b/tests/Android.bp
index 544db3758..2c2c9a63f 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -50,9 +50,7 @@ python_binary_host {
 },
 libs: [
 "mini_cil_parser",
- "pysepolwrap",
 ],
- data: [":libsepolwrap"],
 }
 python_binary_host {
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py index b2792a08e..ff1a34817 100644 --- a/tests/treble_sepolicy_tests.py +++ b/tests/treble_sepolicy_tests.py @@ -16,17 +16,11 @@ from optparse import OptionParser from optparse import Option, OptionValueError import os import mini_parser -import pkgutil -import policy -from policy import MatchPathPrefix import re import shutil import sys import tempfile -DEBUG=False -SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so' - ''' Verify that Treble compatibility are not broken. ''' @@ -39,13 +33,13 @@ Verify that Treble compatibility are not broken. ### # Make sure that any new public type introduced in the new policy that was not # present in the old policy has been recorded in the mapping file. -def TestNoUnmappedNewTypes(test_policy): - newt = test_policy.alltypes - test_policy.oldalltypes +def TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping): + newt = base_pub_policy.types - old_pub_policy.types ret = "" violators = [] for n in newt: - if n in test_policy.pubtypes and test_policy.compatMapping.rTypeattributesets.get(n) is None: + if mapping.rTypeattributesets.get(n) is None: violators.append(n) if len(violators) > 0: @@ -62,13 +56,13 @@ def TestNoUnmappedNewTypes(test_policy): ### # Make sure that any public type removed in the current policy has its # declaration added to the mapping file for use in non-platform policy -def TestNoUnmappedRmTypes(test_policy): - rmt = test_policy.oldalltypes - test_policy.alltypes +def TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping): + rmt = old_pub_policy.types - base_pub_policy.types ret = "" violators = [] for o in rmt: - if o in test_policy.compatMapping.pubtypes and not o in test_policy.compatMapping.types: + if o in mapping.pubtypes and not o in mapping.types: violators.append(o) if len(violators) > 0: 
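Review bot: `import os`, `import shutil` and `import tempfile` are kept in this hunk although their only visible users — the `os.path.exists` checks in do_main and the `tempfile.mkdtemp`/`shutil.rmtree` scaffolding in `__main__` — are deleted later in this file's diff (`@@ -103,73 +97,38 @@`); unless something outside the shown hunks still uses them, remove the three imports along with `pkgutil` and `policy`. `re` also has no user in any visible hunk and could go in the same sweep, though that predates this change.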
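Review bot: `TestNoUnmappedNewTypes` and `TestNoUnmappedRmTypes` now take three positional parsers instead of a TestPolicy, but neither gains a docstring saying what they are; add one under each def such as `"""base_pub_policy, old_pub_policy, mapping: mini_parser.MiniCilParser instances; only .types, .pubtypes and .rTypeattributesets are read."""` (the second function's hunk is `@@ -62,13 +56,13 @@`). If `rTypeattributesets` is a plain dict, the new membership test `mapping.rTypeattributesets.get(n) is None` reads more directly as `n not in mapping.rTypeattributesets`, and the sibling's `not o in mapping.types` as `o not in mapping.types`.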
@@ -81,9 +75,9 @@ def TestNoUnmappedRmTypes(test_policy): ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n" return ret -def TestTrebleCompatMapping(test_policy): - ret = TestNoUnmappedNewTypes(test_policy) - ret += TestNoUnmappedRmTypes(test_policy) +def TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping): + ret = TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping) + ret += TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping) return ret ### 
@@ -103,73 +97,38 @@ class MultipleOption(Option): else: Option.take_action(self, action, dest, opt, value, values, parser) -def do_main(libpath): - """ - Args: - libpath: string, path to libsepolwrap.so - """ - test_policy = policy.TestPolicy() - +def do_main(): usage = "treble_sepolicy_tests " - usage += "-p curr_policy -b base_policy -o old_policy " + usage += "-b base_pub_policy -o old_pub_policy " usage += "-m mapping file [--test test] [--help]" parser = OptionParser(option_class=MultipleOption, usage=usage) - parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE") - parser.add_option("-u", "--base-pub-policy", dest="base_pub_policy", + parser.add_option("-b", "--base-pub-policy", dest="base_pub_policy", metavar="FILE") parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE") - parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE") - parser.add_option("-p", "--policy", dest="policy", metavar="FILE") + parser.add_option("-o", "--old-pub-policy", dest="old_pub_policy", + metavar="FILE") (options, args) = parser.parse_args() - if not options.policy: - sys.exit("Must specify current monolithic policy file\n" + parser.usage) - if not os.path.exists(options.policy): - sys.exit("Error: policy file " + options.policy + " does not exist\n" - + parser.usage) - # Mapping files and public platform policy are only necessary for the # TrebleCompatMapping test. 
- if not options.basepolicy: - sys.exit("Must specify the current platform-only policy file\n" - + parser.usage) if not options.mapping: sys.exit("Must specify a compatibility mapping file\n" + parser.usage) - if not options.oldpolicy: - sys.exit("Must specify the previous monolithic policy file\n" + if not options.old_pub_policy: + sys.exit("Must specify the previous public policy .cil file\n" + parser.usage) if not options.base_pub_policy: sys.exit("Must specify the current platform-only public policy " + ".cil file\n" + parser.usage) - basepol = policy.Policy(options.basepolicy, None, libpath) - oldpol = policy.Policy(options.oldpolicy, None, libpath) mapping = mini_parser.MiniCilParser(options.mapping) - pubpol = mini_parser.MiniCilParser(options.base_pub_policy) - test_policy.compatSetup(basepol, oldpol, mapping, pubpol.types) + base_pub_policy = mini_parser.MiniCilParser(options.base_pub_policy) + old_pub_policy = mini_parser.MiniCilParser(options.old_pub_policy) - pol = policy.Policy(options.policy, None, libpath) - test_policy.setup(pol) - - if DEBUG: - test_policy.PrintScontexts() - - results = TestTrebleCompatMapping(test_policy) + results = TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping) if len(results) > 0: sys.exit(results) if __name__ == '__main__': - temp_dir = tempfile.mkdtemp() - try: - libname = "libsepolwrap" + SHARED_LIB_EXTENSION - libpath = os.path.join(temp_dir, libname) - with open(libpath, "wb") as f: - blob = pkgutil.get_data("treble_sepolicy_tests", libname) - if not blob: - sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n") - f.write(blob) - do_main(libpath) - finally: - shutil.rmtree(temp_dir) + do_main() diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk index 761f59bf1..9d6960bb7 100644 --- a/treble_sepolicy_tests_for_release.mk +++ b/treble_sepolicy_tests_for_release.mk 
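Review bot: With the `os.path.exists(options.policy)` check gone, none of the three remaining file options is validated before `mini_parser.MiniCilParser` opens it, so a mistyped `-b`, `-o` or `-m` path presumably surfaces as a parser traceback rather than the usage message the script prints for a missing option. A small loop before the parser calls would preserve the previous behaviour: `for path in (options.base_pub_policy, options.old_pub_policy, options.mapping):` / `    if not os.path.exists(path):` / `        sys.exit("Error: file " + path + " does not exist\n" + parser.usage)`. The rewritten usage string also still advertises `[--test test]` although no such option is registered with the parser; since the string is being edited anyway, dropping that token would avoid misleading callers.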
@@ -24,10 +24,7 @@ include $(BUILD_SYSTEM)/base_rules.mk # built to enable us to determine the diff between the current policy and the # $(version) policy, which will be used in tests to make sure that compatibility has # been maintained by our mapping files. -built_$(version)_plat_sepolicy := $(call intermediates-dir-for,ETC,$(version)_plat_policy)/$(version)_plat_policy - -# TODO(b/214336258): move to Soong -$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy) +built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil $(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil $(version)_mapping.ignore.cil := \ 
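Review bot: Deleting the `dist-for-goals` line removes the `base-sepolicy-files-for-mapping` dist entry for the `$(version)` platform policy along with the variable it distributed, and nothing in this hunk provides a replacement. If that artifact is now published from the Soong build the removal is fine, but a comment at this spot such as `# $(version)_plat_sepolicy is dist'ed by the Soong prebuilt policy module, not from here` would spare the next reader the search; if it is not, consumers of that dist goal lose the file silently. The variable definitions continue past the end of the hunk, so whether the old `built_$(version)_plat_sepolicy` name is still referenced further down cannot be seen from here.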
@@ -58,27 +55,20 @@ $($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mappi cat $^ > $@ ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) -built_sepolicy_files := $(built_product_sepolicy) public_cil_files := $(base_product_pub_policy.cil) else -built_sepolicy_files := $(built_plat_sepolicy) public_cil_files := $(base_plat_pub_policy.cil) endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) -$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) -$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy) +$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil) $(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil) -$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files) $(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files) $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \ - $(all_fc_files) $(built_sepolicy) \ - $(built_sepolicy_files) \ $(public_cil_files) \ - $(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil) + $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil) @mkdir -p $(dir $@) $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \ - -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \ - -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \ - -u $(PRIVATE_PLAT_PUB_SEPOLICY) + -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \ + -o $(PRIVATE_SEPOLICY_OLD) $(hide) touch $@ built_sepolicy_files :=
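Review bot: The trailing `built_sepolicy_files :=` on the last line of this hunk now resets a variable the file no longer assigns, since both `built_sepolicy_files := ...` assignments are removed above, so it is dead cleanup and can be deleted. Conversely the renamed `built_$(version)_plat_sepolicy_cil` from the previous hunk has no visible reset; if the cleanup section outside this hunk still clears `built_$(version)_plat_sepolicy`, that line should be renamed to match, otherwise the new variable leaks into the next inclusion of this makefile for another version. The prerequisite list and the `-b`/`-o`/`-m` arguments are otherwise consistent with the Python side of the change, and because `touch $@` runs in its own shell after the test line, a failing test still leaves the stamp unbuilt.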