Preserve treble-only flag for CTS neverallows
CTS includes general_sepolicy.conf built from this project. CTS then tests this file's neverallow rules against the policy of the device under test. Prior to this commit, neverallow rules which must be enforced only for Treble devices we not included into general_sepolicy.conf. As a result, these rules were not enforced for Treble devices. This commit fixes the issue as follows. Because CTS includes only one policy, the policy now contains also the rules which are only for Treble devices. To enable CTS to distinguish rules needed for all devices from rules needed only on Treble devices, the latter rules are contained in sections delimited with BEGIN_TREBLE_ONLY and END_TREBLE_ONLY comments. This commit also removes the unnecessary sepolicy.general target. This target is not used anywhere and is causing trouble because it is verifying neverallows of the policy meant to be used by CTS. This policy can no longer be verified with checkpolicy without conditionally including or excluding Treble-only neverallows. Test: mmm system/sepolicy Test: Device boots -- no new denials Bug: 37082262 Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
This commit is contained in:
Alex Klyubin
parent
42424f13e5
commit
446279a6b9
2 changed files with 10 additions and 22 deletions
25
Android.mk
25
Android.mk
|
|
@ -647,6 +647,9 @@ plat_policy_nvr.recovery :=
|
|||
mapping_policy_nvr.recovery :=
|
||||
nonplat_policy_nvr.recovery :=
|
||||
|
||||
##################################
|
||||
# SELinux policy embedded into CTS.
|
||||
# CTS checks neverallow rules of this policy against the policy of the device under test.
|
||||
##################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
|
|
@ -667,28 +670,10 @@ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
|
|||
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
|
||||
-D target_arch=$(PRIVATE_TGT_ARCH) \
|
||||
-D target_with_asan=false \
|
||||
-D target_full_treble=cts \
|
||||
-s $^ > $@
|
||||
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
|
||||
|
||||
built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE)
|
||||
exp_sepolicy_build_files :=
|
||||
|
||||
##################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := sepolicy.general
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := tests
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
|
||||
$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
|
||||
@mkdir -p $(dir $@)
|
||||
$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
|
||||
|
||||
built_general_sepolicy := $(LOCAL_BUILT_MODULE)
|
||||
|
||||
##################################
|
||||
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
|
||||
#
|
||||
|
|
@ -1164,8 +1149,6 @@ build_device_policy :=
|
|||
build_policy :=
|
||||
built_plat_fc :=
|
||||
built_nonplat_fc :=
|
||||
built_general_sepolicy :=
|
||||
built_general_sepolicy.conf :=
|
||||
built_nl :=
|
||||
built_plat_cil :=
|
||||
built_mapping_cil :=
|
||||
|
|
|
|||
|
|
@ -387,7 +387,12 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, ))
|
|||
# Full TREBLE only
|
||||
# SELinux rules which apply only to full TREBLE devices
|
||||
#
|
||||
define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
|
||||
define(`full_treble_only', ifelse(target_full_treble, `true', $1,
|
||||
ifelse(target_full_treble, `cts',
|
||||
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
|
||||
$1
|
||||
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
|
||||
, )))
|
||||
|
||||
#####################################
|
||||
# Not full TREBLE
|
||||
|
|
|
|||
Loading…
Reference in a new issue