tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge changes from topic "sepolicy_test"

Browse source 
* changes:
  Build vndservice_contexts with Android.bp
  Move sepolicy_test to Android.bp
This commit is contained in:
Inseob Kim 2022-03-03 04:02:25 +00:00 committed by Gerrit Code Review
commit 4891dbefad
4 changed files with 106 additions and 54 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
Android.bp
View file

@ -189,6 +189,11 @@ se_build_files {
srcs: ["seapp_contexts"], srcs: ["seapp_contexts"],
} }
se_build_files {
name: "vndservice_contexts_files",
srcs: ["vndservice_contexts"],
}
// For vts_treble_sys_prop_test // For vts_treble_sys_prop_test
filegroup { filegroup {
name: "private_property_contexts", name: "private_property_contexts",
@ -1103,3 +1108,29 @@ se_neverallow_test {
se_freeze_test { se_freeze_test {
name: "sepolicy_freeze_test", name: "sepolicy_freeze_test",
} }
//////////////////////////////////
// sepolicy_test checks various types of violations, which can't be easily done
// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
//////////////////////////////////
genrule {
name: "sepolicy_test",
srcs: [
":plat_file_contexts",
":vendor_file_contexts",
":system_ext_file_contexts",
":product_file_contexts",
":odm_file_contexts",
":precompiled_sepolicy",
],
tools: ["sepolicy_tests"],
out: ["sepolicy_test"],
cmd: "$(location sepolicy_tests) " +
"-f $(location :plat_file_contexts) " +
"-f $(location :vendor_file_contexts) " +
"-f $(location :system_ext_file_contexts) " +
"-f $(location :product_file_contexts) " +
"-f $(location :odm_file_contexts) " +
"-p $(location :precompiled_sepolicy) && " +
"touch $(out)",
}

56
Android.mk
View file

@ -347,9 +347,13 @@ endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
ifneq ($(with_asan),true) ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \ LOCAL_REQUIRED_MODULES += \
sepolicy_tests \
sepolicy_compat_test \ sepolicy_compat_test \
# HACK: sepolicy_test is implemented as genrule
# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \ LOCAL_REQUIRED_MODULES += \
$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
@ -505,6 +509,7 @@ LOCAL_REQUIRED_MODULES += \
vendor_hwservice_contexts_test \ vendor_hwservice_contexts_test \
vendor_bug_map \ vendor_bug_map \
vndservice_contexts \ vndservice_contexts \
vndservice_contexts_test \
ifdef BOARD_ODM_SEPOLICY_DIRS ifdef BOARD_ODM_SEPOLICY_DIRS
LOCAL_REQUIRED_MODULES += \ LOCAL_REQUIRED_MODULES += \
@ -663,51 +668,9 @@ file_contexts.device.tmp :=
file_contexts.local.tmp := file_contexts.local.tmp :=
file_contexts.modules.tmp := file_contexts.modules.tmp :=
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := vndservice_contexts
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
vnd_svcfiles := $(call build_policy, vndservice_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4)
@mkdir -p $(dir $@)
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
vnd_svcfiles :=
vndservice_contexts.tmp :=
################################## ##################################
include $(LOCAL_PATH)/mac_permissions.mk include $(LOCAL_PATH)/mac_permissions.mk
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_tests
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@ -721,13 +684,6 @@ all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
endif endif
all_fc_args := $(foreach file, $(all_fc_files), -f $(file)) all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
$(hide) touch $@
################################## ##################################
# Tests for Treble compatibility of current platform policy and vendor policy of # Tests for Treble compatibility of current platform policy and vendor policy of
# given release version. # given release version.

22
build/soong/selinux_contexts.go
View file

@ -93,11 +93,13 @@ func init() {
android.RegisterModuleType("service_contexts", serviceFactory) android.RegisterModuleType("service_contexts", serviceFactory)
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory) android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
android.RegisterModuleType("seapp_contexts", seappFactory) android.RegisterModuleType("seapp_contexts", seappFactory)
android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
android.RegisterModuleType("file_contexts_test", fileContextsTestFactory) android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory) android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
android.RegisterModuleType("hwservice_contexts_test", hwserviceContextsTestFactory) android.RegisterModuleType("hwservice_contexts_test", hwserviceContextsTestFactory)
android.RegisterModuleType("service_contexts_test", serviceContextsTestFactory) android.RegisterModuleType("service_contexts_test", serviceContextsTestFactory)
android.RegisterModuleType("vndservice_contexts_test", vndServiceContextsTestFactory)
} }
func (m *selinuxContextsModule) InstallInRoot() bool { func (m *selinuxContextsModule) InstallInRoot() bool {
@ -495,6 +497,18 @@ func seappFactory() android.Module {
return m return m
} }
func vndServiceFactory() android.Module {
m := newModule()
m.build = m.buildGeneralContexts
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
if !ctx.SocSpecific() {
ctx.ModuleErrorf(m.Name(), "must set vendor: true")
return
}
})
return m
}
var _ android.OutputFileProducer = (*selinuxContextsModule)(nil) var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
// Implements android.OutputFileProducer // Implements android.OutputFileProducer
@ -565,6 +579,14 @@ func serviceContextsTestFactory() android.Module {
return m return m
} }
// vndservice_contexts_test tests given vndservice_contexts files with checkfc.
func vndServiceContextsTestFactory() android.Module {
m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
}
func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) { func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
tool := m.tool tool := m.tool
if tool != "checkfc" && tool != "property_info_checker" { if tool != "checkfc" && tool != "property_info_checker" {

51
contexts/Android.bp
View file

@ -67,28 +67,55 @@ file_contexts {
":file_contexts_files{.vendor}", ":file_contexts_files{.vendor}",
], ],
soc_specific: true, soc_specific: true,
recovery_available: true, }
file_contexts {
name: "vendor_file_contexts.recovery",
srcs: [
":file_contexts_files{.plat_vendor_for_vendor}",
":file_contexts_files{.vendor}",
],
stem: "vendor_file_contexts",
recovery: true,
} }
file_contexts { file_contexts {
name: "system_ext_file_contexts", name: "system_ext_file_contexts",
srcs: [":file_contexts_files{.system_ext_private}"], srcs: [":file_contexts_files{.system_ext_private}"],
system_ext_specific: true, system_ext_specific: true,
recovery_available: true, }
file_contexts {
name: "system_ext_file_contexts.recovery",
srcs: [":file_contexts_files{.system_ext_private}"],
stem: "system_ext_file_contexts",
recovery: true,
} }
file_contexts { file_contexts {
name: "product_file_contexts", name: "product_file_contexts",
srcs: [":file_contexts_files{.product_private}"], srcs: [":file_contexts_files{.product_private}"],
product_specific: true, product_specific: true,
recovery_available: true, }
file_contexts {
name: "product_file_contexts.recovery",
srcs: [":file_contexts_files{.product_private}"],
stem: "product_file_contexts",
recovery: true,
} }
file_contexts { file_contexts {
name: "odm_file_contexts", name: "odm_file_contexts",
srcs: [":file_contexts_files{.odm}"], srcs: [":file_contexts_files{.odm}"],
device_specific: true, device_specific: true,
recovery_available: true, }
file_contexts {
name: "odm_file_contexts.recovery",
srcs: [":file_contexts_files{.odm}"],
stem: "odm_file_contexts",
recovery: true,
} }
hwservice_contexts { hwservice_contexts {
@ -287,6 +314,16 @@ seapp_contexts {
sepolicy: ":precompiled_sepolicy", sepolicy: ":precompiled_sepolicy",
} }
vndservice_contexts {
name: "vndservice_contexts",
srcs: [
":vndservice_contexts_files{.plat_vendor_for_vendor}",
":vndservice_contexts_files{.vendor}",
":vndservice_contexts_files{.reqd_mask_for_vendor}",
],
soc_specific: true,
}
// for CTS // for CTS
genrule { genrule {
name: "plat_seapp_neverallows", name: "plat_seapp_neverallows",
@ -432,3 +469,9 @@ service_contexts_test {
srcs: [":vendor_service_contexts"], srcs: [":vendor_service_contexts"],
sepolicy: ":precompiled_sepolicy", sepolicy: ":precompiled_sepolicy",
} }
vndservice_contexts_test {
name: "vndservice_contexts_test",
srcs: [":vndservice_contexts"],
sepolicy: ":precompiled_sepolicy",
}