Move sepolicy_test to Android.bp

Bug: 33691272
Test: m selinux_policy triggers sepolicy_test
Change-Id: I1618c2a35b3ce9d747db3955788427dc422fd532
This commit is contained in:
Inseob Kim 2022-02-25 11:26:16 +09:00
parent 8ce2e156d0
commit 61257ca545
3 changed files with 62 additions and 23 deletions

View file

@ -1103,3 +1103,29 @@ se_neverallow_test {
se_freeze_test {
name: "sepolicy_freeze_test",
}
//////////////////////////////////
// sepolicy_test checks various types of violations, which can't be easily done
// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
//////////////////////////////////
genrule {
name: "sepolicy_test",
srcs: [
":plat_file_contexts",
":vendor_file_contexts",
":system_ext_file_contexts",
":product_file_contexts",
":odm_file_contexts",
":precompiled_sepolicy",
],
tools: ["sepolicy_tests"],
out: ["sepolicy_test"],
cmd: "$(location sepolicy_tests) " +
"-f $(location :plat_file_contexts) " +
"-f $(location :vendor_file_contexts) " +
"-f $(location :system_ext_file_contexts) " +
"-f $(location :product_file_contexts) " +
"-f $(location :odm_file_contexts) " +
"-p $(location :precompiled_sepolicy) && " +
"touch $(out)",
}

View file

@ -347,9 +347,13 @@ endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
sepolicy_tests \
sepolicy_compat_test \
# HACK: sepolicy_test is implemented as genrule
# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \
$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
@ -697,17 +701,6 @@ vndservice_contexts.tmp :=
##################################
include $(LOCAL_PATH)/mac_permissions.mk
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_tests
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@ -721,13 +714,6 @@ all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
endif
all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
$(hide) touch $@
##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.

View file

@ -67,28 +67,55 @@ file_contexts {
":file_contexts_files{.vendor}",
],
soc_specific: true,
recovery_available: true,
}
file_contexts {
name: "vendor_file_contexts.recovery",
srcs: [
":file_contexts_files{.plat_vendor_for_vendor}",
":file_contexts_files{.vendor}",
],
stem: "vendor_file_contexts",
recovery: true,
}
file_contexts {
name: "system_ext_file_contexts",
srcs: [":file_contexts_files{.system_ext_private}"],
system_ext_specific: true,
recovery_available: true,
}
file_contexts {
name: "system_ext_file_contexts.recovery",
srcs: [":file_contexts_files{.system_ext_private}"],
stem: "system_ext_file_contexts",
recovery: true,
}
file_contexts {
name: "product_file_contexts",
srcs: [":file_contexts_files{.product_private}"],
product_specific: true,
recovery_available: true,
}
file_contexts {
name: "product_file_contexts.recovery",
srcs: [":file_contexts_files{.product_private}"],
stem: "product_file_contexts",
recovery: true,
}
file_contexts {
name: "odm_file_contexts",
srcs: [":file_contexts_files{.odm}"],
device_specific: true,
recovery_available: true,
}
file_contexts {
name: "odm_file_contexts.recovery",
srcs: [":file_contexts_files{.odm}"],
stem: "odm_file_contexts",
recovery: true,
}
hwservice_contexts {