Merge changes Ia1c6d00b,I9b3460aa into main

* changes:
  Add macros to flag-guard te and contexts files
  Support passing flag parameters to M4
This commit is contained in:
Treehugger Robot 2023-11-09 14:16:56 +00:00 committed by Gerrit Code Review
commit 66551aa50f
13 changed files with 276 additions and 31 deletions

View file

@ -103,6 +103,7 @@ product_private_policy = [":se_build_files{.product_private}"]
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
name: "reqd_policy_mask.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: reqd_mask_policy,
installable: false,
}
@ -138,6 +139,7 @@ se_policy_cil {
//
se_policy_conf {
name: "pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@ -157,6 +159,7 @@ se_policy_cil {
se_policy_conf {
name: "system_ext_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
reqd_mask_policy,
@ -175,6 +178,7 @@ se_policy_cil {
se_policy_conf {
name: "plat_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
installable: false,
@ -195,6 +199,7 @@ se_policy_cil {
// currently being attributized.
se_policy_conf {
name: "plat_sepolicy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
installable: false,
@ -210,6 +215,7 @@ se_policy_cil {
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "userdebug",
@ -260,6 +266,7 @@ gsi_se_policy_cil {
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
name: "system_ext_sepolicy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@ -280,6 +287,7 @@ se_policy_cil {
// which will ship with the device. Product policy is not attributized
se_policy_conf {
name: "product_sepolicy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@ -348,6 +356,7 @@ se_versioned_policy {
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@ -389,6 +398,7 @@ se_versioned_policy {
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@ -598,6 +608,7 @@ precompiled_se_policy_binary {
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@ -634,6 +645,7 @@ se_policy_binary {
//////////////////////////////////
se_policy_conf {
name: "general_sepolicy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "user",
@ -650,6 +662,7 @@ se_policy_conf {
//////////////////////////////////
se_policy_conf {
name: "base_plat_sepolicy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "user",
@ -675,6 +688,7 @@ se_policy_binary {
se_policy_conf {
name: "base_product_sepolicy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@ -704,6 +718,7 @@ se_policy_binary {
se_policy_conf {
name: "base_plat_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
build_variant: "user",
@ -723,6 +738,7 @@ se_policy_cil {
se_policy_conf {
name: "base_product_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@ -770,6 +786,7 @@ se_bug_map {
se_neverallow_test {
name: "sepolicy_neverallows",
defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +

View file

@ -35,6 +35,7 @@ bootstrap_go_package {
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
"flags.go",
"mac_permissions.go",
"policy.go",
"selinux.go",

View file

@ -129,6 +129,7 @@ var _ android.OutputFileProducer = (*compatCil)(nil)
// current policy.
func compatTestFactory() android.SingletonModule {
f := &compatTestModule{}
f.AddProperties(&f.properties)
android.InitAndroidModule(f)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
f.loadHook(ctx)
@ -138,6 +139,10 @@ func compatTestFactory() android.SingletonModule {
type compatTestModule struct {
android.SingletonModuleBase
properties struct {
// Default modules for conf
Defaults []string
}
compatTestTimestamp android.ModuleOutPath
}
@ -157,6 +162,10 @@ func (f *compatTestModule) createPlatPubVersionedModule(ctx android.LoadHookCont
":se_build_files{.reqd_mask}",
},
Installable: proptools.BoolPtr(false),
}, &struct {
Defaults []string
}{
Defaults: f.properties.Defaults,
})
ctx.CreateModule(policyCilFactory, &nameProperties{

54
build/soong/flags.go Normal file
View file

@ -0,0 +1,54 @@
// Copyright (C) 2023 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package selinux
import (
"android/soong/android"
)
type flagsProperties struct {
// List of flags to be passed to M4 macro.
Flags []string
}
type flaggableModule interface {
android.Module
flagModuleBase() *flaggableModuleBase
getBuildFlags(ctx android.ModuleContext) map[string]string
}
type flaggableModuleBase struct {
properties flagsProperties
}
func initFlaggableModule(m flaggableModule) {
base := m.flagModuleBase()
m.AddProperties(&base.properties)
}
func (f *flaggableModuleBase) flagModuleBase() *flaggableModuleBase {
return f
}
// getBuildFlags returns a map from flag names to flag values.
func (f *flaggableModuleBase) getBuildFlags(ctx android.ModuleContext) map[string]string {
ret := make(map[string]string)
for _, flag := range android.SortedUniqueStrings(f.properties.Flags) {
if val, ok := ctx.Config().GetBuildFlag(flag); ok {
ret[flag] = val
}
}
return ret
}

View file

@ -58,6 +58,7 @@ var policyConfOrder = []string{
func init() {
android.RegisterModuleType("se_policy_conf", policyConfFactory)
android.RegisterModuleType("se_policy_conf_defaults", policyConfDefaultFactory)
android.RegisterModuleType("se_policy_cil", policyCilFactory)
android.RegisterModuleType("se_policy_binary", policyBinaryFactory)
}
@ -93,6 +94,8 @@ type policyConfProperties struct {
type policyConf struct {
android.ModuleBase
android.DefaultableModuleBase
flaggableModuleBase
properties policyConfProperties
@ -100,12 +103,35 @@ type policyConf struct {
installPath android.InstallPath
}
var _ flaggableModule = (*policyConf)(nil)
// se_policy_conf merges collection of policy files into a policy.conf file to be processed by
// checkpolicy.
func policyConfFactory() android.Module {
c := &policyConf{}
c.AddProperties(&c.properties)
initFlaggableModule(c)
android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
android.InitDefaultableModule(c)
return c
}
type policyConfDefaults struct {
android.ModuleBase
android.DefaultsModuleBase
}
// se_policy_conf_defaults provides a set of properties that can be inherited by other
// se_policy_conf_defaults modules. A module can use the properties from a se_policy_conf_defaults
// using `defaults: ["<:default_module_name>"]`. Properties of both modules are merged (when
// possible) by prepending the default module's values to the depending module's values.
func policyConfDefaultFactory() android.Module {
c := &policyConfDefaults{}
c.AddProperties(
&policyConfProperties{},
&flagsProperties{},
)
android.InitDefaultsModule(c)
return c
}
@ -216,6 +242,7 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
return findPolicyConfOrder(srcs[x].Base()) < findPolicyConfOrder(srcs[y].Base())
})
flags := c.getBuildFlags(ctx)
rule.Command().Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Flag("--fatal-warnings").
FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
@ -234,6 +261,7 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
Flags(flagsToM4Macros(flags)).
Flag("-s").
Inputs(srcs).
Text("> ").Output(conf)
@ -242,10 +270,6 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
return conf
}
func (c *policyConf) DepsMutator(ctx android.BottomUpMutatorContext) {
// do nothing
}
func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if !c.installable() {
c.SkipInstall()

View file

@ -40,3 +40,13 @@ func pathForModuleOut(ctx android.ModuleContext, paths ...string) android.Output
return android.PathForModuleOut(ctx, ctx.Config().DeviceName()).Join(ctx, paths...)
}
// flagsToM4Macros converts given map to a list of M4's -D parameters to guard te files and contexts
// files.
func flagsToM4Macros(flags map[string]string) []string {
flagMacros := []string{}
for _, flag := range android.SortedKeys(flags) {
flagMacros = append(flagMacros, "-D target_flag_"+flag+"="+flags[flag])
}
return flagMacros
}

View file

@ -17,7 +17,6 @@ package selinux
import (
"fmt"
"io"
"os"
"github.com/google/blueprint"
"github.com/google/blueprint/proptools"
@ -59,6 +58,8 @@ type seappProperties struct {
type selinuxContextsModule struct {
android.ModuleBase
android.DefaultableModuleBase
flaggableModuleBase
properties selinuxContextsProperties
seappProperties seappProperties
@ -68,6 +69,8 @@ type selinuxContextsModule struct {
installPath android.InstallPath
}
var _ flaggableModule = (*selinuxContextsModule)(nil)
var (
reuseContextsDepTag = dependencyTag{name: "reuseContexts"}
syspropLibraryDepTag = dependencyTag{name: "sysprop_library"}
@ -76,6 +79,7 @@ var (
func init() {
pctx.HostBinToolVariable("fc_sort", "fc_sort")
android.RegisterModuleType("contexts_defaults", contextsDefaultsFactory)
android.RegisterModuleType("file_contexts", fileFactory)
android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
android.RegisterModuleType("property_contexts", propertyFactory)
@ -155,13 +159,35 @@ func newModule() *selinuxContextsModule {
&m.properties,
&m.seappProperties,
)
initFlaggableModule(m)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
android.InitDefaultableModule(m)
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
m.selinuxContextsHook(ctx)
})
return m
}
type contextsDefaults struct {
android.ModuleBase
android.DefaultsModuleBase
}
// contexts_defaults provides a set of properties that can be inherited by other contexts modules.
// (file_contexts, property_contexts, seapp_contexts, etc.) A module can use the properties from a
// contexts_defaults using `defaults: ["<:default_module_name>"]`. Properties of both modules are
// erged (when possible) by prepending the default module's values to the depending module's values.
func contextsDefaultsFactory() android.Module {
m := &contextsDefaults{}
m.AddProperties(
&selinuxContextsProperties{},
&seappProperties{},
&flagsProperties{},
)
android.InitDefaultsModule(m)
return m
}
func (m *selinuxContextsModule) selinuxContextsHook(ctx android.LoadHookContext) {
// TODO: clean this up to use build/soong/android/variable.go after b/79249983
var srcs []string
@ -245,10 +271,12 @@ func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext,
inputsWithNewline = append(inputsWithNewline, input, newlineFile)
}
flags := m.getBuildFlags(ctx)
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
Flags(flagsToM4Macros(flags)).
Inputs(inputsWithNewline).
FlagWithOutput("> ", builtContext)
@ -309,7 +337,7 @@ func (m *selinuxContextsModule) buildServiceContexts(ctx android.ModuleContext,
return m.buildGeneralContexts(ctx, inputs)
}
func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, input android.Path) android.Path {
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
@ -350,37 +378,33 @@ func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleC
}
}
var ret android.Paths
for _, input := range inputs {
cmd := rule.Command().
BuiltTool("check_prop_prefix").
FlagWithInput("--property-contexts ", input).
FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
cmd := rule.Command().
BuiltTool("check_prop_prefix").
FlagWithInput("--property-contexts ", input).
FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
cmd.Flag("--strict")
}
out := pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String())
rule.Command().Text("cp -f").Input(input).Output(out)
ret = append(ret, out)
if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
cmd.Flag("--strict")
}
out := pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String())
rule.Command().Text("cp -f").Input(input).Output(out)
rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
return ret
return out
}
func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
// vendor/odm properties are enforced for devices launching with Android Q or later. So, if
// vendor/odm, make sure that only vendor/odm properties exist.
builtCtxFile := m.buildGeneralContexts(ctx, inputs)
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
inputs = m.checkVendorPropertyNamespace(ctx, inputs)
builtCtxFile = m.checkVendorPropertyNamespace(ctx, builtCtxFile)
}
builtCtxFile := m.buildGeneralContexts(ctx, inputs)
var apiFiles android.Paths
ctx.VisitDirectDepsWithTag(syspropLibraryDepTag, func(c android.Module) {
i, ok := c.(interface{ CurrentSyspropApiFile() android.OptionalPath })
@ -429,23 +453,39 @@ func (m *selinuxContextsModule) shouldCheckCoredomain(ctx android.ModuleContext)
func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
neverallowFile := pathForModuleOut(ctx, "neverallow")
ret := pathForModuleOut(ctx, m.stem())
ret := pathForModuleOut(ctx, "checkseapp", m.stem())
// Step 1. Generate a M4 processed neverallow file
flags := m.getBuildFlags(ctx)
m4NeverallowFile := pathForModuleOut(ctx, "neverallow.m4out")
rule := android.NewRuleBuilder(pctx, ctx)
rule.Command().Text("(grep").
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Flag("--fatal-warnings").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
Flags(flagsToM4Macros(flags)).
Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
FlagWithOutput("> ", m4NeverallowFile)
rule.Temporary(m4NeverallowFile)
rule.Command().
Text("( grep").
Flag("-ihe").
Text("'^neverallow'").
Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
Text(os.DevNull). // to make grep happy even when Neverallow_files is empty
Input(m4NeverallowFile).
Text(">").
Output(neverallowFile).
Text("|| true)") // to make ninja happy even when result is empty
Text("|| true )") // to make ninja happy even when result is empty
// Step 2. Generate a M4 processed contexts file
builtCtx := m.buildGeneralContexts(ctx, inputs)
// Step 3. checkseapp
rule.Temporary(neverallowFile)
checkCmd := rule.Command().BuiltTool("checkseapp").
FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
FlagWithOutput("-o ", ret).
Inputs(inputs).
Input(builtCtx).
Input(neverallowFile)
if m.shouldCheckCoredomain(ctx) {

View file

@ -29,6 +29,9 @@ func init() {
}
type neverallowTestProperties struct {
// Default modules for conf
Defaults []string
// Policy files to be tested.
Srcs []string `android:"path"`
}
@ -79,6 +82,10 @@ func (n *neverallowTestModule) loadHook(ctx android.LoadHookContext) {
Srcs: n.properties.Srcs,
Build_variant: proptools.StringPtr("user"),
Installable: proptools.BoolPtr(false),
}, &struct {
Defaults []string
}{
Defaults: n.properties.Defaults,
})
sepolicyAnalyzeConf := n.sepolicyAnalyzeConfModuleName()
@ -89,6 +96,10 @@ func (n *neverallowTestModule) loadHook(ctx android.LoadHookContext) {
Build_variant: proptools.StringPtr("user"),
Exclude_build_test: proptools.BoolPtr(true),
Installable: proptools.BoolPtr(false),
}, &struct {
Defaults []string
}{
Defaults: n.properties.Defaults,
})
}

View file

@ -429,6 +429,7 @@ se_compat_cil {
se_compat_test {
name: "sepolicy_compat_test",
defaults: ["se_policy_conf_flags_defaults"],
}
se_build_files {

View file

@ -70,6 +70,7 @@ se_build_files {
file_contexts {
name: "plat_file_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.plat_private}"],
product_variables: {
address_sanitize: {
@ -83,6 +84,7 @@ file_contexts {
file_contexts {
name: "plat_file_contexts.recovery",
defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.plat_private}"],
stem: "plat_file_contexts",
product_variables: {
@ -98,6 +100,7 @@ file_contexts {
file_contexts {
name: "vendor_file_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [
":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
@ -108,6 +111,7 @@ file_contexts {
file_contexts {
name: "vendor_file_contexts.recovery",
defaults: ["contexts_flags_defaults"],
srcs: [
":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
@ -119,12 +123,14 @@ file_contexts {
file_contexts {
name: "system_ext_file_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
file_contexts {
name: "system_ext_file_contexts.recovery",
defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.system_ext_private}"],
stem: "system_ext_file_contexts",
recovery: true,
@ -132,12 +138,14 @@ file_contexts {
file_contexts {
name: "product_file_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.product_private}"],
product_specific: true,
}
file_contexts {
name: "product_file_contexts.recovery",
defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.product_private}"],
stem: "product_file_contexts",
recovery: true,
@ -145,6 +153,7 @@ file_contexts {
file_contexts {
name: "odm_file_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.odm}"],
device_specific: true,
fc_sort: true,
@ -152,6 +161,7 @@ file_contexts {
file_contexts {
name: "odm_file_contexts.recovery",
defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.odm}"],
stem: "odm_file_contexts",
recovery: true,
@ -160,23 +170,27 @@ file_contexts {
hwservice_contexts {
name: "plat_hwservice_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.plat_private}"],
}
hwservice_contexts {
name: "system_ext_hwservice_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
hwservice_contexts {
name: "product_hwservice_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.product_private}"],
product_specific: true,
}
hwservice_contexts {
name: "vendor_hwservice_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [
":hwservice_contexts_files{.plat_vendor}",
":hwservice_contexts_files{.vendor}",
@ -187,17 +201,20 @@ hwservice_contexts {
hwservice_contexts {
name: "odm_hwservice_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.odm}"],
device_specific: true,
}
property_contexts {
name: "plat_property_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.plat_private}"],
}
property_contexts {
name: "plat_property_contexts.recovery",
defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.plat_private}"],
stem: "plat_property_contexts",
recovery: true,
@ -205,6 +222,7 @@ property_contexts {
property_contexts {
name: "system_ext_property_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.system_ext_private}"],
system_ext_specific: true,
recovery_available: true,
@ -212,6 +230,7 @@ property_contexts {
property_contexts {
name: "product_property_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.product_private}"],
product_specific: true,
recovery_available: true,
@ -219,6 +238,7 @@ property_contexts {
property_contexts {
name: "vendor_property_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [
":property_contexts_files{.plat_vendor}",
":property_contexts_files{.vendor}",
@ -230,6 +250,7 @@ property_contexts {
property_contexts {
name: "odm_property_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.odm}"],
device_specific: true,
recovery_available: true,
@ -237,11 +258,13 @@ property_contexts {
service_contexts {
name: "plat_service_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.plat_private}"],
}
service_contexts {
name: "plat_service_contexts.recovery",
defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.plat_private}"],
stem: "plat_service_contexts",
recovery: true,
@ -249,6 +272,7 @@ service_contexts {
service_contexts {
name: "system_ext_service_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.system_ext_private}"],
system_ext_specific: true,
recovery_available: true,
@ -256,6 +280,7 @@ service_contexts {
service_contexts {
name: "product_service_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.product_private}"],
product_specific: true,
recovery_available: true,
@ -263,6 +288,7 @@ service_contexts {
service_contexts {
name: "vendor_service_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [
":service_contexts_files{.plat_vendor}",
":service_contexts_files{.vendor}",
@ -274,6 +300,7 @@ service_contexts {
service_contexts {
name: "odm_service_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [
":service_contexts_files{.odm}",
],
@ -283,23 +310,27 @@ service_contexts {
keystore2_key_contexts {
name: "plat_keystore2_key_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.plat_private}"],
}
keystore2_key_contexts {
name: "system_keystore2_key_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
keystore2_key_contexts {
name: "product_keystore2_key_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.product_private}"],
product_specific: true,
}
keystore2_key_contexts {
name: "vendor_keystore2_key_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [
":keystore2_key_contexts_files{.plat_vendor}",
":keystore2_key_contexts_files{.vendor}",
@ -310,12 +341,14 @@ keystore2_key_contexts {
seapp_contexts {
name: "plat_seapp_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.plat_private}"],
sepolicy: ":precompiled_sepolicy",
}
seapp_contexts {
name: "system_ext_seapp_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.system_ext_private}"],
neverallow_files: [":seapp_contexts_files{.plat_private}"],
system_ext_specific: true,
@ -324,6 +357,7 @@ seapp_contexts {
seapp_contexts {
name: "product_seapp_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.product_private}"],
neverallow_files: [
":seapp_contexts_files{.plat_private}",
@ -335,6 +369,7 @@ seapp_contexts {
seapp_contexts {
name: "vendor_seapp_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [
":seapp_contexts_files{.plat_vendor}",
":seapp_contexts_files{.vendor}",
@ -351,6 +386,7 @@ seapp_contexts {
seapp_contexts {
name: "odm_seapp_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [
":seapp_contexts_files{.odm}",
],
@ -365,6 +401,7 @@ seapp_contexts {
vndservice_contexts {
name: "vndservice_contexts",
defaults: ["contexts_flags_defaults"],
srcs: [
":vndservice_contexts_files{.plat_vendor}",
":vndservice_contexts_files{.vendor}",

32
flagging/Android.bp Normal file
View file

@ -0,0 +1,32 @@
// Copyright (C) 2023 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// This file contains a list of flags for sepolicy.
se_policy_conf_defaults {
name: "se_policy_conf_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
flags: [],
}
contexts_defaults {
name: "contexts_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
neverallow_files: [":sepolicy_flagging_macros"], // for seapp_contexts
flags: [],
}
filegroup {
name: "sepolicy_flagging_macros",
srcs: ["te_macros"],
}

9
flagging/te_macros Normal file
View file

@ -0,0 +1,9 @@
####################################
# is_flag_enabled(flag, rules)
# SELinux rules which apply only if given feature is turned on
define(`is_flag_enabled', `ifelse(target_flag_$1, `true', $2, )')
####################################
# is_flag_disabled(flag, rules)
# SELinux rules which apply only if given feature is turned off
define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , $2)')

View file

@ -76,7 +76,7 @@ if len(violations) > 0:
print('%d violations found:' % len(violations))
print('\n'.join(violations))
print('******************************')
print('%s contains properties which are not properly namespaced.' % args.property_contexts)
print("vendor's and odm's property_contexts MUST use ONLY vendor-prefixed properties.")
print('This is enforced by VTS, so please fix such offending properties.')
if args.allowed_property_prefix:
print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))