Merge changes Ia1c6d00b,I9b3460aa into main
* changes:
  Add macros to flag-guard te and contexts files
  Support passing flag parameters to M4
commit
66551aa50f
13 changed files with 276 additions and 31 deletions
17
Android.bp
17
Android.bp
|
@ -103,6 +103,7 @@ product_private_policy = [":se_build_files{.product_private}"]
|
|||
// policy and subsequent removal of CIL policy that should not be exported.
|
||||
se_policy_conf {
|
||||
name: "reqd_policy_mask.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: reqd_mask_policy,
|
||||
installable: false,
|
||||
}
|
||||
|
@ -138,6 +139,7 @@ se_policy_cil {
|
|||
//
|
||||
se_policy_conf {
|
||||
name: "pub_policy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
system_ext_public_policy +
|
||||
product_public_policy +
|
||||
|
@ -157,6 +159,7 @@ se_policy_cil {
|
|||
|
||||
se_policy_conf {
|
||||
name: "system_ext_pub_policy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
system_ext_public_policy +
|
||||
reqd_mask_policy,
|
||||
|
@ -175,6 +178,7 @@ se_policy_cil {
|
|||
|
||||
se_policy_conf {
|
||||
name: "plat_pub_policy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
reqd_mask_policy,
|
||||
installable: false,
|
||||
|
@ -195,6 +199,7 @@ se_policy_cil {
|
|||
// currently being attributized.
|
||||
se_policy_conf {
|
||||
name: "plat_sepolicy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
plat_private_policy,
|
||||
installable: false,
|
||||
|
@ -210,6 +215,7 @@ se_policy_cil {
|
|||
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
|
||||
se_policy_conf {
|
||||
name: "userdebug_plat_sepolicy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
plat_private_policy,
|
||||
build_variant: "userdebug",
|
||||
|
@ -260,6 +266,7 @@ gsi_se_policy_cil {
|
|||
// policy which will ship with the device. System_ext policy is not attributized
|
||||
se_policy_conf {
|
||||
name: "system_ext_sepolicy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
plat_private_policy +
|
||||
system_ext_public_policy +
|
||||
|
@ -280,6 +287,7 @@ se_policy_cil {
|
|||
// which will ship with the device. Product policy is not attributized
|
||||
se_policy_conf {
|
||||
name: "product_sepolicy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
plat_private_policy +
|
||||
system_ext_public_policy +
|
||||
|
@ -348,6 +356,7 @@ se_versioned_policy {
|
|||
// policy and the platform public policy files in order to use checkpolicy.
|
||||
se_policy_conf {
|
||||
name: "vendor_sepolicy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
system_ext_public_policy +
|
||||
product_public_policy +
|
||||
|
@ -389,6 +398,7 @@ se_versioned_policy {
|
|||
// policy and the platform public policy files in order to use checkpolicy.
|
||||
se_policy_conf {
|
||||
name: "odm_sepolicy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
system_ext_public_policy +
|
||||
product_public_policy +
|
||||
|
@ -598,6 +608,7 @@ precompiled_se_policy_binary {
|
|||
// policy for recovery
|
||||
se_policy_conf {
|
||||
name: "recovery_sepolicy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
plat_private_policy +
|
||||
system_ext_public_policy +
|
||||
|
@ -634,6 +645,7 @@ se_policy_binary {
|
|||
//////////////////////////////////
|
||||
se_policy_conf {
|
||||
name: "general_sepolicy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
plat_private_policy,
|
||||
build_variant: "user",
|
||||
|
@ -650,6 +662,7 @@ se_policy_conf {
|
|||
//////////////////////////////////
|
||||
se_policy_conf {
|
||||
name: "base_plat_sepolicy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
plat_private_policy,
|
||||
build_variant: "user",
|
||||
|
@ -675,6 +688,7 @@ se_policy_binary {
|
|||
|
||||
se_policy_conf {
|
||||
name: "base_product_sepolicy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
plat_private_policy +
|
||||
system_ext_public_policy +
|
||||
|
@ -704,6 +718,7 @@ se_policy_binary {
|
|||
|
||||
se_policy_conf {
|
||||
name: "base_plat_pub_policy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
reqd_mask_policy,
|
||||
build_variant: "user",
|
||||
|
@ -723,6 +738,7 @@ se_policy_cil {
|
|||
|
||||
se_policy_conf {
|
||||
name: "base_product_pub_policy.conf",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
system_ext_public_policy +
|
||||
product_public_policy +
|
||||
|
@ -770,6 +786,7 @@ se_bug_map {
|
|||
|
||||
se_neverallow_test {
|
||||
name: "sepolicy_neverallows",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
srcs: plat_public_policy +
|
||||
plat_private_policy +
|
||||
system_ext_public_policy +
|
||||
|
|
|
@ -35,6 +35,7 @@ bootstrap_go_package {
|
|||
"build_files.go",
|
||||
"cil_compat_map.go",
|
||||
"compat_cil.go",
|
||||
"flags.go",
|
||||
"mac_permissions.go",
|
||||
"policy.go",
|
||||
"selinux.go",
|
||||
|
|
|
@ -129,6 +129,7 @@ var _ android.OutputFileProducer = (*compatCil)(nil)
|
|||
// current policy.
|
||||
func compatTestFactory() android.SingletonModule {
|
||||
f := &compatTestModule{}
|
||||
f.AddProperties(&f.properties)
|
||||
android.InitAndroidModule(f)
|
||||
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
|
||||
f.loadHook(ctx)
|
||||
|
@ -138,6 +139,10 @@ func compatTestFactory() android.SingletonModule {
|
|||
|
||||
type compatTestModule struct {
|
||||
android.SingletonModuleBase
|
||||
properties struct {
|
||||
// Default modules for conf
|
||||
Defaults []string
|
||||
}
|
||||
|
||||
compatTestTimestamp android.ModuleOutPath
|
||||
}
|
||||
|
@ -157,6 +162,10 @@ func (f *compatTestModule) createPlatPubVersionedModule(ctx android.LoadHookCont
|
|||
":se_build_files{.reqd_mask}",
|
||||
},
|
||||
Installable: proptools.BoolPtr(false),
|
||||
}, &struct {
|
||||
Defaults []string
|
||||
}{
|
||||
Defaults: f.properties.Defaults,
|
||||
})
|
||||
|
||||
ctx.CreateModule(policyCilFactory, &nameProperties{
|
||||
|
|
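Review bot: The new `Defaults []string` property is documented only as `// Default modules for conf`, which does not say what kind of module name it accepts or where it is applied; `// Names of se_policy_conf_defaults modules applied to every se_policy_conf module this test generates.` would do, and the identical field added to neverallowTestProperties in neverallow_test.go deserves the same wording. The hunk shows the value forwarded in createPlatPubVersionedModule only; if compatTestModule creates further se_policy_conf modules outside this hunk, each needs the same `Defaults: f.properties.Defaults` pass-through, since a conf built without the flagging macros would presumably leave any `is_flag_enabled(...)` in its sources unexpanded for checkpolicy to choke on. createPlatPubVersionedModule starts and ends outside the hunk.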
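--- a/build/soong/flags.go
+++ b/build/soong/flags.go
@@ -0,0 +1,54 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+"android/soong/android"
+)
+
+type flagsProperties struct {
+// List of flags to be passed to M4 macro.
+Flags []string
+}
+
+type flaggableModule interface {
+android.Module
+flagModuleBase() *flaggableModuleBase
+getBuildFlags(ctx android.ModuleContext) map[string]string
+}
+
+type flaggableModuleBase struct {
+properties flagsProperties
+}
+
+func initFlaggableModule(m flaggableModule) {
+base := m.flagModuleBase()
+m.AddProperties(&base.properties)
+}
+
+func (f *flaggableModuleBase) flagModuleBase() *flaggableModuleBase {
+return f
+}
+
+// getBuildFlags returns a map from flag names to flag values.
+func (f *flaggableModuleBase) getBuildFlags(ctx android.ModuleContext) map[string]string {
+ret := make(map[string]string)
+for _, flag := range android.SortedUniqueStrings(f.properties.Flags) {
+if val, ok := ctx.Config().GetBuildFlag(flag); ok {
+ret[flag] = val
+}
+}
+return ret
+}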
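Review bot: getBuildFlags drops any listed flag for which `ctx.Config().GetBuildFlag(flag)` reports !ok, so a misspelled or undeclared name in `flags:` produces no `-D target_flag_<name>` define and the build proceeds silently; whether that is intended or an error cannot be told from this file. If it is an error, report it at the property with an else branch after the existing lookup: `} else {` / `ctx.PropertyErrorf("flags", "build flag %q is not defined", flag)` / `}`; if absence is expected for flags a release does not declare, say so in the doc comment so the silent drop is not mistaken for a bug. The `flaggableModule` interface and `initFlaggableModule` carry no doc comments; `// flaggableModule is implemented by module types that accept a flags: property and pass its values to m4.` and `// initFlaggableModule registers the flags: property on m.` would be enough.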
@ -58,6 +58,7 @@ var policyConfOrder = []string{
|
|||
|
||||
func init() {
|
||||
android.RegisterModuleType("se_policy_conf", policyConfFactory)
|
||||
android.RegisterModuleType("se_policy_conf_defaults", policyConfDefaultFactory)
|
||||
android.RegisterModuleType("se_policy_cil", policyCilFactory)
|
||||
android.RegisterModuleType("se_policy_binary", policyBinaryFactory)
|
||||
}
|
||||
|
@ -93,6 +94,8 @@ type policyConfProperties struct {
|
|||
|
||||
type policyConf struct {
|
||||
android.ModuleBase
|
||||
android.DefaultableModuleBase
|
||||
flaggableModuleBase
|
||||
|
||||
properties policyConfProperties
|
||||
|
||||
|
@ -100,12 +103,35 @@ type policyConf struct {
|
|||
installPath android.InstallPath
|
||||
}
|
||||
|
||||
var _ flaggableModule = (*policyConf)(nil)
|
||||
|
||||
// se_policy_conf merges collection of policy files into a policy.conf file to be processed by
|
||||
// checkpolicy.
|
||||
func policyConfFactory() android.Module {
|
||||
c := &policyConf{}
|
||||
c.AddProperties(&c.properties)
|
||||
initFlaggableModule(c)
|
||||
android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
|
||||
android.InitDefaultableModule(c)
|
||||
return c
|
||||
}
|
||||
|
||||
type policyConfDefaults struct {
|
||||
android.ModuleBase
|
||||
android.DefaultsModuleBase
|
||||
}
|
||||
|
||||
// se_policy_conf_defaults provides a set of properties that can be inherited by other
|
||||
// se_policy_conf_defaults modules. A module can use the properties from a se_policy_conf_defaults
|
||||
// using `defaults: ["<:default_module_name>"]`. Properties of both modules are merged (when
|
||||
// possible) by prepending the default module's values to the depending module's values.
|
||||
func policyConfDefaultFactory() android.Module {
|
||||
c := &policyConfDefaults{}
|
||||
c.AddProperties(
|
||||
&policyConfProperties{},
|
||||
&flagsProperties{},
|
||||
)
|
||||
android.InitDefaultsModule(c)
|
||||
return c
|
||||
}
|
||||
|
||||
|
@ -216,6 +242,7 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
|
|||
return findPolicyConfOrder(srcs[x].Base()) < findPolicyConfOrder(srcs[y].Base())
|
||||
})
|
||||
|
||||
flags := c.getBuildFlags(ctx)
|
||||
rule.Command().Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
|
||||
Flag("--fatal-warnings").
|
||||
FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
|
||||
|
@ -234,6 +261,7 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
|
|||
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
|
||||
FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
|
||||
FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
|
||||
Flags(flagsToM4Macros(flags)).
|
||||
Flag("-s").
|
||||
Inputs(srcs).
|
||||
Text("> ").Output(conf)
|
||||
|
@ -242,10 +270,6 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
|
|||
return conf
|
||||
}
|
||||
|
||||
func (c *policyConf) DepsMutator(ctx android.BottomUpMutatorContext) {
|
||||
// do nothing
|
||||
}
|
||||
|
||||
func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
|
||||
if !c.installable() {
|
||||
c.SkipInstall()
|
||||
|
|
|
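Review bot: The doc comment on policyConfDefaultFactory names the wrong consumer: `// se_policy_conf_defaults provides a set of properties that can be inherited by other se_policy_conf_defaults modules.` should read `... inherited by other se_policy_conf modules.`, matching the contexts_defaults comment added in contexts.go. The rest of the flag plumbing in transformPolicyToConf is consistent with the contexts.go change; transformPolicyToConf itself starts and ends outside the hunk.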
@ -40,3 +40,13 @@ func pathForModuleOut(ctx android.ModuleContext, paths ...string) android.Output
|
|||
|
||||
return android.PathForModuleOut(ctx, ctx.Config().DeviceName()).Join(ctx, paths...)
|
||||
}
|
||||
|
||||
// flagsToM4Macros converts given map to a list of M4's -D parameters to guard te files and contexts
|
||||
// files.
|
||||
func flagsToM4Macros(flags map[string]string) []string {
|
||||
flagMacros := []string{}
|
||||
for _, flag := range android.SortedKeys(flags) {
|
||||
flagMacros = append(flagMacros, "-D target_flag_"+flag+"="+flags[flag])
|
||||
}
|
||||
return flagMacros
|
||||
}
|
||||
|
|
|
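Review bot: flagsToM4Macros builds each define as `"-D target_flag_"+flag+"="+flags[flag]` and both callers hand the result to `Flags(...)`, which as far as I recall adds raw text to the command line, so a value containing whitespace or shell metacharacters would split or alter the m4 invocation. The values come from the build configuration rather than from untrusted input, so this is a robustness rather than an injection concern, but contexts.go already shell-escapes comparable arguments with `proptools.ShellEscapeList`; writing `proptools.ShellEscape(flags[flag])` here costs nothing if proptools is imported in this file (its import block is outside the hunk). Minor style: `flagMacros := []string{}` could be `flagMacros := make([]string, 0, len(flags))`, since the final length is known.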
@ -17,7 +17,6 @@ package selinux
|
|||
import (
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
|
||||
"github.com/google/blueprint"
|
||||
"github.com/google/blueprint/proptools"
|
||||
|
@ -59,6 +58,8 @@ type seappProperties struct {
|
|||
|
||||
type selinuxContextsModule struct {
|
||||
android.ModuleBase
|
||||
android.DefaultableModuleBase
|
||||
flaggableModuleBase
|
||||
|
||||
properties selinuxContextsProperties
|
||||
seappProperties seappProperties
|
||||
|
@ -68,6 +69,8 @@ type selinuxContextsModule struct {
|
|||
installPath android.InstallPath
|
||||
}
|
||||
|
||||
var _ flaggableModule = (*selinuxContextsModule)(nil)
|
||||
|
||||
var (
|
||||
reuseContextsDepTag = dependencyTag{name: "reuseContexts"}
|
||||
syspropLibraryDepTag = dependencyTag{name: "sysprop_library"}
|
||||
|
@ -76,6 +79,7 @@ var (
|
|||
func init() {
|
||||
pctx.HostBinToolVariable("fc_sort", "fc_sort")
|
||||
|
||||
android.RegisterModuleType("contexts_defaults", contextsDefaultsFactory)
|
||||
android.RegisterModuleType("file_contexts", fileFactory)
|
||||
android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
|
||||
android.RegisterModuleType("property_contexts", propertyFactory)
|
||||
|
@ -155,13 +159,35 @@ func newModule() *selinuxContextsModule {
|
|||
&m.properties,
|
||||
&m.seappProperties,
|
||||
)
|
||||
initFlaggableModule(m)
|
||||
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
|
||||
android.InitDefaultableModule(m)
|
||||
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
|
||||
m.selinuxContextsHook(ctx)
|
||||
})
|
||||
return m
|
||||
}
|
||||
|
||||
type contextsDefaults struct {
|
||||
android.ModuleBase
|
||||
android.DefaultsModuleBase
|
||||
}
|
||||
|
||||
// contexts_defaults provides a set of properties that can be inherited by other contexts modules.
|
||||
// (file_contexts, property_contexts, seapp_contexts, etc.) A module can use the properties from a
|
||||
// contexts_defaults using `defaults: ["<:default_module_name>"]`. Properties of both modules are
|
||||
// erged (when possible) by prepending the default module's values to the depending module's values.
|
||||
func contextsDefaultsFactory() android.Module {
|
||||
m := &contextsDefaults{}
|
||||
m.AddProperties(
|
||||
&selinuxContextsProperties{},
|
||||
&seappProperties{},
|
||||
&flagsProperties{},
|
||||
)
|
||||
android.InitDefaultsModule(m)
|
||||
return m
|
||||
}
|
||||
|
||||
func (m *selinuxContextsModule) selinuxContextsHook(ctx android.LoadHookContext) {
|
||||
// TODO: clean this up to use build/soong/android/variable.go after b/79249983
|
||||
var srcs []string
|
||||
|
@ -245,10 +271,12 @@ func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext,
|
|||
inputsWithNewline = append(inputsWithNewline, input, newlineFile)
|
||||
}
|
||||
|
||||
flags := m.getBuildFlags(ctx)
|
||||
rule.Command().
|
||||
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
|
||||
Text("--fatal-warnings -s").
|
||||
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
|
||||
Flags(flagsToM4Macros(flags)).
|
||||
Inputs(inputsWithNewline).
|
||||
FlagWithOutput("> ", builtContext)
|
||||
|
||||
|
@ -309,7 +337,7 @@ func (m *selinuxContextsModule) buildServiceContexts(ctx android.ModuleContext,
|
|||
return m.buildGeneralContexts(ctx, inputs)
|
||||
}
|
||||
|
||||
func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
|
||||
func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, input android.Path) android.Path {
|
||||
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
|
||||
ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
|
||||
|
||||
|
@ -350,37 +378,33 @@ func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleC
|
|||
}
|
||||
}
|
||||
|
||||
var ret android.Paths
|
||||
for _, input := range inputs {
|
||||
cmd := rule.Command().
|
||||
BuiltTool("check_prop_prefix").
|
||||
FlagWithInput("--property-contexts ", input).
|
||||
FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
|
||||
FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
|
||||
cmd := rule.Command().
|
||||
BuiltTool("check_prop_prefix").
|
||||
FlagWithInput("--property-contexts ", input).
|
||||
FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
|
||||
FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
|
||||
|
||||
if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
|
||||
cmd.Flag("--strict")
|
||||
}
|
||||
|
||||
out := pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String())
|
||||
rule.Command().Text("cp -f").Input(input).Output(out)
|
||||
ret = append(ret, out)
|
||||
if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
|
||||
cmd.Flag("--strict")
|
||||
}
|
||||
|
||||
out := pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String())
|
||||
rule.Command().Text("cp -f").Input(input).Output(out)
|
||||
rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
|
||||
return ret
|
||||
return out
|
||||
}
|
||||
|
||||
func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
|
||||
// vendor/odm properties are enforced for devices launching with Android Q or later. So, if
|
||||
// vendor/odm, make sure that only vendor/odm properties exist.
|
||||
builtCtxFile := m.buildGeneralContexts(ctx, inputs)
|
||||
|
||||
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
|
||||
ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
|
||||
if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
|
||||
inputs = m.checkVendorPropertyNamespace(ctx, inputs)
|
||||
builtCtxFile = m.checkVendorPropertyNamespace(ctx, builtCtxFile)
|
||||
}
|
||||
|
||||
builtCtxFile := m.buildGeneralContexts(ctx, inputs)
|
||||
|
||||
var apiFiles android.Paths
|
||||
ctx.VisitDirectDepsWithTag(syspropLibraryDepTag, func(c android.Module) {
|
||||
i, ok := c.(interface{ CurrentSyspropApiFile() android.OptionalPath })
|
||||
|
@ -429,23 +453,39 @@ func (m *selinuxContextsModule) shouldCheckCoredomain(ctx android.ModuleContext)
|
|||
|
||||
func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
|
||||
neverallowFile := pathForModuleOut(ctx, "neverallow")
|
||||
ret := pathForModuleOut(ctx, m.stem())
|
||||
ret := pathForModuleOut(ctx, "checkseapp", m.stem())
|
||||
|
||||
// Step 1. Generate a M4 processed neverallow file
|
||||
flags := m.getBuildFlags(ctx)
|
||||
m4NeverallowFile := pathForModuleOut(ctx, "neverallow.m4out")
|
||||
rule := android.NewRuleBuilder(pctx, ctx)
|
||||
rule.Command().Text("(grep").
|
||||
rule.Command().
|
||||
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
|
||||
Flag("--fatal-warnings").
|
||||
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
|
||||
Flags(flagsToM4Macros(flags)).
|
||||
Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
|
||||
FlagWithOutput("> ", m4NeverallowFile)
|
||||
|
||||
rule.Temporary(m4NeverallowFile)
|
||||
rule.Command().
|
||||
Text("( grep").
|
||||
Flag("-ihe").
|
||||
Text("'^neverallow'").
|
||||
Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
|
||||
Text(os.DevNull). // to make grep happy even when Neverallow_files is empty
|
||||
Input(m4NeverallowFile).
|
||||
Text(">").
|
||||
Output(neverallowFile).
|
||||
Text("|| true)") // to make ninja happy even when result is empty
|
||||
Text("|| true )") // to make ninja happy even when result is empty
|
||||
|
||||
// Step 2. Generate a M4 processed contexts file
|
||||
builtCtx := m.buildGeneralContexts(ctx, inputs)
|
||||
|
||||
// Step 3. checkseapp
|
||||
rule.Temporary(neverallowFile)
|
||||
checkCmd := rule.Command().BuiltTool("checkseapp").
|
||||
FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
|
||||
FlagWithOutput("-o ", ret).
|
||||
Inputs(inputs).
|
||||
Input(builtCtx).
|
||||
Input(neverallowFile)
|
||||
|
||||
if m.shouldCheckCoredomain(ctx) {
|
||||
|
|
|
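Review bot: In buildSeappContexts the new m4 step takes only `Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files))`, so a seapp_contexts module whose neverallow_files is empty (any module not using contexts_flags_defaults) runs m4 with no file operand and m4 falls back to standard input; the grep command this replaces guarded exactly that case with `Text(os.DevNull)`. Whether it is harmless depends on the executor handing the command an empty stdin, which I cannot confirm from here; adding `Text(os.DevNull).` before `FlagWithOutput("> ", m4NeverallowFile)` (and keeping the "os" import the first hunk drops) makes it explicit. Separately, checkVendorPropertyNamespace now receives the m4 output, a module-out path, so `pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String())` nests that entire intermediate path under namespace_checked; `input.Base()` would be enough now that there is a single input. The contextsDefaultsFactory comment has a typo: `// erged (when possible) by prepending` should be `// merged (when possible) by prepending`.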
@ -29,6 +29,9 @@ func init() {
|
|||
}
|
||||
|
||||
type neverallowTestProperties struct {
|
||||
// Default modules for conf
|
||||
Defaults []string
|
||||
|
||||
// Policy files to be tested.
|
||||
Srcs []string `android:"path"`
|
||||
}
|
||||
|
@ -79,6 +82,10 @@ func (n *neverallowTestModule) loadHook(ctx android.LoadHookContext) {
|
|||
Srcs: n.properties.Srcs,
|
||||
Build_variant: proptools.StringPtr("user"),
|
||||
Installable: proptools.BoolPtr(false),
|
||||
}, &struct {
|
||||
Defaults []string
|
||||
}{
|
||||
Defaults: n.properties.Defaults,
|
||||
})
|
||||
|
||||
sepolicyAnalyzeConf := n.sepolicyAnalyzeConfModuleName()
|
||||
|
@ -89,6 +96,10 @@ func (n *neverallowTestModule) loadHook(ctx android.LoadHookContext) {
|
|||
Build_variant: proptools.StringPtr("user"),
|
||||
Exclude_build_test: proptools.BoolPtr(true),
|
||||
Installable: proptools.BoolPtr(false),
|
||||
}, &struct {
|
||||
Defaults []string
|
||||
}{
|
||||
Defaults: n.properties.Defaults,
|
||||
})
|
||||
}
|
||||
|
||||
|
|
|
@ -429,6 +429,7 @@ se_compat_cil {
|
|||
|
||||
se_compat_test {
|
||||
name: "sepolicy_compat_test",
|
||||
defaults: ["se_policy_conf_flags_defaults"],
|
||||
}
|
||||
|
||||
se_build_files {
|
||||
|
|
|
@ -70,6 +70,7 @@ se_build_files {
|
|||
|
||||
file_contexts {
|
||||
name: "plat_file_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":file_contexts_files{.plat_private}"],
|
||||
product_variables: {
|
||||
address_sanitize: {
|
||||
|
@ -83,6 +84,7 @@ file_contexts {
|
|||
|
||||
file_contexts {
|
||||
name: "plat_file_contexts.recovery",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":file_contexts_files{.plat_private}"],
|
||||
stem: "plat_file_contexts",
|
||||
product_variables: {
|
||||
|
@ -98,6 +100,7 @@ file_contexts {
|
|||
|
||||
file_contexts {
|
||||
name: "vendor_file_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [
|
||||
":file_contexts_files{.plat_vendor}",
|
||||
":file_contexts_files{.vendor}",
|
||||
|
@ -108,6 +111,7 @@ file_contexts {
|
|||
|
||||
file_contexts {
|
||||
name: "vendor_file_contexts.recovery",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [
|
||||
":file_contexts_files{.plat_vendor}",
|
||||
":file_contexts_files{.vendor}",
|
||||
|
@ -119,12 +123,14 @@ file_contexts {
|
|||
|
||||
file_contexts {
|
||||
name: "system_ext_file_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":file_contexts_files{.system_ext_private}"],
|
||||
system_ext_specific: true,
|
||||
}
|
||||
|
||||
file_contexts {
|
||||
name: "system_ext_file_contexts.recovery",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":file_contexts_files{.system_ext_private}"],
|
||||
stem: "system_ext_file_contexts",
|
||||
recovery: true,
|
||||
|
@ -132,12 +138,14 @@ file_contexts {
|
|||
|
||||
file_contexts {
|
||||
name: "product_file_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":file_contexts_files{.product_private}"],
|
||||
product_specific: true,
|
||||
}
|
||||
|
||||
file_contexts {
|
||||
name: "product_file_contexts.recovery",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":file_contexts_files{.product_private}"],
|
||||
stem: "product_file_contexts",
|
||||
recovery: true,
|
||||
|
@ -145,6 +153,7 @@ file_contexts {
|
|||
|
||||
file_contexts {
|
||||
name: "odm_file_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":file_contexts_files{.odm}"],
|
||||
device_specific: true,
|
||||
fc_sort: true,
|
||||
|
@ -152,6 +161,7 @@ file_contexts {
|
|||
|
||||
file_contexts {
|
||||
name: "odm_file_contexts.recovery",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":file_contexts_files{.odm}"],
|
||||
stem: "odm_file_contexts",
|
||||
recovery: true,
|
||||
|
@ -160,23 +170,27 @@ file_contexts {
|
|||
|
||||
hwservice_contexts {
|
||||
name: "plat_hwservice_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":hwservice_contexts_files{.plat_private}"],
|
||||
}
|
||||
|
||||
hwservice_contexts {
|
||||
name: "system_ext_hwservice_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":hwservice_contexts_files{.system_ext_private}"],
|
||||
system_ext_specific: true,
|
||||
}
|
||||
|
||||
hwservice_contexts {
|
||||
name: "product_hwservice_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":hwservice_contexts_files{.product_private}"],
|
||||
product_specific: true,
|
||||
}
|
||||
|
||||
hwservice_contexts {
|
||||
name: "vendor_hwservice_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [
|
||||
":hwservice_contexts_files{.plat_vendor}",
|
||||
":hwservice_contexts_files{.vendor}",
|
||||
|
@ -187,17 +201,20 @@ hwservice_contexts {
|
|||
|
||||
hwservice_contexts {
|
||||
name: "odm_hwservice_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":hwservice_contexts_files{.odm}"],
|
||||
device_specific: true,
|
||||
}
|
||||
|
||||
property_contexts {
|
||||
name: "plat_property_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":property_contexts_files{.plat_private}"],
|
||||
}
|
||||
|
||||
property_contexts {
|
||||
name: "plat_property_contexts.recovery",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":property_contexts_files{.plat_private}"],
|
||||
stem: "plat_property_contexts",
|
||||
recovery: true,
|
||||
|
@ -205,6 +222,7 @@ property_contexts {
|
|||
|
||||
property_contexts {
|
||||
name: "system_ext_property_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":property_contexts_files{.system_ext_private}"],
|
||||
system_ext_specific: true,
|
||||
recovery_available: true,
|
||||
|
@ -212,6 +230,7 @@ property_contexts {
|
|||
|
||||
property_contexts {
|
||||
name: "product_property_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":property_contexts_files{.product_private}"],
|
||||
product_specific: true,
|
||||
recovery_available: true,
|
||||
|
@ -219,6 +238,7 @@ property_contexts {
|
|||
|
||||
property_contexts {
|
||||
name: "vendor_property_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [
|
||||
":property_contexts_files{.plat_vendor}",
|
||||
":property_contexts_files{.vendor}",
|
||||
|
@ -230,6 +250,7 @@ property_contexts {
|
|||
|
||||
property_contexts {
|
||||
name: "odm_property_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":property_contexts_files{.odm}"],
|
||||
device_specific: true,
|
||||
recovery_available: true,
|
||||
|
@ -237,11 +258,13 @@ property_contexts {
|
|||
|
||||
service_contexts {
|
||||
name: "plat_service_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":service_contexts_files{.plat_private}"],
|
||||
}
|
||||
|
||||
service_contexts {
|
||||
name: "plat_service_contexts.recovery",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":service_contexts_files{.plat_private}"],
|
||||
stem: "plat_service_contexts",
|
||||
recovery: true,
|
||||
|
@ -249,6 +272,7 @@ service_contexts {
|
|||
|
||||
service_contexts {
|
||||
name: "system_ext_service_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":service_contexts_files{.system_ext_private}"],
|
||||
system_ext_specific: true,
|
||||
recovery_available: true,
|
||||
|
@ -256,6 +280,7 @@ service_contexts {
|
|||
|
||||
service_contexts {
|
||||
name: "product_service_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":service_contexts_files{.product_private}"],
|
||||
product_specific: true,
|
||||
recovery_available: true,
|
||||
|
@ -263,6 +288,7 @@ service_contexts {
|
|||
|
||||
service_contexts {
|
||||
name: "vendor_service_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [
|
||||
":service_contexts_files{.plat_vendor}",
|
||||
":service_contexts_files{.vendor}",
|
||||
|
@ -274,6 +300,7 @@ service_contexts {
|
|||
|
||||
service_contexts {
|
||||
name: "odm_service_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [
|
||||
":service_contexts_files{.odm}",
|
||||
],
|
||||
|
@ -283,23 +310,27 @@ service_contexts {
|
|||
|
||||
keystore2_key_contexts {
|
||||
name: "plat_keystore2_key_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":keystore2_key_contexts_files{.plat_private}"],
|
||||
}
|
||||
|
||||
keystore2_key_contexts {
|
||||
name: "system_keystore2_key_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
|
||||
system_ext_specific: true,
|
||||
}
|
||||
|
||||
keystore2_key_contexts {
|
||||
name: "product_keystore2_key_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":keystore2_key_contexts_files{.product_private}"],
|
||||
product_specific: true,
|
||||
}
|
||||
|
||||
keystore2_key_contexts {
|
||||
name: "vendor_keystore2_key_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [
|
||||
":keystore2_key_contexts_files{.plat_vendor}",
|
||||
":keystore2_key_contexts_files{.vendor}",
|
||||
|
@ -310,12 +341,14 @@ keystore2_key_contexts {
|
|||
|
||||
seapp_contexts {
|
||||
name: "plat_seapp_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":seapp_contexts_files{.plat_private}"],
|
||||
sepolicy: ":precompiled_sepolicy",
|
||||
}
|
||||
|
||||
seapp_contexts {
|
||||
name: "system_ext_seapp_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":seapp_contexts_files{.system_ext_private}"],
|
||||
neverallow_files: [":seapp_contexts_files{.plat_private}"],
|
||||
system_ext_specific: true,
|
||||
|
@ -324,6 +357,7 @@ seapp_contexts {
|
|||
|
||||
seapp_contexts {
|
||||
name: "product_seapp_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [":seapp_contexts_files{.product_private}"],
|
||||
neverallow_files: [
|
||||
":seapp_contexts_files{.plat_private}",
|
||||
|
@ -335,6 +369,7 @@ seapp_contexts {
|
|||
|
||||
seapp_contexts {
|
||||
name: "vendor_seapp_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [
|
||||
":seapp_contexts_files{.plat_vendor}",
|
||||
":seapp_contexts_files{.vendor}",
|
||||
|
@ -351,6 +386,7 @@ seapp_contexts {
|
|||
|
||||
seapp_contexts {
|
||||
name: "odm_seapp_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [
|
||||
":seapp_contexts_files{.odm}",
|
||||
],
|
||||
|
@ -365,6 +401,7 @@ seapp_contexts {
|
|||
|
||||
vndservice_contexts {
|
||||
name: "vndservice_contexts",
|
||||
defaults: ["contexts_flags_defaults"],
|
||||
srcs: [
|
||||
":vndservice_contexts_files{.plat_vendor}",
|
||||
":vndservice_contexts_files{.vendor}",
|
||||
|
|
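--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -0,0 +1,32 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains a list of flags for sepolicy.
+se_policy_conf_defaults {
+name: "se_policy_conf_flags_defaults",
+srcs: [":sepolicy_flagging_macros"],
+flags: [],
+}
+
+contexts_defaults {
+name: "contexts_flags_defaults",
+srcs: [":sepolicy_flagging_macros"],
+neverallow_files: [":sepolicy_flagging_macros"], // for seapp_contexts
+flags: [],
+}
+
+filegroup {
+name: "sepolicy_flagging_macros",
+srcs: ["te_macros"],
+}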
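Review bot: The flag list is duplicated — `flags: []` appears in both se_policy_conf_flags_defaults and contexts_flags_defaults — and the two must stay identical, otherwise a flag named in only one of them is defined for te files but undefined for contexts files (or the reverse), and nothing in the build would report the mismatch. A top-level variable keeps them in lockstep, as the other Android.bp files here already do for policy source lists: `sepolicy_flags = []` above the modules, then `flags: sepolicy_flags,` in both. The header comment `// This file contains a list of flags for sepolicy.` would be more useful if it also said that each entry is looked up in the build configuration and exported to m4 as `target_flag_<name>`.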
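--- a/flagging/te_macros
+++ b/flagging/te_macros
@@ -0,0 +1,9 @@
+####################################
+# is_flag_enabled(flag, rules)
+# SELinux rules which apply only if given feature is turned on
+define(`is_flag_enabled', `ifelse(target_flag_$1, `true', $2, )')
+
+####################################
+# is_flag_disabled(flag, rules)
+# SELinux rules which apply only if given feature is turned off
+define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , $2)')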
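Review bot: Neither macro's comment says what happens when the flag is absent: `ifelse(target_flag_$1, `true', $2, )` compares the expanded define with the literal `true', so a flag with no `-D target_flag_<flag>` define (not listed, or dropped because the build configuration does not know it) and a flag whose value is anything other than exactly `true` are both treated as disabled — is_flag_enabled emits nothing and is_flag_disabled emits its rules. That is the conservative direction for rules that grant access but the opposite for rules that tighten policy, so it is worth stating in the header: `# A flag with no target_flag_<flag> define, or any value other than `true', counts as disabled.` Since the rules are passed as an ordinary macro argument, callers must quote a rules argument that contains commas or it will be split; one line saying so next to each macro would save a confusing m4 error.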
@ -76,7 +76,7 @@ if len(violations) > 0:
|
|||
print('%d violations found:' % len(violations))
|
||||
print('\n'.join(violations))
|
||||
print('******************************')
|
||||
print('%s contains properties which are not properly namespaced.' % args.property_contexts)
|
||||
print("vendor's and odm's property_contexts MUST use ONLY vendor-prefixed properties.")
|
||||
print('This is enforced by VTS, so please fix such offending properties.')
|
||||
if args.allowed_property_prefix:
|
||||
print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))
|
||||
|
|