tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Use target specific intermediate paths

Browse source 
This won't be harmful and this can help reduce rebuilding sepolicy
artifacts upon lunch target change.

Bug: 279524023
Test: m selinux_policy
Change-Id: I859de6dc0ac1958b44d847159904960bd7f9a0c2
This commit is contained in:
Inseob Kim 2023-04-26 11:03:35 +09:00
parent 97a5408aca
commit 6c6f53b1a8
6 changed files with 52 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
Android.bp
View file

@ -142,6 +142,7 @@ se_policy_conf {
system_ext_public_policy +
product_public_policy +
reqd_mask_policy,
vendor: true,
installable: false,
}
@ -150,6 +151,7 @@ se_policy_cil {
src: ":pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
vendor: true,
installable: false,
}
@ -158,6 +160,7 @@ se_policy_conf {
srcs: plat_public_policy +
system_ext_public_policy +
reqd_mask_policy,
system_ext_specific: true,
installable: false,
}
@ -166,6 +169,7 @@ se_policy_cil {
src: ":system_ext_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
system_ext_specific: true,
installable: false,
}
@ -290,6 +294,7 @@ se_policy_conf {
plat_private_policy +
system_ext_public_policy +
system_ext_private_policy,
system_ext_specific: true,
installable: false,
}
@ -311,6 +316,7 @@ se_policy_conf {
system_ext_private_policy +
product_public_policy +
product_private_policy,
product_specific: true,
installable: false,
}
@ -476,6 +482,7 @@ se_policy_conf {
":se_build_files{.plat_vendor_for_vendor}",
":se_build_files{.vendor}",
],
vendor: true,
installable: false,
}
@ -484,6 +491,7 @@ se_policy_cil {
src: ":vendor_sepolicy.conf",
filter_out: [":reqd_policy_mask_for_vendor.cil"],
secilc_check: false, // will be done in se_versioned_policy module
vendor: true,
installable: false,
}
@ -511,6 +519,7 @@ se_policy_conf {
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
device_specific: true,
installable: false,
}
@ -522,6 +531,7 @@ se_policy_cil {
":vendor_sepolicy.cil",
],
secilc_check: false, // will be done in se_versioned_policy module
device_specific: true,
installable: false,
}
@ -795,6 +805,7 @@ se_policy_conf {
],
target_recovery: true,
installable: false,
recovery: true,
}
se_policy_cil {
@ -802,6 +813,7 @@ se_policy_cil {
src: ":recovery_sepolicy.conf",
secilc_check: false, // will be done in se_policy_binary module
installable: false,
recovery: true,
}
se_policy_binary {
@ -864,6 +876,7 @@ se_policy_conf {
system_ext_private_policy,
build_variant: "user",
installable: false,
system_ext_specific: true,
}
se_policy_cil {
@ -892,6 +905,7 @@ se_policy_conf {
product_private_policy,
build_variant: "user",
installable: false,
product_specific: true,
}
se_policy_cil {
@ -936,6 +950,7 @@ se_policy_conf {
reqd_mask_policy,
build_variant: "user",
installable: false,
system_ext_specific: true,
}
se_policy_cil {
@ -944,6 +959,7 @@ se_policy_cil {
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
system_ext_specific: true,
}
se_policy_conf {
@ -954,6 +970,7 @@ se_policy_conf {
reqd_mask_policy,
build_variant: "user",
installable: false,
product_specific: true,
}
se_policy_cil {
@ -962,6 +979,7 @@ se_policy_cil {
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
product_specific: true,
}
// bug_map - Bug tracking information for selinux denials loaded by auditd.
@ -1008,6 +1026,7 @@ se_neverallow_test {
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
vendor: true,
}
//////////////////////////////////

10
build/soong/policy.go
View file

@ -209,7 +209,7 @@ func findPolicyConfOrder(name string) int {
}
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
conf := android.PathForModuleOut(ctx, c.stem()).OutputPath
conf := pathForModuleOut(ctx, c.stem())
rule := android.NewRuleBuilder(pctx, ctx)
srcs := android.PathsForModuleSrc(ctx, c.properties.Srcs)
@ -340,7 +340,7 @@ func (c *policyCil) stem() string {
}
func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
cil := pathForModuleOut(ctx, c.stem())
rule := android.NewRuleBuilder(pctx, ctx)
checkpolicyCmd := rule.Command().BuiltTool("checkpolicy").
Flag("-C"). // Write CIL
@ -496,7 +496,7 @@ func (c *policyBinary) GenerateAndroidBuildActions(ctx android.ModuleContext) {
ctx.PropertyErrorf("srcs", "must be specified")
return
}
bin := android.PathForModuleOut(ctx, c.stem()+"_policy")
bin := pathForModuleOut(ctx, c.stem()+"_policy")
rule := android.NewRuleBuilder(pctx, ctx)
secilcCmd := rule.Command().BuiltTool("secilc").
Flag("-m"). // Multiple decls
@ -514,7 +514,7 @@ func (c *policyBinary) GenerateAndroidBuildActions(ctx android.ModuleContext) {
// permissive check is performed only in user build (not debuggable).
if !ctx.Config().Debuggable() {
permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
permissiveDomains := pathForModuleOut(ctx, c.stem()+"_permissive")
cmd := rule.Command().BuiltTool("sepolicy-analyze").
Input(bin).
Text("permissive")
@ -544,7 +544,7 @@ func (c *policyBinary) GenerateAndroidBuildActions(ctx android.ModuleContext) {
Text("; exit 1; fi")
}
out := android.PathForModuleOut(ctx, c.stem())
out := pathForModuleOut(ctx, c.stem())
rule.Command().Text("cp").
Flag("-f").
Input(bin).

12
build/soong/selinux.go
View file

@ -28,3 +28,15 @@ type dependencyTag struct {
var (
pctx = android.NewPackageContext("android/soong/selinux")
)
// pathForModuleOut is same as android.PathForModuleOut, except that it uses DeviceName() as its
// intermediate directory name for system_ext/product/vendor/odm modules, to avoid rebuilding upon
// target change. Contents of system modules (core sepolicy) should be identical across devices, so
// they falls back to android.PathForModuleOut.
func pathForModuleOut(ctx android.ModuleContext, paths ...string) android.OutputPath {
if ctx.Platform() && !ctx.InstallInRecovery() {
return android.PathForModuleOut(ctx, paths...).OutputPath
}
return android.PathForModuleOut(ctx, ctx.Config().DeviceName()).Join(ctx, paths...)
}

24
build/soong/selinux_contexts.go
View file

@ -243,11 +243,11 @@ func (m *selinuxContextsModule) SetImageVariation(ctx android.BaseModuleContext,
var _ android.ImageInterface = (*selinuxContextsModule)(nil)
func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
builtContext := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
builtContext := pathForModuleOut(ctx, ctx.ModuleName()+"_m4out")
rule := android.NewRuleBuilder(pctx, ctx)
newlineFile := android.PathForModuleGen(ctx, "newline")
newlineFile := pathForModuleOut(ctx, "newline")
rule.Command().Text("echo").FlagWithOutput("> ", newlineFile)
rule.Temporary(newlineFile)
@ -267,7 +267,7 @@ func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext,
if proptools.Bool(m.properties.Remove_comment) {
rule.Temporary(builtContext)
remove_comment_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_remove_comment")
remove_comment_output := pathForModuleOut(ctx, ctx.ModuleName()+"_remove_comment")
rule.Command().
Text("sed -e 's/#.*$//' -e '/^$/d'").
@ -280,7 +280,7 @@ func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext,
if proptools.Bool(m.properties.Fc_sort) {
rule.Temporary(builtContext)
sorted_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_sorted")
sorted_output := pathForModuleOut(ctx, ctx.ModuleName()+"_sorted")
rule.Command().
Tool(ctx.Config().HostToolPath(ctx, "fc_sort")).
@ -290,7 +290,7 @@ func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext,
builtContext = sorted_output
}
ret := android.PathForModuleGen(ctx, m.stem())
ret := pathForModuleOut(ctx, m.stem())
rule.Temporary(builtContext)
rule.Command().Text("cp").Input(builtContext).Output(ret)
@ -309,7 +309,7 @@ func (m *selinuxContextsModule) buildFileContexts(ctx android.ModuleContext, inp
if ctx.Config().FlattenApex() {
for _, path := range android.PathsForModuleSrc(ctx, m.fileContextsProperties.Flatten_apex.Srcs) {
out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
out := pathForModuleOut(ctx, "flattened_apex", path.Rel())
apex_path := "/system/apex/" + strings.Replace(
strings.TrimSuffix(path.Base(), "-file_contexts"),
".", "\\\\.", -1)
@ -394,7 +394,7 @@ func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleC
cmd.Flag("--strict")
}
out := android.PathForModuleGen(ctx, "namespace_checked").Join(ctx, input.String())
out := pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String())
rule.Command().Text("cp -f").Input(input).Output(out)
ret = append(ret, out)
}
@ -426,7 +426,7 @@ func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext,
// check compatibility with sysprop_library
if len(apiFiles) > 0 {
out := android.PathForModuleGen(ctx, ctx.ModuleName()+"_api_checked")
out := pathForModuleOut(ctx, ctx.ModuleName()+"_api_checked")
rule := android.NewRuleBuilder(pctx, ctx)
msg := `\n******************************\n` +
@ -452,8 +452,8 @@ func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext,
}
func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
neverallowFile := android.PathForModuleGen(ctx, "neverallow")
ret := android.PathForModuleGen(ctx, m.stem())
neverallowFile := pathForModuleOut(ctx, "neverallow")
ret := pathForModuleOut(ctx, m.stem())
rule := android.NewRuleBuilder(pctx, ctx)
rule.Command().Text("(grep").
@ -547,7 +547,7 @@ type contextsTestModule struct {
flags []string
properties contextsTestProperties
testTimestamp android.ModuleOutPath
testTimestamp android.OutputPath
}
// checkfc parses a context file and checks for syntax errors.
@ -622,7 +622,7 @@ func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleConte
Input(sepolicy).
Inputs(srcs)
m.testTimestamp = android.PathForModuleOut(ctx, "timestamp")
m.testTimestamp = pathForModuleOut(ctx, "timestamp")
rule.Command().Text("touch").Output(m.testTimestamp)
rule.Build("contexts_test", "running contexts test: "+ctx.ModuleName())
}

6
build/soong/sepolicy_neverallow.go
View file

@ -36,7 +36,7 @@ type neverallowTestProperties struct {
type neverallowTestModule struct {
android.ModuleBase
properties neverallowTestProperties
testTimestamp android.ModuleOutPath
testTimestamp android.OutputPath
}
type nameProperties struct {
@ -98,7 +98,7 @@ func (n *neverallowTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
}
func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
n.testTimestamp = android.PathForModuleOut(ctx, "timestamp")
n.testTimestamp = pathForModuleOut(ctx, "timestamp")
if ctx.Config().SelinuxIgnoreNeverallows() {
// just touch
android.WriteFileRule(ctx, n.testTimestamp, "")
@ -146,7 +146,7 @@ func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleCon
rule := android.NewRuleBuilder(pctx, ctx)
// Step 1. Build a binary policy from the conf file including build test
binaryPolicy := android.PathForModuleOut(ctx, "policy")
binaryPolicy := pathForModuleOut(ctx, "policy")
rule.Command().BuiltTool("checkpolicy").
Flag("-M").
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).

2
build/soong/versioned_policy.go
View file

@ -103,7 +103,7 @@ func (m *versionedPolicy) GenerateAndroidBuildActions(ctx android.ModuleContext)
stem = ctx.ModuleName()
}
out := android.PathForModuleOut(ctx, stem)
out := pathForModuleOut(ctx, stem)
rule := android.NewRuleBuilder(pctx, ctx)
if proptools.String(m.properties.Base) == "" {