Merge "Remove code about mixed sepolicy build" into main

Inseob Kim 2023-09-01 01:06:38 +00:00 committed by Gerrit Code Review
commit 726bcb500c
5 changed files with 71 additions and 237 deletions


@ -359,116 +359,16 @@ se_versioned_policy {
product_specific: true,
}
//////////////////////////////////
// vendor/odm sepolicy
//
// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
// policy files of platform (system, system_ext, product) can't be mixed with
// policy files of vendor (vendor, odm). If it's the case, platform policies and
// vendor policies are separately built. More specifically,
//
// - Platform policy files needed to build vendor policies, such as plat_policy,
// plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
// prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
//
// - sepolicy_neverallows only checks platform policies, and a new module
// sepolicy_neverallows_vendor checks vendor policies.
//
// - neverallow checks are turned off while compiling precompiled_sepolicy
// module and sepolicy module.
//
// - Vendor policies are not checked on the compat test (compat.mk).
//
// In such scenario, we can grab platform policy files from the prebuilts/api
// directory. But we need more than that: prebuilts of system_ext, product,
// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
// variables are introduced to specify such prebuilts.
//
// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
//
// Vendors are responsible for copying policy files from the old version of the
// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
// can be used to build vendor policies.
//
// To support both mixed build and normal build, platform policy files are
// indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
// to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
// Otherwise, they will be equal to the Makefile variables above.
plat_public_policies_for_vendor = [
":se_build_files{.plat_public_for_vendor}",
":se_build_files{.system_ext_public_for_vendor}",
":se_build_files{.product_public_for_vendor}",
":se_build_files{.reqd_mask_for_vendor}",
]
plat_policies_for_vendor = [
":se_build_files{.plat_public_for_vendor}",
":se_build_files{.plat_private_for_vendor}",
":se_build_files{.system_ext_public_for_vendor}",
":se_build_files{.system_ext_private_for_vendor}",
":se_build_files{.product_public_for_vendor}",
":se_build_files{.product_private_for_vendor}",
]
se_policy_conf {
name: "plat_policy_for_vendor.conf",
srcs: plat_policies_for_vendor,
installable: false,
}
se_policy_cil {
name: "plat_policy_for_vendor.cil",
src: ":plat_policy_for_vendor.conf",
additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
installable: false,
}
se_policy_conf {
name: "reqd_policy_mask_for_vendor.conf",
srcs: [":se_build_files{.reqd_mask_for_vendor}"],
installable: false,
}
se_policy_cil {
name: "reqd_policy_mask_for_vendor.cil",
src: ":reqd_policy_mask_for_vendor.conf",
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "pub_policy_for_vendor.conf",
srcs: plat_public_policies_for_vendor,
installable: false,
}
se_policy_cil {
name: "pub_policy_for_vendor.cil",
src: ":pub_policy_for_vendor.conf",
filter_out: [":reqd_policy_mask_for_vendor.cil"],
secilc_check: false,
installable: false,
}
se_versioned_policy {
name: "plat_mapping_file_for_vendor",
base: ":pub_policy_for_vendor.cil",
mapping: true,
version: "vendor",
installable: false,
}
//////////////////////////////////
// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
name: "plat_pub_versioned.cil",
base: ":pub_policy_for_vendor.cil",
target_policy: ":pub_policy_for_vendor.cil",
base: ":pub_policy.cil",
target_policy: ":pub_policy.cil",
version: "vendor",
vendor: true,
}
@ -478,8 +378,11 @@ se_versioned_policy {
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
srcs: plat_public_policies_for_vendor + [
":se_build_files{.plat_vendor_for_vendor}",
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
reqd_mask_policy + [
":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
],
vendor: true,
@ -489,7 +392,7 @@ se_policy_conf {
se_policy_cil {
name: "vendor_sepolicy.cil.raw",
src: ":vendor_sepolicy.conf",
filter_out: [":reqd_policy_mask_for_vendor.cil"],
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false, // will be done in se_versioned_policy module
vendor: true,
installable: false,
@ -497,13 +400,15 @@ se_policy_cil {
se_versioned_policy {
name: "vendor_sepolicy.cil",
base: ":pub_policy_for_vendor.cil",
base: ":pub_policy.cil",
target_policy: ":vendor_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
":plat_policy_for_vendor.cil",
":plat_sepolicy.cil",
":system_ext_sepolicy.cil",
":product_sepolicy.cil",
":plat_pub_versioned.cil",
":plat_mapping_file_for_vendor",
":plat_mapping_file",
],
filter_out: [":plat_pub_versioned.cil"],
vendor: true,
@ -514,8 +419,11 @@ se_versioned_policy {
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
srcs: plat_public_policies_for_vendor + [
":se_build_files{.plat_vendor_for_vendor}",
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
reqd_mask_policy + [
":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
@ -527,7 +435,7 @@ se_policy_cil {
name: "odm_sepolicy.cil.raw",
src: ":odm_sepolicy.conf",
filter_out: [
":reqd_policy_mask_for_vendor.cil",
":reqd_policy_mask.cil",
":vendor_sepolicy.cil",
],
secilc_check: false, // will be done in se_versioned_policy module
@ -537,13 +445,15 @@ se_policy_cil {
se_versioned_policy {
name: "odm_sepolicy.cil",
base: ":pub_policy_for_vendor.cil",
base: ":pub_policy.cil",
target_policy: ":odm_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
":plat_policy_for_vendor.cil",
":plat_sepolicy.cil",
":system_ext_sepolicy.cil",
":product_sepolicy.cil",
":plat_pub_versioned.cil",
":plat_mapping_file_for_vendor",
":plat_mapping_file",
":vendor_sepolicy.cil",
],
filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
@ -701,9 +611,8 @@ soong_config_module_type {
name: "precompiled_se_policy_binary",
module_type: "se_policy_binary",
config_namespace: "ANDROID",
bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
value_variables: ["MIXED_SEPOLICY_VERSION"],
properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
bool_variables: ["BOARD_USES_ODMIMAGE"],
properties: ["vendor", "device_specific"],
}
precompiled_se_policy_binary {
@ -716,6 +625,9 @@ precompiled_se_policy_binary {
":product_sepolicy.cil",
":vendor_sepolicy.cil",
":odm_sepolicy.cil",
":plat_mapping_file",
":system_ext_mapping_file",
":product_mapping_file",
],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
@ -724,27 +636,9 @@ precompiled_se_policy_binary {
vendor: true,
},
},
IS_TARGET_MIXED_SEPOLICY: {
ignore_neverallow: true,
},
MIXED_SEPOLICY_VERSION: {
srcs: [
":plat_%s.cil",
":system_ext_%s.cil",
":product_%s.cil",
],
conditions_default: {
srcs: [
":plat_mapping_file",
":system_ext_mapping_file",
":product_mapping_file",
],
},
},
},
required: [
"sepolicy_neverallows",
"sepolicy_neverallows_vendor",
],
dist: {
targets: ["base-sepolicy-files-for-mapping"],
@ -760,6 +654,9 @@ precompiled_se_policy_binary {
":product_sepolicy.cil",
":vendor_sepolicy.cil",
":odm_sepolicy.cil",
":plat_mapping_file",
":system_ext_mapping_file",
":product_mapping_file",
],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
@ -768,27 +665,9 @@ precompiled_se_policy_binary {
vendor: true,
},
},
IS_TARGET_MIXED_SEPOLICY: {
ignore_neverallow: true,
},
MIXED_SEPOLICY_VERSION: {
srcs: [
":plat_%s.cil",
":system_ext_%s.cil",
":product_%s.cil",
],
conditions_default: {
srcs: [
":plat_mapping_file",
":system_ext_mapping_file",
":product_mapping_file",
],
},
},
},
required: [
"sepolicy_neverallows",
"sepolicy_neverallows_vendor",
],
dist: {
targets: ["base-sepolicy-files-for-mapping"],
@ -798,8 +677,13 @@ precompiled_se_policy_binary {
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
srcs: plat_policies_for_vendor + [
":se_build_files{.plat_vendor_for_vendor}",
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
product_private_policy + [
":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
@ -1003,7 +887,7 @@ se_bug_map {
se_bug_map {
name: "vendor_bug_map",
srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor_for_vendor}"],
srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor}"],
// Legacy file name of the vendor partition bug_map.
stem: "selinux_denial_metadata",
vendor: true,
@ -1016,17 +900,11 @@ se_neverallow_test {
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
product_private_policy,
}
se_neverallow_test {
name: "sepolicy_neverallows_vendor",
srcs: plat_policies_for_vendor + [
":se_build_files{.plat_vendor_for_vendor}",
product_private_policy + [
":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
vendor: true,
}
//////////////////////////////////
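Review bot: The surviving `sepolicy_neverallows` test at the end of this section appears to absorb the vendor and odm sources that `sepolicy_neverallows_vendor` used to check, but nothing documents that it now covers every partition. This reading rests on print order, since the +/- markers are lost on this page. Both `precompiled_se_policy_binary` modules now list only this test under `required`, and `ignore_neverallow` is no longer a property of the module type, so its scope is worth stating explicitly. I would add a comment above it such as `// Checks platform, system_ext, product, vendor and odm policy together; there is no separate vendor neverallow test.` The module's opening lines are outside the hunk, so check its full property list (including whether `vendor: true` is still meant to apply) when placing the comment.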


@ -73,12 +73,6 @@ ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
HAS_PRODUCT_SEPOLICY_DIR := true
endif
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
mixed_sepolicy_build := true
else
mixed_sepolicy_build :=
endif
NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
@ -98,21 +92,6 @@ ifdef BOARD_SEPOLICY_DIRS
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
# Set default values for these prebuilt directories
ifeq (,$(BOARD_REQD_MASK_POLICY))
BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY)
endif
ifeq (,$(BOARD_PLAT_VENDOR_POLICY))
BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY)
endif
$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \
$(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\
BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \
) \
)))
###########################################################
# Compute policy files to be used in policy build.
# $(1): files to include
@ -125,7 +104,7 @@ endef
# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
# $(1): the set of policy name paths to build
build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
@ -513,7 +492,6 @@ endif # ifdef HAS_PRODUCT_SEPOLICY
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
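Review bot: With the `mixed_sepolicy_build` comparison and the `BOARD_*` defaulting block removed, a board config that still sets `BOARD_REQD_MASK_POLICY`, `BOARD_PLAT_VENDOR_POLICY` or the `BOARD_*_PREBUILT_DIRS` variables is silently ignored. `build_vendor_policy` now reads `$(PLAT_VENDOR_POLICY)` regardless of those settings. Unless this is rejected elsewhere in the build, vendor policy would be compiled against platform policy other than the one the device owner pinned, with no diagnostic. I would fail early where the defaults used to be, e.g. `ifneq (,$(strip $(BOARD_REQD_MASK_POLICY) $(BOARD_PLAT_VENDOR_POLICY)))` / `$(error Mixed sepolicy build was removed; unset the BOARD_*_POLICY prebuilt variables)` / `endif`, and the same for the four `*_PREBUILT_DIRS` variables.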


@ -103,28 +103,6 @@ func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
// vendor uses the same source with plat policy
b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]
b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]
b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]
b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]
b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]
b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]
b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]
b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]
} else {
// use vendor-supplied plat prebuilts
b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
}
// directories used for compat tests and Treble tests
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "public"))


@ -99,7 +99,7 @@ file_contexts {
file_contexts {
name: "vendor_file_contexts",
srcs: [
":file_contexts_files{.plat_vendor_for_vendor}",
":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
soc_specific: true,
@ -108,7 +108,7 @@ file_contexts {
file_contexts {
name: "vendor_file_contexts.recovery",
srcs: [
":file_contexts_files{.plat_vendor_for_vendor}",
":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
stem: "vendor_file_contexts",
@ -174,9 +174,9 @@ hwservice_contexts {
hwservice_contexts {
name: "vendor_hwservice_contexts",
srcs: [
":hwservice_contexts_files{.plat_vendor_for_vendor}",
":hwservice_contexts_files{.plat_vendor}",
":hwservice_contexts_files{.vendor}",
":hwservice_contexts_files{.reqd_mask_for_vendor}",
":hwservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@ -216,9 +216,9 @@ property_contexts {
property_contexts {
name: "vendor_property_contexts",
srcs: [
":property_contexts_files{.plat_vendor_for_vendor}",
":property_contexts_files{.plat_vendor}",
":property_contexts_files{.vendor}",
":property_contexts_files{.reqd_mask_for_vendor}",
":property_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@ -260,9 +260,9 @@ service_contexts {
service_contexts {
name: "vendor_service_contexts",
srcs: [
":service_contexts_files{.plat_vendor_for_vendor}",
":service_contexts_files{.plat_vendor}",
":service_contexts_files{.vendor}",
":service_contexts_files{.reqd_mask_for_vendor}",
":service_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@ -297,9 +297,9 @@ keystore2_key_contexts {
keystore2_key_contexts {
name: "vendor_keystore2_key_contexts",
srcs: [
":keystore2_key_contexts_files{.plat_vendor_for_vendor}",
":keystore2_key_contexts_files{.plat_vendor}",
":keystore2_key_contexts_files{.vendor}",
":keystore2_key_contexts_files{.reqd_mask_for_vendor}",
":keystore2_key_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@ -332,14 +332,14 @@ seapp_contexts {
seapp_contexts {
name: "vendor_seapp_contexts",
srcs: [
":seapp_contexts_files{.plat_vendor_for_vendor}",
":seapp_contexts_files{.plat_vendor}",
":seapp_contexts_files{.vendor}",
":seapp_contexts_files{.reqd_mask_for_vendor}",
":seapp_contexts_files{.reqd_mask}",
],
neverallow_files: [
":seapp_contexts_files{.plat_private_for_vendor}",
":seapp_contexts_files{.system_ext_private_for_vendor}",
":seapp_contexts_files{.product_private_for_vendor}",
":seapp_contexts_files{.plat_private}",
":seapp_contexts_files{.system_ext_private}",
":seapp_contexts_files{.product_private}",
],
soc_specific: true,
sepolicy: ":precompiled_sepolicy",
@ -351,9 +351,9 @@ seapp_contexts {
":seapp_contexts_files{.odm}",
],
neverallow_files: [
":seapp_contexts_files{.plat_private_for_vendor}",
":seapp_contexts_files{.system_ext_private_for_vendor}",
":seapp_contexts_files{.product_private_for_vendor}",
":seapp_contexts_files{.plat_private}",
":seapp_contexts_files{.system_ext_private}",
":seapp_contexts_files{.product_private}",
],
device_specific: true,
sepolicy: ":precompiled_sepolicy",
@ -362,9 +362,9 @@ seapp_contexts {
vndservice_contexts {
name: "vndservice_contexts",
srcs: [
":vndservice_contexts_files{.plat_vendor_for_vendor}",
":vndservice_contexts_files{.plat_vendor}",
":vndservice_contexts_files{.vendor}",
":vndservice_contexts_files{.reqd_mask_for_vendor}",
":vndservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}


@ -72,14 +72,14 @@ mac_permissions {
mac_permissions {
name: "vendor_mac_permissions.xml",
keys: [
":keys.conf{.plat_vendor_for_vendor}",
":keys.conf{.plat_vendor}",
":keys.conf{.vendor}",
":keys.conf{.reqd_mask_for_vendor}",
":keys.conf{.reqd_mask}",
],
srcs: [
":mac_permissions.xml{.plat_vendor_for_vendor}",
":mac_permissions.xml{.plat_vendor}",
":mac_permissions.xml{.vendor}",
":mac_permissions.xml{.reqd_mask_for_vendor}",
":mac_permissions.xml{.reqd_mask}",
],
vendor: true,
}
@ -88,11 +88,11 @@ mac_permissions {
name: "odm_mac_permissions.xml",
keys: [
":keys.conf{.odm}",
":keys.conf{.reqd_mask_for_vendor}",
":keys.conf{.reqd_mask}",
],
srcs: [
":mac_permissions.xml{.odm}",
":mac_permissions.xml{.reqd_mask_for_vendor}",
":mac_permissions.xml{.reqd_mask}",
],
device_specific: true,
}