Remove compat test from treble sepolicy tests

Treble sepolicy tests check whether previous versions are compatible to ToT sepolicy or not. treble_sepolicy_tests_for_release.mk implements it, but it also includes a compat test whether ToT sepolicy + {ver} mapping + {ver} plat_pub_versioned.cil can be built together or not. We definitely need such tests, but we already have a test called "compat test" which does exactly that, and testing it again with Treble sepolicy tests is just redundant. The only difference between those two is that Treble sepolicy tests can also test system_ext and product compat files, which was contributed by a partner. The ultimate goal here is to migrate *.mk to Soong, thus merging these two tests (compat, Treble) into one. As we've already migrated the compat test to Soong, this change removes the compat test part from treble sepolicy tests. Instead, the compat test will be extended so it can test system_ext and product compat files too. prebuilts/api/{ver}/plat_pub_versioned.cil and prebuilts/api/{ver}/vendor_sepolicy.cil are also removed as they aren't used anymore: vendor_sepolicy.cil is an empty stub, and plat_pub_versioned.cil can be built from the prebuilt source files. Bug: 33691272 Test: m selinux_policy Change-Id: I72f5ad0e8bbe6a7c0bbcc02f0f902b953df6ff1a
2022-02-14 23:01:04 +09:00 · 2022-02-14 23:01:04 +09:00 · 73f43ff847
commit 73f43ff847
parent ba8615a186
14 changed files with 10 additions and 22066 deletions
--- a/Android.mk
+++ b/Android.mk
@ -532,33 +532,16 @@ include $(BUILD_PHONY_PACKAGE)
 # Policy files are now built with Android.bp. Grab them from intermediate.
 # See Android.bp for details of policy files.
 #
-reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
-
-pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
-system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
-plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
-
 built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file

 ifdef HAS_SYSTEM_EXT_SEPOLICY
 built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
 endif # ifdef HAS_SYSTEM_EXT_SEPOLICY

 ifdef HAS_PRODUCT_SEPOLICY
 built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
 endif # ifdef HAS_PRODUCT_SEPOLICY

-built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
-
-built_vendor_cil := $(call intermediates-dir-for,ETC,vendor_sepolicy.cil)/vendor_sepolicy.cil
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-built_odm_cil := $(call intermediates-dir-for,ETC,odm_sepolicy.cil)/odm_sepolicy.cil
-endif
-
 built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
 built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
 built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
@ -785,12 +768,6 @@ build_policy :=
 built_plat_cil :=
 built_system_ext_cil :=
 built_product_cil :=
-built_pub_vers_cil :=
-built_plat_mapping_cil :=
-built_system_ext_mapping_cil :=
-built_product_mapping_cil :=
-built_vendor_cil :=
-built_odm_cil :=
 built_sepolicy :=
 built_sepolicy_neverallows :=
 built_plat_svc :=
@ -798,12 +775,7 @@ built_vendor_svc :=
 treble_sysprop_neverallow :=
 enforce_sysprop_owner :=
 enforce_debugfs_restriction :=
-mapping_policy :=
 my_target_arch :=
-pub_policy.cil :=
-system_ext_pub_policy.cil :=
-plat_pub_policy.cil :=
-reqd_policy_mask.cil :=
 sepolicy_build_files :=
 sepolicy_build_cil_workaround_files :=
 with_asan :=
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@ -125,8 +125,13 @@ func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 		b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
 	}

+	// directories used for compat tests and Treble tests
 	for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
 		b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
 		b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
+		b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
+		b.srcs[".system_ext_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
+		b.srcs[".product_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
+		b.srcs[".product_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
 	}
 }
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@ -154,6 +154,8 @@ func (f *compatTestModule) createPlatPubVersionedModule(ctx android.LoadHookCont
 	}, &policyConfProperties{
 		Srcs: []string{
 			fmt.Sprintf(":se_build_files{.plat_public_%s}", ver),
+			fmt.Sprintf(":se_build_files{.system_ext_public_%s}", ver),
+			fmt.Sprintf(":se_build_files{.product_public_%s}", ver),
 			":se_build_files{.reqd_mask}",
 		},
 		Installable: proptools.BoolPtr(false),
--- a/prebuilts/api/28.0/plat_pub_versioned.cil
+++ b/prebuilts/api/28.0/plat_pub_versioned.cil
--- a/prebuilts/api/28.0/vendor_sepolicy.cil
+++ b/prebuilts/api/28.0/vendor_sepolicy.cil
--- a/prebuilts/api/29.0/plat_pub_versioned.cil
+++ b/prebuilts/api/29.0/plat_pub_versioned.cil
--- a/prebuilts/api/29.0/vendor_sepolicy.cil
+++ b/prebuilts/api/29.0/vendor_sepolicy.cil
@ -1 +0,0 @@
-;; empty stub
--- a/prebuilts/api/30.0/plat_pub_versioned.cil
+++ b/prebuilts/api/30.0/plat_pub_versioned.cil
--- a/prebuilts/api/30.0/vendor_sepolicy.cil
+++ b/prebuilts/api/30.0/vendor_sepolicy.cil
@ -1 +0,0 @@
-;; empty stub
--- a/prebuilts/api/31.0/plat_pub_versioned.cil
+++ b/prebuilts/api/31.0/plat_pub_versioned.cil
--- a/prebuilts/api/31.0/vendor_sepolicy.cil
+++ b/prebuilts/api/31.0/vendor_sepolicy.cil
@ -1 +0,0 @@
-;; empty stub
--- a/prebuilts/api/32.0/plat_pub_versioned.cil
+++ b/prebuilts/api/32.0/plat_pub_versioned.cil
--- a/prebuilts/api/32.0/vendor_sepolicy.cil
+++ b/prebuilts/api/32.0/vendor_sepolicy.cil
@ -1 +0,0 @@
-;; empty stub
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@ -17,19 +17,11 @@ SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
 # BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
 # make file of the product partition.
 PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
-# BOARD_PLAT_PUB_VERSIONED_POLICY - path_to_plat_pub_versioned_of_vendor
-# plat_pub_versioned.cil should be in
-# $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version) dir.
-# plat_pub_versioned.cil should have platform, system_ext and product sepolicies
-# similar to system/sepolicy/prebuilts/api/$(version/plat_pub_verioned.cil file.
-# In order to enable treble sepolicy tests for platform, system_ext and product
-# sepolicies SYSTEM_EXT_PREBUILT_POLICY , PRODUCT_PREBUILT_POLICY and
-# BOARD_PLAT_PUB_VERSIONED_POLICY should be set.
 IS_TREBLE_TEST_ENABLED_PARTNER := false
 ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
+ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
 IS_TREBLE_TEST_ENABLED_PARTNER := true
-endif # (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
+endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
 endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)

 include $(BUILD_SYSTEM)/base_rules.mk
@ -90,14 +82,9 @@ $(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_se

 $(version)_plat_policy.conf :=

-# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
-# targeting the $(version) SELinux release.  This ensures that our policy will build
-# when used on a device that has non-platform policy targetting the $(version) release.
-$(version)_compat := $(intermediates)/$(version)_compat
 $(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
 $(version)_mapping.ignore.cil := \
    $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
-$(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
 ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
 $(version)_mapping.cil += \
@ -111,29 +98,8 @@ $(version)_mapping.cil += \
 $(version)_mapping.ignore.cil += \
    $(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
 endif # (,$(PRODUCT_PREBUILT_POLICY))
-$(version)_prebuilts_dir := $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version)
 endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)

-# vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
-# nonplat_sepolicy.cil.
-$(version)_vendor := $($(version)_prebuilts_dir)/vendor_sepolicy.cil \
-$($(version)_prebuilts_dir)/plat_pub_versioned.cil
-
-cil_files := $(built_plat_cil)
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)
-cil_files += $(built_system_ext_cil)
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)
-ifneq (,$(PRODUCT_PREBUILT_POLICY)
-cil_files += $(built_product_cil)
-endif # (,$(PRODUCT_PREBUILT_POLICY)
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-cil_files += $($(version)_mapping.cil) $($(version)_vendor)
-$($(version)_compat): PRIVATE_CIL_FILES := $(cil_files)
-$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc $(cil_files)
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
-		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
-
 # $(version)_mapping.combined.cil - a combination of the mapping file used when
 # combining the current platform policy with nonplatform policy based on the
 # $(version) policy release and also a special ignored file that exists purely for
@ -165,7 +131,7 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
  $(all_fc_files) $(built_sepolicy) \
  $(built_sepolicy_files) \
  $(public_cil_files) \
-  $(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
+  $(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
                -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
@ -183,12 +149,9 @@ $(version)_PLAT_PRIVATE_POLICY :=
 built_sepolicy_files :=
 public_cil_files :=
 cil_files :=
-$(version)_compat :=
 $(version)_mapping.cil :=
 $(version)_mapping.combined.cil :=
 $(version)_mapping.ignore.cil :=
-$(version)_vendor :=
-$(version)_prebuilts_dir :=
 built_$(version)_plat_sepolicy :=
 version :=
 version_under_treble_tests :=