Remove compat test from treble sepolicy tests
Treble sepolicy tests check whether previous versions are compatible to ToT sepolicy or not. treble_sepolicy_tests_for_release.mk implements it, but it also includes a compat test whether ToT sepolicy + {ver} mapping + {ver} plat_pub_versioned.cil can be built together or not. We definitely need such tests, but we already have a test called "compat test" which does exactly that, and testing it again with Treble sepolicy tests is just redundant. The only difference between those two is that Treble sepolicy tests can also test system_ext and product compat files, which was contributed by a partner. The ultimate goal here is to migrate *.mk to Soong, thus merging these two tests (compat, Treble) into one. As we've already migrated the compat test to Soong, this change removes the compat test part from treble sepolicy tests. Instead, the compat test will be extended so it can test system_ext and product compat files too. prebuilts/api/{ver}/plat_pub_versioned.cil and prebuilts/api/{ver}/vendor_sepolicy.cil are also removed as they aren't used anymore: vendor_sepolicy.cil is an empty stub, and plat_pub_versioned.cil can be built from the prebuilt source files. Bug: 33691272 Test: m selinux_policy Change-Id: I72f5ad0e8bbe6a7c0bbcc02f0f902b953df6ff1a
parent
ba8615a186
commit
73f43ff847
14 changed files with 10 additions and 22066 deletions
28
Android.mk
28
Android.mk
|
@ -532,33 +532,16 @@ include $(BUILD_PHONY_PACKAGE)
|
||||||
# Policy files are now built with Android.bp. Grab them from intermediate.
|
# Policy files are now built with Android.bp. Grab them from intermediate.
|
||||||
# See Android.bp for details of policy files.
|
# See Android.bp for details of policy files.
|
||||||
#
|
#
|
||||||
reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
|
|
||||||
|
|
||||||
pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
|
|
||||||
system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
|
|
||||||
plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
|
|
||||||
|
|
||||||
built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
|
built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
|
||||||
built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
|
|
||||||
|
|
||||||
ifdef HAS_SYSTEM_EXT_SEPOLICY
|
ifdef HAS_SYSTEM_EXT_SEPOLICY
|
||||||
built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
|
built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
|
||||||
built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
|
|
||||||
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
|
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
|
||||||
|
|
||||||
ifdef HAS_PRODUCT_SEPOLICY
|
ifdef HAS_PRODUCT_SEPOLICY
|
||||||
built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
|
built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
|
||||||
built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
|
|
||||||
endif # ifdef HAS_PRODUCT_SEPOLICY
|
endif # ifdef HAS_PRODUCT_SEPOLICY
|
||||||
|
|
||||||
built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
|
|
||||||
|
|
||||||
built_vendor_cil := $(call intermediates-dir-for,ETC,vendor_sepolicy.cil)/vendor_sepolicy.cil
|
|
||||||
|
|
||||||
ifdef BOARD_ODM_SEPOLICY_DIRS
|
|
||||||
built_odm_cil := $(call intermediates-dir-for,ETC,odm_sepolicy.cil)/odm_sepolicy.cil
|
|
||||||
endif
|
|
||||||
|
|
||||||
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
|
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
|
||||||
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
|
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
|
||||||
built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
|
built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
|
||||||
|
@ -785,12 +768,6 @@ build_policy :=
|
||||||
built_plat_cil :=
|
built_plat_cil :=
|
||||||
built_system_ext_cil :=
|
built_system_ext_cil :=
|
||||||
built_product_cil :=
|
built_product_cil :=
|
||||||
built_pub_vers_cil :=
|
|
||||||
built_plat_mapping_cil :=
|
|
||||||
built_system_ext_mapping_cil :=
|
|
||||||
built_product_mapping_cil :=
|
|
||||||
built_vendor_cil :=
|
|
||||||
built_odm_cil :=
|
|
||||||
built_sepolicy :=
|
built_sepolicy :=
|
||||||
built_sepolicy_neverallows :=
|
built_sepolicy_neverallows :=
|
||||||
built_plat_svc :=
|
built_plat_svc :=
|
||||||
|
@ -798,12 +775,7 @@ built_vendor_svc :=
|
||||||
treble_sysprop_neverallow :=
|
treble_sysprop_neverallow :=
|
||||||
enforce_sysprop_owner :=
|
enforce_sysprop_owner :=
|
||||||
enforce_debugfs_restriction :=
|
enforce_debugfs_restriction :=
|
||||||
mapping_policy :=
|
|
||||||
my_target_arch :=
|
my_target_arch :=
|
||||||
pub_policy.cil :=
|
|
||||||
system_ext_pub_policy.cil :=
|
|
||||||
plat_pub_policy.cil :=
|
|
||||||
reqd_policy_mask.cil :=
|
|
||||||
sepolicy_build_files :=
|
sepolicy_build_files :=
|
||||||
sepolicy_build_cil_workaround_files :=
|
sepolicy_build_cil_workaround_files :=
|
||||||
with_asan :=
|
with_asan :=
|
||||||
|
|
|
@ -125,8 +125,13 @@ func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
|
||||||
b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
|
b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// directories used for compat tests and Treble tests
|
||||||
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
|
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
|
||||||
b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
|
b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
|
||||||
b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
|
b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
|
||||||
|
b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
|
||||||
|
b.srcs[".system_ext_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
|
||||||
|
b.srcs[".product_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
|
||||||
|
b.srcs[".product_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
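Review bot: The four added `findSrcsInDirs` calls join `SystemExtSepolicyPrebuiltApiDir()` and `ProductSepolicyPrebuiltApiDir()` without checking for an empty value. If either returns "" (presumably the case on a board with no partner prebuilt dir), `filepath.Join` ignores the empty element and the lookup becomes the tree-relative `prebuilts/api/<ver>/public` rather than a partner directory. Whether `findSrcsInDirs` tolerates a missing or unrelated directory is not visible in this hunk, so the intent should be explicit rather than depend on that path not existing. The compat-test change elsewhere in this commit references `:se_build_files{.system_ext_public_<ver>}` and `.product_public_<ver>` unconditionally, so the keys still need to be assigned: resolve each directory once, pass no directories when it is empty, and add a comment such as `// empty when the board sets no system_ext prebuilt dir; the tag must still exist for the compat test`. The enclosing function starts above the hunk.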
|
@ -154,6 +154,8 @@ func (f *compatTestModule) createPlatPubVersionedModule(ctx android.LoadHookCont
|
||||||
}, &policyConfProperties{
|
}, &policyConfProperties{
|
||||||
Srcs: []string{
|
Srcs: []string{
|
||||||
fmt.Sprintf(":se_build_files{.plat_public_%s}", ver),
|
fmt.Sprintf(":se_build_files{.plat_public_%s}", ver),
|
||||||
|
fmt.Sprintf(":se_build_files{.system_ext_public_%s}", ver),
|
||||||
|
fmt.Sprintf(":se_build_files{.product_public_%s}", ver),
|
||||||
":se_build_files{.reqd_mask}",
|
":se_build_files{.reqd_mask}",
|
||||||
},
|
},
|
||||||
Installable: proptools.BoolPtr(false),
|
Installable: proptools.BoolPtr(false),
|
||||||
|
|
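Review bot: `createPlatPubVersionedModule` now also pulls in `.system_ext_public_<ver>` and `.product_public_<ver>`, so the module it creates is no longer platform-only and its name no longer says what goes into it. A comment above the `Srcs` list would help, e.g. `// system_ext and product public prebuilts are included so the compat test also covers partner policy; expected to be empty when no partner prebuilt dir is configured`. The second half of that comment is an assumption and should be confirmed against `se_build_files` before it is written down. The function begins and ends outside the hunk.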
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because it is too large
|
@ -1 +0,0 @@
|
||||||
;; empty stub
|
|
File diff suppressed because it is too large
|
@ -1 +0,0 @@
|
||||||
;; empty stub
|
|
File diff suppressed because it is too large
|
@ -1 +0,0 @@
|
||||||
;; empty stub
|
|
File diff suppressed because it is too large
|
@ -1 +0,0 @@
|
||||||
;; empty stub
|
|
|
@ -17,19 +17,11 @@ SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
|
||||||
# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
|
# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
|
||||||
# make file of the product partition.
|
# make file of the product partition.
|
||||||
PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
|
PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
|
||||||
# BOARD_PLAT_PUB_VERSIONED_POLICY - path_to_plat_pub_versioned_of_vendor
|
|
||||||
# plat_pub_versioned.cil should be in
|
|
||||||
# $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version) dir.
|
|
||||||
# plat_pub_versioned.cil should have platform, system_ext and product sepolicies
|
|
||||||
# similar to system/sepolicy/prebuilts/api/$(version/plat_pub_verioned.cil file.
|
|
||||||
# In order to enable treble sepolicy tests for platform, system_ext and product
|
|
||||||
# sepolicies SYSTEM_EXT_PREBUILT_POLICY , PRODUCT_PREBUILT_POLICY and
|
|
||||||
# BOARD_PLAT_PUB_VERSIONED_POLICY should be set.
|
|
||||||
IS_TREBLE_TEST_ENABLED_PARTNER := false
|
IS_TREBLE_TEST_ENABLED_PARTNER := false
|
||||||
ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
|
ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
|
||||||
ifneq (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
|
ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
|
||||||
IS_TREBLE_TEST_ENABLED_PARTNER := true
|
IS_TREBLE_TEST_ENABLED_PARTNER := true
|
||||||
endif # (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
|
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
|
||||||
endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
|
endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
|
||||||
|
|
||||||
include $(BUILD_SYSTEM)/base_rules.mk
|
include $(BUILD_SYSTEM)/base_rules.mk
|
||||||
|
@ -90,14 +82,9 @@ $(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_se
|
||||||
|
|
||||||
$(version)_plat_policy.conf :=
|
$(version)_plat_policy.conf :=
|
||||||
|
|
||||||
# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
|
|
||||||
# targeting the $(version) SELinux release. This ensures that our policy will build
|
|
||||||
# when used on a device that has non-platform policy targetting the $(version) release.
|
|
||||||
$(version)_compat := $(intermediates)/$(version)_compat
|
|
||||||
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
|
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
|
||||||
$(version)_mapping.ignore.cil := \
|
$(version)_mapping.ignore.cil := \
|
||||||
$(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
|
$(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
|
||||||
$(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
|
|
||||||
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
|
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
|
||||||
ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
|
ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
|
||||||
$(version)_mapping.cil += \
|
$(version)_mapping.cil += \
|
||||||
|
@ -111,29 +98,8 @@ $(version)_mapping.cil += \
|
||||||
$(version)_mapping.ignore.cil += \
|
$(version)_mapping.ignore.cil += \
|
||||||
$(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
|
$(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
|
||||||
endif # (,$(PRODUCT_PREBUILT_POLICY))
|
endif # (,$(PRODUCT_PREBUILT_POLICY))
|
||||||
$(version)_prebuilts_dir := $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version)
|
|
||||||
endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
|
endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
|
||||||
|
|
||||||
# vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
|
|
||||||
# nonplat_sepolicy.cil.
|
|
||||||
$(version)_vendor := $($(version)_prebuilts_dir)/vendor_sepolicy.cil \
|
|
||||||
$($(version)_prebuilts_dir)/plat_pub_versioned.cil
|
|
||||||
|
|
||||||
cil_files := $(built_plat_cil)
|
|
||||||
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
|
|
||||||
ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)
|
|
||||||
cil_files += $(built_system_ext_cil)
|
|
||||||
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)
|
|
||||||
ifneq (,$(PRODUCT_PREBUILT_POLICY)
|
|
||||||
cil_files += $(built_product_cil)
|
|
||||||
endif # (,$(PRODUCT_PREBUILT_POLICY)
|
|
||||||
endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
|
|
||||||
cil_files += $($(version)_mapping.cil) $($(version)_vendor)
|
|
||||||
$($(version)_compat): PRIVATE_CIL_FILES := $(cil_files)
|
|
||||||
$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc $(cil_files)
|
|
||||||
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
|
|
||||||
$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
|
|
||||||
|
|
||||||
# $(version)_mapping.combined.cil - a combination of the mapping file used when
|
# $(version)_mapping.combined.cil - a combination of the mapping file used when
|
||||||
# combining the current platform policy with nonplatform policy based on the
|
# combining the current platform policy with nonplatform policy based on the
|
||||||
# $(version) policy release and also a special ignored file that exists purely for
|
# $(version) policy release and also a special ignored file that exists purely for
|
||||||
|
@ -165,7 +131,7 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
|
||||||
$(all_fc_files) $(built_sepolicy) \
|
$(all_fc_files) $(built_sepolicy) \
|
||||||
$(built_sepolicy_files) \
|
$(built_sepolicy_files) \
|
||||||
$(public_cil_files) \
|
$(public_cil_files) \
|
||||||
$(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
|
$(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil)
|
||||||
@mkdir -p $(dir $@)
|
@mkdir -p $(dir $@)
|
||||||
$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
|
$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
|
||||||
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
|
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
|
||||||
|
@ -183,12 +149,9 @@ $(version)_PLAT_PRIVATE_POLICY :=
|
||||||
built_sepolicy_files :=
|
built_sepolicy_files :=
|
||||||
public_cil_files :=
|
public_cil_files :=
|
||||||
cil_files :=
|
cil_files :=
|
||||||
$(version)_compat :=
|
|
||||||
$(version)_mapping.cil :=
|
$(version)_mapping.cil :=
|
||||||
$(version)_mapping.combined.cil :=
|
$(version)_mapping.combined.cil :=
|
||||||
$(version)_mapping.ignore.cil :=
|
$(version)_mapping.ignore.cil :=
|
||||||
$(version)_vendor :=
|
|
||||||
$(version)_prebuilts_dir :=
|
|
||||||
built_$(version)_plat_sepolicy :=
|
built_$(version)_plat_sepolicy :=
|
||||||
version :=
|
version :=
|
||||||
version_under_treble_tests :=
|
version_under_treble_tests :=
|
||||||
|
|
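Review bot: Dropping `$($(version)_compat)` from the prerequisites of `$(LOCAL_BUILT_MODULE)` means nothing in this makefile compiles ToT policy together with the $(version) mapping and versioned public policy any more, so that guarantee now rests entirely on the Soong compat test being built by the same goals that build this module. The removed rule also fed `$(built_system_ext_cil)` and `$(built_product_cil)` to secilc in partner builds, while the Go hunks on this page only add the public prebuilt sources to the versioned module. Whether the Soong test also compiles the ToT system_ext and product CIL cannot be confirmed from here and should be checked before relying on it. Separately, the comment block that told partners how to enable the test was deleted along with `BOARD_PLAT_PUB_VERSIONED_POLICY`, leaving the new condition unexplained; I would add `# Partner Treble tests are enabled when SYSTEM_EXT_PREBUILT_POLICY or PRODUCT_PREBUILT_POLICY is set.` above the `ifneq`.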