From 7629e86053aed5d5d898bff8c94e60b8fbcb6eda Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Wed, 17 Mar 2021 19:07:15 +0900
Subject: [PATCH] Build platform side policy with Soong
This replaces the following policy files with Android.bp modules:
- reqd_policy_mask.cil
- plat_sepolicy.cil
- system_ext_sepolicy.cil
- product_sepolicy.cil
- plat_pub_policy.cil
- system_ext_pub_policy.cil
- pub_policy.cil
- general_sepolicy.conf (for CTS)
Also microdroid's system policy now uses above.
Bug: 33691272
Bug: 178993690
Test: policy files stay same
Test: boot normal device and microdroid, see sepolicy works
Test: build CtsSecurityHostTestCases
Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
---
 Android.bp | 380 ++++++++++++++++++++++++++++-------------------------
 Android.mk | 369 +++------------------------------------------------
 2 files changed, 225 insertions(+), 524 deletions(-)
diff --git a/Android.bp b/Android.bp
index aca6e406e..80da56bc9 100644
--- a/Android.bp
+++ b/Android.bp
@@ -493,137 +493,190 @@ filegroup { ], } -// This is a minimized cil modules to test microdroid. -// TODO(b/178993690): migrate cil files to Android.bp and remove below -filegroup { - name: "microdroid_sepolicy_build_files", +se_build_files { + name: "se_build_files", srcs: [ - // This order is important. Should be identical to sepolicy_build_files in Android.mk - "private/security_classes", - "private/initial_sids", - "private/access_vectors", - "public/global_macros", - "public/neverallow_macros", - "private/mls_macros", - "private/mls_decl", - "private/mls", - "private/policy_capabilities", - "public/te_macros", - "public/attributes", - "private/attributes", - "public/ioctl_defines", - "public/ioctl_macros", - "public/*.te", - "private/*.te", - "private/roles_decl", - "public/roles", - "private/users", - "private/initial_sid_contexts", - "private/fs_use", - "private/genfs_contexts", - "private/port_contexts", + "security_classes", + "initial_sids", + "access_vectors", + "global_macros", + "neverallow_macros", + "mls_macros", + "mls_decl", + "mls", + "policy_capabilities", + "te_macros", + "attributes", + "ioctl_defines", + "ioctl_macros", + "*.te", + "roles_decl", + "roles", + "users", + "initial_sid_contexts", + "fs_use", + "genfs_contexts", + "port_contexts", ], } -filegroup { - name: "microdroid_sepolicy_public_and_reqd_mask_build_files", - srcs: [ - // This order is important. 
Should be identical to sepolicy_build_files in Android.mk - "reqd_mask/security_classes", - "reqd_mask/initial_sids", - "reqd_mask/access_vectors", - "public/global_macros", - "public/neverallow_macros", - "reqd_mask/mls_macros", - "reqd_mask/mls_decl", - "reqd_mask/mls", - "public/te_macros", - "public/attributes", - "public/ioctl_defines", - "public/ioctl_macros", - "public/*.te", - "reqd_mask/*.te", - "reqd_mask/roles_decl", - "public/roles", - "reqd_mask/roles", - "reqd_mask/users", - "reqd_mask/initial_sid_contexts", - ], -} - -filegroup { - name: "microdroid_sepolicy_reqd_mask_build_files", - srcs: [ - // This order is important. Should be identical to sepolicy_build_files in Android.mk - "reqd_mask/security_classes", - "reqd_mask/initial_sids", - "reqd_mask/access_vectors", - "reqd_mask/mls_macros", - "reqd_mask/mls_decl", - "reqd_mask/mls", - "reqd_mask/*.te", - "reqd_mask/roles_decl", - "reqd_mask/roles", - "reqd_mask/users", - "reqd_mask/initial_sid_contexts", - ], -} - -// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch, -// these configurations should be fine to test microdroid on normal devices with full treble. -// The exception is target_arch. But as target_arch is meaningful only on mips, and as we are not -// running microdroid on mips for now, we skip assigning target_arch here. After cil files are fully -// migrated into Soong, these will have correct values. 
-policy_to_conf_flags = "$(location m4) --fatal-warnings " + -"-D mls_num_sens=1 -D mls_num_cats=1024 " + -"-D target_build_variant=userdebug " + -"-D target_with_asan=false " + -"-D target_with_native_coverage=false " + -"-D target_full_treble=true " + -"-D target_compatible_property=true " + -"-D target_treble_sysprop_neverallow=true " + -"-D target_enforce_sysprop_owner=true " - -genrule { - name: "microdroid_plat_sepolicy.cil_gen", - srcs: [":microdroid_sepolicy_build_files"], - tools: ["m4", "checkpolicy"], - out: ["plat_sepolicy.cil"], - cmd: policy_to_conf_flags + - "-s $(locations :microdroid_sepolicy_build_files) > $(out).conf" + - "&& $(location checkpolicy) -M -C -c 30 -o $(out) $(out).conf", - visibility: ["//visibility:private"], -} - -prebuilt_etc { - name: "microdroid_plat_sepolicy.cil", - src: ":microdroid_plat_sepolicy.cil_gen", - filename: "plat_sepolicy.cil", - relative_install_path: "selinux", +// reqd_policy_mask - a policy.conf file which contains only the bare minimum +// policy necessary to use checkpolicy. +// +// This bare-minimum policy needs to be present in all policy.conf files, but +// should not necessarily be exported as part of the public policy. +// +// The rules generated by reqd_policy_mask will allow the compilation of public +// policy and subsequent removal of CIL policy that should not be exported. 
+se_policy_conf { + name: "reqd_policy_mask.conf", + srcs: [":se_build_files{.reqd_mask}"], installable: false, } -genrule { - name: "microdroid_reqd_policy_mask.cil_gen", - srcs: [":microdroid_sepolicy_reqd_mask_build_files"], - tools: ["m4", "checkpolicy"], - out: ["reqd_policy_mask.cil"], - cmd: policy_to_conf_flags + - "-s $(in) > $(out).conf" + - "&& $(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf", - visibility: ["//visibility:private"], +se_policy_cil { + name: "reqd_policy_mask.cil", + src: ":reqd_policy_mask.conf", + secilc_check: false, + installable: false, } +// pub_policy - policy that will be exported to be a part of non-platform +// policy corresponding to this platform version. +// +// This is a limited subset of policy that would not compile in checkpolicy on +// its own. +// +// To get around this limitation, add only the required files from private +// policy, which will generate CIL policy that will then be filtered out by the +// reqd_policy_mask. +// +// There are three pub_policy.cil files below: +// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy. +// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy. +// - plat_pub_policy.cil: exported 'system' policy. +// +// Those above files will in turn be used to generate the following versioned cil files: +// - product_mapping_file: the versioned, exported 'product' policy in product partition. +// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition. +// - plat_mapping_file: the versioned, exported 'system' policy in system partition. +// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy +// in vendor partition. 
+// +se_policy_conf { + name: "pub_policy.conf", + srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext + installable: false, +} + +se_policy_cil { + name: "pub_policy.cil", + src: ":pub_policy.conf", + filter_out: [":reqd_policy_mask.cil"], + secilc_check: false, + installable: false, +} + +se_policy_conf { + name: "system_ext_pub_policy.conf", + srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system + installable: false, +} + +se_policy_cil { + name: "system_ext_pub_policy.cil", + src: ":system_ext_pub_policy.conf", + filter_out: [":reqd_policy_mask.cil"], + secilc_check: false, + installable: false, +} + +se_policy_conf { + name: "plat_pub_policy.conf", + srcs: [":se_build_files{.plat_public}"], + installable: false, +} + +se_policy_cil { + name: "plat_pub_policy.cil", + src: ":plat_pub_policy.conf", + filter_out: [":reqd_policy_mask.cil"], + secilc_check: false, + installable: false, +} + +// plat_policy.conf - A combination of the private and public platform policy +// which will ship with the device. +// +// The platform will always reflect the most recent platform version and is not +// currently being attributized. +se_policy_conf { + name: "plat_sepolicy.conf", + srcs: [":se_build_files{.plat}"], + installable: false, +} + +se_policy_cil { + name: "plat_sepolicy.cil", + src: ":plat_sepolicy.conf", + additional_cil_files: ["private/technical_debt.cil"], +} + +// system_ext_policy.conf - A combination of the private and public system_ext +// policy which will ship with the device. 
System_ext policy is not attributized +se_policy_conf { + name: "system_ext_sepolicy.conf", + srcs: [":se_build_files{.system_ext}"], + installable: false, +} + +se_policy_cil { + name: "system_ext_sepolicy.cil", + src: ":system_ext_sepolicy.conf", + system_ext_specific: true, + filter_out: [":plat_sepolicy.cil"], + remove_line_marker: true, +} + +// product_policy.conf - A combination of the private and public product policy +// which will ship with the device. Product policy is not attributized +se_policy_conf { + name: "product_sepolicy.conf", + srcs: [":se_build_files{.product}"], + installable: false, +} + +se_policy_cil { + name: "product_sepolicy.cil", + src: ":product_sepolicy.conf", + product_specific: true, + filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"], + remove_line_marker: true, +} + +////////////////////////////////// +// SELinux policy embedded into CTS. +// CTS checks neverallow rules of this policy against the policy of the device under test. +////////////////////////////////// +se_policy_conf { + name: "general_sepolicy.conf", + srcs: [":se_build_files{.plat}"], + build_variant: "user", + cts: true, + exclude_build_test: true, +} + +////////////////////////////////// +// modules for microdroid +// TODO(b/178993690): migrate Android.mk to Android.bp and remove below +////////////////////////////////// genrule { name: "microdroid_plat_mapping_file_gen", - srcs: [":microdroid_sepolicy_public_and_reqd_mask_build_files", ":microdroid_reqd_policy_mask.cil_gen"], - tools: ["m4", "checkpolicy", "build_sepolicy", "version_policy"], + srcs: [":plat_pub_policy.cil", ":reqd_policy_mask.cil"], + tools: ["build_sepolicy", "version_policy"], out: ["10000.0.cil"], - cmd: policy_to_conf_flags + - "-s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf" + - "&& $(location checkpolicy) -M -C -c 30 -o $(out).pub $(out).conf" + - "&& $(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) 
-t $(out).pub" + - "&& $(location version_policy) -b $(out).pub -m -n 10000.0 -o $(out)", + cmd: "$(location build_sepolicy) filter_out -f $(location :reqd_policy_mask.cil) -t $(location :plat_pub_policy.cil)" + + "&& $(location version_policy) -b $(location :plat_pub_policy.cil) -m -n 10000.0 -o $(out)", visibility: ["//visibility:private"], } 
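Review bot: In `microdroid_plat_mapping_file_gen` the new `cmd` runs `build_sepolicy filter_out ... -t $(location :plat_pub_policy.cil)`, so the genrule rewrites a file owned by another module, where the removed command used a scratch file (`-t $(out).pub`). In the recipes this commit removes, `-t` is always given the file that was just generated, which suggests it is modified in place. The same `plat_pub_policy.cil` is also read by `microdroid_plat_pub_versioned.cil_gen` and by Android.mk, so the policy text could depend on build ordering, or the step could fail if inputs are read-only. The `plat_pub_policy.cil` module added earlier in this hunk already declares `filter_out: [":reqd_policy_mask.cil"]`, so the step looks redundant. I would reduce the command to `cmd: "$(location version_policy) -b $(location :plat_pub_policy.cil) -m -n 10000.0 -o $(out)",` and drop `build_sepolicy` from `tools` and `:reqd_policy_mask.cil` from `srcs`.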
@@ -635,34 +688,29 @@ prebuilt_etc { installable: false, } -/////////////////////////////////////////////////////////////////// -genrule { - name: "microdroid_pub_policy.cil_gen", - srcs: [ - ":microdroid_sepolicy_public_and_reqd_mask_build_files", - ":microdroid_reqd_policy_mask.cil_gen", - ], - tools: ["m4", "checkpolicy", "build_sepolicy"], - out: ["pub_policy.cil"], - cmd: policy_to_conf_flags + " -s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf && " + - "$(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf && " + - "$(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out)", - visibility: ["//visibility:private"], -} - +// Normally plat_pub_versioned.cil is built from pub_policy.cil (including system_ext and product). +// But microdroid only has system, so its plat_pub_versioned.cil uses plat_pub_policy.cil. genrule { name: "microdroid_plat_pub_versioned.cil_gen", - srcs: [":microdroid_pub_policy.cil_gen"], + srcs: [":plat_pub_policy.cil"], tools: ["version_policy"], out: ["plat_pub_versioned.cil"], cmd: "$(location version_policy) " + - "-b $(location :microdroid_pub_policy.cil_gen) " + - "-t $(location :microdroid_pub_policy.cil_gen) " + + "-b $(location :plat_pub_policy.cil) " + + "-t $(location :plat_pub_policy.cil) " + "-n 10000.0 " + "-o $(out)", visibility: ["//visibility:private"], } +prebuilt_etc { + name: "microdroid_plat_pub_versioned.cil", + src: ":microdroid_plat_pub_versioned.cil_gen", + filename: "plat_pub_versioned.cil", + relative_install_path: "selinux", + installable: false, +} + filegroup { name: "microdroid_vendor_sepolicy_build_files", srcs: [ 
@@ -689,13 +737,28 @@ filegroup { ], } +// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch, +// these configurations should be fine to test microdroid on normal devices with full treble. +// The exception is target_arch. But as target_arch is meaningful only on mips, and as we are not +// running microdroid on mips for now, we skip assigning target_arch here. After cil files are fully +// migrated into Soong, these will have correct values. +policy_to_conf_flags = "$(location m4) --fatal-warnings " + +"-D mls_num_sens=1 -D mls_num_cats=1024 " + +"-D target_build_variant=userdebug " + +"-D target_with_asan=false " + +"-D target_with_native_coverage=false " + +"-D target_full_treble=true " + +"-D target_compatible_property=true " + +"-D target_treble_sysprop_neverallow=true " + +"-D target_enforce_sysprop_owner=true " + genrule { name: "microdroid_vendor_sepolicy.cil_gen", srcs: [ ":microdroid_vendor_sepolicy_build_files", ":microdroid_plat_pub_versioned.cil_gen", - ":microdroid_pub_policy.cil_gen", - ":microdroid_reqd_policy_mask.cil_gen", + ":pub_policy.cil", + ":reqd_policy_mask.cil", ], tools: [ "m4", @@ -711,9 +774,9 @@ genrule { "build_cil " + "--input_policy_conf $(out).conf " + "--checkpolicy_env ASAN_OPTIONS=detect_leaks=0 " + - "--base_policy $(location :microdroid_pub_policy.cil_gen) " + + "--base_policy $(location :pub_policy.cil) " + "--filter_out_files $(location :microdroid_plat_pub_versioned.cil_gen) " + - "--reqd_mask $(location :microdroid_reqd_policy_mask.cil_gen) " + + "--reqd_mask $(location :reqd_policy_mask.cil) " + "--treble_sepolicy_vers 10000.0 " + "--policy_vers 30 " + "--output_cil $(out)", 
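Review bot: The re-added `policy_to_conf_flags` pins `-D target_build_variant=userdebug` for the microdroid vendor policy, while the platform inputs now listed in this genrule's `srcs` (`:pub_policy.cil`, `:reqd_policy_mask.cil`) come from `se_policy_conf` modules that set no variant in this file. Those modules presumably follow the product configuration, since only `general_sepolicy.conf` pins `build_variant`. On a user build that would preprocess vendor rules as userdebug against user platform policy. The existing comment hints at this but does not name the mismatch. I would extend it with `// NOTE: target_build_variant is forced to userdebug here, unlike the platform policy modules above; revisit before this policy is used on user builds.` The genrule body continues outside this hunk.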
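Review bot: `--base_policy` now points at `:pub_policy.cil`, which per the comments in this file includes exported system_ext and product policy, while `--filter_out_files` still takes `microdroid_plat_pub_versioned.cil_gen`, which this commit builds from `:plat_pub_policy.cil` only. If a product defines public system_ext or product policy, the two inputs no longer describe the same set of types and attributes. The filtered vendor CIL may then keep declarations that microdroid's platform policy does not carry, though that depends on `build_cil` behaviour not shown here. To stay consistent with the "microdroid only has system" comment, I would use `"--base_policy $(location :plat_pub_policy.cil) " +` and list `":plat_pub_policy.cil"` in `srcs` in place of `":pub_policy.cil"`. The genrule starts above this hunk and its `srcs` change sits in the previous hunk.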
@@ -727,38 +790,3 @@ prebuilt_etc {
 relative_install_path: "selinux",
 installable: false,
 }
-
-prebuilt_etc {
- name: "microdroid_plat_pub_versioned.cil",
- src: ":microdroid_plat_pub_versioned.cil_gen",
- filename: "plat_pub_versioned.cil",
- relative_install_path: "selinux",
- installable: false,
-}
-
-se_build_files {
- name: "se_build_files",
- srcs: [
- "security_classes",
- "initial_sids",
- "access_vectors",
- "global_macros",
- "neverallow_macros",
- "mls_macros",
- "mls_decl",
- "mls",
- "policy_capabilities",
- "te_macros",
- "attributes",
- "ioctl_defines",
- "ioctl_macros",
- "*.te",
- "roles_decl",
- "roles",
- "users",
- "initial_sid_contexts",
- "fs_use",
- "genfs_contexts",
- "port_contexts",
- ],
-}
diff --git a/Android.mk b/Android.mk
index 77513a0b0..7c4ddbe33 100644
--- a/Android.mk
+++ b/Android.mk
@@ -741,209 +741,36 @@ built_sepolicy_neverallows += $(LOCAL_BUILT_MODULE) endif # ifeq ($(mixed_sepolicy_build),true) ################################## -# reqd_policy_mask - a policy.conf file which contains only the bare minimum -# policy necessary to use checkpolicy. This bare-minimum policy needs to be -# present in all policy.conf files, but should not necessarily be exported as -# part of the public policy. The rules generated by reqd_policy_mask will allow -# the compilation of public policy and subsequent removal of CIL policy that -# should not be exported. - -policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY)) -reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf -$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS) -$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) -$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch) -$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) -$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) -$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) -$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) -$(reqd_policy_mask.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) -$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files) -$(reqd_policy_mask.conf): $(policy_files) $(M4) - $(transform-policy-to-conf) -# b/37755687 -CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0 - -reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil -$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy - @mkdir -p $(dir $@) - $(hide) 
$(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \ - $(POLICYVERS) -o $@ $< - -reqd_policy_mask.conf := +# plat policy files are now built with Android.bp. Grab them from intermediate. +# See Android.bp for details of plat policy files. +# +reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil) -################################## -# pub_policy - policy that will be exported to be a part of non-platform -# policy corresponding to this platform version. This is a limited subset of -# policy that would not compile in checkpolicy on its own. To get around this -# limitation, add only the required files from private policy, which will -# generate CIL policy that will then be filtered out by the reqd_policy_mask. -# -# There are three pub_policy.cil files below: -# - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy. -# - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy. -# - plat_pub_policy.cil: exported 'system' policy. -# -# Those above files will in turn be used to generate the following versioned cil files: -# - product_mapping_file: the versioned, exported 'product' policy in product partition. -# - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition. -# - plat_mapping_file: the versioned, exported 'system' policy in system partition. -# - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' -# policy in vendor partition. 
-# -policy_files := $(call build_policy, $(sepolicy_build_files), \ - $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) -pub_policy.conf := $(intermediates)/pub_policy.conf -$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) -$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) -$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) -$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) -$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) -$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) -$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) -$(pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) -$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) -$(pub_policy.conf): $(policy_files) $(M4) - $(transform-policy-to-conf) -pub_policy.cil := $(intermediates)/pub_policy.cil -$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf) -$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) -$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ -$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil) - @mkdir -p $(dir $@) - $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) - $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ - -f $(PRIVATE_REQD_MASK) -t $@ - +pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil) -pub_policy.conf := - -################################## -policy_files := $(call build_policy, $(sepolicy_build_files), \ - $(PLAT_PUBLIC_POLICY) 
$(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) -system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf -$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) -$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) -$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) -$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) -$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) -$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) -$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) -$(system_ext_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) -$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) -$(system_ext_pub_policy.conf): $(policy_files) $(M4) - $(transform-policy-to-conf) - -system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil -$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf) -$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) -$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ -$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil) - @mkdir -p $(dir $@) - $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) - $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ - -f $(PRIVATE_REQD_MASK) -t $@ - +system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := 
$(system_ext_pub_policy.cil) -system_ext_pub_policy.conf := - -################################## -policy_files := $(call build_policy, $(sepolicy_build_files), \ - $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) -plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf -$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) -$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) -$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) -$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) -$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) -$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) -$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) -$(plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) -$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) -$(plat_pub_policy.conf): $(policy_files) $(M4) - $(transform-policy-to-conf) - -plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil -$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf) -$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) -$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ -$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil) - @mkdir -p $(dir $@) - $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) - $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ - -f $(PRIVATE_REQD_MASK) -t $@ - +plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := 
$(plat_pub_policy.cil) -plat_pub_policy.conf := - -################################# -include $(CLEAR_VARS) - -LOCAL_MODULE := plat_sepolicy.cil -LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered -LOCAL_LICENSE_CONDITIONS := notice unencumbered -LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux - -include $(BUILD_SYSTEM)/base_rules.mk - -# plat_policy.conf - A combination of the private and public platform policy -# which will ship with the device. The platform will always reflect the most -# recent platform version and is not currently being attributized. -policy_files := $(call build_policy, $(sepolicy_build_files), \ - $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) -plat_policy.conf := $(intermediates)/plat_policy.conf -$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) -$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) -$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) -$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) -$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) -$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) -$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) -$(plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) -$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) -$(plat_policy.conf): $(policy_files) $(M4) - $(transform-policy-to-conf) - $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit - -$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \ - $(call build_policy, $(sepolicy_build_cil_workaround_files), 
$(PLAT_PRIVATE_POLICY)) -$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) -$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ - $(HOST_OUT_EXECUTABLES)/secilc \ - $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ - $(built_sepolicy_neverallows) - @mkdir -p $(dir $@) - $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ - $(POLICYVERS) -o $@.tmp $< - $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp - $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null - $(hide) mv $@.tmp $@ - -built_plat_cil := $(LOCAL_BUILT_MODULE) +built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil) -plat_policy.conf := + +ifdef HAS_SYSTEM_EXT_SEPOLICY +built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil +built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil) +endif # ifdef HAS_SYSTEM_EXT_SEPOLICY + +ifdef HAS_PRODUCT_SEPOLICY +built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil +built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil) +endif # ifdef HAS_PRODUCT_SEPOLICY + +# b/37755687 +CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0 ################################# include $(CLEAR_VARS) 
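Review bot: The new assignments such as `built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil` only name a path, so two safeguards from the removed `plat_sepolicy.cil` recipe are no longer visible on the Make side. These are the `secilc ... $(PRIVATE_NEVERALLOW_ARG)` compile check and the `$(built_sepolicy_neverallows)` prerequisite. This hunk does not show whether `se_policy_cil` applies the same neverallow argument, or whether another target still forces `$(built_sepolicy_neverallows)` to build. The removed recipes also wrote `$@.dontaudit` files, and any remaining consumer of those would need checking. Once confirmed, I would record it in the added comment, for example `# neverallow compile checks for these files now run in the se_policy_cil modules (see secilc_check in Android.bp); they no longer depend on $(built_sepolicy_neverallows).`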
@@ -997,128 +824,6 @@ userdebug_plat_policy.conf := ################################# include $(CLEAR_VARS) -ifdef HAS_SYSTEM_EXT_SEPOLICY -LOCAL_MODULE := system_ext_sepolicy.cil -LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered -LOCAL_LICENSE_CONDITIONS := notice unencumbered -LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux - -include $(BUILD_SYSTEM)/base_rules.mk - -# system_ext_policy.conf - A combination of the private and public system_ext policy -# which will ship with the device. System_ext policy is not attributized. -policy_files := $(call build_policy, $(sepolicy_build_files), \ - $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ - $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY)) -system_ext_policy.conf := $(intermediates)/system_ext_policy.conf -$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) -$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) -$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) -$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) -$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) -$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) -$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) -$(system_ext_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) -$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) -$(system_ext_policy.conf): $(policy_files) $(M4) - $(transform-policy-to-conf) - $(hide) sed '/dontaudit/d' $@ > $@.dontaudit - -$(LOCAL_BUILT_MODULE): 
PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) -$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil) -$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ -$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) - @mkdir -p $(dir $@) - $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ - $(POLICYVERS) -o $@ $< - $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ - -f $(PRIVATE_PLAT_CIL) -t $@ - # Line markers (denoted by ;;) are malformed after above cmd. They are only - # used for debugging, so we remove them. - $(hide) grep -v ';;' $@ > $@.tmp - $(hide) mv $@.tmp $@ - # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the - # latter doesn't accidentally depend on vendor/odm policies. - $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \ - $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null - - -built_system_ext_cil := $(LOCAL_BUILT_MODULE) -built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil) -system_ext_policy.conf := -endif # ifdef HAS_SYSTEM_EXT_SEPOLICY - -################################# -include $(CLEAR_VARS) - -ifdef HAS_PRODUCT_SEPOLICY -LOCAL_MODULE := product_sepolicy.cil -LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered -LOCAL_LICENSE_CONDITIONS := notice unencumbered -LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux - -include $(BUILD_SYSTEM)/base_rules.mk - -# product_policy.conf - A combination of the private and public product policy -# which will ship with the device. Product policy is not attributized. 
-policy_files := $(call build_policy, $(sepolicy_build_files), \ - $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ - $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ - $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)) -product_policy.conf := $(intermediates)/product_policy.conf -$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) -$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) -$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) -$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) -$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) -$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) -$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) -$(product_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) -$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) -$(product_policy.conf): $(policy_files) $(M4) - $(transform-policy-to-conf) - $(hide) sed '/dontaudit/d' $@ > $@.dontaudit - -$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) -$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) -$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ -$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \ -$(built_plat_cil) $(built_system_ext_cil) - @mkdir -p $(dir $@) - $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ - $(POLICYVERS) -o $@ $< - $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ - -f $(PRIVATE_PLAT_CIL_FILES) -t $@ - # Line markers (denoted by ;;) are malformed after above cmd. 
They are only - # used for debugging, so we remove them. - $(hide) grep -v ';;' $@ > $@.tmp - $(hide) mv $@.tmp $@ - # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to - # make sure that the latter doesn't accidentally depend on vendor/odm policies. - $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \ - $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null - - -built_product_cil := $(LOCAL_BUILT_MODULE) -built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil) -product_policy.conf := -endif # ifdef HAS_PRODUCT_SEPOLICY - -################################# -include $(CLEAR_VARS) - LOCAL_MODULE := plat_sepolicy_vers.txt LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered LOCAL_LICENSE_CONDITIONS := notice unencumbered 
@@ -1687,38 +1392,6 @@ $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpo sepolicy.recovery.conf := -################################## -# SELinux policy embedded into CTS. -# CTS checks neverallow rules of this policy against the policy of the device under test. -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := general_sepolicy.conf -LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered -LOCAL_LICENSE_CONDITIONS := notice unencumbered -LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := tests - -include $(BUILD_SYSTEM)/base_rules.mk - -policy_files := $(call build_policy, $(sepolicy_build_files), \ - $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) -$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS) -$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS) -$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user -$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch) -$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false -$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts -$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts -$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts -$(LOCAL_BUILT_MODULE): PRIVATE_ENFORCE_SYSPROP_OWNER := cts -$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true -$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files) -$(LOCAL_BUILT_MODULE): $(policy_files) $(M4) - $(transform-policy-to-conf) - $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit - ################################## # TODO - remove this. Keep around until we get the filesystem creation stuff taken care of. #