tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Split mapping file into system and product parts

Browse source 
Both mapping files need to be included when building sepolicy at boot
time.

Bug: 119305624
Test: boot taimen
Test: "cnd" type is declared in /vendor; "dataservice_app" type is
declared in /product. This permission is preserved
"allow cnd dataservice_app:binder { transfer call };"
Change-Id: I138f34208ea05e170defd2b4ef4700ffa81f9573
This commit is contained in:
Tri Vo 2019-01-15 15:16:55 -08:00
parent e68ba59fb3
commit 937e66496d
1 changed files with 91 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

113
Android.mk
View file

@ -103,8 +103,6 @@ $(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DI
endif endif
endif endif
platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
########################################################### ###########################################################
# Compute policy files to be used in policy build. # Compute policy files to be used in policy build.
# $(1): files to include # $(1): files to include
@ -193,7 +191,7 @@ LOCAL_MODULE := selinux_policy_system
# These build targets are not used on non-Treble devices. However, we build these to avoid # These build targets are not used on non-Treble devices. However, we build these to avoid
# divergence between Treble and non-Treble devices. # divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += \ LOCAL_REQUIRED_MODULES += \
$(platform_mapping_file) \ plat_mapping_file \
$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
plat_sepolicy.cil \ plat_sepolicy.cil \
plat_and_mapping_sepolicy.cil.sha256 \ plat_and_mapping_sepolicy.cil.sha256 \
@ -290,6 +288,7 @@ LOCAL_REQUIRED_MODULES += \
product_seapp_contexts \ product_seapp_contexts \
product_service_contexts \ product_service_contexts \
product_mac_permissions.xml \ product_mac_permissions.xml \
product_mapping_file \
endif endif
include $(BUILD_PHONY_PACKAGE) include $(BUILD_PHONY_PACKAGE)
@ -420,6 +419,32 @@ $(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil
pub_policy.conf := pub_policy.conf :=
##################################
plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
$(transform-policy-to-conf)
plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
@mkdir -p $(dir $@)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
plat_pub_policy.conf :=
################################## ##################################
include $(CLEAR_VARS) include $(CLEAR_VARS)
@ -549,22 +574,48 @@ $(LOCAL_BUILT_MODULE) :
################################# #################################
include $(CLEAR_VARS) include $(CLEAR_VARS)
LOCAL_MODULE := $(platform_mapping_file) LOCAL_MODULE := plat_mapping_file
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
include $(BUILD_SYSTEM)/base_rules.mk include $(BUILD_SYSTEM)/base_rules.mk
# TODO(b/119305624): Move product-specific sepolicy out of mapping files.
# auto-generate the mapping file for current platform policy, since it needs to # auto-generate the mapping file for current platform policy, since it needs to
# track platform policy development # track platform policy development
$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy $(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
@mkdir -p $(dir $@) @mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
built_mapping_cil := $(LOCAL_BUILT_MODULE) built_plat_mapping_cil := $(LOCAL_BUILT_MODULE)
#################################
include $(CLEAR_VARS)
ifdef HAS_PRODUCT_SEPOLICY
LOCAL_MODULE := product_mapping_file
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping
include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil)
$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
$(built_plat_mapping_cil)
@mkdir -p $(dir $@)
# Generate product mapping file as mapping file of all public sepolicy minus
# plat_mapping_file.
$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
endif # HAS_PRODUCT_SEPOLICY
################################# #################################
include $(CLEAR_VARS) include $(CLEAR_VARS)
@ -576,7 +627,9 @@ LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil) $(built_product_cil) # TODO(b/119305624): Need one hash for system, one for product.
$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_product_cil) \
$(built_plat_mapping_cil) $(built_product_mapping_cil)
cat $^ | sha256sum | cut -d' ' -f1 > $@ cat $^ | sha256sum | cut -d' ' -f1 > $@
################################# #################################
@ -594,9 +647,11 @@ include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil) $(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil) $(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_product_cil)\
$(built_plat_mapping_cil) $(built_product_mapping_cil)
$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ $(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
$(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_mapping_cil) $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_product_cil) \
$(built_plat_mapping_cil) $(built_product_mapping_cil)
@mkdir -p $(dir $@) @mkdir -p $(dir $@)
$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@ $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
@ -637,11 +692,13 @@ $(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil) $(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) $(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_pub_vers_cil) $(built_mapping_cil) $(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_product_cil)\
$(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_product_mapping_cil)
$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil) $(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
$(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \ $(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
$(built_plat_cil) $(built_pub_vers_cil) $(built_mapping_cil) $(built_plat_cil) $(built_product_cil) $(built_pub_vers_cil) \
$(built_plat_mapping_cil) $(built_product_mapping_cil)
@mkdir -p $(dir $@) @mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
@ -685,12 +742,14 @@ $(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil) $(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) $(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_pub_vers_cil) \ $(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_product_cil) \
$(built_mapping_cil) $(built_vendor_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_product_mapping_cil)\
$(built_vendor_cil)
$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil) $(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
$(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \ $(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
$(built_plat_cil) $(built_pub_vers_cil) $(built_mapping_cil) $(built_vendor_cil) $(built_plat_cil) $(built_product_cil) $(built_pub_vers_cil) \
$(built_plat_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil)
@mkdir -p $(dir $@) @mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
@ -720,12 +779,15 @@ include $(BUILD_SYSTEM)/base_rules.mk
all_cil_files := \ all_cil_files := \
$(built_plat_cil) \ $(built_plat_cil) \
$(built_mapping_cil) \ $(built_plat_mapping_cil) \
$(built_pub_vers_cil) \ $(built_pub_vers_cil) \
$(built_vendor_cil) $(built_vendor_cil)
ifdef HAS_PRODUCT_SEPOLICY ifdef HAS_PRODUCT_SEPOLICY
all_cil_files += $(built_product_cil) all_cil_files += \
$(built_product_cil) \
$(built_product_mapping_cil) \
endif endif
ifdef BOARD_ODM_SEPOLICY_DIRS ifdef BOARD_ODM_SEPOLICY_DIRS
@ -759,8 +821,11 @@ endif
include $(BUILD_SYSTEM)/base_rules.mk include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil) $(built_product_cil) # TODO(b/119305624): Need one hash for system, one for product.
$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil) $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_product_cil) \
$(built_plat_mapping_cil) $(built_product_mapping_cil)
$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_product_cil)\
$(built_plat_mapping_cil) $(built_product_cil)
cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
################################# #################################
@ -776,12 +841,15 @@ include $(BUILD_SYSTEM)/base_rules.mk
all_cil_files := \ all_cil_files := \
$(built_plat_cil) \ $(built_plat_cil) \
$(built_mapping_cil) \ $(built_plat_mapping_cil) \
$(built_pub_vers_cil) \ $(built_pub_vers_cil) \
$(built_vendor_cil) $(built_vendor_cil)
ifdef HAS_PRODUCT_SEPOLICY ifdef HAS_PRODUCT_SEPOLICY
all_cil_files += $(built_product_cil) all_cil_files += \
$(built_product_cil) \
$(built_product_mapping_cil) \
endif endif
ifdef BOARD_ODM_SEPOLICY_DIRS ifdef BOARD_ODM_SEPOLICY_DIRS
@ -1945,7 +2013,8 @@ built_odm_fc :=
built_nl := built_nl :=
built_plat_cil := built_plat_cil :=
built_pub_vers_cil := built_pub_vers_cil :=
built_mapping_cil := built_plat_mapping_cil :=
built_product_mapping_cil :=
built_plat_pc := built_plat_pc :=
built_product_pc := built_product_pc :=
built_vendor_cil := built_vendor_cil :=