Mechanism to exclude neverallows from *TS. am: 77c44fc420
am: 66e7d2b063
Change-Id: Idd27b85bc97a79ff434412cbbeee74082907553d
commit
972e06de59
3 changed files with 18 additions and 3 deletions
@ -769,6 +769,7 @@ $(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
$(transform-policy-to-conf)
|
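Review bot: `$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true` is set only for this (CTS) module, while the consuming line in the definitions.mk hunk, `-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST)`, forwards whatever the target-specific variable holds; for the other sepolicy modules the m4 symbol presumably ends up empty, which `build_test_only` treats as "keep the rules" — the fail-safe direction, but it depends on an unset variable instead of the explicit `PRIVATE_WITH_ASAN := false` style used three lines above, and would trip `--warn-undefined-variables`. Consider adding `$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := false` to the other module rules so the intent is visible. A why-comment would also help here, e.g. `# CTS cannot verify neverallows on expanded attributes; drop build_test_only() rules from this policy.`, since once excluded these rules are checked only when the device policy itself is built. The rule this hunk extends starts outside the hunk.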
@ -10,6 +10,7 @@ $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
$(PRIVATE_TGT_RECOVERY) \
-s $^ > $@
endef
|
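Review bot: The new `-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \` line gives no hint of what consumes the symbol or which value is meaningful; the enclosing `define` starts outside the hunk. Because the m4 invocation is one backslash-continued shell command, a `#` line inside it would be joined into that command and comment out every argument after it, so the note belongs above the `define` instead, e.g. `# target_exclude_build_test: 'true' drops build_test_only() rules; only the CTS policy sets it.`.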
@ -213,10 +213,15 @@ expandattribute hal_$1_client true;
attribute hal_$1_server;
expandattribute hal_$1_server false;
|
neverallow { hal_$1_server -hal_$1 } domain:process fork;
neverallow { hal_$1_server -halserverdomain } domain:process fork;
# hal_*_client and halclientdomain attributes are always expanded for
# performance reasons. Neverallow rules targeting expanded attributes can not be
# verified by CTS since these attributes are already expanded by that time.
build_test_only(`
neverallow { hal_$1_server -hal_$1 } domain:process fork;
neverallow { hal_$1_client -halclientdomain } domain:process fork;
')
')
|
#####################################
# hal_server_domain(domain, hal_type)
|
@ -492,6 +497,12 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target
#
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
|
#####################################
# Build-time-only test
# SELinux rules which are verified during build, but not as part of *TS testing.
#
define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
|
####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
#
|
@ -607,7 +618,9 @@ define(`add_hwservice', `
# Used to pair hal_foo_client with hal_foo_hwservice
define(`hal_attribute_hwservice', `
allow $1_client $2:hwservice_manager find;
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
|
add_hwservice($1_server, $2)
|
build_test_only(`
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
')
')
|
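Review bot: In the `hal_attribute_hwservice` hunk the rule `neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;` is moved into `build_test_only` with no explanation, whereas the `hal_attribute` hunk earlier in this file states the reason (hal_*_client attributes are expanded, so CTS cannot verify rules that target them); the same rationale belongs here, e.g. `# $1_client is an expanded attribute (see hal_attribute); CTS cannot verify this rule.`. Both macro definitions start outside their hunks. In the `hal_attribute` hunk, `neverallow { hal_$1_server -hal_$1 } domain:process fork;` appears both before and inside the `build_test_only(` ... ')` wrapper; this rendering does not show which side each copy is on, but if both survive on the new side the outer copy would still reach CTS and the exclusion for that rule would be ineffective, so that should be confirmed against the raw diff. Also worth recording on the `build_test_only` definition that only the exact value `true` excludes, so a mistyped `target_exclude_build_test` keeps the rules in the CTS policy (a loud CTS failure) rather than silently dropping build-time enforcement.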