From 9eadc832209b308439b7ff5941a3976c42bf9739 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Tue, 25 Jan 2022 21:58:03 +0900 Subject: [PATCH] Implement compat file generator sepolicy_generate_compat is a binary that creates a new compat file when freezing sepolicy API. Suppose that we are adding {ver} compat file, after freezing {ver} sepolicy. Then the workflow would be: 1) copy prebuilts to system/sepolicy/prebuilts/api/{ver} 2) add {ver} to PLATFORM_SEPOLICY_COMPAT_VERSIONS under build/make/core/config.mk 3) touch the following three files - system/sepolicy/private/compat/{ver}/{ver}.cil - system/sepolicy/private/compat/{ver}/{ver}.compat.cil - system/sepolicy/private/compat/{ver}/{ver}.ignore.cil - system/sepolicy/prebuilts/api/{ver}/vendor_sepolicy.cil - system/sepolicy/prebuilts/api/{ver}/plat_pub_versioned.cil * This step is to build base compat files, and won't be needed in the future. 4) add compat module files (won't be needed in the future) - {ver}.cil - {ver}.compat.cil - {ver}.ignore.cil * This step is to build base compat files, and won't be needed in the future. 5) run the following command to update above three files: $ source build/envsetup.sh && lunch aosp_arm64-userdebug $ m sepolicy_generate_compat $ sepolicy_generate_compat --branch=(branch_for_ver) \ --build latest --target-version {ver} \ --latest-version {ver-1} 6) upload build/make and system/sepolicy changes. This script still lacks: - handling of plat_pub_versioned.cil - test cases We will tackle such problems with follow-up changes. Bug: 214336258 Test: manual Change-Id: I21723a0832e5adadae7c22797c5aba867dc0174e --- tools/sepolicy_generate_compat.py | 149 ++++++++++++++++++++++++++++-- 1 file changed, 142 insertions(+), 7 deletions(-) diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py index 317a00e10..17a4d7546 100644 --- a/tools/sepolicy_generate_compat.py +++ b/tools/sepolicy_generate_compat.py @@ -23,11 +23,23 @@ import os import policy import shutil import subprocess +import sys import tempfile import zipfile """This tool generates a mapping file for {ver} core sepolicy.""" temp_dir = '' +compat_cil_template = ";; This file can't be empty.\n" +ignore_cil_template = """;; new_objects - a collection of types that have been introduced that have no +;; analogue in older policy. Thus, we do not need to map these types to +;; previous ones. Add here to pass checkapi tests. +(type new_objects) +(typeattribute new_objects) +(typeattributeset new_objects + ( new_objects + %s + )) +""" def check_run(cmd, cwd=None): @@ -88,12 +100,12 @@ def extract_mapping_file_from_img(img_path, ver, destination='.'): cmd = [ 'debugfs', '-R', - 'cat system/etc/selinux/mapping/%s.cil' % ver, img_path + 'cat system/etc/selinux/mapping/10000.0.cil', img_path ] path = os.path.join(destination, '%s.cil' % ver) with open(path, 'wb') as f: logging.debug('Extracting %s.cil to %s' % (ver, destination)) - f.write(check_output(cmd).stdout) + f.write(check_output(cmd).stdout.replace(b'10000.0',b'33.0').replace(b'10000_0',b'33_0')) return path @@ -156,6 +168,28 @@ def build_base_files(target_version): return base_policy_path, old_policy_path, pub_policy_cil_path +def change_api_level(versioned_type, api_from, api_to): + """ Verifies the API version of versioned_type, and changes it to new API level. + + For example, change_api_level("foo_32_0", "32.0", "31.0") will return + "foo_31_0". + + Args: + versioned_type: string, type with version suffix + api_from: string, api version of versioned_type + api_to: string, new api version for versioned_type + + Returns: + string, a new versioned type + """ + old_suffix = api_from.replace('.', '_') + new_suffix = api_to.replace('.', '_') + if not versioned_type.endswith(old_suffix): + raise ValueError('Version of type %s is different from %s' % + (versioned_type, api_from)) + return versioned_type.removesuffix(old_suffix) + new_suffix + + def get_args(): parser = argparse.ArgumentParser() parser.add_argument( @@ -202,12 +236,10 @@ def main(): build_top = get_android_build_top() sepolicy_path = os.path.join(build_top, 'system', 'sepolicy') - target_compat_path = os.path.join(sepolicy_path, 'private', 'compat', - args.target_version) # Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes - mapping_file = download_mapping_file(args.branch, args.build, - args.target_version) + mapping_file = download_mapping_file( + args.branch, args.build, args.target_version, destination=temp_dir) mapping_file_cil = mini_parser.MiniCilParser(mapping_file) mapping_file_cil.types = set() mapping_file_cil.typeattributes = set() @@ -231,7 +263,110 @@ def main(): logging.info('new types: %s' % new_types) logging.info('removed types: %s' % removed_types) - # TODO: Step 4. Map new types and removed types appropriately + # Step 4. Map new types and removed types appropriately, based on the latest mapping + latest_compat_path = os.path.join(sepolicy_path, 'private', 'compat', + args.latest_version) + latest_mapping_cil = mini_parser.MiniCilParser( + os.path.join(latest_compat_path, args.latest_version + '.cil')) + latest_ignore_cil = mini_parser.MiniCilParser( + os.path.join(latest_compat_path, + args.latest_version + '.ignore.cil')) + + latest_ignored_types = list(latest_ignore_cil.rTypeattributesets.keys()) + latest_removed_types = latest_mapping_cil.types + logging.debug('types ignored in latest policy: %s' % + latest_ignored_types) + logging.debug('types removed in latest policy: %s' % + latest_removed_types) + + target_ignored_types = set() + target_removed_types = set() + invalid_new_types = set() + invalid_mapping_types = set() + invalid_removed_types = set() + + logging.info('starting mapping') + for new_type in new_types: + # Either each new type should be in latest_ignore_cil, or mapped to existing types + if new_type in latest_ignored_types: + logging.debug('adding %s to ignore' % new_type) + target_ignored_types.add(new_type) + elif new_type in latest_mapping_cil.rTypeattributesets: + latest_mapped_types = latest_mapping_cil.rTypeattributesets[ + new_type] + target_mapped_types = {change_api_level(t, args.latest_version, + args.target_version) + for t in latest_mapped_types} + logging.debug('mapping %s to %s' % + (new_type, target_mapped_types)) + + for t in target_mapped_types: + if t not in mapping_file_cil.typeattributesets: + logging.error( + 'Cannot find desired type %s in mapping file' % t) + invalid_mapping_types.add(t) + continue + mapping_file_cil.typeattributesets[t].add(new_type) + else: + logging.error('no mapping information for new type %s' % + new_type) + invalid_new_types.add(new_type) + + for removed_type in removed_types: + # Removed type should be in latest_mapping_cil + if removed_type in latest_removed_types: + logging.debug('adding %s to removed' % removed_type) + target_removed_types.add(removed_type) + else: + logging.error('no mapping information for removed type %s' % + removed_type) + invalid_removed_types.add(removed_type) + + error_msg = '' + + if invalid_new_types: + error_msg += ('The following new types were not in the latest ' + 'mapping: %s\n') % sorted(invalid_new_types) + if invalid_mapping_types: + error_msg += ( + 'The following existing types were not in the ' + 'downloaded mapping file: %s\n') % sorted(invalid_mapping_types) + if invalid_removed_types: + error_msg += ('The following removed types were not in the latest ' + 'mapping: %s\n') % sorted(invalid_removed_types) + + if error_msg: + error_msg += '\n' + error_msg += ('Please make sure the source tree and the build ID is' + ' up to date.\n') + sys.exit(error_msg) + + # Step 5. Write to system/sepolicy/private/compat + target_compat_path = os.path.join(sepolicy_path, 'private', 'compat', + args.target_version) + target_mapping_file = os.path.join(target_compat_path, + args.target_version + '.cil') + target_compat_file = os.path.join(target_compat_path, + args.target_version + '.compat.cil') + target_ignore_file = os.path.join(target_compat_path, + args.target_version + '.ignore.cil') + + with open(target_mapping_file, 'w') as f: + logging.info('writing %s' % target_mapping_file) + if removed_types: + f.write(';; types removed from current policy\n') + f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types))) + f.write('\n\n') + f.write(mapping_file_cil.unparse()) + + with open(target_compat_file, 'w') as f: + logging.info('writing %s' % target_compat_file) + f.write(compat_cil_template) + + with open(target_ignore_file, 'w') as f: + logging.info('writing %s' % target_ignore_file) + f.write(ignore_cil_template % + ('\n '.join(sorted(target_ignored_types)))) finally: logging.info('Deleting temporary dir: {}'.format(temp_dir)) shutil.rmtree(temp_dir)