From 9ebf0c8ecfd03b0e00b8878f776ab35be5de9e80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Tue, 25 Jan 2022 21:07:00 +1100
Subject: [PATCH] Split sepolicy_neverallow rule
sepolicy_neverallow is based on a combination of calling checkpolicy followed by sepolicy-analyze. If the first tool fails, the error message associated with the second is returned, which is misleading. Separate both part of the rule using a new build command.
Bug: 175911415
Test: Modify policy to trigger neverallow (checkpolicy); no misleading messages from sepolicy-analyze
Change-Id: I5977ced23dee09a28c7df334e4790d212e0db0c1
---
 build/soong/sepolicy_neverallow.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index 119e477bd..98dd3cf03 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -152,10 +152,11 @@ func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleCon
 FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
 FlagWithOutput("-o ", binaryPolicy).
 Input(checkpolicyConfPath)
+ rule.Build("neverallow_checkpolicy", "Neverallow check: "+ctx.ModuleName())
 // Step 2. Run sepolicy-analyze with the conf file without the build test and binary policy
 // file from Step 1
-
+ rule = android.NewRuleBuilder(pctx, ctx)
 msg := `sepolicy-analyze failed. This is most likely due to the use\n` +
 `of an expanded attribute in a neverallow assertion. Please fix\n` +
 `the policy.`
@@ -170,9 +171,8 @@ func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleCon
 Text(`"` + msg + `"`).
 Text("; exit 1)")
- rule.Temporary(binaryPolicy)
 rule.Command().Text("touch").Output(n.testTimestamp)
- rule.Build("neverallow", "Neverallow check: "+ctx.ModuleName())
+ rule.Build("neverallow_sepolicy-analyze", "Neverallow check: "+ctx.ModuleName())
 }
 func (n *neverallowTestModule) AndroidMkEntries() []android.AndroidMkEntries {
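Review bot: The added `rule.Build("neverallow_checkpolicy", ...)` call uses the same description text, `"Neverallow check: "+ctx.ModuleName()`, as the second `rule.Build` at the end of the function, so the build output still does not say which tool a failing neverallow check came from. Giving each step its own description, e.g. `rule.Build("neverallow_checkpolicy", "Neverallow check (checkpolicy): "+ctx.ModuleName())` with a matching `(sepolicy-analyze)` text on the later call, would make a policy violation attributable at a glance. A short comment above the call, such as `// Built as its own rule so a checkpolicy failure is not reported with the sepolicy-analyze message below.`, would record why the rule is split. The function body starts and ends outside this hunk.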
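Review bot: With `rule.Temporary(binaryPolicy)` removed and the two steps built as separate rules, the ordering between checkpolicy and sepolicy-analyze now depends entirely on the second rule declaring `binaryPolicy` as an input, and the sepolicy-analyze command's arguments are outside this hunk. If the path is passed there as plain text rather than through `Input(binaryPolicy)` or `FlagWithInput`, the `touch` of `n.testTimestamp` could presumably complete without the checkpolicy neverallow pass having run, so the dependency is worth confirming. A comment next to the `touch` command, e.g. `// testTimestamp is only valid if this rule depends on binaryPolicy from the checkpolicy rule.`, would keep that invariant visible. The binary policy also becomes a retained build output instead of a temporary, which looks intended but is not stated in the commit message.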