Split sepolicy_neverallow rule
sepolicy_neverallow is based on a combination of calling checkpolicy followed by sepolicy-analyze. If the first tool fails, the error message associated with the second is returned, which is misleading. Separate both parts of the rule using a new build command. Bug: 175911415 Test: Modify policy to trigger neverallow (checkpolicy); no misleading messages from sepolicy-analyze Change-Id: I5977ced23dee09a28c7df334e4790d212e0db0c1
parent
7423beb1bd
commit
9ebf0c8ecf
1 changed files with 3 additions and 3 deletions
|
@ -152,10 +152,11 @@ func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleCon
|
|||
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
|
||||
FlagWithOutput("-o ", binaryPolicy).
|
||||
Input(checkpolicyConfPath)
|
||||
rule.Build("neverallow_checkpolicy", "Neverallow check: "+ctx.ModuleName())
|
||||
|
||||
// Step 2. Run sepolicy-analyze with the conf file without the build test and binary policy
|
||||
// file from Step 1
|
||||
|
||||
rule = android.NewRuleBuilder(pctx, ctx)
|
||||
msg := `sepolicy-analyze failed. This is most likely due to the use\n` +
|
||||
`of an expanded attribute in a neverallow assertion. Please fix\n` +
|
||||
`the policy.`
|
||||
|
@ -170,9 +171,8 @@ func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleCon
|
|||
Text(`"` + msg + `"`).
|
||||
Text("; exit 1)")
|
||||
|
||||
rule.Temporary(binaryPolicy)
|
||||
rule.Command().Text("touch").Output(n.testTimestamp)
|
||||
rule.Build("neverallow", "Neverallow check: "+ctx.ModuleName())
|
||||
rule.Build("neverallow_sepolicy-analyze", "Neverallow check: "+ctx.ModuleName())
|
||||
}
|
||||
|
||||
func (n *neverallowTestModule) AndroidMkEntries() []android.AndroidMkEntries {
|
||||
|
|
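Review bot: `rule.Temporary(binaryPolicy)` in the second hunk is now attached to the second rule, while binaryPolicy is written by the first rule (`FlagWithOutput("-o ", binaryPolicy)`) and that rule is finalised by the new `rule.Build("neverallow_checkpolicy", ...)` before `rule` is reassigned. If RuleBuilder.Temporary only affects the outputs of the rule it is called on, the call is a no-op here; and if this second rule also deletes its temporaries (the sepolicy-analyze command between the two hunks is not visible), it would remove the first rule's declared output after each run and force the checkpolicy step to rerun on every incremental build. Either drop the line or keep it with a comment explaining the intent, e.g. `// binaryPolicy is produced by the checkpolicy rule above; this rule only reads it`. GenerateAndroidBuildActions starts before the first hunk.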