Merge changes I9deb367b,I8c88622e,I18747dc6,I4e94db4a am: 8cd5d0b899

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2261556

Change-Id: I8a296f33ea9b1d75bb339b389385afa572b1cd91
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Treehugger Robot 2022-10-20 04:42:47 +00:00 committed by Automerger Merge Worker
commit dddcfee197
2 changed files with 140 additions and 19 deletions


@ -188,7 +188,6 @@ se_cil_compat_map {
name: "plat_33.0.cil",
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.plat_private}"],
// top_half: "plat_34.0.cil",
}
se_cil_compat_map {
@ -235,7 +234,6 @@ se_cil_compat_map {
name: "system_ext_33.0.cil",
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.system_ext_private}"],
// top_half: "system_ext_34.0.cil",
system_ext_specific: true,
}
@ -283,7 +281,6 @@ se_cil_compat_map {
name: "product_33.0.cil",
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.product_private}"],
// top_half: "product_34.0.cil",
product_specific: true,
}
@ -320,7 +317,6 @@ se_cil_compat_map {
se_cil_compat_map {
name: "33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.plat_private}"],
// top_half: "34.0.ignore.cil",
}
se_cil_compat_map {
@ -347,7 +343,6 @@ se_cil_compat_map {
se_cil_compat_map {
name: "system_ext_33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.system_ext_private}"],
// top_half: "system_ext_34.0.ignore.cil",
system_ext_specific: true,
}
@ -375,7 +370,6 @@ se_cil_compat_map {
se_cil_compat_map {
name: "product_33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.product_private}"],
// top_half: "product_34.0.ignore.cil",
product_specific: true,
}


@ -14,8 +14,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
from pathlib import Path
import argparse
import distutils.ccompiler
import glob
import logging
import mini_parser
@ -41,6 +41,7 @@ ignore_cil_template = """;; new_objects - a collection of types that have been i
))
"""
SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
def check_run(cmd, cwd=None):
if cwd:
@ -105,7 +106,7 @@ def extract_mapping_file_from_img(img_path, ver, destination='.'):
path = os.path.join(destination, '%s.cil' % ver)
with open(path, 'wb') as f:
logging.debug('Extracting %s.cil to %s' % (ver, destination))
f.write(check_output(cmd).stdout.replace(b'10000.0',b'33.0').replace(b'10000_0',b'33_0'))
f.write(check_output(cmd).stdout.replace(b'10000_0', ver.replace('.', '_').encode()))
return path
@ -190,6 +191,122 @@ def change_api_level(versioned_type, api_from, api_to):
return versioned_type.removesuffix(old_suffix) + new_suffix
def create_target_compat_modules(bp_path, target_ver):
""" Creates compat modules to Android.bp.
Args:
bp_path: string, path to Android.bp
target_ver: string, api version to generate
"""
module_template = """
se_build_files {{
name: "{ver}.board.compat.map",
srcs: ["compat/{ver}/{ver}.cil"],
}}
se_build_files {{
name: "{ver}.board.compat.cil",
srcs: ["compat/{ver}/{ver}.compat.cil"],
}}
se_build_files {{
name: "{ver}.board.ignore.map",
srcs: ["compat/{ver}/{ver}.ignore.cil"],
}}
se_cil_compat_map {{
name: "plat_{ver}.cil",
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.plat_private}}"],
}}
se_cil_compat_map {{
name: "system_ext_{ver}.cil",
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.system_ext_private}}"],
system_ext_specific: true,
}}
se_cil_compat_map {{
name: "product_{ver}.cil",
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.product_private}}"],
product_specific: true,
}}
se_cil_compat_map {{
name: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.plat_private}}"],
}}
se_cil_compat_map {{
name: "system_ext_{ver}.ignore.cil",
stem: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.system_ext_private}}"],
system_ext_specific: true,
}}
se_cil_compat_map {{
name: "product_{ver}.ignore.cil",
stem: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.product_private}}"],
product_specific: true,
}}
se_compat_cil {{
name: "{ver}.compat.cil",
srcs: [":{ver}.board.compat.cil{{.plat_private}}"],
}}
se_compat_cil {{
name: "system_ext_{ver}.compat.cil",
stem: "{ver}.compat.cil",
srcs: [":{ver}.board.compat.cil{{.system_ext_private}}"],
system_ext_specific: true,
}}
"""
with open(bp_path, 'a') as f:
f.write(module_template.format(ver=target_ver))
def patch_top_half_of_latest_compat_modules(bp_path, latest_ver, target_ver):
""" Adds top_half property to latest compat modules in Android.bp.
Args:
bp_path: string, path to Android.bp
latest_ver: string, previous api version
target_ver: string, api version to generate
"""
modules_to_patch = [
"plat_{ver}.cil",
"system_ext_{ver}.cil",
"product_{ver}.cil",
"{ver}.ignore.cil",
"system_ext_{ver}.ignore.cil",
"product_{ver}.ignore.cil",
]
for module in modules_to_patch:
# set latest_ver module's top_half property to target_ver
# e.g.
#
# se_cil_compat_map {
# name: "plat_33.0.cil",
# top_half: "plat_34.0.cil", <== this
# ...
# }
check_run([
"bpmodify",
"-m", module.format(ver=latest_ver),
"-property", "top_half",
"-str", module.format(ver=target_ver),
"-w",
bp_path
])
def get_args():
parser = argparse.ArgumentParser()
parser.add_argument(
@ -227,8 +344,7 @@ def main():
try:
libpath = os.path.join(
os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' +
distutils.ccompiler.new_compiler().shared_lib_extension)
os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' + SHARED_LIB_EXTENSION)
if not os.path.exists(libpath):
sys.exit(
'Error: libsepolwrap does not exist. Is this binary corrupted?\n'
@ -237,6 +353,26 @@ def main():
build_top = get_android_build_top()
sepolicy_path = os.path.join(build_top, 'system', 'sepolicy')
# Step 0. Create a placeholder files and compat modules
# These are needed to build base policy files below.
compat_bp_path = os.path.join(sepolicy_path, 'compat', 'Android.bp')
create_target_compat_modules(compat_bp_path, args.target_version)
patch_top_half_of_latest_compat_modules(compat_bp_path, args.latest_version,
args.target_version)
target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
args.target_version)
target_mapping_file = os.path.join(target_compat_path,
args.target_version + '.cil')
target_compat_file = os.path.join(target_compat_path,
args.target_version + '.compat.cil')
target_ignore_file = os.path.join(target_compat_path,
args.target_version + '.ignore.cil')
Path(target_compat_path).mkdir(parents=True, exist_ok=True)
Path(target_mapping_file).touch()
Path(target_compat_file).touch()
Path(target_ignore_file).touch()
# Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes
mapping_file = download_mapping_file(
args.branch, args.build, args.target_version, destination=temp_dir)
@ -342,15 +478,6 @@ def main():
sys.exit(error_msg)
# Step 5. Write to system/sepolicy/private/compat
target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
args.target_version)
target_mapping_file = os.path.join(target_compat_path,
args.target_version + '.cil')
target_compat_file = os.path.join(target_compat_path,
args.target_version + '.compat.cil')
target_ignore_file = os.path.join(target_compat_path,
args.target_version + '.ignore.cil')
with open(target_mapping_file, 'w') as f:
logging.info('writing %s' % target_mapping_file)
if removed_types:
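Review bot: `create_target_compat_modules` appends the whole module template with `open(bp_path, 'a')` unconditionally, and Step 0 in `main()` runs it (plus the `bpmodify` patch and the three `Path(...).touch()` placeholders) before the download and the later steps that can `sys.exit`. A failed or repeated run therefore leaves duplicate `{ver}` module definitions in Android.bp and empty `.cil` placeholders under `private/compat/<target_version>`, which could be mistaken for generated policy. Consider skipping the append when `name: "plat_{ver}.cil"` is already present in the file, and removing the placeholders on the failure path. `target_ver` also reaches the Blueprint text and the directory path exactly as typed on the command line, so a format check before Step 0, for example `if not re.fullmatch(r'\d+\.\d+', args.target_version): sys.exit('invalid target version')` (assuming `re` is available in this file), would keep quotes and path separators out of both. Separately, the rewritten line in `extract_mapping_file_from_img` appears to replace only `10000_0` and no longer the dotted `10000.0` form, which is worth confirming as intended; `main()` starts and ends outside these hunks.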