tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Migrate sepolicy compat test to Android.bp"

Browse source
This commit is contained in:
Treehugger Robot 2022-01-10 02:09:23 +00:00 committed by Gerrit Code Review
commit e9b0ec455d
5 changed files with 170 additions and 63 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
Android.mk
View file

@ -349,7 +349,7 @@ ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \ LOCAL_REQUIRED_MODULES += \
sepolicy_tests \ sepolicy_tests \
$(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ sepolicy_compat_test \
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \ LOCAL_REQUIRED_MODULES += \
@ -770,11 +770,6 @@ $(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
) )
endif # PRODUCT_SEPOLICY_SPLIT endif # PRODUCT_SEPOLICY_SPLIT
$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
$(eval version_under_treble_tests := $(v)) \
$(eval include $(LOCAL_PATH)/compat.mk) \
)
built_plat_sepolicy := built_plat_sepolicy :=
built_system_ext_sepolicy := built_system_ext_sepolicy :=
built_product_sepolicy := built_product_sepolicy :=

5
build/soong/build_files.go
View file

@ -124,4 +124,9 @@ func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...) b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...) b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
} }
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
}
} }

161
build/soong/compat_cil.go
View file

@ -15,13 +15,21 @@
package selinux package selinux
import ( import (
"fmt"
"github.com/google/blueprint/proptools" "github.com/google/blueprint/proptools"
"android/soong/android" "android/soong/android"
) )
var (
compatTestDepTag = dependencyTag{name: "compat_test"}
)
func init() { func init() {
android.RegisterModuleType("se_compat_cil", compatCilFactory) ctx := android.InitRegistrationContext
ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
ctx.RegisterSingletonModuleType("se_compat_test", compatTestFactory)
} }
// se_compat_cil collects and installs backwards compatibility cil files. // se_compat_cil collects and installs backwards compatibility cil files.
@ -107,3 +115,154 @@ func (c *compatCil) AndroidMkEntries() []android.AndroidMkEntries {
}, },
}} }}
} }
func (c *compatCil) OutputFiles(tag string) (android.Paths, error) {
switch tag {
case "":
return android.Paths{c.installSource}, nil
default:
return nil, fmt.Errorf("unsupported module reference tag %q", tag)
}
}
var _ android.OutputFileProducer = (*compatCil)(nil)
// se_compat_test checks if compat files ({ver}.cil, {ver}.compat.cil) files are compatible with
// current policy.
func compatTestFactory() android.SingletonModule {
f := &compatTestModule{}
android.InitAndroidModule(f)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
f.loadHook(ctx)
})
return f
}
type compatTestModule struct {
android.SingletonModuleBase
compatTestTimestamp android.ModuleOutPath
}
func (f *compatTestModule) createPlatPubVersionedModule(ctx android.LoadHookContext, ver string) {
confName := fmt.Sprintf("pub_policy_%s.conf", ver)
cilName := fmt.Sprintf("pub_policy_%s.cil", ver)
platPubVersionedName := fmt.Sprintf("plat_pub_versioned_%s.cil", ver)
ctx.CreateModule(policyConfFactory, &nameProperties{
Name: proptools.StringPtr(confName),
}, &policyConfProperties{
Srcs: []string{
fmt.Sprintf(":se_build_files{.plat_public_%s}", ver),
":se_build_files{.reqd_mask}",
},
Installable: proptools.BoolPtr(false),
})
ctx.CreateModule(policyCilFactory, &nameProperties{
Name: proptools.StringPtr(cilName),
}, &policyCilProperties{
Src: proptools.StringPtr(":" + confName),
Filter_out: []string{":reqd_policy_mask.cil"},
Secilc_check: proptools.BoolPtr(false),
Installable: proptools.BoolPtr(false),
})
ctx.CreateModule(versionedPolicyFactory, &nameProperties{
Name: proptools.StringPtr(platPubVersionedName),
}, &versionedPolicyProperties{
Base: proptools.StringPtr(":" + cilName),
Target_policy: proptools.StringPtr(":" + cilName),
Version: proptools.StringPtr(ver),
Installable: proptools.BoolPtr(false),
})
}
func (f *compatTestModule) createCompatTestModule(ctx android.LoadHookContext, ver string) {
srcs := []string{
":plat_sepolicy.cil",
":system_ext_sepolicy.cil",
":product_sepolicy.cil",
fmt.Sprintf(":plat_%s.cil", ver),
fmt.Sprintf(":%s.compat.cil", ver),
fmt.Sprintf(":system_ext_%s.cil", ver),
fmt.Sprintf(":system_ext_%s.compat.cil", ver),
fmt.Sprintf(":product_%s.cil", ver),
}
if ver == ctx.DeviceConfig().BoardSepolicyVers() {
srcs = append(srcs,
":plat_pub_versioned.cil",
":vendor_sepolicy.cil",
":odm_sepolicy.cil",
)
} else {
srcs = append(srcs, fmt.Sprintf(":plat_pub_versioned_%s.cil", ver))
}
compatTestName := fmt.Sprintf("%s_compat_test", ver)
ctx.CreateModule(policyBinaryFactory, &nameProperties{
Name: proptools.StringPtr(compatTestName),
}, &policyBinaryProperties{
Srcs: srcs,
Ignore_neverallow: proptools.BoolPtr(true),
Installable: proptools.BoolPtr(false),
})
}
func (f *compatTestModule) loadHook(ctx android.LoadHookContext) {
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
f.createPlatPubVersionedModule(ctx, ver)
f.createCompatTestModule(ctx, ver)
}
}
func (f *compatTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
ctx.AddDependency(f, compatTestDepTag, fmt.Sprintf("%s_compat_test", ver))
}
}
func (f *compatTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
// does nothing; se_compat_test is a singeton because two compat test modules don't make sense.
}
func (f *compatTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
var inputs android.Paths
ctx.VisitDirectDepsWithTag(compatTestDepTag, func(child android.Module) {
o, ok := child.(android.OutputFileProducer)
if !ok {
panic(fmt.Errorf("Module %q should be an OutputFileProducer but it isn't", ctx.OtherModuleName(child)))
}
outputs, err := o.OutputFiles("")
if err != nil {
panic(fmt.Errorf("Module %q error while producing output: %v", ctx.OtherModuleName(child), err))
}
if len(outputs) != 1 {
panic(fmt.Errorf("Module %q should produce exactly one output, but did %q", ctx.OtherModuleName(child), outputs.Strings()))
}
inputs = append(inputs, outputs[0])
})
f.compatTestTimestamp = android.PathForModuleOut(ctx, "timestamp")
rule := android.NewRuleBuilder(pctx, ctx)
rule.Command().Text("touch").Output(f.compatTestTimestamp).Implicits(inputs)
rule.Build("compat", "compat test timestamp for: "+f.Name())
}
func (f *compatTestModule) AndroidMkEntries() []android.AndroidMkEntries {
return []android.AndroidMkEntries{android.AndroidMkEntries{
Class: "FAKE",
// OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
// Without OutputFile this module won't be exported to Makefile.
OutputFile: android.OptionalPathForPath(f.compatTestTimestamp),
Include: "$(BUILD_PHONY_PACKAGE)",
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", f.compatTestTimestamp.String())
},
},
}}
}

56
compat.mk
View file

@ -1,56 +0,0 @@
version := $(version_under_treble_tests)
include $(CLEAR_VARS)
#################################
# build this target to ensure the compat permissions files all build against the current policy
#
LOCAL_MODULE := $(version)_compat_test
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_REQUIRED_MODULES := $(version).compat.cil
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
all_cil_files := \
$(built_plat_cil) \
$(built_plat_mapping_cil) \
$(built_pub_vers_cil) \
$(ALL_MODULES.$(version).compat.cil.BUILT) \
ifdef HAS_SYSTEM_EXT_SEPOLICY
all_cil_files += $(built_system_ext_cil)
endif
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
all_cil_files += $(built_product_cil)
endif
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
all_cil_files += $(built_product_mapping_cil)
endif
ifneq ($(mixed_sepolicy_build),true)
all_cil_files += $(built_vendor_cil)
ifdef BOARD_ODM_SEPOLICY_DIRS
all_cil_files += $(built_odm_cil)
endif
endif # ifneq ($(mixed_sepolicy_build),true)
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
@mkdir -p $(dir $@)
$(hide) $< -m -N -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
all_cil_files :=
version :=
version_under_treble_tests :=

4
compat/Android.bp
View file

@ -269,3 +269,7 @@ se_compat_cil {
stem: "32.0.compat.cil", stem: "32.0.compat.cil",
system_ext_specific: true, system_ext_specific: true,
} }
se_compat_test {
name: "sepolicy_compat_test",
}