From f9348b5509bfb0141029072fe18de3923e8da576 Mon Sep 17 00:00:00 2001 From: Jeff Vander Stoep Date: Tue, 14 Dec 2021 13:32:12 +0100 Subject: [PATCH] Support for APEX updatable sepolicy Builds: - sepolicy_test - file that init mounts in /dev/selinux to demonstrate that updatable sepolicy is loaded. - apex_sepolicy.cil - Initially includes a rule allowing shell to read sepolicy_test. - apex_file_contexts - Initially includes mapping of /dev/selinux/sepolicy_test. - apex_sepolicy.sha256. Used by init to determine of precompiled_sepolicy can be used. - apex_service_contexts - Currently empty. - apex_property_contexts - Currently empty. - apex_seapp_contexts - Currently empty. Bug: 199914227 Test: Build, boot, ls -laZ /dev/selinux/sepolicy_test Change-Id: I6aa625dda5235c6e7a0cfff777a9e15606084c12 --- Android.bp | 45 ++++++++++++++++++ com.android.sepolicy/33/Android.bp | 56 +++++++++++++++++++++++ com.android.sepolicy/33/file_contexts | 1 + com.android.sepolicy/33/property_contexts | 0 com.android.sepolicy/33/seapp_contexts | 0 com.android.sepolicy/33/service_contexts | 0 com.android.sepolicy/33/shell.te | 2 + com.android.sepolicy/Android.bp | 28 ++++++++++++ 8 files changed, 132 insertions(+) create mode 100644 com.android.sepolicy/33/Android.bp create mode 100644 com.android.sepolicy/33/file_contexts create mode 100644 com.android.sepolicy/33/property_contexts create mode 100644 com.android.sepolicy/33/seapp_contexts create mode 100644 com.android.sepolicy/33/service_contexts create mode 100644 com.android.sepolicy/33/shell.te create mode 100644 com.android.sepolicy/Android.bp diff --git a/Android.bp b/Android.bp index 438b13fa9..fdd97ff1e 100644 --- a/Android.bp +++ b/Android.bp @@ -342,6 +342,21 @@ se_policy_cil { additional_cil_files: [":sepolicy_technical_debt{.plat_private}"], } + +se_policy_conf { + name: "apex_sepolicy-33.conf", + srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"], + installable: false, +} + +se_policy_cil { + name: "apex_sepolicy-33.cil", + src: ":apex_sepolicy-33.conf", + filter_out: [":plat_sepolicy.cil"], + installable: false, + stem: "apex_sepolicy.cil", +} + // userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil se_policy_conf { name: "userdebug_plat_sepolicy.conf", @@ -659,6 +674,9 @@ se_versioned_policy { // AND // - product_sepolicy_and_mapping.sha256 equals // precompiled_sepolicy.product_sepolicy_and_mapping.sha256 +// AND +// - apex_sepolicy.sha256 equals +// precompiled_sepolicy.apex_sepolicy.sha256 // See system/core/init/selinux.cpp for details. ////////////////////////////////// genrule { @@ -675,6 +693,20 @@ prebuilt_etc { relative_install_path: "selinux", } +genrule { + name: "apex_sepolicy.sha256_gen", + srcs: [":apex_sepolicy-33.cil"], + out: ["apex_sepolicy.sha256"], + cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)", +} + +prebuilt_etc { + name: "apex_sepolicy.sha256", + filename: "apex_sepolicy.sha256", + src: ":apex_sepolicy.sha256_gen", + installable: false, +} + genrule { name: "system_ext_sepolicy_and_mapping.sha256_gen", srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"], @@ -743,6 +775,18 @@ prebuilt_etc { relative_install_path: "selinux", } +////////////////////////////////// +// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy +// was built. +////////////////////////////////// +prebuilt_etc { + defaults: ["precompiled_sepolicy_prebuilts"], + name: "precompiled_sepolicy.apex_sepolicy.sha256", + filename: "precompiled_sepolicy.apex_sepolicy.sha256", + src: ":apex_sepolicy.sha256_gen", + relative_install_path: "selinux", +} + ////////////////////////////////// // SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against // which precompiled_policy was built. @@ -780,6 +824,7 @@ precompiled_se_policy_binary { name: "precompiled_sepolicy", srcs: [ ":plat_sepolicy.cil", + ":apex_sepolicy-33.cil", ":plat_pub_versioned.cil", ":system_ext_sepolicy.cil", ":product_sepolicy.cil", diff --git a/com.android.sepolicy/33/Android.bp b/com.android.sepolicy/33/Android.bp new file mode 100644 index 000000000..f3387ac8c --- /dev/null +++ b/com.android.sepolicy/33/Android.bp @@ -0,0 +1,56 @@ +// Copyright (C) 2021 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package { + // http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // the below license kinds from "system_sepolicy_license": + // SPDX-license-identifier-Apache-2.0 + default_applicable_licenses: ["system_sepolicy_license"], +} + +genrule { + name: "apex_file_contexts-33.gen", + defaults: ["sepolicy_file_contexts_gen_default"], + srcs: ["file_contexts"], + out: ["apex_file_contexts-33"], +} + +prebuilt_etc { + name: "apex_file_contexts-33", + filename: "apex_file_contexts", + src: ":apex_file_contexts-33.gen", + installable: false, +} + +prebuilt_etc { + name: "apex_property_contexts-33", + filename: "apex_property_contexts", + src: "property_contexts", + installable: false, +} + +prebuilt_etc { + name: "apex_service_contexts-33", + filename: "apex_service_contexts", + src: "service_contexts", + installable: false, +} + +prebuilt_etc { + name: "apex_seapp_contexts-33", + filename: "apex_seapp_contexts", + src: "seapp_contexts", + installable: false, +} diff --git a/com.android.sepolicy/33/file_contexts b/com.android.sepolicy/33/file_contexts new file mode 100644 index 000000000..14f99f954 --- /dev/null +++ b/com.android.sepolicy/33/file_contexts @@ -0,0 +1 @@ +/dev/selinux/apex_test u:object_r:sepolicy_test_file:s0 diff --git a/com.android.sepolicy/33/property_contexts b/com.android.sepolicy/33/property_contexts new file mode 100644 index 000000000..e69de29bb diff --git a/com.android.sepolicy/33/seapp_contexts b/com.android.sepolicy/33/seapp_contexts new file mode 100644 index 000000000..e69de29bb diff --git a/com.android.sepolicy/33/service_contexts b/com.android.sepolicy/33/service_contexts new file mode 100644 index 000000000..e69de29bb diff --git a/com.android.sepolicy/33/shell.te b/com.android.sepolicy/33/shell.te new file mode 100644 index 000000000..757328eb1 --- /dev/null +++ b/com.android.sepolicy/33/shell.te @@ -0,0 +1,2 @@ +allow shell sepolicy_test_file:file r_file_perms; + diff --git a/com.android.sepolicy/Android.bp b/com.android.sepolicy/Android.bp new file mode 100644 index 000000000..1e042f3c5 --- /dev/null +++ b/com.android.sepolicy/Android.bp @@ -0,0 +1,28 @@ +// Copyright (C) 2021 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package { + // http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // the below license kinds from "system_sepolicy_license": + // SPDX-license-identifier-Apache-2.0 + default_applicable_licenses: ["system_sepolicy_license"], +} + +genrule_defaults { + name: "sepolicy_file_contexts_gen_default", + tools: ["fc_sort"], + cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " + + "$(location fc_sort) -i $(out).tmp -o $(out)", +}