1. Splitted plat_property_contexts and plat_file_contexts so that they
can be included by the CtsSecurityHostTestCases module;
2. Add temporary seapp_contexts Soong module, which are needed by the
CtsSecurityHostTestCases, and makefile_goal is an interim solution before
migrating both of them to Soong.
Bug: 194096505
Test: m CtsSecurityHostTestCases
Change-Id: I0e0e7f6778d42ab2fdae3a181f40216fe6719e7c
There's nothing special in the Custom method supplied, replace it
with normal AndroidMkEntries fields.
Bug: 204136549
Test: m checkbuild
Change-Id: I624005d2ee313aaa60397749b0726e393a842618
This change stops using deprecated functionality and migrates this
repository's custom Soong code to support current practices to manage
path property related dependencies. i.e. when a property includes
something that looks like ":module".
ExtractSourcesDeps has been deprecated in favor of tagging properties
with `android:"path"` which will cause the pathDepsMutator to add the
dependencies automatically.
android.SourceDepTag has been deprecated as the underlying type needs
to be changed and this will no longer work for its current uses.
* ctx.GetDirectDepWithTag(moduleName, android.SourceDepTag) will not
work to retrieve a reference to the module dependency added for
path properties. GetModuleFromPathDep(ctx, moduleName, "") must be
used instead.
* depTag == android.SourceDepTag can no longer be used to check to
see if depTag was used to add a module dependency for a module
reference in a path property without any output tag.
IsSourceDepTagWithOutputTag(depTag, "") must be used instead.
Bug: 193228441
Test: m nothing
Change-Id: I307039612f0f2a541ac7dbfddd052ef78c290f60
InstallFile skips install only if SkipInstall is called before
InstallFile.
Bug: 190442286
Test: build/soong/scripts/build-ndk-prebuilts.sh
Change-Id: Ic497e34816ea5ac23be45e34c242b59bf1a01e28
This reverts commit b44e506223.
Reason for revert: secilc is fixed by aosp/1701846, so the workaround is no longer needed
Bug: 183362912
Test: S GSI on R CF boot test
Change-Id: Ic73c7cea1ebe42b483049cbc29f192e738748894
plat_sepolicy_vers.txt stores the version of vendor policy. This change
adds sepolicy_vers module to migrate plat_sepolicy_vers.txt to
Android.bp.
- Device's plat_sepolicy_vers: should be BOARD_SEPOLICY_VERS
- Microdroid's plat_sepolicy_vers: should be PLATFORM_SEPOLICY_VERSION
because all microdroid artifacts are bound to platform
Bug: 33691272
Test: boot device && boot microdroid
Change-Id: Ida293e1cb785b44fa1d01543d52d3f8e15b055c2
* changes:
Revert "Add a neverallow for debugfs mounting"
Revert "Add neverallows for debugfs access"
Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"
Revert "Check that tracefs files are labelled as tracefs_type"
Revert submission 1668411
Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting
Change-Id: Ie04d7a4265ace43ba21a108af85f82ec137c6af0
This reverts commit 57b64bd282.
Because it breaks the usage of boot-debug.img and
vendor_boot-debug.img.
Bug: 185970130
Bug: 185990198
Test: make bootimage_debug
Change-Id: I2c7c4f9954540a9be301b3ed0a6c2f0af2019803
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs). This patch
adds a neverallow statement that prevents processes other than init
from being provided access to mount debugfs in non-user builds
when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I289f2d25662a78678929e29f83cb31cebd8ca737
to ensure the file size is greater than 0, as secilc cannot handle
zero-sized cil files.
Fixes: 185256986
Bug: 183362912
Test: Forrest re-run broken test
Change-Id: Ief3039d38728fbeff67c6e39d6b15bddb006e5f8
Installs backwards compatibility cil files.
Bug: 183362912
Test: Presubmit
Test: Add a $(ver).compat.cil under SYSTEM_EXT_PRIVATE_SEPOLICY_DIR and
verify the file is installed under /system_ext/etc/selinux/mapping/
Change-Id: I5e2c6b8dfa8df431edfe96f29daae463b130367f
plat_vendor tag consists of vendor available policies in system/sepolicy
directory, and is for minimized vendor policies.
Bug: 33691272
Test: boot microdroid
Change-Id: Icb3c1be02ee41b526d7d95f0053e56bf8b34f49d
It was missing when migrating definitions.mk to Android.bp module.
Test: m selinux_policy on sc-arc
Change-Id: I3c943440295bc9064d50e1a2f9025715c76b539e
This adds a new module se_policy_cil. It will consume the policy.conf
file (usually built with se_policy_conf) and outputs a compiled cil
policy file, which will be shipped to devices.
Bug: 33691272
Test: try building se_policy_cil from se_policy_conf
Change-Id: I7a33ab6cb5978e1a7d991be7514305c5e9f8159b
This adds a new soong module that transforms selinux policy files to
policy.conf file. It uses m4 macro with various variables, and replaces
transform-policy-to-conf macro in system/sepolicy/definitions.mk.
The module will be used when building:
- policy cil files shipped to the device
- CTS tests that needs general_policy.conf
Bug: 33691272
Test: try building se_policy_conf with se_build_files
Change-Id: Ie1082a8193c2205992b425509b9d5bfa4b495b2f
se_build_files module globs given srcs from sepolicy directories and
acts as a filegroup with the following tags, which can be used to build
system side policy files.
- plat
- plat_public
- system_ext
- system_ext_public
- product
- product_public
- reqd_mask
se_build_files module acts like the build_policy macro in Android.mk.
Normal genrule module can't easily handle that, because both file order
and directory order matter.
Support for vendor/odm is to be added in the future.
Bug: 33691272
Test: inspect se_build_files with above tags and compare it to ninja
Change-Id: Id7c57b01c78fc14ac5e8eeeb074a6fc21d271e84
For devices launching with Android Q or later, vendor_property_contexts
and odm_property_contexts should only contain vendor and odm properties.
This checks property_contexts files in build time.
To temporarily disable this check, users can set
BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk. But
VTS is still enforced, so users will have to fix the violations anyway.
Bug: 175526482
Test: m vendor_property_contexts after making violations
Change-Id: I99d6fff9033d78e1d276eed2682a2719dab84ae2
As image variants are now supported directly by android.Module, this
removes a custom mutator in selinux_contexts and uses image variant
functions in android.Module.
InRecovery and InstallInRecovery may be confusing. But refactoring it is
out of scope for this CL.
Test: compare out/soong/build.ninja before and after
Change-Id: I9ebf665a1d50d24bb4e5568a4fd1af4c4eb02c90
If sysprop library contains only internal properties, the API txt file
will be empty. This allows the API files to be missing in such cases to
turn off API-Review bit.
Bug: 177036449
Test: manual test
Change-Id: I9792e46ce6d19e65ee83cb055f76069063bec281
Revert "Add ability to declare licenses in soong."
Revert submission 1377717-metalics
Reason for revert: This has broken renderscript_mac target for aosp-master, see b/176909442
Reverted Changes:
I26ac54ca9:Define the standard license_kind rules.
I656486070:Export soong license data to make.
If9d661dfc:Export soong license data to make.
I97943de53:Add ability to declare licenses in soong.
Icaff40171:Rough-in license metadata support to make.
Ib8e538bd0:Add variables for notice deps, license kinds etc.
Change-Id: I9af3727fba03f6b40cd6d77c7e259ef4c9b7f29d
Now newer system policy and older vendor policy can be built together by
setting following variables:
- BOARD_SEPOLICY_VERS
- BOARD_REQD_MASK_POLICY (copy of older system/sepolicy/reqd_mask)
- BOARD_PLAT_VENDOR_POLICY (copy of older system/sepolicy/vendor)
- BOARD_(SYSTEM_EXT|PRODUCT)_(PUBLIC|PRIVATE)_PREBUILT_DIRS (copy of
older system_ext and product policies)
Bug: 168159977
Test: try normal build and mixed build
Test: boot and check selinux denials
Change-Id: Ie239580433ffd293fa6891cd665fb5ef83c0a14f
Pass pctx and ctx to NewRuleBuilder instead of RuleBuilder.Build,
and don't pass ctx to RuleBuilderCommand.BuiltTool. Follows the
changes in I63e6597e19167393876dc2259d6f521363b7dabc.
Test: m checkbuild
Change-Id: I372e8ecc3c4ea7ca8f66a8e1054eddd1a9af9dbd
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.
Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
Depends on changes in build/soong and build/make.
Make it more consistent with the change of `BOARD_PLAT_*`
behaviour and prepares introduction of
`SYSTEM_EXT_{PUBLIC,PRIVATE}_SEPOLICY_DIRS`.
Test: `make selinux_policy`with `BOARD_PLAT_PUBLIC_SEPOLICY_DIR` and
`BOARD_PLAT_PRIVATE_SEPOLICY_DIR` set.
Signed-off-by: Felix <google@ix5.org>
Change-Id: I9885f0594da9b76ee51386a980dfa76af98e2171
Previous behaviour:
Test: Set `PRODUCT_PUBLIC_SEPOLICY_DIRS`, causing
`product_sepolicy.cil` and `product_mapping_file` to
be generated. Do not use any `type` declarations that
would require a mapping in product sepolicy, e.g. only
define macros.
Run `make selinux_policy`, observe error:
```
FAILED: out/target/product/mydevice/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil
/bin/bash -c "(out/host/linux-x86/bin/version_policy -b out/target/product/mydevice/obj/FAKE/sepolicy_neverallows_intermediates/pub_policy.cil -t out/target/product/mydevice/obj/FAKE/sepolicy_neverallows_intermediates/pub_policy.cil -n 10000.0 -o out/target/product/mydevice/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil ) && (out/host/linux-x86/bin/secilc -m -M true -G -N -c 30 out/target/product/mydevice/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/mydevice/obj/ETC/product_sepolicy.cil_intermediates/product_sepolicy.cil out/target/product/mydevice/obj/ETC/plat_mapping_file_intermediates/10000.0.cil out/target/product/mydevice/obj/ETC/product_mapping_file_intermediates/10000.0.cil out/target/product/mydevice/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil -o /dev/null -f /dev/null )"
Failure reading file: out/target/product/mydevice/obj/ETC/product_mapping_file_intermediates/10000.0.cil
```
This is caused by `secilc.c` trying to read the empty file:
```
rc = fread(buffer, file_size, 1, file);
```
Fix: Append a newline to make sure any file processed by
`filter_out` is still readable by secilc.
After:
Test: `make selinux_policy` with same preconditions.
Signed-off-by: Felix <google@ix5.org>
Change-Id: I6dcfcccdfa83121bbdc09632f7a2b609ef932fc9
sysprop type checker compares a sysprop_library API file and
property_contexts files, and detects if there are any mismatches of
property types. For example, the following snippets are detected.
// foo.sysprop
prop {
prop_name: "ro.foo.bar"
type: Integer
...
}
// property_contexts
ro.foo.bar u:object_r:foo_prop:s0 exact string
"ro.foo.bar" is an Integer in .sysprop file, but it's a string in
property_contexts file.
Bug: 151879375
Test: sysprop_test
Test: run "m PlatformProperties" and see existing mismatches.
Change-Id: Ieb9965d14b8c90cfc730c3d20d95a28ecaabeba4
public/property_contexts needs to be included regardless of
API level so that the property *labels* are always included.
Else, devices without PRODUCT_COMPATIBLE_PROPERTY (shipping
API level <27) will run into denials because the props are
labeled `default_prop`.
As a side benefit, this reduces deviation in test matrices.
The guard was originally introduced in:
e49714542e "Whitelist exported platform properties"
Test: Build for device without PRODUCT_COMPATIBLE_PROPERTY,
no more denials for accessing `default_prop` from e.g. HALs.
Change-Id: I5bbe5d078040bb26dd48d353953661c9375d2009
Signed-off-by: Felix <google@ix5.org>
