Commit graph

64 commits

Author SHA1 Message Date
Yuntao Xu
1b76673577 Merge "Split property and file contexts modules" 2021-11-18 17:05:46 +00:00
Yi-Yo Chiang
2c18965e27 Treblelize bug_map: split bug_map to multiple partitions
* plat_bug_map: Platform-specific bug_map definitions.
* system_ext_bug_map: Product-specific bug_map definitions.
* vendor_bug_map: SOC-specific bug_map definitions.

Bug: 177977370
Test: Boot and check auditd logs
Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
2021-11-08 22:44:34 +08:00
Inseob Kim
1b965988b7 Split property and file contexts modules
1. Splitted plat_property_contexts and plat_file_contexts so that they
can be included by the CtsSecurityHostTestCases module;
2. Add temporary seapp_contexts Soong module, which are needed by the
CtsSecurityHostTestCases, and makefile_goal is an interim solution before
migrating both of them to Soong.

Bug: 194096505
Test: m CtsSecurityHostTestCases
Change-Id: I0e0e7f6778d42ab2fdae3a181f40216fe6719e7c
2021-11-08 15:44:29 +09:00
Colin Cross
f82aed0daa Don't use AndroidMkEntries.Custom
There's nothing special in the Custom method supplied, replace it
with normal AndroidMkEntries fields.

Bug: 204136549
Test: m checkbuild
Change-Id: I624005d2ee313aaa60397749b0726e393a842618
2021-11-04 17:25:55 -07:00
Inseob Kim
b9d0511de4 Add se_policy_binary module
se_policy_binary module compiles cil files to sepolicy binary file.

Bug: 33691272
Test: build
Change-Id: Id20183d0ac797fc68356feaad9df0d0bccc81c14
2021-09-27 13:13:46 +00:00
Inseob Kim
d58166165a Migrate freeze test to Soong
Bug: 33691272
Test: m selinux_policy on sc-dev
Change-Id: Ie536d885034e5d888f1329ac189fd0bf9723a6c4
2021-09-16 05:08:56 +00:00
Paul Duffin
532bde121b Stop using deprecated functionality for managing path deps
This change stops using deprecated functionality and migrates this
repository's custom Soong code to support current practices to manage
path property related dependencies. i.e. when a property includes
something that looks like ":module".

ExtractSourcesDeps has been deprecated in favor of tagging properties
with `android:"path"` which will cause the pathDepsMutator to add the
dependencies automatically.

android.SourceDepTag has been deprecated as the underlying type needs
to be changed and this will no longer work for its current uses.

* ctx.GetDirectDepWithTag(moduleName, android.SourceDepTag) will not
  work to retrieve a reference to the module dependency added for
  path properties. GetModuleFromPathDep(ctx, moduleName, "") must be
  used instead.

* depTag == android.SourceDepTag can no longer be used to check to
  see if depTag was used to add a module dependency for a module
  reference in a path property without any output tag.
  IsSourceDepTagWithOutputTag(depTag, "") must be used instead.

Bug: 193228441
Test: m nothing
Change-Id: I307039612f0f2a541ac7dbfddd052ef78c290f60
2021-07-09 23:15:17 +01:00
Inseob Kim
31db274078 Call SkipInstall before InstallFile
InstallFile skips install only if SkipInstall is called before
InstallFile.

Bug: 190442286
Test: build/soong/scripts/build-ndk-prebuilts.sh
Change-Id: Ic497e34816ea5ac23be45e34c242b59bf1a01e28
2021-06-08 10:31:09 +09:00
Yo Chiang
bb8d0050d9 Merge "Revert "se_compat_cil: Prepend generated files with a header"" 2021-05-12 05:35:51 +00:00
Yo Chiang
7c3ecf1356 Revert "se_compat_cil: Prepend generated files with a header"
This reverts commit b44e506223.

Reason for revert: secilc is fixed by aosp/1701846, so the workaround is no longer needed

Bug: 183362912
Test: S GSI on R CF boot test
Change-Id: Ic73c7cea1ebe42b483049cbc29f192e738748894
2021-05-12 01:54:27 +00:00
Hridya Valsaraju
a885dd84c7 Revert "Revert "Add a neverallow for debugfs mounting""
This reverts commit f9dbb72654.
Issues with GSI testing fixed with
https://android-review.googlesource.com/c/platform/build/+/1686425/

Bug: 184381659
Test: manual
Change-Id: Icd07430c606e294dfaad2fc9b37d34e3dae8cbfc
2021-05-02 21:41:53 -07:00
Inseob Kim
6cc75f4587 Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp"
This reverts commit a46d61cd3f.

Reason for revert: fixed debug_ramdisk partition problem

Change-Id: If2350f115f5ff74ee50dac4e5a87c4d171067282
2021-04-30 14:53:25 +09:00
Inseob Kim
1c056b1ad0 Add sepolicy_vers for plat_sepolicy_vers.txt
plat_sepolicy_vers.txt stores the version of vendor policy. This change
adds sepolicy_vers module to migrate plat_sepolicy_vers.txt to
Android.bp.

- Device's plat_sepolicy_vers: should be BOARD_SEPOLICY_VERS
- Microdroid's plat_sepolicy_vers: should be PLATFORM_SEPOLICY_VERSION
because all microdroid artifacts are bound to platform

Bug: 33691272
Test: boot device && boot microdroid
Change-Id: Ida293e1cb785b44fa1d01543d52d3f8e15b055c2
2021-04-30 00:17:39 +09:00
Hridya Valsaraju
7362f58895 Merge changes from topic "revert-1668411-MWQWEZISXF"
* changes:
  Revert "Add a neverallow for debugfs mounting"
  Revert "Add neverallows for debugfs access"
  Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"
  Revert "Check that tracefs files are labelled as tracefs_type"
2021-04-23 22:06:31 +00:00
Hridya Valsaraju
f9dbb72654 Revert "Add a neverallow for debugfs mounting"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: Ie04d7a4265ace43ba21a108af85f82ec137c6af0
2021-04-23 16:38:20 +00:00
Treehugger Robot
f02af9d91c Merge "Revert^3 "Build userdebug_plat_sepolicy.cil with Android.bp"" 2021-04-23 13:09:24 +00:00
Inseob Kim
a46d61cd3f Revert^3 "Build userdebug_plat_sepolicy.cil with Android.bp"
e10ceab330

Change-Id: Ia1b38d6b709edb0e819ea4700e70ba68b1b61332
2021-04-22 23:14:58 +00:00
Florian Mayer
e10ceab330 Revert^2 "Build userdebug_plat_sepolicy.cil with Android.bp"
0177004c7f

Change-Id: I40aa5025d487922decd9909c0d35c9e3a6b8dd61
2021-04-22 16:38:47 +00:00
Bowgo Tsai
0177004c7f Revert "Build userdebug_plat_sepolicy.cil with Android.bp"
This reverts commit 57b64bd282.

Because it breaks the usage of boot-debug.img and
vendor_boot-debug.img.

Bug: 185970130
Bug: 185990198
Test: make bootimage_debug
Change-Id: I2c7c4f9954540a9be301b3ed0a6c2f0af2019803
2021-04-22 09:55:21 +08:00
Hridya Valsaraju
1c3d898d87 Add a neverallow for debugfs mounting
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs). This patch
adds a neverallow statement that prevents processes other than init
from being provided access to mount debugfs in non-user builds
when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I289f2d25662a78678929e29f83cb31cebd8ca737
2021-04-21 14:13:02 -07:00
Treehugger Robot
8d2bfafcf5 Merge "Build userdebug_plat_sepolicy.cil with Android.bp" 2021-04-15 05:22:35 +00:00
Yo Chiang
466964d401 Merge "se_compat_cil: Prepend generated files with a header" 2021-04-14 08:30:38 +00:00
Yi-Yo Chiang
b44e506223 se_compat_cil: Prepend generated files with a header
to ensure the file size is greater than 0, as secilc cannot handle
zero-sized cil files.

Fixes: 185256986
Bug: 183362912
Test: Forrest re-run broken test
Change-Id: Ief3039d38728fbeff67c6e39d6b15bddb006e5f8
2021-04-14 07:41:23 +00:00
Yo Chiang
86a8275378 Merge "Remove references to BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR" 2021-04-14 06:55:59 +00:00
Inseob Kim
57b64bd282 Build userdebug_plat_sepolicy.cil with Android.bp
Bug: 33691272
Test: build and see $OUT/debug_ramdisk
Change-Id: I7994857a3dd4e54f2c2d35ff8e362ecae93ea7a2
2021-04-14 15:54:26 +09:00
Yi-Yo Chiang
41c34d6a70 Add se_compat_cil module
Installs backwards compatibility cil files.

Bug: 183362912
Test: Presubmit
Test: Add a $(ver).compat.cil under SYSTEM_EXT_PRIVATE_SEPOLICY_DIR and
  verify the file is installed under /system_ext/etc/selinux/mapping/
Change-Id: I5e2c6b8dfa8df431edfe96f29daae463b130367f
2021-04-13 02:58:21 +08:00
Yi-Yo Chiang
40073d4c7f Remove references to BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR
These variables are deprecated.

Bug: 183362912
Test: Presubmit; Noop
Change-Id: I80db5342044a06feb1451fbe661989fe4d191e74
2021-04-12 20:01:35 +08:00
Inseob Kim
39fbcf7c96 Add plat_vendor tag to se_build_files for microdroid
plat_vendor tag consists of vendor available policies in system/sepolicy
directory, and is for minimized vendor policies.

Bug: 33691272
Test: boot microdroid
Change-Id: Icb3c1be02ee41b526d7d95f0053e56bf8b34f49d
2021-04-05 09:50:47 +00:00
Inseob Kim
ebe6f385da Add se_versioned_policy module
se_versioned_policy module wraps version_sepolicy and generates mapping
files with Android.bp.

Bug: 33691272
Test: build
Change-Id: Iaba499db39b1214ef7b1f59c58232ec85d7c3bcb
2021-03-25 16:41:53 +09:00
Inseob Kim
4360c1975f Add target_with_dexpreopt option to policy
It was missing when migrating definitions.mk to Android.bp module.

Test: m selinux_policy on sc-arc
Change-Id: I3c943440295bc9064d50e1a2f9025715c76b539e
2021-03-23 20:52:53 +09:00
Inseob Kim
df1a0dee63 Add se_policy_cil module to build cil policy
This adds a new module se_policy_cil. It will consume the policy.conf
file (usually built with se_policy_conf) and outputs a compiled cil
policy file, which will be shipped to devices.

Bug: 33691272
Test: try building se_policy_cil from se_policy_conf
Change-Id: I7a33ab6cb5978e1a7d991be7514305c5e9f8159b
2021-03-18 19:54:30 +09:00
Inseob Kim
7e8bd1e657 Add se_policy_conf module to build policy.conf
This adds a new soong module that transforms selinux policy files to
policy.conf file. It uses m4 macro with various variables, and replaces
transform-policy-to-conf macro in system/sepolicy/definitions.mk.

The module will be used when building:
- policy cil files shipped to the device
- CTS tests that needs general_policy.conf

Bug: 33691272
Test: try building se_policy_conf with se_build_files
Change-Id: Ie1082a8193c2205992b425509b9d5bfa4b495b2f
2021-03-18 19:52:09 +09:00
Inseob Kim
619e4a7a82 Add se_build_files module
se_build_files module globs given srcs from sepolicy directories and
acts as a filegroup with the following tags, which can be used to build
system side policy files.

- plat
- plat_public
- system_ext
- system_ext_public
- product
- product_public
- reqd_mask

se_build_files module acts like the build_policy macro in Android.mk.
Normal genrule module can't easily handle that, because both file order
and directory order matter.

Support for vendor/odm is to be added in the future.

Bug: 33691272
Test: inspect se_build_files with above tags and compare it to ninja
Change-Id: Id7c57b01c78fc14ac5e8eeeb074a6fc21d271e84
2021-03-16 10:22:09 +09:00
Inseob Kim
2bcc045724 Check vendor_property_contexts namespaces
For devices launching with Android Q or later, vendor_property_contexts
and odm_property_contexts should only contain vendor and odm properties.
This checks property_contexts files in build time.

To temporarily disable this check, users can set
BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk. But
VTS is still enforced, so users will have to fix the violations anyway.

Bug: 175526482
Test: m vendor_property_contexts after making violations
Change-Id: I99d6fff9033d78e1d276eed2682a2719dab84ae2
2021-02-17 12:41:38 +09:00
Bob Badour
601ebb43a3 [LSC] Add LOCAL_LICENSE_KINDS to system/sepolicy
Added SPDX-license-identifier-Apache-2.0 to:
  build/Android.bp
  build/soong/Android.bp
  tests/Android.bp
  tools/Android.bp

Added SPDX-license-identifier-Apache-2.0 legacy_unencumbered to:
  Android.bp
  Android.mk
  compat.mk
  contexts_tests.mk
  mac_permissions.mk
  seapp_contexts.mk
  treble_sepolicy_tests_for_release.mk

Added legacy_unencumbered to:
  apex/Android.bp
  tools/sepolicy-analyze/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: I1ab286543ef1bdcb494cf74f2b35e35a08225d28
2021-02-05 01:28:24 -08:00
Inseob Kim
fa6fe474f0 Remove mutator and use standard variant functions
As image variants are now supported directly by android.Module, this
removes a custom mutator in selinux_contexts and uses image variant
functions in android.Module.

InRecovery and InstallInRecovery may be confusing. But refactoring it is
out of scope for this CL.

Test: compare out/soong/build.ninja before and after
Change-Id: I9ebf665a1d50d24bb4e5568a4fd1af4c4eb02c90
2021-02-03 10:53:18 +09:00
Inseob Kim
3a3539a27b Allow sysprop library API files to be missing
If sysprop library contains only internal properties, the API txt file
will be empty. This allows the API files to be missing in such cases to
turn off API-Review bit.

Bug: 177036449
Test: manual test
Change-Id: I9792e46ce6d19e65ee83cb055f76069063bec281
2021-01-15 18:10:29 +09:00
Bob Badour
4eeb6a2eac Revert^2 "Export soong license data to make."
56f419d6c8

Change-Id: I5eebdea9dc8b6f3be1cda23225733df0d78cbbdc
2021-01-06 20:50:49 -08:00
Bob Badour
1135fd71cd Merge "Revert "Export soong license data to make."" 2021-01-06 19:17:44 +00:00
Jerome Gaillard
56f419d6c8 Revert "Export soong license data to make."
Revert "Add ability to declare licenses in soong."

Revert submission 1377717-metalics

Reason for revert: This has broken renderscript_mac target for aosp-master, see b/176909442

Reverted Changes:
I26ac54ca9:Define the standard license_kind rules.
I656486070:Export soong license data to make.
If9d661dfc:Export soong license data to make.
I97943de53:Add ability to declare licenses in soong.
Icaff40171:Rough-in license metadata support to make.
Ib8e538bd0:Add variables for notice deps, license kinds etc.

Change-Id: I9af3727fba03f6b40cd6d77c7e259ef4c9b7f29d
2021-01-06 19:00:05 +00:00
Bob Badour
c182ed7f74 Merge "Export soong license data to make." 2021-01-06 18:08:06 +00:00
Inseob Kim
8ada8a7c1b Support building mixed versions of sepolicy
Now newer system policy and older vendor policy can be built together by
setting following variables:

- BOARD_SEPOLICY_VERS
- BOARD_REQD_MASK_POLICY (copy of older system/sepolicy/reqd_mask)
- BOARD_PLAT_VENDOR_POLICY (copy of older system/sepolicy/vendor)
- BOARD_(SYSTEM_EXT|PRODUCT)_(PUBLIC|PRIVATE)_PREBUILT_DIRS (copy of
  older system_ext and product policies)

Bug: 168159977
Test: try normal build and mixed build
Test: boot and check selinux denials
Change-Id: Ie239580433ffd293fa6891cd665fb5ef83c0a14f
2021-01-06 10:46:15 +09:00
Bob Badour
bd8ca4af30 Export soong license data to make.
Bug: 151953481
Bug: 151177513
Bug: 67772237
Change-Id: I656486070103a2aeaab0e8cbfb3a0af097af8aa8
2021-01-05 08:42:48 -08:00
Colin Cross
242c8bc876 Follow argument changes to RuleBuilder
Pass pctx and ctx to NewRuleBuilder instead of RuleBuilder.Build,
and don't pass ctx to RuleBuilderCommand.BuiltTool.  Follows the
changes in I63e6597e19167393876dc2259d6f521363b7dabc.

Test: m checkbuild
Change-Id: I372e8ecc3c4ea7ca8f66a8e1054eddd1a9af9dbd
2020-11-30 20:22:31 -08:00
Treehugger Robot
9a0cff4756 Merge "build: Rename Plat->SystemExt*SepolicyDirs" 2020-10-12 03:49:24 +00:00
Janis Danisevskis
c40681f1b5 Add libselinux keystore_key backend.
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.

Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-08-05 16:11:48 +00:00
Felix
e0421d3746 build: Rename Plat->SystemExt*SepolicyDirs
Depends on changes in build/soong and build/make.

Make it more consistent with the change of `BOARD_PLAT_*`
behaviour and prepares introduction of
`SYSTEM_EXT_{PUBLIC,PRIVATE}_SEPOLICY_DIRS`.

Test: `make selinux_policy`with `BOARD_PLAT_PUBLIC_SEPOLICY_DIR` and
     `BOARD_PLAT_PRIVATE_SEPOLICY_DIR` set.

Signed-off-by: Felix <google@ix5.org>
Change-Id: I9885f0594da9b76ee51386a980dfa76af98e2171
2020-05-17 18:17:47 +02:00
Felix
0d6864aebd build/file_utils: Newline for mapping files
Previous behaviour:
Test: Set `PRODUCT_PUBLIC_SEPOLICY_DIRS`, causing
      `product_sepolicy.cil` and `product_mapping_file` to
      be generated. Do not use any `type` declarations that
      would require a mapping in product sepolicy, e.g. only
      define macros.
      Run `make selinux_policy`, observe error:
```
FAILED: out/target/product/mydevice/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil
/bin/bash -c "(out/host/linux-x86/bin/version_policy -b out/target/product/mydevice/obj/FAKE/sepolicy_neverallows_intermediates/pub_policy.cil -t out/target/product/mydevice/obj/FAKE/sepolicy_neverallows_intermediates/pub_policy.cil -n 10000.0 -o out/target/product/mydevice/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil ) && (out/host/linux-x86/bin/secilc -m -M true -G -N -c 30 		out/target/product/mydevice/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil  out/target/product/mydevice/obj/ETC/product_sepolicy.cil_intermediates/product_sepolicy.cil out/target/product/mydevice/obj/ETC/plat_mapping_file_intermediates/10000.0.cil  out/target/product/mydevice/obj/ETC/product_mapping_file_intermediates/10000.0.cil out/target/product/mydevice/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil -o /dev/null -f /dev/null )"
Failure reading file: out/target/product/mydevice/obj/ETC/product_mapping_file_intermediates/10000.0.cil
```
This is caused by `secilc.c` trying to read the empty file:
```
rc = fread(buffer, file_size, 1, file);
```

Fix: Append a newline to make sure any file processed by
`filter_out` is still readable by secilc.

After:
Test: `make selinux_policy` with same preconditions.

Signed-off-by: Felix <google@ix5.org>
Change-Id: I6dcfcccdfa83121bbdc09632f7a2b609ef932fc9
2020-03-31 17:56:49 +02:00
Inseob Kim
cd6164933f Implement sysprop type checker
sysprop type checker compares a sysprop_library API file and
property_contexts files, and detects if there are any mismatches of
property types. For example, the following snippets are detected.

// foo.sysprop
prop {
prop_name: "ro.foo.bar"
type: Integer
...
}

// property_contexts
ro.foo.bar u:object_r:foo_prop:s0 exact string

"ro.foo.bar" is an Integer in .sysprop file, but it's a string in
property_contexts file.

Bug: 151879375
Test: sysprop_test
Test: run "m PlatformProperties" and see existing mismatches.
Change-Id: Ieb9965d14b8c90cfc730c3d20d95a28ecaabeba4
2020-03-25 11:13:29 +09:00
Felix
342b58a2ee property_contexts: Drop COMPATIBLE_PROP guard
public/property_contexts needs to be included regardless of
API level so that the property *labels* are always included.
Else, devices without PRODUCT_COMPATIBLE_PROPERTY (shipping
API level <27) will run into denials because the props are
labeled `default_prop`.

As a side benefit, this reduces deviation in test matrices.

The guard was originally introduced in:
e49714542e "Whitelist exported platform properties"

Test: Build for device without PRODUCT_COMPATIBLE_PROPERTY,
no more denials for accessing `default_prop` from e.g. HALs.

Change-Id: I5bbe5d078040bb26dd48d353953661c9375d2009
Signed-off-by: Felix <google@ix5.org>
2020-03-02 16:28:38 +01:00