Commit graph

27 commits

Author SHA1 Message Date
Inseob Kim
b30e2f05f7 Fix treble sepolicy tests and combine_maps script
* Since vFRC there are no more minor versions, so combine_maps.py is
  fixed to correctly handle both vFRC version and prior V.v version.

* treble_sepolicy_tests_for_release.mk uses incorrect variable
  SYSTEM_EXT_PREBUILT_POLICY and PRODUCT_PREBUILT_POLICY, so fixing
  them.

Bug: 331866470
Test: m selinux_policy
Change-Id: I7a3ab7cf3abf2155c1998e1972adee1202af8dff
2024-03-29 17:31:51 +09:00
Inseob Kim
0d49b9bc28 Use only public cil files for Treble compat test
Rationale for this change:

1) Vendors use only public files, so we should be able to use only
   public cil files for compatibility test.
2) treble_sepolicy_tests_for_release.mk is too complex, because it
   requires compiled sepolicy. Reducing the complexity will help migrate
   into REL build.
3) This fixes a tiny bug of treble_sepolicy_tests that it can't catch
   public types being moved to private types, and then removed. 29.0.cil
   and 30.0.cil change contains such missing public types.

Bug: 296875906
Test: m selinux_policy (with/without intentional breakage)
Change-Id: Ia2c0733176df898f268b5680195da25b588b09c7
2023-09-07 16:35:08 +09:00
Inseob Kim
5d7423ff3d Build prebuilt policy with Soong
... and remove redundant Makefile codes. This also updates commit hook
as we now only use Soong to build sepolicy.

Bug: 296875906
Test: m selinux_policy
Change-Id: I93f0d222a0c10e31c51c9380780a8927c47d62b1
2023-09-07 16:32:30 +09:00
Inseob Kim
eb0d40aa85 Move tests from treble_sepolicy_tests
Contrary to its name, sepolicy_tests also contains tests related to
Treble. Also tests other than the compat mapping test in
treble_sepolicy_tests don't need to be run several times.

Moving tests except for compat mapping test to sepolicy_tests to
simplify treble_sepolicy_tests and to reduce build time.

Bug: 288807412
Test: m selinux_policy
Test: atest SELinuxHostTest
Change-Id: I102fa48faf49b7028dc1bb5f21de65fa99babe6f
2023-09-06 14:26:25 +09:00
Bob Badour
267fc16a40 Non-module targets.
Bug: 151177513
Bug: 213388645
Bug: 210912771

Test: m droid dist reportmissinglicenses
Change-Id: I549e9f931347c2ebd89caa419d192e9cd377ef9b
2022-03-31 19:25:33 -07:00
Inseob Kim
73f43ff847 Remove compat test from treble sepolicy tests
Treble sepolicy tests check whether previous versions are compatible to
ToT sepolicy or not. treble_sepolicy_tests_for_release.mk implements it,
but it also includes a compat test whether ToT sepolicy + {ver} mapping
+ {ver} plat_pub_versioned.cil can be built together or not. We
definitely need such tests, but we already have a test called "compat
test" which does exactly that, and testing it again with Treble sepolicy
tests is just redundant. The only difference between those two is that
Treble sepolicy tests can also test system_ext and product compat files,
which was contributed by a partner.

The ultimate goal here is to migrate *.mk to Soong, thus merging these
two tests (compat, Treble) into one. As we've already migrated the
compat test to Soong, this change removes the compat test part from
treble sepolicy tests. Instead, the compat test will be extended so it
can test system_ext and product compat files too.
prebuilts/api/{ver}/plat_pub_versioned.cil and
prebuilts/api/{ver}/vendor_sepolicy.cil are also removed as they aren't
used anymore: vendor_sepolicy.cil is an empty stub, and
plat_pub_versioned.cil can be built from the prebuilt source files.

Bug: 33691272
Test: m selinux_policy
Change-Id: I72f5ad0e8bbe6a7c0bbcc02f0f902b953df6ff1a
2022-02-16 04:09:29 +00:00
Inseob Kim
eec3919969 Add new goal for compat file generator
To generate compat files, we need the following files.

- base_plat_sepolicy: to get all types
- base_plat_pub_policy.cil: to get public types
- {ver}_plat_sepolicy: to get old types

This creates a new dist goal, base-sepolicy-files-for-mapping, to
conveniently generate and gather desired files under out/dist.

Bug: 214336258
Test: build/soong/soong_ui.bash --make-mode dist \
      base-sepolicy-files-for-mapping \
      TARGET_PRODUCT=aosp_arm64 TARGET_BUILD_VARIANT=userdebug
Change-Id: I2f210ab47be777cd91346d635f75064845821144
2022-01-21 19:36:37 +09:00
Inseob Kim
6fa8efdf4a Use "data: libsepolwrap" in python binaries
To avoid hard-coded paths in Android.mk rules.

Test: m selinux_policy
Change-Id: I7b464fa2953e01ccb6fff8daa3e219ae372313c5
2021-12-29 04:58:30 +00:00
Inseob Kim
e3bc8ffa36 Remove nonplat_sepolicy.cil from test
Because it's out of the Treble window.

Bug: 210536608
Test: build
Change-Id: I96a068ad579d1e9a9353aac1438a894829741aad
2021-12-14 01:43:44 +00:00
P.Adarsh Reddy
07dd59ff14 Adding sepolicy testcase for system_ext and product.
Types defined in system_ext/public or product/public
can be referenced by vendor side so it is important
to make sure functionality is not broken across version
bumps. So we are adding the treble sepolicy test cases
for system_ext and product sepolicy.

Bug: 173571515
Change-Id: Ia45979497029f83b1ae6712d2d26ffab263a7f91
2021-05-12 18:14:26 +05:30
Bob Badour
601ebb43a3 [LSC] Add LOCAL_LICENSE_KINDS to system/sepolicy
Added SPDX-license-identifier-Apache-2.0 to:
  build/Android.bp
  build/soong/Android.bp
  tests/Android.bp
  tools/Android.bp

Added SPDX-license-identifier-Apache-2.0 legacy_unencumbered to:
  Android.bp
  Android.mk
  compat.mk
  contexts_tests.mk
  mac_permissions.mk
  seapp_contexts.mk
  treble_sepolicy_tests_for_release.mk

Added legacy_unencumbered to:
  apex/Android.bp
  tools/sepolicy-analyze/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: I1ab286543ef1bdcb494cf74f2b35e35a08225d28
2021-02-05 01:28:24 -08:00
Tri Vo
6117855015 sepolicy: support /system_ext and /product mapping files
Install mapping files in SYSTEM_EXT_PRIVATE_POLICY and
PRODUCT_PRIVATE_POLICY into /system_ext and /product respectively.

Bug: 141084341
Test: boot taimen
Test: system mapping files are unchanged
Test: create mapping files in device/google/wahoo/sepolicy/ and check
that they are correctly expanded and installed.
Change-Id: I4d251c957b30a16df71eec47c871e24e5fc773a4
2019-10-11 12:32:12 -07:00
Steven Moreland
1cb64c4f59 PRODUCT_SEPOLICY_SPLIT forces Treble tests to run.
This is the flag for when sepolicy is split. Also removed other
commented-out heuristics around fake-treble. We should aim to remove it
entirely instead.

Fixes: 141348590
Test: build w/ and without adding binder_in_vendor_violators to a vendor
    process (and see the expected error there)

Change-Id: I29fb335cc5b5d6e117d93038fe458b8c74acf321
2019-09-25 15:56:52 +00:00
Dan Willemsen
3c3e59b2a2 Use prebuilt m4 instead of system m4
Bug: 117561006
Test: treehugger
Change-Id: Id794aed10fdffef10490561d2cfeb2a92801b331
2019-06-19 10:59:57 -07:00
Pirama Arumuga Nainar
ce9c0c5a5f In native coverage builds, allow all domains to access /data/misc/trace
Bug: http://b/135139675

Coverage files are written to /data/misc/trace (governed by the
method_trace_data_file selinux type).  Allow all domains to access
(create directories, access files) this directory when native coverage
is enabled (by setting NATIVE_COVERAGE to true) in a userdebug or eng
build.

Also relax neverallow constraints to allow access to
method_trace_data_file for native coverage builds.

Test: Build 32-bit cuttlefish with coverage:
          m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
      and verify that there are no selinux denials in kernel log and
      logcat.

Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 08:31:51 -07:00
Jooyung Han
749cf93ae8 Test files on intermediates dir, not on /system
*_context_test / sepolicy_tests / treble_sepolicy_tests_* /
sepolicy_freeze_test files are installed on /system/etc.

By being FAKE modules, test files are not installed on target.

Additionally, we need to set up dependency from droidcore to
selinux_policy to make tests run on normal builds (m).

Bug: 133460071
Test: m & see if tests run and no test files on /system/etc
Test: m selinux_policy & see if tests run
Change-Id: Icacf004d5c1c8ec720c7cedef7bae8aa648cbe49
2019-05-30 01:05:43 +09:00
Tri Vo
0d23383759 Don't check PRODUCT_SHIPPING_API_LEVEL to determine fake treble.
Emulator device can not be considered a full treble device even though
it has PRODUCT_SHIPPING_API_LEVEL = 28. This prevents us from merging
neverallow rules that implement Treble requirements (aosp/798433). As a
temporary workaround, disable the checks on that variable.

Bug: 112933807
Bug: 113124961
Bug: 111243627
Test: m selinux_policy
Change-Id: I9a29c01dfcbc70e4ba1e4eef233355bc18ec2108
2018-11-01 10:04:32 -07:00
Tri Vo
9087b77517 Reland "Default undefined PRODUCT_SHIPPING_API_LEVEL to fake treble"
This is a temporary measure to disable treble sepolicy tests for
non-compliant targets.

Bug: 113124961
Bug: 111243627
Change-Id: I83d6efad0ff5c7d87a4b990560c390b66aeb3653
Test: m selinux_policy
2018-10-30 21:09:41 +00:00
Wei Wang
9c91bbaa45 Revert "Default undefined PRODUCT_SHIPPING_API_LEVEL to fake treble"
This reverts commit 8844f28a75.

Reason for revert: break build

Change-Id: I853d31465ac7953d2f9c3ee2b0d2ea85a0db621d
2018-10-30 20:27:30 +00:00
Tri Vo
8844f28a75 Default undefined PRODUCT_SHIPPING_API_LEVEL to fake treble
This is a temporary measure to disable treble sepolicy tests for
non-compliant targets.

Bug: 113124961
Bug: 111243627
Test: m selinux_policy
Change-Id: I291b7cc3c8c07b838f1ea22e55550c42c5083d8f
2018-10-25 17:21:13 -07:00
Tri Vo
438684b39f Only maintain maps between current and previous selinux versions.
New maintenance scheme for mapping files:
Say, V is the current SELinux platform version, then at any point in time we
only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1)
and bottom (V-n+1->V-n) without changes to previously maintained mapping files.

Caveats:
- 26.0.cil doesn't technically represent 27.0->26.0 map, but rather
current->26.0. We'll fully migrate to the scheme with future releases.

Bug: 67510052
Test: adding new public type only requires changing the latest compat map
Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8
2018-10-02 15:10:13 -07:00
Tri Vo
e3f4f77d39 Don't require private types in mapping file.
Private types are not visible to vendor/odm policy, so we don't need mapping
entries for them.

We build platform-only public policy .cil file and give it as input to
treble_sepolicy_tests. Using this public policy the test can now figure out if
the newly added type is in public or private.

Bug: 116344577
Test: adding public type triggers mapping test failure, adding private type does
not.
Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-28 17:22:25 -07:00
Steven Moreland
c7670e5c55 Apply '--fake-treble' flag to the intended devices
(for the build-time tests)

treble_sepolicy_tests applies tests to the SEPolicy for devices which
implement the SEPolicy split introduced in Android O. For devices which
turn this on and also implement all of the other requirements which
together compose PRODUCT_FULL_TREBLE, these tests help ensure that the
backwards compatibility which this feature adds is possible.

When this test was originally written, devices which specified
PRODUCT_FULL_TREBLE_OVERRIDE were only those devices with a
PRODUCT_SHIPPING_API_LEVEL of < 26. This allowed them to update to use
these features but maintain some legacy behaviors. For these devices,
to achieve the same backwards compatibility guarantees, much
other/extra work would have to be done (if it is possible at all).

Since that time, a new category of devices take advantage of
PRODUCT_FULL_TREBLE_OVERRIDE. These devices must either not define a
PRODUCT_SHIPPING_API_LEVEL or they apply this flag even though it is
not required to be applied. For these cases, the full test suite not
being run has caused problems because these failures aren't discovered
until later (when compliance tests are run).

Fixes: 112933807
Test: treble_sepolicy_tests on marlin, walleye, and 'some other device'
    (mma here runs this with the correct parameters)

Change-Id: I04c42d3cb86cda3c82f285919b40ba94e1332daa
2018-09-07 16:29:26 -07:00
Jae Shin
1fa9634896 Add mapping files for 28.0.[ignore.]cil
Steps taken to produce the mapping files:

1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng

2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statements (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add appropriate entries to 28.0.[ignore.]cil.

This change also enables treble_sepolicy_tests_28.0 and installs 28.0.cil
mapping onto the device.

Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c
2018-07-18 20:08:38 -07:00
Joel Galenson
c148621815 Use user policy for compatibility tests.
Use the user policy when running the compatibility tests.

Bug: 74344625
Test: Built policy for many devices.  Booted one device.
Test: Delete some compat rules, verify error on userdebug.
Change-Id: Ib2df2dfc06cdf55a839011e9a528e76160a9e436
2018-03-26 18:01:41 -07:00
Joel Galenson
8c72eea5ff Use user policy when checking neverallow rules.
When building userdebug or eng builds, we still want to build the user
policy when checking neverallow rules so that we can catch compile
errors.

Commit c0713e86 split out a helper function but lost one instance of
using user instead of the real variant.  This restores that one and
adds it to the neverallow check.

Bug: 74344625
Test: Added a rule that referred to a type defined only
in userdebug and eng and ensure we throw a compile error when building
userdebug mode.

Change-Id: I1a6ffbb36dbeeb880852f9cbac880f923370c2ae
(cherry picked from commit 053cb34130)
2018-03-08 09:57:54 -08:00
Tri Vo
1406926d09 Refactor build rule for treble sepolicy tests.
Bug: 69390067
Test: policy builds
Change-Id: I9b29a88ec071a17fc429892b5a8720b15fcbcf32
2018-02-27 14:26:31 -08:00