Commit graph

78 commits

Author SHA1 Message Date
Inseob Kim
2dac267dae Migrate seapp_contexts to Android.bp
Bug: 33691272
Test: build and boot
Test: atest SELinuxHostTest#testValidSeappContexts
Change-Id: I86f9d010d1628f9756cc152b4ee74dea1b9ff955
2021-12-29 17:54:57 +09:00
Inseob Kim
5bbcd68dcc Build recovery policy with Android.bp
Bug: 33691272
Test: enter recovery mode
Change-Id: Ifc38ed99e6615431d81ade76ec10ea4d34fbbf90
2021-12-28 17:51:51 +09:00
Inseob Kim
0de7fcc33a Migrate neverallow tests to Android.bp
A new module type se_neverallow_test is added, to migrate
sepolicy_neverallow modules. se_neverallow_test is affected by
SELINUX_IGNORE_NEVERALLOWS.

Bug: 33691272
Test: m selinux_policy
Test: intentionally create neverallow violations and m selinux_policy
Change-Id: I1582353f99f064ff78f3c547a0c13f2b772d54df
2021-12-28 10:23:22 +09:00
Inseob Kim
baee4a2cb6 Split compat and contexts part in Android.bp
Because Android.bp is getting bigger and bigger.

Test: build and boot
Test: set OVERRIDE_TARGET_FLATTEN_APEX=true and build
Change-Id: I397ce084bfbc98449d177dd553ff73fdfbdddcaf
2021-12-23 21:36:56 +09:00
Inseob Kim
6d3d5a6daf Fix contexts modules to use android:"path"
For now, contexts modules have been using se_filegroup modules, which
makes the build system logic unnecessarily complex. This change
refactors it to se_build_files modules and normal `android:"path"`
logic.

Test: build and boot
Change-Id: I52e557e2dc8300186869a97fddfd3a74183473f7
2021-12-23 21:36:27 +09:00
Inseob Kim
d144fa0333 Fix precompiled_sepolicy neverallow flag
Because we should ignore neverallow when SELINUX_IGNORE_NEVERALLOWS is
true.

Test: add a fake rule and build with/without SELINUX_IGNORE_NEVERALLOWS
Change-Id: I7811f5cef2243dae5b5de1154a36ab167871dc4f
2021-12-21 20:38:44 +09:00
Inseob Kim
3ac62fe9f6 Build vendor/odm sepolicies with Android.bp
The following files are built with Android.bp:
- vendor_sepolicy.cil
- odm_sepolicy.cil
- prebuilt_sepolicy

Also, prebuilt_policy.mk is removed as it's now redundant.

Bug: 33691272
Test: build and compare artifacts
Test: build with rvc-dev sepolicy
Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-20 21:16:39 +09:00
Inseob Kim
7cb20812b2 Use se_build_files for technical_debt.cil
It's a no-op for now, but it will be used when migrating vendor sepolicy
to Android.bp.

Bug: 33691272
Test: build and boot
Change-Id: Ie0015d31e4929e7bd3316505bfd6d338a5e9eada
2021-12-16 16:52:14 +09:00
Inseob Kim
0a707fadb2 Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.

This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?

This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    // se_build_files automatically adds plat public and reqd mask
    srcs: [":se_build_files{.system_ext_public}"],
}

to:

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    // se_policy_conf automatically sorts the input files
    srcs: [
        ":se_build_files{.plat_public}",
        ":se_build_files{.system_ext_public}",
        ":se_build_files{.reqd_mask}",
    ],
}

Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-10 00:31:53 +09:00
Inseob Kim
9dc6d70044 Remove 26.0 and 27.0 compat support
Treble doesn't support T system + O vendor, so removing 26.0 (N) and
27.0 (O) prebuilts and compat files.

Bug: 207815515
Test: build
Change-Id: I98d5972221a8e77f3c45fc48ff50bb2b8eb94275
2021-12-02 10:22:10 +09:00
Inseob Kim
bee558e4bb Add 32.0 mapping files
Steps taken to produce the mapping files:

1. Add prebuilts/api/32.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on sc-v2-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/32.0/vendor_sepolicy.cil
as an empty file.

When adding plat_pub_versioned.cil, leave only type and typeattribute
statements, removing the other statements: allow, neverallow, role, etc.

2. Add new file private/compat/32.0/32.0.cil by doing the following:
- copy /system/etc/selinux/mapping/32.0.cil from sc-v2-dev
aosp_arm64-eng device to private/compat/32.0/32.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 32 sepolicy.
Find all such types using treble_sepolicy_tests_32.0 test.
- for all these types figure out where to map them by looking at
31.0.[ignore.]cil files and add approprite entries to 32.0.[ignore.]cil.

This change also enables treble_sepolicy_tests_32.0 and installs
32.0.cil mapping file onto the device.

Bug: 206330997
Test: m treble_sepolicy_tests_32.0
Test: m 32.0_compat_test
Test: m selinux_policy
Change-Id: I8b2991e64e2f531ce12db7aaacad955e4e8ed687
2021-12-01 10:58:25 +09:00
Yuntao Xu
42e732c861 Split property/file/service contexts modules
1. Splitted plat_property_contexts, plat_file_contexts, and
plat_service_contexts so they can be included by the
CtsSecurityHostTestCases module.

2. Add temporary seapp_contexts Soong module, which are needed by the
CtsSecurityHostTestCases, and makefile_goal is an interim solution before
migrating both of them to Soong.

Bug: 194096505
Test: m CtsSecurityHostTestCases
Change-Id: I99ba55b1a89f196b3c8504e623b65960a9262165
2021-11-19 18:23:12 +09:00
Vova Sharaienko
919fa4f9fc Merge "Revert "Split property and file contexts modules"" 2021-11-18 17:56:09 +00:00
Vova Sharaienko
bec08097c9 Revert "Split property and file contexts modules"
Revert "Convert security/Android.mk to Android.bp"

Revert "Add seapp_contexts to allowlist of makefile goal"

Revert submission 1795972-Convert security/Android.mk to Android.bp

Reason for revert: http://b/206976319 Broken build 7928060 on aosp-master on sdk_arm64-sdk
Reverted Changes:
I0e0e7f677:Split property and file contexts modules
I5596d6f00:Add seapp_contexts to allowlist of makefile goal
If685e5ccc:Convert security/Android.mk to Android.bp

Change-Id: Ibbca0a17886d15b3fd7ecaf974a06df7107fd9aa
2021-11-18 17:29:01 +00:00
Yuntao Xu
1b76673577 Merge "Split property and file contexts modules" 2021-11-18 17:05:46 +00:00
Yifan Hong
28f9b97646 Merge changes from topic "servicemanager-recovery"
* changes:
  servicemanager: recovery write to kmsg.
  Add recovery service_contexts files.
2021-11-18 04:39:15 +00:00
Yifan Hong
d6b2901748 Add recovery service_contexts files.
This allows binder services to run in recovery.

Test: build them
Bug: 170338625
Change-Id: If8580c3fc1b3add87178365c58288126e61345b4
2021-11-16 20:54:17 -08:00
Yi-Yo Chiang
2c18965e27 Treblelize bug_map: split bug_map to multiple partitions
* plat_bug_map: Platform-specific bug_map definitions.
* system_ext_bug_map: Product-specific bug_map definitions.
* vendor_bug_map: SOC-specific bug_map definitions.

Bug: 177977370
Test: Boot and check auditd logs
Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
2021-11-08 22:44:34 +08:00
Inseob Kim
1b965988b7 Split property and file contexts modules
1. Splitted plat_property_contexts and plat_file_contexts so that they
can be included by the CtsSecurityHostTestCases module;
2. Add temporary seapp_contexts Soong module, which are needed by the
CtsSecurityHostTestCases, and makefile_goal is an interim solution before
migrating both of them to Soong.

Bug: 194096505
Test: m CtsSecurityHostTestCases
Change-Id: I0e0e7f6778d42ab2fdae3a181f40216fe6719e7c
2021-11-08 15:44:29 +09:00
Yi-Yo Chiang
68478b1f1a Dist userdebug_plat_sepolicy.cil to facilitate VTS testing
repack_bootimg can use the userdebug_plat_sepolicy.cil artifact to
prepare a debuggable boot image for VTS testing.

(TODO in follow-up) The eliminates the need for GSI
boot-with-debug-ramdisk-*.img, and we can skip building them to
conserve build resources.

Bug: 202129499
Test: m out/target/product/generic_arm64/userdebug_plat_sepolicy.cil
Test: Check presubmit artifacts include userdebug_plat_sepolicy.cil
Change-Id: I7629e462d4febd05ebe8a89a7bc00e8724dcb4a4
2021-10-16 03:23:05 +08:00
Inseob Kim
4d90b7e78b Migrate system sepolicy binaries to Soong
Bug: 33691272
Test: m selinux_policy
Test: boot microdroid
Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-28 01:21:39 +00:00
Treehugger Robot
dc4ea6a681 Merge "Migrate freeze test to Soong" 2021-09-27 11:05:19 +00:00
Yi-Yo Chiang
857ffc429f Reland: Add system_ext_userdebug_plat_sepolicy.cil for GSI
system_ext_userdebug_plat_sepolicy.cil is a copy of
userdebug_plat_sepolicy.cil (debug_ramdisk) that's installed in the
system_ext partition.
The build rule is gated by a BoardConfig variable, so products other
than GSI cannot accidentally install this module.

Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
  gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I75183e2dfdb434aee0b015b1627c9e23b4f3437f
2021-09-23 14:26:49 +00:00
Santiago Seifert
498df59c64 Revert "Add system_ext_userdebug_plat_sepolicy.cil for GSI"
Revert submission 1824717-gsi_debug_policy

Reason for revert: Breaks the build (see b/200933187).
Reverted Changes:
I37ef02628:Add a copy of debug policy to GSI system image
I9c3dad8bb:Add PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
I43adc6ada:Add system_ext_userdebug_plat_sepolicy.cil for GSI...
I4d6235c73:Add /system_ext/etc/selinux/ to the debug policy s...

Change-Id: I22da171e7b6628cb4c5f28f316ee317fe28761c2
2021-09-23 13:07:25 +00:00
Yi-Yo Chiang
814f3deb94 Add system_ext_userdebug_plat_sepolicy.cil for GSI
system_ext_userdebug_plat_sepolicy.cil is a copy of
userdebug_plat_sepolicy.cil (debug_ramdisk) that's installed in the
system_ext partition.
The build rule is gated by a BoardConfig variable, so products other
than GSI cannot accidentally install this module.

Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
  gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I43adc6adad5e08dcc8e106d18fdacef962310883
2021-09-17 20:27:28 +08:00
Inseob Kim
d58166165a Migrate freeze test to Soong
Bug: 33691272
Test: m selinux_policy on sc-dev
Change-Id: Ie536d885034e5d888f1329ac189fd0bf9723a6c4
2021-09-16 05:08:56 +00:00
Inseob Kim
4f20ff73ee Add 31.0 mapping files
Steps taken to produce the mapping files:

1. Add prebuilts/api/31.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on sc-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/31.0/vendor_sepolicy.cil
as an empty file.

2. Add new file private/compat/31.0/31.0.cil by doing the following:
- copy /system/etc/selinux/mapping/31.0.cil from sc-dev aosp_arm64-eng
device to private/compat/31.0/31.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 31 sepolicy.
Find all such types using treble_sepolicy_tests_31.0 test.
- for all these types figure out where to map them by looking at
30.0.[ignore.]cil files and add approprite entries to 31.0.[ignore.]cil.

This change also enables treble_sepolicy_tests_31.0 and installs
31.0.cil mapping file onto the device.

Bug: 189161483
Test: m treble_sepolicy_tests_31.0
Test: m 31.0_compat_test
Test: m selinux_policy
Change-Id: I6264b9cf77b80543dfea93157b45b864157e2b14
2021-06-15 12:08:22 +00:00
Inseob Kim
5d269aaa55 Remove microdroid specific rules and files
These are moved to packages/modules/Virtualization.

Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
2021-06-07 19:22:18 +09:00
Inseob Kim
58f2b83eaa Merge "Adding sepolicy testcase for system_ext and product." 2021-05-20 09:25:14 +00:00
P.Adarsh Reddy
07dd59ff14 Adding sepolicy testcase for system_ext and product.
Types defined in system_ext/public or product/public
can be referenced by vendor side so it is important
to make sure functionality is not broken across version
bumps. So we are adding the treble sepolicy test cases
for system_ext and product sepolicy.

Bug: 173571515
Change-Id: Ia45979497029f83b1ae6712d2d26ffab263a7f91
2021-05-12 18:14:26 +05:30
Inseob Kim
731182a4a1 Migrate precompiled sepolicy hashes to Android.bp
Bug: 33691272
Test: build with odm and build without odm
Test: boot and see precompiled sepolicy used
Change-Id: Id84cca38f81ba3ecf7480d41a704085c7fff8b87
2021-05-06 11:44:37 +00:00
Inseob Kim
6cc75f4587 Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp"
This reverts commit a46d61cd3f.

Reason for revert: fixed debug_ramdisk partition problem

Change-Id: If2350f115f5ff74ee50dac4e5a87c4d171067282
2021-04-30 14:53:25 +09:00
Inseob Kim
1c056b1ad0 Add sepolicy_vers for plat_sepolicy_vers.txt
plat_sepolicy_vers.txt stores the version of vendor policy. This change
adds sepolicy_vers module to migrate plat_sepolicy_vers.txt to
Android.bp.

- Device's plat_sepolicy_vers: should be BOARD_SEPOLICY_VERS
- Microdroid's plat_sepolicy_vers: should be PLATFORM_SEPOLICY_VERSION
because all microdroid artifacts are bound to platform

Bug: 33691272
Test: boot device && boot microdroid
Change-Id: Ida293e1cb785b44fa1d01543d52d3f8e15b055c2
2021-04-30 00:17:39 +09:00
Inseob Kim
a46d61cd3f Revert^3 "Build userdebug_plat_sepolicy.cil with Android.bp"
e10ceab330

Change-Id: Ia1b38d6b709edb0e819ea4700e70ba68b1b61332
2021-04-22 23:14:58 +00:00
Florian Mayer
e10ceab330 Revert^2 "Build userdebug_plat_sepolicy.cil with Android.bp"
0177004c7f

Change-Id: I40aa5025d487922decd9909c0d35c9e3a6b8dd61
2021-04-22 16:38:47 +00:00
Bowgo Tsai
0177004c7f Revert "Build userdebug_plat_sepolicy.cil with Android.bp"
This reverts commit 57b64bd282.

Because it breaks the usage of boot-debug.img and
vendor_boot-debug.img.

Bug: 185970130
Bug: 185990198
Test: make bootimage_debug
Change-Id: I2c7c4f9954540a9be301b3ed0a6c2f0af2019803
2021-04-22 09:55:21 +08:00
Inseob Kim
57b64bd282 Build userdebug_plat_sepolicy.cil with Android.bp
Bug: 33691272
Test: build and see $OUT/debug_ramdisk
Change-Id: I7994857a3dd4e54f2c2d35ff8e362ecae93ea7a2
2021-04-14 15:54:26 +09:00
Yi-Yo Chiang
a22511269f Change $(ver).compat.cil from prebuilt_etc to se_compat_cil
Use the new se_compat_cil module type to install compatibility cil
files.

Bug: 183362912
Test: Presubmit; Noop in terms of build artifact.
Change-Id: I5275e9ce524185ce2d228133763456df43834093
2021-04-13 02:58:21 +08:00
Yi-Yo Chiang
8be93c00b1 Add system_ext_$(ver).compat.cil
These are the system_ext counterpart of $(ver).compat.cil. They would
contain device specific compat rules that compliment $(ver).compat.cil,
which are the platform specific compat rules.

Bug: 183362912
Test: Add a $(ver).compat.cil under SYSTEM_EXT_PRIVATE_SEPOLICY_DIR and
  verify the file is installed under /system_ext/etc/selinux/mapping/
Change-Id: I2fb9b10bb3bcf112e33f504964fb705e3b63782b
2021-04-13 02:58:21 +08:00
Inseob Kim
39fbcf7c96 Add plat_vendor tag to se_build_files for microdroid
plat_vendor tag consists of vendor available policies in system/sepolicy
directory, and is for minimized vendor policies.

Bug: 33691272
Test: boot microdroid
Change-Id: Icb3c1be02ee41b526d7d95f0053e56bf8b34f49d
2021-04-05 09:50:47 +00:00
Inseob Kim
50375ce708 Migrate micordroid genrules to selinux module
Bug: 33691272
Test: boot microdroid, see selinux works
Change-Id: Ic360604edb1b75e94d06a7961ea60ea46a34aa68
2021-03-30 13:14:27 +09:00
Inseob Kim
039175bcfe Migrate mapping files to Android.bp
Bug: 33691272
Test: boot cf && boot microdroid && see precompiled sepolicy works
Change-Id: I92c9cb873506d24b335cc0fd489269df216280be
2021-03-25 07:42:52 +00:00
Inseob Kim
002d9262fa Update TODO bug number
Test: N/A
Change-Id: Ie0bece3d965274a1639365ad00323cfce4458d4b
2021-03-24 17:10:44 +09:00
Inseob Kim
a49e724038 Reland "Build platform side policy with Soong"
This reverts commit d869d02758.

Reason for revert: fixed breakage

The breakage was due to the difference between plat_sepolicy.conf and
microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with
se_policy_conf module, so it is synced with plat_sepolicy.conf

Test: boot microdroid with and without SANITIZE_TARGET=address
Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
2021-03-22 13:40:13 +09:00
Inseob Kim
d869d02758 Revert "Build platform side policy with Soong"
This reverts commit 7629e86053.

Reason for revert: broke build

Change-Id: I97dc1ea78901cab62404780e7ee096ad45c0b21b
2021-03-19 07:04:51 +00:00
Inseob Kim
7629e86053 Build platform side policy with Soong
This replaces the following policy files with Android.bp modules:

  - reqd_policy_mask.cil
  - plat_sepolicy.cil
  - system_ext_sepolicy.cil
  - product_sepolicy.cil
  - plat_pub_policy.cil
  - system_ext_pub_policy.cil
  - pub_policy.cil
  - general_sepolicy.conf (for CTS)

Also microdroid's system policy now uses above.

Bug: 33691272
Bug: 178993690
Test: policy files stay same
Test: boot normal device and microdroid, see sepolicy works
Test: build CtsSecurityHostTestCases
Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
2021-03-18 19:54:35 +09:00
Inseob Kim
619e4a7a82 Add se_build_files module
se_build_files module globs given srcs from sepolicy directories and
acts as a filegroup with the following tags, which can be used to build
system side policy files.

- plat
- plat_public
- system_ext
- system_ext_public
- product
- product_public
- reqd_mask

se_build_files module acts like the build_policy macro in Android.mk.
Normal genrule module can't easily handle that, because both file order
and directory order matter.

Support for vendor/odm is to be added in the future.

Bug: 33691272
Test: inspect se_build_files with above tags and compare it to ninja
Change-Id: Id7c57b01c78fc14ac5e8eeeb074a6fc21d271e84
2021-03-16 10:22:09 +09:00
Jiyong Park
cc9a09953b Fix a build error reguarding build_sepolicy
build_sepolicy internally uses other tools like checkpolicy and
version_policy. The dependencies are used to be found under
out/host/linux-x86/bin. But that assumption doesn't hold when soong
tried to sandbox command invocations. This change fixes the problem by
setting --android_host_path to the directory where build_sepolicy is
sandboxed and also by adding the internal dependeicies to the `tools`
property so that they are copied to the sandbox directory.

Bug: N/A
Test: choosecombo into aosp_x86_64 and run
m out/soong/.intermediates/system/sepolicy/microdroid_vendor_sepolicy.cil_gen/gen/vendor_sepolicy.cil

Change-Id: I28ae1f9013439f3ca1196b3816e0388ced5246e1
2021-03-04 00:02:15 +09:00
Jiyong Park
d89564e95d Reland "Build sepolicy files for microdroid_vendor"
This reverts commit 2c2c1f7c00.

Reason for revert: reland with a forward fix
Test: m on aosp_x86_64

Change-Id: I5c89ebeda88ca65286dff1e64841c2ada8634d34
2021-03-04 00:02:04 +09:00
Adrian Roos
2c2c1f7c00 Revert "Build sepolicy files for microdroid_vendor"
Revert submission 1609095-microdroid_vendor

Reason for revert: Breaks aosp_x86_64-userdebug build
Reverted Changes:
I82a66a00a:Add microdroid_vendor
I88eec6e1f:Build sepolicy files for microdroid_vendor

Bug: 180986662
Fixes: 181756343
Change-Id: Ie390d17ee99bae83fb98baaa3c3a1ca8d95c3919
2021-03-03 14:02:56 +00:00