A new module type se_neverallow_test is added, to migrate
sepolicy_neverallow modules. se_neverallow_test is affected by
SELINUX_IGNORE_NEVERALLOWS.
Bug: 33691272
Test: m selinux_policy
Test: intentionally create neverallow violations and m selinux_policy
Change-Id: I1582353f99f064ff78f3c547a0c13f2b772d54df
Because Android.bp is getting bigger and bigger.
Test: build and boot
Test: set OVERRIDE_TARGET_FLATTEN_APEX=true and build
Change-Id: I397ce084bfbc98449d177dd553ff73fdfbdddcaf
For now, contexts modules have been using se_filegroup modules, which
makes the build system logic unnecessarily complex. This change
refactors it to se_build_files modules and normal `android:"path"`
logic.
Test: build and boot
Change-Id: I52e557e2dc8300186869a97fddfd3a74183473f7
Because we should ignore neverallow when SELINUX_IGNORE_NEVERALLOWS is
true.
Test: add a fake rule and build with/without SELINUX_IGNORE_NEVERALLOWS
Change-Id: I7811f5cef2243dae5b5de1154a36ab167871dc4f
The following files are built with Android.bp:
- vendor_sepolicy.cil
- odm_sepolicy.cil
- prebuilt_sepolicy
Also, prebuilt_policy.mk is removed as it's now redundant.
Bug: 33691272
Test: build and compare artifacts
Test: build with rvc-dev sepolicy
Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
It's a no-op for now, but it will be used when migrating vendor sepolicy
to Android.bp.
Bug: 33691272
Test: build and boot
Change-Id: Ie0015d31e4929e7bd3316505bfd6d338a5e9eada
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
Treble doesn't support T system + O vendor, so removing 26.0 (N) and
27.0 (O) prebuilts and compat files.
Bug: 207815515
Test: build
Change-Id: I98d5972221a8e77f3c45fc48ff50bb2b8eb94275
Steps taken to produce the mapping files:
1. Add prebuilts/api/32.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on sc-v2-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/32.0/vendor_sepolicy.cil
as an empty file.
When adding plat_pub_versioned.cil, leave only type and typeattribute
statements, removing the other statements: allow, neverallow, role, etc.
2. Add new file private/compat/32.0/32.0.cil by doing the following:
- copy /system/etc/selinux/mapping/32.0.cil from sc-v2-dev
aosp_arm64-eng device to private/compat/32.0/32.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 32 sepolicy.
Find all such types using treble_sepolicy_tests_32.0 test.
- for all these types figure out where to map them by looking at
31.0.[ignore.]cil files and add approprite entries to 32.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_32.0 and installs
32.0.cil mapping file onto the device.
Bug: 206330997
Test: m treble_sepolicy_tests_32.0
Test: m 32.0_compat_test
Test: m selinux_policy
Change-Id: I8b2991e64e2f531ce12db7aaacad955e4e8ed687
1. Splitted plat_property_contexts, plat_file_contexts, and
plat_service_contexts so they can be included by the
CtsSecurityHostTestCases module.
2. Add temporary seapp_contexts Soong module, which are needed by the
CtsSecurityHostTestCases, and makefile_goal is an interim solution before
migrating both of them to Soong.
Bug: 194096505
Test: m CtsSecurityHostTestCases
Change-Id: I99ba55b1a89f196b3c8504e623b65960a9262165
Revert "Convert security/Android.mk to Android.bp"
Revert "Add seapp_contexts to allowlist of makefile goal"
Revert submission 1795972-Convert security/Android.mk to Android.bp
Reason for revert: http://b/206976319 Broken build 7928060 on aosp-master on sdk_arm64-sdk
Reverted Changes:
I0e0e7f677:Split property and file contexts modules
I5596d6f00:Add seapp_contexts to allowlist of makefile goal
If685e5ccc:Convert security/Android.mk to Android.bp
Change-Id: Ibbca0a17886d15b3fd7ecaf974a06df7107fd9aa
1. Splitted plat_property_contexts and plat_file_contexts so that they
can be included by the CtsSecurityHostTestCases module;
2. Add temporary seapp_contexts Soong module, which are needed by the
CtsSecurityHostTestCases, and makefile_goal is an interim solution before
migrating both of them to Soong.
Bug: 194096505
Test: m CtsSecurityHostTestCases
Change-Id: I0e0e7f6778d42ab2fdae3a181f40216fe6719e7c
repack_bootimg can use the userdebug_plat_sepolicy.cil artifact to
prepare a debuggable boot image for VTS testing.
(TODO in follow-up) The eliminates the need for GSI
boot-with-debug-ramdisk-*.img, and we can skip building them to
conserve build resources.
Bug: 202129499
Test: m out/target/product/generic_arm64/userdebug_plat_sepolicy.cil
Test: Check presubmit artifacts include userdebug_plat_sepolicy.cil
Change-Id: I7629e462d4febd05ebe8a89a7bc00e8724dcb4a4
system_ext_userdebug_plat_sepolicy.cil is a copy of
userdebug_plat_sepolicy.cil (debug_ramdisk) that's installed in the
system_ext partition.
The build rule is gated by a BoardConfig variable, so products other
than GSI cannot accidentally install this module.
Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I75183e2dfdb434aee0b015b1627c9e23b4f3437f
Revert submission 1824717-gsi_debug_policy
Reason for revert: Breaks the build (see b/200933187).
Reverted Changes:
I37ef02628:Add a copy of debug policy to GSI system image
I9c3dad8bb:Add PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
I43adc6ada:Add system_ext_userdebug_plat_sepolicy.cil for GSI...
I4d6235c73:Add /system_ext/etc/selinux/ to the debug policy s...
Change-Id: I22da171e7b6628cb4c5f28f316ee317fe28761c2
system_ext_userdebug_plat_sepolicy.cil is a copy of
userdebug_plat_sepolicy.cil (debug_ramdisk) that's installed in the
system_ext partition.
The build rule is gated by a BoardConfig variable, so products other
than GSI cannot accidentally install this module.
Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I43adc6adad5e08dcc8e106d18fdacef962310883
Steps taken to produce the mapping files:
1. Add prebuilts/api/31.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on sc-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/31.0/vendor_sepolicy.cil
as an empty file.
2. Add new file private/compat/31.0/31.0.cil by doing the following:
- copy /system/etc/selinux/mapping/31.0.cil from sc-dev aosp_arm64-eng
device to private/compat/31.0/31.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 31 sepolicy.
Find all such types using treble_sepolicy_tests_31.0 test.
- for all these types figure out where to map them by looking at
30.0.[ignore.]cil files and add approprite entries to 31.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_31.0 and installs
31.0.cil mapping file onto the device.
Bug: 189161483
Test: m treble_sepolicy_tests_31.0
Test: m 31.0_compat_test
Test: m selinux_policy
Change-Id: I6264b9cf77b80543dfea93157b45b864157e2b14
These are moved to packages/modules/Virtualization.
Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
Types defined in system_ext/public or product/public
can be referenced by vendor side so it is important
to make sure functionality is not broken across version
bumps. So we are adding the treble sepolicy test cases
for system_ext and product sepolicy.
Bug: 173571515
Change-Id: Ia45979497029f83b1ae6712d2d26ffab263a7f91
Bug: 33691272
Test: build with odm and build without odm
Test: boot and see precompiled sepolicy used
Change-Id: Id84cca38f81ba3ecf7480d41a704085c7fff8b87
plat_sepolicy_vers.txt stores the version of vendor policy. This change
adds sepolicy_vers module to migrate plat_sepolicy_vers.txt to
Android.bp.
- Device's plat_sepolicy_vers: should be BOARD_SEPOLICY_VERS
- Microdroid's plat_sepolicy_vers: should be PLATFORM_SEPOLICY_VERSION
because all microdroid artifacts are bound to platform
Bug: 33691272
Test: boot device && boot microdroid
Change-Id: Ida293e1cb785b44fa1d01543d52d3f8e15b055c2
This reverts commit 57b64bd282.
Because it breaks the usage of boot-debug.img and
vendor_boot-debug.img.
Bug: 185970130
Bug: 185990198
Test: make bootimage_debug
Change-Id: I2c7c4f9954540a9be301b3ed0a6c2f0af2019803
Use the new se_compat_cil module type to install compatibility cil
files.
Bug: 183362912
Test: Presubmit; Noop in terms of build artifact.
Change-Id: I5275e9ce524185ce2d228133763456df43834093
These are the system_ext counterpart of $(ver).compat.cil. They would
contain device specific compat rules that compliment $(ver).compat.cil,
which are the platform specific compat rules.
Bug: 183362912
Test: Add a $(ver).compat.cil under SYSTEM_EXT_PRIVATE_SEPOLICY_DIR and
verify the file is installed under /system_ext/etc/selinux/mapping/
Change-Id: I2fb9b10bb3bcf112e33f504964fb705e3b63782b
plat_vendor tag consists of vendor available policies in system/sepolicy
directory, and is for minimized vendor policies.
Bug: 33691272
Test: boot microdroid
Change-Id: Icb3c1be02ee41b526d7d95f0053e56bf8b34f49d
This reverts commit d869d02758.
Reason for revert: fixed breakage
The breakage was due to the difference between plat_sepolicy.conf and
microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with
se_policy_conf module, so it is synced with plat_sepolicy.conf
Test: boot microdroid with and without SANITIZE_TARGET=address
Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
This replaces the following policy files with Android.bp modules:
- reqd_policy_mask.cil
- plat_sepolicy.cil
- system_ext_sepolicy.cil
- product_sepolicy.cil
- plat_pub_policy.cil
- system_ext_pub_policy.cil
- pub_policy.cil
- general_sepolicy.conf (for CTS)
Also microdroid's system policy now uses above.
Bug: 33691272
Bug: 178993690
Test: policy files stay same
Test: boot normal device and microdroid, see sepolicy works
Test: build CtsSecurityHostTestCases
Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
se_build_files module globs given srcs from sepolicy directories and
acts as a filegroup with the following tags, which can be used to build
system side policy files.
- plat
- plat_public
- system_ext
- system_ext_public
- product
- product_public
- reqd_mask
se_build_files module acts like the build_policy macro in Android.mk.
Normal genrule module can't easily handle that, because both file order
and directory order matter.
Support for vendor/odm is to be added in the future.
Bug: 33691272
Test: inspect se_build_files with above tags and compare it to ninja
Change-Id: Id7c57b01c78fc14ac5e8eeeb074a6fc21d271e84
build_sepolicy internally uses other tools like checkpolicy and
version_policy. The dependencies are used to be found under
out/host/linux-x86/bin. But that assumption doesn't hold when soong
tried to sandbox command invocations. This change fixes the problem by
setting --android_host_path to the directory where build_sepolicy is
sandboxed and also by adding the internal dependeicies to the `tools`
property so that they are copied to the sandbox directory.
Bug: N/A
Test: choosecombo into aosp_x86_64 and run
m out/soong/.intermediates/system/sepolicy/microdroid_vendor_sepolicy.cil_gen/gen/vendor_sepolicy.cil
Change-Id: I28ae1f9013439f3ca1196b3816e0388ced5246e1
This reverts commit 2c2c1f7c00.
Reason for revert: reland with a forward fix
Test: m on aosp_x86_64
Change-Id: I5c89ebeda88ca65286dff1e64841c2ada8634d34