bug_map is not picked up correctly when BOARD_VENDOR_SEPOLICY_DIRS is
used. And BOARD_SEPOLICY_DIRS is deprecated.
Test: m selinux_policy
Change-Id: I1dcc6ac6f7b6d0f41f29d5894bef81f3fbf841e6
Steps taken to produce the mapping files:
1. Add prebuilts/api/29.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
plat_pub_versioned.cil contains all public attributes and types from Q
Leave vendor_sepolicy.cil is empty.
2. Add new file private/compat/29.0/29.0.cil by doing the following:
- copy /system/etc/selinux/mapping/29.0.cil from pi-dev aosp_arm64-eng
device to private/compat/29.0/29.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 29 sepolicy.
Find all such types using treble_sepolicy_tests_29.0 test.
- for all these types figure out where to map them by looking at
28.0.[ignore.]cil files and add approprite entries to 29.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_29.0 and installs
29.0.cil mapping file onto the device.
Bug: 133155528
Bug: 133196056
Test: m treble_sepolicy_tests_29.0
Test: m 29.0_compat_test
Test: m selinux_policy
Change-Id: I9e83e9bf118c8b8f8fcf84d5c0dcb6eb588e0d55
*_context_test / sepolicy_tests / treble_sepolicy_tests_* /
sepolicy_freeze_test files are installed on /system/etc.
By being FAKE modules, test files are not installed on target.
Additionally, we need to set up dependency from droidcore to
selinux_policy to make tests run on normal builds (m).
Bug: 133460071
Test: m & see if tests run and no test files on /system/etc
Test: m selinux_policy & see if tests run
Change-Id: Icacf004d5c1c8ec720c7cedef7bae8aa648cbe49
Steps taken to produce the mapping files:
1. Add prebuilts/api/29.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
plat_pub_versioned.cil contains all public attributes and types from Q
Leave vendor_sepolicy.cil is empty.
2. Add new file private/compat/29.0/29.0.cil by doing the following:
- copy /system/etc/selinux/mapping/29.0.cil from pi-dev aosp_arm64-eng
device to private/compat/29.0/29.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 29 sepolicy.
Find all such types using treble_sepolicy_tests_29.0 test.
- for all these types figure out where to map them by looking at
28.0.[ignore.]cil files and add approprite entries to 29.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_29.0 and installs
29.0.cil mapping file onto the device.
Bug: 133155528
Bug: 133196056
Test: m treble_sepolicy_tests_29.0
Test: m 29.0_compat_test
Test: m selinux_policy
Change-Id: I59f6251e9baa6527a358dec024e9fae62388db2b
This is to migrate sepolicy Makefiles into Soong. For the first part,
file_contexts, hwservice_contexts, property_contexts, and
service_contexts are migrated. Build-time tests for contexts files are
still in Makefile; they will also be done with Soong after porting the
module sepolicy.
The motivation of migrating is based on generating property_contexts
dynamically: if we were to amend contexts files at build time in the
future, it would be nicer to manage them in Soong. To do that, building
contexts files with Soong can be very helpful.
Bug: 127949646
Bug: 129377144
Test: 1) Build blueline-userdebug, flash, and boot.
Test: 2) Build blueline-userdebug with TARGET_FLATTEN_APEX=true, flash,
and boot.
Test: 3) Build aosp_arm-userdebug.
Change-Id: I576f6f20686f6f2121204f76657274696d652121
The userdebug sepolicy will be installed into debug ramdisk.
When the ramdisk is used, the device must be unlocked and init will load
this userdebug version of platform sepolicy to allow adb root.
Bug: 126493225
Test: 'make' and checks that the userdebug sepolicy is in debug ramdisk
Change-Id: I9df514054a86d63449b3ebfd1afdee2aee649418
Init needs to be aware of the policy version defined in sepolicy
for on-device compilation.
Bug: 124499219
Test: build and boot a device. Try both precompiled and on-device
compiled policy.
Change-Id: Iba861aeb4566405aedcbe3c2bad48e1e50126370
Simplifies our reasoning about product hashes. They are either
present on both sides of the Treble boundary or not.
Might be worth installing all four hashes unconditionally in the future.
Fixes: 123996710
Test: boot taimen, precompiled policy loaded
Change-Id: I749e4b0cc4c85870407a10b7d41a2e2001a75ffb
BOARD_PLAT_*_SEPOLICY_DIR extends system sepolicy.
PRODUCT_PUBLIC_SEPOLICY_DIRS and PRODUCT_PRIVATE_SEPOLICY_DIRS now
specify locations of public and private product sepolicy respectively.
Bug: 119305624
Test: m selinux_policy
Change-Id: I48d491f0dd22020d96ff0243142153871d2d6b2b
When TARGET_FLATTEN_APEX=true, APEX files are not packaged in *.apex
files but flattened to the system partition under /system/apex/<name>
directories. There was a bug that those flattened files are not labeled
because the per-APEX file_contexts were applied only when building
*.apex. Fixing this by converting the file_contexts files so that
/system/apex/<name> path is prepended and applying the generated
file_contexts file for system.img when TARGET_FLATTEN_APEX=true.
Bug: 123314817
Test: TARGET_FLATTEN_APEX=true m
ls -alZ /system/apex/*/* shows that the files are correctly labeled
Change-Id: Ia82740a1da0083d5bcfd71354a6d374d2a918342
system/sepolicy/Android.mk has become too large (~2k lines) and hard to
navigate. This patch reorganizes build rules for convenience. No
functional changes are made.
Test: m selinux_policy
Change-Id: I9a022b223b2387a4475da6d8209d561bfea228fb
selinux_denial_metadate is an concatenation of different bug maps on the
device, including vendor one. This file is only used for debugging, so
we simply move it to /vendor instead of splitting it up.
/vendor/etc/selinux/selinux_denial_metadata has vendor_configs_file
selinux type, which is logd readable.
Bug: 5159394
Test: bug information is still preserved in avc logs, e.g.
audit(0.0:248): avc: denied { read } for
name="u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=18012
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=0
b/79617173 app=com.android.systemui
Change-Id: Id5eb9abd3bdeed92feb2aca40880903533468d50
We need to be able to tell if /system was updated independently
/product, and vice versa. Otherwise, the device might accidentally load
the precompiled_policy after a /product sepolicy update.
Also change the name of the hash file to more closely reflect how its
generated.
Bug: 119305624
Test: boot aosp_taimen, precompiled policy is loaded
Test: If either of these hashes
/system/etc/selinux/plat_sepolicy_and_mapping.sha256
/product/etc/selinux/product_sepolicy_and_mapping.sha256
are removed, then init falls back to compiling sepolicy at boot time.
Change-Id: I14af81c8d3c5cb85c01592518e22077a8c8c3e5e
Both mapping files need to be included when building sepolicy at boot
time.
Bug: 119305624
Test: boot taimen
Test: "cnd" type is declared in /vendor; "dataservice_app" type is
declared in /product. This permission is preserved
"allow cnd dataservice_app:binder { transfer call };"
Change-Id: I138f34208ea05e170defd2b4ef4700ffa81f9573
Public policy that is available to vendor (and odm) sepolicy is a
combination of system and product public sepolicy. Since "plat_" prefix
implies a pure system sepolicy component, drop "plat_" prefix from
"plat_pub_policy" to be consistent with naming in this file.
Bug: 119305624
Test: m selinux_policy
Change-Id: Iaf094702556ce97371fa1c58c01d707103d7f7d6
Mapping files for previous releases are unconditionally packaged on the
device. No need to account for case when BOARD_SEPOLICY_VERS and
PLATFORM_SEPOLICY_VERSION are different.
Bug: 119305624
Test: m selinux_policy
Change-Id: I36c3c43f96870d9a71adf91c8fb8926587c5a50e
This line always prints when building master branch, it's not
particularly useful.
system/sepolicy/Android.mk:77: warning: BOARD_SEPOLICY_VERS not
specified, assuming current platform version
Test: build
Change-Id: I52f8dc2a77966bc0c21168b1339f3029185e5339
This change installs *_contexts files to the same location on Treble and
non-Treble devices.
This was previously not possible because first stage mount was not
required on all platforms. It is now b/79758715.
Bug: 70851112
Test: m selinux_policy
Change-Id: I8124c59b129aef86d78d2ae4ebcfaecd896032fc
sed "-i" flag on Mac has different syntax than on Linux. Replace use of
sed with grep.
A simple fix like this should suffice for this case, but ideally, we
should maintain our own utils instead of using tools on the host
machine.
Fixes: 121235932
Test: m selinux_policy
Change-Id: I46c3bdb90bf7de48d2c942b15a65ce82ae3041c5
Product-specific sepolicy will be installed into /product/etc/selinux/*.
This change separates out /product/etc/selinux/product_sepolicy.cil out
of system sepolicy.
This file is merged into precompiled_sepolicy at build-time. In case
precompiled_sepolicy can't be used (e.g. system-only-ota), init wll
merge this file with the rest of the sepolicy at runtime.
I left TODOs to separate other product-specific SELinux artifacts out of
system.
Bug: 119305624
Test: boot aosp_taimen with product_sepolicy.cil
Test: build selinux_policy for aosp_arm64; no product_sepolicy.cil
produced
Change-Id: Idb84a1c8ceb2de78f1460d954497c53fed08935f
grep can potentially run out of memory on Mac builds for large input
files. So we add a python util to handle filtering out files.
We will also need this util to filter plat_sepolicy.cil out of
product_sepolicy.cil
Bug: 119305624
Test: boot aosp_taimen
Change-Id: I61cd68f407ea5de43a06bf522a5fc149e5067e8c
It doesn't seem like any of our (Google's) devices use
BOARD_ODM_SEPOLICY_DIRS, but this will be helpful for partners.
Also, use BOARD_VENDOR_SEPOLICY_DIRS instead BOARD_SEPOLICY_DIRS for
readability.
Bug: n/a
Test: m selinux_policy
Change-Id: I23f64a24d51ccdb8aa616d0fd8a06d70b6efed32
All these modules are being unconditionally added to
LOCAL_REQUIRED_MODULES a few lines down.
Test: make
Change-Id: I474c5d41e1a6dd34fd2c2f2d10299048df4c2b70
The SELinux policy language supports an expandattribute statement.
Similar to the C "inline" declaration, this expands the permissions
associated with types, instead of using the attribute directly. Please
see
1089665e31
for more detail on this language option.
Expansion of attributes causes consistency problems with CTS. If a
neverallow rule exists which refers to an expanded attribute, the CTS
neverallow test will fail, because the policy does not have the
attribute embedded in it. Examples:
* b/119783042 (fixed in 536d3413b8)
* b/67296580 (fixed in 6f7e8609f9)
* b/63809360 (fixed in 89f215e6a0)
etc...
Instead of waiting for the CTS test to fail, modify the Android.mk file
so that we do checks similar to CTS. This allows us to fail at compile
time instead of waiting for a CTS bug. For example, for b/119783042,
instead of the compile succeeding, it will now fail with the following
error message:
[ 70% 190/268] build out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c
30 -o out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/policy.conf ) &&
(out/host/linux-x86/bin/sepolicy-analyze
out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
neverallow -w -f out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/policy_2.conf
|| ( echo \"\" 1>&2; echo \"sepolicy-analyze failed. This is most likely due to the use\" 1>&2;
echo \"of an expanded attribute in a neverallow assertion. Please fix\" 1>&2;
echo \"the policy.\" 1>&2; exit 1 ) ) &&
(touch out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp )
&& (mv out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows )"
libsepol.report_failure: neverallow violated by allow vold hal_bootctl_default:binder { call };
libsepol.check_assertions: 1 neverallow failures occurred
sepolicy-analyze failed. This is most likely due to the use
of an expanded attribute in a neverallow assertion. Please fix
the policy.
15:44:27 ninja failed with: exit status 1
Test: Revert 536d3413b8 and verify compile
fails as above.
Test: Compile succeeds
Bug: 119783042
Change-Id: I5df405b337bb744b838dadf53a2234d8ed94bf39
During the build process, use a temporary file until we've determined
that every step of the build process has completed. Failure to do this
may cause subsequent invocations of the make command to improperly
assume that this step ran to completion when it didn't.
Test: code compiles.
Change-Id: I9a28e653e33b61446a87278975789376769bcc6a
Commit b4f17069b3 ("sepolicy: Drop
BOARD_SEPOLICY_IGNORE/REPLACE support.", Mar 2015) made it a compile
time failure to use BOARD_SEPOLICY_REPLACE or BOARD_SEPOLICY_IGNORE.
As these restrictions have been in place since 2015, we can safely
assume all usages of this have been cleaned up, and there is no further
need to check for this.
8 lines deleted from Android.mk, 1720 lines to go.
Test: compiles.
Change-Id: I23249e4b2e9ec83cb6356a6c5a6e187ae1fc9744
Pass LOCAL_ADDITIONAL_M4DEFS to m4 when building vendor_file_contexts
and odm_file_contexts. The build command attempts to use
PRIVATE_ADDITIONAL_M4DEFS - but this is not set in the target-specific
variables.
This allows using custom M4 macros when building non-platform
file_contexts.
Change-Id: I5fa8d9ec91f1a97bee1dd735ba85af93eef91252
Part of an effort to remove Treble-specifics in the way be build
sepolicy.
Fixes: 64541653
Test: m selinux_policy for aosp_arm64
Change-Id: I9e42c720018674e7d3a6c47e01995401c4e748a7
Private types are not visible to vendor/odm policy, so we don't need mapping
entries for them.
We build platform-only public policy .cil file and give it as input to
treble_sepolicy_tests. Using this public policy the test can now figure out if
the newly added type in public or private.
Bug: 116344577
Test: adding public type triggers mapping test failure, adding private type does
not.
Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
All the *.conf.dontaudit files are generated from *.conf
with the command of 'sed '/dontaudit/d' $@ > $@.dontaudit',
but this command can not be applied to multi-line dontaudit statement.
Test: Set plat_policy.conf.dontaudit as the input_file parameter of
checkpolicy tool, then selinux syntax error will occur during building.
Change-Id: I281de923d8a5f0b46256ec7de4df12a1c1d7e061
Do not attempt to build odm_sepolicy.cil if BOARD_ODM_SEPOLICY_DIRS is
not defined. Attempting to do so will create an empty file, which causes
build problems when
0c6ea1e812
is applied.
Test: "cd system/sepolicy && mma -j55" succeeds
Test: "make checkbuild" succeeds
Change-Id: Iefc458bddff3d08e5fcb86f8be3cad16d7e36e73
Error out if m4 generates a warning. This will help detect and prevent
malformed macros.
See 855084960f for motivation.
Test: policy compiles
Test: Policy doesn't compile if 855084960f
is reverted.
Change-Id: Iee6b6273bc2a24b1220861fd662573e76001defc
/cache/overlay directory in support of overlayfs mounts on userdebug
and eng devices. Overlayfs in turn can be capable of supporting
adb remount for read-only or restricted-storage filesystems like
squashfs or right-sized (zero free space) system partitions
respectively.
Test: compile
Bug: 109821005
Bug: 110985612
Change-Id: I3ece03886db7cc97f864497cf93ec6c6c39bccd1
Steps taken to produce the mapping files:
1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng
2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add approprite entries to 28.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_28.0 and install 28.0.cil
mapping onto the device.
Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c
Create one _system and one _nonsystem target, which together contains
the same artifacts as before, just split by whether they go on the
system partition or not.
The product build hierarchy is being refactored to be split by
partition, so these targets facilitate inclusion of just the
system parts where necessary. Also keep the selinux_policy target
around for products that don't need the split.
Bug: 80410283
Test: for t in eng userdebug user; do lunch mainline_arm64-${t}; m nothing; done
Test: verified walleye /system and /vendor identical before and after, via:
Test: /google/data/rw/users/cc/ccross/bin/compare-target-files.sh P6259983 walleye-userdebug "SYSTEM/*" "VENDOR/*"
Test: only diffs are in build.prop files (timestamps and the like)
Change-Id: I0f5d8a1558a164ce5cfb7d521f34b431855ac260
build_test_only is used to denote rules that should not verified
as part of compliance testing.
Use this macro to exclude neverallow rules which we want to check as
part of build, but not CTS.
Bug: 80499271
Test: SELinuxNeverallowRulesTest on walleye has no more failure of type
"Type or attribute * used in neverallow undefined in policy being checked."
Number of failing test cases is reduced by 142.
Test: policy.conf used to check neverallows at build-time still retains
all neverallow rules.
Change-Id: I5f1b383d9096bb5a7b8c0f1bc008b5dd07419580
The bug_map file is only used whitelisting known test failures. It
needs to change fairly often to fix new failures and it doesn't affect
users, so it shouldn't matter if it diverges from prebuilts.
Test: Enable this test and build with and without different bug_maps.
Change-Id: I9176a6c7e9f7852a0cd7802fd121b1e86b216b22
For automotive (and I assume for other verticals) it make sense to keep
vertical-specific policies outside of /system/sepolicy as those not used
by the phones. However, there's no way to do it rather than using
BOARD_PLAT_{PUBLIC|PRIVATE}_SEPOLICY_DIR build variables.
Bug: 70637118
Test: lunch device && m
Test: verify it builds, boots and logs seems to be reasonable
Test: enable full treble for aosp_car_x86 - verify it builds, boots and
no denials in the logs
Change-Id: Ia5fd847f7a6152ff6cf99bbbc12e1e322f7946ab
(cherry picked from commit 34f233640a)
Part of an effort to remove Treble-specifics from the way be build
sepolicy.
Bug: 70851112
Test: build and boot bullhead.
Change-Id: I236f031e1b017875fb1afcc4f1b201699139516a
And migrate 26.0.cil and 27.0.cil build targets from Android.mk to
Android.bp
Bug: 33691272
Test: 26.0.cil and 27.0.cil mapping files on the device are unchanged.
Change-Id: Id0ea45c149e096996bc0657615ea98915df3c9e1