This script will build the SELinux policy for multiple targets in parallel.
To use it, run:
./build_policies.sh <Android root directory> <output directory> [specific targets to build]
If you do not pass any individual targets, it will build all targets it can find.
It will print out the list of failing targets. You can open up the corresponding log file in the output directory to see the exact errors.
This script is still a work in progress. It currently cannot discover all build targets (it misses ones "lunch" does not list).
Bug: 33463570
Test: Ran script to build multiple targets with and without failures.
Change-Id: Iee8ccf4da38e5eb7ce2034431613fe10c65696ab
Extend checkfc to support comparing two file_contexts or
file_contexts.bin files. This is for use by the CTS
SELinuxHostTest to compare the AOSP general_file_contexts
with the device file_contexts.bin file.
Depends on I0fe63e0c7f11ae067b5aac2f468f7842e5d76986.
Change-Id: I2fff2f8cf87690a76219ddf4cf38939650f34782
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
See NEVERALLOW CHECKING in tools/README for documentation.
Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
for libsepol to support reporting all neverallow failures.
Change-Id: I47c16ccb910ac730c092cb3ab977c59cb8197ce0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.
Bug: 18005561
Change-Id: I45fa07d776cf1bec7d60dba0c03ee05142b86c19
See NEVERALLOW CHECKING in tools/README for documentation.
Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
for libsepol to support reporting all neverallow failures.
Change-Id: I47c16ccb910ac730c092cb3ab977c59cb8197ce0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Usage:
sepolicy-analyze -D -P out/target/product/<board>/root/sepolicy
Displays duplicate allow rules, i.e. pairs of allow rules that grant
the same permissions where one allow rule is written directly in terms
of individual types and the other is written in terms of attributes
associated with those same types. The rule with individual types is
a candidate for removal. The rule with individual types may be directly
represented in the source policy or may be a result of expansion of
a type negation (e.g. domain -foo -bar is expanded to individual allow
rules by the policy compiler). Domains with unconfineddomain will
typically have such duplicate rules as a natural side effect and can
be ignored.
Also add a tools/README with a description of all of the tools.
Change-Id: I07838dbd22c5cc8a4a65b57003ccae38129050f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>