New maintenance scheme for mapping files:
Say, V is the current SELinux platform version, then at any point in time we
only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1)
and bottom (V-n+1->V-n) without changes to previously maintained mapping files.
Caveats:
- 26.0.cil doesn't technically represent 27.0->26.0 map, but rather
current->26.0. We'll fully migrate to the scheme with future releases.
Bug: 67510052
Test: adding new public type only requires changing the latest compat map
Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8
Private types are not visible to vendor/odm policy, so we don't need mapping
entries for them.
We build platform-only public policy .cil file and give it as input to
treble_sepolicy_tests. Using this public policy the test can now figure out if
the newly added type in public or private.
Bug: 116344577
Test: adding public type triggers mapping test failure, adding private type does
not.
Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
(for the build-time tests)
treble_sepolicy_tests applies tests to the SEPolicy for devices which
implement the SEPolicy split introduced in Android O. For devices which
turn this on and also implement all of the other requirements which
together compose PRODUCT_FULL_TREBLE, these tests help ensure that the
backwards compatibility which this feature adds is possible.
When this test was originally written, devices which specified
PRODUCT_FULL_TREBLE_OVERRIDE were only those devices with a
PRODUCT_SHIPPING_API_LEVEL of < 26. This allowed them to update to use
these features but maintain some legacy behaviors. For these devices,
to achieve the same backwards compatibility guarantees, much
other/extra work would have to be done (if it is possible at all).
Since that time, a new category of devices take advantage of
PRODUCT_FULL_TREBLE_OVERRIDE. These devices must either not define a
PRODUCT_SHIPPING_API_LEVEL or they apply this flag even though it is
not required to be applied. For these cases, the full test suite not
being run has caused problems because these failures aren't discoverred
until later (when compliance tests are run).
Fixes: 112933807
Test: treble_sepolicy_tests on marlin, walleye, and 'some other device'
(mma here runs this with the correct parameters)
Change-Id: I04c42d3cb86cda3c82f285919b40ba94e1332daa
Steps taken to produce the mapping files:
1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng
2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add approprite entries to 28.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_28.0 and install 28.0.cil
mapping onto the device.
Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c
Use the user policy when running the compatibility tests.
Bug: 74344625
Test: Built policy for many devices. Booted one device.
Test: Delete some compat rules, verify error on userdebug.
Change-Id: Ib2df2dfc06cdf55a839011e9a528e76160a9e436
When building userdebug or eng builds, we still want to build the user
policy when checking neverallow rules so that we can catch compile
errors.
Commit c0713e86 split out a helper function but lost one instance of
using user instead of the real variant. This restores that one and
adds it to the neverallow check.
Bug: 74344625
Test: Added a rule that referred to a type defined only
in userdebug and eng and ensure we throw a compile error when building
userdebug mode.
Change-Id: I1a6ffbb36dbeeb880852f9cbac880f923370c2ae
(cherry picked from commit 053cb34130)
