These are the system_ext counterpart of $(ver).compat.cil. They would
contain device specific compat rules that compliment $(ver).compat.cil,
which are the platform specific compat rules.
Bug: 183362912
Test: Add a $(ver).compat.cil under SYSTEM_EXT_PRIVATE_SEPOLICY_DIR and
verify the file is installed under /system_ext/etc/selinux/mapping/
Change-Id: I2fb9b10bb3bcf112e33f504964fb705e3b63782b
This reverts commit d869d02758.
Reason for revert: fixed breakage
The breakage was due to the difference between plat_sepolicy.conf and
microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with
se_policy_conf module, so it is synced with plat_sepolicy.conf
Test: boot microdroid with and without SANITIZE_TARGET=address
Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
This replaces the following policy files with Android.bp modules:
- reqd_policy_mask.cil
- plat_sepolicy.cil
- system_ext_sepolicy.cil
- product_sepolicy.cil
- plat_pub_policy.cil
- system_ext_pub_policy.cil
- pub_policy.cil
- general_sepolicy.conf (for CTS)
Also microdroid's system policy now uses above.
Bug: 33691272
Bug: 178993690
Test: policy files stay same
Test: boot normal device and microdroid, see sepolicy works
Test: build CtsSecurityHostTestCases
Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
Now newer system policy and older vendor policy can be built together by
setting following variables:
- BOARD_SEPOLICY_VERS
- BOARD_REQD_MASK_POLICY (copy of older system/sepolicy/reqd_mask)
- BOARD_PLAT_VENDOR_POLICY (copy of older system/sepolicy/vendor)
- BOARD_(SYSTEM_EXT|PRODUCT)_(PUBLIC|PRIVATE)_PREBUILT_DIRS (copy of
older system_ext and product policies)
Bug: 168159977
Test: try normal build and mixed build
Test: boot and check selinux denials
Change-Id: Ie239580433ffd293fa6891cd665fb5ef83c0a14f
This reverts commit 6c99a6781c.
Reason for revert: build breaks on build test
Bug: 171847597
Test: None
Change-Id: I7d3556aa0f06684b43f80f09e4c8194c6c44336c
Devices launched with S must use the new variable naming
scheme introduced in If8188feb365eb9e500f2270241fa190a20e9de01
"Android.mk: Support SYSTEM_EXT* sepolicy".
The old variable name
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR` does no longer
accurately reflect its usage and as such is deprecated.
Test: `make selinux_policy` with PRODUCT_SHIPPING_API_LEVEL=26
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR}` set,
observe additions in `$(TARGET_COPY_OUT_SYSTEM_EXT)/etc/selinux`
Test: `make selinux_policy` with PRODUCT_SHIPPING_API_LEVEL=31
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR}` set,
observe error
Signed-off-by: Felix Elsner <google@ix5.org>
Change-Id: Ic4d1164be611836f6aa697fbf1cb1f1c73a3cd39
Every property should have an appropriate owner attribute, which can be
one of: system_property_type, product_property_type, or
vendor_property_type. This will be enforced for devices launching with S
or later. Devices launching with R or eariler can relax this by setting
following under BoardConfig.mk:
BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true
Bug: 131162102
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I7914ef1b7463c9ec00812b9720094531fd63f0c7
The existing freeze test only covers the policy files in system/sepolicy
alone. There's demand from product teams that would like to implement a
freeze test for their sepolicy. Instead of letting them fork the freeze
test, we believe expanding the scope of the exising one is in the best
interest.
$FREEZE_TEST_EXTRA_DIRS and $FREEZE_TEST_EXTRA_PREBUILT_DIRS are added.
These build variables could be appended like $PRODUCT_PUBLIC_POLICY. The
product team are expected to maintain their policy prebuilts.
Bug: 166455099
Test: manual
Change-Id: I6f350e1e3db2807be4dbfd0ceb34f0d89f94d629
Separate selinux_policy_system_ext and selinux_policy_product from
the selinux_policy_nonsystem module. With this CL,
selinux_policy_nonsystem will include the files for /vendor and /odm
partitions only. It will still include selinux_policy_system_ext and
selinux_policy_product as required modules.
Bug: 170282998
Test: build and check boot
Change-Id: Ie2f646a217ec86ede95caec101622bc530d12cfc
Previously, soong emitted APEX_FILE_CONTEXTS_INFOS make var which lists
"all" APEXes and file_contexts.bin used all of them regardless whether
an APEX is installed or not.
This doesn't work when there's a vendor specific APEX which uses vendor
specific labels. Other lunch target may fail to build due to "unknown
label" which is introduced by the vendor APEX which is fact not supposed
to be installed.
Now build/make/core/Makefile creates file_contexts.modules.tmp which is
a collection of file_contexts for flattend apexes which are to be
intalled.
Bug: 166518492
Test: m file_contexts.bin
check contents of file_contexts.concat.tmp
Change-Id: I00c6b87bdc75fc1e04e6f8ecddae6f18762d888a
Call build_policy when determing which compat mapping files should be
included for a given partition.
Bug: 168637766
Test: Built aosp_bonito-userdebug and saw that the compat mapping files
in product/etc/sepolicy/mapping were no longer present.
Test: Added a test 30.0.cil file to bonito's product private compat
directory and saw that it was present at product/etc/sepolicy/mapping.
Change-Id: I83cc28a159b24c0a2c0717dae461983250ab6c25
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.
Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
The new variable name reflects its actual usage.
Keep compatibility with BOARD_PLAT_* because it has been a
convention for years.
Amend the README to document the new variables.
Test: `make selinux_policy` with
`SYSTEM_EXT_{PUBLIC,PRIVATE}_SEPOLICY_DIRS` set,
observe additions in `$(TARGET_COPY_OUT_SYSTEM_EXT)/etc/selinux`
Signed-off-by: Felix <google@ix5.org>
Change-Id: If8188feb365eb9e500f2270241fa190a20e9de01
Due to AIDL HAL introduction, vendors can publish services
with servicemanager. vendor_service_contexts is labeled as
vendor_service_contexts_file, not nonplat_service_contexts_file.
And pack it to vendor partition.
Bug: 154066722
Test: check file label
Change-Id: Ic74b12e4c8e60079c0872b6c27ab2f018fb43969
Steps taken to produce the mapping files:
1. Add prebuilts/api/30.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on rvc-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/30.0/vendor_sepolicy.cil
as an empty file.
2. Add new file private/compat/30.0/30.0.cil by doing the following:
- copy /system/etc/selinux/mapping/30.0.cil from rvc-dev aosp_arm64-eng
device to private/compat/30.0/30.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 30 sepolicy.
Find all such types using treble_sepolicy_tests_30.0 test.
- for all these types figure out where to map them by looking at
29.0.[ignore.]cil files and add approprite entries to 30.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_30.0 and installs
30.0.cil mapping file onto the device.
Bug: 153661471
Test: m treble_sepolicy_tests_30.0
Test: m 30.0_compat_test
Test: m selinux_policy
Change-Id: I6dfae41fbd5f245119ede540d2c321688d6e7929
Till now, file_contexts has been treated differently that other input
src files. Now it is tagged as `android:"path"` because it is.
Bug: 144732805
Test: m
Change-Id: I6b22a8d22417b75c5cb8cd3b2e534d67e958b074
A new sysprop neverallow rules are mandatory only for devices launching
with R or later. For devices already launched, neverallow rules can be
relaxed with adding following line to BoardConfig.mk:
BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
Bug: 131162102
Test: Set PRODUCT_SHIPPING_API_LEVEL := 30 and try building with
changing some system_public_prop to system_internal_prop
Test: m cts sepolicy_tests
Change-Id: Id978b4d81a8683a57304bb639961105e2d91fa9a
Merged-In: Id978b4d81a8683a57304bb639961105e2d91fa9a
(cherry picked from commit 3be11e7abb)
Error out if we detect that there is a security_classes or
access_vectors file outside of system/sepolicy.
Of course, this test can't enforce any requirements, as it's not part of
CTS. But it can still serve as an early signal.
Fixes: 142153384
Test: add access_vectors to device policy, observe build error
Change-Id: Ib94b7f85e184340de8ec7943c8da88a0af3427e8
Install mapping files in SYSTEM_EXT_PRIVATE_POLICY and
PRODUCT_PRIVATE_POLICY into /system_ext and /product respectively.
Bug: 141084341
Test: boot taimen
Test: system mapping files are unchanged
Test: create mapping files in device/google/wahoo/sepolicy/ and check
that they are correctly expanded and installed.
Change-Id: I4d251c957b30a16df71eec47c871e24e5fc773a4
APEX modules can be configured with apex_name and file_contexts
properties.
- apex_name overrides the activation point
for example, if apex_name is 'foo', it will be flattened under
/system/apex/foo even if its name is 'bar'.
- file_contexts overrides file_contexts filename
for example, it file_contexts is 'foo',
/system/sepolicy/apex/foo-file_contexts should be used even if its
name is 'bar'.
Previously, file_contexts files for flattened apexes are assumed to have
names like "/system/sepolicy/apex/<apex_name>-file_contexts". But, as
described above, calculating <apex_name> from file entries might be
wrong
Now, it relies on Soong's makevar APEX_FILE_CONTEXTS_INFOS which is list of
<apex_name>:<file_contexts> pairs.
Bug: 123314817
Bug: 142300241
Test: add apex module(foo) with apex_name:bar and file_contexts:baz
Test: OVERRIDE_TARGET_FLATTEN_APEX=true m file_contexts.bin
Test: check intermediate files for file_contexts
Change-Id: I3793c0f01469baaa0ddb1965093a56304a10e99c
Android.mk now includes the SELinux denial metadata on user builds.
Bug: 141695494
Test: Generated a tracked denial on a user build and verified that the
bug number shows up in the logs.
Change-Id: I908c08e0d6542fa248d7c798c20a66027f39c390
Some targets just need to extend product context files, e.g.,
file_contexts, service_contexts, etc., without adding any
product-specific policy files, e.g., *.te files. Or just need to
add private product sepolicy without adding public product sepolicy.
Currently, this will lead to build errors. This CL allows
product_sepolicy.cil and the product mapping file to be empty.
It's now also possible to just set PRODUCT_PRIVATE_POLICY
without setting PRODUCT_PUBLIC_POLICY.
Bug: 131193755
Test: Only adds product private sepolicy, then `mmma system/sepolicy`
Change-Id: Ifed5af7413b2a1e20a0628518582615708c8c31a
Some targets just need to extend system_ext context files, e.g.,
file_contexts, service_contexts, etc., without adding any system_ext
policy files, e.g., *.te files.
Currently, this will lead to build errors. This CL allows
system_ext_sepolicy.cil and the system_ext mapping file
to be empty.
It's now also possible to just set BOARD_PLAT_PRIVATE_SEPOLICY_DIR
without setting BOARD_PLAT_PUBLIC_SEPOLICY_DIR.
Bug: 137712473
Bug: 141880898
Test: Only adds system_ext context files without policy files (e.g., *.te),
then `mmma system/sepolicy` can build pass
Change-Id: I72849f2d4aa43e5296cd15c07a8fd058186a6376
Bug: 137712473
Test: boot crosshatch
Test: Moving product sepolicy to system_ext and checks the file contents in
/system_ext/etc/selinux are identical to previous contents in
/product/etc/selinux.
Change-Id: I434e7f23a1ae7d01d084335783255330329c44e9
Currently system sepolicy can be extended via:
- BOARD_PLAT_PUBLIC_SEPOLICY_DIR
- BOARD_PLAT_PRIVATE_SEPOLICY_DIR
To support having a single shared core system sepolicy, those
customization should be moved to the newly added system_ext partition.
System-ext-specific sepolicy files will be installed into
/system_ext/etc/selinux/*. system_ext_sepolicy.cil is merged into
precompiled_sepolicy at build-time. In case precompiled_sepolicy can't
be used (e.g. system-only-ota), the init will merge this file with
the rest of the sepolicy at runtime.
Bug: 137712473
Test: boot aosp_crosshatch with system_ext_sepolicy.cil
Test: boot aosp_crosshatch without system_ext_sepolicy.cil
Change-Id: I53984e8a973eff15de0653916203020dbabe9c03
This is the flag for when sepolicy is split. Also removed other
commented-out heuristics around fake-treble. We should aim to remove it
entirely instead.
Fixes: 141348590
Test: build w/ and without adding binder_in_vendor_violators to a vendor
process (and see the expected error there)
Change-Id: I29fb335cc5b5d6e117d93038fe458b8c74acf321
Bug: http://b/135139675
Coverage files are written to /data/misc/trace (governed by the
method_trace_data_file selinux type). Allow all domains to access
(create directories, access files) this directory when native coverage
is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng
build.
Also relax neverallow constraints to allow access to
method_trace_data_file for native coverage builds.
Test: Build 32-bit cuttlefish with coverage:
m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
and verify that there are no selinux denials in kernel log and
logcat.
Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
bug_map is not picked up correctly when BOARD_VENDOR_SEPOLICY_DIRS is
used. And BOARD_SEPOLICY_DIRS is deprecated.
Test: m selinux_policy
Change-Id: I1dcc6ac6f7b6d0f41f29d5894bef81f3fbf841e6
Steps taken to produce the mapping files:
1. Add prebuilts/api/29.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
plat_pub_versioned.cil contains all public attributes and types from Q
Leave vendor_sepolicy.cil is empty.
2. Add new file private/compat/29.0/29.0.cil by doing the following:
- copy /system/etc/selinux/mapping/29.0.cil from pi-dev aosp_arm64-eng
device to private/compat/29.0/29.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 29 sepolicy.
Find all such types using treble_sepolicy_tests_29.0 test.
- for all these types figure out where to map them by looking at
28.0.[ignore.]cil files and add approprite entries to 29.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_29.0 and installs
29.0.cil mapping file onto the device.
Bug: 133155528
Bug: 133196056
Test: m treble_sepolicy_tests_29.0
Test: m 29.0_compat_test
Test: m selinux_policy
Change-Id: I9e83e9bf118c8b8f8fcf84d5c0dcb6eb588e0d55
*_context_test / sepolicy_tests / treble_sepolicy_tests_* /
sepolicy_freeze_test files are installed on /system/etc.
By being FAKE modules, test files are not installed on target.
Additionally, we need to set up dependency from droidcore to
selinux_policy to make tests run on normal builds (m).
Bug: 133460071
Test: m & see if tests run and no test files on /system/etc
Test: m selinux_policy & see if tests run
Change-Id: Icacf004d5c1c8ec720c7cedef7bae8aa648cbe49
Steps taken to produce the mapping files:
1. Add prebuilts/api/29.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
plat_pub_versioned.cil contains all public attributes and types from Q
Leave vendor_sepolicy.cil is empty.
2. Add new file private/compat/29.0/29.0.cil by doing the following:
- copy /system/etc/selinux/mapping/29.0.cil from pi-dev aosp_arm64-eng
device to private/compat/29.0/29.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 29 sepolicy.
Find all such types using treble_sepolicy_tests_29.0 test.
- for all these types figure out where to map them by looking at
28.0.[ignore.]cil files and add approprite entries to 29.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_29.0 and installs
29.0.cil mapping file onto the device.
Bug: 133155528
Bug: 133196056
Test: m treble_sepolicy_tests_29.0
Test: m 29.0_compat_test
Test: m selinux_policy
Change-Id: I59f6251e9baa6527a358dec024e9fae62388db2b
