Commit graph

253 commits

Author SHA1 Message Date
Jeff Vander Stoep
74b7071be6 Allow redeclaring typeattributes
Allows partners to add a new attribute definition to their public
policy without causing a compatibility failure with the AOSP system
image.

Bug: 67092827
Bug: 37915794
Test: build and boot aosp_sailfish with new type declared in public
    policy

Change-Id: I015c26fa7c399423e8a6e7079b5689007d031479
2017-10-06 17:06:04 -07:00
Jeff Vander Stoep
e06e4c1efb Fix typo and Mac build
FAILED:
out/target/product/sailfish/obj/ETC/treble_sepolicy_tests_intermediates/treble_sepolicy_tests
Error: library-path out/host/darwin-x86/lib64/libsepolwrap.so
does not exist

Note, fixing here instead of reverting to avoid reverting
changes in CTS.

Test: ctate testing on Mac
Change-Id: I95f483b152d9bece1a16267cbc49eedb1f902990
2017-10-05 01:20:28 +00:00
Jeff Vander Stoep
3ca843a57d Prepare python tests to be run in CTS
Bug: 37008075
Test: build, all tests pass. Modify some attributes locally to
    cause tests to fail (verify that they are actually working).
Change-Id: If9f9ece61dff835f38ef9c8a57f5a7baddbae5cd
2017-10-04 19:46:12 +00:00
Jeff Vander Stoep
e9777e3402 Move python sepolicy tests to embedded launcher
This is necessary for enforcing these tests in CTS.

Bug: 37008075
Test: build
Change-Id: I36b4ce71c26a0ba01cd0289fe363f0a9f7db1214
(cherry picked from commit 8d614b3f81)
2017-10-04 17:09:30 +00:00
Daniel Cashman
41ce23481c Revert "Include 26.0 compat file on system image."
This reverts commit f9cd76b1d8.

Change-Id: I4f753f3159b422fbca94be78e620bee2c39de38a
2017-10-03 00:07:11 +00:00
Dan Cashman
f9cd76b1d8 Include 26.0 compat file on system image.
This file is necessary for using an mr1 system image in conjunction
with an oc-dev vendor image.  This is currently needed by GSI testing,
for example.

(cherry-pick of commit: 03596f28a4)

Bug: 66358348
Test: File is included on system image.
Change-Id: I3a6b7ed5edf1c07941bbf835e70f2ae8d03fee25
2017-10-02 14:21:57 -07:00
William Roberts
3949fe234a nonplat_property_contexts: use fc_sort vs sort
sort respects locale settings, so the value of LC_ALL can affect
how sort orders things. This can cause labeling issues.

More information on locale and sort can be found via:
  * locale(1) - man 1 locale
  * sort(1) - man 1 sort
  * https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28539

Rather than deal with this locale setting use fc_sort on
property contexts. This also has the side-effect of
stripping comments, and thus sed can be dropped.

Test: This was tested by:
  * comparing outputs to previous runs
  * compile tested *only*.

Change-Id: I1e1eb4dff76f717b5f82f697e677a108abb69892
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-09-27 12:03:46 -07:00
William Roberts
4b44d24961 plat_property_contexts: use fc_sort vs sort
sort respects locale settings, so the value of LC_ALL can affect
how sort orders things. Issues have surfaced when CTS build
servers locale differs from image build server locale. And thus
the prologue of property_contexts differs with what CTS was
expecting.

More information on locale and sort can be found via:
  * locale(1) - man 1 locale
  * sort(1) - man 1 sort
  * https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28539

Rather than deal with this locale setting use fc_sort on
property contexts. This also has the side-effect of
stripping comments, and thus sed can be dropped.

Test: This was tested by:
  * comparing outputs to previous runs
  * booting the x86-64 emulator

Change-Id: I144ef549cc11d9c61849ffc0e1b1b000f1b8d1a8
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-09-27 12:03:46 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jeff Vander Stoep
a7d2c5bf17 Move python scripts to python_binary_host build rule
Fixes: 65263013
Test: build
Merged-In: I0ec412481c5990927fcbee7c4303bee2da876210
Change-Id: I0a5b9a80e988fcd16a29807ed83b2c65bba9000f
2017-09-23 14:45:02 -07:00
Hung-ying Tyan
e83f1e5609 Don't create nonplat_service_contexts on full_treble devices
On full Treble devices, servicemanager should only host services
served from processes on /system; nonplat_service_contexts
should not be created at all in this case.

Bug: 36866029
Test: Build marlin and make sure nonplat_service_contexts is not
      created.

Change-Id: Id02c314abbb98fc69884198779488c52231d22c3
Merged-In: Id02c314abbb98fc69884198779488c52231d22c3
2017-09-06 22:15:43 +08:00
Dan Cashman
36ee91d4b5 Add sepolicy definitions.mk and create policy.conf function.
Bug: 36899958
Test: Builds 'n' boots.
Change-Id: I5836a18f9d0a9a976dda7304045e3b9e1e84565e
Merged-In: I5836a18f9d0a9a976dda7304045e3b9e1e84565e
(cherry picked from commit c0713e8679)
2017-08-25 15:08:45 +08:00
Jeff Vander Stoep
13fb5ed305 move build dependencies to sepolicy
Some selinux build packages are defined in embedded.mk,
others are defined in system/sepolicy/Android.mk. Move all
to sepolicy as a dependency of the phony package selinux_policy
which is defined in embedded.mk.

Test: build Marlin (Treble) and Angler (non-Treble)
Merged-In: Ib0443ad3da600447fbb51f2e9f91de04dcf5f9f6
Change-Id: Ib0443ad3da600447fbb51f2e9f91de04dcf5f9f6
2017-08-23 05:27:03 +00:00
Sandeep Patil
760674da63 Merge changes from topic 'fix-neverallow-violation' into oc-dev
am: 3692b3189e

Change-Id: Ide1a5455e2b279ac1532bbdb88e852dba3ee2b28
2017-06-16 17:22:47 +00:00
Sandeep Patil
cfb6f35231 build: run neverallow checks on platform sepolicy
This will prevent us from breaking our own neverallow rules
in the platform sepolicy regardless of vendor policy adding
exceptions to the neverallow rules using "*_violators" attributes

Bug: 62616897
Bug: 62343727

Test: Build policy for sailfish
Test: Build policy with radio to rild socket rule enabled for all
      and ensure the build fails

Change-Id: Ic66ec3e10c76a7c9a17669e0d3deb3a1c7b00809
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-06-14 10:01:34 -07:00
Jeff Vander Stoep
77fe1de7d1 Build split file_contexts for recovery
am: b236eb6ca2

Change-Id: I60a92781a5b923889e627d73e8922aca2607b67b
2017-06-13 17:59:09 +00:00
Jeff Vander Stoep
b236eb6ca2 Build split file_contexts for recovery
[    7.674739] selinux: selinux_android_file_context: Error getting
file context handle (No such file or directory)

Bug: 62564629
Test: build and flash marlin. Successfully switch between regular
    and recovery modes

Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35
2017-06-13 15:38:55 +00:00
Jeff Vander Stoep
8265811608 Move non-treble devices to split file_contexts
am: 7a68c5ae4c

Change-Id: Ide9c5ccdc2002972f311c9829c573b98f12fea44
2017-06-12 22:14:28 +00:00
Jeff Vander Stoep
7a68c5ae4c Move non-treble devices to split file_contexts
This change is primarily to fix CTS which checks file ordering of
file_contexts. Having two separate means of loading file_contexts
has resulted in ordering variations.

Previously the binary file_contexts was preferred since it
loaded faster. However with the move to libpcre2, there is no
difference in loading time between text and binary file_contexts.
This leaves us with build system complexity with no benefit.
Thus removing this unnecessary difference between devices.

Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
2017-06-10 15:14:10 +00:00
Jeff Vander Stoep
c85b859648 Run Treble sepolicy tests at build time
am: 1fc0682ec6

Change-Id: I5f6adf8043686e1dbc5327b6845d710e6f673256
2017-06-06 03:54:42 +00:00
Jeff Vander Stoep
1fc0682ec6 Run Treble sepolicy tests at build time
Bug: 37008075
Test: build policy on Marlin
Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544
(cherry picked from commit e1ddc6df75)
2017-06-05 08:09:32 -07:00
Dan Cashman
11b239f0b0 Merge changes I397ca4e7,I38efe224 into oc-dev
am: 33d7e90b51

Change-Id: I72b51db1d65df6a82b396187e982df1e4336c6be
2017-05-26 02:46:50 +00:00
Dan Cashman
51455fe977 Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir.
These directories were added to allow for partner extensions to the
android framework without needing to add changes to the AOSP global
sepolicy.  There should only ever be one owner of the framework and
corresponding updates, so enforce this restriction to prevent
accidental accrual of policy in the system image.

Bug: 36467375
Test: Add public and private files to policy and verify that they are
added to the appropriate policy files.  Also test that specifying
multiple directories for public or private results in an error.

Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
Merged-In: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
(cherry picked from commit 1633da06af)
2017-05-25 22:10:45 +08:00
Dan Cashman
1b0a71f308 Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS
Add new build variables for partner customization (additions) to platform sepolicy.
This allows partners to add their own policy without having to touch the AOSP sepolicy
directories and potentially disrupting compatibility with an AOSP system image.

Bug: 36467375
Test: Add public and private files to sailfish policy and verify that they are
added to the appropriate policy files, but that the policy is otherwise identical.
Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS
to trigger use of prebuilt mapping files and verify that they are appropriately
combined and built in policy.

Change-Id: I38efe2248520804a123603bb050bba75563fe45c
Merged-In: I38efe2248520804a123603bb050bba75563fe45c
(cherry picked from commit f893700c73)
2017-05-25 22:10:36 +08:00
Ian Pedowitz
ed4841cea0 Merge "Revert "Revert "O is API 26""" into oc-dev
am: 0f406a7a7f

Change-Id: I39ba184fe5b89a6cace60a4ea31f42e3e9940fce
2017-05-16 04:07:21 +00:00
Ian Pedowitz
998c2ff9d5 Merge "Revert "O is API 26"" into oc-dev
am: 47859a9370

Change-Id: I3ec67ae45f165601f22f7ebb446fc626300ee1b6
2017-05-04 00:18:37 +00:00
Ian Pedowitz
4816b8f00a Revert "Revert "O is API 26""
This reverts commit 6b04a961b4.

Bug: 37480230
Bug: 37896931
Bug: 37355569
Change-Id: I24ee1b4f0f23262cae25b2f575da9f16f4ebec34
2017-05-04 00:09:57 +00:00
Ian Pedowitz
6b04a961b4 Revert "O is API 26"
This reverts commit 8713882bb8.

Reason for revert:  b/37355569

Bug: 37480230
Bug: 37896931
Bug: 37355569
Change-Id: Ic07d948fd0b4a0a8434e1f4f0c8e559c4258cf5e
2017-05-03 22:00:06 +00:00
Michael Wright
a51923896a Merge "O is API 26" into oc-dev
am: 7cc3f0a909

Change-Id: Ie5fbe081e35116ee4751b43f323b83ac56993870
2017-05-02 22:17:43 +00:00
Michael Wright
8713882bb8 O is API 26
Bug: 37480230
Bug: 37896931
Test: build, boot
Change-Id: Ib8d4309d37b8818163a17e7d8b25155c4645edcf
2017-05-02 20:50:49 +01:00
Andreas Gampe
3ddc78b132 Sepolicy: Disable leak sanitizer for checkpolicy
Temporary workaround.

Bug: 37755687
Test: ASAN_OPTIONS= SANITIZE_HOST=address m
Change-Id: I001a42ea6463a1e137e1f5328755596f986323de
2017-04-28 17:52:35 +00:00
Jeff Vander Stoep
5edd96d915 Android.mk: fix dependency typo
Bug: 37646565
Test: build marlin-userdebug
Change-Id: I3325d027fa7bdafb48f1f53ac052f2a68352c1dc
2017-04-24 16:49:41 -07:00
Jeff Vander Stoep
b87876937b Retain neverallow rules in CIL files
Fixes issue where attributes used exclusively in neverallow
rules were removed from policy.

For on-device compile use the -N flag to skip neverallow tests.

Policy size increases:
vendor/etc/selinux/nonplat_sepolicy.cil 547849 -> 635637
vendor/etc/selinux/precompiled_sepolicy 440248 -> 441076
system/etc/selinux/plat_sepolicy.cil    567664 -> 745230

For a total increase in system/vendor: 266182.

Boot time changes:
Pixel uses precompiled policy so boot time is not impacted.
When forcing on-device compile on Marlin selinux policy compile
time increases 510-520 ms -> 550-560 ms.

Bug: 37357742
Test: Build and boot Marlin.
Test: Verify both precompiled and on-device compile work.
Change-Id: Ib3cb53d376a96e34f55ac27d651a6ce2fabf6ba7
2017-04-24 13:43:22 -07:00
Jeff Vander Stoep
748cae865d secilc: expand generated attributes on non-treble devices
Attributes added to the policy by the policy compiler are causing
performance issues. Telling the compiler to expand these
auto-generated attributes to their underlying types prevents
preemption during policy lookup.

Bug: 3650825
Test: Build and boot Bullhead
Change-Id: I9a33f5efb1e7c25d83dda1ea5dfe663b22846a2f
2017-04-14 22:37:09 -07:00
Jeffrey Vander Stoep
9bdb66b25c Merge "secilc: expand generated attributes" into oc-dev 2017-04-13 18:11:08 +00:00
Martijn Coenen
f6daa78a82 Merge "Add hwservice_contexts and support for querying it." into oc-dev 2017-04-13 03:34:48 +00:00
Martijn Coenen
3ea47b9249 Add hwservice_contexts and support for querying it.
hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.

Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.

Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.

Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
2017-04-12 18:07:12 -07:00
Jeff Vander Stoep
ac171b4437 secilc: expand generated attributes
Attributes added to the policy by the policy compiler are causing
performance issues. Telling the compiler to expand these
auto-generated attributes to their underlying types prevents
preemption during policy lookup.

With this patch the number of attributes in policy drops from
845 to 475. The number of attributes assigned to the bluetooth domain
drops from 41 to 11.

Bug: 3650825
Test: Build and boot Marlin
Change-Id: Ica06e82001eca323c435fe13c5cf4beba74999e2
2017-04-12 17:01:54 -07:00
Dan Cashman
4d24a77551 Fix build part 2. Always create platform_mapping_file.
commit 552fb53712 fixed an undefined
module error by removing the module when not defined (on non-treble
devices), but the sepolicy build on non-treble devices was changed
to rely on the split treble files, even though the split is not used.
Change this so that the file is always present, to allow policy
compilation.

Test: policy fully builds.
Change-Id: Ia0934c739336cea54228bbff8d6644aa3ae501e5
2017-04-12 14:28:34 -07:00
Dan Cashman
552fb53712 Fix build: encase $(platform_mapping_file) module in treble block.
Specifying an empty module causes a build error, so make sure that
if there is no $(platform_mapping_file) the MODULE is not included.

Test: Makefiles parsed without error.
Change-Id: Ie99e6534c388a3d42bf90cdfef5ee64d5c640fa0
2017-04-12 14:06:30 -07:00
Dan Cashman
6bf50e5c14 Remove BOARD_SEPOLICY_VERS_DIR build variable.
The original purpose of BOARD_SEPOLICY_VERS_DIR was to allow the
specification of an alternate platform public policy, primarily for
testing purposes.  This should not be a part of the released platform,
since the only public policy and corresponding mapping file construction
should be based on the current public platform policy, with compatibility
with vendor policy targeting previous versions provided by static mapping
files.  Its continued presence muddles the generation of mapping files by
potentially introducing a situation in which an incorrect mapping file is
generated.  Remove it.

Bug: 36783775
Test: Device boots with compiled SELinux policy (SHA256s don't match for
precompiled policy).

Change-Id: I9e2100a7d709c9c0949f4e556229623961291a32
2017-04-12 11:12:17 -07:00
Dan Cashman
c8d4535cc2 Change recovery to static platform-only compilation.
Recovery is not meant to be versioned in the treble model, but rather
provided as part of the platform/framework component and self-sufficient.
Simplify its compilation by removing the attribute versioning steps, but
maintain device-specific policy, which is currently required for full
functionality.

Bug: 37240781
Bug: 36783775
Test: recovery boots and is able to select commands.  Also tried:
reboot system, boot to bootloader, factory reset, sideload, view logs,
run graphics test, and power off.

Change-Id: I637819844d9a8ea5b315404f4abd03e8f923303a
2017-04-12 11:01:00 -07:00
Dan Cashman
4f9a648e90 Change mapping file name to reflect its platform version.
As the platform progresses in the split SELinux world, the platform
will need to maintain mapping files back to previous platform versions
to maintain backwards compatibility with vendor images which have SELinux
policy written based on the older versions.  This requires shipping multiple
mapping files with the system image so that the right one can be selected.
Change the name and location of the mapping file to reflect this.  Also add
a file to the vendor partition indicating which version is being targeted that
the platform can use to determine which mapping file to choose.

Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.

Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4
2017-04-12 09:16:51 -07:00
Dan Cashman
6f14f6b7d9 Add PLATFORM_SEPOLICY_VERSION.
Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent
the platform sepolicy of the form "NN.m" where "NN" mirrors the
PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is
incremented with every policy change that requires a new backward-compatible
mapping file to be added to allow for future-proofing vendor policy against
future platform policy.

Bug: 36783775
Test: Device boots when sha256 doesn't match and compilation is forced.
Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
2017-04-10 09:59:19 -07:00
TreeHugger Robot
8612307083 Merge "sepolicy_version: change current version to NN.m format" into oc-dev 2017-04-07 23:14:06 +00:00
Sandeep Patil
42f95984b5 sepolicy_version: change current version to NN.m format
The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtime API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

Bug: 35217573
Test: Build and boot sailfish.
      Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
2017-04-07 14:18:48 -07:00
Alex Klyubin
df72094196 Merge "Preserve treble-only flag for CTS neverallows" into oc-dev 2017-04-07 20:09:22 +00:00
Alex Klyubin
446279a6b9 Preserve treble-only flag for CTS neverallows
CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices were not included into
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.

This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.

This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.

Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
2017-04-07 12:22:10 -07:00
Martijn Coenen
ee97662f17 Fix checkfc options order.
darwin's getopt() doesn't like putting arguments
in the wrong order.

Test: Mac/Linux builds
Change-Id: If632e9077c1b5714f91c5adaa04afb4963d9b0f5
2017-04-07 10:08:55 -07:00
Martijn Coenen
d48d54a3a1 Modify checkfc to check (vnd|hw)service_manager_type.
added checkfc options 'l' and 'v' to verify hwservice_manager_type
and vndservice_manager_type on service context files, respectively.

The checkfc call to verify the new hwservice_contexts files will
be added together with hwservicemanager ACL CLs later.

Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783
2017-04-06 17:25:07 -07:00