Currently system sepolicy can be extended via:
- BOARD_PLAT_PUBLIC_SEPOLICY_DIR
- BOARD_PLAT_PRIVATE_SEPOLICY_DIR
To support having a single shared core system sepolicy, those
customization should be moved to the newly added system_ext partition.
System-ext-specific sepolicy files will be installed into
/system_ext/etc/selinux/*. system_ext_sepolicy.cil is merged into
precompiled_sepolicy at build-time. In case precompiled_sepolicy can't
be used (e.g. system-only-ota), the init will merge this file with
the rest of the sepolicy at runtime.
Bug: 137712473
Test: boot aosp_crosshatch with system_ext_sepolicy.cil
Test: boot aosp_crosshatch without system_ext_sepolicy.cil
Change-Id: I53984e8a973eff15de0653916203020dbabe9c03
This is the flag for when sepolicy is split. Also removed other
commented-out heuristics around fake-treble. We should aim to remove it
entirely instead.
Fixes: 141348590
Test: build w/ and without adding binder_in_vendor_violators to a vendor
process (and see the expected error there)
Change-Id: I29fb335cc5b5d6e117d93038fe458b8c74acf321
Bug: http://b/135139675
Coverage files are written to /data/misc/trace (governed by the
method_trace_data_file selinux type). Allow all domains to access
(create directories, access files) this directory when native coverage
is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng
build.
Also relax neverallow constraints to allow access to
method_trace_data_file for native coverage builds.
Test: Build 32-bit cuttlefish with coverage:
m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
and verify that there are no selinux denials in kernel log and
logcat.
Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
bug_map is not picked up correctly when BOARD_VENDOR_SEPOLICY_DIRS is
used. And BOARD_SEPOLICY_DIRS is deprecated.
Test: m selinux_policy
Change-Id: I1dcc6ac6f7b6d0f41f29d5894bef81f3fbf841e6
Steps taken to produce the mapping files:
1. Add prebuilts/api/29.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
plat_pub_versioned.cil contains all public attributes and types from Q
Leave vendor_sepolicy.cil is empty.
2. Add new file private/compat/29.0/29.0.cil by doing the following:
- copy /system/etc/selinux/mapping/29.0.cil from pi-dev aosp_arm64-eng
device to private/compat/29.0/29.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 29 sepolicy.
Find all such types using treble_sepolicy_tests_29.0 test.
- for all these types figure out where to map them by looking at
28.0.[ignore.]cil files and add approprite entries to 29.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_29.0 and installs
29.0.cil mapping file onto the device.
Bug: 133155528
Bug: 133196056
Test: m treble_sepolicy_tests_29.0
Test: m 29.0_compat_test
Test: m selinux_policy
Change-Id: I9e83e9bf118c8b8f8fcf84d5c0dcb6eb588e0d55
*_context_test / sepolicy_tests / treble_sepolicy_tests_* /
sepolicy_freeze_test files are installed on /system/etc.
By being FAKE modules, test files are not installed on target.
Additionally, we need to set up dependency from droidcore to
selinux_policy to make tests run on normal builds (m).
Bug: 133460071
Test: m & see if tests run and no test files on /system/etc
Test: m selinux_policy & see if tests run
Change-Id: Icacf004d5c1c8ec720c7cedef7bae8aa648cbe49
Steps taken to produce the mapping files:
1. Add prebuilts/api/29.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
plat_pub_versioned.cil contains all public attributes and types from Q
Leave vendor_sepolicy.cil is empty.
2. Add new file private/compat/29.0/29.0.cil by doing the following:
- copy /system/etc/selinux/mapping/29.0.cil from pi-dev aosp_arm64-eng
device to private/compat/29.0/29.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 29 sepolicy.
Find all such types using treble_sepolicy_tests_29.0 test.
- for all these types figure out where to map them by looking at
28.0.[ignore.]cil files and add approprite entries to 29.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_29.0 and installs
29.0.cil mapping file onto the device.
Bug: 133155528
Bug: 133196056
Test: m treble_sepolicy_tests_29.0
Test: m 29.0_compat_test
Test: m selinux_policy
Change-Id: I59f6251e9baa6527a358dec024e9fae62388db2b
This is to migrate sepolicy Makefiles into Soong. For the first part,
file_contexts, hwservice_contexts, property_contexts, and
service_contexts are migrated. Build-time tests for contexts files are
still in Makefile; they will also be done with Soong after porting the
module sepolicy.
The motivation of migrating is based on generating property_contexts
dynamically: if we were to amend contexts files at build time in the
future, it would be nicer to manage them in Soong. To do that, building
contexts files with Soong can be very helpful.
Bug: 127949646
Bug: 129377144
Test: 1) Build blueline-userdebug, flash, and boot.
Test: 2) Build blueline-userdebug with TARGET_FLATTEN_APEX=true, flash,
and boot.
Test: 3) Build aosp_arm-userdebug.
Change-Id: I576f6f20686f6f2121204f76657274696d652121
The userdebug sepolicy will be installed into debug ramdisk.
When the ramdisk is used, the device must be unlocked and init will load
this userdebug version of platform sepolicy to allow adb root.
Bug: 126493225
Test: 'make' and checks that the userdebug sepolicy is in debug ramdisk
Change-Id: I9df514054a86d63449b3ebfd1afdee2aee649418
Init needs to be aware of the policy version defined in sepolicy
for on-device compilation.
Bug: 124499219
Test: build and boot a device. Try both precompiled and on-device
compiled policy.
Change-Id: Iba861aeb4566405aedcbe3c2bad48e1e50126370
Simplifies our reasoning about product hashes. They are either
present on both sides of the Treble boundary or not.
Might be worth installing all four hashes unconditionally in the future.
Fixes: 123996710
Test: boot taimen, precompiled policy loaded
Change-Id: I749e4b0cc4c85870407a10b7d41a2e2001a75ffb
BOARD_PLAT_*_SEPOLICY_DIR extends system sepolicy.
PRODUCT_PUBLIC_SEPOLICY_DIRS and PRODUCT_PRIVATE_SEPOLICY_DIRS now
specify locations of public and private product sepolicy respectively.
Bug: 119305624
Test: m selinux_policy
Change-Id: I48d491f0dd22020d96ff0243142153871d2d6b2b
When TARGET_FLATTEN_APEX=true, APEX files are not packaged in *.apex
files but flattened to the system partition under /system/apex/<name>
directories. There was a bug that those flattened files are not labeled
because the per-APEX file_contexts were applied only when building
*.apex. Fixing this by converting the file_contexts files so that
/system/apex/<name> path is prepended and applying the generated
file_contexts file for system.img when TARGET_FLATTEN_APEX=true.
Bug: 123314817
Test: TARGET_FLATTEN_APEX=true m
ls -alZ /system/apex/*/* shows that the files are correctly labeled
Change-Id: Ia82740a1da0083d5bcfd71354a6d374d2a918342
system/sepolicy/Android.mk has become too large (~2k lines) and hard to
navigate. This patch reorganizes build rules for convenience. No
functional changes are made.
Test: m selinux_policy
Change-Id: I9a022b223b2387a4475da6d8209d561bfea228fb
selinux_denial_metadate is an concatenation of different bug maps on the
device, including vendor one. This file is only used for debugging, so
we simply move it to /vendor instead of splitting it up.
/vendor/etc/selinux/selinux_denial_metadata has vendor_configs_file
selinux type, which is logd readable.
Bug: 5159394
Test: bug information is still preserved in avc logs, e.g.
audit(0.0:248): avc: denied { read } for
name="u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=18012
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=0
b/79617173 app=com.android.systemui
Change-Id: Id5eb9abd3bdeed92feb2aca40880903533468d50
We need to be able to tell if /system was updated independently
/product, and vice versa. Otherwise, the device might accidentally load
the precompiled_policy after a /product sepolicy update.
Also change the name of the hash file to more closely reflect how its
generated.
Bug: 119305624
Test: boot aosp_taimen, precompiled policy is loaded
Test: If either of these hashes
/system/etc/selinux/plat_sepolicy_and_mapping.sha256
/product/etc/selinux/product_sepolicy_and_mapping.sha256
are removed, then init falls back to compiling sepolicy at boot time.
Change-Id: I14af81c8d3c5cb85c01592518e22077a8c8c3e5e
Both mapping files need to be included when building sepolicy at boot
time.
Bug: 119305624
Test: boot taimen
Test: "cnd" type is declared in /vendor; "dataservice_app" type is
declared in /product. This permission is preserved
"allow cnd dataservice_app:binder { transfer call };"
Change-Id: I138f34208ea05e170defd2b4ef4700ffa81f9573
Public policy that is available to vendor (and odm) sepolicy is a
combination of system and product public sepolicy. Since "plat_" prefix
implies a pure system sepolicy component, drop "plat_" prefix from
"plat_pub_policy" to be consistent with naming in this file.
Bug: 119305624
Test: m selinux_policy
Change-Id: Iaf094702556ce97371fa1c58c01d707103d7f7d6
Mapping files for previous releases are unconditionally packaged on the
device. No need to account for case when BOARD_SEPOLICY_VERS and
PLATFORM_SEPOLICY_VERSION are different.
Bug: 119305624
Test: m selinux_policy
Change-Id: I36c3c43f96870d9a71adf91c8fb8926587c5a50e
This line always prints when building master branch, it's not
particularly useful.
system/sepolicy/Android.mk:77: warning: BOARD_SEPOLICY_VERS not
specified, assuming current platform version
Test: build
Change-Id: I52f8dc2a77966bc0c21168b1339f3029185e5339
This change installs *_contexts files to the same location on Treble and
non-Treble devices.
This was previously not possible because first stage mount was not
required on all platforms. It is now b/79758715.
Bug: 70851112
Test: m selinux_policy
Change-Id: I8124c59b129aef86d78d2ae4ebcfaecd896032fc
sed "-i" flag on Mac has different syntax than on Linux. Replace use of
sed with grep.
A simple fix like this should suffice for this case, but ideally, we
should maintain our own utils instead of using tools on the host
machine.
Fixes: 121235932
Test: m selinux_policy
Change-Id: I46c3bdb90bf7de48d2c942b15a65ce82ae3041c5
Product-specific sepolicy will be installed into /product/etc/selinux/*.
This change separates out /product/etc/selinux/product_sepolicy.cil out
of system sepolicy.
This file is merged into precompiled_sepolicy at build-time. In case
precompiled_sepolicy can't be used (e.g. system-only-ota), init wll
merge this file with the rest of the sepolicy at runtime.
I left TODOs to separate other product-specific SELinux artifacts out of
system.
Bug: 119305624
Test: boot aosp_taimen with product_sepolicy.cil
Test: build selinux_policy for aosp_arm64; no product_sepolicy.cil
produced
Change-Id: Idb84a1c8ceb2de78f1460d954497c53fed08935f
grep can potentially run out of memory on Mac builds for large input
files. So we add a python util to handle filtering out files.
We will also need this util to filter plat_sepolicy.cil out of
product_sepolicy.cil
Bug: 119305624
Test: boot aosp_taimen
Change-Id: I61cd68f407ea5de43a06bf522a5fc149e5067e8c
It doesn't seem like any of our (Google's) devices use
BOARD_ODM_SEPOLICY_DIRS, but this will be helpful for partners.
Also, use BOARD_VENDOR_SEPOLICY_DIRS instead BOARD_SEPOLICY_DIRS for
readability.
Bug: n/a
Test: m selinux_policy
Change-Id: I23f64a24d51ccdb8aa616d0fd8a06d70b6efed32
All these modules are being unconditionally added to
LOCAL_REQUIRED_MODULES a few lines down.
Test: make
Change-Id: I474c5d41e1a6dd34fd2c2f2d10299048df4c2b70
The SELinux policy language supports an expandattribute statement.
Similar to the C "inline" declaration, this expands the permissions
associated with types, instead of using the attribute directly. Please
see
1089665e31
for more detail on this language option.
Expansion of attributes causes consistency problems with CTS. If a
neverallow rule exists which refers to an expanded attribute, the CTS
neverallow test will fail, because the policy does not have the
attribute embedded in it. Examples:
* b/119783042 (fixed in 536d3413b8)
* b/67296580 (fixed in 6f7e8609f9)
* b/63809360 (fixed in 89f215e6a0)
etc...
Instead of waiting for the CTS test to fail, modify the Android.mk file
so that we do checks similar to CTS. This allows us to fail at compile
time instead of waiting for a CTS bug. For example, for b/119783042,
instead of the compile succeeding, it will now fail with the following
error message:
[ 70% 190/268] build out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c
30 -o out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/policy.conf ) &&
(out/host/linux-x86/bin/sepolicy-analyze
out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
neverallow -w -f out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/policy_2.conf
|| ( echo \"\" 1>&2; echo \"sepolicy-analyze failed. This is most likely due to the use\" 1>&2;
echo \"of an expanded attribute in a neverallow assertion. Please fix\" 1>&2;
echo \"the policy.\" 1>&2; exit 1 ) ) &&
(touch out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp )
&& (mv out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows )"
libsepol.report_failure: neverallow violated by allow vold hal_bootctl_default:binder { call };
libsepol.check_assertions: 1 neverallow failures occurred
sepolicy-analyze failed. This is most likely due to the use
of an expanded attribute in a neverallow assertion. Please fix
the policy.
15:44:27 ninja failed with: exit status 1
Test: Revert 536d3413b8 and verify compile
fails as above.
Test: Compile succeeds
Bug: 119783042
Change-Id: I5df405b337bb744b838dadf53a2234d8ed94bf39
During the build process, use a temporary file until we've determined
that every step of the build process has completed. Failure to do this
may cause subsequent invocations of the make command to improperly
assume that this step ran to completion when it didn't.
Test: code compiles.
Change-Id: I9a28e653e33b61446a87278975789376769bcc6a
Commit b4f17069b3 ("sepolicy: Drop
BOARD_SEPOLICY_IGNORE/REPLACE support.", Mar 2015) made it a compile
time failure to use BOARD_SEPOLICY_REPLACE or BOARD_SEPOLICY_IGNORE.
As these restrictions have been in place since 2015, we can safely
assume all usages of this have been cleaned up, and there is no further
need to check for this.
8 lines deleted from Android.mk, 1720 lines to go.
Test: compiles.
Change-Id: I23249e4b2e9ec83cb6356a6c5a6e187ae1fc9744
Pass LOCAL_ADDITIONAL_M4DEFS to m4 when building vendor_file_contexts
and odm_file_contexts. The build command attempts to use
PRIVATE_ADDITIONAL_M4DEFS - but this is not set in the target-specific
variables.
This allows using custom M4 macros when building non-platform
file_contexts.
Change-Id: I5fa8d9ec91f1a97bee1dd735ba85af93eef91252
Part of an effort to remove Treble-specifics in the way be build
sepolicy.
Fixes: 64541653
Test: m selinux_policy for aosp_arm64
Change-Id: I9e42c720018674e7d3a6c47e01995401c4e748a7
Private types are not visible to vendor/odm policy, so we don't need mapping
entries for them.
We build platform-only public policy .cil file and give it as input to
treble_sepolicy_tests. Using this public policy the test can now figure out if
the newly added type in public or private.
Bug: 116344577
Test: adding public type triggers mapping test failure, adding private type does
not.
Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
All the *.conf.dontaudit files are generated from *.conf
with the command of 'sed '/dontaudit/d' $@ > $@.dontaudit',
but this command can not be applied to multi-line dontaudit statement.
Test: Set plat_policy.conf.dontaudit as the input_file parameter of
checkpolicy tool, then selinux syntax error will occur during building.
Change-Id: I281de923d8a5f0b46256ec7de4df12a1c1d7e061
Do not attempt to build odm_sepolicy.cil if BOARD_ODM_SEPOLICY_DIRS is
not defined. Attempting to do so will create an empty file, which causes
build problems when
0c6ea1e812
is applied.
Test: "cd system/sepolicy && mma -j55" succeeds
Test: "make checkbuild" succeeds
Change-Id: Iefc458bddff3d08e5fcb86f8be3cad16d7e36e73
Error out if m4 generates a warning. This will help detect and prevent
malformed macros.
See 855084960f for motivation.
Test: policy compiles
Test: Policy doesn't compile if 855084960f
is reverted.
Change-Id: Iee6b6273bc2a24b1220861fd662573e76001defc
/cache/overlay directory in support of overlayfs mounts on userdebug
and eng devices. Overlayfs in turn can be capable of supporting
adb remount for read-only or restricted-storage filesystems like
squashfs or right-sized (zero free space) system partitions
respectively.
Test: compile
Bug: 109821005
Bug: 110985612
Change-Id: I3ece03886db7cc97f864497cf93ec6c6c39bccd1
Steps taken to produce the mapping files:
1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng
2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add approprite entries to 28.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_28.0 and install 28.0.cil
mapping onto the device.
Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c
Create one _system and one _nonsystem target, which together contains
the same artifacts as before, just split by whether they go on the
system partition or not.
The product build hierarchy is being refactored to be split by
partition, so these targets facilitate inclusion of just the
system parts where necessary. Also keep the selinux_policy target
around for products that don't need the split.
Bug: 80410283
Test: for t in eng userdebug user; do lunch mainline_arm64-${t}; m nothing; done
Test: verified walleye /system and /vendor identical before and after, via:
Test: /google/data/rw/users/cc/ccross/bin/compare-target-files.sh P6259983 walleye-userdebug "SYSTEM/*" "VENDOR/*"
Test: only diffs are in build.prop files (timestamps and the like)
Change-Id: I0f5d8a1558a164ce5cfb7d521f34b431855ac260
build_test_only is used to denote rules that should not verified
as part of compliance testing.
Use this macro to exclude neverallow rules which we want to check as
part of build, but not CTS.
Bug: 80499271
Test: SELinuxNeverallowRulesTest on walleye has no more failure of type
"Type or attribute * used in neverallow undefined in policy being checked."
Number of failing test cases is reduced by 142.
Test: policy.conf used to check neverallows at build-time still retains
all neverallow rules.
Change-Id: I5f1b383d9096bb5a7b8c0f1bc008b5dd07419580
