Now it can only load the selinux mapping ignore file in system/sepolicy/private,
but for Google's partners we want to add the selinux mapping ignore file in BOARD_PLAT_PRIVATE_SEPOLICY_DIR.
Test: it can load the selinux mapping ignore file in BOARD_PLAT_PRIVATE_SEPOLICY_DIR
Change-Id: I983422c21fe027fcb17c175357a26845eb977669

New maintenance scheme for mapping files:
Say, V is the current SELinux platform version, then at any point in time we
only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1)
and bottom (V-n+1->V-n) without changes to previously maintained mapping files.
Caveats:
- 26.0.cil doesn't technically represent 27.0->26.0 map, but rather
current->26.0. We'll fully migrate to the scheme with future releases.
Bug: 67510052
Test: adding a new public type only requires changing the latest compat map
Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8

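The composition rule above (the V->V-n map built from the V->V-n+1 top half and the V-n+1->V-n bottom half), as an added Python example that is not part of these commits or of system/sepolicy: it parses typeattributeset statements from constructed CIL fragments, resolves each 26_0 attribute through the 27_0 attributes down to current types, and flags bottom-half references the top half no longer defines. Attribute and type names are made up; the statement syntax is assumed to match the real mapping files.

```python
"""Compose SELinux compat mappings: V->V-n from a V->V-n+1 top and a V-n+1->V-n bottom."""
from __future__ import annotations
import re

# Constructed CIL fragments (assumption: they follow the typeattributeset syntax of the
# real compat maps; the attribute and type names are illustrative, not from AOSP).
TOP_27_0 = """
(typeattribute hal_foo_27_0)
(typeattributeset hal_foo_27_0 (hal_foo_default hal_foo_server))
(typeattribute baz_27_0)
(typeattributeset baz_27_0 (baz))
(typeattribute qux_27_0)
(typeattributeset qux_27_0 (qux))
"""
# 26.0 bottom half: 26.0 attributes written only in terms of 27.0 attributes.
BOTTOM_26_0 = """
(typeattribute hal_foo_26_0)
(typeattributeset hal_foo_26_0 (hal_foo_27_0))
(typeattribute baz_26_0)
(typeattributeset baz_26_0 (baz_27_0 qux_27_0))
"""
# Same bottom half plus a stale reference: old_27_0 is not defined by the top half.
BOTTOM_26_0_STALE = BOTTOM_26_0 + "(typeattributeset old_26_0 (old_27_0))\n"

SET_STMT = re.compile(r"\(typeattributeset\s+(\S+)\s+\(([^)]*)\)\)")

def parse_sets(cil: str) -> dict[str, list[str]]:
    """Map attribute -> members; bare (typeattribute X) declarations are skipped."""
    return {name: body.split() for name, body in SET_STMT.findall(cil)}

def compose(top: dict[str, list[str]], bottom: dict[str, list[str]]) -> dict[str, list[str]]:
    """Resolve each V-n attribute through the V-n+1 attributes down to current types.
    Members the top does not define pass through unchanged (current types, or stale refs)."""
    out = {}
    for attr, members in bottom.items():
        out[attr] = sorted({t for m in members for t in top.get(m, [m])})
    return out

def dangling(top: dict[str, list[str]], bottom: dict[str, list[str]], suffix="_27_0") -> list[str]:
    """Bottom members that look like V-n+1 attributes but have no definition in the top."""
    return sorted({m for ms in bottom.values() for m in ms if m.endswith(suffix) and m not in top})

def to_cil(mapping: dict[str, list[str]]) -> str:
    """Render a composed map back as alphabetically sorted typeattributeset statements."""
    return "\n".join(f"(typeattributeset {a} ({' '.join(ms)}))" for a, ms in sorted(mapping.items()))

if __name__ == "__main__":
    top, bottom = parse_sets(TOP_27_0), parse_sets(BOTTOM_26_0)
    print(to_cil(compose(top, bottom)))  # current->26.0 map built without editing the 27.0 half
    print("stale:", dangling(top, parse_sets(BOTTOM_26_0_STALE)))
```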
Steps taken to produce the mapping files:
1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng
2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statements (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t. 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add appropriate entries to 28.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_28.0 and installs 28.0.cil
mapping onto the device.
Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c

se_filegroup is used to export selinux files from board-specific
directories (e.g. device/google/wahoo/sepolicy).
Use se_filegroup module to export partner extension of compatibility
mapping to build logic in system/sepolicy.
Bug: 33691272
Bug: 74669108
Test: .cil mapping files can be correctly added from vendor directory.
Change-Id: Iaa2a95d0e326cb03a478fc12c1a14ba40e57e117

And migrate 26.0.cil and 27.0.cil build targets from Android.mk to
Android.bp
Bug: 33691272
Test: 26.0.cil and 27.0.cil mapping files on the device are unchanged.
Change-Id: Id0ea45c149e096996bc0657615ea98915df3c9e1

Current sepolicy CIL files are built by several command-line tools
in Android.mk. This change extracts some of the build logic into a
python script to relieve the effort in Android.mk.
The first command is `build_sepolicy build_cil`. It's possible to add
more sub-commands under the build_sepolicy script in the future.
Bug: 64240127
Test: build bullhead/taimen
Change-Id: Ie0ae4fc5256a550c72954cde5d5dd213a22d159a

Current sepolicy CIL files are built by several command-line tools
in Android.mk. This change extracts some of the build logic into a
python script to relieve the effort in Android.mk.
The first command is `build_sepolicy build_cil`. It's possible to add
more sub-commands under the build_sepolicy script in the future.
Bug: 64240127
Test: build and boot a device
Test: checks the content of $OUT/vendor/etc/selinux/vendor_sepolicy.cil
is the same as before
Change-Id: I0b64f1088f413172e97b579b4f7799fa392762df

With project Treble, we're relying heavily on attributes for
permission inheritance and enforcement of separation between
platform and vendor components.
We need tests that verify those attributes are correctly applied.
This change adds the framework for those tests including a wrapper
around libsepol for loading and querying policy, and a python module
for running tests on policy and file_contexts.
Included with the testing framework is a test asserting that the
coredomain attribute is only applied to core processes. This
verification is done using the following rules:
1. Domain's entrypoint is on /system - coredomain
2. Domain's entrypoint is on /vendor - not coredomain
3. Domain belongs to a whitelist of known coredomains - coredomain
In a subsequent commit these tests will be applied at build time.
However, I first need to fix existing Treble violations exposed by
this test. These tests will also be applied during CTS.
Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \
treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \
-f $OUT/vendor/etc/selinux/nonplat_file_contexts \
-f $OUT/system/etc/selinux/plat_file_contexts
Bug: 37008075
Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9
(cherry picked from commit 0366afdf14)