Commit graph

11 commits

Author SHA1 Message Date
Bowgo Tsai
9aa8496fc9 Renames nonplat_* to vendor_*
This change renames the non-platform sepolicy files on a DUT from
nonplat_* to vendor_*.

It also splits the versioned platform sepolicy from vendor_sepolicy.cil
to a new file /vendor/etc/selinux/plat_pub_versioned.cil. And only keeps
vendor customizations in vendor_sepolicy.cil.

Build variable BOARD_SEPOLICY_DIRS is also renamed to
BOARD_VENDOR_SEPOLICY_DIRS.

Bug: 64240127
Test: boot an existing device
Change-Id: Iea87a502bc6191cfaf8a2201f29e4a2add4ba7bf
2018-01-31 14:37:39 +08:00
Bo Hu
283dd9ebb9 Revert "Renames nonplat_* to vendor_*"
This reverts commit 8b562206bf.

Reason for revert: broke mac build

b/70273082

FAILED: out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil
/bin/bash -c "(out/host/darwin-x86/bin/version_policy -b out/target/product/generic_x86/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil -t out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy_raw.cil -n 10000.0 -o out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil.tmp ) && (grep -Fxv -f out/target/product/generic_x86/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil.tmp > out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil ) && (out/host/darwin-x86/bin/secilc -m -M true -G -N -c 30 		out/target/product/generic_x86/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/generic_x86/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil out/target/product/generic_x86/obj/ETC/10000.0.cil_intermediates/10000.0.cil out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil -o /dev/null -f /dev/null )"
Parsing out/target/product/generic_x86/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil
Parsing out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy_raw.cil
grep: out of memory

Change-Id: I14f0801fdd6b9be28e53dfcc0f352b844005db59
2017-12-07 00:16:13 +00:00
kaichieh
8b562206bf Renames nonplat_* to vendor_*
This change renames the non-platform sepolicy files on a DUT from
nonplat_* to vendor_*.

It also splits the versioned platform sepolicy from vendor_sepolicy.cil
to a new file /vendor/etc/selinux/plat_pub_versioned.cil. And only keeps
vendor customizations in vendor_sepolicy.cil.

Build variable BOARD_SEPOLICY_DIRS is also renamed to
BOARD_VENDOR_SEPOLICY_DIRS.

Bug: 64240127
Test: boot an existing device
Change-Id: I53a9715b2f9ddccd214f4cf9ef081ac426721612
2017-12-06 12:57:19 +08:00
Hung-ying Tyan
e83f1e5609 Don't create nonplat_service_contexts on full_treble devices
On full Treble devices, servicemanager should only host services
served from processes on /system; nonplat_service_contexts
should not be created at all in this case.

Bug: 36866029
Test: Build marlin and make sure nonplat_service_contexts is not
      created.

Change-Id: Id02c314abbb98fc69884198779488c52231d22c3
Merged-In: Id02c314abbb98fc69884198779488c52231d22c3
2017-09-06 22:15:43 +08:00
Dan Cashman
4f9a648e90 Change mapping file name to reflect its platform version.
As the platform progresses in the split SELinux world, the platform
will need to maintain mapping files back to previous platform versions
to maintain backwards compatibility with vendor images which have SELinux
policy written based on the older versions.  This requires shipping multiple
mapping files with the system image so that the right one can be selected.
Change the name and location of the mapping file to reflect this.  Also add
a file to the vendor partition indicating which version is being targeted that
the platform can use to determine which mapping file to choose.

Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.

Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4
2017-04-12 09:16:51 -07:00
Dan Cashman
0e9c47c0af Move mapping_sepolicy.cil to /system partition.
This is a necessary first step to finalizing the SELinux policy build
process.  The mapping_sepolicy.cil file is required to provide backward
compatibility with the indicated vendor-targeted version.

This still needs to be extended to provide N mapping files and corresponding
SHA256 outputs, one for each of the N previous platform versions with which
we're backward-compatible.

Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.

Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
2017-04-06 10:00:42 -07:00
Alex Klyubin
935ddb20c1 Revert "Correct location of property_contexts for TREBLE devices"
This reverts commit 4cb628a3be.

Reason for revert: recovery image on marlin & sailfish no longer
contained *property_contexts and thus recovery failed to boot.

Test: Clean build, flash, sailfish and bullhead boot up just fine,
      and boot into recovery just fine.
Bug: 36002573
Bug: 36108354
Change-Id: I2dffd80764f1a464327747d35a58691b24cff7a7
2017-03-09 18:04:03 -08:00
Sandeep Patil
a86316e852 property_context: split into platform and non-platform components.
Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: I87f95292b5860283efb2081b2223e607a52fed04
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-29 21:09:11 +00:00
Sandeep Patil
4ca1f427b9 Fix cleanspec for property_contexts
The CLs that split the property_contexts at
topic:prop_ctx_split status:merged broke incremental build,
which was later fixed in I22ecd1d3698404df352263fa99b56cb65247a23b.

The prop_ctx CLs were later reverted due to updater breakage as in
b/34370523. So, this change adds the property_contexts clean steps
to fix the incremental builds

Change-Id: Ic32b144dbfada3a6c34f9502099220e7e3c63682
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-26 13:38:30 -08:00
Colin Cross
596fa95fee Fix incremental builds
Some recent CLs changed the list of files that are installed in the
root directory.  Incremental builds have no way to uninstall files
that were previously installed, which results in old stray files lying
around.  If the root directory is contained in system.img, this causes
an error while building system.img:
error: build_directory_structure: cannot lookup security context for /service_contexts

Update CleanSpec.mk to remove files obsoleted by:
Ide67d37d85273c60b9e387e72fbeb87be6da306a
I7881af8922834dc69b37dae3b06d921e05206564
Ide67d37d85273c60b9e387e72fbeb87be6da306a

This is not seen on the incremental build servers because they run
make installclean between builds.

Test: incremental build passes
Change-Id: I22ecd1d3698404df352263fa99b56cb65247a23b
2017-01-18 10:33:55 -08:00
Richard Haines
c2d01914d1 Update Android.mk to support file_contexts.bin
This change supports external/libselinux changes to implement
PCRE formatted binary file_contexts and general_file_contexts.bin
files.

The $(intermediates) directory will contain the original text file
(that is no longer used on the device) with a .tmp extension as well
as the .bin file to aid analysis.

A CleanSpec.mk file is added to remove the old file_contexts file.

Change-Id: I75a781100082c23536f70ce3603f7de42408b5ba
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-08-12 08:45:44 -07:00