Now that we have sepolicy module in Android.bp, we can migrate contexts
tests. Also vendor_service_contexts_test will be run, as we now include
vendor_service_contexts unconditionally.
Unfortunately, vendor_service_contexts_test is now broken, due to a
malformed type hal_power_stats_vendor_service. We will temporarily
exempt the type from the test, to speed up migrating to Android.bp.
Bug: 33691272
Test: m selinux_policy and see tests running
Test: add a malformed type other than hal_power_stats_vendor_service and
run tests
Change-Id: Ic60eb38b9a7c79006f0b5ff4453768e03006604b
This is safe because methods in VirtualDeviceManager are guarded by
the internal|role permission CREATE_VIRTUAL_DEVICE, and all subseuqent
methods can only be called on the returned binder.
Fixes: 209527778
Test: Manual
Change-Id: I60a5cf76eec1e45803cf09ab4924331f7c12ced4
Builds:
- sepolicy_test - file that init mounts in /dev/selinux to demonstrate
that updatable sepolicy is loaded.
- apex_sepolicy.cil - Initially includes a rule allowing shell
to read sepolicy_test.
- apex_file_contexts - Initially includes mapping of
/dev/selinux/sepolicy_test.
- apex_sepolicy.sha256. Used by init to determine of
precompiled_sepolicy can be used.
- apex_service_contexts - Currently empty.
- apex_property_contexts - Currently empty.
- apex_seapp_contexts - Currently empty.
Bug: 199914227
Test: Build, boot, ls -laZ /dev/selinux/sepolicy_test
Change-Id: I6aa625dda5235c6e7a0cfff777a9e15606084c12
compat_test tests whether {ver}.compat.cil is compatible to current
policy or not. This commit migrates all tests into a single module named
"sepolicy_compat_tests".
A minor issue is also resolved with this migration. Suppose that the
vendor's speolicy version is {VER}. Then the following cil files are
compiled in runtime.
- system/etc/selinux/plat_sepolicy.cil
- system/etc/selinux/mapping/{VER}.cil
- system/etc/selinux/mapping/{VER}.compat.cil (optional)
- system_ext/etc/selinux/system_ext_sepolicy.cil (optional)
- system_ext/etc/selinux/mapping/{VER}.cil (optional)
- system_ext/etc/selinux/mapping/{VER}.compat.cil (optional)
- product/etc/selinux/product_sepolicy.cil (optional)
- product/etc/selinux/mapping/{VER}.cil (optional)
- product/etc/selinux/mapping/{VER}.compat.cil (optional)
- vendor/etc/selinux/vendor_sepolicy.cil
- vendor/etc/selinux/plat_pub_versioned.cil
- odm/etc/selinux/odm_sepolicy.cil (optional)
That is, the vendor policy of version {VER} (vendor_sepolicy.cil,
plat_pub_versioned.cil, and odm_sepolicy.cil) is required to be
compatible only to {VER}.compat.cil. So, the vendor policy is included
only to $(BOARD_SEPOLICY_VERS)_compat_test. The other tests will be
built only with platform side policies.
Bug: 33691272
Test: boot
Test: manually edit {ver}.compat.cil files and try build
Change-Id: I16b30a9171f10ee8f08fc03b7bd7c047eec12b19
We run it in our domain since it requires fairly minimal access.
Bug: 210472252
Test: atest virtualizationservice_device_test
Test: composd_cmd test-compile
Change-Id: Ia770cd38bda67f79f56549331d3a36d7979a5d5b
We run it in the compos domain, since it doesn't require very much
additional access.
Bug: 189164487
Test: composd_cmd test-compile
Change-Id: I9ef26dd60225505086e45185289e3e03d0a8de8e
If the directory is non-empty when we start we need to delete
everything in it, but didn't have enough access:
avc: denied { getattr } for
path="/data/misc/apexdata/com.android.art/staging/boot-framework.art"
dev="dm-37" ino=57755 scontext=u:r:composd:s0
tcontext=u:object_r:apex_art_staging_data_file:s0 tclass=file
permissive=0
Bug: 205750213
Test: create files in staging/, composd_cmd test-compile
Change-Id: I3a66db7f5fbff82abcf547cb1c2b24e9c53ab158
Because Go command line tooling assumes *_test.go files are tests and
not package sources.
Test: build
Change-Id: Ie332b89140b93c4ea448009cafa2556ef888497c
