plat_sepolicy_vers.txt stores the version of vendor policy. This change
adds sepolicy_vers module to migrate plat_sepolicy_vers.txt to
Android.bp.
- Device's plat_sepolicy_vers: should be BOARD_SEPOLICY_VERS
- Microdroid's plat_sepolicy_vers: should be PLATFORM_SEPOLICY_VERSION
because all microdroid artifacts are bound to platform
Bug: 33691272
Test: boot device && boot microdroid
Change-Id: Ida293e1cb785b44fa1d01543d52d3f8e15b055c2
precompiled_system_ext_and_mapping.sha256 and
precompiled_product_and_mapping.sha256 has been installed, regardless of
existence of system_ext and product policies. This change only installs
such hash files when policy files exist, for consistency.
Bug: 186727553
Test: boot yukawa and see precompiled sepolicy is used
Change-Id: Iaad827cefdbe82e68288cd6cc59b55b5f28c229d
* changes:
Revert "Add a neverallow for debugfs mounting"
Revert "Add neverallows for debugfs access"
Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"
Revert "Check that tracefs files are labelled as tracefs_type"
Revert submission 1668411
Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting
Change-Id: Ie04d7a4265ace43ba21a108af85f82ec137c6af0
This reverts commit 57b64bd282.
Because it breaks the usage of boot-debug.img and
vendor_boot-debug.img.
Bug: 185970130
Bug: 185990198
Test: make bootimage_debug
Change-Id: I2c7c4f9954540a9be301b3ed0a6c2f0af2019803
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs). This patch
adds a neverallow statement that prevents processes other than init
from being provided access to mount debugfs in non-user builds
when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I289f2d25662a78678929e29f83cb31cebd8ca737
These are the system_ext counterpart of $(ver).compat.cil. They would
contain device specific compat rules that compliment $(ver).compat.cil,
which are the platform specific compat rules.
Bug: 183362912
Test: Add a $(ver).compat.cil under SYSTEM_EXT_PRIVATE_SEPOLICY_DIR and
verify the file is installed under /system_ext/etc/selinux/mapping/
Change-Id: I2fb9b10bb3bcf112e33f504964fb705e3b63782b
This reverts commit d869d02758.
Reason for revert: fixed breakage
The breakage was due to the difference between plat_sepolicy.conf and
microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with
se_policy_conf module, so it is synced with plat_sepolicy.conf
Test: boot microdroid with and without SANITIZE_TARGET=address
Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
This replaces the following policy files with Android.bp modules:
- reqd_policy_mask.cil
- plat_sepolicy.cil
- system_ext_sepolicy.cil
- product_sepolicy.cil
- plat_pub_policy.cil
- system_ext_pub_policy.cil
- pub_policy.cil
- general_sepolicy.conf (for CTS)
Also microdroid's system policy now uses above.
Bug: 33691272
Bug: 178993690
Test: policy files stay same
Test: boot normal device and microdroid, see sepolicy works
Test: build CtsSecurityHostTestCases
Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
Now newer system policy and older vendor policy can be built together by
setting following variables:
- BOARD_SEPOLICY_VERS
- BOARD_REQD_MASK_POLICY (copy of older system/sepolicy/reqd_mask)
- BOARD_PLAT_VENDOR_POLICY (copy of older system/sepolicy/vendor)
- BOARD_(SYSTEM_EXT|PRODUCT)_(PUBLIC|PRIVATE)_PREBUILT_DIRS (copy of
older system_ext and product policies)
Bug: 168159977
Test: try normal build and mixed build
Test: boot and check selinux denials
Change-Id: Ie239580433ffd293fa6891cd665fb5ef83c0a14f
This reverts commit 6c99a6781c.
Reason for revert: build breaks on build test
Bug: 171847597
Test: None
Change-Id: I7d3556aa0f06684b43f80f09e4c8194c6c44336c
Devices launched with S must use the new variable naming
scheme introduced in If8188feb365eb9e500f2270241fa190a20e9de01
"Android.mk: Support SYSTEM_EXT* sepolicy".
The old variable name
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR` does no longer
accurately reflect its usage and as such is deprecated.
Test: `make selinux_policy` with PRODUCT_SHIPPING_API_LEVEL=26
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR}` set,
observe additions in `$(TARGET_COPY_OUT_SYSTEM_EXT)/etc/selinux`
Test: `make selinux_policy` with PRODUCT_SHIPPING_API_LEVEL=31
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR}` set,
observe error
Signed-off-by: Felix Elsner <google@ix5.org>
Change-Id: Ic4d1164be611836f6aa697fbf1cb1f1c73a3cd39
Every property should have an appropriate owner attribute, which can be
one of: system_property_type, product_property_type, or
vendor_property_type. This will be enforced for devices launching with S
or later. Devices launching with R or eariler can relax this by setting
following under BoardConfig.mk:
BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true
Bug: 131162102
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I7914ef1b7463c9ec00812b9720094531fd63f0c7
The existing freeze test only covers the policy files in system/sepolicy
alone. There's demand from product teams that would like to implement a
freeze test for their sepolicy. Instead of letting them fork the freeze
test, we believe expanding the scope of the exising one is in the best
interest.
$FREEZE_TEST_EXTRA_DIRS and $FREEZE_TEST_EXTRA_PREBUILT_DIRS are added.
These build variables could be appended like $PRODUCT_PUBLIC_POLICY. The
product team are expected to maintain their policy prebuilts.
Bug: 166455099
Test: manual
Change-Id: I6f350e1e3db2807be4dbfd0ceb34f0d89f94d629
Separate selinux_policy_system_ext and selinux_policy_product from
the selinux_policy_nonsystem module. With this CL,
selinux_policy_nonsystem will include the files for /vendor and /odm
partitions only. It will still include selinux_policy_system_ext and
selinux_policy_product as required modules.
Bug: 170282998
Test: build and check boot
Change-Id: Ie2f646a217ec86ede95caec101622bc530d12cfc
Previously, soong emitted APEX_FILE_CONTEXTS_INFOS make var which lists
"all" APEXes and file_contexts.bin used all of them regardless whether
an APEX is installed or not.
This doesn't work when there's a vendor specific APEX which uses vendor
specific labels. Other lunch target may fail to build due to "unknown
label" which is introduced by the vendor APEX which is fact not supposed
to be installed.
Now build/make/core/Makefile creates file_contexts.modules.tmp which is
a collection of file_contexts for flattend apexes which are to be
intalled.
Bug: 166518492
Test: m file_contexts.bin
check contents of file_contexts.concat.tmp
Change-Id: I00c6b87bdc75fc1e04e6f8ecddae6f18762d888a
Call build_policy when determing which compat mapping files should be
included for a given partition.
Bug: 168637766
Test: Built aosp_bonito-userdebug and saw that the compat mapping files
in product/etc/sepolicy/mapping were no longer present.
Test: Added a test 30.0.cil file to bonito's product private compat
directory and saw that it was present at product/etc/sepolicy/mapping.
Change-Id: I83cc28a159b24c0a2c0717dae461983250ab6c25
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.
Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
The new variable name reflects its actual usage.
Keep compatibility with BOARD_PLAT_* because it has been a
convention for years.
Amend the README to document the new variables.
Test: `make selinux_policy` with
`SYSTEM_EXT_{PUBLIC,PRIVATE}_SEPOLICY_DIRS` set,
observe additions in `$(TARGET_COPY_OUT_SYSTEM_EXT)/etc/selinux`
Signed-off-by: Felix <google@ix5.org>
Change-Id: If8188feb365eb9e500f2270241fa190a20e9de01
Due to AIDL HAL introduction, vendors can publish services
with servicemanager. vendor_service_contexts is labeled as
vendor_service_contexts_file, not nonplat_service_contexts_file.
And pack it to vendor partition.
Bug: 154066722
Test: check file label
Change-Id: Ic74b12e4c8e60079c0872b6c27ab2f018fb43969
Steps taken to produce the mapping files:
1. Add prebuilts/api/30.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on rvc-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/30.0/vendor_sepolicy.cil
as an empty file.
2. Add new file private/compat/30.0/30.0.cil by doing the following:
- copy /system/etc/selinux/mapping/30.0.cil from rvc-dev aosp_arm64-eng
device to private/compat/30.0/30.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 30 sepolicy.
Find all such types using treble_sepolicy_tests_30.0 test.
- for all these types figure out where to map them by looking at
29.0.[ignore.]cil files and add approprite entries to 30.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_30.0 and installs
30.0.cil mapping file onto the device.
Bug: 153661471
Test: m treble_sepolicy_tests_30.0
Test: m 30.0_compat_test
Test: m selinux_policy
Change-Id: I6dfae41fbd5f245119ede540d2c321688d6e7929
Till now, file_contexts has been treated differently that other input
src files. Now it is tagged as `android:"path"` because it is.
Bug: 144732805
Test: m
Change-Id: I6b22a8d22417b75c5cb8cd3b2e534d67e958b074
A new sysprop neverallow rules are mandatory only for devices launching
with R or later. For devices already launched, neverallow rules can be
relaxed with adding following line to BoardConfig.mk:
BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
Bug: 131162102
Test: Set PRODUCT_SHIPPING_API_LEVEL := 30 and try building with
changing some system_public_prop to system_internal_prop
Test: m cts sepolicy_tests
Change-Id: Id978b4d81a8683a57304bb639961105e2d91fa9a
Merged-In: Id978b4d81a8683a57304bb639961105e2d91fa9a
(cherry picked from commit 3be11e7abb)
Error out if we detect that there is a security_classes or
access_vectors file outside of system/sepolicy.
Of course, this test can't enforce any requirements, as it's not part of
CTS. But it can still serve as an early signal.
Fixes: 142153384
Test: add access_vectors to device policy, observe build error
Change-Id: Ib94b7f85e184340de8ec7943c8da88a0af3427e8
Install mapping files in SYSTEM_EXT_PRIVATE_POLICY and
PRODUCT_PRIVATE_POLICY into /system_ext and /product respectively.
Bug: 141084341
Test: boot taimen
Test: system mapping files are unchanged
Test: create mapping files in device/google/wahoo/sepolicy/ and check
that they are correctly expanded and installed.
Change-Id: I4d251c957b30a16df71eec47c871e24e5fc773a4
APEX modules can be configured with apex_name and file_contexts
properties.
- apex_name overrides the activation point
for example, if apex_name is 'foo', it will be flattened under
/system/apex/foo even if its name is 'bar'.
- file_contexts overrides file_contexts filename
for example, it file_contexts is 'foo',
/system/sepolicy/apex/foo-file_contexts should be used even if its
name is 'bar'.
Previously, file_contexts files for flattened apexes are assumed to have
names like "/system/sepolicy/apex/<apex_name>-file_contexts". But, as
described above, calculating <apex_name> from file entries might be
wrong
Now, it relies on Soong's makevar APEX_FILE_CONTEXTS_INFOS which is list of
<apex_name>:<file_contexts> pairs.
Bug: 123314817
Bug: 142300241
Test: add apex module(foo) with apex_name:bar and file_contexts:baz
Test: OVERRIDE_TARGET_FLATTEN_APEX=true m file_contexts.bin
Test: check intermediate files for file_contexts
Change-Id: I3793c0f01469baaa0ddb1965093a56304a10e99c
Android.mk now includes the SELinux denial metadata on user builds.
Bug: 141695494
Test: Generated a tracked denial on a user build and verified that the
bug number shows up in the logs.
Change-Id: I908c08e0d6542fa248d7c798c20a66027f39c390
Some targets just need to extend product context files, e.g.,
file_contexts, service_contexts, etc., without adding any
product-specific policy files, e.g., *.te files. Or just need to
add private product sepolicy without adding public product sepolicy.
Currently, this will lead to build errors. This CL allows
product_sepolicy.cil and the product mapping file to be empty.
It's now also possible to just set PRODUCT_PRIVATE_POLICY
without setting PRODUCT_PUBLIC_POLICY.
Bug: 131193755
Test: Only adds product private sepolicy, then `mmma system/sepolicy`
Change-Id: Ifed5af7413b2a1e20a0628518582615708c8c31a
Some targets just need to extend system_ext context files, e.g.,
file_contexts, service_contexts, etc., without adding any system_ext
policy files, e.g., *.te files.
Currently, this will lead to build errors. This CL allows
system_ext_sepolicy.cil and the system_ext mapping file
to be empty.
It's now also possible to just set BOARD_PLAT_PRIVATE_SEPOLICY_DIR
without setting BOARD_PLAT_PUBLIC_SEPOLICY_DIR.
Bug: 137712473
Bug: 141880898
Test: Only adds system_ext context files without policy files (e.g., *.te),
then `mmma system/sepolicy` can build pass
Change-Id: I72849f2d4aa43e5296cd15c07a8fd058186a6376
Bug: 137712473
Test: boot crosshatch
Test: Moving product sepolicy to system_ext and checks the file contents in
/system_ext/etc/selinux are identical to previous contents in
/product/etc/selinux.
Change-Id: I434e7f23a1ae7d01d084335783255330329c44e9