Commit graph

218 commits

Author SHA1 Message Date
Pawan Wagh
f38fb73371 Updating exisiting fuzzers in fuzzer bindings
Bug: 246590424
Test: m
Change-Id: I327a9d86b68b00e64ce0fd87395037c641fb5901
2022-10-07 19:04:17 +00:00
Peiyong Lin
33e03e09b4 Merge "Update SEPolicy for Thermal AIDL" 2022-10-07 04:00:17 +00:00
Peiyong Lin
4a5d0f13c4 Update SEPolicy for Thermal AIDL
Bug: b/205762943
Test: build and boot
Change-Id: I301b85dafbf8fbb1c4be388aa0291e22f4717c99
2022-10-05 00:55:20 +00:00
Steven Moreland
07c5387324 Merge "hidl2aidl: sepolicy changes for confirmationui aidl" 2022-10-03 19:10:31 +00:00
Subrahmanyaman
745efb4ced hidl2aidl: sepolicy changes for confirmationui aidl
Sepolicy changes for confirmationui while converting from hidl
to aidl.

Bug: b/205760172
Test: run vts -m VtsHalConfirmationUIV1_0Target
Change-Id: Ib21038fd89789755b978489f5293725b221d86c4
2022-09-23 19:00:15 +00:00
Amos Bianchi
3189fafa2a Add sepolicy for new module.
Bug: b/241442337
Test: TH
Change-Id: Ia58e2d4b205638509545a0a2c356cd68862beb1f
2022-09-23 10:40:47 -07:00
Vikram Gaur
f4382c5391 Merge "Add SELinux policy changes for rkpd" 2022-09-23 09:33:45 +00:00
Vikram Gaur
d25c80a951 Add SELinux policy changes for rkpd
This is a part of changes to bring up Remote Key Provisioning Daemon
module. See packages/modules/RemoteKeyProvisioning for more info.

Change-Id: Iae4e98176491637acb03e2e09b9d8dbc269be616
Test: atest rkpd_client_test
2022-09-23 05:09:00 +00:00
Yu Shan
e799e9284c Merge "Create selinux policy for remoteaccess HAL." 2022-09-22 01:17:00 +00:00
Weilin Xu
52546635b2 Applying new IBroadcastRadio AIDL
Update Sepolicy for AIDL broadcast radio HAL. Ignore
fuzzer default AIDL implementation for now.

Bug: 170336130
Test: m -j
Change-Id: Ie55c08c6a721de1f8dc40acc81de68565f99f7d7
2022-09-21 23:17:20 +00:00
Steven Moreland
5043c02262 Merge "hidl2aidl: conversion of gatekeeper hidl to aidl" 2022-09-21 21:26:01 +00:00
Reema Bajwa
396d34b7c8 Merge "Add SELinux changes for Credential Manager Service in system server Test: Built & Deployed on device locally." 2022-09-21 17:34:09 +00:00
Yu Shan
05a7389aa9 Create selinux policy for remoteaccess HAL.
Will add fuzzer once the service is implemented.

Test: Run remoteaccess HAL on gcar_emu. Verify the service is running.
Bug: 241483300
Change-Id: I01b31a88414536ddd90f9098f422ae43a48cf726
2022-09-20 18:09:49 -07:00
Anna Zhuravleva
2864a66331 Add sepolicy for Health Connect system service.
Add selinux policy so the healthconnect system service
can be accessed by other processes.

Bug: 246961138
Test: build
Change-Id: I37e0e7f1a2b4696b18f8876a107c509d2906e850
2022-09-20 17:14:35 +00:00
Reema Bajwa
5b57bfaf7e Add SELinux changes for Credential Manager Service in system server
Test: Built & Deployed on device locally.

Change-Id: I892107ed528e0ca7435aa29a0fa1e6dbf4f225c5
2022-09-19 17:51:06 +00:00
Subrahmanyaman
1d2a3fedcc hidl2aidl: conversion of gatekeeper hidl to aidl
Conversion of the gatekeeper hidl interface to stable aidl interface.

Bug: 205760843
Test: run vts -m VtsHalGatekeeperTarget
Change-Id: I44f554e711efadcd31de79b543f42c0afb27c23c
2022-09-19 17:43:26 +00:00
Pawan
0ecf99def5 sepolicy : Recommend fuzzers for new services
Adding soong module and tool to check if there is fuzzer present
for every service in private/service_contexts. Whenever a service is
added, its is recommended to update
$ANDROID_BUILD_TOP/system/sepolicy/soong/build/service_fuzzer_bindings.go
with service name and its corresponding fuzzer.

Test: m
Bug: 242104782
Change-Id: Id9bc45f50bebf464de7c91c7469d4bb6ff153ebd
2022-09-13 18:18:46 +00:00
Treehugger Robot
3da6089241 Merge "Add go.mod for build/soong" 2022-08-19 18:44:18 +00:00
Inseob Kim
79fdbeb1ce Reorganize Android.bp files and modules
Test: build and boot
Change-Id: Id8a1a2faecf37de81b91e2669f6afa4cbe91443c
2022-08-17 09:50:22 +09:00
Inseob Kim
6d79030d0c Build mac_permissions.xml with Soong
Bug: 33691272
Test: build and compare
Change-Id: Iacbd5bcf77f0b1c0b5e2c6691efb4c62bc78fdf8
2022-08-17 09:49:35 +09:00
Sasha Smundak
43e9a404bf Add go.mod for build/soong
Test: treehugger
Change-Id: Id69d6cb94cff7efd082a127ea6def7db6c5422fc
2022-08-11 17:18:13 -07:00
Sandro
143988dedb Add apex_sepolicy targets for running go/seamendc
This is a roll-forward of some of the changes rolled back in
aosp/2170746. I am rolling forward in smaller chunks so that it is
easier to identify and avoid possible breakages.

Bug: 236691128
Test: atest SeamendcHostTest
Change-Id: Ibe451325d471fe04cd52683ba90a22543fa84c7c
2022-08-09 09:33:09 +00:00
Lokesh Gidra
1269a179ac Revert "Move parts of sdk_sandbox from private to apex policy"
Revert "Add java SeamendcHostTest in cts"

Revert submission 2111065-seamendc

Reason for revert: b/240731742, b/240462388 and b/240463116
Reverted Changes:
I3ce2845f2:Move parts of sdk_sandbox from private to apex pol...
I0c10106e2:Add java SeamendcHostTest in cts

Test: revert cl
Change-Id: If9981796694b22b7cbfe1368cd815889c741e69d
2022-08-03 14:24:04 +00:00
sandrom
e6971f1330 Move parts of sdk_sandbox from private to apex policy
Bug: 236691128
Test: atest SeamendcHostTest

Change-Id: I3ce2845f259afb29b80e2d9b446aa94e64ef8902
2022-07-27 13:39:06 +00:00
Inseob Kim
1e796342aa Fix policy file order for hal_attributes
Partners should be able to add hal_attributes to system_ext or product's
public/attributes file. However, if system_ext or product's
public/attributes contain any domain sets, numbers for base_typeattr
become inconsistent. It's because the order is now:

    ...
    te_macros
    attributes
    ioctl_defines
    ioctl_macros
    *.te
    roles_decl
    ...

That is, system_ext/public/attributes and product/public/attributes are
included prior to system/sepolicy/**/*.te. Thus, plat_sepolicy.cil and
system_ext_sepolicy.cil/product_sepolicy.cil can conflict.

This change fixes this issue by making attributes and *.te files have
the same rank. This way, system_ext/public/attributes is included after
system/sepolicy/**/*.te.

Bug: 234137981
Test: m selinux_policy after adding hal_attribute to
      system_ext/public/attributes
Change-Id: I85e1f6b8e4ab47c723724684d1938297a3305fe8
2022-06-09 11:26:35 +09:00
Inseob Kim
4196403c36 Replace se_filegroup to se_build_files
se_build_files is a replacement for se_filegroup module. se_build_files
can be used with the normal Soong convention ":module_name{.tag}" by
implementing android.OutputFileProducer. It's better than implementing
ad-hoc logics across various modules, which is the case for se_filegroup
module.

Test: build and boot
Change-Id: Ic0e34549601eb043145e433055f5a030eaf4347e
2022-04-23 01:47:40 +09:00
Inseob Kim
6e384f3a4b Add mls_cats property to se_policy_conf
To support overriding mls_num_cats for devices which don't need MLS

Bug: 223596384
Test: build
Change-Id: I007d3bab51e0aa67b14c2af1e92bee1d644ef4c7
2022-03-10 13:15:05 +09:00
Inseob Kim
c7596c4e61 Build vndservice_contexts with Android.bp
Bug: 33691272
Test: boot a device which uses vndservice_contexts
Change-Id: I28c36b74d4176954099f3b7e80a4869b7c44640f
2022-03-02 17:26:44 +09:00
Treehugger Robot
8e6b55a13d Merge "Remove compat test from treble sepolicy tests" 2022-02-17 01:26:04 +00:00
Treehugger Robot
8817edcbb4 Merge "Revert^2 "Migrate contexts tests to Android.bp"" 2022-02-16 04:23:47 +00:00
Inseob Kim
73f43ff847 Remove compat test from treble sepolicy tests
Treble sepolicy tests check whether previous versions are compatible to
ToT sepolicy or not. treble_sepolicy_tests_for_release.mk implements it,
but it also includes a compat test whether ToT sepolicy + {ver} mapping
+ {ver} plat_pub_versioned.cil can be built together or not. We
definitely need such tests, but we already have a test called "compat
test" which does exactly that, and testing it again with Treble sepolicy
tests is just redundant. The only difference between those two is that
Treble sepolicy tests can also test system_ext and product compat files,
which was contributed by a partner.

The ultimate goal here is to migrate *.mk to Soong, thus merging these
two tests (compat, Treble) into one. As we've already migrated the
compat test to Soong, this change removes the compat test part from
treble sepolicy tests. Instead, the compat test will be extended so it
can test system_ext and product compat files too.
prebuilts/api/{ver}/plat_pub_versioned.cil and
prebuilts/api/{ver}/vendor_sepolicy.cil are also removed as they aren't
used anymore: vendor_sepolicy.cil is an empty stub, and
plat_pub_versioned.cil can be built from the prebuilt source files.

Bug: 33691272
Test: m selinux_policy
Change-Id: I72f5ad0e8bbe6a7c0bbcc02f0f902b953df6ff1a
2022-02-16 04:09:29 +00:00
Inseob Kim
b5e235346e Revert^2 "Migrate contexts tests to Android.bp"
This reverts commit baa93cc651.

Reason for revert: amlogic build fixed

Change-Id: I8b046dc810d47a2d87012f02a668873889fce705
2022-02-16 02:26:11 +00:00
Inseob Kim
6c5fa54a8b Fix se_policy_conf file output stem
OutputFileProducer interface has been returning "conf", not the
designated stem.

Test: try including se_policy_conf module as other module's srcs
Change-Id: I17de5e10ed9bd1d45dc9a8b1be11ea6f5290c179
2022-02-09 23:35:43 +09:00
Thiébaud Weksteen
9ebf0c8ecf Split sepolicy_neverallow rule
sepolicy_neverallow is based on a combination of calling checkpolicy
followed by sepolicy-analyze. If the first tool fails, the error message
associated with the second is returned, which is misleading.

Separate both part of the rule using a new build command.

Bug: 175911415
Test: Modify policy to trigger neverallow (checkpolicy); no misleading
    messages from sepolicy-analyze
Change-Id: I5977ced23dee09a28c7df334e4790d212e0db0c1
2022-01-28 13:51:36 +11:00
Treehugger Robot
dd75a576c5 Merge "Remove deprecated ToMakePath calls" 2022-01-19 10:07:45 +00:00
Inseob Kim
baa93cc651 Revert "Migrate contexts tests to Android.bp"
This reverts commit f612656adf.

Reason for revert: breaking amlogic build

Change-Id: I129b5cb74259c9c028483e84c9b2ac3597c24701
2022-01-14 06:13:28 +00:00
Inseob Kim
f612656adf Migrate contexts tests to Android.bp
Now that we have sepolicy module in Android.bp, we can migrate contexts
tests. Also vendor_service_contexts_test will be run, as we now include
vendor_service_contexts unconditionally.

Unfortunately, vendor_service_contexts_test is now broken, due to a
malformed type hal_power_stats_vendor_service. We will temporarily
exempt the type from the test, to speed up migrating to Android.bp.

Bug: 33691272
Test: m selinux_policy and see tests running
Test: add a malformed type other than hal_power_stats_vendor_service and
      run tests
Change-Id: Ic60eb38b9a7c79006f0b5ff4453768e03006604b
2022-01-14 10:59:59 +09:00
Colin Cross
6c7f937235 Remove deprecated ToMakePath calls
ToMakePath is a noop now, remove the calls to it.

Bug: 204136549
Test: m checkbuild
Change-Id: I01b865614f50a57ab357c5ffb8843ebcb382df20
2022-01-11 19:35:43 -08:00
Inseob Kim
483c0b3a7d Merge "Migrate seapp_contexts to Android.bp" 2022-01-10 11:15:28 +00:00
Inseob Kim
16d3be3dac Migrate sepolicy compat test to Android.bp
compat_test tests whether {ver}.compat.cil is compatible to current
policy or not. This commit migrates all tests into a single module named
"sepolicy_compat_tests".

A minor issue is also resolved with this migration. Suppose that the
vendor's speolicy version is {VER}. Then the following cil files are
compiled in runtime.

- system/etc/selinux/plat_sepolicy.cil
- system/etc/selinux/mapping/{VER}.cil
- system/etc/selinux/mapping/{VER}.compat.cil (optional)
- system_ext/etc/selinux/system_ext_sepolicy.cil (optional)
- system_ext/etc/selinux/mapping/{VER}.cil (optional)
- system_ext/etc/selinux/mapping/{VER}.compat.cil (optional)
- product/etc/selinux/product_sepolicy.cil (optional)
- product/etc/selinux/mapping/{VER}.cil (optional)
- product/etc/selinux/mapping/{VER}.compat.cil (optional)
- vendor/etc/selinux/vendor_sepolicy.cil
- vendor/etc/selinux/plat_pub_versioned.cil
- odm/etc/selinux/odm_sepolicy.cil (optional)

That is, the vendor policy of version {VER} (vendor_sepolicy.cil,
plat_pub_versioned.cil, and odm_sepolicy.cil) is required to be
compatible only to {VER}.compat.cil. So, the vendor policy is included
only to $(BOARD_SEPOLICY_VERS)_compat_test. The other tests will be
built only with platform side policies.

Bug: 33691272
Test: boot
Test: manually edit {ver}.compat.cil files and try build
Change-Id: I16b30a9171f10ee8f08fc03b7bd7c047eec12b19
2022-01-07 18:53:46 +09:00
Inseob Kim
2dac267dae Migrate seapp_contexts to Android.bp
Bug: 33691272
Test: build and boot
Test: atest SELinuxHostTest#testValidSeappContexts
Change-Id: I86f9d010d1628f9756cc152b4ee74dea1b9ff955
2021-12-29 17:54:57 +09:00
Inseob Kim
24401df041 Rename neverallow_test.go to sepolicy_neverallow
Because Go command line tooling assumes *_test.go files are tests and
not package sources.

Test: build
Change-Id: Ie332b89140b93c4ea448009cafa2556ef888497c
2021-12-29 04:58:17 +00:00
Inseob Kim
5bbcd68dcc Build recovery policy with Android.bp
Bug: 33691272
Test: enter recovery mode
Change-Id: Ifc38ed99e6615431d81ade76ec10ea4d34fbbf90
2021-12-28 17:51:51 +09:00
Inseob Kim
0de7fcc33a Migrate neverallow tests to Android.bp
A new module type se_neverallow_test is added, to migrate
sepolicy_neverallow modules. se_neverallow_test is affected by
SELINUX_IGNORE_NEVERALLOWS.

Bug: 33691272
Test: m selinux_policy
Test: intentionally create neverallow violations and m selinux_policy
Change-Id: I1582353f99f064ff78f3c547a0c13f2b772d54df
2021-12-28 10:23:22 +09:00
Inseob Kim
6d3d5a6daf Fix contexts modules to use android:"path"
For now, contexts modules have been using se_filegroup modules, which
makes the build system logic unnecessarily complex. This change
refactors it to se_build_files modules and normal `android:"path"`
logic.

Test: build and boot
Change-Id: I52e557e2dc8300186869a97fddfd3a74183473f7
2021-12-23 21:36:27 +09:00
Inseob Kim
3d5f9256a4 Perform permissive check on se_policy_binary
sepolicy is a module which outputs precompiled sepolicy and performs
permissive domain check on user builds. se_policy_binary module is
updated so it checks permissive domain in user builds.

sepolicy module is removed since we don't need it anymore. Instead,
precompiled_sepolicy is used.

Bug: 33691272
Test: build
Test: add "permissive adbd;" and build on aosp_arm64-user
Change-Id: I3dcf0c32d2fc1312dfceeee74894c08b38395d19
2021-12-23 21:34:29 +09:00
Inseob Kim
3ac62fe9f6 Build vendor/odm sepolicies with Android.bp
The following files are built with Android.bp:
- vendor_sepolicy.cil
- odm_sepolicy.cil
- prebuilt_sepolicy

Also, prebuilt_policy.mk is removed as it's now redundant.

Bug: 33691272
Test: build and compare artifacts
Test: build with rvc-dev sepolicy
Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-20 21:16:39 +09:00
Inseob Kim
95249165b5 Merge "Fix vendor contexts files in mixed build" 2021-12-10 12:13:36 +00:00
Inseob Kim
0a707fadb2 Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.

This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?

This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    // se_build_files automatically adds plat public and reqd mask
    srcs: [":se_build_files{.system_ext_public}"],
}

to:

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    // se_policy_conf automatically sorts the input files
    srcs: [
        ":se_build_files{.plat_public}",
        ":se_build_files{.system_ext_public}",
        ":se_build_files{.reqd_mask}",
    ],
}

Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-10 00:31:53 +09:00
Inseob Kim
7174ffec38 Fix vendor contexts files in mixed build
BOARD_PLAT_VENDOR_POLICY should be used for all vendor stuff, when in
mixed sepolicy build (BOARD_SEPOLICY_VERS != PLATFORM_SEPOLICY_VERSION).
This fixes an issue that system/sepolicy/vendor has been incorrectly
used in mixed sepolicy build.

Bug: 205924657
Test: Try AOSP + rvc-dev mixed sepolicy build
1) copy cuttlefish sepolicy prebuilts from rvc-dev branch.
2) set prebuilt variables:
  - BOARD_PLAT_VENDOR_POLICY
  - BOARD_REQD_MASK_POLICY
  - BOARD_(SYSTEM_EXT|PRODUCT)_PRIVATE_PREBUILT_DIRS
  - BOARD_SEPOLICY_VERS
3) lunch aosp_cf_x86_64_phone-userdebug; m selinux_policy
4) compare $OUT/vendor/etc/selinux with rvc-dev's artifacts.

Change-Id: I2ed1e25255c825c24dab99ae4903328b0400c414
2021-12-09 19:03:35 +09:00
Thiébaud Weksteen
b05a1a1f75 Migrate build/ to Python 3
Test: mm
Bug: 200119288
Change-Id: I0594074b9a74ec7272da325232e7bd8ec0ec705b
2021-12-08 10:03:00 +11:00
Yuntao Xu
42e732c861 Split property/file/service contexts modules
1. Splitted plat_property_contexts, plat_file_contexts, and
plat_service_contexts so they can be included by the
CtsSecurityHostTestCases module.

2. Add temporary seapp_contexts Soong module, which are needed by the
CtsSecurityHostTestCases, and makefile_goal is an interim solution before
migrating both of them to Soong.

Bug: 194096505
Test: m CtsSecurityHostTestCases
Change-Id: I99ba55b1a89f196b3c8504e623b65960a9262165
2021-11-19 18:23:12 +09:00
Vova Sharaienko
919fa4f9fc Merge "Revert "Split property and file contexts modules"" 2021-11-18 17:56:09 +00:00
Vova Sharaienko
bec08097c9 Revert "Split property and file contexts modules"
Revert "Convert security/Android.mk to Android.bp"

Revert "Add seapp_contexts to allowlist of makefile goal"

Revert submission 1795972-Convert security/Android.mk to Android.bp

Reason for revert: http://b/206976319 Broken build 7928060 on aosp-master on sdk_arm64-sdk
Reverted Changes:
I0e0e7f677:Split property and file contexts modules
I5596d6f00:Add seapp_contexts to allowlist of makefile goal
If685e5ccc:Convert security/Android.mk to Android.bp

Change-Id: Ibbca0a17886d15b3fd7ecaf974a06df7107fd9aa
2021-11-18 17:29:01 +00:00
Yuntao Xu
1b76673577 Merge "Split property and file contexts modules" 2021-11-18 17:05:46 +00:00
Yi-Yo Chiang
2c18965e27 Treblelize bug_map: split bug_map to multiple partitions
* plat_bug_map: Platform-specific bug_map definitions.
* system_ext_bug_map: Product-specific bug_map definitions.
* vendor_bug_map: SOC-specific bug_map definitions.

Bug: 177977370
Test: Boot and check auditd logs
Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
2021-11-08 22:44:34 +08:00
Inseob Kim
1b965988b7 Split property and file contexts modules
1. Splitted plat_property_contexts and plat_file_contexts so that they
can be included by the CtsSecurityHostTestCases module;
2. Add temporary seapp_contexts Soong module, which are needed by the
CtsSecurityHostTestCases, and makefile_goal is an interim solution before
migrating both of them to Soong.

Bug: 194096505
Test: m CtsSecurityHostTestCases
Change-Id: I0e0e7f6778d42ab2fdae3a181f40216fe6719e7c
2021-11-08 15:44:29 +09:00
Colin Cross
f82aed0daa Don't use AndroidMkEntries.Custom
There's nothing special in the Custom method supplied, replace it
with normal AndroidMkEntries fields.

Bug: 204136549
Test: m checkbuild
Change-Id: I624005d2ee313aaa60397749b0726e393a842618
2021-11-04 17:25:55 -07:00
Inseob Kim
b9d0511de4 Add se_policy_binary module
se_policy_binary module compiles cil files to sepolicy binary file.

Bug: 33691272
Test: build
Change-Id: Id20183d0ac797fc68356feaad9df0d0bccc81c14
2021-09-27 13:13:46 +00:00
Inseob Kim
d58166165a Migrate freeze test to Soong
Bug: 33691272
Test: m selinux_policy on sc-dev
Change-Id: Ie536d885034e5d888f1329ac189fd0bf9723a6c4
2021-09-16 05:08:56 +00:00
Paul Duffin
532bde121b Stop using deprecated functionality for managing path deps
This change stops using deprecated functionality and migrates this
repository's custom Soong code to support current practices to manage
path property related dependencies. i.e. when a property includes
something that looks like ":module".

ExtractSourcesDeps has been deprecated in favor of tagging properties
with `android:"path"` which will cause the pathDepsMutator to add the
dependencies automatically.

android.SourceDepTag has been deprecated as the underlying type needs
to be changed and this will no longer work for its current uses.

* ctx.GetDirectDepWithTag(moduleName, android.SourceDepTag) will not
  work to retrieve a reference to the module dependency added for
  path properties. GetModuleFromPathDep(ctx, moduleName, "") must be
  used instead.

* depTag == android.SourceDepTag can no longer be used to check to
  see if depTag was used to add a module dependency for a module
  reference in a path property without any output tag.
  IsSourceDepTagWithOutputTag(depTag, "") must be used instead.

Bug: 193228441
Test: m nothing
Change-Id: I307039612f0f2a541ac7dbfddd052ef78c290f60
2021-07-09 23:15:17 +01:00
Inseob Kim
31db274078 Call SkipInstall before InstallFile
InstallFile skips install only if SkipInstall is called before
InstallFile.

Bug: 190442286
Test: build/soong/scripts/build-ndk-prebuilts.sh
Change-Id: Ic497e34816ea5ac23be45e34c242b59bf1a01e28
2021-06-08 10:31:09 +09:00
Yo Chiang
bb8d0050d9 Merge "Revert "se_compat_cil: Prepend generated files with a header"" 2021-05-12 05:35:51 +00:00
Yo Chiang
7c3ecf1356 Revert "se_compat_cil: Prepend generated files with a header"
This reverts commit b44e506223.

Reason for revert: secilc is fixed by aosp/1701846, so the workaround is no longer needed

Bug: 183362912
Test: S GSI on R CF boot test
Change-Id: Ic73c7cea1ebe42b483049cbc29f192e738748894
2021-05-12 01:54:27 +00:00
Hridya Valsaraju
a885dd84c7 Revert "Revert "Add a neverallow for debugfs mounting""
This reverts commit f9dbb72654.
Issues with GSI testing fixed with
https://android-review.googlesource.com/c/platform/build/+/1686425/

Bug: 184381659
Test: manual
Change-Id: Icd07430c606e294dfaad2fc9b37d34e3dae8cbfc
2021-05-02 21:41:53 -07:00
Inseob Kim
6cc75f4587 Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp"
This reverts commit a46d61cd3f.

Reason for revert: fixed debug_ramdisk partition problem

Change-Id: If2350f115f5ff74ee50dac4e5a87c4d171067282
2021-04-30 14:53:25 +09:00
Inseob Kim
1c056b1ad0 Add sepolicy_vers for plat_sepolicy_vers.txt
plat_sepolicy_vers.txt stores the version of vendor policy. This change
adds sepolicy_vers module to migrate plat_sepolicy_vers.txt to
Android.bp.

- Device's plat_sepolicy_vers: should be BOARD_SEPOLICY_VERS
- Microdroid's plat_sepolicy_vers: should be PLATFORM_SEPOLICY_VERSION
because all microdroid artifacts are bound to platform

Bug: 33691272
Test: boot device && boot microdroid
Change-Id: Ida293e1cb785b44fa1d01543d52d3f8e15b055c2
2021-04-30 00:17:39 +09:00
Hridya Valsaraju
7362f58895 Merge changes from topic "revert-1668411-MWQWEZISXF"
* changes:
  Revert "Add a neverallow for debugfs mounting"
  Revert "Add neverallows for debugfs access"
  Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"
  Revert "Check that tracefs files are labelled as tracefs_type"
2021-04-23 22:06:31 +00:00
Hridya Valsaraju
f9dbb72654 Revert "Add a neverallow for debugfs mounting"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: Ie04d7a4265ace43ba21a108af85f82ec137c6af0
2021-04-23 16:38:20 +00:00
Treehugger Robot
f02af9d91c Merge "Revert^3 "Build userdebug_plat_sepolicy.cil with Android.bp"" 2021-04-23 13:09:24 +00:00
Inseob Kim
a46d61cd3f Revert^3 "Build userdebug_plat_sepolicy.cil with Android.bp"
e10ceab330

Change-Id: Ia1b38d6b709edb0e819ea4700e70ba68b1b61332
2021-04-22 23:14:58 +00:00
Florian Mayer
e10ceab330 Revert^2 "Build userdebug_plat_sepolicy.cil with Android.bp"
0177004c7f

Change-Id: I40aa5025d487922decd9909c0d35c9e3a6b8dd61
2021-04-22 16:38:47 +00:00
Bowgo Tsai
0177004c7f Revert "Build userdebug_plat_sepolicy.cil with Android.bp"
This reverts commit 57b64bd282.

Because it breaks the usage of boot-debug.img and
vendor_boot-debug.img.

Bug: 185970130
Bug: 185990198
Test: make bootimage_debug
Change-Id: I2c7c4f9954540a9be301b3ed0a6c2f0af2019803
2021-04-22 09:55:21 +08:00
Hridya Valsaraju
1c3d898d87 Add a neverallow for debugfs mounting
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs). This patch
adds a neverallow statement that prevents processes other than init
from being provided access to mount debugfs in non-user builds
when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I289f2d25662a78678929e29f83cb31cebd8ca737
2021-04-21 14:13:02 -07:00
Treehugger Robot
8d2bfafcf5 Merge "Build userdebug_plat_sepolicy.cil with Android.bp" 2021-04-15 05:22:35 +00:00
Yo Chiang
466964d401 Merge "se_compat_cil: Prepend generated files with a header" 2021-04-14 08:30:38 +00:00
Yi-Yo Chiang
b44e506223 se_compat_cil: Prepend generated files with a header
to ensure the file size is greater than 0, as secilc cannot handle
zero-sized cil files.

Fixes: 185256986
Bug: 183362912
Test: Forrest re-run broken test
Change-Id: Ief3039d38728fbeff67c6e39d6b15bddb006e5f8
2021-04-14 07:41:23 +00:00
Yo Chiang
86a8275378 Merge "Remove references to BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR" 2021-04-14 06:55:59 +00:00
Inseob Kim
57b64bd282 Build userdebug_plat_sepolicy.cil with Android.bp
Bug: 33691272
Test: build and see $OUT/debug_ramdisk
Change-Id: I7994857a3dd4e54f2c2d35ff8e362ecae93ea7a2
2021-04-14 15:54:26 +09:00
Yi-Yo Chiang
41c34d6a70 Add se_compat_cil module
Installs backwards compatibility cil files.

Bug: 183362912
Test: Presubmit
Test: Add a $(ver).compat.cil under SYSTEM_EXT_PRIVATE_SEPOLICY_DIR and
  verify the file is installed under /system_ext/etc/selinux/mapping/
Change-Id: I5e2c6b8dfa8df431edfe96f29daae463b130367f
2021-04-13 02:58:21 +08:00
Yi-Yo Chiang
40073d4c7f Remove references to BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR
These variables are deprecated.

Bug: 183362912
Test: Presubmit; Noop
Change-Id: I80db5342044a06feb1451fbe661989fe4d191e74
2021-04-12 20:01:35 +08:00
Inseob Kim
39fbcf7c96 Add plat_vendor tag to se_build_files for microdroid
plat_vendor tag consists of vendor available policies in system/sepolicy
directory, and is for minimized vendor policies.

Bug: 33691272
Test: boot microdroid
Change-Id: Icb3c1be02ee41b526d7d95f0053e56bf8b34f49d
2021-04-05 09:50:47 +00:00
Inseob Kim
ebe6f385da Add se_versioned_policy module
se_versioned_policy module wraps version_sepolicy and generates mapping
files with Android.bp.

Bug: 33691272
Test: build
Change-Id: Iaba499db39b1214ef7b1f59c58232ec85d7c3bcb
2021-03-25 16:41:53 +09:00
Inseob Kim
4360c1975f Add target_with_dexpreopt option to policy
It was missing when migrating definitions.mk to Android.bp module.

Test: m selinux_policy on sc-arc
Change-Id: I3c943440295bc9064d50e1a2f9025715c76b539e
2021-03-23 20:52:53 +09:00
Inseob Kim
df1a0dee63 Add se_policy_cil module to build cil policy
This adds a new module se_policy_cil. It will consume the policy.conf
file (usually built with se_policy_conf) and outputs a compiled cil
policy file, which will be shipped to devices.

Bug: 33691272
Test: try building se_policy_cil from se_policy_conf
Change-Id: I7a33ab6cb5978e1a7d991be7514305c5e9f8159b
2021-03-18 19:54:30 +09:00
Inseob Kim
7e8bd1e657 Add se_policy_conf module to build policy.conf
This adds a new soong module that transforms selinux policy files to
policy.conf file. It uses m4 macro with various variables, and replaces
transform-policy-to-conf macro in system/sepolicy/definitions.mk.

The module will be used when building:
- policy cil files shipped to the device
- CTS tests that needs general_policy.conf

Bug: 33691272
Test: try building se_policy_conf with se_build_files
Change-Id: Ie1082a8193c2205992b425509b9d5bfa4b495b2f
2021-03-18 19:52:09 +09:00
Inseob Kim
619e4a7a82 Add se_build_files module
se_build_files module globs given srcs from sepolicy directories and
acts as a filegroup with the following tags, which can be used to build
system side policy files.

- plat
- plat_public
- system_ext
- system_ext_public
- product
- product_public
- reqd_mask

se_build_files module acts like the build_policy macro in Android.mk.
Normal genrule module can't easily handle that, because both file order
and directory order matter.

Support for vendor/odm is to be added in the future.

Bug: 33691272
Test: inspect se_build_files with above tags and compare it to ninja
Change-Id: Id7c57b01c78fc14ac5e8eeeb074a6fc21d271e84
2021-03-16 10:22:09 +09:00
Inseob Kim
2bcc045724 Check vendor_property_contexts namespaces
For devices launching with Android Q or later, vendor_property_contexts
and odm_property_contexts should only contain vendor and odm properties.
This checks property_contexts files in build time.

To temporarily disable this check, users can set
BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk. But
VTS is still enforced, so users will have to fix the violations anyway.

Bug: 175526482
Test: m vendor_property_contexts after making violations
Change-Id: I99d6fff9033d78e1d276eed2682a2719dab84ae2
2021-02-17 12:41:38 +09:00
Bob Badour
601ebb43a3 [LSC] Add LOCAL_LICENSE_KINDS to system/sepolicy
Added SPDX-license-identifier-Apache-2.0 to:
  build/Android.bp
  build/soong/Android.bp
  tests/Android.bp
  tools/Android.bp

Added SPDX-license-identifier-Apache-2.0 legacy_unencumbered to:
  Android.bp
  Android.mk
  compat.mk
  contexts_tests.mk
  mac_permissions.mk
  seapp_contexts.mk
  treble_sepolicy_tests_for_release.mk

Added legacy_unencumbered to:
  apex/Android.bp
  tools/sepolicy-analyze/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: I1ab286543ef1bdcb494cf74f2b35e35a08225d28
2021-02-05 01:28:24 -08:00
Inseob Kim
fa6fe474f0 Remove mutator and use standard variant functions
As image variants are now supported directly by android.Module, this
removes a custom mutator in selinux_contexts and uses image variant
functions in android.Module.

InRecovery and InstallInRecovery may be confusing. But refactoring it is
out of scope for this CL.

Test: compare out/soong/build.ninja before and after
Change-Id: I9ebf665a1d50d24bb4e5568a4fd1af4c4eb02c90
2021-02-03 10:53:18 +09:00
Inseob Kim
3a3539a27b Allow sysprop library API files to be missing
If sysprop library contains only internal properties, the API txt file
will be empty. This allows the API files to be missing in such cases to
turn off API-Review bit.

Bug: 177036449
Test: manual test
Change-Id: I9792e46ce6d19e65ee83cb055f76069063bec281
2021-01-15 18:10:29 +09:00
Bob Badour
4eeb6a2eac Revert^2 "Export soong license data to make."
56f419d6c8

Change-Id: I5eebdea9dc8b6f3be1cda23225733df0d78cbbdc
2021-01-06 20:50:49 -08:00
Bob Badour
1135fd71cd Merge "Revert "Export soong license data to make."" 2021-01-06 19:17:44 +00:00
Jerome Gaillard
56f419d6c8 Revert "Export soong license data to make."
Revert "Add ability to declare licenses in soong."

Revert submission 1377717-metalics

Reason for revert: This has broken renderscript_mac target for aosp-master, see b/176909442

Reverted Changes:
I26ac54ca9:Define the standard license_kind rules.
I656486070:Export soong license data to make.
If9d661dfc:Export soong license data to make.
I97943de53:Add ability to declare licenses in soong.
Icaff40171:Rough-in license metadata support to make.
Ib8e538bd0:Add variables for notice deps, license kinds etc.

Change-Id: I9af3727fba03f6b40cd6d77c7e259ef4c9b7f29d
2021-01-06 19:00:05 +00:00
Bob Badour
c182ed7f74 Merge "Export soong license data to make." 2021-01-06 18:08:06 +00:00
Inseob Kim
8ada8a7c1b Support building mixed versions of sepolicy
Now newer system policy and older vendor policy can be built together by
setting following variables:

- BOARD_SEPOLICY_VERS
- BOARD_REQD_MASK_POLICY (copy of older system/sepolicy/reqd_mask)
- BOARD_PLAT_VENDOR_POLICY (copy of older system/sepolicy/vendor)
- BOARD_(SYSTEM_EXT|PRODUCT)_(PUBLIC|PRIVATE)_PREBUILT_DIRS (copy of
  older system_ext and product policies)

Bug: 168159977
Test: try normal build and mixed build
Test: boot and check selinux denials
Change-Id: Ie239580433ffd293fa6891cd665fb5ef83c0a14f
2021-01-06 10:46:15 +09:00
Bob Badour
bd8ca4af30 Export soong license data to make.
Bug: 151953481
Bug: 151177513
Bug: 67772237
Change-Id: I656486070103a2aeaab0e8cbfb3a0af097af8aa8
2021-01-05 08:42:48 -08:00
Colin Cross
242c8bc876 Follow argument changes to RuleBuilder
Pass pctx and ctx to NewRuleBuilder instead of RuleBuilder.Build,
and don't pass ctx to RuleBuilderCommand.BuiltTool.  Follows the
changes in I63e6597e19167393876dc2259d6f521363b7dabc.

Test: m checkbuild
Change-Id: I372e8ecc3c4ea7ca8f66a8e1054eddd1a9af9dbd
2020-11-30 20:22:31 -08:00
Treehugger Robot
9a0cff4756 Merge "build: Rename Plat->SystemExt*SepolicyDirs" 2020-10-12 03:49:24 +00:00
Janis Danisevskis
c40681f1b5 Add libselinux keystore_key backend.
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.

Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-08-05 16:11:48 +00:00
Felix
e0421d3746 build: Rename Plat->SystemExt*SepolicyDirs
Depends on changes in build/soong and build/make.

Make it more consistent with the change of `BOARD_PLAT_*`
behaviour and prepares introduction of
`SYSTEM_EXT_{PUBLIC,PRIVATE}_SEPOLICY_DIRS`.

Test: `make selinux_policy`with `BOARD_PLAT_PUBLIC_SEPOLICY_DIR` and
     `BOARD_PLAT_PRIVATE_SEPOLICY_DIR` set.

Signed-off-by: Felix <google@ix5.org>
Change-Id: I9885f0594da9b76ee51386a980dfa76af98e2171
2020-05-17 18:17:47 +02:00
Felix
0d6864aebd build/file_utils: Newline for mapping files
Previous behaviour:
Test: Set `PRODUCT_PUBLIC_SEPOLICY_DIRS`, causing
      `product_sepolicy.cil` and `product_mapping_file` to
      be generated. Do not use any `type` declarations that
      would require a mapping in product sepolicy, e.g. only
      define macros.
      Run `make selinux_policy`, observe error:
```
FAILED: out/target/product/mydevice/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil
/bin/bash -c "(out/host/linux-x86/bin/version_policy -b out/target/product/mydevice/obj/FAKE/sepolicy_neverallows_intermediates/pub_policy.cil -t out/target/product/mydevice/obj/FAKE/sepolicy_neverallows_intermediates/pub_policy.cil -n 10000.0 -o out/target/product/mydevice/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil ) && (out/host/linux-x86/bin/secilc -m -M true -G -N -c 30 		out/target/product/mydevice/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil  out/target/product/mydevice/obj/ETC/product_sepolicy.cil_intermediates/product_sepolicy.cil out/target/product/mydevice/obj/ETC/plat_mapping_file_intermediates/10000.0.cil  out/target/product/mydevice/obj/ETC/product_mapping_file_intermediates/10000.0.cil out/target/product/mydevice/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil -o /dev/null -f /dev/null )"
Failure reading file: out/target/product/mydevice/obj/ETC/product_mapping_file_intermediates/10000.0.cil
```
This is caused by `secilc.c` trying to read the empty file:
```
rc = fread(buffer, file_size, 1, file);
```

Fix: Append a newline to make sure any file processed by
`filter_out` is still readable by secilc.

After:
Test: `make selinux_policy` with same preconditions.

Signed-off-by: Felix <google@ix5.org>
Change-Id: I6dcfcccdfa83121bbdc09632f7a2b609ef932fc9
2020-03-31 17:56:49 +02:00
Inseob Kim
cd6164933f Implement sysprop type checker
sysprop type checker compares a sysprop_library API file and
property_contexts files, and detects if there are any mismatches of
property types. For example, the following snippets are detected.

// foo.sysprop
prop {
prop_name: "ro.foo.bar"
type: Integer
...
}

// property_contexts
ro.foo.bar u:object_r:foo_prop:s0 exact string

"ro.foo.bar" is an Integer in .sysprop file, but it's a string in
property_contexts file.

Bug: 151879375
Test: sysprop_test
Test: run "m PlatformProperties" and see existing mismatches.
Change-Id: Ieb9965d14b8c90cfc730c3d20d95a28ecaabeba4
2020-03-25 11:13:29 +09:00
Felix
342b58a2ee property_contexts: Drop COMPATIBLE_PROP guard
public/property_contexts needs to be included regardless of
API level so that the property *labels* are always included.
Else, devices without PRODUCT_COMPATIBLE_PROPERTY (shipping
API level <27) will run into denials because the props are
labeled `default_prop`.

As a side benefit, this reduces deviation in test matrices.

The guard was originally introduced in:
e49714542e "Whitelist exported platform properties"

Test: Build for device without PRODUCT_COMPATIBLE_PROPERTY,
no more denials for accessing `default_prop` from e.g. HALs.

Change-Id: I5bbe5d078040bb26dd48d353953661c9375d2009
Signed-off-by: Felix <google@ix5.org>
2020-03-02 16:28:38 +01:00
Tri Vo
6117855015 sepolicy: support /system_ext and /product mapping files
Install mapping files in SYSTEM_EXT_PRIVATE_POLICY and
PRODUCT_PRIVATE_POLICY into /system_ext and /product respectively.

Bug: 141084341
Test: boot taimen
Test: system mapping files are unchanged
Test: create mapping files in device/google/wahoo/sepolicy/ and check
that they are correctly expanded and installed.
Change-Id: I4d251c957b30a16df71eec47c871e24e5fc773a4
2019-10-11 12:32:12 -07:00
Colin Cross
040f151c3b Follow introduction of InstallPath and InstallInRoot
PathForModuleInstall now returns an InstallPath and supports an
InstallInRoot method to install into $OUT/recovery/root.

Bug: 141877526
Test: m checkbuild
Change-Id: I2c63024336e195e772171a24cb8d2a5b61663e61
2019-10-02 16:25:43 -07:00
Bowgo Tsai
86a048d4df Separate system_ext_file_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I09f63771d08ad18fb41fca801dd587b086be58c7
2019-09-26 21:28:07 +08:00
Dan Willemsen
3c3e59b2a2 Use prebuilt m4 instead of system m4
Bug: 117561006
Test: treehugger
Change-Id: Id794aed10fdffef10490561d2cfeb2a92801b331
2019-06-19 10:59:57 -07:00
Inseob Kim
b554e594ca Build contexts files with Soong
This is to migrate sepolicy Makefiles into Soong. For the first part,
file_contexts, hwservice_contexts, property_contexts, and
service_contexts are migrated. Build-time tests for contexts files are
still in Makefile; they will also be done with Soong after porting the
module sepolicy.

The motivation of migrating is based on generating property_contexts
dynamically: if we were to amend contexts files at build time in the
future, it would be nicer to manage them in Soong. To do that, building
contexts files with Soong can be very helpful.

Bug: 127949646
Bug: 129377144
Test: 1) Build blueline-userdebug, flash, and boot.
Test: 2) Build blueline-userdebug with TARGET_FLATTEN_APEX=true, flash,
and boot.
Test: 3) Build aosp_arm-userdebug.

Change-Id: I576f6f20686f6f2121204f76657274696d652121
2019-04-25 09:59:28 +09:00
Colin Cross
4f78d19ddc Fix package path of android/soong/android pctx
android/soong/common was renamed to android/soong/android long
ago, but the pctx package path was still "android/soong/common".
This required all users of rules defined in android/soong/android
to import "android/soong/android" and then
pctx.Import("android/soong/common").

Test: m checkbuild
Change-Id: Ic9e8bf25e76dbd61bb1cb1d0e7d095e73c0f279b
2019-04-02 16:22:59 -07:00
Tri Vo
d57789fde8 Replace "grep -f" with python util.
grep can potentially run out of memory on Mac builds for large input
files. So we add a python util to handle filtering out files.

We will also need this util to filter plat_sepolicy.cil out of
product_sepolicy.cil

Bug: 119305624
Test: boot aosp_taimen
Change-Id: I61cd68f407ea5de43a06bf522a5fc149e5067e8c
2018-12-17 16:57:57 -08:00
Tri Vo
438684b39f Only maintain maps between current and previous selinux versions.
New maintenance scheme for mapping files:
Say, V is the current SELinux platform version, then at any point in time we
only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1)
and bottom (V-n+1->V-n) without changes to previously maintained mapping files.

Caveats:
- 26.0.cil doesn't technically represent 27.0->26.0 map, but rather
current->26.0. We'll fully migrate to the scheme with future releases.

Bug: 67510052
Test: adding new public type only requires changing the latest compat map
Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8
2018-10-02 15:10:13 -07:00
Tri Vo
111cdce6ac Account for multiple BOARD_PLAT_PUBLIC[PRIVATE]_SEPOLICY_DIR dirs
After https://android-review.googlesource.com/688488
BOARD_PLAT_PUBLIC[PRIVATE]_SEPOLICY_DIR can now specify multiple
directories.

Bug: n/a
Test: build sepolicy
Change-Id: Ie2af81a4f9462cd05352db71fd1e515531d42334
2018-05-22 09:25:07 -07:00
Tri Vo
84e247abeb Soong module for selinux files including board-specific directories.
se_filegroup is used to export selinux files from board-specific
directories (e.g. device/google/wahoo/sepolicy).

Use se_filegroup module to export partner extension of compatibility
mapping to build logic in system/sepolicy.

Bug: 33691272
Bug: 74669108
Test: .cil mapping files can be correctly added from vendor directory.
Change-Id: Iaa2a95d0e326cb03a478fc12c1a14ba40e57e117
2018-05-08 11:28:47 -07:00
Tri Vo
a5cfd3e537 Soong module selinux compat maps
And migrate 26.0.cil and 27.0.cil build targets from Android.mk to
Android.bp

Bug: 33691272
Test: 26.0.cil and 27.0.cil mapping files on the device are unchanged.
Change-Id: Id0ea45c149e096996bc0657615ea98915df3c9e1
2018-05-08 11:28:47 -07:00
Bowgo Tsai
741a70a058 Using a python script to build sepolicy
Current sepolicy CIL files are built by several command-line tools
in Android.mk. This change extracts some of the build logic into a
python script to relief the effort in Android.mk.

The first command is `build_sepolicy build_cil`. It's possible to add
more sub-commands under the build_sepolicy script in the future.

Bug: 64240127
Test: build bullhead/taimen
Change-Id: Ie0ae4fc5256a550c72954cde5d5dd213a22d159a
2018-02-05 18:22:12 +08:00
Bowgo Tsai
d0cbb90509 Revert "Using a python script to build sepolicy"
This reverts commit 3506ad3f31.
Fix angler/bullhead boot failure.

Bug: 72787689
Test: build
2018-02-02 08:00:38 +08:00
Bowgo Tsai
3506ad3f31 Using a python script to build sepolicy
Current sepolicy CIL files are built by several command-line tools
in Android.mk. This change extracts some of the build logic into a
python script to relief the effort in Android.mk.

The first command is `build_sepolicy build_cil`. It's possible to add
more sub-commands under the build_sepolicy script in the future.

Bug: 64240127
Test: build and boot a device
Test: checks the content of $OUT/vendor/etc/selinux/vendor_sepolicy.cil
      is the same as before
Change-Id: I0b64f1088f413172e97b579b4f7799fa392762df
2018-01-31 14:37:47 +08:00