We are compiling regex more than 300000 times, and it's a main
bottleneck for slow sepolicy_tests. Actually we don't need to compile
regex that much; most of cases can be handled by simple string
comparison. This change introduces heuristics for optimization.
Bug: 301874100
Test: verified that return values of MatchPathPrefix are not changed.
Test: run cProfile, before and after.
Before
ncalls tottime percall cumtime percall filename:lineno(function)
21951 0.923 0.000 56.491 0.003 policy.py:33(MatchPathPrefix)
After
ncalls tottime percall cumtime percall filename:lineno(function)
21951 0.078 0.000 1.159 0.000 policy.py:40(MatchPathPrefix)
Change-Id: I1ebad586c2518e74a8ca67024df5e77d068e3ca5
Rationale for this change:
1) Vendors use only public files, so we should be able to use only
public cil files for compatibility test.
2) treble_sepolicy_tests_for_release.mk is too complex, because it
requires compiled sepolicy. Reducing the complexity will help migrate
into REL build.
3) This fixes a tiny bug of treble_sepolicy_tests that it can't catch
public types being moved to private types, and then removed. 29.0.cil
and 30.0.cil change contains such missing public types.
Bug: 296875906
Test: m selinux_policy (with/without intentional breakage)
Change-Id: Ia2c0733176df898f268b5680195da25b588b09c7
For now, freeze_test compares prebuilts against sources with diff, to
ensure that sources are identical to prebuilts. However, it could be the
case that the branch should be able to build both REL and ToT. In that
case, changes to the sources are inevitable and the freeze test will
fail.
To fix the issue, freeze_test will now only check compatibility. To be
specific, it will check if any public types or attributes are removed.
Contexts files and neverallow rules are not checked, but they may be
added later. Also to support the new freeze_test
- build_files module is changed to use glob (because REL version won't
be in compat versions list)
- plat_pub_policy modules are added under prebuilts/api (because
freeze_test needs that)
Bug: 296875906
Test: m selinux_policy
Change-Id: I39c40992965b98664facea3b760d9d6be1f6b87e
It fails in the build/test server due to `match` usage.
Bug: 277586190
Test: atest apex_sepolicy_tests_test
Change-Id: I34c90bae0f555042c8a4cc9308e9b7e1885d3b72
This is to prevent common mistakes when building an APEX. For example,
etc/vintf should be read-able by servicemanager.
Bug: 267269895
Test: apex_sepolicy_tests -f <(deapexer list --dir -Z foo.apex)
Test: atest apex_sepolicy_tests_test
Change-Id: I2e86096add1bb4c9daa0e841b10732c16a09efa3
To generate compat files, we need:
- base plat sepolicy
- old plat sepolicy
- base plat pub sepolicy
- mapping file from the device
- latest compat files
Generator now triggers the build system itself to get necessary base
files, and then uses the artifacts to extract new types and removed
types.
For the next step, the new/removed types will be mapped to old types,
based on the latest compat files.
Bug: 214336258
Test: sepolicy_generate_compat --branch sc-v2-dev --target-version \
32.0 --latest-version 31.0 -vvvv --build latest
Change-Id: I1f228233c1e3638e78bc0630ae51e48667a12ef5
In general, it appears that libselinux and libsepol interpret paths and
contexts as bytes. For instance, selabel_file(5) mentions about the path
field of file_contexts:
Strings representing paths are processed as bytes (as opposed to
Unicode), meaning that non-ASCII characters are not matched
by a single wildcard.
libsepol also uses primitives such as strchr[1], which explicitly
operate at the byte level (see strchr(3)). However, practically, Android
paths and contexts all uses ASCII characters.
Use the str type (i.e., Unicode) for all Python code to avoid a larger
refactoring. Ensure we convert to bytes for inputs and outputs of
libsepolwrap.so. The encoding "ascii" is used, which will raise an error
should a context or type contain non-ASCII characters.
Update headers to match development/docs/copyright-templates.
[1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libsepol/src/context_record.c;l=224;drc=454466e2e49fd99f36db78396e604962b8682cb4
Bug: 200119288
Test: lunch aosp_bramble-userdebug && m
Test: atest --host fc_sort_test
Test: manually run searchpolicy
Change-Id: I72d41a35f90b2d4112e481cd8d7408764a6c8132
Clean up fc_sort to facilitate the migration to Python3. Use PEP8 for
naming scheme.
Test: atest --host fc_sort_test
Bug: 200119288
Change-Id: Ia2c40a850a48ec75e995d5233b5abaae10917a89
For devices launching with Android Q or later, vendor_property_contexts
and odm_property_contexts should only contain vendor and odm properties.
This checks property_contexts files in build time.
To temporarily disable this check, users can set
BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk. But
VTS is still enforced, so users will have to fix the violations anyway.
Bug: 175526482
Test: m vendor_property_contexts after making violations
Change-Id: I99d6fff9033d78e1d276eed2682a2719dab84ae2
This is dlopened by sepolicy_tests, which uses embeds the python
interpreter built from our tree. That python interpreter links against
the shared version of libc++, so mixing it with this static copy was
causing segfaults on Mac 10.15 (but apparently not elsewhere).
Test: SANITIZE_HOST=address m treble_sepolicy_tests
Test: `m` on Mac 10.15
Change-Id: I31744acd018ea4c980c46a9979bbad17ae1c4f68
New maintenance scheme for mapping files:
Say, V is the current SELinux platform version, then at any point in time we
only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1)
and bottom (V-n+1->V-n) without changes to previously maintained mapping files.
Caveats:
- 26.0.cil doesn't technically represent 27.0->26.0 map, but rather
current->26.0. We'll fully migrate to the scheme with future releases.
Bug: 67510052
Test: adding new public type only requires changing the latest compat map
Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8
Two areas need better coverage:
1. Tests are not verifying that files in /data/vendor do not have the
core_data_file_type attribute.
2. No error is thrown if a type lives in both /data/vendor
/data/<not vendor>.
Bug: 72998741
Test: build all selinux policies on master (assert build time tests)
Test: build and boot Marlin and Taimen, verify no selinux denials and
everything works as expected.
Change-Id: I133a068123139a599b9b81ddcc254616894621eb
(cherry picked from commit 55d5e28472)
Bug: 37008075
Test: build, all tests pass. Modify some attributes locally to
cause tests to fail (verify that they are actually working).
Change-Id: If9f9ece61dff835f38ef9c8a57f5a7baddbae5cd
This is a necessary for enforcing these tests in CTS.
Bug: 37008075
Test: build
Change-Id: I36b4ce71c26a0ba01cd0289fe363f0a9f7db1214
(cherry picked from commit 8d614b3f81)
With project Treble, we're relying heavily on attributes for
permission inheritance and enforcement of separation between
platform and vendor components.
We neead tests that verify those attributes are correctly applied.
This change adds the framework for those tests including a wrapper
around libsepol for loading and querying policy, and a python module
for running tests on policy and file_contexts.
Included with the testing framework is a test asserting that the
coredomain attribute is only applied to core processes. This
verification is done using the following rules:
1. Domain's entrypoint is on /system - coredomain
2. Domain's entrypoint is on /vendor - not coredomain
3. Domain belongs to a whitelist of known coredomains - coredomain
In a subsequent commit these tests will be applied at build time.
However, I first need to fix existing Treble violations exposed by
this test. These tests will also be applied during CTS.
Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \
treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \
-f $OUT/vendor/etc/selinux/nonplat_file_contexts \
-f $OUT/system/etc/selinux/plat_file_contexts
Bug: 37008075
Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9
(cherry picked from commit 0366afdf14)
