Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.
Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.
Test: build sepolicy for all targets in master (this is a build time
test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
(cherry picked from commit bdd454792d)
vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.
Bug: 62875318
Test: boot walleye
Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Bug: 37008075
Test: build, all tests pass. Modify some attributes locally to
cause tests to fail (verify that they are actually working).
Change-Id: If9f9ece61dff835f38ef9c8a57f5a7baddbae5cd
This is a necessary for enforcing these tests in CTS.
Bug: 37008075
Test: build
Change-Id: I36b4ce71c26a0ba01cd0289fe363f0a9f7db1214
(cherry picked from commit 8d614b3f81)
With project Treble, we're relying heavily on attributes for
permission inheritance and enforcement of separation between
platform and vendor components.
We neead tests that verify those attributes are correctly applied.
This change adds the framework for those tests including a wrapper
around libsepol for loading and querying policy, and a python module
for running tests on policy and file_contexts.
Included with the testing framework is a test asserting that the
coredomain attribute is only applied to core processes. This
verification is done using the following rules:
1. Domain's entrypoint is on /system - coredomain
2. Domain's entrypoint is on /vendor - not coredomain
3. Domain belongs to a whitelist of known coredomains - coredomain
In a subsequent commit these tests will be applied at build time.
However, I first need to fix existing Treble violations exposed by
this test. These tests will also be applied during CTS.
Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \
treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \
-f $OUT/vendor/etc/selinux/nonplat_file_contexts \
-f $OUT/system/etc/selinux/plat_file_contexts
Bug: 37008075
Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9
(cherry picked from commit 0366afdf14)