Commit graph

234 commits

Author SHA1 Message Date
Jeff Vander Stoep
c85b859648 Run Treble sepolicy tests at build time
am: 1fc0682ec6

Change-Id: I5f6adf8043686e1dbc5327b6845d710e6f673256
2017-06-06 03:54:42 +00:00
Jeff Vander Stoep
1fc0682ec6 Run Treble sepolicy tests at build time
Bug: 37008075
Test: build policy on Marlin
Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544
(cherry picked from commit e1ddc6df75)
2017-06-05 08:09:32 -07:00
Dan Cashman
11b239f0b0 Merge changes I397ca4e7,I38efe224 into oc-dev
am: 33d7e90b51

Change-Id: I72b51db1d65df6a82b396187e982df1e4336c6be
2017-05-26 02:46:50 +00:00
Dan Cashman
51455fe977 Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir.
These directories were added to allow for partner extensions to the
android framework without needing to add changes to the AOSP global
sepolicy.  There should only ever be one owner of the framework and
corresponding updates, so enforce this restriction to prevent
accidental accrual of policy in the system image.

Bug: 36467375
Test: Add public and private files to policy and verify that they are
added to the appropriate policy files.  Also test that specifying
multiple directories for public or private results in an error.

Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
Merged-In: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
(cherry picked from commit 1633da06af)
2017-05-25 22:10:45 +08:00
Dan Cashman
1b0a71f308 Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS
Add new build variables for partner customization (additions) to platform sepolicy.
This allows partners to add their own policy without having to touch the AOSP sepolicy
directories and potentially disrupting compatibility with an AOSP system image.

Bug: 36467375
Test: Add public and private files to sailfish policy and verify that they are
added to the appropriate policy files, but that the policy is otherwise identical.
Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS
to trigger use of prebuilt mapping files and verify that they are appropriately
combined and built in policy.

Change-Id: I38efe2248520804a123603bb050bba75563fe45c
Merged-In: I38efe2248520804a123603bb050bba75563fe45c
(cherry picked from commit f893700c73)
2017-05-25 22:10:36 +08:00
Ian Pedowitz
ed4841cea0 Merge "Revert "Revert "O is API 26""" into oc-dev
am: 0f406a7a7f

Change-Id: I39ba184fe5b89a6cace60a4ea31f42e3e9940fce
2017-05-16 04:07:21 +00:00
Ian Pedowitz
998c2ff9d5 Merge "Revert "O is API 26"" into oc-dev
am: 47859a9370

Change-Id: I3ec67ae45f165601f22f7ebb446fc626300ee1b6
2017-05-04 00:18:37 +00:00
Ian Pedowitz
4816b8f00a Revert "Revert "O is API 26""
This reverts commit 6b04a961b4.

Bug: 37480230
Bug: 37896931
Bug: 37355569
Change-Id: I24ee1b4f0f23262cae25b2f575da9f16f4ebec34
2017-05-04 00:09:57 +00:00
Ian Pedowitz
6b04a961b4 Revert "O is API 26"
This reverts commit 8713882bb8.

Reason for revert:  b/37355569

Bug: 37480230
Bug: 37896931
Bug: 37355569
Change-Id: Ic07d948fd0b4a0a8434e1f4f0c8e559c4258cf5e
2017-05-03 22:00:06 +00:00
Michael Wright
a51923896a Merge "O is API 26" into oc-dev
am: 7cc3f0a909

Change-Id: Ie5fbe081e35116ee4751b43f323b83ac56993870
2017-05-02 22:17:43 +00:00
Michael Wright
8713882bb8 O is API 26
Bug: 37480230
Bug: 37896931
Test: build, boot
Change-Id: Ib8d4309d37b8818163a17e7d8b25155c4645edcf
2017-05-02 20:50:49 +01:00
Andreas Gampe
3ddc78b132 Sepolicy: Disable leak sanitizer for checkpolicy
Temporary workaround.

Bug: 37755687
Test: ASAN_OPTIONS= SANITIZE_HOST=address m
Change-Id: I001a42ea6463a1e137e1f5328755596f986323de
2017-04-28 17:52:35 +00:00
Jeff Vander Stoep
5edd96d915 Android.mk: fix dependency typo
Bug: 37646565
Test: build marlin-userdebug
Change-Id: I3325d027fa7bdafb48f1f53ac052f2a68352c1dc
2017-04-24 16:49:41 -07:00
Jeff Vander Stoep
b87876937b Retain neverallow rules in CIL files
Fixes issue where attributes used exlusively in neverallow
rules were removed from policy.

For on-device compile use the -N flag to skip neverallow tests.

Policy size increases:
vendor/etc/selinux/nonplat_sepolicy.cil 547849 -> 635637
vendor/etc/selinux/precompiled_sepolicy 440248 -> 441076
system/etc/selinux/plat_sepolicy.cil    567664 -> 745230

For a total increase in system/vendor: 266182.

Boot time changes:
Pixel uses precompiled policy so boot time is not impacted.
When forcing on-device compile on Marlin selinux policy compile
time increases 510-520 ms -> 550-560 ms.

Bug: 37357742
Test: Build and boot Marlin.
Test: Verify both precompiled and on-device compile work.
Change-Id: Ib3cb53d376a96e34f55ac27d651a6ce2fabf6ba7
2017-04-24 13:43:22 -07:00
Jeff Vander Stoep
748cae865d secilc: expand generated attributes on non-treble devices
Attributes added to the policy by the policy compiler are causing
performance issues. Telling the compiler to expand these
auto-generated attributes to their underlying types prevents
preemtion during policy lookup.

Bug: 3650825
Test: Build and boot Bullhead
Change-Id: I9a33f5efb1e7c25d83dda1ea5dfe663b22846a2f
2017-04-14 22:37:09 -07:00
Jeffrey Vander Stoep
9bdb66b25c Merge "secilc: expand generated attributes" into oc-dev 2017-04-13 18:11:08 +00:00
Martijn Coenen
f6daa78a82 Merge "Add hwservice_contexts and support for querying it." into oc-dev 2017-04-13 03:34:48 +00:00
Martijn Coenen
3ea47b9249 Add hwservice_contexts and support for querying it.
hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.

Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.

Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.

Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
2017-04-12 18:07:12 -07:00
Jeff Vander Stoep
ac171b4437 secilc: expand generated attributes
Attributes added to the policy by the policy compiler are causing
performance issues. Telling the compiler to expand these
auto-generated attributes to their underlying types prevents
preemtion during policy lookup.

With this patch the number of attributes in policy drops from
845 to 475. The number of attributes assigned to the bluetooth domain
drops from 41 to 11.

Bug: 3650825
Test: Build and boot Marlin
Change-Id: Ica06e82001eca323c435fe13c5cf4beba74999e2
2017-04-12 17:01:54 -07:00
Dan Cashman
4d24a77551 Fix build part 2. Always create platform_mapping_file.
commit 552fb53712 fixed an undefined
module error by removing the module when not defined (on non-treble
devices), but the sepolicy build on non-treble devices was changed
to rely on the split treble files, even though the split is not used.
Change this so that the file is always present, to allow policy
compilation.

Test: policy fully builds.
Change-Id: Ia0934c739336cea54228bbff8d6644aa3ae501e5
2017-04-12 14:28:34 -07:00
Dan Cashman
552fb53712 Fix build: encase $(platform_mapping_file) module in treble block.
Specifying an empty module causes a build error, so make sure that
if there is no $(platform_mapping_file) the MODULE is not included.

Test: Makefiles parsed without error.
Change-Id: Ie99e6534c388a3d42bf90cdfef5ee64d5c640fa0
2017-04-12 14:06:30 -07:00
Dan Cashman
6bf50e5c14 Remove BOARD_SEPOLICY_VERS_DIR build variable.
The original purpose of BOARD_SEPOLICY_VERS_DIR was to allow the
specification of an alternate platform public policy, primarily for
testing purposes.  This should not be a part of the released platform,
since the only public policy and corresponding mapping file construction
should be based on the current public platform policy, with compatibility
with vendor policy targeting previous versions provided by static mapping
files.  Its continued presence muddles the generation of mapping files by
potentially introducing a situation in which an incorrect mapping file is
generated.  Remove it.

Bug: 36783775
Test: Device boots with compiled SELinux policy (SHA256s don't match for
precompiled policy).

Change-Id: I9e2100a7d709c9c0949f4e556229623961291a32
2017-04-12 11:12:17 -07:00
Dan Cashman
c8d4535cc2 Change recovery to static platform-only compilation.
Recovery is not meant to be versioned in the treble model, but rather
provided as part of the platform/framework component and self-sufficient.
Simplify its compilation by removing the attribute versioning steps, but
maintain device-specific policy, which is currently required for full
functionality.

Bug: 37240781
Bug: 36783775
Test: recovery boots and is able to select commands.  Also tried:
reboot system, boot to bootloader, factory reset, sideload, view logs,
run graphics test, and power off.

Change-Id: I637819844d9a8ea5b315404f4abd03e8f923303a
2017-04-12 11:01:00 -07:00
Dan Cashman
4f9a648e90 Change mapping file name to reflect its platform version.
As the platform progresses in the split SELinux world, the platform
will need to maintain mapping files back to previous platform versions
to maintain backwards compatibility with vendor images which have SELinux
policy written based on the older versions.  This requires shipping multiple
mapping files with the system image so that the right one can be selected.
Change the name and location of the mapping file to reflect this.  Also add
a file to the vendor partition indicating which version is being targeted that
the platform can use to determine which mapping file to choose.

Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.

Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4
2017-04-12 09:16:51 -07:00
Dan Cashman
6f14f6b7d9 Add PLATFORM_SEPOLICY_VERSION.
Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent
the platform sepolicy of the form "NN.m" where "NN" mirrors the
PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is
incremented with every policy change that requires a new backward-compatible
mapping file to be added to allow for future-proofing vendor policy against
future platform policy.

Bug: 36783775
Test: Device boots when sha256 doesn't match and compilation is forced.
Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
2017-04-10 09:59:19 -07:00
TreeHugger Robot
8612307083 Merge "sepolicy_version: change current version to NN.m format" into oc-dev 2017-04-07 23:14:06 +00:00
Sandeep Patil
42f95984b5 sepolicy_version: change current version to NN.m format
The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

Bug: 35217573
Test: Build and boot sailfish.
      Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
2017-04-07 14:18:48 -07:00
Alex Klyubin
df72094196 Merge "Preserve treble-only flag for CTS neverallows" into oc-dev 2017-04-07 20:09:22 +00:00
Alex Klyubin
446279a6b9 Preserve treble-only flag for CTS neverallows
CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices we not included into
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.

This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.

This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.

Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
2017-04-07 12:22:10 -07:00
Martijn Coenen
ee97662f17 Fix checkfc options order.
darwin's getopt() doesn't like putting arguments
in the wrong order.

Test: Mac/Linux builds
Change-Id: If632e9077c1b5714f91c5adaa04afb4963d9b0f5
2017-04-07 10:08:55 -07:00
Martijn Coenen
d48d54a3a1 Modify checkfc to check (vnd|hw)service_manager_type.
added checkfc options 'l' and 'v' to verify hwservice_manager_type
and vndservice_manager_type on service context files, respectively.

The checkfc call to verify the new hwservice_contexts files will
be added together with hwservicemanager ACL CLs later.

Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783
2017-04-06 17:25:07 -07:00
Dan Cashman
0e9c47c0af Move mapping_sepolicy.cil to /system partition.
This is a necessary first step to finalizing the SELinux policy build
process.  The mapping_sepolicy.cil file is required to provide backward
compatibility with the indicated vendor-targeted version.

This still needs to be extended to provide N mapping files and corresponding
SHA256 outputs, one for each of the N previous platform versions with which
we're backward-compatible.

Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.

Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
2017-04-06 10:00:42 -07:00
Martijn Coenen
6676c234fc Add target for vndservice_contexts.
So we can limit vndservicemanager access to
just vndservice_contexts.

Bug: 36052864
Test: servicemanager,vndservicemanager work
Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
2017-04-03 15:39:42 -07:00
Jeff Vander Stoep
d4a3e9dd48 Create selinux_policy phony target
Moves selinux policy build decisions to system/sepolicy/Android.mk.
This is done because the PRODUCT_FULL_TREBLE variable isn't available
in embedded.mk and TARGET_SANITIZE isn't available to dependencies of
init.

Test: Build/boot Bullhead PRODUCT_FULL_TREBLE=false
Test: Build/boot Marlin PRODUCT_FULL_TREBLE=true
Test: Build Marlin TARGET_SANITIZE=address. Verify asan rules are
      included in policy output.
Bug: 36138508
Change-Id: I20a25ffdfbe2b28e7e0f3e090a4df321e85e1235
2017-03-26 21:52:14 +00:00
William Roberts
5d0c2e417b build: stop generating $T/file_contexts
secilc is being used without -f which is causing a file_contexts
file to be generated in the root of the tree where the build tools
run:

$ stat $T/file_contexts
  File: 'file_contexts'
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: fc00h/64512d	Inode: 5508958     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/wcrobert)   Gid: ( 1000/wcrobert)
Access: 2017-03-23 11:23:41.691538047 -0700
Modify: 2017-03-23 11:23:41.691538047 -0700
Change: 2017-03-23 11:23:41.691538047 -0700

Test: remove $T/file_contexts, touch a policy file and make sepolicy,
      ensure file is not regenerated. Also, ensure hikey builds and
      boots.

Change-Id: I0d15338a540dba0194c65a1436647c7d38fe3c79
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-03-25 22:43:24 +00:00
Alex Klyubin
7cda44f49f Mark all clients of Allocator HAL
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
2017-03-24 13:54:43 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Jeff Vander Stoep
7443484831 Grant additional permissions for ASAN builds
ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.

Create with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permission will not pass the security portion of CTS - like any
other debug build.

Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file

Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm;
      Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8
2017-03-22 14:03:07 -07:00
Jeff Vander Stoep
d2053bd024 Specify intermediates dir for sepolicy
Policy intermediates are being placed in a seemingly random
intermediates directories.

Currently:
out/target/product/marlin/obj_arm/SHARED_LIBRARIES/libsoftkeymaster_intermediates

Instead, place intermediates in the sepolicy_intermediates dir.

Test: intermediates now placed in:
out/target/product/marlin/obj/ETC/sepolicy_intermediates
Test: Marlin builds, no change to sepolicy on device.
Bug: 36269118

Change-Id: Ib6e9d9033be4dc8db0cc66cb47d9dc35d38703fe
2017-03-15 20:52:43 +00:00
Alex Klyubin
e8243518a7 Remove unused /selinux_version
This file is no longer needed because it was needed for supporting
reloadable/dynamic SELinux policy which is no longer supported.

Test: Clean build, flash, device boots without additional denials.
      Reboot to recovery works, no additional denials.
Bug: 33642277
Change-Id: I7fffe2fd12f586ed9b3ae54e35d17abdebbe7bce
2017-03-15 09:48:14 -07:00
Xin Li
ec6f393d07 Fix build under GitC client.
Test: build
Bug: 36229129
Change-Id: I0654ce44f344729b0bb1f8716afa151e134fdc6a
2017-03-14 17:23:54 -07:00
Alex Klyubin
9d59041f63 Correct location of property_contexts for TREBLE devices
This makes the build system, for TREBLE devices only, place
plat_property_contexts under /system/etc/selinux and
nonplat_property_contexts under /vendor/etc/selinux. For other devices
these files are placed under /, same as before.

This change was previously reverted because it affected the location
of property_contexts in recovery. Now that we have separate tagets for
recovery (see ec78c377c0), this change
no longer affects is recovery.

Test: *_property_contexts in correct locations when
      PRODUCT_FULL_TREBLE is set to true and when it is set to false.

Test: cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check \
      --abi arm64-v8a --module CtsSecurityHostTestCases \
      -t android.security.cts.SELinuxHostTest#testAospPropertyContexts

      This test was performed on bullhead (non A/B device) and sailfish
      (A/B device).

Test: Clean build, flash, device boots with no additional denials.
      Rebooting to recovery, recovery boots fine with no denials.
      This test was performed on bullhead (non A/B device) and sailfish
      (A/B device).
Bug: 36002573

(cherry picked from commit 4cb628a3be)

Change-Id: I0b145c58669fb31bc39d57f36eef1190425a8328
2017-03-13 11:37:26 -07:00
Alex Klyubin
ec78c377c0 Targets for artifacts needed by recovery
This ensures that SELinux policy artifact needed by recovery at
runtime have targets in this build script. This is to make
recoveryimage/bootimage targets depend on these artifacts explicitly,
which reduces the element of surprise. Moreover, this enables us to
move non-recovery artifacts around without affecting recovery
artifacts.

Test: Clean build, flash, device boots just fine, no new denials.
      Reboot to recovery, recovery boots just fine, no denials.
      This was tested on bullhead (non A/B device) and sailfish (A/B
      device).
Bug: 33642277
Change-Id: I3c494d9d7fec5c4f487d38964e572757fcf67f57
2017-03-13 08:42:52 -07:00
Jeff Vander Stoep
bba9e7b92d Split mac_permissions.xml to /system and /vendor
Test: Build and boot Marlin
Test: See the following in the logs:
01-01 02:10:28.756  1345  1345 D SELinuxMMAC: Using policy file /system/etc/selinux/plat_mac_permissions.xml
01-01 02:10:28.787  1345  1345 D SELinuxMMAC: Using policy file /vendor/etc/selinux/nonplat_mac_permissions.xml
Bug: 36003167

Change-Id: If17490a2a5d94bfea1fa6d282282d45d67e207e9
2017-03-11 00:08:37 +00:00
Jeff Vander Stoep
0cb417a639 Move split file_contexts to /system and /vendor
Build file_contexts.bin on legacy builds.
Test: Marlin and Bullhead build and boot with no new denials.
Test: Marlin and Bullhead recovery boots with no new denials.
Test: Bullhead boots with file_contexts.bin in /
Test: Marlin boot with /system/etc/selinux/plat_file_contexts and
      /vendor/etc/selinux/nonplat_file_contexts.
Bug: 36002414

Change-Id: Ide8498b3c86234d2f93bb22a7514d132c33067d6
2017-03-10 22:11:35 +00:00
Alex Klyubin
84aa742184 Remove unnecessary recovery-related targets
Recovery should always use monolithic policy. Thus, we don't need
split policy files *.recovery.cil. This commit removes these targets
and rolls up the relevant parts of the targets into
"sepolicy.recovery" which is the target which produces monolithic
policy for recovery.

Test: make clean && make sepolicy.recovery, then confirm that
      repolicy.recovery is identical to the one produced prior to this
      change.
Test: Clean build, flash, device boots up fine, no new denials. Device
      also boots into recovery just fine, no denials.
Bug: 31363362

Change-Id: I7f698abe1f17308f2f03f5ed1b727a8b071e94c7
2017-03-10 10:06:26 -08:00
Alex Klyubin
935ddb20c1 Revert "Correct location of property_contexts for TREBLE devices"
This reverts commit 4cb628a3be.

Reason for revert: recovery image on marlin & sailfish no longer
contained *property_contexts and thus recovery failed to boot.

Test: Clean build, flash, sailfish and bullhead boot up just fine,
      and boot into recovery just fine.
Bug: 36002573
Bug: 36108354
Change-Id: I2dffd80764f1a464327747d35a58691b24cff7a7
2017-03-09 18:04:03 -08:00
Jeff Vander Stoep
4e3a4c7b21 Move service and seapp contexts to /system and /vendor
Test: Build and boot Marlin and Bullhead.
Test: Contexts split between /system and /vendor on Marlin.
      Remains stored in / on Bullhead.
Bug: 36002816
Bug: 36002427

Change-Id: I922bcbc0cc2c08e312cf942ee261951edfa8d4e2
2017-03-09 19:41:32 +00:00
Alex Klyubin
4cb628a3be Correct location of property_contexts for TREBLE devices
This makes the build system, for TREBLE devices only, place
plat_property_contexts under /system/etc/selinux and
nonplat_property_contexts under /vendor/etc/selinux. For other devices
these files are placed under /, same as before.

Test: *_property_contexts in correct locations when
      PRODUCT_FULL_TREBLE is set to true and when it is set to false.
Bug: 36002573

Change-Id: I7e30e64918bb3ee671fa8c7a2e30ed96a9cc1ad7
2017-03-08 23:48:41 +00:00
Alex Klyubin
193dccda79 Precompiled kernel policy for on-device use
This adds build targets for outputing precompiled kernel policy usable
on devices with policy split between system and vendor partitions. On
such devices, precompiled policy must reside on the vendor partition.

Because such devices support updating these partitions independently
of each other, the precompiled policy must reference the system
partition's policy against which it was compiled. This enables init to
establish whether the precompiled policy is valid for the current
combination of system and vendor partitions.

The referencing is performed by both the system and vendor partitions
including the SHA-256 digest of the system partition's policy
(plat_sepolicy.cil). Only the when the digest is the same on both
partitions can the precompiled policy be used.

Test: plat_sepolicy.cil.sha256 contains exactly the hex form of the
      SHA-256 digest of plat_sepolicy.cil
Test: plat_sepolicy.cil.sha256 is identical
      precompiled_sepolicy.plat.sha256.
Bug: 31363362
Change-Id: I9771e1aa751e25bba6e2face37d68e0ae43b33a3
2017-03-07 14:55:49 -08:00