Commit graph

37 commits

Author SHA1 Message Date
Inseob Kim
c7596c4e61 Build vndservice_contexts with Android.bp
Bug: 33691272
Test: boot a device which uses vndservice_contexts
Change-Id: I28c36b74d4176954099f3b7e80a4869b7c44640f
2022-03-02 17:26:44 +09:00
Treehugger Robot
8817edcbb4 Merge "Revert^2 "Migrate contexts tests to Android.bp"" 2022-02-16 04:23:47 +00:00
Inseob Kim
b5e235346e Revert^2 "Migrate contexts tests to Android.bp"
This reverts commit baa93cc651.

Reason for revert: amlogic build fixed

Change-Id: I8b046dc810d47a2d87012f02a668873889fce705
2022-02-16 02:26:11 +00:00
Treehugger Robot
dd75a576c5 Merge "Remove deprecated ToMakePath calls" 2022-01-19 10:07:45 +00:00
Inseob Kim
baa93cc651 Revert "Migrate contexts tests to Android.bp"
This reverts commit f612656adf.

Reason for revert: breaking amlogic build

Change-Id: I129b5cb74259c9c028483e84c9b2ac3597c24701
2022-01-14 06:13:28 +00:00
Inseob Kim
f612656adf Migrate contexts tests to Android.bp
Now that we have sepolicy module in Android.bp, we can migrate contexts
tests. Also vendor_service_contexts_test will be run, as we now include
vendor_service_contexts unconditionally.

Unfortunately, vendor_service_contexts_test is now broken, due to a
malformed type hal_power_stats_vendor_service. We will temporarily
exempt the type from the test, to speed up migrating to Android.bp.

Bug: 33691272
Test: m selinux_policy and see tests running
Test: add a malformed type other than hal_power_stats_vendor_service and
      run tests
Change-Id: Ic60eb38b9a7c79006f0b5ff4453768e03006604b
2022-01-14 10:59:59 +09:00
Colin Cross
6c7f937235 Remove deprecated ToMakePath calls
ToMakePath is a noop now, remove the calls to it.

Bug: 204136549
Test: m checkbuild
Change-Id: I01b865614f50a57ab357c5ffb8843ebcb382df20
2022-01-11 19:35:43 -08:00
Inseob Kim
2dac267dae Migrate seapp_contexts to Android.bp
Bug: 33691272
Test: build and boot
Test: atest SELinuxHostTest#testValidSeappContexts
Change-Id: I86f9d010d1628f9756cc152b4ee74dea1b9ff955
2021-12-29 17:54:57 +09:00
Inseob Kim
6d3d5a6daf Fix contexts modules to use android:"path"
For now, contexts modules have been using se_filegroup modules, which
makes the build system logic unnecessarily complex. This change
refactors it to se_build_files modules and normal `android:"path"`
logic.

Test: build and boot
Change-Id: I52e557e2dc8300186869a97fddfd3a74183473f7
2021-12-23 21:36:27 +09:00
Inseob Kim
7174ffec38 Fix vendor contexts files in mixed build
BOARD_PLAT_VENDOR_POLICY should be used for all vendor stuff, when in
mixed sepolicy build (BOARD_SEPOLICY_VERS != PLATFORM_SEPOLICY_VERSION).
This fixes an issue that system/sepolicy/vendor has been incorrectly
used in mixed sepolicy build.

Bug: 205924657
Test: Try AOSP + rvc-dev mixed sepolicy build
1) copy cuttlefish sepolicy prebuilts from rvc-dev branch.
2) set prebuilt variables:
  - BOARD_PLAT_VENDOR_POLICY
  - BOARD_REQD_MASK_POLICY
  - BOARD_(SYSTEM_EXT|PRODUCT)_PRIVATE_PREBUILT_DIRS
  - BOARD_SEPOLICY_VERS
3) lunch aosp_cf_x86_64_phone-userdebug; m selinux_policy
4) compare $OUT/vendor/etc/selinux with rvc-dev's artifacts.

Change-Id: I2ed1e25255c825c24dab99ae4903328b0400c414
2021-12-09 19:03:35 +09:00
Yuntao Xu
42e732c861 Split property/file/service contexts modules
1. Splitted plat_property_contexts, plat_file_contexts, and
plat_service_contexts so they can be included by the
CtsSecurityHostTestCases module.

2. Add temporary seapp_contexts Soong module, which are needed by the
CtsSecurityHostTestCases, and makefile_goal is an interim solution before
migrating both of them to Soong.

Bug: 194096505
Test: m CtsSecurityHostTestCases
Change-Id: I99ba55b1a89f196b3c8504e623b65960a9262165
2021-11-19 18:23:12 +09:00
Vova Sharaienko
bec08097c9 Revert "Split property and file contexts modules"
Revert "Convert security/Android.mk to Android.bp"

Revert "Add seapp_contexts to allowlist of makefile goal"

Revert submission 1795972-Convert security/Android.mk to Android.bp

Reason for revert: http://b/206976319 Broken build 7928060 on aosp-master on sdk_arm64-sdk
Reverted Changes:
I0e0e7f677:Split property and file contexts modules
I5596d6f00:Add seapp_contexts to allowlist of makefile goal
If685e5ccc:Convert security/Android.mk to Android.bp

Change-Id: Ibbca0a17886d15b3fd7ecaf974a06df7107fd9aa
2021-11-18 17:29:01 +00:00
Inseob Kim
1b965988b7 Split property and file contexts modules
1. Splitted plat_property_contexts and plat_file_contexts so that they
can be included by the CtsSecurityHostTestCases module;
2. Add temporary seapp_contexts Soong module, which are needed by the
CtsSecurityHostTestCases, and makefile_goal is an interim solution before
migrating both of them to Soong.

Bug: 194096505
Test: m CtsSecurityHostTestCases
Change-Id: I0e0e7f6778d42ab2fdae3a181f40216fe6719e7c
2021-11-08 15:44:29 +09:00
Colin Cross
f82aed0daa Don't use AndroidMkEntries.Custom
There's nothing special in the Custom method supplied, replace it
with normal AndroidMkEntries fields.

Bug: 204136549
Test: m checkbuild
Change-Id: I624005d2ee313aaa60397749b0726e393a842618
2021-11-04 17:25:55 -07:00
Paul Duffin
532bde121b Stop using deprecated functionality for managing path deps
This change stops using deprecated functionality and migrates this
repository's custom Soong code to support current practices to manage
path property related dependencies. i.e. when a property includes
something that looks like ":module".

ExtractSourcesDeps has been deprecated in favor of tagging properties
with `android:"path"` which will cause the pathDepsMutator to add the
dependencies automatically.

android.SourceDepTag has been deprecated as the underlying type needs
to be changed and this will no longer work for its current uses.

* ctx.GetDirectDepWithTag(moduleName, android.SourceDepTag) will not
  work to retrieve a reference to the module dependency added for
  path properties. GetModuleFromPathDep(ctx, moduleName, "") must be
  used instead.

* depTag == android.SourceDepTag can no longer be used to check to
  see if depTag was used to add a module dependency for a module
  reference in a path property without any output tag.
  IsSourceDepTagWithOutputTag(depTag, "") must be used instead.

Bug: 193228441
Test: m nothing
Change-Id: I307039612f0f2a541ac7dbfddd052ef78c290f60
2021-07-09 23:15:17 +01:00
Inseob Kim
6cc75f4587 Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp"
This reverts commit a46d61cd3f.

Reason for revert: fixed debug_ramdisk partition problem

Change-Id: If2350f115f5ff74ee50dac4e5a87c4d171067282
2021-04-30 14:53:25 +09:00
Inseob Kim
a46d61cd3f Revert^3 "Build userdebug_plat_sepolicy.cil with Android.bp"
e10ceab330

Change-Id: Ia1b38d6b709edb0e819ea4700e70ba68b1b61332
2021-04-22 23:14:58 +00:00
Florian Mayer
e10ceab330 Revert^2 "Build userdebug_plat_sepolicy.cil with Android.bp"
0177004c7f

Change-Id: I40aa5025d487922decd9909c0d35c9e3a6b8dd61
2021-04-22 16:38:47 +00:00
Bowgo Tsai
0177004c7f Revert "Build userdebug_plat_sepolicy.cil with Android.bp"
This reverts commit 57b64bd282.

Because it breaks the usage of boot-debug.img and
vendor_boot-debug.img.

Bug: 185970130
Bug: 185990198
Test: make bootimage_debug
Change-Id: I2c7c4f9954540a9be301b3ed0a6c2f0af2019803
2021-04-22 09:55:21 +08:00
Inseob Kim
57b64bd282 Build userdebug_plat_sepolicy.cil with Android.bp
Bug: 33691272
Test: build and see $OUT/debug_ramdisk
Change-Id: I7994857a3dd4e54f2c2d35ff8e362ecae93ea7a2
2021-04-14 15:54:26 +09:00
Inseob Kim
2bcc045724 Check vendor_property_contexts namespaces
For devices launching with Android Q or later, vendor_property_contexts
and odm_property_contexts should only contain vendor and odm properties.
This checks property_contexts files in build time.

To temporarily disable this check, users can set
BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk. But
VTS is still enforced, so users will have to fix the violations anyway.

Bug: 175526482
Test: m vendor_property_contexts after making violations
Change-Id: I99d6fff9033d78e1d276eed2682a2719dab84ae2
2021-02-17 12:41:38 +09:00
Inseob Kim
fa6fe474f0 Remove mutator and use standard variant functions
As image variants are now supported directly by android.Module, this
removes a custom mutator in selinux_contexts and uses image variant
functions in android.Module.

InRecovery and InstallInRecovery may be confusing. But refactoring it is
out of scope for this CL.

Test: compare out/soong/build.ninja before and after
Change-Id: I9ebf665a1d50d24bb4e5568a4fd1af4c4eb02c90
2021-02-03 10:53:18 +09:00
Inseob Kim
3a3539a27b Allow sysprop library API files to be missing
If sysprop library contains only internal properties, the API txt file
will be empty. This allows the API files to be missing in such cases to
turn off API-Review bit.

Bug: 177036449
Test: manual test
Change-Id: I9792e46ce6d19e65ee83cb055f76069063bec281
2021-01-15 18:10:29 +09:00
Bob Badour
4eeb6a2eac Revert^2 "Export soong license data to make."
56f419d6c8

Change-Id: I5eebdea9dc8b6f3be1cda23225733df0d78cbbdc
2021-01-06 20:50:49 -08:00
Bob Badour
1135fd71cd Merge "Revert "Export soong license data to make."" 2021-01-06 19:17:44 +00:00
Jerome Gaillard
56f419d6c8 Revert "Export soong license data to make."
Revert "Add ability to declare licenses in soong."

Revert submission 1377717-metalics

Reason for revert: This has broken renderscript_mac target for aosp-master, see b/176909442

Reverted Changes:
I26ac54ca9:Define the standard license_kind rules.
I656486070:Export soong license data to make.
If9d661dfc:Export soong license data to make.
I97943de53:Add ability to declare licenses in soong.
Icaff40171:Rough-in license metadata support to make.
Ib8e538bd0:Add variables for notice deps, license kinds etc.

Change-Id: I9af3727fba03f6b40cd6d77c7e259ef4c9b7f29d
2021-01-06 19:00:05 +00:00
Bob Badour
c182ed7f74 Merge "Export soong license data to make." 2021-01-06 18:08:06 +00:00
Inseob Kim
8ada8a7c1b Support building mixed versions of sepolicy
Now newer system policy and older vendor policy can be built together by
setting following variables:

- BOARD_SEPOLICY_VERS
- BOARD_REQD_MASK_POLICY (copy of older system/sepolicy/reqd_mask)
- BOARD_PLAT_VENDOR_POLICY (copy of older system/sepolicy/vendor)
- BOARD_(SYSTEM_EXT|PRODUCT)_(PUBLIC|PRIVATE)_PREBUILT_DIRS (copy of
  older system_ext and product policies)

Bug: 168159977
Test: try normal build and mixed build
Test: boot and check selinux denials
Change-Id: Ie239580433ffd293fa6891cd665fb5ef83c0a14f
2021-01-06 10:46:15 +09:00
Bob Badour
bd8ca4af30 Export soong license data to make.
Bug: 151953481
Bug: 151177513
Bug: 67772237
Change-Id: I656486070103a2aeaab0e8cbfb3a0af097af8aa8
2021-01-05 08:42:48 -08:00
Colin Cross
242c8bc876 Follow argument changes to RuleBuilder
Pass pctx and ctx to NewRuleBuilder instead of RuleBuilder.Build,
and don't pass ctx to RuleBuilderCommand.BuiltTool.  Follows the
changes in I63e6597e19167393876dc2259d6f521363b7dabc.

Test: m checkbuild
Change-Id: I372e8ecc3c4ea7ca8f66a8e1054eddd1a9af9dbd
2020-11-30 20:22:31 -08:00
Janis Danisevskis
c40681f1b5 Add libselinux keystore_key backend.
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.

Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-08-05 16:11:48 +00:00
Inseob Kim
cd6164933f Implement sysprop type checker
sysprop type checker compares a sysprop_library API file and
property_contexts files, and detects if there are any mismatches of
property types. For example, the following snippets are detected.

// foo.sysprop
prop {
prop_name: "ro.foo.bar"
type: Integer
...
}

// property_contexts
ro.foo.bar u:object_r:foo_prop:s0 exact string

"ro.foo.bar" is an Integer in .sysprop file, but it's a string in
property_contexts file.

Bug: 151879375
Test: sysprop_test
Test: run "m PlatformProperties" and see existing mismatches.
Change-Id: Ieb9965d14b8c90cfc730c3d20d95a28ecaabeba4
2020-03-25 11:13:29 +09:00
Felix
342b58a2ee property_contexts: Drop COMPATIBLE_PROP guard
public/property_contexts needs to be included regardless of
API level so that the property *labels* are always included.
Else, devices without PRODUCT_COMPATIBLE_PROPERTY (shipping
API level <27) will run into denials because the props are
labeled `default_prop`.

As a side benefit, this reduces deviation in test matrices.

The guard was originally introduced in:
e49714542e "Whitelist exported platform properties"

Test: Build for device without PRODUCT_COMPATIBLE_PROPERTY,
no more denials for accessing `default_prop` from e.g. HALs.

Change-Id: I5bbe5d078040bb26dd48d353953661c9375d2009
Signed-off-by: Felix <google@ix5.org>
2020-03-02 16:28:38 +01:00
Colin Cross
040f151c3b Follow introduction of InstallPath and InstallInRoot
PathForModuleInstall now returns an InstallPath and supports an
InstallInRoot method to install into $OUT/recovery/root.

Bug: 141877526
Test: m checkbuild
Change-Id: I2c63024336e195e772171a24cb8d2a5b61663e61
2019-10-02 16:25:43 -07:00
Bowgo Tsai
86a048d4df Separate system_ext_file_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I09f63771d08ad18fb41fca801dd587b086be58c7
2019-09-26 21:28:07 +08:00
Dan Willemsen
3c3e59b2a2 Use prebuilt m4 instead of system m4
Bug: 117561006
Test: treehugger
Change-Id: Id794aed10fdffef10490561d2cfeb2a92801b331
2019-06-19 10:59:57 -07:00
Inseob Kim
b554e594ca Build contexts files with Soong
This is to migrate sepolicy Makefiles into Soong. For the first part,
file_contexts, hwservice_contexts, property_contexts, and
service_contexts are migrated. Build-time tests for contexts files are
still in Makefile; they will also be done with Soong after porting the
module sepolicy.

The motivation of migrating is based on generating property_contexts
dynamically: if we were to amend contexts files at build time in the
future, it would be nicer to manage them in Soong. To do that, building
contexts files with Soong can be very helpful.

Bug: 127949646
Bug: 129377144
Test: 1) Build blueline-userdebug, flash, and boot.
Test: 2) Build blueline-userdebug with TARGET_FLATTEN_APEX=true, flash,
and boot.
Test: 3) Build aosp_arm-userdebug.

Change-Id: I576f6f20686f6f2121204f76657274696d652121
2019-04-25 09:59:28 +09:00