16d3be3dac
compat_test tests whether {ver}.compat.cil is compatible with the current policy or not. This commit migrates all tests into a single module named "sepolicy_compat_tests". A minor issue is also resolved with this migration. Suppose that the vendor's sepolicy version is {VER}. Then the following cil files are compiled at runtime. - system/etc/selinux/plat_sepolicy.cil - system/etc/selinux/mapping/{VER}.cil - system/etc/selinux/mapping/{VER}.compat.cil (optional) - system_ext/etc/selinux/system_ext_sepolicy.cil (optional) - system_ext/etc/selinux/mapping/{VER}.cil (optional) - system_ext/etc/selinux/mapping/{VER}.compat.cil (optional) - product/etc/selinux/product_sepolicy.cil (optional) - product/etc/selinux/mapping/{VER}.cil (optional) - product/etc/selinux/mapping/{VER}.compat.cil (optional) - vendor/etc/selinux/vendor_sepolicy.cil - vendor/etc/selinux/plat_pub_versioned.cil - odm/etc/selinux/odm_sepolicy.cil (optional) That is, the vendor policy of version {VER} (vendor_sepolicy.cil, plat_pub_versioned.cil, and odm_sepolicy.cil) is required to be compatible only with {VER}.compat.cil. So, the vendor policy is included only in $(BOARD_SEPOLICY_VERS)_compat_test. The other tests will be built only with platform side policies. Bug: 33691272 Test: boot Test: manually edit {ver}.compat.cil files and try build Change-Id: I16b30a9171f10ee8f08fc03b7bd7c047eec12b19
// Copyright 2021 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
|
|
|
|
package selinux
import (
"fmt"
"path/filepath"
"strings"
"android/soong/android"
)
// init registers the "se_build_files" module type, with buildFilesFactory as
// the constructor for its instances.
func init() {
	const moduleType = "se_build_files"
	android.RegisterModuleType(moduleType, buildFilesFactory)
}
// buildFilesFactory creates an se_build_files module. The module gathers policy
// files from sepolicy directories and acts like a filegroup: a consumer selects
// one set of files by output tag.
//
// Tags are the keys that GenerateAndroidBuildActions stores in buildFiles.srcs.
// They carry a leading dot and name a partition (plat, system_ext, product) and
// a scope (public, private), for example ".plat_public", ".plat_private",
// ".system_ext_public", ".system_ext_private", ".product_public",
// ".product_private" and ".reqd_mask". OutputFiles rejects any other tag and
// lists the accepted ones in its error.
func buildFilesFactory() android.Module {
	m := new(buildFiles)
	m.AddProperties(&m.properties)
	android.InitAndroidModule(m)
	return m
}
// buildFilesProperties holds the user-settable properties of an se_build_files
// module.
type buildFilesProperties struct {
	// List of source file suffixes used to collect SELinux policy files.
	// Each entry is joined onto a candidate directory and the result is used
	// as a glob pattern (see findSrcsInDirs).
	// Source files will be looked up in the following local directories:
	// system/sepolicy/{public, private, vendor, reqd_mask}
	// and in the directories specified by the following config variables:
	// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
	// SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
	Srcs []string
}
// buildFiles is the module type behind se_build_files. It collects policy
// source files per output tag and serves them through OutputFiles.
type buildFiles struct {
	android.ModuleBase
	properties buildFilesProperties

	// srcs maps an output tag (for example ".plat_public") to the files
	// collected for it. GenerateAndroidBuildActions rebuilds the map and
	// OutputFiles reads it.
	srcs map[string]android.Paths
}
// findSrcsInDirs globs every entry of b.properties.Srcs under each directory in
// dirs and returns the matches as source paths. Entries form the outer loop, so
// the result is ordered by entry first and by directory second.
//
// A glob failure is reported through ctx.ModuleErrorf. There is no early exit:
// whatever GlobWithDeps returned is still appended, and the remaining entries
// and directories are still processed.
//
// NOTE(review): each entry is combined with its directory by filepath.Join,
// which cleans the result, and nothing in this function checks that the joined
// pattern still lies under dir. An entry containing ".." would be globbed
// outside the intended sepolicy directory. Confirm that Srcs values are
// constrained elsewhere.
func (b *buildFiles) findSrcsInDirs(ctx android.ModuleContext, dirs ...string) android.Paths {
	collected := android.Paths{}
	for _, pattern := range b.properties.Srcs {
		for _, dir := range dirs {
			matches, err := ctx.GlobWithDeps(filepath.Join(dir, pattern), nil)
			if err != nil {
				ctx.ModuleErrorf("glob: %s", err.Error())
			}
			for i := range matches {
				collected = append(collected, android.PathForSource(ctx, matches[i]))
			}
		}
	}
	return collected
}
// DepsMutator adds no dependencies for this module.
func (b *buildFiles) DepsMutator(ctx android.BottomUpMutatorContext) {
	// Intentionally empty.
}
// OutputFiles returns the files collected under tag.
//
// Only tags present as keys of b.srcs are accepted. Any other tag yields an
// error that names the rejected tag and lists the supported tags in sorted
// order. b.srcs is populated by GenerateAndroidBuildActions; before that it is
// nil and every tag is reported as unknown.
func (b *buildFiles) OutputFiles(tag string) (android.Paths, error) {
	paths, found := b.srcs[tag]
	if !found {
		known := strings.Join(android.SortedStringKeys(b.srcs), " ")
		return nil, fmt.Errorf("unknown tag %q. Supported tags are: %q", tag, known)
	}
	return paths, nil
}
// Compile-time check that *buildFiles implements android.OutputFileProducer.
var _ android.OutputFileProducer = (*buildFiles)(nil)
// sepolicyDir pairs a tag with a list of directory paths.
// NOTE(review): no use of this type is visible in this file; confirm whether
// it is still needed.
type sepolicyDir struct {
	tag   string
	paths []string
}
// GenerateAndroidBuildActions rebuilds b.srcs, the tag-to-files map served by
// OutputFiles. It fills three groups of tags:
//
//   - current policy: ".reqd_mask", ".plat_public", ".plat_private" and
//     ".plat_vendor" from subdirectories of the module directory, then
//     ".system_ext_*", ".product_*", ".vendor" and ".odm" from the directories
//     returned by the device and product configuration;
//   - "*_for_vendor": the platform-side policy that the vendor policy is built
//     against;
//   - ".plat_public_<ver>" and ".plat_private_<ver>" for every version returned
//     by PlatformSepolicyCompatVersions, read from prebuilts/api/<ver>.
//
// Which sources back the "*_for_vendor" tags depends on a version comparison.
// If BoardSepolicyVers equals PlatformSepolicyVersion they alias the current
// policy. Otherwise they come from prebuilts/api/<BoardSepolicyVers> and from
// board-configured prebuilt directories, so the vendor-facing platform policy
// is then not the one in the current source directories.
func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
	// inModuleDir collects Srcs matches from a path below this module's directory.
	inModuleDir := func(elem ...string) android.Paths {
		return b.findSrcsInDirs(ctx, filepath.Join(append([]string{ctx.ModuleDir()}, elem...)...))
	}
	dc := ctx.DeviceConfig()

	b.srcs = map[string]android.Paths{}
	b.srcs[".reqd_mask"] = inModuleDir("reqd_mask")
	b.srcs[".plat_public"] = inModuleDir("public")
	b.srcs[".plat_private"] = inModuleDir("private")
	b.srcs[".plat_vendor"] = inModuleDir("vendor")
	b.srcs[".system_ext_public"] = b.findSrcsInDirs(ctx, dc.SystemExtPublicSepolicyDirs()...)
	b.srcs[".system_ext_private"] = b.findSrcsInDirs(ctx, dc.SystemExtPrivateSepolicyDirs()...)
	// The product directories are read from ctx.Config(), not the device config.
	b.srcs[".product_public"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs()...)
	b.srcs[".product_private"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs()...)
	b.srcs[".vendor"] = b.findSrcsInDirs(ctx, dc.VendorSepolicyDirs()...)
	b.srcs[".odm"] = b.findSrcsInDirs(ctx, dc.OdmSepolicyDirs()...)

	if dc.PlatformSepolicyVersion() == dc.BoardSepolicyVers() {
		// Vendor builds against the current platform policy: each
		// "<tag>_for_vendor" entry reuses the paths already collected for "<tag>".
		sharedTags := []string{
			".reqd_mask",
			".plat_vendor",
			".plat_public",
			".plat_private",
			".system_ext_public",
			".system_ext_private",
			".product_public",
			".product_private",
		}
		for _, tag := range sharedTags {
			b.srcs[tag+"_for_vendor"] = b.srcs[tag]
		}
	} else {
		// Vendor builds against vendor-supplied platform prebuilts.
		boardVers := dc.BoardSepolicyVers()
		b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, dc.BoardReqdMaskPolicy()...)
		b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, dc.BoardPlatVendorPolicy()...)
		b.srcs[".plat_public_for_vendor"] = inModuleDir("prebuilts", "api", boardVers, "public")
		b.srcs[".plat_private_for_vendor"] = inModuleDir("prebuilts", "api", boardVers, "private")
		b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, dc.BoardSystemExtPublicPrebuiltDirs()...)
		b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, dc.BoardSystemExtPrivatePrebuiltDirs()...)
		b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, dc.BoardProductPublicPrebuiltDirs()...)
		b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, dc.BoardProductPrivatePrebuiltDirs()...)
	}

	// One public/private pair per compat version, taken from that version's
	// prebuilt API directory.
	for _, ver := range dc.PlatformSepolicyCompatVersions() {
		b.srcs[".plat_public_"+ver] = inModuleDir("prebuilts", "api", ver, "public")
		b.srcs[".plat_private_"+ver] = inModuleDir("prebuilts", "api", ver, "private")
	}
}