0ecf99def5
Adding soong module and tool to check if there is fuzzer present for every service in private/service_contexts. Whenever a service is added, its is recommended to update $ANDROID_BUILD_TOP/system/sepolicy/soong/build/service_fuzzer_bindings.go with service name and its corresponding fuzzer. Test: m Bug: 242104782 Change-Id: Id9bc45f50bebf464de7c91c7469d4bb6ff153ebd
84 lines
3.4 KiB
Text
84 lines
3.4 KiB
Text
This directory contains a number of tools related to policy, some of
|
|
which are used in building and validating the policy and others are
|
|
available for help in auditing and analyzing policy. The tools are
|
|
described further below.
|
|
|
|
build_policies.sh
|
|
A tool to build SELinux policy for multiple targets in parallel.
|
|
This is useful for quickly testing a new test or neverallow rule
|
|
on multiple targets.
|
|
|
|
Usage:
|
|
./build_policies.sh ~/android/master ~/tmp/build_policies
|
|
./build_policies.sh ~/android/master ~/tmp/build_policies sailfish-eng walleye-eng
|
|
|
|
checkfc
|
|
A utility for checking the validity of a file_contexts or a
|
|
property_contexts configuration file. Used as part of the policy
|
|
build to validate both files. Requires the sepolicy file as an
|
|
argument in order to check the validity of the security contexts
|
|
in the file_contexts or property_contexts file.
|
|
|
|
Usage1:
|
|
checkfc sepolicy file_contexts
|
|
checkfc -p sepolicy property_contexts
|
|
|
|
Also used to compare two file_contexts or file_contexts.bin files.
|
|
Displays one of subset, equal, superset, or incomparable.
|
|
|
|
Usage2:
|
|
checkfc -c file_contexts1 file_contexts2
|
|
|
|
Example:
|
|
$ checkfc -c out/target/product/shamu/system/etc/general_file_contexts out/target/product/shamu/root/file_contexts.bin
|
|
subset
|
|
|
|
checkseapp
|
|
A utility for merging together the main seapp_contexts
|
|
configuration and the device-specific one, and simultaneously
|
|
checking the validity of the configurations. Used as part of the
|
|
policy build process to merge and validate the configuration.
|
|
|
|
Usage:
|
|
checkseapp -p sepolicy input_seapp_contexts0 [input_seapp_contexts1...] -o seapp_contexts
|
|
|
|
insertkeys.py
|
|
A helper script for mapping tags in the signature stanzas of
|
|
mac_permissions.xml to public keys found in pem files. This
|
|
script is described further in the top-level sepolicy/README.
|
|
|
|
post_process_mac_perms
|
|
A tool to help modify an existing mac_permissions.xml with additional app
|
|
certs not already found in that policy. This becomes useful when a directory
|
|
containing apps is searched and the certs from those apps are added to the
|
|
policy not already explicitly listed.
|
|
|
|
Usage:
|
|
post_process_mac_perms [-h] -s SEINFO -d DIR -f POLICY
|
|
|
|
-s SEINFO, --seinfo SEINFO seinfo tag for each generated stanza
|
|
-d DIR, --dir DIR Directory to search for apks
|
|
-f POLICY, --file POLICY mac_permissions.xml policy file
|
|
|
|
sepolicy-check
|
|
A tool for auditing a sepolicy file for any allow rule that grants
|
|
a given permission.
|
|
|
|
Usage:
|
|
sepolicy-check -s <domain> -t <type> -c <class> -p <permission> -P out/target/product/<board>/root/sepolicy
|
|
|
|
sepolicy-analyze
|
|
A tool for performing various kinds of analysis on a sepolicy
|
|
file.
|
|
|
|
fuzzer_bindings_check
|
|
Tool to check if fuzzer is added for new services. it is used by fuzzer_bindings_test soong module internally.
|
|
Error will be generated if there is no fuzzer binding present for service added in service_contexts in
|
|
system/sepolicy/soong/build/service_fuzzer_bindings.go
|
|
|
|
Usage:
|
|
fuzzer_bindings_check.py -s [SRCs...] -b /path/to/binding.json
|
|
|
|
-s [SRCs...] list of service_contexts files. Tool will check if there is fuzzer for every service
|
|
in the context file.
|
|
-b /path/to/binding.json Path to json file containing "service":[fuzzers...] bindings.
|