Run apex_sepolicy_tests with erofs apexes
This turns on apex_sepolicy_tests for erofs apexes. The test now uses
`apex-ls` (a new tool to print security contexts for apex contents).
Bug: 353896817
Test: OVERRIDE_PRODUCT_DEFAULT_APEX_PAYLOAD_TYPE=erofs m run_apex_sepolicy_tests
Change-Id: Ia42d0641be7a5007fb73337257893235f9a98f22
diff --git a/apex/builder.go b/apex/builder.go
index b74f4de..d9348c5 100644
--- a/apex/builder.go
+++ b/apex/builder.go
@@ -73,6 +73,7 @@
pctx.HostBinToolVariable("make_erofs", "mkfs.erofs")
pctx.HostBinToolVariable("apex_compression_tool", "apex_compression_tool")
pctx.HostBinToolVariable("dexdeps", "dexdeps")
+ pctx.HostBinToolVariable("apex_ls", "apex-ls")
pctx.HostBinToolVariable("apex_sepolicy_tests", "apex_sepolicy_tests")
pctx.HostBinToolVariable("deapexer", "deapexer")
pctx.HostBinToolVariable("debugfs_static", "debugfs_static")
@@ -210,9 +211,9 @@
}, "image_dir", "readelf")
apexSepolicyTestsRule = pctx.StaticRule("apexSepolicyTestsRule", blueprint.RuleParams{
- Command: `${deapexer} --debugfs_path ${debugfs_static} list -Z ${in} > ${out}.fc` +
+ Command: `${apex_ls} -Z ${in} > ${out}.fc` +
` && ${apex_sepolicy_tests} -f ${out}.fc --partition ${partition_tag} && touch ${out}`,
- CommandDeps: []string{"${apex_sepolicy_tests}", "${deapexer}", "${debugfs_static}"},
+ CommandDeps: []string{"${apex_sepolicy_tests}", "${apex_ls}"},
Description: "run apex_sepolicy_tests",
}, "partition_tag")
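Review bot: Nothing in the new `Command` rejects an empty `${out}.fc`, and the sepolicy check now depends entirely on what `${apex_ls} -Z ${in}` prints. Whether apex-ls exits non-zero for a payload it cannot read is not visible here; if it can exit 0 with no output, apex_sepolicy_tests would presumably have nothing to check and the rule would still `touch ${out}`. A cheap guard is to add `&& test -s ${out}.fc` before the `${apex_sepolicy_tests}` invocation, so that an empty listing fails the build instead of recording a passing timestamp. The surrounding declaration block starts and ends outside the hunk.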
@@ -918,8 +919,7 @@
}
var validations android.Paths
validations = append(validations, runApexLinkerconfigValidation(ctx, unsignedOutputFile, imageDir))
- // TODO(b/279688635) deapexer supports [ext4]
- if !a.skipValidation(apexSepolicyTests) && suffix == imageApexSuffix && ext4 == a.payloadFsType {
+ if !a.skipValidation(apexSepolicyTests) && android.InList(a.payloadFsType, []fsType{ext4, erofs}) {
validations = append(validations, runApexSepolicyTests(ctx, a, unsignedOutputFile))
}
if !a.testApex && len(a.properties.Unwanted_transitive_deps) > 0 {
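Review bot: The rewritten condition drops the `suffix == imageApexSuffix` guard as well as widening the filesystem check, while the commit message mentions only enabling erofs. If `suffix` can hold any other value at this point, the sepolicy test now runs for that output too, so please confirm the removal is intentional. With the TODO deleted, nothing explains why payload types other than ext4 and erofs skip this validation, and a skipped validation means that APEX's file labels go unchecked at build time. Assuming the restriction reflects what apex-ls supports, I would add `// apex-ls can list ext4 and erofs payloads; any other payload type gets no sepolicy check` above the `if`. The enclosing function starts and ends outside the hunk.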
@@ -1204,7 +1204,7 @@
// Runs apex_sepolicy_tests
//
-// $ deapexer list -Z {apex_file} > {file_contexts}
+// $ apex-ls -Z {apex_file} > {file_contexts}
// $ apex_sepolicy_tests -f {file_contexts}
func runApexSepolicyTests(ctx android.ModuleContext, a *apexBundle, apexFile android.Path) android.Path {
timestamp := android.PathForModuleOut(ctx, "apex_sepolicy_tests.timestamp")