Migrate neverallow tests to Android.bp
A new module type se_neverallow_test is added, to migrate
sepolicy_neverallow modules. se_neverallow_test is affected by
SELINUX_IGNORE_NEVERALLOWS.
Bug: 33691272
Test: m selinux_policy
Test: intentionally create neverallow violations and m selinux_policy
Change-Id: I1582353f99f064ff78f3c547a0c13f2b772d54df
diff --git a/Android.mk b/Android.mk
index 0ef4f0b..1431841 100644
--- a/Android.mk
+++ b/Android.mk
@@ -549,165 +549,8 @@
product_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PRIVATE_POLICY)
endif
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy_neverallows
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# sepolicy_policy.conf - All of the policy for the device. This is only used to
-# check neverallow rules.
-# In a mixed build target, vendor policies are checked separately, on the module
-# sepolicy_neverallows_vendor.
-
-all_plat_policy := $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)
-ifeq ($(mixed_sepolicy_build),true)
-policy_files := $(call build_policy, $(sepolicy_build_files), $(all_plat_policy))
-else
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(all_plat_policy) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-endif
-
-sepolicy_policy.conf := $(intermediates)/policy.conf
-$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
-# check neverallow rules using sepolicy-analyze, similar to CTS.
-sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
-$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy_2.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
- $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
-ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
- $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
- ( echo "" 1>&2; \
- echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
- echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
- echo "the policy." 1>&2; \
- exit 1 )
-endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) touch $@.tmp
- $(hide) mv $@.tmp $@
-
-sepolicy_policy.conf :=
-sepolicy_policy_2.conf :=
-built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
-
-#################################
-# sepolicy_neverallows_vendor: neverallow check module for vendors in a mixed build target
-ifeq ($(mixed_sepolicy_build),true)
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy_neverallows_vendor
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Check neverallow with prebuilt policy files
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-
-# sepolicy_policy.conf - All of the policy for the device. This is only used to
-# check neverallow rules.
-sepolicy_policy.conf := $(intermediates)/policy_vendor.conf
-$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
-# check neverallow rules using sepolicy-analyze, similar to CTS.
-sepolicy_policy_2.conf := $(intermediates)/policy_vendor_2.conf
-$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy_2.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
- $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
-ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
- $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
- ( echo "" 1>&2; \
- echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
- echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
- echo "the policy." 1>&2; \
- exit 1 )
-endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) touch $@.tmp
- $(hide) mv $@.tmp $@
-
-sepolicy_policy.conf :=
-sepolicy_policy_2.conf :=
-built_sepolicy_neverallows += $(LOCAL_BUILT_MODULE)
-
-endif # ifeq ($(mixed_sepolicy_build),true)
+built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
+built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
##################################
# Policy files are now built with Android.bp. Grab them from intermediate.