Add apex_sepolicy targets for running go/seamendc
This is a roll-forward of some of the changes rolled back in
aosp/2170746. I am rolling forward in smaller chunks so that it is
easier to identify and avoid possible breakages.
Bug: 236691128
Test: atest SeamendcHostTest
Change-Id: Ibe451325d471fe04cd52683ba90a22543fa84c7c
diff --git a/Android.bp b/Android.bp
index 467f80e..5909f8d 100644
--- a/Android.bp
+++ b/Android.bp
@@ -388,6 +388,21 @@
stem: "apex_sepolicy.cil",
}
+se_policy_cil {
+ name: "decompiled_sepolicy-without_apex.cil",
+ src: ":precompiled_sepolicy-without_apex",
+ decompile_binary: true,
+}
+
+se_policy_cil {
+ name: "apex_sepolicy-decompiled.cil",
+ src: ":precompiled_sepolicy",
+ decompile_binary: true,
+ filter_out: [":decompiled_sepolicy-without_apex.cil"],
+ additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
+ secilc_check: false,
+}
+
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
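Review bot: `secilc_check: false` on `apex_sepolicy-decompiled.cil` disables the only validation step this module would get, and nothing in the hunk or the commit message says why; a comment above it would keep the next reader from re-enabling it and breaking the build, e.g. `// Not self-contained: this is the apex delta over precompiled_sepolicy-without_apex, so secilc cannot check it on its own.` (presumably the reason, worth confirming). The `additional_cil_files` path hardcodes the `33` version directory, so a note that it must track the current com.android.sepolicy version would help too. Both modules would also benefit from a one-line comment stating their purpose, since the filter-then-append pipeline is not obvious from the properties alone.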
@@ -896,6 +911,50 @@
},
}
+precompiled_se_policy_binary {
+ name: "precompiled_sepolicy-without_apex",
+ srcs: [
+ ":plat_sepolicy.cil",
+ ":plat_pub_versioned.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ ],
+ soong_config_variables: {
+ BOARD_USES_ODMIMAGE: {
+ device_specific: true,
+ conditions_default: {
+ vendor: true,
+ },
+ },
+ IS_TARGET_MIXED_SEPOLICY: {
+ ignore_neverallow: true,
+ },
+ MIXED_SEPOLICY_VERSION: {
+ srcs: [
+ ":plat_%s.cil",
+ ":system_ext_%s.cil",
+ ":product_%s.cil",
+ ],
+ conditions_default: {
+ srcs: [
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ },
+ },
+ },
+ required: [
+ "sepolicy_neverallows",
+ "sepolicy_neverallows_vendor",
+ ],
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
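Review bot: `precompiled_sepolicy-without_apex` has no comment explaining how it differs from the existing precompiled platform policy module, and the only visible difference is that `srcs` omits the apex policy; a header comment such as `// Platform policy compiled without apex_sepolicy.cil, used only as the baseline for decompiling the apex delta.` would make the intent clear. The `dist` block that publishes this module to `base-sepolicy-files-for-mapping` looks like it may have been carried over from the module this was copied from; if this binary is only an intermediate for the decompile step, confirm that distributing it is intended. The `soong_config_variables` block appears to be a duplicate of the one on the original module (not visible here), so a drift between the two is a risk worth noting in the comment.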
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 3946a04..4161bb3 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -287,6 +287,10 @@
// Policy file to be compiled to cil file.
Src *string `android:"path"`
+ // If true, the input policy file is a binary policy that will be decompiled to a cil file.
+ // Defaults to false.
+ Decompile_binary *bool
+
// Additional cil files to be added in the end of the output. This is to support workarounds
// which are not supported by the policy language.
Additional_cil_files []string `android:"path"`
@@ -338,17 +342,15 @@
func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().BuiltTool("checkpolicy").
+ checkpolicyCmd := rule.Command().BuiltTool("checkpolicy").
Flag("-C"). // Write CIL
Flag("-M"). // Enable MLS
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
FlagWithOutput("-o ", cil).
Input(conf)
- if len(c.properties.Additional_cil_files) > 0 {
- rule.Command().Text("cat").
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
- Text(">> ").Output(cil)
+ if proptools.Bool(c.properties.Decompile_binary) {
+ checkpolicyCmd.Flag("-b") // Read binary
}
if len(c.properties.Filter_out) > 0 {
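Review bot: compileConfToCil now also accepts a binary policy as `conf` when `Decompile_binary` is set, but the function name and parameter name still say "conf" and there is no doc comment; add one above the signature, e.g. `// compileConfToCil runs checkpolicy over conf, which is a policy.conf or, when Decompile_binary is set, a binary policy decompiled with -b.` The `-M` and `-c PolicyVers` flags are still passed together with `-b`; checkpolicy accepts them, but I am not certain they have any effect on a binary input, so a short comment on the `-b` line stating that the MLS and version settings come from the binary in that case would help, if that is confirmed. The `cat >> cil` block removed here is re-added after the filter step in the next hunk, and the function continues past the end of this hunk.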
@@ -359,6 +361,12 @@
FlagWithOutput("-t ", cil)
}
+ if len(c.properties.Additional_cil_files) > 0 {
+ rule.Command().Text("cat").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+ Text(">> ").Output(cil)
+ }
+
if proptools.Bool(c.properties.Remove_line_marker) {
rule.Command().Text("grep -v").
Text(proptools.ShellEscape(";;")).
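Review bot: The `Additional_cil_files` append now runs after the `Filter_out` step rather than before it, and the reason for the reordering is not stated in the code; a comment above the `if` would preserve it, e.g. `// Append after filter_out so the extra definitions are never filtered away.` (presumably the intent, since the definitions.cil added in this change supplies types the filtered delta still references). Note the appended content is still subject to the `Remove_line_marker` grep that follows, which looks intended but is worth a mention in the same comment. compileConfToCil continues past the end of this hunk.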
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
new file mode 100644
index 0000000..9b35268
--- /dev/null
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -0,0 +1,8 @@
+(sid apex)
+(sidorder (apex))
+
+(classorder (file))
+
+(type shell)
+(type sepolicy_test_file)
+(class file (ioctl read getattr lock map open watch watch_reads))
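Review bot: The new definitions.cil declares `shell`, `sepolicy_test_file` and a `file` class with a reduced permission list but carries no comment saying these are stubs rather than the real platform definitions, which is easy to misread when the file is opened on its own. A header comment would help, e.g. `; Minimal stub definitions so apex_sepolicy-decompiled.cil can be compiled standalone; the type and class declarations here are placeholders, not the platform policy.` (presumed purpose, worth confirming). The `file` class lists only a subset of permissions, so noting that the list must cover every permission the decompiled apex rules reference would save a future debugging round.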