Treblelize bug_map: split bug_map to multiple partitions
* plat_bug_map: Platform-specific bug_map definitions.
* system_ext_bug_map: Product-specific bug_map definitions.
* vendor_bug_map: SOC-specific bug_map definitions.
Bug: 177977370
Test: Boot and check auditd logs
Change-Id: I6f26b421acfd060e8abb8e4e812c0f422cc6757b
diff --git a/Android.bp b/Android.bp
index e517356..8ee5cbc 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1156,6 +1156,33 @@
installable: false,
}
+// bug_map - Bug tracking information for selinux denials loaded by auditd.
+se_filegroup {
+ name: "bug_map_files",
+ srcs: ["bug_map"],
+}
+
+se_bug_map {
+ name: "plat_bug_map",
+ srcs: [":bug_map_files"],
+ stem: "bug_map",
+}
+
+se_bug_map {
+ name: "system_ext_bug_map",
+ srcs: [":bug_map_files"],
+ stem: "bug_map",
+ system_ext_specific: true,
+}
+
+se_bug_map {
+ name: "vendor_bug_map",
+ srcs: [":bug_map_files"],
+ // Legacy file name of the vendor partition bug_map.
+ stem: "selinux_denial_metadata",
+ vendor: true,
+}
+
//////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
// Additional directories can be specified via Makefile variables:
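Review bot: The new header comment above `se_filegroup` says what bug_map is, but a reader of Android.bp cannot tell why three `se_bug_map` modules consume the same `:bug_map_files` and end up with different contents — the per-partition selection happens in build/soong/bug_map.go, not here. Suggest extending the comment with something like `// Each se_bug_map below is built from the partition-specific subset of the bug_map sources (see build/soong/bug_map.go); the vendor module keeps the legacy selinux_denial_metadata file name that auditd already looks for.` The existing inline comment on the vendor module's `stem` is good; the sentence above just puts the relationship in one place.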
diff --git a/Android.mk b/Android.mk
index 6fd84e9..efacc1b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -381,6 +381,7 @@
plat_service_contexts_test \
plat_hwservice_contexts \
plat_hwservice_contexts_test \
+ plat_bug_map \
searchpolicy \
# This conditional inclusion closely mimics the conditional logic
@@ -455,6 +456,7 @@
system_ext_service_contexts \
system_ext_service_contexts_test \
system_ext_mac_permissions.xml \
+ system_ext_bug_map \
$(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
endif
@@ -549,6 +551,7 @@
vendor_service_contexts \
vendor_hwservice_contexts \
vendor_hwservice_contexts_test \
+ vendor_bug_map \
vndservice_contexts \
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -567,9 +570,6 @@
LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
LOCAL_REQUIRED_MODULES += selinux_policy_product
-LOCAL_REQUIRED_MODULES += \
- selinux_denial_metadata \
-
# Builds an addtional userdebug sepolicy into the debug ramdisk.
LOCAL_REQUIRED_MODULES += \
userdebug_plat_sepolicy.cil \
@@ -1212,26 +1212,6 @@
file_contexts.modules.tmp :=
##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_denial_metadata
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
-
-$(LOCAL_BUILT_MODULE) : $(bug_files)
- @mkdir -p $(dir $@)
- cat $^ > $@
-
-bug_files :=
-
-##################################
include $(LOCAL_PATH)/seapp_contexts.mk
##################################
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 3126430..e3b6541 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -31,6 +31,7 @@
"soong-sysprop",
],
srcs: [
+ "bug_map.go",
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
diff --git a/build/soong/bug_map.go b/build/soong/bug_map.go
new file mode 100644
index 0000000..91c6347
--- /dev/null
+++ b/build/soong/bug_map.go
@@ -0,0 +1,112 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_bug_map", bugMapFactory)
+}
+
+// se_bug_map collects and installs selinux denial bug tracking information to be loaded by auditd.
+func bugMapFactory() android.Module {
+ c := &bugMap{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+type bugMap struct {
+ android.ModuleBase
+ properties bugMapProperties
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+type bugMapProperties struct {
+ // List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+ Srcs []string `android:"path"`
+
+ // Output file name. Defaults to module name if unspecified.
+ Stem *string
+}
+
+func (b *bugMap) stem() string {
+ return proptools.StringDefault(b.properties.Stem, b.Name())
+}
+
+func (b *bugMap) expandSeSources(ctx android.ModuleContext) android.Paths {
+ srcPaths := make(android.Paths, 0, len(b.properties.Srcs))
+ for _, src := range b.properties.Srcs {
+ if m := android.SrcIsModule(src); m != "" {
+ module := android.GetModuleFromPathDep(ctx, m, "")
+ if module == nil {
+ // Error would have been handled by ExtractSourcesDeps
+ continue
+ }
+ if fg, ok := module.(*fileGroup); ok {
+ if b.SocSpecific() {
+ srcPaths = append(srcPaths, fg.VendorSrcs()...)
+ srcPaths = append(srcPaths, fg.SystemVendorSrcs()...)
+ } else if b.SystemExtSpecific() {
+ srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
+ } else {
+ srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
+ }
+ } else {
+ ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
+ }
+ } else {
+ srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
+ }
+ }
+ return android.FirstUniquePaths(srcPaths)
+}
+
+func (b *bugMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if !b.SocSpecific() && !b.SystemExtSpecific() && !b.Platform() {
+ ctx.ModuleErrorf("Selinux bug_map can only be installed in system, system_ext and vendor partitions")
+ }
+
+ srcPaths := b.expandSeSources(ctx)
+ out := android.PathForModuleGen(ctx, b.Name())
+ ctx.Build(pctx, android.BuildParams{
+ Rule: android.Cat,
+ Inputs: srcPaths,
+ Output: out,
+ Description: "Combining bug_map for " + b.Name(),
+ })
+
+ b.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ b.installSource = out
+ ctx.InstallFile(b.installPath, b.stem(), b.installSource)
+}
+
+func (b *bugMap) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(b.installSource),
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", b.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", b.stem())
+ },
+ },
+ }}
+}
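Review bot: In GenerateAndroidBuildActions the partition check reports with `ctx.ModuleErrorf(...)` but does not stop, so a module that is neither platform, system_ext nor vendor still gets a cat rule and an `InstallFile` action for a location the error message says is unsupported; add `return` directly after the `ctx.ModuleErrorf(...)` call so the error is the only outcome. The removed Android.mk rule collected bug_map from `$(BOARD_VENDOR_SEPOLICY_DIRS)` and `$(PLAT_PUBLIC_POLICY)` as well, and whether `fg.VendorSrcs()` plus `fg.SystemVendorSrcs()` cover the same directories is not visible in this change — worth confirming against se_filegroup before the old rule is dropped. The `AndroidMkEntries` literal repeats the element type (`[]android.AndroidMkEntries{android.AndroidMkEntries{`), which `gofmt -s` would reduce to `[]android.AndroidMkEntries{{`. The exported methods GenerateAndroidBuildActions and AndroidMkEntries and the bugMap/bugMapProperties types carry no doc comments; a one-liner such as `// GenerateAndroidBuildActions concatenates the partition-specific bug_map sources and installs the result under etc/selinux.` on each would suffice. Separately, the commit description calls system_ext_bug_map "Product-specific" while the code gates it on `SystemExtSpecific()` and the error string names the system_ext partition; the two should agree.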