Perform permissive check on se_policy_binary
sepolicy is a module which outputs precompiled sepolicy and performs
permissive domain check on user builds. se_policy_binary module is
updated so it checks permissive domain in user builds.
sepolicy module is removed since we don't need it anymore. Instead,
precompiled_sepolicy is used.
Bug: 33691272
Test: build
Test: add "permissive adbd;" and build on aosp_arm64-user
Change-Id: I3dcf0c32d2fc1312dfceeee74894c08b38395d19
diff --git a/Android.mk b/Android.mk
index 160df1c..4eecbb4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -740,65 +740,7 @@
built_odm_cil := $(call intermediates-dir-for,ETC,odm_sepolicy.cil)/odm_sepolicy.cil
endif
-#################################
-include $(CLEAR_VARS)
-# build this target so that we can still perform neverallow checks
-
-LOCAL_MODULE := sepolicy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_cil_files := \
- $(built_plat_cil) \
- $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
- $(built_pub_vers_cil) \
- $(built_vendor_cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += $(built_system_ext_cil)
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
-endif
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_cil_files += $(built_odm_cil)
-endif
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-# Neverallow checks are skipped in a mixed build target.
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
- $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
- echo "==========" 1>&2; \
- echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
- echo "List of invalid domains:" 1>&2; \
- cat $@.permissivedomains 1>&2; \
- exit 1; \
- fi
- $(hide) mv $@.tmp $@
-
-built_sepolicy := $(LOCAL_BUILT_MODULE)
-all_cil_files :=
+built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
#################################
include $(CLEAR_VARS)
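Review bot: The added `built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy` line changes what every later user of `$(built_sepolicy)` receives, and nothing here records where the neverallow and permissive checks now run. The removed rule compiled an explicit `all_cil_files` list (plat, mapping, pub_vers, vendor, plus optional system_ext, product and odm) and passed `-N` when `PLATFORM_SEPOLICY_VERSION` and `BOARD_SEPOLICY_VERS` differ. Whether `precompiled_sepolicy` takes the same inputs and treats mixed builds the same way is not visible in this diff, so it is worth confirming before relying on it as the enforcement point. If it does, I would add a comment above the assignment such as `# precompiled_sepolicy (se_policy_binary) now runs the neverallow and user-build permissive checks that the old sepolicy module performed.`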
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 8d0e1a4..3308e2c 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -452,7 +452,7 @@
ctx.PropertyErrorf("srcs", "must be specified")
return
}
- bin := android.PathForModuleOut(ctx, c.stem()).OutputPath
+ bin := android.PathForModuleOut(ctx, c.stem()+"_policy")
rule := android.NewRuleBuilder(pctx, ctx)
secilcCmd := rule.Command().BuiltTool("secilc").
Flag("-m"). // Multiple decls
@@ -466,7 +466,39 @@
if proptools.BoolDefault(c.properties.Ignore_neverallow, ctx.Config().SelinuxIgnoreNeverallows()) {
secilcCmd.Flag("-N")
}
+ rule.Temporary(bin)
+ // permissive check is performed only in user build (not debuggable).
+ if !ctx.Config().Debuggable() {
+ permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
+ rule.Command().BuiltTool("sepolicy-analyze").
+ Input(bin).
+ Text("permissive").
+ Text(" > ").
+ Output(permissiveDomains)
+ rule.Temporary(permissiveDomains)
+
+ msg := `==========\n` +
+ `ERROR: permissive domains not allowed in user builds\n` +
+ `List of invalid domains:`
+
+ rule.Command().Text("if test").
+ FlagWithInput("-s ", permissiveDomains).
+ Text("; then echo").
+ Flag("-e").
+ Text(`"` + msg + `"`).
+ Text("&& cat ").
+ Input(permissiveDomains).
+ Text("; exit 1; fi")
+ }
+
+ out := android.PathForModuleOut(ctx, c.stem())
+ rule.Command().Text("cp").
+ Flag("-f").
+ Input(bin).
+ Output(out)
+
+ rule.DeleteTemporaryFiles()
rule.Build("secilc", "Compiling cil files for "+ctx.ModuleName())
if !c.Installable() {
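Review bot: The permissive-domain failure message in the `if test -s` command goes to stdout, whereas the Make recipe this replaces sent every line of it through `1>&2`. Anything that watches stderr for the `ERROR: permissive domains not allowed in user builds` banner would no longer see it or the list of offending domains. Redirecting both commands keeps the old behaviour: `Text("1>&2 && cat ").` in place of `Text("&& cat ").` and `Text("1>&2; exit 1; fi")` as the final fragment. The check itself fails closed, since `out` is only copied from `bin` after the test passes, and that ordering deserves a short comment above the `cp` command. The enclosing function starts and ends outside this hunk.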
@@ -474,7 +506,7 @@
}
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- c.installSource = bin
+ c.installSource = out
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
}