Perform permissive check on se_policy_binary
sepolicy is a module which outputs precompiled sepolicy and performs
permissive domain checks on user builds. The se_policy_binary module is
updated so that it checks for permissive domains in user builds.
sepolicy module is removed since we don't need it anymore. Instead,
precompiled_sepolicy is used.
Bug: 33691272
Test: build
Test: add "permissive adbd;" and build on aosp_arm64-user
Change-Id: I3dcf0c32d2fc1312dfceeee74894c08b38395d19
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 8d0e1a4..3308e2c 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -452,7 +452,7 @@
ctx.PropertyErrorf("srcs", "must be specified")
return
}
- bin := android.PathForModuleOut(ctx, c.stem()).OutputPath
+ bin := android.PathForModuleOut(ctx, c.stem()+"_policy")
rule := android.NewRuleBuilder(pctx, ctx)
secilcCmd := rule.Command().BuiltTool("secilc").
Flag("-m"). // Multiple decls
@@ -466,7 +466,39 @@
if proptools.BoolDefault(c.properties.Ignore_neverallow, ctx.Config().SelinuxIgnoreNeverallows()) {
secilcCmd.Flag("-N")
}
+ rule.Temporary(bin)
+ // permissive check is performed only in user build (not debuggable).
+ if !ctx.Config().Debuggable() {
+ permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
+ rule.Command().BuiltTool("sepolicy-analyze").
+ Input(bin).
+ Text("permissive").
+ Text(" > ").
+ Output(permissiveDomains)
+ rule.Temporary(permissiveDomains)
+
+ msg := `==========\n` +
+ `ERROR: permissive domains not allowed in user builds\n` +
+ `List of invalid domains:`
+
+ rule.Command().Text("if test").
+ FlagWithInput("-s ", permissiveDomains).
+ Text("; then echo").
+ Flag("-e").
+ Text(`"` + msg + `"`).
+ Text("&& cat ").
+ Input(permissiveDomains).
+ Text("; exit 1; fi")
+ }
+
+ out := android.PathForModuleOut(ctx, c.stem())
+ rule.Command().Text("cp").
+ Flag("-f").
+ Input(bin).
+ Output(out)
+
+ rule.DeleteTemporaryFiles()
rule.Build("secilc", "Compiling cil files for "+ctx.ModuleName())
if !c.Installable() {
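Review bot: The error banner emitted by the `Flag("-e")` / `Text(`"` + msg + `"`)` lines relies on the shell's `echo` honouring `-e`; under a POSIX sh such as dash it prints a literal `-e` followed by the raw `\n` sequences, so the diagnostic is only readable if RuleBuilder commands are guaranteed to run under bash. The dependency is easy to miss because `msg` is built from backquoted raw strings, so each `\n` is two characters that `echo -e` expands at build time; at minimum that deserves a comment such as `// msg holds literal backslash-n; echo -e expands it when the rule runs` next to the `msg` assignment. A shell-independent form would be `printf '%s\n' "..."` with the message written as a Go interpreted string containing real newlines. The build still fails either way because of `exit 1`, so this affects only the message, not the enforcement. The enclosing function starts before this hunk.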
@@ -474,7 +506,7 @@
}
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- c.installSource = bin
+ c.installSource = out
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
}