Merge "Add bootctl for vold"
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..415166b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.pyc
+*.*~
diff --git a/Android.bp b/Android.bp
index 61c7605..545cc80 100644
--- a/Android.bp
+++ b/Android.bp
@@ -35,21 +35,36 @@
se_cil_compat_map {
name: "26.0.cil",
- srcs: [
- ":26.0.board.compat.map",
- ],
+ bottom_half: [":26.0.board.compat.map"],
+ top_half: "27.0.cil",
}
se_cil_compat_map {
name: "27.0.cil",
- srcs: [
- ":27.0.board.compat.map",
- ],
+ bottom_half: [":27.0.board.compat.map"],
+ top_half: "28.0.cil",
}
se_cil_compat_map {
name: "28.0.cil",
- srcs: [
- ":28.0.board.compat.map",
- ],
+ bottom_half: [":28.0.board.compat.map"],
+ // top_half: "29.0.cil",
+}
+
+se_cil_compat_map {
+ name: "26.0.ignore.cil",
+ bottom_half: ["private/compat/26.0/26.0.ignore.cil"],
+ top_half: "27.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "27.0.ignore.cil",
+ bottom_half: ["private/compat/27.0/27.0.ignore.cil"],
+ top_half: "28.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "28.0.ignore.cil",
+ bottom_half: ["private/compat/28.0/28.0.ignore.cil"],
+ // top_half: "29.0.ignore.cil",
}
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 8f55797..2402d75 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -21,10 +21,28 @@
"android/soong/android"
"fmt"
"io"
+
+ "github.com/google/blueprint/proptools"
+ "github.com/google/blueprint"
)
var (
pctx = android.NewPackageContext("android/soong/selinux")
+
+ combine_maps = pctx.HostBinToolVariable("combine_maps", "combine_maps")
+ combineMapsCmd = "${combine_maps} -t ${topHalf} -b ${bottomHalf} -o $out"
+ combineMapsRule = pctx.StaticRule(
+ "combineMapsRule",
+ blueprint.RuleParams{
+ Command: combineMapsCmd,
+ CommandDeps: []string{"${combine_maps}"},
+ },
+ "topHalf",
+ "bottomHalf",
+ )
+
+ String = proptools.String
+ TopHalfDepTag = dependencyTag{name: "top"}
)
func init() {
@@ -40,18 +58,43 @@
}
type cilCompatMapProperties struct {
- // list of source (.cil) files used to build an sepolicy compatibility mapping
- // file. srcs may reference the outputs of other modules that produce source
- // files like genrule or filegroup using the syntax ":module". srcs has to be
- // non-empty.
- Srcs []string
+ // se_cil_compat_map module representing a compatibility mapping file for
+ // platform versions (x->y). Bottom half represents a mapping (y->z).
+ // Together the halves are used to generate a (x->z) mapping.
+ Top_half *string
+ // list of source (.cil) files used to build an the bottom half of sepolicy
+ // compatibility mapping file. bottom_half may reference the outputs of
+ // other modules that produce source files like genrule or filegroup using
+ // the syntax ":module". srcs has to be non-empty.
+ Bottom_half []string
}
type cilCompatMap struct {
android.ModuleBase
properties cilCompatMapProperties
// (.intermediate) module output path as installation source.
- installSource android.OptionalPath
+ installSource android.Path
+}
+
+type CilCompatMapGenerator interface {
+ GeneratedMapFile() android.Path
+}
+
+type dependencyTag struct {
+ blueprint.BaseDependencyTag
+ name string
+}
+
+func expandTopHalf(ctx android.ModuleContext) android.OptionalPath {
+ var topHalf android.OptionalPath
+ ctx.VisitDirectDeps(func(dep android.Module) {
+ depTag := ctx.OtherModuleDependencyTag(dep)
+ switch depTag {
+ case TopHalfDepTag:
+ topHalf = android.OptionalPathForPath(dep.(CilCompatMapGenerator).GeneratedMapFile())
+ }
+ })
+ return topHalf
}
func expandSeSources(ctx android.ModuleContext, srcFiles []string) android.Paths {
@@ -81,29 +124,52 @@
}
func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- srcFiles := expandSeSources(ctx, c.properties.Srcs)
+ srcFiles := expandSeSources(ctx, c.properties.Bottom_half)
+
for _, src := range srcFiles {
if src.Ext() != ".cil" {
- ctx.PropertyErrorf("srcs", "%s has to be a .cil file.", src.String())
+ ctx.PropertyErrorf("bottom_half", "%s has to be a .cil file.", src.String())
}
}
- out := android.PathForModuleGen(ctx, c.Name())
+ bottomHalf := android.PathForModuleGen(ctx, "bottom_half")
ctx.Build(pctx, android.BuildParams{
Rule: android.Cat,
- Output: out,
+ Output: bottomHalf,
Inputs: srcFiles,
})
- c.installSource = android.OptionalPathForPath(out)
+
+ topHalf := expandTopHalf(ctx)
+ if (topHalf.Valid()) {
+ out := android.PathForModuleGen(ctx, c.Name())
+ ctx.ModuleBuild(pctx, android.ModuleBuildParams{
+ Rule: combineMapsRule,
+ Output: out,
+ Implicits: []android.Path{
+ topHalf.Path(),
+ bottomHalf,
+ },
+ Args: map[string]string{
+ "topHalf": topHalf.String(),
+ "bottomHalf": bottomHalf.String(),
+ },
+ })
+ c.installSource = out
+ } else {
+ c.installSource = bottomHalf
+ }
}
func (c *cilCompatMap) DepsMutator(ctx android.BottomUpMutatorContext) {
- android.ExtractSourcesDeps(ctx, c.properties.Srcs)
+ android.ExtractSourcesDeps(ctx, c.properties.Bottom_half)
+ if (c.properties.Top_half != nil) {
+ ctx.AddDependency(c, TopHalfDepTag, String(c.properties.Top_half))
+ }
}
func (c *cilCompatMap) AndroidMk() android.AndroidMkData {
ret := android.AndroidMkData{
- OutputFile: c.installSource,
+ OutputFile: android.OptionalPathForPath(c.installSource),
Class: "ETC",
}
ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
@@ -111,3 +177,9 @@
})
return ret
}
+
+var _ CilCompatMapGenerator = (*cilCompatMap)(nil)
+
+func (c *cilCompatMap) GeneratedMapFile() android.Path {
+ return c.installSource
+}
diff --git a/private/apexd.te b/private/apexd.te
new file mode 100644
index 0000000..dcec248
--- /dev/null
+++ b/private/apexd.te
@@ -0,0 +1,42 @@
+typeattribute apexd coredomain;
+
+init_daemon_domain(apexd)
+
+# Read /system/etc/security/apex_debug_key
+allow apexd apex_key_file:dir search;
+allow apexd apex_key_file:file r_file_perms;
+
+# Allow reading and writing of APEX files in the APEX data dir
+allow apexd apex_data_file:dir rw_dir_perms;
+allow apexd apex_data_file:file rw_file_perms;
+
+# allow apexd to create loop devices with /dev/loop-control
+allow apexd loop_control_device:chr_file rw_file_perms;
+# allow apexd to access loop devices
+allow apexd loop_device:blk_file rw_file_perms;
+# allow apexd to access /dev/block
+allow apexd block_device:dir r_dir_perms;
+
+# allow apexd to access /dev/block/dm-* (device-mapper entries)
+allow apexd dm_device:chr_file rw_file_perms;
+allow apexd dm_device:blk_file rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+allow apexd self:global_capability_class_set sys_admin;
+
+# allow apexd to create a mount point in /apex
+allow apexd apex_mnt_dir:dir create_dir_perms;
+# allow apexd to mount in /apex
+allow apexd apex_mnt_dir:filesystem { mount unmount };
+allow apexd apex_mnt_dir:dir mounton;
+# Unmount and mount filesystems
+allow apexd labeledfs:filesystem { mount unmount };
+
+# Spawning a libbinder thread results in a dac_override deny,
+# /dev/cpuset/tasks is owned by system.
+#
+# See b/35323867#comment3
+dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
+
+neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
diff --git a/private/atrace.te b/private/atrace.te
index 2a7ccd0..37e9702 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -31,6 +31,7 @@
allow atrace {
service_manager_type
+ -apex_service
-incident_service
-netd_service
-stats_service
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 5f4950c..f985d95 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -1,12 +1,21 @@
;; new_objects - a collection of types that have been introduced that have no
;; analogue in older policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
- ( activity_task_service
+ ( new_objects
+ activity_task_service
adb_service
adbd_exec
app_binding_service
+ apex_data_file
+ apex_mnt_dir
+ apex_key_file
+ apex_service
+ apexd
+ apexd_exec
+ apexd_tmpfs
atrace
binder_calls_stats_service
biometric_service
@@ -182,8 +191,9 @@
;; private_objects - a collection of types that were labeled differently in
;; older policy, but that should not remain accessible to vendor policy.
;; Thus, these types are also not mapped, but recorded for checkapi tests
+(type priv_objects)
(typeattribute priv_objects)
(typeattributeset priv_objects
- ( adbd_tmpfs
- untrusted_app_27_tmpfs
- ))
+ ( priv_objects
+ adbd_tmpfs
+ untrusted_app_27_tmpfs))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 891f1a3..df3f95a 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -1,11 +1,20 @@
;; new_objects - a collection of types that have been introduced that have no
;; analogue in older policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
- ( activity_task_service
+ ( new_objects
+ activity_task_service
adb_service
app_binding_service
+ apex_data_file
+ apex_mnt_dir
+ apex_key_file
+ apex_service
+ apexd
+ apexd_exec
+ apexd_tmpfs
atrace
binder_calls_stats_service
biometric_service
@@ -160,5 +169,8 @@
;; private_objects - a collection of types that were labeled differently in
;; older policy, but that should not remain accessible to vendor policy.
;; Thus, these types are also not mapped, but recorded for checkapi tests
+(type priv_objects)
(typeattribute priv_objects)
-(typeattributeset priv_objects (untrusted_app_27_tmpfs))
+(typeattributeset priv_objects
+ ( priv_objects
+ untrusted_app_27_tmpfs))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 4310f03..c1b126b 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -1,11 +1,20 @@
;; new_objects - a collection of types that have been introduced that have no
;; analogue in older policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
- ( activity_task_service
+ ( new_objects
+ activity_task_service
adb_service
app_binding_service
+ apex_data_file
+ apex_mnt_dir
+ apex_key_file
+ apex_service
+ apexd
+ apexd_exec
+ apexd_tmpfs
biometric_service
;; TODO(b/116344577): remove after the issue is resolved
buffer_hub_service
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 831ff04..fe25bad 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -2,6 +2,7 @@
allow crash_dump {
domain
+ -apexd
-bpfloader
-crash_dump
-init
diff --git a/private/file_contexts b/private/file_contexts
index 991f75b..2e78b80 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -30,6 +30,7 @@
/postinstall u:object_r:postinstall_mnt_dir:s0
/proc u:object_r:rootfs:s0
/sys u:object_r:sysfs:s0
+/apex u:object_r:apex_mnt_dir:s0
# Symlinks
/bin u:object_r:rootfs:s0
@@ -287,6 +288,7 @@
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
+/system/etc/security/apex(/.*)? u:object_r:apex_key_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
@@ -305,6 +307,7 @@
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
+/system/bin/apexd u:object_r:apexd_exec:s0
#############################
# Vendor files
@@ -387,6 +390,7 @@
/data/ota_package(/.*)? u:object_r:ota_package_file:s0
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
+/data/apex(/.*)? u:object_r:apex_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
diff --git a/private/llkd.te b/private/llkd.te
index 3f84eb6..385f930 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -22,6 +22,7 @@
userdebug_or_eng(`
allow llkd {
domain
+ -apexd
-kernel
-keystore
-init
diff --git a/private/service_contexts b/private/service_contexts
index e04227b..b68ab8e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -8,6 +8,7 @@
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
+apexservice u:object_r:apex_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 4ed1982..245496f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -70,6 +70,7 @@
# TODO: scope this down? Too broad?
allow system_app {
service_manager_type
+ -apex_service
-dumpstate_service
-installd_service
-netd_service
diff --git a/public/apexd.te b/public/apexd.te
new file mode 100644
index 0000000..73daf38
--- /dev/null
+++ b/public/apexd.te
@@ -0,0 +1,11 @@
+# apexd -- manager for APEX packages
+type apexd, domain;
+type apexd_exec, exec_type, file_type, system_file_type;
+
+binder_use(apexd)
+add_service(apexd, apex_service)
+
+neverallow { domain -init -apexd } apex_service:service_manager find;
+neverallow { domain -init -apexd } apexd:binder call;
+
+neverallow domain apexd:process ptrace;
diff --git a/public/domain.te b/public/domain.te
index 5e8fb23..176ab48 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -434,7 +434,7 @@
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot -apexd } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
#
# Assert that, to the extent possible, we're not loading executable content from
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2d226af..5663e80 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -205,6 +205,7 @@
allow dumpstate {
service_manager_type
+ -apex_service
-dumpstate_service
-gatekeeper_service
-incident_service
diff --git a/public/file.te b/public/file.te
index 755bb98..016807e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -140,6 +140,8 @@
type system_linker_config_file, system_file_type, file_type;
# Default type for linker config /system/etc/seccomp_policy/*.
type system_seccomp_policy_file, system_file_type, file_type;
+# Default type for APEX keys in /system/etc/security/apex/*
+type apex_key_file, system_file_type, file_type;
# Default type for cacerts in /system/etc/security/cacerts/*.
type system_security_cacerts_file, system_file_type, file_type;
# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
@@ -197,6 +199,8 @@
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/vendor/tombstones/wifi - vendor wifi dumps
type tombstone_wifi_data_file, file_type, data_file_type;
+# /data/apex - APEX data files
+type apex_data_file, file_type, data_file_type, core_data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
@@ -252,6 +256,9 @@
# Mount location for read-write product partitions.
type mnt_product_file, file_type;
+# Mount point used for APEX images
+type apex_mnt_dir, file_type;
+
# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
diff --git a/public/init.te b/public/init.te
index 101c0c8..c337c82 100644
--- a/public/init.te
+++ b/public/init.te
@@ -80,6 +80,9 @@
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
+# Mount tmpfs on /apex
+allow init apex_mnt_dir:dir mounton;
+
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };
@@ -514,6 +517,11 @@
# Allow init to use binder
binder_use(init);
+allow init apex_service:service_manager find;
+# Allow servicemanager to pass it
+allow servicemanager init:binder transfer;
+# Allow calls from init to apexd
+allow init apexd:binder call;
###
### neverallow rules
@@ -532,8 +540,11 @@
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
-# Init never adds or uses services via service_manager.
-neverallow init service_manager_type:service_manager { add find };
+# init can only find the APEX service
+neverallow init { service_manager_type -apex_service }:service_manager { find };
+# init can never add binder services
+neverallow init service_manager_type:service_manager { add };
+# init can never list binder services
neverallow init servicemanager:service_manager list;
# Init should not be creating subdirectories in /data/local/tmp
diff --git a/public/service.te b/public/service.te
index eaacabf..5e7ca4d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,3 +1,4 @@
+type apex_service, service_manager_type;
type audioserver_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 7a0eb46..339b586 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -104,6 +104,7 @@
# - dumpstate_service (so it can receive dumpstate progress updates)
allow shell {
service_manager_type
+ -apex_service
-gatekeeper_service
-incident_service
-installd_service
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 355ae77..c18984e 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -7,6 +7,7 @@
allow traceur_app {
service_manager_type
+ -apex_service
-gatekeeper_service
-incident_service
-installd_service
diff --git a/tests/Android.bp b/tests/Android.bp
index abb5e35..a7d7023 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -63,3 +63,12 @@
required: ["libsepolwrap"],
defaults: ["py2_only"],
}
+
+python_binary_host {
+ name: "combine_maps",
+ srcs: [
+ "combine_maps.py",
+ "mini_parser.py",
+ ],
+ defaults: ["py2_only"],
+}
diff --git a/tests/combine_maps.py b/tests/combine_maps.py
new file mode 100644
index 0000000..a2bf38d
--- /dev/null
+++ b/tests/combine_maps.py
@@ -0,0 +1,66 @@
+# Copyright 2018 - The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Tool to combine SEPolicy mapping file.
+
+Say, x, y, z are platform SEPolicy versions such that x > y > z. Then given two
+mapping files from x to y (top) and y to z (bottom), it's possible to construct
+a mapping file from x to z. We do the following to combine two maps.
+1. Add all new types declarations from top to bottom.
+2. Say, a new type "bar" in top is mapped like this "foo_V_v<-bar", then we map
+"bar" to whatever "foo" is mapped to in the bottom map. We do this for all new
+types in the top map.
+
+More generally, we can correctly construct x->z from x->y' and y"->z as long as
+y">y'.
+
+This file contains the implementation of combining two mapping files.
+"""
+import argparse
+import re
+from mini_parser import MiniCilParser
+
+def Combine(top, bottom):
+ bottom.types.update(top.types)
+
+ for top_ta in top.typeattributesets:
+ top_type_set = top.typeattributesets[top_ta]
+ if len(top_type_set) == 1:
+ continue
+
+ m = re.match(r"(\w+)_\d+_\d+", top_ta)
+ # Typeattributes in V.v.cil have _V_v suffix, but not in V.v.ignore.cil
+ bottom_type = m.group(1) if m else top_ta
+
+ for bottom_ta in bottom.rTypeattributesets[bottom_type]:
+ bottom.typeattributesets[bottom_ta].update(top_type_set)
+
+ return bottom
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-t", "--top-map", dest="top_map",
+ required=True, help="top map file")
+ parser.add_argument("-b", "--bottom-map", dest="bottom_map",
+ required=True, help="bottom map file")
+ parser.add_argument("-o", "--output-file", dest="output_file",
+ required=True, help="output map file")
+ args = parser.parse_args()
+
+ top_map_cil = MiniCilParser(args.top_map)
+ bottom_map_cil = MiniCilParser(args.bottom_map)
+ result = Combine(top_map_cil, bottom_map_cil)
+
+ with open(args.output_file, "w") as output:
+ output.write(result.unparse())
diff --git a/tests/mini_parser.py b/tests/mini_parser.py
index 9182c5d..cba9e39 100644
--- a/tests/mini_parser.py
+++ b/tests/mini_parser.py
@@ -12,6 +12,7 @@
def __init__(self, policyFile):
self.types = set() # types declared in mapping
self.pubtypes = set()
+ self.expandtypeattributes = {}
self.typeattributes = set() # attributes declared in mapping
self.typeattributesets = {} # sets defined in mapping
self.rTypeattributesets = {} # reverse mapping of above sets
@@ -27,6 +28,32 @@
if m:
self.apiLevel = m.group(1)
+ def unparse(self):
+ def wrapParens(stmt):
+ return "(" + stmt + ")"
+
+ def joinWrapParens(entries):
+ return wrapParens(" ".join(entries))
+
+ result = ""
+ for ty in sorted(self.types):
+ result += joinWrapParens(["type", ty]) + "\n"
+
+ for ta in sorted(self.typeattributes):
+ result += joinWrapParens(["typeattribute", ta]) + "\n"
+
+ for eta in sorted(self.expandtypeattributes.items(),
+ key=lambda x: x[0]):
+ result += joinWrapParens(
+ ["expandtypeattribute", wrapParens(eta[0]), eta[1]]) + "\n"
+
+ for tas in sorted(self.typeattributesets.items(), key=lambda x: x[0]):
+ result += joinWrapParens(
+ ["typeattributeset", tas[0],
+ joinWrapParens(sorted(tas[1]))]) + "\n"
+
+ return result
+
def _getNextStmt(self, infile):
parens = 0
s = ""
@@ -55,6 +82,11 @@
self.types.add(m.group(1))
return
+ def _parseExpandtypeattribute(self, stmt):
+ m = re.match(r"expandtypeattribute\s+\((.+)\)\s+(true|false)", stmt)
+ self.expandtypeattributes[m.group(1)] = m.group(2)
+ return
+
def _parseTypeattribute(self, stmt):
m = re.match(r"typeattribute\s+(.+)", stmt)
self.typeattributes.add(m.group(1))
@@ -73,7 +105,7 @@
for t in tas:
if self.rTypeattributesets.get(t) is None:
self.rTypeattributesets[t] = set()
- self.rTypeattributesets[t].update(set(ta))
+ self.rTypeattributesets[t].update([ta])
# check to see if this typeattributeset is a versioned public type
pub = re.match(r"(\w+)_\d+_\d+", ta)
@@ -88,6 +120,8 @@
self._parseTypeattribute(stmt)
elif re.match(r"typeattributeset\s+.+", stmt):
self._parseTypeattributeset(stmt)
+ elif re.match(r"expandtypeattribute\s+.+", stmt):
+ self._parseExpandtypeattribute(stmt)
return
if __name__ == '__main__':
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 70b036f..f8dc466 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -11,8 +11,8 @@
def TestDataTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
-# def TestSystemTypeViolations(pol):
-# return pol.AssertPathTypesHaveAttr(["/system/"], [], "system_file_type")
+def TestSystemTypeViolations(pol):
+ return pol.AssertPathTypesHaveAttr(["/system/"], [], "system_file_type")
def TestProcTypeViolations(pol):
return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
@@ -58,7 +58,7 @@
"TestDataTypeViolators",
"TestProcTypeViolations",
"TestSysfsTypeViolations",
- # "TestSystemTypeViolators",
+ "TestSystemTypeViolators",
"TestDebugfsTypeViolations",
"TestVendorTypeViolations",
"TestCoreDataTypeViolations",
@@ -107,8 +107,8 @@
results += TestProcTypeViolations(pol)
if options.test is None or "TestSysfsTypeViolations" in options.test:
results += TestSysfsTypeViolations(pol)
- # if options.test is None or "TestSystemTypeViolations" in options.test:
- # results += TestSystemTypeViolations(pol)
+ if options.test is None or "TestSystemTypeViolations" in options.test:
+ results += TestSystemTypeViolations(pol)
if options.test is None or "TestDebugfsTypeViolations" in options.test:
results += TestDebugfsTypeViolations(pol)
if options.test is None or "TestVendorTypeViolations" in options.test:
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 05549a1..f2d600a 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -240,8 +240,8 @@
if len(violators) > 0:
ret += "SELinux: The following public types were found added to the "
ret += "policy without an entry into the compatibility mapping file(s) "
- ret += "found in private/compat/" + compatMapping.apiLevel + "/"
- ret += compatMapping.apiLevel + "[.ignore].cil\n"
+ ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
+ ret += "latest API level.\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
@@ -263,7 +263,8 @@
if len(violators) > 0:
ret += "SELinux: The following formerly public types were removed from "
ret += "policy without a declaration in the compatibility mapping "
- ret += "file(s) found in prebuilts/api/" + compatMapping.apiLevel + "/\n"
+ ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
+ ret += "latest API level.\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 1ab29b5..e7c73c9 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -51,8 +51,9 @@
# targeting the $(version) SELinux release. This ensures that our policy will build
# when used on a device that has non-platform policy targetting the $(version) release.
$(version)_compat := $(intermediates)/$(version)_compat
-$(version)_mapping.cil := $(LOCAL_PATH)/private/compat/$(version)/$(version).cil
-$(version)_mapping.ignore.cil := $(LOCAL_PATH)/private/compat/$(version)/$(version).ignore.cil
+$(version)_mapping.cil := $(call intermediates-dir-for,ETC,$(version).cil)/$(version).cil
+$(version)_mapping.ignore.cil := \
+ $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
$(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
# vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace