Merge changes from topic "sepolicy_test"

* changes:
  Build vndservice_contexts with Android.bp
  Move sepolicy_test to Android.bp
diff --git a/Android.bp b/Android.bp
index 0ca82a6..8e2a966 100644
--- a/Android.bp
+++ b/Android.bp
@@ -189,6 +189,11 @@
     srcs: ["seapp_contexts"],
 }
 
+se_build_files {
+    name: "vndservice_contexts_files",
+    srcs: ["vndservice_contexts"],
+}
+
 // For vts_treble_sys_prop_test
 filegroup {
     name: "private_property_contexts",
@@ -1103,3 +1108,29 @@
 se_freeze_test {
     name: "sepolicy_freeze_test",
 }
+
+//////////////////////////////////
+// sepolicy_test checks various types of violations, which can't be easily done
+// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
+//////////////////////////////////
+genrule {
+    name: "sepolicy_test",
+    srcs: [
+        ":plat_file_contexts",
+        ":vendor_file_contexts",
+        ":system_ext_file_contexts",
+        ":product_file_contexts",
+        ":odm_file_contexts",
+        ":precompiled_sepolicy",
+    ],
+    tools: ["sepolicy_tests"],
+    out: ["sepolicy_test"],
+    cmd: "$(location sepolicy_tests) " +
+        "-f $(location :plat_file_contexts) " +
+        "-f $(location :vendor_file_contexts) " +
+        "-f $(location :system_ext_file_contexts) " +
+        "-f $(location :product_file_contexts) " +
+        "-f $(location :odm_file_contexts) " +
+        "-p $(location :precompiled_sepolicy) && " +
+        "touch $(out)",
+}
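Review bot: The `srcs` and `cmd` of the `sepolicy_test` genrule pass all five file_contexts modules unconditionally, whereas the Make rule it replaces built its `-f` list conditionally (the `ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR` block in Android.mk, mostly outside this diff). Where a partition has no policy directory the corresponding module presumably yields an empty file, so it is worth confirming that tests/sepolicy_tests.py accepts an empty `-f` input and that the checks still cover exactly the contexts the device ships. A comment above the genrule would record the assumption: `// All partition file_contexts are passed unconditionally; modules without sources are expected to produce empty files.` The header comment should also read "Refer to tests/sepolicy_tests.py".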
diff --git a/Android.mk b/Android.mk
index 27123d7..c98de45 100644
--- a/Android.mk
+++ b/Android.mk
@@ -347,9 +347,13 @@
 ifneq ($(with_asan),true)
 ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 LOCAL_REQUIRED_MODULES += \
-    sepolicy_tests \
     sepolicy_compat_test \
 
+# HACK: sepolicy_test is implemented as genrule
+# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
+# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
+LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
+
 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_REQUIRED_MODULES += \
     $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
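Review bot: The added `LOCAL_ADDITIONAL_DEPENDENCIES` line hard-codes both the genrule name and the `ETC` module class, so the only link between this build gate and the `sepolicy_test` genrule in Android.bp is a path string. The HACK comment explains why LOCAL_REQUIRED_MODULES cannot be used, but not where `ETC` comes from or that the name must stay in sync. I would extend it with `# Path must match the "sepolicy_test" genrule in Android.bp; ETC is assumed to be the class Soong exports genrule outputs under.` Since this dependency is what keeps the policy checks in the build, it is worth confirming that a stale path fails with a missing-rule error rather than silently dropping the test. The enclosing `ifneq` blocks and the module these variables belong to start outside the hunk.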
@@ -505,6 +509,7 @@
     vendor_hwservice_contexts_test \
     vendor_bug_map \
     vndservice_contexts \
+    vndservice_contexts_test \
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
 LOCAL_REQUIRED_MODULES += \
@@ -664,50 +669,8 @@
 file_contexts.modules.tmp :=
 
 ##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vndservice_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-
-vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
-$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
-$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
-	@mkdir -p $(dir $@)
-	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
-
-vnd_svcfiles :=
-vndservice_contexts.tmp :=
-
-##################################
 include $(LOCAL_PATH)/mac_permissions.mk
 
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy_tests
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
 all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
 all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@@ -721,13 +684,6 @@
 endif
 all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
 
-$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
-	$(hide) touch $@
-
 ##################################
 # Tests for Treble compatibility of current platform policy and vendor policy of
 # given release version.
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 8894931..463a978 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -93,11 +93,13 @@
 	android.RegisterModuleType("service_contexts", serviceFactory)
 	android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
 	android.RegisterModuleType("seapp_contexts", seappFactory)
+	android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
 
 	android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
 	android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
 	android.RegisterModuleType("hwservice_contexts_test", hwserviceContextsTestFactory)
 	android.RegisterModuleType("service_contexts_test", serviceContextsTestFactory)
+	android.RegisterModuleType("vndservice_contexts_test", vndServiceContextsTestFactory)
 }
 
 func (m *selinuxContextsModule) InstallInRoot() bool {
@@ -495,6 +497,18 @@
 	return m
 }
 
+func vndServiceFactory() android.Module {
+	m := newModule()
+	m.build = m.buildGeneralContexts
+	android.AddLoadHook(m, func(ctx android.LoadHookContext) {
+		if !ctx.SocSpecific() {
+			ctx.ModuleErrorf(m.Name(), "must set vendor: true")
+			return
+		}
+	})
+	return m
+}
+
 var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
 
 // Implements android.OutputFileProducer
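Review bot: In `vndServiceFactory`, the call `ctx.ModuleErrorf(m.Name(), "must set vendor: true")` passes the module name where the format string belongs, assuming `ModuleErrorf` has the usual `(format string, args ...interface{})` signature. The message would then be formatted from the name, with the intended text reported as an extra argument, and any `%` in a module name would be read as a verb. Change it to `ctx.ModuleErrorf("must set vendor: true")`, which also makes the trailing `return` in the hook redundant. The function has no doc comment either; something like `// vndServiceFactory creates a vndservice_contexts module, which must be vendor (SoC-specific).` would match the commented test factory added later in this file.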
@@ -565,6 +579,14 @@
 	return m
 }
 
+// vndservice_contexts_test tests given vndservice_contexts files with checkfc.
+func vndServiceContextsTestFactory() android.Module {
+	m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
+	m.AddProperties(&m.properties)
+	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+	return m
+}
+
 func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 	tool := m.tool
 	if tool != "checkfc" && tool != "property_info_checker" {
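Review bot: The `-e` flag in `vndServiceContextsTestFactory` tells checkfc to accept an empty input, so a `vndservice_contexts` module whose `srcs` resolve to nothing passes this test silently. The removed Make rule ran checkfc with the same `-e -v` flags, so behaviour is preserved, but the doc comment should state that an empty file is accepted on purpose, e.g. `// An empty vndservice_contexts is valid (-e), so this test does not detect missing sources.` The two inline `/* ... */` comments inside the struct literal would read better folded into that doc comment. `GenerateAndroidBuildActions` continues outside the hunk.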
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 3062a61..2a5a058 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -67,28 +67,55 @@
         ":file_contexts_files{.vendor}",
     ],
     soc_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "vendor_file_contexts.recovery",
+    srcs: [
+        ":file_contexts_files{.plat_vendor_for_vendor}",
+        ":file_contexts_files{.vendor}",
+    ],
+    stem: "vendor_file_contexts",
+    recovery: true,
 }
 
 file_contexts {
     name: "system_ext_file_contexts",
     srcs: [":file_contexts_files{.system_ext_private}"],
     system_ext_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "system_ext_file_contexts.recovery",
+    srcs: [":file_contexts_files{.system_ext_private}"],
+    stem: "system_ext_file_contexts",
+    recovery: true,
 }
 
 file_contexts {
     name: "product_file_contexts",
     srcs: [":file_contexts_files{.product_private}"],
     product_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "product_file_contexts.recovery",
+    srcs: [":file_contexts_files{.product_private}"],
+    stem: "product_file_contexts",
+    recovery: true,
 }
 
 file_contexts {
     name: "odm_file_contexts",
     srcs: [":file_contexts_files{.odm}"],
     device_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "odm_file_contexts.recovery",
+    srcs: [":file_contexts_files{.odm}"],
+    stem: "odm_file_contexts",
+    recovery: true,
 }
 
 hwservice_contexts {
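Review bot: Each new `*.recovery` module repeats the `srcs` list of its non-recovery twin, so a later edit to one copy and not the other would give recovery a different file_contexts from the normal image under the same installed name (`stem`). The hunk does not say why `recovery_available: true` was replaced; presumably it is so that `:vendor_file_contexts` and the others resolve to a single variant for the `sepolicy_test` genrule. A comment on each pair would capture both points: `// Separate recovery module instead of recovery_available; keep srcs identical to vendor_file_contexts.` Any module that relied on the recovery variant of the old names now has to reference the `.recovery` name, which cannot be checked from this diff. The first `file_contexts` block begins outside the hunk.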
@@ -287,6 +314,16 @@
     sepolicy: ":precompiled_sepolicy",
 }
 
+vndservice_contexts {
+    name: "vndservice_contexts",
+    srcs: [
+        ":vndservice_contexts_files{.plat_vendor_for_vendor}",
+        ":vndservice_contexts_files{.vendor}",
+        ":vndservice_contexts_files{.reqd_mask_for_vendor}",
+    ],
+    soc_specific: true,
+}
+
 // for CTS
 genrule {
     name: "plat_seapp_neverallows",
@@ -432,3 +469,9 @@
     srcs: [":vendor_service_contexts"],
     sepolicy: ":precompiled_sepolicy",
 }
+
+vndservice_contexts_test {
+    name: "vndservice_contexts_test",
+    srcs: [":vndservice_contexts"],
+    sepolicy: ":precompiled_sepolicy",
+}