Correctly handle line markers
For better debuggability upon neverallow violations, this change leaves
line markers as-is.
* build_sepolicy filter_out tool leaves line markers as-is. It may cause
markers to be redundant, so it also cleans up such markers.
* remove_line_marker property is removed as it is not needed.
* fixed odm_sepolicy.cil filtering.
Bug: 400544895
Test: check sepolicy artifacts
Change-Id: I793ffe728488422fc31de2705889869b2ea7d050
diff --git a/build/Android.bp b/build/Android.bp
index dbe17c8..ef898e8 100644
--- a/build/Android.bp
+++ b/build/Android.bp
@@ -32,3 +32,15 @@
"version_policy",
],
}
+
+python_test_host {
+ name: "sepolicy_file_utils_test",
+ srcs: [
+ "file_utils.py",
+ "file_utils_test.py",
+ ],
+ main: "file_utils_test.py",
+ test_options: {
+ unit_test: true,
+ },
+}
diff --git a/build/file_utils.py b/build/file_utils.py
index e3210ed..5023fd0 100644
--- a/build/file_utils.py
+++ b/build/file_utils.py
@@ -30,19 +30,72 @@
os.makedirs(parent_dir)
+def remove_redundant_line_markers(lines):
+ """
+ Removes any redundant line markers.
+
+ Line markers are to support better error reporting for neverallow rules.
+ Line markers, possibly nested, look like:
+
+ ;;* lm(s|x) LINENO FILENAME
+ (CIL STATEMENTS)
+ ;;* lme
+
+ * lms is used when each of the following CIL statements corresponds to a line
+ in the original file.
+
+ * lmx is used when the following CIL statements are all expanded from a
+ single high-level language line.
+
+ * lme ends a line mark block.
+
+ Redundant line markers are markers without any statements inside. Normally
+ there are no such redundant line markers, but CIL files filtered out by
+ filter_out function below may contain those. remove_redundant_line_markers
+ find all such redundant line markers and removes all of them. See
+ file_utils_test.py for an example.
+ """
+
+ marker_stk = []
+ valid = [False] * len(lines)
+
+ for idx in range(len(lines)):
+ line = lines[idx]
+ if line.startswith(";;* lmx") or line.startswith(";;* lms"):
+ # line start marker
+ marker_stk.append(idx)
+ elif line.startswith(";;* lme"): # line end marker
+ if valid[marker_stk[-1]]:
+ valid[idx] = True
+ # propagate valid to parent markers
+ if len(marker_stk) >= 2:
+ valid[marker_stk[-2]] = True
+ marker_stk.pop()
+ else:
+ # any other expressions
+ valid[idx] = True
+ # set the current marker as valid
+ if marker_stk:
+ valid[marker_stk[-1]] = True
+
+ return [lines[idx] for idx in range(len(lines)) if valid[idx]]
+
def filter_out(pattern_files, input_file):
""""Removes lines in input_file that match any line in pattern_files."""
# Prepares patterns.
patterns = []
for f in pattern_files:
- patterns.extend(open(f).readlines())
+ patterns.extend([x for x in open(f).readlines() if not x.startswith(";;*")])
# Copy lines that are not in the pattern.
tmp_output = tempfile.NamedTemporaryFile(mode='w+')
with open(input_file, 'r') as in_file:
- tmp_output.writelines(line for line in in_file.readlines()
- if line not in patterns)
+ lines = [line for line in in_file.readlines()
+ if line not in patterns and line.strip()]
+ lines = remove_redundant_line_markers(lines)
+ tmp_output.writelines(lines)
+
# Append empty line because a completely empty file
# will trip up secilc later on:
tmp_output.write("\n")
diff --git a/build/file_utils_test.py b/build/file_utils_test.py
new file mode 100644
index 0000000..91ae498
--- /dev/null
+++ b/build/file_utils_test.py
@@ -0,0 +1,59 @@
+# Copyright 2025 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Tests for file_utils"""
+
+import file_utils
+import unittest
+
+
+# pylint: disable=missing-docstring
+class FileUtilsTest(unittest.TestCase):
+
+ # tests
+
+ def test_removing_markers(self):
+ lines = [
+ ";;* lms 1 test_sepolicy.cil",
+ "(type foo)",
+ ";;* lmx 1 foo.te",
+ ";;* lme",
+ ";;* lmx 1 bar.te",
+ ";;* lmx 2 bar.te",
+ ";;* lme",
+ ";;* lme",
+ ";;* lmx 3 bar.te",
+ "(allow foo self (file (read)))",
+ "(neverallow foo self (file (write)))",
+ ";;* lme",
+ ";;* lme", # lms 1 test_sepolicy.cil
+ ]
+
+ expected = [
+ ";;* lms 1 test_sepolicy.cil",
+ "(type foo)",
+ ";;* lmx 3 bar.te",
+ "(allow foo self (file (read)))",
+ "(neverallow foo self (file (write)))",
+ ";;* lme",
+ ";;* lme", # lms 1 test_sepolicy.cil
+ ]
+
+ actual = file_utils.remove_redundant_line_markers(lines)
+
+ # Line markers without any statements must be removed
+ self.assertEqual(actual, expected)
+
+
+if __name__ == '__main__':
+ unittest.main(verbosity=2)
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 8bdf01b..9d71d87 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -324,9 +324,6 @@
// exported policies
Filter_out []string `android:"path"`
- // Whether to remove line markers (denoted by ;;) out of compiled cil files. Defaults to false
- Remove_line_marker *bool
-
// Whether to run secilc to check compiled policy or not. Defaults to true
Secilc_check *bool
@@ -392,17 +389,6 @@
Text(">> ").Output(cil)
}
- if proptools.Bool(c.properties.Remove_line_marker) {
- rule.Command().Text("grep -v").
- Text(proptools.ShellEscape(";;")).
- Text(cil.String()).
- Text(">").
- Text(cil.String() + ".tmp").
- Text("&& mv").
- Text(cil.String() + ".tmp").
- Text(cil.String())
- }
-
if proptools.BoolDefault(c.properties.Secilc_check, true) {
secilcCmd := rule.Command().BuiltTool("secilc").
Flag("-m"). // Multiple decls