Build platform side policy with Soong
This replaces the following policy files with Android.bp modules:
- reqd_policy_mask.cil
- plat_sepolicy.cil
- system_ext_sepolicy.cil
- product_sepolicy.cil
- plat_pub_policy.cil
- system_ext_pub_policy.cil
- pub_policy.cil
- general_sepolicy.conf (for CTS)
Also microdroid's system policy now uses above.
Bug: 33691272
Bug: 178993690
Test: policy files stay same
Test: boot normal device and microdroid, see sepolicy works
Test: build CtsSecurityHostTestCases
Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
diff --git a/Android.bp b/Android.bp
index aca6e40..80da56b 100644
--- a/Android.bp
+++ b/Android.bp
@@ -493,137 +493,190 @@
],
}
-// This is a minimized cil modules to test microdroid.
-// TODO(b/178993690): migrate cil files to Android.bp and remove below
-filegroup {
- name: "microdroid_sepolicy_build_files",
+se_build_files {
+ name: "se_build_files",
srcs: [
- // This order is important. Should be identical to sepolicy_build_files in Android.mk
- "private/security_classes",
- "private/initial_sids",
- "private/access_vectors",
- "public/global_macros",
- "public/neverallow_macros",
- "private/mls_macros",
- "private/mls_decl",
- "private/mls",
- "private/policy_capabilities",
- "public/te_macros",
- "public/attributes",
- "private/attributes",
- "public/ioctl_defines",
- "public/ioctl_macros",
- "public/*.te",
- "private/*.te",
- "private/roles_decl",
- "public/roles",
- "private/users",
- "private/initial_sid_contexts",
- "private/fs_use",
- "private/genfs_contexts",
- "private/port_contexts",
+ "security_classes",
+ "initial_sids",
+ "access_vectors",
+ "global_macros",
+ "neverallow_macros",
+ "mls_macros",
+ "mls_decl",
+ "mls",
+ "policy_capabilities",
+ "te_macros",
+ "attributes",
+ "ioctl_defines",
+ "ioctl_macros",
+ "*.te",
+ "roles_decl",
+ "roles",
+ "users",
+ "initial_sid_contexts",
+ "fs_use",
+ "genfs_contexts",
+ "port_contexts",
],
}
-filegroup {
- name: "microdroid_sepolicy_public_and_reqd_mask_build_files",
- srcs: [
- // This order is important. Should be identical to sepolicy_build_files in Android.mk
- "reqd_mask/security_classes",
- "reqd_mask/initial_sids",
- "reqd_mask/access_vectors",
- "public/global_macros",
- "public/neverallow_macros",
- "reqd_mask/mls_macros",
- "reqd_mask/mls_decl",
- "reqd_mask/mls",
- "public/te_macros",
- "public/attributes",
- "public/ioctl_defines",
- "public/ioctl_macros",
- "public/*.te",
- "reqd_mask/*.te",
- "reqd_mask/roles_decl",
- "public/roles",
- "reqd_mask/roles",
- "reqd_mask/users",
- "reqd_mask/initial_sid_contexts",
- ],
-}
-
-filegroup {
- name: "microdroid_sepolicy_reqd_mask_build_files",
- srcs: [
- // This order is important. Should be identical to sepolicy_build_files in Android.mk
- "reqd_mask/security_classes",
- "reqd_mask/initial_sids",
- "reqd_mask/access_vectors",
- "reqd_mask/mls_macros",
- "reqd_mask/mls_decl",
- "reqd_mask/mls",
- "reqd_mask/*.te",
- "reqd_mask/roles_decl",
- "reqd_mask/roles",
- "reqd_mask/users",
- "reqd_mask/initial_sid_contexts",
- ],
-}
-
-// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch,
-// these configurations should be fine to test microdroid on normal devices with full treble.
-// The exception is target_arch. But as target_arch is meaningful only on mips, and as we are not
-// running microdroid on mips for now, we skip assigning target_arch here. After cil files are fully
-// migrated into Soong, these will have correct values.
-policy_to_conf_flags = "$(location m4) --fatal-warnings " +
-"-D mls_num_sens=1 -D mls_num_cats=1024 " +
-"-D target_build_variant=userdebug " +
-"-D target_with_asan=false " +
-"-D target_with_native_coverage=false " +
-"-D target_full_treble=true " +
-"-D target_compatible_property=true " +
-"-D target_treble_sysprop_neverallow=true " +
-"-D target_enforce_sysprop_owner=true "
-
-genrule {
- name: "microdroid_plat_sepolicy.cil_gen",
- srcs: [":microdroid_sepolicy_build_files"],
- tools: ["m4", "checkpolicy"],
- out: ["plat_sepolicy.cil"],
- cmd: policy_to_conf_flags +
- "-s $(locations :microdroid_sepolicy_build_files) > $(out).conf" +
- "&& $(location checkpolicy) -M -C -c 30 -o $(out) $(out).conf",
- visibility: ["//visibility:private"],
-}
-
-prebuilt_etc {
- name: "microdroid_plat_sepolicy.cil",
- src: ":microdroid_plat_sepolicy.cil_gen",
- filename: "plat_sepolicy.cil",
- relative_install_path: "selinux",
+// reqd_policy_mask - a policy.conf file which contains only the bare minimum
+// policy necessary to use checkpolicy.
+//
+// This bare-minimum policy needs to be present in all policy.conf files, but
+// should not necessarily be exported as part of the public policy.
+//
+// The rules generated by reqd_policy_mask will allow the compilation of public
+// policy and subsequent removal of CIL policy that should not be exported.
+se_policy_conf {
+ name: "reqd_policy_mask.conf",
+ srcs: [":se_build_files{.reqd_mask}"],
installable: false,
}
-genrule {
- name: "microdroid_reqd_policy_mask.cil_gen",
- srcs: [":microdroid_sepolicy_reqd_mask_build_files"],
- tools: ["m4", "checkpolicy"],
- out: ["reqd_policy_mask.cil"],
- cmd: policy_to_conf_flags +
- "-s $(in) > $(out).conf" +
- "&& $(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf",
- visibility: ["//visibility:private"],
+se_policy_cil {
+ name: "reqd_policy_mask.cil",
+ src: ":reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
}
+// pub_policy - policy that will be exported to be a part of non-platform
+// policy corresponding to this platform version.
+//
+// This is a limited subset of policy that would not compile in checkpolicy on
+// its own.
+//
+// To get around this limitation, add only the required files from private
+// policy, which will generate CIL policy that will then be filtered out by the
+// reqd_policy_mask.
+//
+// There are three pub_policy.cil files below:
+// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
+// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
+// - plat_pub_policy.cil: exported 'system' policy.
+//
+// Those above files will in turn be used to generate the following versioned cil files:
+// - product_mapping_file: the versioned, exported 'product' policy in product partition.
+// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
+// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
+// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
+// in vendor partition.
+//
+se_policy_conf {
+ name: "pub_policy.conf",
+ srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
+ installable: false,
+}
+
+se_policy_cil {
+ name: "pub_policy.cil",
+ src: ":pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "system_ext_pub_policy.conf",
+ srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
+ installable: false,
+}
+
+se_policy_cil {
+ name: "system_ext_pub_policy.cil",
+ src: ":system_ext_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "plat_pub_policy.cil",
+ src: ":plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+// plat_policy.conf - A combination of the private and public platform policy
+// which will ship with the device.
+//
+// The platform will always reflect the most recent platform version and is not
+// currently being attributized.
+se_policy_conf {
+ name: "plat_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "plat_sepolicy.cil",
+ src: ":plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+}
+
+// system_ext_policy.conf - A combination of the private and public system_ext
+// policy which will ship with the device. System_ext policy is not attributized
+se_policy_conf {
+ name: "system_ext_sepolicy.conf",
+ srcs: [":se_build_files{.system_ext}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "system_ext_sepolicy.cil",
+ src: ":system_ext_sepolicy.conf",
+ system_ext_specific: true,
+ filter_out: [":plat_sepolicy.cil"],
+ remove_line_marker: true,
+}
+
+// product_policy.conf - A combination of the private and public product policy
+// which will ship with the device. Product policy is not attributized
+se_policy_conf {
+ name: "product_sepolicy.conf",
+ srcs: [":se_build_files{.product}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "product_sepolicy.cil",
+ src: ":product_sepolicy.conf",
+ product_specific: true,
+ filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
+ remove_line_marker: true,
+}
+
+//////////////////////////////////
+// SELinux policy embedded into CTS.
+// CTS checks neverallow rules of this policy against the policy of the device under test.
+//////////////////////////////////
+se_policy_conf {
+ name: "general_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ build_variant: "user",
+ cts: true,
+ exclude_build_test: true,
+}
+
+//////////////////////////////////
+// modules for microdroid
+// TODO(b/178993690): migrate Android.mk to Android.bp and remove below
+//////////////////////////////////
genrule {
name: "microdroid_plat_mapping_file_gen",
- srcs: [":microdroid_sepolicy_public_and_reqd_mask_build_files", ":microdroid_reqd_policy_mask.cil_gen"],
- tools: ["m4", "checkpolicy", "build_sepolicy", "version_policy"],
+ srcs: [":plat_pub_policy.cil", ":reqd_policy_mask.cil"],
+ tools: ["build_sepolicy", "version_policy"],
out: ["10000.0.cil"],
- cmd: policy_to_conf_flags +
- "-s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf" +
- "&& $(location checkpolicy) -M -C -c 30 -o $(out).pub $(out).conf" +
- "&& $(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out).pub" +
- "&& $(location version_policy) -b $(out).pub -m -n 10000.0 -o $(out)",
+ cmd: "$(location build_sepolicy) filter_out -f $(location :reqd_policy_mask.cil) -t $(location :plat_pub_policy.cil)" +
+ "&& $(location version_policy) -b $(location :plat_pub_policy.cil) -m -n 10000.0 -o $(out)",
visibility: ["//visibility:private"],
}
@@ -635,34 +688,29 @@
installable: false,
}
-///////////////////////////////////////////////////////////////////
-genrule {
- name: "microdroid_pub_policy.cil_gen",
- srcs: [
- ":microdroid_sepolicy_public_and_reqd_mask_build_files",
- ":microdroid_reqd_policy_mask.cil_gen",
- ],
- tools: ["m4", "checkpolicy", "build_sepolicy"],
- out: ["pub_policy.cil"],
- cmd: policy_to_conf_flags + " -s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf && " +
- "$(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf && " +
- "$(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out)",
- visibility: ["//visibility:private"],
-}
-
+// Normally plat_pub_versioned.cil is built from pub_policy.cil (including system_ext and product).
+// But microdroid only has system, so its plat_pub_versioned.cil uses plat_pub_policy.cil.
genrule {
name: "microdroid_plat_pub_versioned.cil_gen",
- srcs: [":microdroid_pub_policy.cil_gen"],
+ srcs: [":plat_pub_policy.cil"],
tools: ["version_policy"],
out: ["plat_pub_versioned.cil"],
cmd: "$(location version_policy) " +
- "-b $(location :microdroid_pub_policy.cil_gen) " +
- "-t $(location :microdroid_pub_policy.cil_gen) " +
+ "-b $(location :plat_pub_policy.cil) " +
+ "-t $(location :plat_pub_policy.cil) " +
"-n 10000.0 " +
"-o $(out)",
visibility: ["//visibility:private"],
}
+prebuilt_etc {
+ name: "microdroid_plat_pub_versioned.cil",
+ src: ":microdroid_plat_pub_versioned.cil_gen",
+ filename: "plat_pub_versioned.cil",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
filegroup {
name: "microdroid_vendor_sepolicy_build_files",
srcs: [
@@ -689,13 +737,28 @@
],
}
+// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch,
+// these configurations should be fine to test microdroid on normal devices with full treble.
+// The exception is target_arch. But as target_arch is meaningful only on mips, and as we are not
+// running microdroid on mips for now, we skip assigning target_arch here. After cil files are fully
+// migrated into Soong, these will have correct values.
+policy_to_conf_flags = "$(location m4) --fatal-warnings " +
+"-D mls_num_sens=1 -D mls_num_cats=1024 " +
+"-D target_build_variant=userdebug " +
+"-D target_with_asan=false " +
+"-D target_with_native_coverage=false " +
+"-D target_full_treble=true " +
+"-D target_compatible_property=true " +
+"-D target_treble_sysprop_neverallow=true " +
+"-D target_enforce_sysprop_owner=true "
+
genrule {
name: "microdroid_vendor_sepolicy.cil_gen",
srcs: [
":microdroid_vendor_sepolicy_build_files",
":microdroid_plat_pub_versioned.cil_gen",
- ":microdroid_pub_policy.cil_gen",
- ":microdroid_reqd_policy_mask.cil_gen",
+ ":pub_policy.cil",
+ ":reqd_policy_mask.cil",
],
tools: [
"m4",
@@ -711,9 +774,9 @@
"build_cil " +
"--input_policy_conf $(out).conf " +
"--checkpolicy_env ASAN_OPTIONS=detect_leaks=0 " +
- "--base_policy $(location :microdroid_pub_policy.cil_gen) " +
+ "--base_policy $(location :pub_policy.cil) " +
"--filter_out_files $(location :microdroid_plat_pub_versioned.cil_gen) " +
- "--reqd_mask $(location :microdroid_reqd_policy_mask.cil_gen) " +
+ "--reqd_mask $(location :reqd_policy_mask.cil) " +
"--treble_sepolicy_vers 10000.0 " +
"--policy_vers 30 " +
"--output_cil $(out)",
@@ -727,38 +790,3 @@
relative_install_path: "selinux",
installable: false,
}
-
-prebuilt_etc {
- name: "microdroid_plat_pub_versioned.cil",
- src: ":microdroid_plat_pub_versioned.cil_gen",
- filename: "plat_pub_versioned.cil",
- relative_install_path: "selinux",
- installable: false,
-}
-
-se_build_files {
- name: "se_build_files",
- srcs: [
- "security_classes",
- "initial_sids",
- "access_vectors",
- "global_macros",
- "neverallow_macros",
- "mls_macros",
- "mls_decl",
- "mls",
- "policy_capabilities",
- "te_macros",
- "attributes",
- "ioctl_defines",
- "ioctl_macros",
- "*.te",
- "roles_decl",
- "roles",
- "users",
- "initial_sid_contexts",
- "fs_use",
- "genfs_contexts",
- "port_contexts",
- ],
-}