Merge "Remove obsolete ioctl allow"
diff --git a/Android.bp b/Android.bp
index 438b13f..6aeb27b 100644
--- a/Android.bp
+++ b/Android.bp
@@ -184,6 +184,11 @@
srcs: ["keystore2_key_contexts"],
}
+se_build_files {
+ name: "seapp_contexts_files",
+ srcs: ["seapp_contexts"],
+}
+
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
@@ -1044,17 +1049,3 @@
se_freeze_test {
name: "sepolicy_freeze_test",
}
-
-//////////////////////////////////
-// Makefile rules temporary imported to Soong
-// TODO(b/33691272): remove these after migrating seapp to Soong
-//////////////////////////////////
-makefile_goal {
- name: "plat_seapp_contexts_rule",
- product_out_path: "obj/ETC/plat_seapp_contexts_intermediates/plat_seapp_contexts",
-}
-
-makefile_goal {
- name: "plat_seapp_neverallows_rule",
- product_out_path: "obj/ETC/plat_seapp_neverallows_intermediates/plat_seapp_neverallows",
-}
diff --git a/Android.mk b/Android.mk
index e235bde..361c7c4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -349,7 +349,7 @@
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
sepolicy_tests \
- $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+ sepolicy_compat_test \
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \
@@ -680,9 +680,6 @@
file_contexts.modules.tmp :=
##################################
-include $(LOCAL_PATH)/seapp_contexts.mk
-
-##################################
include $(LOCAL_PATH)/contexts_tests.mk
##################################
@@ -747,8 +744,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
- $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
$(hide) touch $@
##################################
@@ -770,11 +766,6 @@
)
endif # PRODUCT_SEPOLICY_SPLIT
-$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
- $(eval version_under_treble_tests := $(v)) \
- $(eval include $(LOCAL_PATH)/compat.mk) \
-)
-
built_plat_sepolicy :=
built_system_ext_sepolicy :=
built_product_sepolicy :=
diff --git a/OWNERS b/OWNERS
index c5b61ae..61eecb2 100644
--- a/OWNERS
+++ b/OWNERS
@@ -5,7 +5,6 @@
inseob@google.com
jbires@google.com
jeffv@google.com
-jgalenson@google.com
jiyong@google.com
smoreland@google.com
trong@google.com
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 865dbb4..0909f70 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -124,4 +124,9 @@
b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
}
+
+ for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
+ b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
+ }
}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 46b0f71..3044425 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -15,13 +15,21 @@
package selinux
import (
+ "fmt"
+
"github.com/google/blueprint/proptools"
"android/soong/android"
)
+var (
+ compatTestDepTag = dependencyTag{name: "compat_test"}
+)
+
func init() {
- android.RegisterModuleType("se_compat_cil", compatCilFactory)
+ ctx := android.InitRegistrationContext
+ ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
+ ctx.RegisterSingletonModuleType("se_compat_test", compatTestFactory)
}
// se_compat_cil collects and installs backwards compatibility cil files.
@@ -107,3 +115,154 @@
},
}}
}
+
+func (c *compatCil) OutputFiles(tag string) (android.Paths, error) {
+ switch tag {
+ case "":
+ return android.Paths{c.installSource}, nil
+ default:
+ return nil, fmt.Errorf("unsupported module reference tag %q", tag)
+ }
+}
+
+var _ android.OutputFileProducer = (*compatCil)(nil)
+
+// se_compat_test checks if compat files ({ver}.cil, {ver}.compat.cil) files are compatible with
+// current policy.
+func compatTestFactory() android.SingletonModule {
+ f := &compatTestModule{}
+ android.InitAndroidModule(f)
+ android.AddLoadHook(f, func(ctx android.LoadHookContext) {
+ f.loadHook(ctx)
+ })
+ return f
+}
+
+type compatTestModule struct {
+ android.SingletonModuleBase
+
+ compatTestTimestamp android.ModuleOutPath
+}
+
+func (f *compatTestModule) createPlatPubVersionedModule(ctx android.LoadHookContext, ver string) {
+ confName := fmt.Sprintf("pub_policy_%s.conf", ver)
+ cilName := fmt.Sprintf("pub_policy_%s.cil", ver)
+ platPubVersionedName := fmt.Sprintf("plat_pub_versioned_%s.cil", ver)
+
+ ctx.CreateModule(policyConfFactory, &nameProperties{
+ Name: proptools.StringPtr(confName),
+ }, &policyConfProperties{
+ Srcs: []string{
+ fmt.Sprintf(":se_build_files{.plat_public_%s}", ver),
+ ":se_build_files{.reqd_mask}",
+ },
+ Installable: proptools.BoolPtr(false),
+ })
+
+ ctx.CreateModule(policyCilFactory, &nameProperties{
+ Name: proptools.StringPtr(cilName),
+ }, &policyCilProperties{
+ Src: proptools.StringPtr(":" + confName),
+ Filter_out: []string{":reqd_policy_mask.cil"},
+ Secilc_check: proptools.BoolPtr(false),
+ Installable: proptools.BoolPtr(false),
+ })
+
+ ctx.CreateModule(versionedPolicyFactory, &nameProperties{
+ Name: proptools.StringPtr(platPubVersionedName),
+ }, &versionedPolicyProperties{
+ Base: proptools.StringPtr(":" + cilName),
+ Target_policy: proptools.StringPtr(":" + cilName),
+ Version: proptools.StringPtr(ver),
+ Installable: proptools.BoolPtr(false),
+ })
+}
+
+func (f *compatTestModule) createCompatTestModule(ctx android.LoadHookContext, ver string) {
+ srcs := []string{
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ fmt.Sprintf(":plat_%s.cil", ver),
+ fmt.Sprintf(":%s.compat.cil", ver),
+ fmt.Sprintf(":system_ext_%s.cil", ver),
+ fmt.Sprintf(":system_ext_%s.compat.cil", ver),
+ fmt.Sprintf(":product_%s.cil", ver),
+ }
+
+ if ver == ctx.DeviceConfig().BoardSepolicyVers() {
+ srcs = append(srcs,
+ ":plat_pub_versioned.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ )
+ } else {
+ srcs = append(srcs, fmt.Sprintf(":plat_pub_versioned_%s.cil", ver))
+ }
+
+ compatTestName := fmt.Sprintf("%s_compat_test", ver)
+ ctx.CreateModule(policyBinaryFactory, &nameProperties{
+ Name: proptools.StringPtr(compatTestName),
+ }, &policyBinaryProperties{
+ Srcs: srcs,
+ Ignore_neverallow: proptools.BoolPtr(true),
+ Installable: proptools.BoolPtr(false),
+ })
+}
+
+func (f *compatTestModule) loadHook(ctx android.LoadHookContext) {
+ for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ f.createPlatPubVersionedModule(ctx, ver)
+ f.createCompatTestModule(ctx, ver)
+ }
+}
+
+func (f *compatTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ ctx.AddDependency(f, compatTestDepTag, fmt.Sprintf("%s_compat_test", ver))
+ }
+}
+
+func (f *compatTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
+ // does nothing; se_compat_test is a singeton because two compat test modules don't make sense.
+}
+
+func (f *compatTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ var inputs android.Paths
+ ctx.VisitDirectDepsWithTag(compatTestDepTag, func(child android.Module) {
+ o, ok := child.(android.OutputFileProducer)
+ if !ok {
+ panic(fmt.Errorf("Module %q should be an OutputFileProducer but it isn't", ctx.OtherModuleName(child)))
+ }
+
+ outputs, err := o.OutputFiles("")
+ if err != nil {
+ panic(fmt.Errorf("Module %q error while producing output: %v", ctx.OtherModuleName(child), err))
+ }
+ if len(outputs) != 1 {
+ panic(fmt.Errorf("Module %q should produce exactly one output, but did %q", ctx.OtherModuleName(child), outputs.Strings()))
+ }
+
+ inputs = append(inputs, outputs[0])
+ })
+
+ f.compatTestTimestamp = android.PathForModuleOut(ctx, "timestamp")
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("touch").Output(f.compatTestTimestamp).Implicits(inputs)
+ rule.Build("compat", "compat test timestamp for: "+f.Name())
+}
+
+func (f *compatTestModule) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "FAKE",
+ // OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
+ // Without OutputFile this module won't be exported to Makefile.
+ OutputFile: android.OptionalPathForPath(f.compatTestTimestamp),
+ Include: "$(BUILD_PHONY_PACKAGE)",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", f.compatTestTimestamp.String())
+ },
+ },
+ }}
+}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 71de38a..c55fba2 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -17,6 +17,7 @@
import (
"fmt"
"io"
+ "os"
"strings"
"github.com/google/blueprint"
@@ -58,11 +59,20 @@
}
}
+type seappProperties struct {
+ // Files containing neverallow rules.
+ Neverallow_files []string `android:"path"`
+
+ // Precompiled sepolicy binary file which will be fed to checkseapp.
+ Sepolicy *string `android:"path"`
+}
+
type selinuxContextsModule struct {
android.ModuleBase
properties selinuxContextsProperties
fileContextsProperties fileContextsProperties
+ seappProperties seappProperties
build func(ctx android.ModuleContext, inputs android.Paths) android.Path
deps func(ctx android.BottomUpMutatorContext)
outputPath android.Path
@@ -82,6 +92,7 @@
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
+ android.RegisterModuleType("seapp_contexts", seappFactory)
}
func (m *selinuxContextsModule) InstallInRoot() bool {
@@ -147,6 +158,7 @@
m.AddProperties(
&m.properties,
&m.fileContextsProperties,
+ &m.seappProperties,
)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
@@ -422,6 +434,31 @@
return builtCtxFile
}
+func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+ neverallowFile := android.PathForModuleGen(ctx, "neverallow")
+ ret := android.PathForModuleGen(ctx, m.stem())
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("(grep").
+ Flag("-ihe").
+ Text("'^neverallow'").
+ Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
+ Text(os.DevNull). // to make grep happy even when Neverallow_files is empty
+ Text(">").
+ Output(neverallowFile).
+ Text("|| true)") // to make ninja happy even when result is empty
+
+ rule.Temporary(neverallowFile)
+ rule.Command().BuiltTool("checkseapp").
+ FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
+ FlagWithOutput("-o ", ret).
+ Inputs(inputs).
+ Input(neverallowFile)
+
+ rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
+ return ret
+}
+
func hwServiceFactory() android.Module {
m := newModule()
m.build = m.buildHwServiceContexts
@@ -447,6 +484,12 @@
return m
}
+func seappFactory() android.Module {
+ m := newModule()
+ m.build = m.buildSeappContexts
+ return m
+}
+
var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
// Implements android.OutputFileProducer
diff --git a/compat.mk b/compat.mk
deleted file mode 100644
index 4aed864..0000000
--- a/compat.mk
+++ /dev/null
@@ -1,56 +0,0 @@
-version := $(version_under_treble_tests)
-
-include $(CLEAR_VARS)
-#################################
-# build this target to ensure the compat permissions files all build against the current policy
-#
-LOCAL_MODULE := $(version)_compat_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_REQUIRED_MODULES := $(version).compat.cil
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_cil_files := \
- $(built_plat_cil) \
- $(built_plat_mapping_cil) \
- $(built_pub_vers_cil) \
- $(ALL_MODULES.$(version).compat.cil.BUILT) \
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += $(built_system_ext_cil)
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(built_system_ext_mapping_cil)
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(built_product_mapping_cil)
-endif
-
-ifneq ($(mixed_sepolicy_build),true)
-
-all_cil_files += $(built_vendor_cil)
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_cil_files += $(built_odm_cil)
-endif
-
-endif # ifneq ($(mixed_sepolicy_build),true)
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
- @mkdir -p $(dir $@)
- $(hide) $< -m -N -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
-
-all_cil_files :=
-version :=
-version_under_treble_tests :=
diff --git a/compat/Android.bp b/compat/Android.bp
index fd1a864..bc8409a 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -269,3 +269,7 @@
stem: "32.0.compat.cil",
system_ext_specific: true,
}
+
+se_compat_test {
+ name: "sepolicy_compat_test",
+}
diff --git a/contexts/Android.bp b/contexts/Android.bp
index ed183ef..1dc710a 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -231,3 +231,70 @@
],
soc_specific: true,
}
+
+seapp_contexts {
+ name: "plat_seapp_contexts",
+ srcs: [":seapp_contexts_files{.plat_private}"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "system_ext_seapp_contexts",
+ srcs: [":seapp_contexts_files{.system_ext_private}"],
+ neverallow_files: [":seapp_contexts_files{.plat_private}"],
+ system_ext_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "product_seapp_contexts",
+ srcs: [":seapp_contexts_files{.product_private}"],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ],
+ product_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "vendor_seapp_contexts",
+ srcs: [
+ ":seapp_contexts_files{.plat_vendor_for_vendor}",
+ ":seapp_contexts_files{.vendor}",
+ ":seapp_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private_for_vendor}",
+ ":seapp_contexts_files{.system_ext_private_for_vendor}",
+ ":seapp_contexts_files{.product_private_for_vendor}",
+ ],
+ soc_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "odm_seapp_contexts",
+ srcs: [
+ ":seapp_contexts_files{.odm}",
+ ],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private_for_vendor}",
+ ":seapp_contexts_files{.system_ext_private_for_vendor}",
+ ":seapp_contexts_files{.product_private_for_vendor}",
+ ],
+ device_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+// for CTS
+genrule {
+ name: "plat_seapp_neverallows",
+ srcs: [
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
+ ],
+ out: ["plat_seapp_neverallows"],
+ cmd: "grep -ihe '^neverallow' $(in) > $(out) || true",
+}
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
deleted file mode 100644
index c0c3abb..0000000
--- a/seapp_contexts.mk
+++ /dev/null
@@ -1,142 +0,0 @@
-include $(CLEAR_VARS)
-LOCAL_MODULE := plat_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
-
-built_plat_sc := $(LOCAL_BUILT_MODULE)
-plat_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := system_ext_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-system_ext_sc_files := $(call build_policy, seapp_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(system_ext_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(system_ext_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-system_ext_sc_files :=
-plat_sc_neverallow_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := product_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-product_sc_files := $(call build_policy, seapp_contexts, $(PRODUCT_PRIVATE_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(product_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(product_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-product_sc_files :=
-plat_sc_neverallow_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vendor_sc_files := $(call build_policy, seapp_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-built_vendor_sc := $(LOCAL_BUILT_MODULE)
-vendor_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := odm_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(odm_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-built_odm_sc := $(LOCAL_BUILT_MODULE)
-odm_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := plat_seapp_neverallows
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- - $(hide) grep -ihe '^neverallow' $< > $@
-
-plat_sc_neverallow_files :=
diff --git a/tests/Android.bp b/tests/Android.bp
index 959a214..78a631f 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -11,6 +11,7 @@
srcs: ["sepol_wrap.cpp"],
cflags: ["-Wall", "-Werror",],
export_include_dirs: ["include"],
+ stl: "c++_static",
// libsepolwrap gets loaded from the system python, which does not have the
// ASAN runtime. So turn off sanitization for ourself, and use static
@@ -32,7 +33,7 @@
"policy.py",
"treble_sepolicy_tests.py",
],
- required: ["libsepolwrap"],
+ data: [":libsepolwrap"],
}
python_binary_host {
@@ -42,7 +43,7 @@
"policy.py",
"sepolicy_tests.py",
],
- required: ["libsepolwrap"],
+ data: [":libsepolwrap"],
}
python_binary_host {
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index a05d8f2..0a87a13 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -18,6 +18,7 @@
import policy
import re
import sys
+import distutils.ccompiler
#############################################################
# Tests
@@ -141,24 +142,21 @@
]
if __name__ == '__main__':
- usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
- usage += "-f vendor_file_contexts -f "
+ usage = "sepolicy_tests -f vendor_file_contexts -f "
usage +="plat_file_contexts -p policy [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
parser.add_option("-f", "--file_contexts", dest="file_contexts",
metavar="FILE", action="extend", type="string")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
- parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
parser.add_option("-t", "--test", dest="test", action="extend",
help="Test options include "+str(Tests))
(options, args) = parser.parse_args()
- if not options.libpath:
- sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
- if not os.path.exists(options.libpath):
- sys.exit("Error: library-path " + options.libpath + " does not exist\n"
- + parser.usage)
+ libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
+ "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
if not options.policy:
sys.exit("Must specify monolithic policy file\n" + parser.usage)
@@ -173,7 +171,7 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
- pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
+ pol = policy.Policy(options.policy, options.file_contexts, libpath)
results = ""
# If an individual test is not specified, run all tests.
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 1c5b8e2..a3bf661 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -20,6 +20,7 @@
from policy import MatchPathPrefix
import re
import sys
+import distutils.ccompiler
DEBUG=False
@@ -341,7 +342,7 @@
"ViolatorAttributes": TestViolatorAttributes}
if __name__ == '__main__':
- usage = "treble_sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
+ usage = "treble_sepolicy_tests "
usage += "-f nonplat_file_contexts -f plat_file_contexts "
usage += "-p curr_policy -b base_policy -o old_policy "
usage +="-m mapping file [--test test] [--help]"
@@ -351,7 +352,6 @@
metavar="FILE")
parser.add_option("-f", "--file_contexts", dest="file_contexts",
metavar="FILE", action="extend", type="string")
- parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
@@ -362,11 +362,6 @@
(options, args) = parser.parse_args()
- if not options.libpath:
- sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
- if not os.path.exists(options.libpath):
- sys.exit("Error: library-path " + options.libpath + " does not exist\n"
- + parser.usage)
if not options.policy:
sys.exit("Must specify current monolithic policy file\n" + parser.usage)
if not os.path.exists(options.policy):
@@ -379,6 +374,11 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
+ libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
+ "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
if options.tests is None or options.tests == "TrebleCompatMapping":
@@ -394,8 +394,8 @@
if not options.base_pub_policy:
sys.exit("Must specify the current platform-only public policy "
+ ".cil file\n" + parser.usage)
- basepol = policy.Policy(options.basepolicy, None, options.libpath)
- oldpol = policy.Policy(options.oldpolicy, None, options.libpath)
+ basepol = policy.Policy(options.basepolicy, None, libpath)
+ oldpol = policy.Policy(options.oldpolicy, None, libpath)
mapping = mini_parser.MiniCilParser(options.mapping)
pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
compatSetup(basepol, oldpol, mapping, pubpol.types)
@@ -403,7 +403,7 @@
if options.faketreble:
FakeTreble = True
- pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
+ pol = policy.Policy(options.policy, options.file_contexts, libpath)
setup(pol)
if DEBUG:
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 77945b7..011001b 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -164,8 +164,7 @@
$(public_cil_files) \
$(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
- $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
+ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
-u $(PRIVATE_PLAT_PUB_SEPOLICY) \