Support for APEX updatable sepolicy
Builds:
- sepolicy_test - file that init mounts in /dev/selinux to demonstrate
that updatable sepolicy is loaded.
- apex_sepolicy.cil - Initially includes a rule allowing shell
to read sepolicy_test.
- apex_file_contexts - Initially includes mapping of
/dev/selinux/sepolicy_test.
- apex_sepolicy.sha256. Used by init to determine if
precompiled_sepolicy can be used.
- apex_service_contexts - Currently empty.
- apex_property_contexts - Currently empty.
- apex_seapp_contexts - Currently empty.
Bug: 199914227
Test: Build, boot, ls -laZ /dev/selinux/sepolicy_test
Change-Id: I6aa625dda5235c6e7a0cfff777a9e15606084c12
diff --git a/Android.bp b/Android.bp
index 438b13f..fdd97ff 100644
--- a/Android.bp
+++ b/Android.bp
@@ -342,6 +342,21 @@
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
}
+
+se_policy_conf {
+ name: "apex_sepolicy-33.conf",
+ srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "apex_sepolicy-33.cil",
+ src: ":apex_sepolicy-33.conf",
+ filter_out: [":plat_sepolicy.cil"],
+ installable: false,
+ stem: "apex_sepolicy.cil",
+}
+
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
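Review bot: The new modules `apex_sepolicy-33.conf` and `apex_sepolicy-33.cil` have no header comment, unlike the `userdebug_plat_sepolicy.conf` module that follows them. The `filter_out: [":plat_sepolicy.cil"]` line is what reduces the output to rules not already in the platform policy, and that is worth stating, e.g. `// apex_sepolicy-33.cil - rules from com.android.sepolicy/33/*.te only; anything already in plat_sepolicy.cil is filtered out.` Because `srcs` prepends `plat_public_policy + plat_private_policy`, every `.te` file later dropped into that directory compiles with platform-private types in scope, which reviewers of those additions should know.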
@@ -659,6 +674,9 @@
// AND
// - product_sepolicy_and_mapping.sha256 equals
// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+// AND
+// - apex_sepolicy.sha256 equals
+// precompiled_sepolicy.apex_sepolicy.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
genrule {
@@ -676,6 +694,20 @@
}
genrule {
+ name: "apex_sepolicy.sha256_gen",
+ srcs: [":apex_sepolicy-33.cil"],
+ out: ["apex_sepolicy.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "apex_sepolicy.sha256",
+ filename: "apex_sepolicy.sha256",
+ src: ":apex_sepolicy.sha256_gen",
+ installable: false,
+}
+
+genrule {
name: "system_ext_sepolicy_and_mapping.sha256_gen",
srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
out: ["system_ext_sepolicy_and_mapping.sha256"],
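Review bot: `apex_sepolicy.sha256_gen` and the `apex_sepolicy.sha256` prebuilt are added without a comment saying what the digest is for, while the matching `precompiled_sepolicy.apex_sepolicy.sha256` module in the `@@ -744` hunk has one. Both modules take `src: ":apex_sepolicy.sha256_gen"`, so the two digests are identical at build time and can only diverge if the copy that ships with the updatable policy is replaced later. I would add `// Digest of apex_sepolicy.cil as shipped with the updatable policy; init compares it with precompiled_sepolicy.apex_sepolicy.sha256 to decide whether precompiled_sepolicy is stale.` above the genrule. The comparison is a freshness check only; nothing in this diff shows how the updated policy itself is authenticated, so the comment should not describe the hash as an integrity control.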
@@ -744,6 +776,18 @@
}
//////////////////////////////////
+// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
+// was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy_prebuilts"],
+ name: "precompiled_sepolicy.apex_sepolicy.sha256",
+ filename: "precompiled_sepolicy.apex_sepolicy.sha256",
+ src: ":apex_sepolicy.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
@@ -780,6 +824,7 @@
name: "precompiled_sepolicy",
srcs: [
":plat_sepolicy.cil",
+ ":apex_sepolicy-33.cil",
":plat_pub_versioned.cil",
":system_ext_sepolicy.cil",
":product_sepolicy.cil",
diff --git a/com.android.sepolicy/33/Android.bp b/com.android.sepolicy/33/Android.bp
new file mode 100644
index 0000000..f3387ac
--- /dev/null
+++ b/com.android.sepolicy/33/Android.bp
@@ -0,0 +1,56 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+genrule {
+ name: "apex_file_contexts-33.gen",
+ defaults: ["sepolicy_file_contexts_gen_default"],
+ srcs: ["file_contexts"],
+ out: ["apex_file_contexts-33"],
+}
+
+prebuilt_etc {
+ name: "apex_file_contexts-33",
+ filename: "apex_file_contexts",
+ src: ":apex_file_contexts-33.gen",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_property_contexts-33",
+ filename: "apex_property_contexts",
+ src: "property_contexts",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_service_contexts-33",
+ filename: "apex_service_contexts",
+ src: "service_contexts",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_seapp_contexts-33",
+ filename: "apex_seapp_contexts",
+ src: "seapp_contexts",
+ installable: false,
+}
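Review bot: `apex_property_contexts-33`, `apex_service_contexts-33` and `apex_seapp_contexts-33` copy their source files straight through (`src: "property_contexts"` and so on), while only `apex_file_contexts-33` goes through a generation step. The three files are empty today, so nothing breaks. Once they gain entries, a malformed line would not be caught at build time by anything visible in this file. A comment on each module, such as `// TODO: validate at build time before adding entries`, or equivalent checking genrules would record that gap.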
diff --git a/com.android.sepolicy/33/file_contexts b/com.android.sepolicy/33/file_contexts
new file mode 100644
index 0000000..14f99f9
--- /dev/null
+++ b/com.android.sepolicy/33/file_contexts
@@ -0,0 +1 @@
+/dev/selinux/apex_test u:object_r:sepolicy_test_file:s0
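Review bot: The path labelled here is `/dev/selinux/apex_test`, but the commit message describes the mapping as `/dev/selinux/sepolicy_test` and the test step runs `ls -laZ /dev/selinux/sepolicy_test`. If init creates the file under the name in the commit message, this entry never matches and the file will not get `sepolicy_test_file` from it. Which name is right depends on the init change, which is not part of this diff. If the message is correct, the line should read `/dev/selinux/sepolicy_test u:object_r:sepolicy_test_file:s0`; otherwise the commit message and test step should be updated.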
diff --git a/com.android.sepolicy/33/property_contexts b/com.android.sepolicy/33/property_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/property_contexts
diff --git a/com.android.sepolicy/33/seapp_contexts b/com.android.sepolicy/33/seapp_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/seapp_contexts
diff --git a/com.android.sepolicy/33/service_contexts b/com.android.sepolicy/33/service_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/service_contexts
diff --git a/com.android.sepolicy/33/shell.te b/com.android.sepolicy/33/shell.te
new file mode 100644
index 0000000..757328e
--- /dev/null
+++ b/com.android.sepolicy/33/shell.te
@@ -0,0 +1,2 @@
+allow shell sepolicy_test_file:file r_file_perms;
+
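Review bot: This `allow` rule gives `shell` read access purely to demonstrate that the updatable policy was loaded, according to the commit message, but nothing in the file says so. A comment above it would keep the rule from being mistaken for a production grant and make it easy to find for removal, e.g. `# Test-only: lets shell read the marker file that shows the APEX policy is loaded.` The type `sepolicy_test_file` is not declared in any hunk shown here, so please confirm it is defined in the platform policy that `apex_sepolicy-33.conf` is built with.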
diff --git a/com.android.sepolicy/Android.bp b/com.android.sepolicy/Android.bp
new file mode 100644
index 0000000..1e042f3
--- /dev/null
+++ b/com.android.sepolicy/Android.bp
@@ -0,0 +1,28 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+genrule_defaults {
+ name: "sepolicy_file_contexts_gen_default",
+ tools: ["fc_sort"],
+ cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+ "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
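Review bot: The `sed` expression deletes only lines that are completely empty (`/^$$/d`), so an indented comment or a line holding just spaces or tabs survives as a whitespace-only line after `s/#.*$$//` and is passed on to `fc_sort`. Whether `fc_sort` tolerates such lines is not visible here. Matching blank lines with optional whitespace removes the dependency: `-e '/^[[:space:]]*$$/d'`. A one-line comment above `cmd`, such as `// Strip comments and blank lines, then sort entries with fc_sort.`, would also help, since these defaults are meant to be shared.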