Skip to content
Snippets Groups Projects
  1. Feb 05, 2018
    • Bowgo Tsai's avatar
      Using a python script to build sepolicy · 741a70a0
      Bowgo Tsai authored
      Current sepolicy CIL files are built by several command-line tools
      in Android.mk. This change extracts some of the build logic into a
      python script to relief the effort in Android.mk.
      
      The first command is `build_sepolicy build_cil`. It's possible to add
      more sub-commands under the build_sepolicy script in the future.
      
      Bug: 64240127
      Test: build bullhead/taimen
      Change-Id: Ie0ae4fc5256a550c72954cde5d5dd213a22d159a
      741a70a0
  2. Feb 02, 2018
  3. Jan 31, 2018
    • Bowgo Tsai's avatar
      Using a python script to build sepolicy · 3506ad3f
      Bowgo Tsai authored
      Current sepolicy CIL files are built by several command-line tools
      in Android.mk. This change extracts some of the build logic into a
      python script to relief the effort in Android.mk.
      
      The first command is `build_sepolicy build_cil`. It's possible to add
      more sub-commands under the build_sepolicy script in the future.
      
      Bug: 64240127
      Test: build and boot a device
      Test: checks the content of $OUT/vendor/etc/selinux/vendor_sepolicy.cil
            is the same as before
      Change-Id: I0b64f1088f413172e97b579b4f7799fa392762df
      3506ad3f
  4. Jun 05, 2017
    • Jeff Vander Stoep's avatar
      Verify correct application of labels and attributes · bdfc0301
      Jeff Vander Stoep authored
      With project Treble, we're relying heavily on attributes for
      permission inheritance and enforcement of separation between
      platform and vendor components.
      
      We neead tests that verify those attributes are correctly applied.
      This change adds the framework for those tests including a wrapper
      around libsepol for loading and querying policy, and a python module
      for running tests on policy and file_contexts.
      
      Included with the testing framework is a test asserting that the
      coredomain attribute is only applied to core processes. This
      verification is done using the following rules:
      1. Domain's entrypoint is on /system - coredomain
      2. Domain's entrypoint is on /vendor - not coredomain
      3. Domain belongs to a whitelist of known coredomains - coredomain
      
      In a subsequent commit these tests will be applied at build time.
      However, I first need to fix existing Treble violations exposed by
      this test. These tests will also be applied during CTS.
      
      Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \
          treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \
          -f $OUT/vendor/etc/selinux/nonplat_file_contexts \
          -f $OUT/system/etc/selinux/plat_file_contexts
      Bug: 37008075
      Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9
      (cherry picked from commit 0366afdf)
      bdfc0301
  5. May 31, 2017
    • Jeff Vander Stoep's avatar
      Verify correct application of labels and attributes · 0366afdf
      Jeff Vander Stoep authored
      With project Treble, we're relying heavily on attributes for
      permission inheritance and enforcement of separation between
      platform and vendor components.
      
      We neead tests that verify those attributes are correctly applied.
      This change adds the framework for those tests including a wrapper
      around libsepol for loading and querying policy, and a python module
      for running tests on policy and file_contexts.
      
      Included with the testing framework is a test asserting that the
      coredomain attribute is only applied to core processes. This
      verification is done using the following rules:
      1. Domain's entrypoint is on /system - coredomain
      2. Domain's entrypoint is on /vendor - not coredomain
      3. Domain belongs to a whitelist of known coredomains - coredomain
      
      In a subsequent commit these tests will be applied at build time.
      However, I first need to fix existing Treble violations exposed by
      this test. These tests will also be applied during CTS.
      
      Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \
          treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \
          -f $OUT/vendor/etc/selinux/nonplat_file_contexts \
          -f $OUT/system/etc/selinux/plat_file_contexts
      Bug: 37008075
      Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9
      0366afdf
Loading