  1. Mar 30, 2018
    • Tri Vo's avatar
      Test frozen sepolicy has not diverged from prebuilts. · 321e1b05
      Tri Vo authored
      This will test that system/sepolicy/{public/, private/} are identical to
      prebuilts if PLATFORM_SEPOLICY_VERSION is not 10000.0.
      
      Bug: 74622750
      Test: build policy
      Test: correctly catches divergence from prebuilts for frozen policies
      
      Change-Id: I2fa14b672544a021c2d42ad5968dfbac21b72f6a
      (cherry picked from commit 81198bb8)
      321e1b05
  2. Mar 27, 2018
    • Joel Galenson's avatar
      Use user policy for compatibility tests. · 408584d5
      Joel Galenson authored
      Use the user policy when running the compatibility tests.
      
      Bug: 74344625
      Test: Built policy for many devices.  Booted one device.
      Test: Delete some compat rules, verify error on userdebug.
      Change-Id: Ib2df2dfc06cdf55a839011e9a528e76160a9e436
      (cherry picked from commit c1486218)
      408584d5
  3. Mar 26, 2018
    • Tom Cherry's avatar
      Verify the SELabels used in property_contexts · dc3e1dad
      Tom Cherry authored
      Verify that the SELabels used in property_contexts correspond to a
      real type in the SEPolicy and that this type has the property_type attribute.
      
      Additionally add a check that vendor property_context files do not
      duplicate entries in plat property_contexts, and a similar check that
      odm property_contexts doesn't duplicate either plat or vendor
      property_contexts.
      
      Bug: 74078792
      Test: Build property_contexts on bullhead successfully
      Test: See failure when using a faulty SELabel in property_contexts
      Test: See failure when duplicating label in vendor and plat property_contexts
      Change-Id: I4d2338dab68f1c5a8ed110aa7821f0677f61bafb
      (cherry picked from commit a15df75d)
      dc3e1dad
  4. Mar 20, 2018
    • Bowgo Tsai's avatar
      Add /odm/etc/selinux/odm_mac_permissions.xml · 1067bffa
      Bowgo Tsai authored
      Bug: 64240127
      Test: normal boot a device
      Change-Id: I276ba6bc88eabb0d5562e4e96d3860eedb76aed5
      Merged-In: I276ba6bc88eabb0d5562e4e96d3860eedb76aed5
      (cherry picked from commit af7d85f8)
      1067bffa
    • Bowgo Tsai's avatar
      Add /odm/etc/selinux/odm_hwservice_contexts · 13e5d757
      Bowgo Tsai authored
      Bug: 64240127
      Test: normal boot and recovery boot a device
      Change-Id: I22d29e8476380d19aca1be359e0228ab6bbc3b0f
      Merged-In: I22d29e8476380d19aca1be359e0228ab6bbc3b0f
      (cherry picked from commit ad6231f5)
      13e5d757
    • Bowgo Tsai's avatar
      Add /odm/etc/selinux/odm_property_contexts · 6d3822d4
      Bowgo Tsai authored
      Bug: 64240127
      Test: normal boot and recovery boot a device
      Change-Id: Ibd71219f60644e57370c0293decf11d82f1cb35c
      Merged-In: Ibd71219f60644e57370c0293decf11d82f1cb35c
      (cherry picked from commit 1f717b10)
      6d3822d4
    • Bowgo Tsai's avatar
      Add /odm/etc/selinux/odm_seapp_contexts · 82444056
      Bowgo Tsai authored
      Bug: 64240127
      Test: normal boot a device
      Change-Id: I3626357237cc18a99511f1ebd9dd3ff5a7655963
      Merged-In: I3626357237cc18a99511f1ebd9dd3ff5a7655963
      (cherry picked from commit ecf656b0)
      82444056
    • Bowgo Tsai's avatar
      Add /odm/etc/selinux/odm_file_contexts · d3e94f26
      Bowgo Tsai authored
      Bug: 64240127
      Test: normal boot and recovery boot a device
      Change-Id: I087292fb23d05fc17272778d668ac78a721b2593
      Merged-In: I087292fb23d05fc17272778d668ac78a721b2593
      (cherry picked from commit bae1517a)
      d3e94f26
    • Bowgo Tsai's avatar
      Add /odm/etc/selinux/odm_sepolicy.cil · 95fbf451
      Bowgo Tsai authored
      This change adds the support of odm sepolicy customization, which can
      be configured through the newly added build variable:
          - BOARD_ODM_SEPOLICY_DIRS += device/${ODM_NAME}/${BOM_NAME}/sepolicy
      
      Also moving precompiled sepolicy to /odm when BOARD_ODM_SEPOLICY_DIRS
      is set. On a DUT, precompiled sepolicy on /odm will override the one in
      /vendor. This is intentional because /odm is the hardware customization
      for /vendor and both should be updated together if desired.
      
      Bug: 64240127
      Test: boot a device with /odm partition
      Change-Id: Ia8f81a78c88cbfefb3ff19e2ccd2648da6284d09
      Merged-In: Ia8f81a78c88cbfefb3ff19e2ccd2648da6284d09
      (cherry picked from commit 45457e3a)
      95fbf451
  5. Mar 07, 2018
    • Joel Galenson's avatar
      Use user policy when checking neverallow rules. · 053cb341
      Joel Galenson authored
      When building userdebug or eng builds, we still want to build the user
      policy when checking neverallow rules so that we can catch compile
      errors.
      
      Commit c0713e86 split out a helper function but lost one instance of
      using user instead of the real variant.  This restores that one and
      adds it to the neverallow check.
      
      Bug: 74344625
      Test: Added a rule that referred to a type defined only
      in userdebug and eng and ensure we throw a compile error when building
      userdebug mode.
      
      Change-Id: I1a6ffbb36dbeeb880852f9cbac880f923370c2ae
      053cb341
  6. Feb 27, 2018
  7. Feb 14, 2018
    • Jeff Vander Stoep's avatar
      Use SELINUX_IGNORE_NEVERALLOWS flag to disable all tests · 3d4965b2
      Jeff Vander Stoep authored
      The intent of this flag is to disable tests during early device
      bringup so that vendor drops can occur without build breakages.
      When SELINUX_IGNORE_NEVERALLOWS=true also disable labeling tests
      sepolicy_tests, and treble_sepolicy_tests.
      
      Bug: 73322735
      Test: build, verify known tests failures do not cause build breakage.
      Change-Id: I3e7165938d4e34c066bfa0a20e68b7e02dae4a24
      3d4965b2
  8. Feb 07, 2018
  9. Feb 06, 2018
  10. Feb 05, 2018
    • Jaekyun Seok's avatar
      Add tests for compatible property (1/2) · 64ade65d
      Jaekyun Seok authored
      The feature of compatible property has its own neverallow rules and it
      is enforced on devices launching with Android P.
      
      This CL changes hal_nfc to hal_nfc_server in neverallow rules because
      sepolicy-analyze doesn't recognize it. Additionally one more neverallow
      rule is added to restrict reading nfc_prop.
      
      Bug: 72013705
      Bug: 72678352
      Test: 'run cts -m CtsSecurityHostTestCases' on walleye with
      ro.product.first_api_level=28
      
      Change-Id: I753cc81f7ca0e4ad6a2434b2a047052678f57671
      64ade65d
    • Bowgo Tsai's avatar
      Using a python script to build sepolicy · 741a70a0
      Bowgo Tsai authored
      Current sepolicy CIL files are built by several command-line tools
      in Android.mk. This change extracts some of the build logic into a
      python script to relieve the effort in Android.mk.
      
      The first command is `build_sepolicy build_cil`. It's possible to add
      more sub-commands under the build_sepolicy script in the future.
      
      Bug: 64240127
      Test: build bullhead/taimen
      Change-Id: Ie0ae4fc5256a550c72954cde5d5dd213a22d159a
      741a70a0
    • Bowgo Tsai's avatar
      Renames nonplat_* to vendor_* · afbcf21b
      Bowgo Tsai authored
      This change renames the non-platform sepolicy files on a DUT from
      nonplat_* to vendor_*.
      
      It also splits the versioned platform sepolicy from vendor_sepolicy.cil
      to a new file /vendor/etc/selinux/plat_pub_versioned.cil, and only keeps
      vendor customizations in vendor_sepolicy.cil.
      
      Build variable BOARD_SEPOLICY_DIRS is also renamed to
      BOARD_VENDOR_SEPOLICY_DIRS.
      
      Bug: 64240127
      Test: boot bullhead/taimen
      Change-Id: Iea2210c9c8ab30c9ecbcd8146f074e76e90e6943
      afbcf21b
  11. Feb 02, 2018
  12. Jan 31, 2018
    • Bowgo Tsai's avatar
      Using a python script to build sepolicy · 3506ad3f
      Bowgo Tsai authored
      Current sepolicy CIL files are built by several command-line tools
      in Android.mk. This change extracts some of the build logic into a
      python script to relieve the effort in Android.mk.
      
      The first command is `build_sepolicy build_cil`. It's possible to add
      more sub-commands under the build_sepolicy script in the future.
      
      Bug: 64240127
      Test: build and boot a device
      Test: checks the content of $OUT/vendor/etc/selinux/vendor_sepolicy.cil
            is the same as before
      Change-Id: I0b64f1088f413172e97b579b4f7799fa392762df
      3506ad3f
    • Bowgo Tsai's avatar
      Renames nonplat_* to vendor_* · 9aa8496f
      Bowgo Tsai authored
      This change renames the non-platform sepolicy files on a DUT from
      nonplat_* to vendor_*.
      
      It also splits the versioned platform sepolicy from vendor_sepolicy.cil
      to a new file /vendor/etc/selinux/plat_pub_versioned.cil, and only keeps
      vendor customizations in vendor_sepolicy.cil.
      
      Build variable BOARD_SEPOLICY_DIRS is also renamed to
      BOARD_VENDOR_SEPOLICY_DIRS.
      
      Bug: 64240127
      Test: boot an existing device
      Change-Id: Iea87a502bc6191cfaf8a2201f29e4a2add4ba7bf
      9aa8496f
  13. Jan 12, 2018
    • Joel Galenson's avatar
      Improve neverallow error messages and allow disabling them on userdebug builds. · 5988b565
      Joel Galenson authored
      This patch adds a flag that can be used to ignore neverallow rules.
      By adding
      SELINUX_IGNORE_NEVERALLOWS := true
      into the BoardConfig.mk file, neverallow violations will be ignored
      silently.  This flag can only be enabled on userdebug and eng builds.
      
      Users of this flag should be very careful.  Since it does not work on
      user builds, it must be disabled to pass CTS, and enabling it for
      too long could hide issues that need to be addressed.
      
      As a happy side effect, this patch should also improve the error
      messages when violating a neverallow rule.  Specifically, the file
      and line number should be correct.
      
      Bug: 70950899
      Bug: 33960443
      Test: Built walleye-{user,eng} with and without this new option and
      a neverallow violation.  Built policy for all targets.
      
      Change-Id: Id0d65123cdd230d6b90faa6bb460d544054bb906
      5988b565
  14. Jan 10, 2018
    • Jaekyun Seok's avatar
      Whitelist exported platform properties · e4971454
      Jaekyun Seok authored
      This CL lists all the exported platform properties in
      private/exported_property_contexts.
      
      Additionally accessing core_property_type from vendor components is
      restricted.
      Instead, public_readable_property_type is used to allow vendor components
      to read exported platform properties, and accessibility from
      vendor_init is also specified explicitly.
      
      Note that whitelisting would be applied only if
      PRODUCT_COMPATIBLE_PROPERTY is set on.
      
      Bug: 38146102
      Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
      Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
      e4971454
  15. Jan 04, 2018
    • Tom Cherry's avatar
      Use property_info_checker instead of checkfc and fc_sort for properties · f68b4c67
      Tom Cherry authored
      1) fc_sort is not needed as there is no reason to sort system
         properties, so this is removed and replaced with a simple copy
      2) Use the new property_info_checker instead of checkfc for
         validating property information.  This supports exact match
         properties and will be extended to verify property schemas in the
         future.
      
      Bug: 36001741
      Test: verify bullhead's property contexts correct
      Test: verify faulty property contexts result in failures
      Change-Id: Id9bbf401f385206e6907449a510e3111424ce59e
      f68b4c67
  16. Dec 07, 2017
    • Bo Hu's avatar
      Revert "Renames nonplat_* to vendor_*" · 2d96734b
      Bo Hu authored
      This reverts commit 8b562206.
      
      Reason for revert: broke mac build
      
      b/70273082
      
      FAILED: out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil
      /bin/bash -c "(out/host/darwin-x86/bin/version_policy -b out/target/product/generic_x86/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil -t out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy_raw.cil -n 10000.0 -o out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil.tmp ) && (grep -Fxv -f out/target/product/generic_x86/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil.tmp > out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil ) && (out/host/darwin-x86/bin/secilc -m -M true -G -N -c 30 		out/target/product/generic_x86/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/generic_x86/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil out/target/product/generic_x86/obj/ETC/10000.0.cil_intermediates/10000.0.cil out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil -o /dev/null -f /dev/null )"
      Parsing out/target/product/generic_x86/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil
      Parsing out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy_raw.cil
      grep: out of memory
      
      (cherry picked from commit 283dd9eb)
      
      Change-Id: I83e2fb53c56f6e45181620c7bd416f7287c874c5
      2d96734b
    • Bo Hu's avatar
      Revert "Renames nonplat_* to vendor_*" · 283dd9eb
      Bo Hu authored
      This reverts commit 8b562206.
      
      Reason for revert: broke mac build
      
      b/70273082
      
      FAILED: out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil
      /bin/bash -c "(out/host/darwin-x86/bin/version_policy -b out/target/product/generic_x86/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil -t out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy_raw.cil -n 10000.0 -o out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil.tmp ) && (grep -Fxv -f out/target/product/generic_x86/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil.tmp > out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil ) && (out/host/darwin-x86/bin/secilc -m -M true -G -N -c 30 		out/target/product/generic_x86/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/generic_x86/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil out/target/product/generic_x86/obj/ETC/10000.0.cil_intermediates/10000.0.cil out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil -o /dev/null -f /dev/null )"
      Parsing out/target/product/generic_x86/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil
      Parsing out/target/product/generic_x86/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy_raw.cil
      grep: out of memory
      
      Change-Id: I14f0801fdd6b9be28e53dfcc0f352b844005db59
      283dd9eb
  17. Dec 06, 2017
    • kaichieh's avatar
      Renames nonplat_* to vendor_* · 8b562206
      kaichieh authored
      This change renames the non-platform sepolicy files on a DUT from
      nonplat_* to vendor_*.
      
      It also splits the versioned platform sepolicy from vendor_sepolicy.cil
      to a new file /vendor/etc/selinux/plat_pub_versioned.cil, and only keeps
      vendor customizations in vendor_sepolicy.cil.
      
      Build variable BOARD_SEPOLICY_DIRS is also renamed to
      BOARD_VENDOR_SEPOLICY_DIRS.
      
      Bug: 64240127
      Test: boot an existing device
      Change-Id: I53a9715b2f9ddccd214f4cf9ef081ac426721612
      8b562206
  18. Nov 20, 2017
  19. Nov 10, 2017
  20. Oct 18, 2017
    • Dan Cashman's avatar
      Include 26.0 compat file on system image. · c96721ea
      Dan Cashman authored
      This file is necessary for using an mr1 system image in conjunction
      with an oc-dev vendor image.  This is currently needed by GSI testing,
      for example.
      
      (cherry-pick of commit: 03596f28)
      
      Bug: 66358348
      Test: File is included on system image.
      Change-Id: Ie694061d08acf17453feb596480e42974f8c714c
      c96721ea
  21. Oct 07, 2017
    • Jeff Vander Stoep's avatar
      Allow redeclaring typeattributes · 74b7071b
      Jeff Vander Stoep authored
      Allows partners to add a new attribute definition to their public
      policy without causing a compatibility failure with the AOSP system
      image.
      
      Bug: 67092827
      Bug: 37915794
      Test: build and boot aosp_sailfish with new type declared in public
          policy
      
      Change-Id: I015c26fa7c399423e8a6e7079b5689007d031479
      74b7071b
  22. Oct 05, 2017
    • Jeff Vander Stoep's avatar
      Fix typo and Mac build · f6db0aa4
      Jeff Vander Stoep authored
      FAILED:
      out/target/product/sailfish/obj/ETC/treble_sepolicy_tests_intermediates/treble_sepolicy_tests
      Error: library-path out/host/darwin-x86/lib64/libsepolwrap.so
      does not exist
      
      Note, fixing here instead of reverting to avoid reverting
      changes in CTS.
      
      Test: ctate testing on Mac
      Change-Id: I95f483b152d9bece1a16267cbc49eedb1f902990
      (cherry picked from commit e06e4c1e)
      f6db0aa4
    • Jeff Vander Stoep's avatar
      Fix typo and Mac build · e06e4c1e
      Jeff Vander Stoep authored
      FAILED:
      out/target/product/sailfish/obj/ETC/treble_sepolicy_tests_intermediates/treble_sepolicy_tests
      Error: library-path out/host/darwin-x86/lib64/libsepolwrap.so
      does not exist
      
      Note, fixing here instead of reverting to avoid reverting
      changes in CTS.
      
      Test: ctate testing on Mac
      Change-Id: I95f483b152d9bece1a16267cbc49eedb1f902990
      e06e4c1e
  23. Oct 04, 2017
  24. Oct 03, 2017
  25. Oct 02, 2017