  1. Aug 08, 2017
    • Add 26.0 api compatibility check infrastructure. · 7f7c3b82
      Dan Cashman authored
      Add support to the treble_sepolicy_tests suite that explicitly looks at
      the old and current policy versions, as well as the compatibility file,
      to determine if any new types have been added without a compatibility
      entry.  This first test catches the most common and likely changes that
      could change the type label of an object for which vendor policy may have
      needed access.  It also should prove the basis for additional compatibility
      checks between old and new policies.
      
      Bug: 36899958
      Test: Policy builds and tests pass.
      Change-Id: I609c913e6354eb10a04cc1a029ddd9fa0e592a4c
  2. Jul 11, 2017
  3. Jul 10, 2017
    • Make sure platform policy builds with compatible versions. · b04df6e3
      Dan Cashman authored
      Platform SELinux policy may be updated without a corresponding
      update to non-platform policy.  This is meant to be accomplished by
      maintaining a compatibility mapping file which will be built along
      with the current platform policy to link older non-platform policy.
      
      Introduce an example vendor policy built from 26.0 public policy and
      make sure that the current platform policy and mapping file, for that
      version, build with it.  Add this as a dependency for the
      selinux_treble_tests, which are meant to ensure treble properties,
      ultimately to provide this compatibility guarantee.
      
      Bug: 36899958
      Test: Current platform policy builds with oc-dev vendor policy and
      oc-dev mapping file.  Removed private type with no effect.  Removed
      public type without corresponding mapping entry causes build to fail.
      
      Change-Id: I7994ed651352e2da632fc91e598f819b64c05753
  4. Jun 15, 2017
    • Exempt ASAN from selinux build-checks. · ccdd6e11
      Dan Cashman authored
      ASAN makes use of shenanigans that violate our policy best-practices.
      This is by design.  Exempt them from these tests to get it building
      again.
      
      Bug: 37740897
      Test: Builds with ASAN enabled.
      Change-Id: Iffde28c2741466da5862b2dfe1fffa2c0d93caeb
  5. Jun 14, 2017
    • build: run neverallow checks on platform sepolicy · cfb6f352
      Sandeep Patil authored
      
      This will prevent us from breaking our own neverallow rules
      in the platform sepolicy regardless of vendor policy adding
      exceptions to the neverallow rules using "*_violators" attributes
      
      Bug: 62616897
      Bug: 62343727
      
      Test: Build policy for sailfish
      Test: Build policy with radio to rild socket rule enabled for all
            and ensure the build fails
      
      Change-Id: Ic66ec3e10c76a7c9a17669e0d3deb3a1c7b00809
      Signed-off-by: Sandeep Patil <sspatil@google.com>
  6. Jun 13, 2017
    • Assert filesystem types must have their associated attr · 11d096fc
      Jeff Vander Stoep authored
      Test that:
      - File types on /sys have attr sysfs_type
      - File types on /sys/kernel/debug have attr debugfs_type
      - File types on /data have attr data_file_type
      
      Test: build policy
      Change-Id: Ie4f1f1c7e5345da0999082962f084fdac6b85428
    • Build split file_contexts for recovery · b236eb6c
      Jeff Vander Stoep authored
      [    7.674739] selinux: selinux_android_file_context: Error getting
      file context handle (No such file or directory)
      
      Bug: 62564629
      Test: build and flash marlin. Successfully switch between regular
          and recovery modes
      
      Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35
  7. Jun 10, 2017
    • Move non-treble devices to split file_contexts · 7a68c5ae
      Jeff Vander Stoep authored
      This change is primarily to fix CTS which checks file ordering of
      file_contexts. Having two separate means of loading file_contexts
      has resulted in ordering variations.
      
      Previously the binary file_contexts was preferred since it
      loaded faster. However with the move to libpcre2, there is no
      difference in loading time between text and binary file_contexts.
      This leaves us with build system complexity with no benefit.
      Thus removing this unnecessary difference between devices.
      
      Bug: 38502071
      Test: build and boot non-Treble Bullhead, run CTS tests below
      Test: build and boot Treble Marlin, run CTS tests below
      Test: cts-tradefed run singleCommand cts --skip-device-info \
          --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
          --module CtsSecurityHostTestCases \
          -t android.security.cts.SELinuxHostTest#testAospFileContexts
      Test: cts-tradefed run singleCommand cts --skip-device-info \
          --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
          --module CtsSecurityHostTestCases \
          -t android.security.cts.SELinuxHostTest#testValidFileContexts
      Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
    • Move non-treble devices to split file_contexts · f965a0a1
      Jeff Vander Stoep authored
      This change is primarily to fix CTS which checks file ordering of
      file_contexts. Having two separate means of loading file_contexts
      has resulted in ordering variations.
      
      Previously the binary file_contexts was preferred since it
      loaded faster. However with the move to libpcre2, there is no
      difference in loading time between text and binary file_contexts.
      This leaves us with build system complexity with no benefit.
      Thus removing this unnecessary difference between devices.
      
      Bug: 38502071
      Test: build and boot non-Treble Bullhead, run CTS tests below
      Test: build and boot Treble Marlin, run CTS tests below
      Test: cts-tradefed run singleCommand cts --skip-device-info \
          --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
          --module CtsSecurityHostTestCases \
          -t android.security.cts.SELinuxHostTest#testAospFileContexts
      Test: cts-tradefed run singleCommand cts --skip-device-info \
          --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
          --module CtsSecurityHostTestCases \
          -t android.security.cts.SELinuxHostTest#testValidFileContexts
      Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
  8. Jun 06, 2017
    • Hide grep filename output. · c234ba38
      Dan Cashman authored
      checkseapp does not expect filenames before the appearance of neverallow
      rules against which to check.  They had previously been hidden by default
      because they were only gathered from one file, but with the addition of
      the BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to allow for /system policy
      extensions, this may change.
      
      Bug: 36467375
      Bug: 62357603
      Test: Builds with seapp_contexts extension.
      Change-Id: I270bd60ae368aa3c082299d57c4bf12936ac2073
  9. Jun 05, 2017
  10. Jun 02, 2017
  11. May 25, 2017
    • Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir. · 51455fe9
      Dan Cashman authored
      These directories were added to allow for partner extensions to the
      android framework without needing to add changes to the AOSP global
      sepolicy.  There should only ever be one owner of the framework and
      corresponding updates, so enforce this restriction to prevent
      accidental accrual of policy in the system image.
      
      Bug: 36467375
      Test: Add public and private files to policy and verify that they are
      added to the appropriate policy files.  Also test that specifying
      multiple directories for public or private results in an error.
      
      Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
      Merged-In: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
      (cherry picked from commit 1633da06)
    • Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS · 1b0a71f3
      Dan Cashman authored
      Add new build variables for partner customization (additions) to platform sepolicy.
      This allows partners to add their own policy without having to touch the AOSP sepolicy
      directories and potentially disrupting compatibility with an AOSP system image.
      
      Bug: 36467375
      Test: Add public and private files to sailfish policy and verify that they are
      added to the appropriate policy files, but that the policy is otherwise identical.
      Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS
      to trigger use of prebuilt mapping files and verify that they are appropriately
      combined and built in policy.
      
      Change-Id: I38efe2248520804a123603bb050bba75563fe45c
      Merged-In: I38efe2248520804a123603bb050bba75563fe45c
      (cherry picked from commit f893700c)
  12. May 23, 2017
    • Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir. · 1633da06
      Dan Cashman authored
      These directories were added to allow for partner extensions to the
      android framework without needing to add changes to the AOSP global
      sepolicy.  There should only ever be one owner of the framework and
      corresponding updates, so enforce this restriction to prevent
      accidental accrual of policy in the system image.
      
      Bug: 36467375
      Test: Add public and private files to policy and verify that they are
      added to the appropriate policy files.  Also test that specifying
      multiple directories for public or private results in an error.
      
      Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
  13. May 11, 2017
    • Fix ASAN build. · 5e9451b1
      Dan Cashman authored
      Test: Build with ASAN on.
      Bug: 36467375
      Change-Id: Id6a07b7bd48f39326b7c7ab47cfde396f7cfd033
  14. May 09, 2017
    • Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS · f893700c
      Dan Cashman authored
      Add new build variables for partner customization (additions) to platform sepolicy.
      This allows partners to add their own policy without having to touch the AOSP sepolicy
      directories and potentially disrupting compatibility with an AOSP system image.
      
      Bug: 36467375
      Test: Add public and private files to sailfish policy and verify that they are
      added to the appropriate policy files, but that the policy is otherwise identical.
      Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS
      to trigger use of prebuilt mapping files and verify that they are appropriately
      combined and built in policy.
      Change-Id: I38efe2248520804a123603bb050bba75563fe45c
  15. May 04, 2017
  16. May 03, 2017
    • Revert "O is API 26" · 6b04a961
      Ian Pedowitz authored
      This reverts commit 8713882b.
      
      Reason for revert:  b/37355569
      
      Bug: 37480230
      Bug: 37896931
      Bug: 37355569
      Change-Id: Ic07d948fd0b4a0a8434e1f4f0c8e559c4258cf5e
  17. May 02, 2017
    • O is API 26 · 8713882b
      Michael Wright authored
      Bug: 37480230
      Bug: 37896931
      Test: build, boot
      Change-Id: Ib8d4309d37b8818163a17e7d8b25155c4645edcf
  18. May 01, 2017
  19. Apr 28, 2017
  20. Apr 24, 2017
    • Android.mk: fix dependency typo · 5edd96d9
      Jeff Vander Stoep authored
      Bug: 37646565
      Test: build marlin-userdebug
      Change-Id: I3325d027fa7bdafb48f1f53ac052f2a68352c1dc
    • Retain neverallow rules in CIL files · b8787693
      Jeff Vander Stoep authored
      Fixes issue where attributes used exclusively in neverallow
      rules were removed from policy.
      
      For on-device compile use the -N flag to skip neverallow tests.
      
      Policy size increases:
      vendor/etc/selinux/nonplat_sepolicy.cil 547849 -> 635637
      vendor/etc/selinux/precompiled_sepolicy 440248 -> 441076
      system/etc/selinux/plat_sepolicy.cil    567664 -> 745230
      
      For a total increase in system/vendor: 266182.
      
      Boot time changes:
      Pixel uses precompiled policy so boot time is not impacted.
      When forcing on-device compile on Marlin selinux policy compile
      time increases 510-520 ms -> 550-560 ms.
      
      Bug: 37357742
      Test: Build and boot Marlin.
      Test: Verify both precompiled and on-device compile work.
      Change-Id: Ib3cb53d376a96e34f55ac27d651a6ce2fabf6ba7
  21. Apr 15, 2017
    • secilc: expand generated attributes on non-treble devices · 748cae86
      Jeff Vander Stoep authored
      Attributes added to the policy by the policy compiler are causing
      performance issues. Telling the compiler to expand these
      auto-generated attributes to their underlying types prevents
      preemption during policy lookup.
      
      Bug: 3650825
      Test: Build and boot Bullhead
      Change-Id: I9a33f5efb1e7c25d83dda1ea5dfe663b22846a2f
  22. Apr 13, 2017
    • Add hwservice_contexts and support for querying it. · 3ea47b92
      Martijn Coenen authored
      hwservicemanager can check hwservice_contexts files
      both from the framework and vendor partitions.
      
      Initially, have a wildcard '*' in hwservice_contexts
      that maps to a label that can be added/found from
      domain. This needs to be removed when the proper policy
      is in place.
      
      Also, grant su/shell access to hwservicemanager list
      operations, so tools like 'lshal' continue to work.
      
      Bug: 34454312
      Test: Marlin boots
      Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
    • secilc: expand generated attributes · ac171b44
      Jeff Vander Stoep authored
      Attributes added to the policy by the policy compiler are causing
      performance issues. Telling the compiler to expand these
      auto-generated attributes to their underlying types prevents
      preemption during policy lookup.
      
      With this patch the number of attributes in policy drops from
      845 to 475. The number of attributes assigned to the bluetooth domain
      drops from 41 to 11.
      
      Bug: 3650825
      Test: Build and boot Marlin
      Change-Id: Ica06e82001eca323c435fe13c5cf4beba74999e2
  23. Apr 12, 2017
    • Fix build part 2. Always create platform_mapping_file. · 4d24a775
      Dan Cashman authored
      commit 552fb537 fixed an undefined
      module error by removing the module when not defined (on non-treble
      devices), but the sepolicy build on non-treble devices was changed
      to rely on the split treble files, even though the split is not used.
      Change this so that the file is always present, to allow policy
      compilation.
      
      Test: policy fully builds.
      Change-Id: Ia0934c739336cea54228bbff8d6644aa3ae501e5
    • Fix build: encase $(platform_mapping_file) module in treble block. · 552fb537
      Dan Cashman authored
      Specifying an empty module causes a build error, so make sure that
      if there is no $(platform_mapping_file) the MODULE is not included.
      
      Test: Makefiles parsed without error.
      Change-Id: Ie99e6534c388a3d42bf90cdfef5ee64d5c640fa0
    • Remove BOARD_SEPOLICY_VERS_DIR build variable. · 6bf50e5c
      Dan Cashman authored
      The original purpose of BOARD_SEPOLICY_VERS_DIR was to allow the
      specification of an alternate platform public policy, primarily for
      testing purposes.  This should not be a part of the released platform,
      since the only public policy and corresponding mapping file construction
      should be based on the current public platform policy, with compatibility
      with vendor policy targeting previous versions provided by static mapping
      files.  Its continued presence muddles the generation of mapping files by
      potentially introducing a situation in which an incorrect mapping file is
      generated.  Remove it.
      
      Bug: 36783775
      Test: Device boots with compiled SELinux policy (SHA256s don't match for
      precompiled policy).
      
      Change-Id: I9e2100a7d709c9c0949f4e556229623961291a32
    • Change recovery to static platform-only compilation. · c8d4535c
      Dan Cashman authored
      Recovery is not meant to be versioned in the treble model, but rather
      provided as part of the platform/framework component and self-sufficient.
      Simplify its compilation by removing the attribute versioning steps, but
      maintain device-specific policy, which is currently required for full
      functionality.
      
      Bug: 37240781
      Bug: 36783775
      Test: recovery boots and is able to select commands.  Also tried:
      reboot system, boot to bootloader, factory reset, sideload, view logs,
      run graphics test, and power off.
      
      Change-Id: I637819844d9a8ea5b315404f4abd03e8f923303a
    • Change mapping file name to reflect its platform version. · 4f9a648e
      Dan Cashman authored
      As the platform progresses in the split SELinux world, the platform
      will need to maintain mapping files back to previous platform versions
      to maintain backwards compatibility with vendor images which have SELinux
      policy written based on the older versions.  This requires shipping multiple
      mapping files with the system image so that the right one can be selected.
      Change the name and location of the mapping file to reflect this.  Also add
      a file to the vendor partition indicating which version is being targeted that
      the platform can use to determine which mapping file to choose.
      
      Bug: 36783775
      Test: Force compilation of sepolicy on-device with mapping file changed
      to new location and name, using the value reported on /vendor.
      
      Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4
  24. Apr 11, 2017
    • Add PLATFORM_SEPOLICY_VERSION. · bec5e57e
      Dan Cashman authored
      Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent
      the platform sepolicy of the form "NN.m" where "NN" mirrors the
      PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is
      incremented with every policy change that requires a new backward-compatible
      mapping file to be added to allow for future-proofing vendor policy against
      future platform policy.
      
      (cherry-pick of commit 6f14f6b7)
      
      Bug: 36783775
      Test: Device boots when sha256 doesn't match and compilation is forced.
      Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
    • sepolicy_version: change current version to NN.m format · 9a3a6a81
      Sandeep Patil authored
      
      The sepolicy version takes SDK_INT.<minor> format. Make sure our
      'current' policy version reflects the format and make it '100000.0'.
      This ensures any vendor.img compiled with this will never work with
      a production framework image either.
      
      Make version_policy replace the '.' in version by '_' so secilc is
      happy too.
      
      This unblocks libvintf from giving out a runtime API to check vendor's
      sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
      eventually be picked up from the build system.
      
      (cherry-pick of commit 42f95984)
      
      Bug: 35217573
      Test: Build and boot sailfish.
            Boot sailfish with sepolicy compilation on device.
      Signed-off-by: Sandeep Patil <sspatil@google.com>
      
      Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
  25. Apr 10, 2017
    • Add PLATFORM_SEPOLICY_VERSION. · 6f14f6b7
      Dan Cashman authored
      Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent
      the platform sepolicy of the form "NN.m" where "NN" mirrors the
      PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is
      incremented with every policy change that requires a new backward-compatible
      mapping file to be added to allow for future-proofing vendor policy against
      future platform policy.
      
      Bug: 36783775
      Test: Device boots when sha256 doesn't match and compilation is forced.
      Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
  26. Apr 07, 2017
    • sepolicy_version: change current version to NN.m format · 42f95984
      Sandeep Patil authored
      
      The sepolicy version takes SDK_INT.<minor> format. Make sure our
      'current' policy version reflects the format and make it '100000.0'.
      This ensures any vendor.img compiled with this will never work with
      a production framework image either.
      
      Make version_policy replace the '.' in version by '_' so secilc is
      happy too.
      
      This unblocks libvintf from giving out a runtime API to check vendor's
      sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
      eventually be picked up from the build system.
      
      Bug: 35217573
      Test: Build and boot sailfish.
            Boot sailfish with sepolicy compilation on device.
      Signed-off-by: Sandeep Patil <sspatil@google.com>
      
      Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
    • Preserve treble-only flag for CTS neverallows · 446279a6
      Alex Klyubin authored
      CTS includes general_sepolicy.conf built from this project. CTS then
      tests this file's neverallow rules against the policy of the device
      under test. Prior to this commit, neverallow rules which must be
      enforced only for Treble devices were not included into
      general_sepolicy.conf. As a result, these rules were not enforced for
      Treble devices.
      
      This commit fixes the issue as follows. Because CTS includes only one
      policy, the policy now contains also the rules which are only for
      Treble devices. To enable CTS to distinguish rules needed for all
      devices from rules needed only on Treble devices, the latter rules are
      contained in sections delimited with BEGIN_TREBLE_ONLY and
      END_TREBLE_ONLY comments.
      
      This commit also removes the unnecessary sepolicy.general target. This
      target is not used anywhere and is causing trouble because it is
      verifying neverallows of the policy meant to be used by CTS. This
      policy can no longer be verified with checkpolicy without
      conditionally including or excluding Treble-only neverallows.
      
      Test: mmm system/sepolicy
      Test: Device boots -- no new denials
      Bug: 37082262
      Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
    • Fix checkfc options order. · ee97662f
      Martijn Coenen authored
      darwin's getopt() doesn't like putting arguments
      in the wrong order.
      
      Test: Mac/Linux builds
      Change-Id: If632e9077c1b5714f91c5adaa04afb4963d9b0f5
    • Modify checkfc to check (vnd|hw)service_manager_type. · d48d54a3
      Martijn Coenen authored
      added checkfc options 'l' and 'v' to verify hwservice_manager_type
      and vndservice_manager_type on service context files, respectively.
      
      The checkfc call to verify the new hwservice_contexts files will
      be added together with hwservicemanager ACL CLs later.
      
      Bug: 34454312
      Bug: 36052864
      Test: device boots, works
      Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783