- Aug 14, 2017
-
-
Dan Cashman authored
The treble compatibility tests check for policy differences between old and new policy. To do this correctly, we must not modify the policy which represents the older policies. Move the files meant to be changed to a different location from the ones that are not meant to be touched to avoid any undesired changes to old policy, e.g. commit: 2bdefd65078d890889672938c6f0d2accdd25bc5 Bug: 36899958 Test: Build-time tests build. Change-Id: I8fa3947cfae756f37556fb34e1654382e2e48372
-
- Aug 08, 2017
-
-
Dan Cashman authored
Add support to the treble_sepolicy_tests suite that explicitly looks at the old and current policy versions, as well as the compatibility file, to determine if any new types have been added without a compatibility entry. This first test catches the most common and likely changes that could change the type label of an object for which vendor policy may have needed access. It also should prove the basis for additional compatibility checks between old and new policies. Bug: 36899958 Test: Policy builds and tests pass. Change-Id: I609c913e6354eb10a04cc1a029ddd9fa0e592a4c
-
- Jul 11, 2017
-
-
Dan Cashman authored
Bug: 36899958 Test: Builds 'n' boots. Change-Id: I5836a18f9d0a9a976dda7304045e3b9e1e84565e
-
- Jul 10, 2017
-
-
Dan Cashman authored
Platform SELinux policy may be updated without a corresponding update to non-platform policy. This is meant to be accomplished by maintaining a compatibility mapping file which will be built along with the current platform policy to link older non-platform policy. Introduce an example vendor policy built from 26.0 public policy and make sure that the current platform policy and mapping file, for that version, build with it. Add this as a dependency for the selinux_treble_tests, which are meant to ensure treble properties, ultimately to provide this compatibility guarantee. Bug: 36899958 Test: Current platform policy builds with oc-dev vendor policy and oc-dev mapping file. Removed private type with no effect. Removed public type without corresponding mapping entry causes build to fail. Change-Id: I7994ed651352e2da632fc91e598f819b64c05753
-
- Jun 15, 2017
-
-
Dan Cashman authored
ASAN makes use of shenanigans that violate our policy best-practices. This is by design. Exempt them from these tests to get it building again. Bug: 37740897 Test: Builds with ASAN enabled. Change-Id: Iffde28c2741466da5862b2dfe1fffa2c0d93caeb
-
- Jun 14, 2017
-
-
Sandeep Patil authored
This will prevent us from breaking our own neverallow rules in the platform sepolicy regardless of vendor policy adding exceptions to the neverallow rules using "*_violators" attributes Bug: 62616897 Bug: 62343727 Test: Build policy for sailfish Test: Build policy with radio to rild socket rule enabled for all and ensure the build fails Change-Id: Ic66ec3e10c76a7c9a17669e0d3deb3a1c7b00809 Signed-off-by: Sandeep Patil <sspatil@google.com>
-
- Jun 13, 2017
-
-
Jeff Vander Stoep authored
Test that:
  - File types on /sys have attr sysfs_type
  - File types on /sys/kernel/debug have attr debugfs_type
  - File types on /data have attr data_file_type
Test: build policy
Change-Id: Ie4f1f1c7e5345da0999082962f084fdac6b85428
-
Jeff Vander Stoep authored
[ 7.674739] selinux: selinux_android_file_context: Error getting file context handle (No such file or directory) Bug: 62564629 Test: build and flash marlin. Successfully switch between regular and recovery modes Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35
-
- Jun 10, 2017
-
-
Jeff Vander Stoep authored
This change is primarily to fix CTS which checks file ordering of file_contexts. Having two separate means of loading file_contexts has resulted in ordering variations. Previously the binary file_contexts was preferred since it loaded faster. However with the move to libpcre2, there is no difference in loading time between text and binary file_contexts. This leaves us with build system complexity with no benefit. Thus removing this unnecessary difference between devices.
Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
-
Jeff Vander Stoep authored
This change is primarily to fix CTS which checks file ordering of file_contexts. Having two separate means of loading file_contexts has resulted in ordering variations. Previously the binary file_contexts was preferred since it loaded faster. However with the move to libpcre2, there is no difference in loading time between text and binary file_contexts. This leaves us with build system complexity with no benefit. Thus removing this unnecessary difference between devices.
Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
-
- Jun 06, 2017
-
-
Dan Cashman authored
checkseapp does not expect filenames before the appearance of neverallow rules against which to check. They had previously been hidden by default because they were only gathered from one file, but with the addition of the BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to allow for /system policy extensions, this may change. Bug: 36467375 Bug: 62357603 Test: Builds with seapp_contexts extension. Change-Id: I270bd60ae368aa3c082299d57c4bf12936ac2073
-
- Jun 05, 2017
-
-
Jeff Vander Stoep authored
Bug: 37008075 Test: build policy on Marlin Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544 (cherry picked from commit e1ddc6df)
-
- Jun 02, 2017
-
-
Jeff Vander Stoep authored
Bug: 37008075 Test: build policy on Marlin Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544
-
- May 25, 2017
-
-
Dan Cashman authored
These directories were added to allow for partner extensions to the android framework without needing to add changes to the AOSP global sepolicy. There should only ever be one owner of the framework and corresponding updates, so enforce this restriction to prevent accidental accrual of policy in the system image. Bug: 36467375 Test: Add public and private files to policy and verify that they are added to the appropriate policy files. Also test that specifying multiple directories for public or private results in an error. Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f Merged-In: I397ca4e7d6c8233d1aefb2a23e7b44315052678f (cherry picked from commit 1633da06)
-
Dan Cashman authored
Add new build variables for partner customization (additions) to platform sepolicy. This allows partners to add their own policy without having to touch the AOSP sepolicy directories and potentially disrupting compatibility with an AOSP system image. Bug: 36467375 Test: Add public and private files to sailfish policy and verify that they are added to the appropriate policy files, but that the policy is otherwise identical. Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS to trigger use of prebuilt mapping files and verify that they are appropriately combined and built in policy. Change-Id: I38efe2248520804a123603bb050bba75563fe45c Merged-In: I38efe2248520804a123603bb050bba75563fe45c (cherry picked from commit f893700c)
-
- May 23, 2017
-
-
Dan Cashman authored
These directories were added to allow for partner extensions to the android framework without needing to add changes to the AOSP global sepolicy. There should only ever be one owner of the framework and corresponding updates, so enforce this restriction to prevent accidental accrual of policy in the system image. Bug: 36467375 Test: Add public and private files to policy and verify that they are added to the appropriate policy files. Also test that specifying multiple directories for public or private results in an error. Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
-
- May 11, 2017
-
-
Dan Cashman authored
Test: Build with ASAN on. Bug: 36467375 Change-Id: Id6a07b7bd48f39326b7c7ab47cfde396f7cfd033
-
- May 09, 2017
-
-
Dan Cashman authored
Add new build variables for partner customization (additions) to platform sepolicy. This allows partners to add their own policy without having to touch the AOSP sepolicy directories and potentially disrupting compatibility with an AOSP system image. Bug: 36467375 Test: Add public and private files to sailfish policy and verify that they are added to the appropriate policy files, but that the policy is otherwise identical. Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS to trigger use of prebuilt mapping files and verify that they are appropriately combined and built in policy. Change-Id: I38efe2248520804a123603bb050bba75563fe45c
-
- May 04, 2017
-
-
Ian Pedowitz authored
This reverts commit 6b04a961. Bug: 37480230 Bug: 37896931 Bug: 37355569 Change-Id: I24ee1b4f0f23262cae25b2f575da9f16f4ebec34
-
- May 03, 2017
-
-
Ian Pedowitz authored
This reverts commit 8713882b. Reason for revert: b/37355569 Bug: 37480230 Bug: 37896931 Bug: 37355569 Change-Id: Ic07d948fd0b4a0a8434e1f4f0c8e559c4258cf5e
-
- May 02, 2017
-
-
Michael Wright authored
Bug: 37480230 Bug: 37896931 Test: build, boot Change-Id: Ib8d4309d37b8818163a17e7d8b25155c4645edcf
-
- May 01, 2017
-
-
Andreas Gampe authored
Temporary workaround. Bug: 37755687 Test: ASAN_OPTIONS= SANITIZE_HOST=address m Merged-In: I001a42ea6463a1e137e1f5328755596f986323de Change-Id: I001a42ea6463a1e137e1f5328755596f986323de
-
- Apr 28, 2017
-
-
Andreas Gampe authored
Temporary workaround. Bug: 37755687 Test: ASAN_OPTIONS= SANITIZE_HOST=address m Change-Id: I001a42ea6463a1e137e1f5328755596f986323de
-
Andreas Gampe authored
Temporary workaround. Bug: 37755687 Test: ASAN_OPTIONS= SANITIZE_HOST=address m Change-Id: I001a42ea6463a1e137e1f5328755596f986323de
-
- Apr 24, 2017
-
-
Jeff Vander Stoep authored
Bug: 37646565 Test: build marlin-userdebug Change-Id: I3325d027fa7bdafb48f1f53ac052f2a68352c1dc
-
Jeff Vander Stoep authored
Fixes issue where attributes used exclusively in neverallow rules were removed from policy. For on-device compile use the -N flag to skip neverallow tests.
Policy size increases:
  vendor/etc/selinux/nonplat_sepolicy.cil 547849 -> 635637
  vendor/etc/selinux/precompiled_sepolicy 440248 -> 441076
  system/etc/selinux/plat_sepolicy.cil 567664 -> 745230
For a total increase in system/vendor: 266182.
Boot time changes: Pixel uses precompiled policy so boot time is not impacted. When forcing on-device compile on Marlin selinux policy compile time increases 510-520 ms -> 550-560 ms.
Bug: 37357742
Test: Build and boot Marlin.
Test: Verify both precompiled and on-device compile work.
Change-Id: Ib3cb53d376a96e34f55ac27d651a6ce2fabf6ba7
-
- Apr 15, 2017
-
-
Jeff Vander Stoep authored
Attributes added to the policy by the policy compiler are causing performance issues. Telling the compiler to expand these auto-generated attributes to their underlying types prevents preemption during policy lookup. Bug: 3650825 Test: Build and boot Bullhead Change-Id: I9a33f5efb1e7c25d83dda1ea5dfe663b22846a2f
-
- Apr 13, 2017
-
-
Martijn Coenen authored
hwservicemanager can check hwservice_contexts files both from the framework and vendor partitions. Initially, have a wildcard '*' in hwservice_contexts that maps to a label that can be added/found from domain. This needs to be removed when the proper policy is in place. Also, grant su/shell access to hwservicemanager list operations, so tools like 'lshal' continue to work. Bug: 34454312 Test: Marlin boots Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
-
Jeff Vander Stoep authored
Attributes added to the policy by the policy compiler are causing performance issues. Telling the compiler to expand these auto-generated attributes to their underlying types prevents preemption during policy lookup. With this patch the number of attributes in policy drops from 845 to 475. The number of attributes assigned to the bluetooth domain drops from 41 to 11. Bug: 3650825 Test: Build and boot Marlin Change-Id: Ica06e82001eca323c435fe13c5cf4beba74999e2
-
- Apr 12, 2017
-
-
Dan Cashman authored
commit 552fb537 fixed an undefined module error by removing the module when not defined (on non-treble devices), but the sepolicy build on non-treble devices was changed to rely on the split treble files, even though the split is not used. Change this so that the file is always present, to allow policy compilation. Test: policy fully builds. Change-Id: Ia0934c739336cea54228bbff8d6644aa3ae501e5
-
Dan Cashman authored
Specifying an empty module causes a build error, so make sure that if there is no $(platform_mapping_file) the MODULE is not included. Test: Makefiles parsed without error. Change-Id: Ie99e6534c388a3d42bf90cdfef5ee64d5c640fa0
-
Dan Cashman authored
The original purpose of BOARD_SEPOLICY_VERS_DIR was to allow the specification of an alternate platform public policy, primarily for testing purposes. This should not be a part of the released platform, since the only public policy and corresponding mapping file construction should be based on the current public platform policy, with compatibility with vendor policy targeting previous versions provided by static mapping files. Its continued presence muddles the generation of mapping files by potentially introducing a situation in which an incorrect mapping file is generated. Remove it. Bug: 36783775 Test: Device boots with compiled SELinux policy (SHA256s don't match for precompiled policy). Change-Id: I9e2100a7d709c9c0949f4e556229623961291a32
-
Dan Cashman authored
Recovery is not meant to be versioned in the treble model, but rather provided as part of the platform/framework component and self-sufficient. Simplify its compilation by removing the attribute versioning steps, but maintain device-specific policy, which is currently required for full functionality. Bug: 37240781 Bug: 36783775 Test: recovery boots and is able to select commands. Also tried: reboot system, boot to bootloader, factory reset, sideload, view logs, run graphics test, and power off. Change-Id: I637819844d9a8ea5b315404f4abd03e8f923303a
-
Dan Cashman authored
As the platform progresses in the split SELinux world, the platform will need to maintain mapping files back to previous platform versions to maintain backwards compatibility with vendor images which have SELinux policy written based on the older versions. This requires shipping multiple mapping files with the system image so that the right one can be selected. Change the name and location of the mapping file to reflect this. Also add a file to the vendor partition indicating which version is being targeted that the platform can use to determine which mapping file to choose. Bug: 36783775 Test: Force compilation of sepolicy on-device with mapping file changed to new location and name, using the value reported on /vendor. Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4
-
- Apr 11, 2017
-
-
Dan Cashman authored
Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent the platform sepolicy of the form "NN.m" where "NN" mirrors the PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is incremented with every policy change that requires a new backward-compatible mapping file to be added to allow for future-proofing vendor policy against future platform policy. (cherry-pick of commit 6f14f6b7) Bug: 36783775 Test: Device boots when sha256 doesn't match and compilation is forced. Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
-
Sandeep Patil authored
The sepolicy version takes SDK_INT.<minor> format. Make sure our 'current' policy version reflects the format and make it '100000.0'. This ensures any vendor.img compiled with this will never work with a production framework image either. Make version_policy replace the '.' in version by '_' so secilc is happy too. This unblocks libvintf from giving out a runtime API to check vendor's sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will eventually be picked up from the build system. (cherry-pick of commit 42f95984) Bug: 35217573 Test: Build and boot sailfish. Boot sailfish with sepolicy compilation on device. Signed-off-by: Sandeep Patil <sspatil@google.com> Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
-
- Apr 10, 2017
-
-
Dan Cashman authored
Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent the platform sepolicy of the form "NN.m" where "NN" mirrors the PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is incremented with every policy change that requires a new backward-compatible mapping file to be added to allow for future-proofing vendor policy against future platform policy. Bug: 36783775 Test: Device boots when sha256 doesn't match and compilation is forced. Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
-
- Apr 07, 2017
-
-
Sandeep Patil authored
The sepolicy version takes SDK_INT.<minor> format. Make sure our 'current' policy version reflects the format and make it '100000.0'. This ensures any vendor.img compiled with this will never work with a production framework image either. Make version_policy replace the '.' in version by '_' so secilc is happy too. This unblocks libvintf from giving out a runtime API to check vendor's sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will eventually be picked up from the build system. Bug: 35217573 Test: Build and boot sailfish. Boot sailfish with sepolicy compilation on device. Signed-off-by: Sandeep Patil <sspatil@google.com> Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
-
Alex Klyubin authored
CTS includes general_sepolicy.conf built from this project. CTS then tests this file's neverallow rules against the policy of the device under test. Prior to this commit, neverallow rules which must be enforced only for Treble devices were not included into general_sepolicy.conf. As a result, these rules were not enforced for Treble devices. This commit fixes the issue as follows. Because CTS includes only one policy, the policy now contains also the rules which are only for Treble devices. To enable CTS to distinguish rules needed for all devices from rules needed only on Treble devices, the latter rules are contained in sections delimited with BEGIN_TREBLE_ONLY and END_TREBLE_ONLY comments. This commit also removes the unnecessary sepolicy.general target. This target is not used anywhere and is causing trouble because it is verifying neverallows of the policy meant to be used by CTS. This policy can no longer be verified with checkpolicy without conditionally including or excluding Treble-only neverallows. Test: mmm system/sepolicy Test: Device boots -- no new denials Bug: 37082262 Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
-
Martijn Coenen authored
darwin's getopt() doesn't like putting arguments in the wrong order. Test: Mac/Linux builds Change-Id: If632e9077c1b5714f91c5adaa04afb4963d9b0f5
-