aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBowgo Tsai2018-02-01 18:00:38 -0600
committerBowgo Tsai2018-02-01 18:00:38 -0600
commitd0cbb90509c1d23e38c8fc075eb0a93ac9a88309 (patch)
tree70df1703593d710ec766da6311ee64570d98c4f6
parent518ad4aaa520b3ca1894e561327a26bed2d9a13a (diff)
downloadsystem-sepolicy-d0cbb90509c1d23e38c8fc075eb0a93ac9a88309.tar.gz
system-sepolicy-d0cbb90509c1d23e38c8fc075eb0a93ac9a88309.tar.xz
system-sepolicy-d0cbb90509c1d23e38c8fc075eb0a93ac9a88309.zip
Revert "Using a python script to build sepolicy"
This reverts commit 3506ad3f310d46ace11ecb9f1a0b6d8abc4951c4. Fix angler/bullhead boot failure. Bug: 72787689 Test: build
-rw-r--r--Android.bp5
-rw-r--r--Android.mk38
-rw-r--r--build/Android.bp34
-rw-r--r--build/build_sepolicy.py140
-rw-r--r--build/file_utils.py49
5 files changed, 25 insertions, 241 deletions
diff --git a/Android.bp b/Android.bp
index 17853420..9952a8fd 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1,4 +1 @@
1subdirs = [ subdirs = ["tests"]
2 "tests",
3 "build",
4]
diff --git a/Android.mk b/Android.mk
index 0d4d67fb..40c45706 100644
--- a/Android.mk
+++ b/Android.mk
@@ -222,7 +222,6 @@ LOCAL_REQUIRED_MODULES += \
222 plat_and_mapping_sepolicy.cil.sha256 \ 222 plat_and_mapping_sepolicy.cil.sha256 \
223 secilc \ 223 secilc \
224 plat_sepolicy_vers.txt \ 224 plat_sepolicy_vers.txt \
225 vendor_service_contexts \
226 225
227# Include precompiled policy, unless told otherwise 226# Include precompiled policy, unless told otherwise
228ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 227ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -234,7 +233,6 @@ LOCAL_REQUIRED_MODULES += sepolicy
234endif 233endif
235 234
236LOCAL_REQUIRED_MODULES += \ 235LOCAL_REQUIRED_MODULES += \
237 build_sepolicy \
238 vendor_file_contexts \ 236 vendor_file_contexts \
239 vendor_mac_permissions.xml \ 237 vendor_mac_permissions.xml \
240 vendor_property_contexts \ 238 vendor_property_contexts \
@@ -249,6 +247,10 @@ LOCAL_REQUIRED_MODULES += \
249 searchpolicy \ 247 searchpolicy \
250 vndservice_contexts \ 248 vndservice_contexts \
251 249
250ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
251LOCAL_REQUIRED_MODULES += vendor_service_contexts
252endif
253
252ifneq ($(TARGET_BUILD_VARIANT), user) 254ifneq ($(TARGET_BUILD_VARIANT), user)
253LOCAL_REQUIRED_MODULES += \ 255LOCAL_REQUIRED_MODULES += \
254 selinux_denial_metadata \ 256 selinux_denial_metadata \
@@ -538,23 +540,31 @@ $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_S
538 $(transform-policy-to-conf) 540 $(transform-policy-to-conf)
539 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 541 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
540 542
541$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf) 543vendor_policy_raw := $(intermediates)/vendor_policy_raw.cil
542$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 544$(vendor_policy_raw): PRIVATE_POL_CONF := $(vendor_policy.conf)
543$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil) 545$(vendor_policy_raw): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
544$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 546$(vendor_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(vendor_policy.conf) \
545$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) 547$(reqd_policy_mask.cil)
546$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_plat_pub_vers_cil) 548 @mkdir -p $(dir $@)
547$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ 549 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
548 $(vendor_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \ 550 $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
551
552$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
553$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(vendor_policy_raw)
554$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
555$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL := $(built_plat_pub_vers_cil)
556$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(vendor_policy_raw) \
557 $(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/secilc \
549 $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) 558 $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
550 @mkdir -p $(dir $@) 559 @mkdir -p $(dir $@)
551 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ 560 $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@.tmp
552 -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ 561 $(hide) grep -Fxv -f $(PRIVATE_FILTER_CIL) $@.tmp > $@
553 -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \ 562 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
554 -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ 563 $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
555 564
556built_vendor_cil := $(LOCAL_BUILT_MODULE) 565built_vendor_cil := $(LOCAL_BUILT_MODULE)
557vendor_policy.conf := 566vendor_policy.conf :=
567vendor_policy_raw :=
558 568
559################################# 569#################################
560include $(CLEAR_VARS) 570include $(CLEAR_VARS)
diff --git a/build/Android.bp b/build/Android.bp
deleted file mode 100644
index d3f1fc36..00000000
--- a/build/Android.bp
+++ /dev/null
@@ -1,34 +0,0 @@
1// Copyright (C) 2018 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15python_binary_host {
16 name: "build_sepolicy",
17 srcs: [
18 "build_sepolicy.py",
19 "file_utils.py",
20 ],
21 required: [
22 "checkpolicy",
23 "secilc",
24 "version_policy",
25 ],
26 version: {
27 py2: {
28 enabled: true,
29 },
30 py3: {
31 enabled: false,
32 },
33 },
34}
diff --git a/build/build_sepolicy.py b/build/build_sepolicy.py
deleted file mode 100644
index ff2ff075..00000000
--- a/build/build_sepolicy.py
+++ /dev/null
@@ -1,140 +0,0 @@
1# Copyright 2018 - The Android Open Source Project
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15"""Command-line tool to build SEPolicy files."""
16
17import argparse
18import os
19import subprocess
20import sys
21
22import file_utils
23
24
25# All supported commands in this module.
26# For each command, need to add two functions. Take 'build_cil' for example:
27# - setup_build_cil()
28# - Sets up command parsers and sets default function to do_build_cil().
29# - do_build_cil()
30_SUPPORTED_COMMANDS = ('build_cil',)
31
32
33def run_host_command(args, **kwargs):
34 """Runs a host command and prints output."""
35 if kwargs.get('shell'):
36 command_log = args
37 else:
38 command_log = ' '.join(args) # For args as a sequence.
39
40 try:
41 subprocess.check_call(args, **kwargs)
42 except subprocess.CalledProcessError as err:
43 sys.stderr.write(
44 'build_sepolicy - failed to run command: {!r} (ret:{})\n'.format(
45 command_log, err.returncode))
46 sys.exit(err.returncode)
47
48
49def do_build_cil(args):
50 """Builds a sepolicy CIL (Common Intermediate Language) file.
51
52 This functions invokes some host utils (e.g., secilc, checkpolicy,
53 version_sepolicy) to generate a .cil file.
54
55 Args:
56 args: the parsed command arguments.
57 """
58 # Determines the raw CIL file name.
59 input_file_name = os.path.splitext(args.input_policy_conf)[0]
60 raw_cil_file = input_file_name + '_raw.cil'
61 # Builds the raw CIL.
62 file_utils.make_parent_dirs(raw_cil_file)
63 checkpolicy_cmd = [args.checkpolicy_env]
64 checkpolicy_cmd += [os.path.join(args.android_host_path, 'checkpolicy'),
65 '-C', '-M', '-c', args.policy_vers,
66 '-o', raw_cil_file, args.input_policy_conf]
67 # Using shell=True to setup args.checkpolicy_env variables.
68 run_host_command(' '.join(checkpolicy_cmd), shell=True)
69 file_utils.filter_out([args.reqd_mask], raw_cil_file)
70
71 # Builds the output CIL by versioning the above raw CIL.
72 output_file = args.output_cil
73 if output_file is None:
74 output_file = input_file_name + '.cil'
75 file_utils.make_parent_dirs(output_file)
76
77 run_host_command([os.path.join(args.android_host_path, 'version_policy'),
78 '-b', args.base_policy, '-t', raw_cil_file,
79 '-n', args.treble_sepolicy_vers, '-o', output_file])
80 if args.filter_out_files:
81 file_utils.filter_out(args.filter_out_files, output_file)
82
83 # Tests that the output file can be merged with the given CILs.
84 if args.dependent_cils:
85 merge_cmd = [os.path.join(args.android_host_path, 'secilc'),
86 '-m', '-M', 'true', '-G', '-N', '-c', args.policy_vers]
87 merge_cmd += args.dependent_cils # the give CILs to merge
88 merge_cmd += [output_file, '-o', '/dev/null', '-f', '/dev/null']
89 run_host_command(merge_cmd)
90
91
92def setup_build_cil(subparsers):
93 """Sets up command args for 'build_cil' command."""
94
95 # Required arguments.
96 parser = subparsers.add_parser('build_cil', help='build CIL files')
97 parser.add_argument('-i', '--input_policy_conf', required=True,
98 help='source policy.conf')
99 parser.add_argument('-m', '--reqd_mask', required=True,
100 help='the bare minimum policy.conf to use checkpolicy')
101 parser.add_argument('-b', '--base_policy', required=True,
102 help='base policy for versioning')
103 parser.add_argument('-t', '--treble_sepolicy_vers', required=True,
104 help='the version number to use for Treble-OTA')
105 parser.add_argument('-p', '--policy_vers', required=True,
106 help='SELinux policy version')
107
108 # Optional arguments.
109 parser.add_argument('-c', '--checkpolicy_env',
110 help='environment variables passed to checkpolicy')
111 parser.add_argument('-f', '--filter_out_files', nargs='+',
112 help='the pattern files to filter out the output cil')
113 parser.add_argument('-d', '--dependent_cils', nargs='+',
114 help=('check the output file can be merged with '
115 'the dependent cil files'))
116 parser.add_argument('-o', '--output_cil', help='the output cil file')
117
118 # The function that performs the actual works.
119 parser.set_defaults(func=do_build_cil)
120
121
122def run(argv):
123 """Sets up command parser and execuates sub-command."""
124 parser = argparse.ArgumentParser()
125
126 # Adds top-level arguments.
127 parser.add_argument('-a', '--android_host_path', default='',
128 help='a path to host out executables')
129
130 # Adds subparsers for each COMMAND.
131 subparsers = parser.add_subparsers(title='COMMAND')
132 for command in _SUPPORTED_COMMANDS:
133 globals()['setup_' + command](subparsers)
134
135 args = parser.parse_args(argv[1:])
136 args.func(args)
137
138
139if __name__ == '__main__':
140 run(sys.argv)
diff --git a/build/file_utils.py b/build/file_utils.py
deleted file mode 100644
index 1559a9b9..00000000
--- a/build/file_utils.py
+++ /dev/null
@@ -1,49 +0,0 @@
1# Copyright 2018 - The Android Open Source Project
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15"""File-related utilities."""
16
17
18import os
19import shutil
20import tempfile
21
22
23def make_parent_dirs(file_path):
24 """Creates parent directories for the file_path."""
25 if os.path.exists(file_path):
26 return
27
28 parent_dir = os.path.dirname(file_path)
29 if parent_dir and not os.path.exists(parent_dir):
30 os.makedirs(parent_dir)
31
32
33def filter_out(pattern_files, input_file):
34 """"Removes lines in input_file that match any line in pattern_files."""
35
36 # Prepares patterns.
37 patterns = []
38 for f in pattern_files:
39 patterns.extend(open(f).readlines())
40
41 # Copy lines that are not in the pattern.
42 tmp_output = tempfile.NamedTemporaryFile()
43 with open(input_file, 'r') as in_file:
44 tmp_output.writelines(line for line in in_file.readlines()
45 if line not in patterns)
46 tmp_output.flush()
47
48 # Replaces the input_file.
49 shutil.copyfile(tmp_output.name, input_file)