author | Bowgo Tsai | 2018-02-01 18:00:38 -0600 |
---|---|---|
committer | Bowgo Tsai | 2018-02-01 18:00:38 -0600 |
commit | d0cbb90509c1d23e38c8fc075eb0a93ac9a88309 (patch) | |
tree | 70df1703593d710ec766da6311ee64570d98c4f6 | |
parent | 518ad4aaa520b3ca1894e561327a26bed2d9a13a (diff) | |
Revert "Using a python script to build sepolicy"
This reverts commit 3506ad3f310d46ace11ecb9f1a0b6d8abc4951c4.
Fix angler/bullhead boot failure.
Bug: 72787689
Test: build
-rw-r--r-- | Android.bp | 5 | ||||
-rw-r--r-- | Android.mk | 38 | ||||
-rw-r--r-- | build/Android.bp | 34 | ||||
-rw-r--r-- | build/build_sepolicy.py | 140 | ||||
-rw-r--r-- | build/file_utils.py | 49 |
5 files changed, 25 insertions, 241 deletions
@@ -1,4 +1 @@ | |||
1 | subdirs = [ | subdirs = ["tests"] | |
2 | "tests", | ||
3 | "build", | ||
4 | ] | ||
@@ -222,7 +222,6 @@ LOCAL_REQUIRED_MODULES += \ | |||
222 | plat_and_mapping_sepolicy.cil.sha256 \ | 222 | plat_and_mapping_sepolicy.cil.sha256 \ |
223 | secilc \ | 223 | secilc \ |
224 | plat_sepolicy_vers.txt \ | 224 | plat_sepolicy_vers.txt \ |
225 | vendor_service_contexts \ | ||
226 | 225 | ||
227 | # Include precompiled policy, unless told otherwise | 226 | # Include precompiled policy, unless told otherwise |
228 | ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) | 227 | ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) |
@@ -234,7 +233,6 @@ LOCAL_REQUIRED_MODULES += sepolicy | |||
234 | endif | 233 | endif |
235 | 234 | ||
236 | LOCAL_REQUIRED_MODULES += \ | 235 | LOCAL_REQUIRED_MODULES += \ |
237 | build_sepolicy \ | ||
238 | vendor_file_contexts \ | 236 | vendor_file_contexts \ |
239 | vendor_mac_permissions.xml \ | 237 | vendor_mac_permissions.xml \ |
240 | vendor_property_contexts \ | 238 | vendor_property_contexts \ |
@@ -249,6 +247,10 @@ LOCAL_REQUIRED_MODULES += \ | |||
249 | searchpolicy \ | 247 | searchpolicy \ |
250 | vndservice_contexts \ | 248 | vndservice_contexts \ |
251 | 249 | ||
250 | ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) | ||
251 | LOCAL_REQUIRED_MODULES += vendor_service_contexts | ||
252 | endif | ||
253 | |||
252 | ifneq ($(TARGET_BUILD_VARIANT), user) | 254 | ifneq ($(TARGET_BUILD_VARIANT), user) |
253 | LOCAL_REQUIRED_MODULES += \ | 255 | LOCAL_REQUIRED_MODULES += \ |
254 | selinux_denial_metadata \ | 256 | selinux_denial_metadata \ |
@@ -538,23 +540,31 @@ $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_S | |||
538 | $(transform-policy-to-conf) | 540 | $(transform-policy-to-conf) |
539 | $(hide) sed '/dontaudit/d' $@ > $@.dontaudit | 541 | $(hide) sed '/dontaudit/d' $@ > $@.dontaudit |
540 | 542 | ||
541 | $(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf) | 543 | vendor_policy_raw := $(intermediates)/vendor_policy_raw.cil |
542 | $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) | 544 | $(vendor_policy_raw): PRIVATE_POL_CONF := $(vendor_policy.conf) |
543 | $(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil) | 545 | $(vendor_policy_raw): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) |
544 | $(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) | 546 | $(vendor_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(vendor_policy.conf) \ |
545 | $(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) | 547 | $(reqd_policy_mask.cil) |
546 | $(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_plat_pub_vers_cil) | 548 | @mkdir -p $(dir $@) |
547 | $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ | 549 | $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF) |
548 | $(vendor_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \ | 550 | $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@ |
551 | |||
552 | $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) | ||
553 | $(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(vendor_policy_raw) | ||
554 | $(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) | ||
555 | $(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL := $(built_plat_pub_vers_cil) | ||
556 | $(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(vendor_policy_raw) \ | ||
557 | $(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/secilc \ | ||
549 | $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) | 558 | $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) |
550 | @mkdir -p $(dir $@) | 559 | @mkdir -p $(dir $@) |
551 | $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ | 560 | $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@.tmp |
552 | -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ | 561 | $(hide) grep -Fxv -f $(PRIVATE_FILTER_CIL) $@.tmp > $@ |
553 | -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \ | 562 | $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \ |
554 | -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ | 563 | $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null |
555 | 564 | ||
556 | built_vendor_cil := $(LOCAL_BUILT_MODULE) | 565 | built_vendor_cil := $(LOCAL_BUILT_MODULE) |
557 | vendor_policy.conf := | 566 | vendor_policy.conf := |
567 | vendor_policy_raw := | ||
558 | 568 | ||
559 | ################################# | 569 | ################################# |
560 | include $(CLEAR_VARS) | 570 | include $(CLEAR_VARS) |
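Review bot: In the `$(LOCAL_BUILT_MODULE)` recipe of the last Android.mk hunk, `grep -Fxv -f $(PRIVATE_FILTER_CIL) $@.tmp > $@` writes the final target before the `secilc` merge check on the following lines has run, so a vendor CIL that fails the check is still left at the output path. Whether a later incremental build would reuse that file depends on how the build system treats the outputs of failed rules, which is not visible here. A safer order is to filter into a second temporary, run `secilc` against that temporary, and only then move it to `$@`. The `version_policy` line in the same recipe is also the only command without `$(hide)`; if that is not deliberate, prefix it for consistency with the other recipe lines.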
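--- a/build/Android.bp
+++ /dev/null
@@ -1,34 +0,0 @@
-// Copyright (C) 2018 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-python_binary_host {
-name: "build_sepolicy",
-srcs: [
-"build_sepolicy.py",
-"file_utils.py",
-],
-required: [
-"checkpolicy",
-"secilc",
-"version_policy",
-],
-version: {
-py2: {
-enabled: true,
-},
-py3: {
-enabled: false,
-},
-},
-}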
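--- a/build/build_sepolicy.py
+++ /dev/null
@@ -1,140 +0,0 @@
-# Copyright 2018 - The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Command-line tool to build SEPolicy files."""
-
-import argparse
-import os
-import subprocess
-import sys
-
-import file_utils
-
-
-# All supported commands in this module.
-# For each command, need to add two functions. Take 'build_cil' for example:
-# - setup_build_cil()
-# - Sets up command parsers and sets default function to do_build_cil().
-# - do_build_cil()
-_SUPPORTED_COMMANDS = ('build_cil',)
-
-
-def run_host_command(args, **kwargs):
-"""Runs a host command and prints output."""
-if kwargs.get('shell'):
-command_log = args
-else:
-command_log = ' '.join(args) # For args as a sequence.
-
-try:
-subprocess.check_call(args, **kwargs)
-except subprocess.CalledProcessError as err:
-sys.stderr.write(
-'build_sepolicy - failed to run command: {!r} (ret:{})\n'.format(
-command_log, err.returncode))
-sys.exit(err.returncode)
-
-
-def do_build_cil(args):
-"""Builds a sepolicy CIL (Common Intermediate Language) file.
-
-This functions invokes some host utils (e.g., secilc, checkpolicy,
-version_sepolicy) to generate a .cil file.
-
-Args:
-args: the parsed command arguments.
-"""
-# Determines the raw CIL file name.
-input_file_name = os.path.splitext(args.input_policy_conf)[0]
-raw_cil_file = input_file_name + '_raw.cil'
-# Builds the raw CIL.
-file_utils.make_parent_dirs(raw_cil_file)
-checkpolicy_cmd = [args.checkpolicy_env]
-checkpolicy_cmd += [os.path.join(args.android_host_path, 'checkpolicy'),
-'-C', '-M', '-c', args.policy_vers,
-'-o', raw_cil_file, args.input_policy_conf]
-# Using shell=True to setup args.checkpolicy_env variables.
-run_host_command(' '.join(checkpolicy_cmd), shell=True)
-file_utils.filter_out([args.reqd_mask], raw_cil_file)
-
-# Builds the output CIL by versioning the above raw CIL.
-output_file = args.output_cil
-if output_file is None:
-output_file = input_file_name + '.cil'
-file_utils.make_parent_dirs(output_file)
-
-run_host_command([os.path.join(args.android_host_path, 'version_policy'),
-'-b', args.base_policy, '-t', raw_cil_file,
-'-n', args.treble_sepolicy_vers, '-o', output_file])
-if args.filter_out_files:
-file_utils.filter_out(args.filter_out_files, output_file)
-
-# Tests that the output file can be merged with the given CILs.
-if args.dependent_cils:
-merge_cmd = [os.path.join(args.android_host_path, 'secilc'),
-'-m', '-M', 'true', '-G', '-N', '-c', args.policy_vers]
-merge_cmd += args.dependent_cils # the give CILs to merge
-merge_cmd += [output_file, '-o', '/dev/null', '-f', '/dev/null']
-run_host_command(merge_cmd)
-
-
-def setup_build_cil(subparsers):
-"""Sets up command args for 'build_cil' command."""
-
-# Required arguments.
-parser = subparsers.add_parser('build_cil', help='build CIL files')
-parser.add_argument('-i', '--input_policy_conf', required=True,
-help='source policy.conf')
-parser.add_argument('-m', '--reqd_mask', required=True,
-help='the bare minimum policy.conf to use checkpolicy')
-parser.add_argument('-b', '--base_policy', required=True,
-help='base policy for versioning')
-parser.add_argument('-t', '--treble_sepolicy_vers', required=True,
-help='the version number to use for Treble-OTA')
-parser.add_argument('-p', '--policy_vers', required=True,
-help='SELinux policy version')
-
-# Optional arguments.
-parser.add_argument('-c', '--checkpolicy_env',
-help='environment variables passed to checkpolicy')
-parser.add_argument('-f', '--filter_out_files', nargs='+',
-help='the pattern files to filter out the output cil')
-parser.add_argument('-d', '--dependent_cils', nargs='+',
-help=('check the output file can be merged with '
-'the dependent cil files'))
-parser.add_argument('-o', '--output_cil', help='the output cil file')
-
-# The function that performs the actual works.
-parser.set_defaults(func=do_build_cil)
-
-
-def run(argv):
-"""Sets up command parser and execuates sub-command."""
-parser = argparse.ArgumentParser()
-
-# Adds top-level arguments.
-parser.add_argument('-a', '--android_host_path', default='',
-help='a path to host out executables')
-
-# Adds subparsers for each COMMAND.
-subparsers = parser.add_subparsers(title='COMMAND')
-for command in _SUPPORTED_COMMANDS:
-globals()['setup_' + command](subparsers)
-
-args = parser.parse_args(argv[1:])
-args.func(args)
-
-
-if __name__ == '__main__':
-run(sys.argv)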
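--- a/build/file_utils.py
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright 2018 - The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""File-related utilities."""
-
-
-import os
-import shutil
-import tempfile
-
-
-def make_parent_dirs(file_path):
-"""Creates parent directories for the file_path."""
-if os.path.exists(file_path):
-return
-
-parent_dir = os.path.dirname(file_path)
-if parent_dir and not os.path.exists(parent_dir):
-os.makedirs(parent_dir)
-
-
-def filter_out(pattern_files, input_file):
-""""Removes lines in input_file that match any line in pattern_files."""
-
-# Prepares patterns.
-patterns = []
-for f in pattern_files:
-patterns.extend(open(f).readlines())
-
-# Copy lines that are not in the pattern.
-tmp_output = tempfile.NamedTemporaryFile()
-with open(input_file, 'r') as in_file:
-tmp_output.writelines(line for line in in_file.readlines()
-if line not in patterns)
-tmp_output.flush()
-
-# Replaces the input_file.
-shutil.copyfile(tmp_output.name, input_file)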