author | Jorge Lucangeli Obes <jorgelo@google.com> | 2016-04-15 16:10:32 -0700 |
committer | Jorge Lucangeli Obes <jorgelo@google.com> | 2016-04-18 18:29:50 +0000 |
commit | f17f2c66532aa2386f6c9fe9d8e9ab2810b0dafb (patch) | |
tree | db536f64928a4e98881a7c454a751116396543de | |
parent | 67c0d997bb129ad7aebaeaa6a72292f30670e72b (diff) | |
Generate SELinux policy files with the BDK and use them.
The Android build usually passes the 'file_contexts.bin' file to
'make_ext4fs':
make_ext4fs -S out/target/product/brilloemulator_arm/root/file_contexts.bin
Passing the 'file_contexts' text file also works, but that file has not
been checked against the SELinux policy to see if labels are defined.
Fix this by:
1-Compiling SELinux policy files *before* calling _CreateBuildProps().
2-Skipping the hardcoded definition of
'{odm|system}(/.*)? u:object_r:system_file:s0'.
3-Including the 'file_contexts' text file found in the cache directory
when generating the 'file_contexts.bin' file.
4-Putting the compiled files in the cache directory.
5-Telling 'make_ext4fs' to use the newly-generated 'file_contexts.bin'
files from the cache directory.
Bug: 27409446
Change-Id: I33d8c8d9a843e5efca39042248b16a30b423f891
-rw-r--r-- | cli/lib/core/image_build.py | 20 | ||||
-rw-r--r-- | cli/lib/selinux/policy.py | 15 |
2 files changed, 17 insertions, 18 deletions
diff --git a/cli/lib/core/image_build.py b/cli/lib/core/image_build.py
index 152daad..60db423 100644
--- a/cli/lib/core/image_build.py
+++ b/cli/lib/core/image_build.py
@@ -143,9 +143,7 @@ def CreateTargetCache(spec, target, cache_dir, mountpoint='/', update=True,
 cache = sysroot.Sysroot(cache_root, copy_newer_only=update)
 fs_config_files = {}
 fs_config_dirs = {}
- # Set the default selabel for the tree as per:
- # https://android.googlesource.com/platform/external/sepolicy/+/master/file_contexts
- file_context = set(['{}(/.*)? u:object_r:system_file:s0'.format(mountpoint)])
+ file_context = set()
 uncached = {}
 # pack.Copy._reconcile_paths() *should* make these always what is seen here.
@@ -281,7 +279,7 @@ def _CreateBuildProps(build_root, product_out, image_type, info_file):
 'partition_size': '134217728',
 'extfs_sparse_flag': '-s',
 'skip_fsck': 'true',
- 'selinux_fc': build_root.Path('file_contexts'),
+ 'selinux_fc': build_root.Path('root', 'file_contexts.bin'),
 }
 build_root.WriteFile(info_file, '\n'.join(
 ['{}={}'.format(k, v) for k, v in build_props.iteritems()]))
@@ -295,12 +293,7 @@ def _CreateBuildProps(build_root, product_out, image_type, info_file):
 for line in fileinput.input(build_root.Path(info_file), inplace=True):
 # We just want to change the SELinux file contexts.
 if line.startswith('selinux_fc'):
- # For now, use the file context generated during the build.
- # TODO(b/27409446): use a different generated file_contexts.bin
- # based on system image spec.
- line = 'selinux_fc=' + os.path.join(product_out,
- 'root',
- 'file_contexts.bin')
+ line = 'selinux_fc=' + build_root.Path('root', 'file_contexts.bin')
 print line
 else:
 build_root.WriteFile(info_file, 'mount_point={}'.format(image_type))
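Review bot: Dropping the `u:object_r:system_file:s0` catch-all in CreateTargetCache (the `file_context = set()` line) makes every `mountpoint` this function is called with depend on the platform file_contexts already carrying an entry for it; the commit message names both `system` and `odm`, and a mount point the platform policy does not cover would be written into the image with paths that match no context at all, which as far as I recall make_ext4fs only warns about, leaving those files unlabeled on the device. Since the purpose of the change is that labels are validated against the policy, a path with no matching context should fail the build rather than be accepted silently, or the default should be kept only for mount points absent from the generated file_contexts. Whether the platform file_contexts covers `odm` is not visible here, so this may already hold; a comment such as `# No default label: every path must be covered by the generated file_contexts (see BuildFileContexts).` would at least make the new contract explicit. CreateTargetCache's body continues outside the hunk.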
@@ -360,12 +353,13 @@ def BuildImage(image_type, target, platform_out, cache_dir, output_dir):
 build_root.AddDir(os.path.join(product_out, 'system'), os.path.join('root', 'system'), symlinks=True)
- _CreateBuildProps(build_root, product_out, image_type, 'image_info.txt')
 # Build 'filecontexts.bin' and 'sepolicy' SELinux files.
 with target.get_device().linked(target.os_version):
- policy.BuildSepolicy(target, platform_out, product_out)
- policy.BuildFileContexts(target, platform_out, product_out)
+ policy.BuildSepolicy(target, platform_out, cache_dir)
+ policy.BuildFileContexts(target, platform_out, cache_dir)
+
+ _CreateBuildProps(build_root, product_out, image_type, 'image_info.txt')
 # Build an image from the build root.
 additional_path = host_tools + os.pathsep + build_tools
diff --git a/cli/lib/selinux/policy.py b/cli/lib/selinux/policy.py
index 2d62686..04bd9e3 100644
--- a/cli/lib/selinux/policy.py
+++ b/cli/lib/selinux/policy.py
@@ -154,7 +154,7 @@ def LoadCachedSepolicyDirs(platform_out, target):
 return board_sepolicy_dirs
-def BuildSepolicy(target, platform_out, product_out):
+def BuildSepolicy(target, platform_out, cache_dir):
 """Builds the main 'sepolicy' SELinux policy file.
 This needs to be built before attempting to build
@@ -178,7 +178,7 @@ def BuildSepolicy(target, platform_out, product_out):
 '-D target_build_variant=%s' % target.build_type]
 _RunM4(policy_inputs, policy_conf, m4_opts)
- sepolicy_path = os.path.join(product_out, 'root', 'sepolicy')
+ sepolicy_path = os.path.join(cache_dir, 'root', 'sepolicy')
 runner.run('checkpolicy', ('-M -c %d -o %s %s' % (POLICYVERS, sepolicy_path, policy_conf)).split()) |
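Review bot: BuildSepolicy and BuildFileContexts are now told to write under `cache_dir` (they build `os.path.join(cache_dir, 'root', ...)`), while _CreateBuildProps, called right after them, resolves the file as `build_root.Path('root', 'file_contexts.bin')`; the two paths coincide only if build_root is rooted at cache_dir, which this hunk does not show. The same coupling applies to `sepolicy`: the labels in file_contexts.bin are validated against the policy compiled into cache_dir/root, so the image must ship that policy and not a stale product_out/root/sepolicy, otherwise the validation this commit adds runs against a different policy than the device loads. I would name the generated file once and check it before the image build, e.g. `fc_bin = os.path.join(cache_dir, 'root', 'file_contexts.bin')` followed by `if not os.path.isfile(fc_bin): raise RuntimeError('file_contexts.bin was not generated: %s' % fc_bin)`, rather than letting make_ext4fs discover a missing or mismatched path. BuildImage continues past the hunk, so the image build that consumes these files is not visible here.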
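Review bot: `sepolicy_path = os.path.join(cache_dir, 'root', 'sepolicy')` is handed straight to `checkpolicy -o`, which needs the `cache_dir/root` directory to exist; the old location `product_out/root` is created by the Android build, but nothing in this hunk creates the cache one, so a fresh cache directory would make checkpolicy fail on its output path. Unless the earlier part of BuildSepolicy (outside the hunk) already creates it, I would add `if not os.path.isdir(os.path.dirname(sepolicy_path)): os.makedirs(os.path.dirname(sepolicy_path))` before the `runner.run` call. BuildSepolicy starts and ends outside this hunk.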
@@ -186,10 +186,10 @@ def BuildSepolicy(target, platform_out, product_out):
 shutil.rmtree(interm_dir, ignore_errors=True)
-def BuildFileContexts(target, platform_out, product_out):
+def BuildFileContexts(target, platform_out, cache_dir):
 """Builds the 'file_contexts.bin' SELinux policy file.
- This requires a valid 'sepolicy' file in |product_out|.
+ This requires a valid 'sepolicy' file in |cache_dir|.
 """
 interm_dir = tempfile.mkdtemp()
 runner = tool.HostToolRunner(platform_out)
@@ -203,7 +203,7 @@ def BuildFileContexts(target, platform_out, product_out):
 'file_contexts.device.sorted.tmp')
 fc_concat = os.path.join(interm_dir, 'file_contexts.concat.tmp')
- target_root_out = os.path.join(product_out, 'root')
+ target_root_out = os.path.join(cache_dir, 'root')
 filecontextsdotbin = os.path.join(target_root_out, 'file_contexts.bin')
 main_sepolicy_dir = os.path.join(os_path, 'system', 'sepolicy')
@@ -212,6 +212,11 @@ def BuildFileContexts(target, platform_out, product_out):
 _RunM4([main_fc], fc_local)
 board_sepolicy_dirs = LoadCachedSepolicyDirs(platform_out, target)
+ if os.access(os.path.join(cache_dir, FC), os.R_OK):
+ # There's a 'file_contexts' file in |cache_dir| that we need to
+ # include.
+ board_sepolicy_dirs.append(cache_dir)
+
 _RunM4(_ExpandSepolicyPaths(os_path, board_sepolicy_dirs, [FC]), fc_device)
 sepolicy_path = os.path.join(target_root_out, 'sepolicy') |
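Review bot: `os.access(os.path.join(cache_dir, FC), os.R_OK)` is the wrong predicate for deciding whether the cache's file_contexts is included: it answers for the real uid rather than the effective one, it is true for a directory of that name, and the file is opened by `_RunM4` immediately afterwards anyway, so a permission problem does not surface as an error but silently drops the cache's labels from the generated file_contexts.bin. `if os.path.isfile(os.path.join(cache_dir, FC)):` expresses the actual intent (an optional file that may be absent) and lets `_RunM4` report a real open failure. The comment would be more useful if it said why the file is optional, for instance `# The cache may carry a per-target file_contexts; include it so its labels are checked against the policy like the board ones.`, assuming that is the intended semantics, which the hunk does not show. BuildFileContexts's body continues outside the hunk.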