authorJorge Lucangeli Obes <jorgelo@google.com>2016-04-15 16:10:32 -0700
committerJorge Lucangeli Obes <jorgelo@google.com>2016-04-18 18:29:50 +0000
commitf17f2c66532aa2386f6c9fe9d8e9ab2810b0dafb (patch)
treedb536f64928a4e98881a7c454a751116396543de
parent67c0d997bb129ad7aebaeaa6a72292f30670e72b (diff)
Generate SELinux policy files with the BDK and use them.
The Android build usually passes the 'file_contexts.bin' file to 'make_ext4fs': make_ext4fs -S out/target/product/brilloemulator_arm/root/file_contexts.bin Passing the 'file_contexts' text file also works, but that file has not been checked against the SELinux policy to see if labels are defined. Fix this by: 1-Compiling SELinux policy files *before* calling _CreateBuildProps(). 2-Skipping the hardcoded definition of '{odm|system}(/.*)? u:object_r:system_file:s0'. 3-Including the 'file_contexts' text file found in the cache directory when generating the 'file_contexts.bin' file. 4-Putting the compiled files in the cache directory. 5-Telling 'make_ext4fs' to use the newly-generated 'file_contexts.bin' files from the cache directory. Bug: 27409446 Change-Id: I33d8c8d9a843e5efca39042248b16a30b423f891
-rw-r--r--cli/lib/core/image_build.py20
-rw-r--r--cli/lib/selinux/policy.py15
2 files changed, 17 insertions, 18 deletions
diff --git a/cli/lib/core/image_build.py b/cli/lib/core/image_build.py
index 152daad..60db423 100644
--- a/cli/lib/core/image_build.py
+++ b/cli/lib/core/image_build.py
@@ -143,9 +143,7 @@ def CreateTargetCache(spec, target, cache_dir, mountpoint='/', update=True,
cache = sysroot.Sysroot(cache_root, copy_newer_only=update)
fs_config_files = {}
fs_config_dirs = {}
- # Set the default selabel for the tree as per:
- # https://android.googlesource.com/platform/external/sepolicy/+/master/file_contexts
- file_context = set(['{}(/.*)? u:object_r:system_file:s0'.format(mountpoint)])
+ file_context = set()
uncached = {}
# pack.Copy._reconcile_paths() *should* make these always what is seen here.
@@ -281,7 +279,7 @@ def _CreateBuildProps(build_root, product_out, image_type, info_file):
'partition_size': '134217728',
'extfs_sparse_flag': '-s',
'skip_fsck': 'true',
- 'selinux_fc': build_root.Path('file_contexts'),
+ 'selinux_fc': build_root.Path('root', 'file_contexts.bin'),
}
build_root.WriteFile(info_file, '\n'.join(
['{}={}'.format(k, v) for k, v in build_props.iteritems()]))
@@ -295,12 +293,7 @@ def _CreateBuildProps(build_root, product_out, image_type, info_file):
for line in fileinput.input(build_root.Path(info_file), inplace=True):
# We just want to change the SELinux file contexts.
if line.startswith('selinux_fc'):
- # For now, use the file context generated during the build.
- # TODO(b/27409446): use a different generated file_contexts.bin
- # based on system image spec.
- line = 'selinux_fc=' + os.path.join(product_out,
- 'root',
- 'file_contexts.bin')
+ line = 'selinux_fc=' + build_root.Path('root', 'file_contexts.bin')
print line
else:
build_root.WriteFile(info_file, 'mount_point={}'.format(image_type))
@@ -360,12 +353,13 @@ def BuildImage(image_type, target, platform_out, cache_dir, output_dir):
build_root.AddDir(os.path.join(product_out, 'system'),
os.path.join('root', 'system'),
symlinks=True)
- _CreateBuildProps(build_root, product_out, image_type, 'image_info.txt')
# Build 'filecontexts.bin' and 'sepolicy' SELinux files.
with target.get_device().linked(target.os_version):
- policy.BuildSepolicy(target, platform_out, product_out)
- policy.BuildFileContexts(target, platform_out, product_out)
+ policy.BuildSepolicy(target, platform_out, cache_dir)
+ policy.BuildFileContexts(target, platform_out, cache_dir)
+
+ _CreateBuildProps(build_root, product_out, image_type, 'image_info.txt')
# Build an image from the build root.
additional_path = host_tools + os.pathsep + build_tools
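Review bot: The path recorded as `selinux_fc` is spelled out twice, at `'selinux_fc': build_root.Path('root', 'file_contexts.bin')` and again in the `fileinput` rewrite as `line = 'selinux_fc=' + build_root.Path('root', 'file_contexts.bin')`; a single module constant such as `_FILE_CONTEXTS_BIN = os.path.join('root', 'file_contexts.bin')` used at both sites keeps the two branches of _CreateBuildProps from drifting (the function itself starts outside the hunk). More importantly, nothing in BuildImage checks that the file exists once the `with target.get_device().linked(...)` block has run: if BuildFileContexts writes elsewhere or fails, image_info.txt still points make_ext4fs at a missing `file_contexts.bin`, which is exactly the unlabeled-image situation this commit is trying to close. I would add, before the moved `_CreateBuildProps(...)` call, `if not os.path.isfile(build_root.Path('root', 'file_contexts.bin')): raise RuntimeError('file_contexts.bin was not generated')` — assuming `build_root.Path()` resolves to the same directory the policy code writes into (`cache_dir`), which this hunk does not show and should be confirmed. The comment `# Build 'filecontexts.bin' and 'sepolicy' SELinux files.` is also now misleading about order, since sepolicy is built first and file_contexts.bin second.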
diff --git a/cli/lib/selinux/policy.py b/cli/lib/selinux/policy.py
index 2d62686..04bd9e3 100644
--- a/cli/lib/selinux/policy.py
+++ b/cli/lib/selinux/policy.py
@@ -154,7 +154,7 @@ def LoadCachedSepolicyDirs(platform_out, target):
return board_sepolicy_dirs
-def BuildSepolicy(target, platform_out, product_out):
+def BuildSepolicy(target, platform_out, cache_dir):
"""Builds the main 'sepolicy' SELinux policy file.
This needs to be built before attempting to build
@@ -178,7 +178,7 @@ def BuildSepolicy(target, platform_out, product_out):
'-D target_build_variant=%s' % target.build_type]
_RunM4(policy_inputs, policy_conf, m4_opts)
- sepolicy_path = os.path.join(product_out, 'root', 'sepolicy')
+ sepolicy_path = os.path.join(cache_dir, 'root', 'sepolicy')
runner.run('checkpolicy',
('-M -c %d -o %s %s' % (POLICYVERS, sepolicy_path,
policy_conf)).split())
@@ -186,10 +186,10 @@ def BuildSepolicy(target, platform_out, product_out):
shutil.rmtree(interm_dir, ignore_errors=True)
-def BuildFileContexts(target, platform_out, product_out):
+def BuildFileContexts(target, platform_out, cache_dir):
"""Builds the 'file_contexts.bin' SELinux policy file.
- This requires a valid 'sepolicy' file in |product_out|.
+ This requires a valid 'sepolicy' file in |cache_dir|.
"""
interm_dir = tempfile.mkdtemp()
runner = tool.HostToolRunner(platform_out)
@@ -203,7 +203,7 @@ def BuildFileContexts(target, platform_out, product_out):
'file_contexts.device.sorted.tmp')
fc_concat = os.path.join(interm_dir, 'file_contexts.concat.tmp')
- target_root_out = os.path.join(product_out, 'root')
+ target_root_out = os.path.join(cache_dir, 'root')
filecontextsdotbin = os.path.join(target_root_out, 'file_contexts.bin')
main_sepolicy_dir = os.path.join(os_path, 'system', 'sepolicy')
@@ -212,6 +212,11 @@ def BuildFileContexts(target, platform_out, product_out):
_RunM4([main_fc], fc_local)
board_sepolicy_dirs = LoadCachedSepolicyDirs(platform_out, target)
+ if os.access(os.path.join(cache_dir, FC), os.R_OK):
+ # There's a 'file_contexts' file in |cache_dir| that we need to
+ # include.
+ board_sepolicy_dirs.append(cache_dir)
+
_RunM4(_ExpandSepolicyPaths(os_path, board_sepolicy_dirs, [FC]),
fc_device)
sepolicy_path = os.path.join(target_root_out, 'sepolicy')
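Review bot: The new guard `if os.access(os.path.join(cache_dir, FC), os.R_OK):` silently drops the cache's `file_contexts` when the file exists but is not readable, which means the generated `file_contexts.bin` is then validated against an incomplete label set with no error — the opposite of the commit's stated intent; `os.access` also answers for the real uid rather than the effective one and is a check-then-use against a file `_RunM4` opens later. `if os.path.isfile(os.path.join(cache_dir, FC)):` expresses the intended "is there a file to include" test, and a permission problem will then surface in `_RunM4` instead of being masked. Separately, `board_sepolicy_dirs.append(cache_dir)` mutates the list returned by LoadCachedSepolicyDirs; if that function ever returns a shared or cached list (its name suggests it might — not visible in this hunk), repeated BuildFileContexts calls would accumulate `cache_dir` entries, so `board_sepolicy_dirs = board_sepolicy_dirs + [cache_dir]` is the safer form. FC and `_RunM4` are defined outside the hunk.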