From 446279a6b9bcc9689c73c5e27f3f4757e1edd661 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 6 Apr 2017 14:45:50 -0700
Subject: [PATCH] Preserve treble-only flag for CTS neverallows

CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices were not included in
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.

This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.

This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.

Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
---
 Android.mk       | 25 ++++---------------------
 public/te_macros |  7 ++++++-
 2 files changed, 10 insertions(+), 22 deletions(-)

diff --git a/Android.mk b/Android.mk
index 3f691e904..025347e2e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -647,6 +647,9 @@ plat_policy_nvr.recovery :=
 mapping_policy_nvr.recovery :=
 nonplat_policy_nvr.recovery :=
 
+##################################
+# SELinux policy embedded into CTS.
+# CTS checks neverallow rules of this policy against the policy of the device under test.
 ##################################
 include $(CLEAR_VARS)
 
@@ -667,28 +670,10 @@ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=false \
+		-D target_full_treble=cts \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
-built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE)
-exp_sepolicy_build_files :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy.general
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
-$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
-
-built_general_sepolicy := $(LOCAL_BUILT_MODULE)
-
 ##################################
 # TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
 #
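Review bot: The new `-D target_full_treble=cts` flag passes a sentinel that is neither `true` nor `false`, and nothing near its use says that only the `full_treble_only` macro in public/te_macros understands it; since a `#` line cannot sit inside the backslash-continued recipe, the place for that is the module header comment added in the earlier hunk, e.g. `# target_full_treble=cts makes full_treble_only() emit its rules between BEGIN_TREBLE_ONLY/END_TREBLE_ONLY markers so CTS can apply them to Treble devices only.` With the sepolicy.general target removed, general_sepolicy.conf is no longer run through checkpolicy at build time, so a neverallow that fails to compile would first surface in CTS rather than in `mmm system/sepolicy`; a build-time check on a copy with the marker-delimited sections stripped (and one with them kept) would restore that coverage without the conditional-include problem the description mentions. The rule whose recipe this hunk edits starts above the hunk.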
@@ -1164,8 +1149,6 @@ build_device_policy :=
 build_policy :=
 built_plat_fc :=
 built_nonplat_fc :=
-built_general_sepolicy :=
-built_general_sepolicy.conf :=
 built_nl :=
 built_plat_cil :=
 built_mapping_cil :=
diff --git a/public/te_macros b/public/te_macros
index bc672788e..020bdc505 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -387,7 +387,12 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, ))
 # Full TREBLE only
 # SELinux rules which apply only to full TREBLE devices
 #
-define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
 
 #####################################
 # Not full TREBLE
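Review bot: The `cts` value introduces a third state for `target_full_treble`, but the macro's header comment still describes only the `true` case; add a line such as `# When target_full_treble is cts (the CTS general_sepolicy.conf build), $1 is emitted between BEGIN_TREBLE_ONLY and END_TREBLE_ONLY comment markers so CTS can apply it to Treble devices only.` Every other macro that compares `target_full_treble` with `true` — the "Not full TREBLE" macro that follows appears to be one — will presumably treat `cts` as not-Treble, so the CTS policy contains both Treble-only and non-Treble rules; whether CTS handles an overlap between those two sets is worth confirming. The markers are emitted once per invocation, so a `full_treble_only` call nested inside another one would produce nested BEGIN/END pairs that a line-oriented consumer may not pair correctly; if nesting never occurs, saying so in the comment would close that question.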
-- 
GitLab