Android Selinux policy build分析

Android Selinux policy build分析

Sepolicy的最终编译生成

编译生成中间文件目录:

out\soong\.intermediates\system\sepolicy

在此目录下可以看到所有的编译中间文件和策略等级:

28.0.board.compat.cil      file_contexts_overlayfs_files            pub_policy_for_vendor.cil
28.0.board.compat.map      hwservice_contexts_files                 pub_policy_for_vendor.conf
29.0.board.compat.cil      keystore2_key_contexts_files             reqd_policy_mask.cil
29.0.board.compat.map      odm_sepolicy.conf                        reqd_policy_mask.conf
30.0.board.compat.cil      plat_bug_map                             reqd_policy_mask_for_vendor.cil
30.0.board.compat.map      plat_mapping_file                        reqd_policy_mask_for_vendor.conf
31.0.board.compat.cil      plat_mapping_file_for_vendor             seapp_contexts_files
31.0.board.compat.map      plat_policy_for_vendor.cil               se_build_files
32.0.board.compat.cil      plat_policy_for_vendor.conf              selinux_policy_version
32.0.board.compat.map      plat_pub_policy.cil                      sepolicy_freeze_test
apex                       plat_pub_policy.conf                     sepolicy_neverallows
apex_sepolicy-33.cil       plat_pub_versioned.cil                   sepolicy_neverallows.checkpolicy.conf
apex_sepolicy-33.conf      plat_sepolicy_and_mapping.sha256         sepolicy_neverallows.sepolicy_analyze.conf
base_plat_pub_policy.conf  plat_sepolicy_and_mapping.sha256_gen     sepolicy_neverallows_vendor
base_plat_sepolicy         plat_sepolicy.cil                        sepolicy_neverallows_vendor.checkpolicy.conf
base_plat_sepolicy.cil     plat_sepolicy.conf                       sepolicy_neverallows_vendor.sepolicy_analyze.conf
base_plat_sepolicy.conf    plat_sepolicy_vers.txt                   sepolicy_technical_debt
bug_map_files              product_sepolicy_and_mapping.sha256_gen  sepolicy_test
compat                     product_sepolicy.conf                    service_contexts_files
contexts                   property_contexts_files                  tests
file_contexts_asan_files   pub_policy.cil                           tools
file_contexts_files        pub_policy.conf

编译过程分析

cil是最终使用的文件,依赖关系如下:

cil -> conf文件 -> se_build_files

Cil 文件

编译的最终目标是cil文件

conf文件

Cil文件依赖conf文件

plat_policy_for_vendor.conf

meta_lic

package_name:  ""
module_types:  "se_policy_conf"
module_classes:  "UNKNOWN"
projects:  "system/sepolicy"
license_kinds:  "SPDX-license-identifier-Apache-2.0"
license_kinds:  "legacy_unencumbered"
license_conditions:  "notice"
license_conditions:  "unencumbered"
license_texts:  "system/sepolicy/NOTICE"
is_container:  false
built:  "out/soong/.intermediates/system/sepolicy/plat_policy_for_vendor.conf/android_common/plat_policy_for_vendor.conf"
deps:  {
  file:  "out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic"
}
deps:  {
  file:  "out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic"
}
deps:  {
  file:  "out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic"
}
deps:  {
  file:  "out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic"
}
deps:  {
  file:  "out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic"
}
deps:  {
  file:  "out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic"
}

meta_lic.rsp

-mt se_policy_conf -r system/sepolicy -mc UNKNOWN -k SPDX-license-identifier-Apache-2.0 -k legacy_unencumbered -c notice -c unencumbered -n system/sepolicy/NOTICE -d out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic -d out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic -d out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic -d out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic -d out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic -d out/soong/.intermediates/system/sepolicy/se_build_files/meta_lic   -t out/soong/.intermediates/system/sepolicy/plat_policy_for_vendor.conf/android_common/plat_policy_for_vendor.conf 

se_build_files

out\soong\.intermediates\system\sepolicy\se_build_files\meta_lic.rsp

meta_lic

package_name:  ""
module_types:  ""
module_classes:  "UNKNOWN"
projects:  "system/sepolicy"
license_kinds:  "SPDX-license-identifier-Apache-2.0"
license_kinds:  "legacy_unencumbered"
license_conditions:  "notice"
license_conditions:  "unencumbered"
license_texts:  "system/sepolicy/NOTICE"
is_container:  false
built:  "//system/sepolicy:se_build_files"

meta_lic.rsp

-mt se_build_files 
-r system/sepolicy 
-mc UNKNOWN 
-k SPDX-license-identifier-Apache-2.0 
-k legacy_unencumbered 
-c notice 
-c unencumbered 
-n system/sepolicy/NOTICE    
-t //system/sepolicy:se_build_files 
// Soong module that gathers the policy source files which the *.conf
// targets (and through them the *.cil targets) depend on; the meta_lic
// deps of plat_policy_for_vendor.conf above all point at this module.
se_build_files {
    name: "se_build_files",
    // The list appears to follow the section order of a checkpolicy-style
    // policy.conf: classes / SIDs / access vectors, then macros and MLS,
    // then the type-enforcement rules (the "*.te" glob picks up every .te
    // file in the module directory), then roles/users and finally the
    // contexts that label initial SIDs, filesystems and ports.
    // NOTE(review): the exact assembly order is decided by the build rule
    // that consumes this module, not by this list — confirm there.
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}

Sepolicy编译过程文档分析

system\sepolicy\Android.mk

# sepolicy is now divided into multiple portions:
# public - policy exported on which non-platform policy developers may write
#   additional policy.  types and attributes are versioned and included in
#   delivered non-platform policy, which is to be combined with platform policy.
# private - platform-only policy required for platform functionality but which
#  is not exported to vendor policy developers and as such may not be assumed
#  to exist.
# vendor - vendor-only policy required for vendor functionality. This policy can
#  reference the public policy but cannot reference the private policy. This
#  policy is for components which are produced from the core/non-vendor tree and
#  placed into a vendor partition.
# mapping - This contains policy statements which map the attributes
#  exposed in the public policy of previous versions to the concrete types used
#  in this policy to ensure that policy targeting attributes from public
#  policy from an older platform version continues to work.

# build process for device:
# 1) convert policies to CIL:
#    - private + public platform policy to CIL
#    - mapping file to CIL (should already be in CIL form)
#    - non-platform public policy to CIL
#    - non-platform public + private policy to CIL
# 2) attributize policy
#    - run script which takes non-platform public and non-platform combined
#      private + public policy and produces attributized and versioned
#      non-platform policy
# 3) combine policy files
#    - combine mapping, platform and non-platform policy.
#    - compile output binary policy file

Sepolicy源文件Makefile变量汇总

selinux变量 含义 分区
BOARD_PLAT_PRIVATE_SEPOLICY_DIR 已废弃,使用SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS替换 vendor
BOARD_PLAT_PUBLIC_SEPOLICY_DIR 已废弃,使用SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS替换 vendor
SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS 安装到system_ext的可以被vendor使用的标签 system_ext
SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS 安装到system_ext的可以被vendor使用的标签 system_ext
PRODUCT_PUBLIC_SEPOLICY_DIRS 安装到product中的可以被vendor使用的标签 product
PRODUCT_PRIVATE_SEPOLICY_DIRS 安装到product中的可以被vendor使用的标签 product
BOARD_SEPOLICY_DIRS 已被废弃,使用BOARD_VENDOR_SEPOLICY_DIRS替代,供vendor/odm使用 vendor
BOARD_VENDOR_SEPOLICY_DIRS vendor使用的selinux规则,system不可使用 vendor
BOARD_ODM_SEPOLICY_DIRS odm使用的selinux规则,system不可使用 vendor
  • BOARD_PLAT_PRIVATE_SEPOLICY_DIR和BOARD_PLAT_PUBLIC_SEPOLICY_DIR被废弃的说明:

https://cs.android.com/android/platform/superproject/+/master:system/sepolicy/README.md?q=BOARD_PLAT_PRIVATE_SEPOLICY_DIR&ss=android%2Fplatform%2Fsuperproject:system%2Fsepolicy%2F

  • BOARD_SEPOLICY_DIRS 被废弃的说明
# 1. BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
# 2. It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and
# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for
# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS.
  • BOARD_VENDOR_SEPOLICY_DIRS

  • BOARD_PLAT_PUB_VERSIONED_POLICY

Sepolicy调试日志

system/sepolicy/Android.mk:147: warning: zdm debug build_vendor_policy=system/sepolicy/vendor/file_contexts vendor/Long/common/sepolicy/common/file_contexts vendor/Long/hal/vehicle/sepolicy/file_contexts vendor/Long/hal/broadcastradio/2.0/sepolicy/file_contexts vendor/Long/hal/KDSHal/1.0/sepolicy/vendor/file_contexts vendor/Long/hal/MBAudioControl/sepolicy/file_contexts vendor/Long/hal/timesync/sepolicy/file_contexts vendor/Long/hal/rsu_hsdlmanager/sepolicy/file_contexts vendor/Long/packages/services/MBCar/sepolicy/file_contexts vendor/Long/hal/bluetooth/1.0/sepolicy/file_contexts vendor/Long/packages/engineeringMode/MBLog/sepolicy/file_contexts vendor/Long/frameworks/security-services/cathi/1.0/sepolicy/file_contexts vendor/Long/frameworks/security-services/security-ca/CAthiOemServiceClient/1.0/default/sepolicy/file_contexts vendor/Long/frameworks/security-services/security-ca/kp-securelink-ta-client/1.0/default/sepolicy/file_contexts vendor/Long/frameworks/security-services/security-ca/kp-widevinekeyprov-ta-client/1.0/default/sepolicy/file_contexts vendor/Long/frameworks/security-services/security-ca/security-ta-client/1.0/default/sepolicy/file_contexts vendor/Long/frameworks/security-services/kp-gw-lvm/kp-gw-lvm/1.0/default/sepolicy/file_contexts vendor/Long/frameworks/packages/StartupService/demos/sepolicy/file_contexts vendor/Long/frameworks/security-services/SecureLogEvent/rselogmonitor/sepolicy/file_contexts vendor/Long/packages/PerformanceMonitor/sepolicy/file_contexts vendor/Long/hal/phone/sepolicy/file_contexts vendor/Long/hal/gnss/sepolicy/file_contexts vendor/Long/packages/services/TraceICCService/sepolicy/file_contexts /home/test/disk/new2/Android_13_qssi/vendor/Long/common/sepolicy/vendor/file_contexts packages/services/Car/car_product/sepolicy/test/file_contexts packages/services/Car/cpp/watchdog/testclient/sepolicy/file_contexts
