1#!/usr/bin/env python3 2 3# Copyright 2022 The Android Open Source Project 4# 5# Licensed under the Apache License, Version 2.0 (the "License"); 6# you may not use this file except in compliance with the License. 7# You may obtain a copy of the License at 8# 9# http://www.apache.org/licenses/LICENSE-2.0 10# 11# Unless required by applicable law or agreed to in writing, software 12# distributed under the License is distributed on an "AS IS" BASIS, 13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14# See the License for the specific language governing permissions and 15# limitations under the License. 16 17from pathlib import Path 18import argparse 19import glob 20import logging 21import mini_parser 22import os 23import policy 24import shutil 25import subprocess 26import sys 27import tempfile 28import zipfile 29"""This tool generates a mapping file for {ver} core sepolicy.""" 30 31temp_dir = '' 32mapping_cil_footer = ";; mapping information from ToT policy's types to %s policy's types.\n" 33compat_cil_template = """;; complement CIL file for compatibility between ToT policy and %s vendors. 34;; will be compiled along with other normal policy files, on %s vendors. 35;; 36""" 37ignore_cil_template = """;; new_objects - a collection of types that have been introduced with ToT policy 38;; that have no analogue in %s policy. Thus, we do not need to map these types to 39;; previous ones. Add here to pass checkapi tests. 40(type new_objects) 41(typeattribute new_objects) 42(typeattributeset new_objects 43 ( new_objects 44 %s 45 )) 46""" 47 48SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so' 49 50def check_run(cmd, cwd=None): 51 if cwd: 52 logging.debug('Running cmd at %s: %s' % (cwd, cmd)) 53 else: 54 logging.debug('Running cmd: %s' % cmd) 55 subprocess.run(cmd, cwd=cwd, check=True) 56 57 58def check_output(cmd): 59 logging.debug('Running cmd: %s' % cmd) 60 return subprocess.run(cmd, check=True, stdout=subprocess.PIPE) 61 62 63def get_android_build_top(): 64 ANDROID_BUILD_TOP = os.getenv('ANDROID_BUILD_TOP') 65 if not ANDROID_BUILD_TOP: 66 sys.exit( 67 'Error: Missing ANDROID_BUILD_TOP env variable. Please run ' 68 '\'. build/envsetup.sh; lunch <build target>\'. Exiting script.') 69 return ANDROID_BUILD_TOP 70 71 72def fetch_artifact(branch, build, pattern, destination='.'): 73 """Fetches build artifacts from Android Build server. 74 75 Args: 76 branch: string, branch to pull build artifacts from 77 build: string, build ID or "latest" 78 pattern: string, pattern of build artifact file name 79 destination: string, destination to pull build artifact to 80 """ 81 fetch_artifact_path = '/google/data/ro/projects/android/fetch_artifact' 82 cmd = [ 83 fetch_artifact_path, '--branch', branch, '--target', 84 'aosp_arm64-userdebug' 85 ] 86 if build == 'latest': 87 cmd.append('--latest') 88 else: 89 cmd.extend(['--bid', build]) 90 cmd.extend([pattern, destination]) 91 check_run(cmd) 92 93 94def extract_mapping_file_from_img(img_path, ver, destination='.'): 95 """ Extracts system/etc/selinux/mapping/{ver}.cil from system.img file. 96 97 Args: 98 img_path: string, path to system.img file 99 ver: string, version of designated mapping file 100 destination: string, destination to pull the mapping file to 101 102 Returns: 103 string, path to extracted mapping file 104 """ 105 106 cmd = [ 107 'debugfs', '-R', 108 'cat system/etc/selinux/mapping/10000.0.cil', img_path 109 ] 110 path = os.path.join(destination, '%s.cil' % ver) 111 with open(path, 'wb') as f: 112 logging.debug('Extracting %s.cil to %s' % (ver, destination)) 113 f.write(check_output(cmd).stdout.replace(b'10000_0', ver.replace('.', '_').encode())) 114 return path 115 116 117def download_mapping_file(branch, build, ver, destination='.'): 118 """ Downloads system/etc/selinux/mapping/{ver}.cil from Android Build server. 119 120 Args: 121 branch: string, branch to pull build artifacts from (e.g. "sc-v2-dev") 122 build: string, build ID or "latest" 123 ver: string, version of designated mapping file (e.g. "32.0") 124 destination: string, destination to pull build artifact to 125 126 Returns: 127 string, path to extracted mapping file 128 """ 129 logging.info('Downloading %s mapping file from branch %s build %s...' % 130 (ver, branch, build)) 131 artifact_pattern = 'aosp_arm64-img-*.zip' 132 fetch_artifact(branch, build, artifact_pattern, temp_dir) 133 134 # glob must succeed 135 zip_path = glob.glob(os.path.join(temp_dir, artifact_pattern))[0] 136 with zipfile.ZipFile(zip_path) as zip_file: 137 logging.debug('Extracting system.img to %s' % temp_dir) 138 zip_file.extract('system.img', temp_dir) 139 140 system_img_path = os.path.join(temp_dir, 'system.img') 141 return extract_mapping_file_from_img(system_img_path, ver, destination) 142 143 144def build_base_files(target_version): 145 """ Builds needed base policy files from the source code. 146 147 Args: 148 target_version: string, target version to gerenate the mapping file 149 150 Returns: 151 (string, string, string), paths to base policy, old policy, and pub policy 152 cil 153 """ 154 logging.info('building base sepolicy files') 155 build_top = get_android_build_top() 156 157 cmd = [ 158 'build/soong/soong_ui.bash', 159 '--make-mode', 160 'dist', 161 'base-sepolicy-files-for-mapping', 162 'TARGET_PRODUCT=aosp_arm64', 163 'TARGET_BUILD_VARIANT=userdebug', 164 ] 165 check_run(cmd, cwd=build_top) 166 167 dist_dir = os.path.join(build_top, 'out', 'dist') 168 base_policy_path = os.path.join(dist_dir, 'base_plat_sepolicy') 169 old_policy_path = os.path.join(dist_dir, 170 '%s_plat_sepolicy' % target_version) 171 pub_policy_cil_path = os.path.join(dist_dir, 'base_plat_pub_policy.cil') 172 173 return base_policy_path, old_policy_path, pub_policy_cil_path 174 175 176def change_api_level(versioned_type, api_from, api_to): 177 """ Verifies the API version of versioned_type, and changes it to new API level. 178 179 For example, change_api_level("foo_32_0", "32.0", "31.0") will return 180 "foo_31_0". 181 182 Args: 183 versioned_type: string, type with version suffix 184 api_from: string, api version of versioned_type 185 api_to: string, new api version for versioned_type 186 187 Returns: 188 string, a new versioned type 189 """ 190 old_suffix = api_from.replace('.', '_') 191 new_suffix = api_to.replace('.', '_') 192 if not versioned_type.endswith(old_suffix): 193 raise ValueError('Version of type %s is different from %s' % 194 (versioned_type, api_from)) 195 return versioned_type.removesuffix(old_suffix) + new_suffix 196 197 198def create_target_compat_modules(bp_path, target_ver): 199 """ Creates compat modules to Android.bp. 200 201 Args: 202 bp_path: string, path to Android.bp 203 target_ver: string, api version to generate 204 """ 205 206 module_template = """ 207se_build_files {{ 208 name: "{ver}.board.compat.map", 209 srcs: ["compat/{ver}/{ver}.cil"], 210}} 211 212se_build_files {{ 213 name: "{ver}.board.compat.cil", 214 srcs: ["compat/{ver}/{ver}.compat.cil"], 215}} 216 217se_build_files {{ 218 name: "{ver}.board.ignore.map", 219 srcs: ["compat/{ver}/{ver}.ignore.cil"], 220}} 221 222se_cil_compat_map {{ 223 name: "plat_{ver}.cil", 224 stem: "{ver}.cil", 225 bottom_half: [":{ver}.board.compat.map{{.plat_private}}"], 226 version: "{ver}", 227}} 228 229se_cil_compat_map {{ 230 name: "system_ext_{ver}.cil", 231 stem: "{ver}.cil", 232 bottom_half: [":{ver}.board.compat.map{{.system_ext_private}}"], 233 system_ext_specific: true, 234 version: "{ver}", 235}} 236 237se_cil_compat_map {{ 238 name: "product_{ver}.cil", 239 stem: "{ver}.cil", 240 bottom_half: [":{ver}.board.compat.map{{.product_private}}"], 241 product_specific: true, 242 version: "{ver}", 243}} 244 245se_cil_compat_map {{ 246 name: "{ver}.ignore.cil", 247 bottom_half: [":{ver}.board.ignore.map{{.plat_private}}"], 248 version: "{ver}", 249}} 250 251se_cil_compat_map {{ 252 name: "system_ext_{ver}.ignore.cil", 253 stem: "{ver}.ignore.cil", 254 bottom_half: [":{ver}.board.ignore.map{{.system_ext_private}}"], 255 system_ext_specific: true, 256 version: "{ver}", 257}} 258 259se_cil_compat_map {{ 260 name: "product_{ver}.ignore.cil", 261 stem: "{ver}.ignore.cil", 262 bottom_half: [":{ver}.board.ignore.map{{.product_private}}"], 263 product_specific: true, 264 version: "{ver}", 265}} 266 267se_compat_cil {{ 268 name: "{ver}.compat.cil", 269 srcs: [":{ver}.board.compat.cil{{.plat_private}}"], 270 version: "{ver}", 271}} 272 273se_compat_cil {{ 274 name: "system_ext_{ver}.compat.cil", 275 stem: "{ver}.compat.cil", 276 srcs: [":{ver}.board.compat.cil{{.system_ext_private}}"], 277 system_ext_specific: true, 278 version: "{ver}", 279}} 280""" 281 282 with open(bp_path, 'a') as f: 283 f.write(module_template.format(ver=target_ver)) 284 285 286def patch_top_half_of_latest_compat_modules(bp_path, latest_ver, target_ver): 287 """ Adds top_half property to latest compat modules in Android.bp. 288 289 Args: 290 bp_path: string, path to Android.bp 291 latest_ver: string, previous api version 292 target_ver: string, api version to generate 293 """ 294 295 modules_to_patch = [ 296 "plat_{ver}.cil", 297 "system_ext_{ver}.cil", 298 "product_{ver}.cil", 299 "{ver}.ignore.cil", 300 "system_ext_{ver}.ignore.cil", 301 "product_{ver}.ignore.cil", 302 ] 303 304 for module in modules_to_patch: 305 # set latest_ver module's top_half property to target_ver 306 # e.g. 307 # 308 # se_cil_compat_map { 309 # name: "plat_33.0.cil", 310 # top_half: "plat_34.0.cil", <== this 311 # ... 312 # } 313 check_run([ 314 "bpmodify", 315 "-m", module.format(ver=latest_ver), 316 "-property", "top_half", 317 "-str", module.format(ver=target_ver), 318 "-w", 319 bp_path 320 ]) 321 322def get_args(): 323 parser = argparse.ArgumentParser() 324 parser.add_argument( 325 '--branch', 326 required=True, 327 help='Branch to pull build from. e.g. "sc-v2-dev"') 328 parser.add_argument('--build', required=True, help='Build ID, or "latest"') 329 parser.add_argument( 330 '--target-version', 331 required=True, 332 help='Target version of designated mapping file. e.g. "32.0"') 333 parser.add_argument( 334 '--latest-version', 335 required=True, 336 help='Latest version for mapping of newer types. e.g. "31.0"') 337 parser.add_argument( 338 '-v', 339 '--verbose', 340 action='count', 341 default=0, 342 help='Increase output verbosity, e.g. "-v", "-vv".') 343 return parser.parse_args() 344 345 346def main(): 347 args = get_args() 348 349 verbosity = min(args.verbose, 2) 350 logging.basicConfig( 351 format='%(levelname)-8s [%(filename)s:%(lineno)d] %(message)s', 352 level=(logging.WARNING, logging.INFO, logging.DEBUG)[verbosity]) 353 354 global temp_dir 355 temp_dir = tempfile.mkdtemp() 356 357 try: 358 libpath = os.path.join( 359 os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' + SHARED_LIB_EXTENSION) 360 if not os.path.exists(libpath): 361 sys.exit( 362 'Error: libsepolwrap does not exist. Is this binary corrupted?\n' 363 ) 364 365 build_top = get_android_build_top() 366 sepolicy_path = os.path.join(build_top, 'system', 'sepolicy') 367 368 # Step 0. Create a placeholder files and compat modules 369 # These are needed to build base policy files below. 370 compat_bp_path = os.path.join(sepolicy_path, 'compat', 'Android.bp') 371 create_target_compat_modules(compat_bp_path, args.target_version) 372 patch_top_half_of_latest_compat_modules(compat_bp_path, args.latest_version, 373 args.target_version) 374 375 target_compat_path = os.path.join(sepolicy_path, 'private', 'compat', 376 args.target_version) 377 target_mapping_file = os.path.join(target_compat_path, 378 args.target_version + '.cil') 379 target_compat_file = os.path.join(target_compat_path, 380 args.target_version + '.compat.cil') 381 target_ignore_file = os.path.join(target_compat_path, 382 args.target_version + '.ignore.cil') 383 Path(target_compat_path).mkdir(parents=True, exist_ok=True) 384 Path(target_mapping_file).touch() 385 Path(target_compat_file).touch() 386 Path(target_ignore_file).touch() 387 388 # Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes 389 mapping_file = download_mapping_file( 390 args.branch, args.build, args.target_version, destination=temp_dir) 391 mapping_file_cil = mini_parser.MiniCilParser(mapping_file) 392 mapping_file_cil.types = set() 393 mapping_file_cil.typeattributes = set() 394 395 # Step 2. Build base policy files and parse latest mapping files 396 base_policy_path, old_policy_path, pub_policy_cil_path = build_base_files( 397 args.target_version) 398 base_policy = policy.Policy(base_policy_path, None, libpath) 399 old_policy = policy.Policy(old_policy_path, None, libpath) 400 pub_policy_cil = mini_parser.MiniCilParser(pub_policy_cil_path) 401 402 all_types = base_policy.GetAllTypes(False) 403 old_all_types = old_policy.GetAllTypes(False) 404 pub_types = pub_policy_cil.types 405 406 # Step 3. Find new types and removed types 407 new_types = pub_types & (all_types - old_all_types) 408 removed_types = (mapping_file_cil.pubtypes - mapping_file_cil.types) & ( 409 old_all_types - all_types) 410 411 logging.info('new types: %s' % new_types) 412 logging.info('removed types: %s' % removed_types) 413 414 # Step 4. Map new types and removed types appropriately, based on the latest mapping 415 latest_compat_path = os.path.join(sepolicy_path, 'private', 'compat', 416 args.latest_version) 417 latest_mapping_cil = mini_parser.MiniCilParser( 418 os.path.join(latest_compat_path, args.latest_version + '.cil')) 419 latest_ignore_cil = mini_parser.MiniCilParser( 420 os.path.join(latest_compat_path, 421 args.latest_version + '.ignore.cil')) 422 423 latest_ignored_types = list(latest_ignore_cil.rTypeattributesets.keys()) 424 latest_removed_types = latest_mapping_cil.types 425 logging.debug('types ignored in latest policy: %s' % 426 latest_ignored_types) 427 logging.debug('types removed in latest policy: %s' % 428 latest_removed_types) 429 430 target_ignored_types = set() 431 target_removed_types = set() 432 invalid_new_types = set() 433 invalid_mapping_types = set() 434 invalid_removed_types = set() 435 436 logging.info('starting mapping') 437 for new_type in new_types: 438 # Either each new type should be in latest_ignore_cil, or mapped to existing types 439 if new_type in latest_ignored_types: 440 logging.debug('adding %s to ignore' % new_type) 441 target_ignored_types.add(new_type) 442 elif new_type in latest_mapping_cil.rTypeattributesets: 443 latest_mapped_types = latest_mapping_cil.rTypeattributesets[ 444 new_type] 445 target_mapped_types = {change_api_level(t, args.latest_version, 446 args.target_version) 447 for t in latest_mapped_types} 448 logging.debug('mapping %s to %s' % 449 (new_type, target_mapped_types)) 450 451 for t in target_mapped_types: 452 if t not in mapping_file_cil.typeattributesets: 453 logging.error( 454 'Cannot find desired type %s in mapping file' % t) 455 invalid_mapping_types.add(t) 456 continue 457 mapping_file_cil.typeattributesets[t].add(new_type) 458 else: 459 logging.error('no mapping information for new type %s' % 460 new_type) 461 invalid_new_types.add(new_type) 462 463 for removed_type in removed_types: 464 # Removed type should be in latest_mapping_cil 465 if removed_type in latest_removed_types: 466 logging.debug('adding %s to removed' % removed_type) 467 target_removed_types.add(removed_type) 468 else: 469 logging.error('no mapping information for removed type %s' % 470 removed_type) 471 invalid_removed_types.add(removed_type) 472 473 error_msg = '' 474 475 if invalid_new_types: 476 error_msg += ('The following new types were not in the latest ' 477 'mapping: %s\n') % sorted(invalid_new_types) 478 if invalid_mapping_types: 479 error_msg += ( 480 'The following existing types were not in the ' 481 'downloaded mapping file: %s\n') % sorted(invalid_mapping_types) 482 if invalid_removed_types: 483 error_msg += ('The following removed types were not in the latest ' 484 'mapping: %s\n') % sorted(invalid_removed_types) 485 486 if error_msg: 487 error_msg += '\n' 488 error_msg += ('Please make sure the source tree and the build ID is' 489 ' up to date.\n') 490 sys.exit(error_msg) 491 492 # Step 5. Write to system/sepolicy/private/compat 493 with open(target_mapping_file, 'w') as f: 494 logging.info('writing %s' % target_mapping_file) 495 if removed_types: 496 f.write(';; types removed from current policy\n') 497 f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types))) 498 f.write('\n\n') 499 f.write(mapping_cil_footer % args.target_version) 500 f.write(mapping_file_cil.unparse()) 501 502 with open(target_compat_file, 'w') as f: 503 logging.info('writing %s' % target_compat_file) 504 f.write(compat_cil_template % (args.target_version, args.target_version)) 505 506 with open(target_ignore_file, 'w') as f: 507 logging.info('writing %s' % target_ignore_file) 508 f.write(ignore_cil_template % 509 (args.target_version, '\n '.join(sorted(target_ignored_types)))) 510 finally: 511 logging.info('Deleting temporary dir: {}'.format(temp_dir)) 512 shutil.rmtree(temp_dir) 513 514 515if __name__ == '__main__': 516 main() 517