1#!/usr/bin/env python3 2 3# Copyright 2022 The Android Open Source Project 4# 5# Licensed under the Apache License, Version 2.0 (the "License"); 6# you may not use this file except in compliance with the License. 7# You may obtain a copy of the License at 8# 9# http://www.apache.org/licenses/LICENSE-2.0 10# 11# Unless required by applicable law or agreed to in writing, software 12# distributed under the License is distributed on an "AS IS" BASIS, 13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14# See the License for the specific language governing permissions and 15# limitations under the License. 16 17import argparse 18import distutils.ccompiler 19import glob 20import logging 21import mini_parser 22import os 23import policy 24import shutil 25import subprocess 26import sys 27import tempfile 28import zipfile 29"""This tool generates a mapping file for {ver} core sepolicy.""" 30 31temp_dir = '' 32compat_cil_template = ";; This file can't be empty.\n" 33ignore_cil_template = """;; new_objects - a collection of types that have been introduced that have no 34;; analogue in older policy. Thus, we do not need to map these types to 35;; previous ones. Add here to pass checkapi tests. 36(type new_objects) 37(typeattribute new_objects) 38(typeattributeset new_objects 39 ( new_objects 40 %s 41 )) 42""" 43 44 45def check_run(cmd, cwd=None): 46 if cwd: 47 logging.debug('Running cmd at %s: %s' % (cwd, cmd)) 48 else: 49 logging.debug('Running cmd: %s' % cmd) 50 subprocess.run(cmd, cwd=cwd, check=True) 51 52 53def check_output(cmd): 54 logging.debug('Running cmd: %s' % cmd) 55 return subprocess.run(cmd, check=True, stdout=subprocess.PIPE) 56 57 58def get_android_build_top(): 59 ANDROID_BUILD_TOP = os.getenv('ANDROID_BUILD_TOP') 60 if not ANDROID_BUILD_TOP: 61 sys.exit( 62 'Error: Missing ANDROID_BUILD_TOP env variable. Please run ' 63 '\'. build/envsetup.sh; lunch <build target>\'. Exiting script.') 64 return ANDROID_BUILD_TOP 65 66 67def fetch_artifact(branch, build, pattern, destination='.'): 68 """Fetches build artifacts from Android Build server. 69 70 Args: 71 branch: string, branch to pull build artifacts from 72 build: string, build ID or "latest" 73 pattern: string, pattern of build artifact file name 74 destination: string, destination to pull build artifact to 75 """ 76 fetch_artifact_path = '/google/data/ro/projects/android/fetch_artifact' 77 cmd = [ 78 fetch_artifact_path, '--branch', branch, '--target', 79 'aosp_arm64-userdebug' 80 ] 81 if build == 'latest': 82 cmd.append('--latest') 83 else: 84 cmd.extend(['--bid', build]) 85 cmd.extend([pattern, destination]) 86 check_run(cmd) 87 88 89def extract_mapping_file_from_img(img_path, ver, destination='.'): 90 """ Extracts system/etc/selinux/mapping/{ver}.cil from system.img file. 91 92 Args: 93 img_path: string, path to system.img file 94 ver: string, version of designated mapping file 95 destination: string, destination to pull the mapping file to 96 97 Returns: 98 string, path to extracted mapping file 99 """ 100 101 cmd = [ 102 'debugfs', '-R', 103 'cat system/etc/selinux/mapping/10000.0.cil', img_path 104 ] 105 path = os.path.join(destination, '%s.cil' % ver) 106 with open(path, 'wb') as f: 107 logging.debug('Extracting %s.cil to %s' % (ver, destination)) 108 f.write(check_output(cmd).stdout.replace(b'10000.0',b'33.0').replace(b'10000_0',b'33_0')) 109 return path 110 111 112def download_mapping_file(branch, build, ver, destination='.'): 113 """ Downloads system/etc/selinux/mapping/{ver}.cil from Android Build server. 114 115 Args: 116 branch: string, branch to pull build artifacts from (e.g. "sc-v2-dev") 117 build: string, build ID or "latest" 118 ver: string, version of designated mapping file (e.g. "32.0") 119 destination: string, destination to pull build artifact to 120 121 Returns: 122 string, path to extracted mapping file 123 """ 124 logging.info('Downloading %s mapping file from branch %s build %s...' % 125 (ver, branch, build)) 126 artifact_pattern = 'aosp_arm64-img-*.zip' 127 fetch_artifact(branch, build, artifact_pattern, temp_dir) 128 129 # glob must succeed 130 zip_path = glob.glob(os.path.join(temp_dir, artifact_pattern))[0] 131 with zipfile.ZipFile(zip_path) as zip_file: 132 logging.debug('Extracting system.img to %s' % temp_dir) 133 zip_file.extract('system.img', temp_dir) 134 135 system_img_path = os.path.join(temp_dir, 'system.img') 136 return extract_mapping_file_from_img(system_img_path, ver, destination) 137 138 139def build_base_files(target_version): 140 """ Builds needed base policy files from the source code. 141 142 Args: 143 target_version: string, target version to gerenate the mapping file 144 145 Returns: 146 (string, string, string), paths to base policy, old policy, and pub policy 147 cil 148 """ 149 logging.info('building base sepolicy files') 150 build_top = get_android_build_top() 151 152 cmd = [ 153 'build/soong/soong_ui.bash', 154 '--make-mode', 155 'dist', 156 'base-sepolicy-files-for-mapping', 157 'TARGET_PRODUCT=aosp_arm64', 158 'TARGET_BUILD_VARIANT=userdebug', 159 ] 160 check_run(cmd, cwd=build_top) 161 162 dist_dir = os.path.join(build_top, 'out', 'dist') 163 base_policy_path = os.path.join(dist_dir, 'base_plat_sepolicy') 164 old_policy_path = os.path.join(dist_dir, 165 '%s_plat_sepolicy' % target_version) 166 pub_policy_cil_path = os.path.join(dist_dir, 'base_plat_pub_policy.cil') 167 168 return base_policy_path, old_policy_path, pub_policy_cil_path 169 170 171def change_api_level(versioned_type, api_from, api_to): 172 """ Verifies the API version of versioned_type, and changes it to new API level. 173 174 For example, change_api_level("foo_32_0", "32.0", "31.0") will return 175 "foo_31_0". 176 177 Args: 178 versioned_type: string, type with version suffix 179 api_from: string, api version of versioned_type 180 api_to: string, new api version for versioned_type 181 182 Returns: 183 string, a new versioned type 184 """ 185 old_suffix = api_from.replace('.', '_') 186 new_suffix = api_to.replace('.', '_') 187 if not versioned_type.endswith(old_suffix): 188 raise ValueError('Version of type %s is different from %s' % 189 (versioned_type, api_from)) 190 return versioned_type.removesuffix(old_suffix) + new_suffix 191 192 193def get_args(): 194 parser = argparse.ArgumentParser() 195 parser.add_argument( 196 '--branch', 197 required=True, 198 help='Branch to pull build from. e.g. "sc-v2-dev"') 199 parser.add_argument('--build', required=True, help='Build ID, or "latest"') 200 parser.add_argument( 201 '--target-version', 202 required=True, 203 help='Target version of designated mapping file. e.g. "32.0"') 204 parser.add_argument( 205 '--latest-version', 206 required=True, 207 help='Latest version for mapping of newer types. e.g. "31.0"') 208 parser.add_argument( 209 '-v', 210 '--verbose', 211 action='count', 212 default=0, 213 help='Increase output verbosity, e.g. "-v", "-vv".') 214 return parser.parse_args() 215 216 217def main(): 218 args = get_args() 219 220 verbosity = min(args.verbose, 2) 221 logging.basicConfig( 222 format='%(levelname)-8s [%(filename)s:%(lineno)d] %(message)s', 223 level=(logging.WARNING, logging.INFO, logging.DEBUG)[verbosity]) 224 225 global temp_dir 226 temp_dir = tempfile.mkdtemp() 227 228 try: 229 libpath = os.path.join( 230 os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' + 231 distutils.ccompiler.new_compiler().shared_lib_extension) 232 if not os.path.exists(libpath): 233 sys.exit( 234 'Error: libsepolwrap does not exist. Is this binary corrupted?\n' 235 ) 236 237 build_top = get_android_build_top() 238 sepolicy_path = os.path.join(build_top, 'system', 'sepolicy') 239 240 # Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes 241 mapping_file = download_mapping_file( 242 args.branch, args.build, args.target_version, destination=temp_dir) 243 mapping_file_cil = mini_parser.MiniCilParser(mapping_file) 244 mapping_file_cil.types = set() 245 mapping_file_cil.typeattributes = set() 246 247 # Step 2. Build base policy files and parse latest mapping files 248 base_policy_path, old_policy_path, pub_policy_cil_path = build_base_files( 249 args.target_version) 250 base_policy = policy.Policy(base_policy_path, None, libpath) 251 old_policy = policy.Policy(old_policy_path, None, libpath) 252 pub_policy_cil = mini_parser.MiniCilParser(pub_policy_cil_path) 253 254 all_types = base_policy.GetAllTypes(False) 255 old_all_types = old_policy.GetAllTypes(False) 256 pub_types = pub_policy_cil.types 257 258 # Step 3. Find new types and removed types 259 new_types = pub_types & (all_types - old_all_types) 260 removed_types = (mapping_file_cil.pubtypes - mapping_file_cil.types) & ( 261 old_all_types - all_types) 262 263 logging.info('new types: %s' % new_types) 264 logging.info('removed types: %s' % removed_types) 265 266 # Step 4. Map new types and removed types appropriately, based on the latest mapping 267 latest_compat_path = os.path.join(sepolicy_path, 'private', 'compat', 268 args.latest_version) 269 latest_mapping_cil = mini_parser.MiniCilParser( 270 os.path.join(latest_compat_path, args.latest_version + '.cil')) 271 latest_ignore_cil = mini_parser.MiniCilParser( 272 os.path.join(latest_compat_path, 273 args.latest_version + '.ignore.cil')) 274 275 latest_ignored_types = list(latest_ignore_cil.rTypeattributesets.keys()) 276 latest_removed_types = latest_mapping_cil.types 277 logging.debug('types ignored in latest policy: %s' % 278 latest_ignored_types) 279 logging.debug('types removed in latest policy: %s' % 280 latest_removed_types) 281 282 target_ignored_types = set() 283 target_removed_types = set() 284 invalid_new_types = set() 285 invalid_mapping_types = set() 286 invalid_removed_types = set() 287 288 logging.info('starting mapping') 289 for new_type in new_types: 290 # Either each new type should be in latest_ignore_cil, or mapped to existing types 291 if new_type in latest_ignored_types: 292 logging.debug('adding %s to ignore' % new_type) 293 target_ignored_types.add(new_type) 294 elif new_type in latest_mapping_cil.rTypeattributesets: 295 latest_mapped_types = latest_mapping_cil.rTypeattributesets[ 296 new_type] 297 target_mapped_types = {change_api_level(t, args.latest_version, 298 args.target_version) 299 for t in latest_mapped_types} 300 logging.debug('mapping %s to %s' % 301 (new_type, target_mapped_types)) 302 303 for t in target_mapped_types: 304 if t not in mapping_file_cil.typeattributesets: 305 logging.error( 306 'Cannot find desired type %s in mapping file' % t) 307 invalid_mapping_types.add(t) 308 continue 309 mapping_file_cil.typeattributesets[t].add(new_type) 310 else: 311 logging.error('no mapping information for new type %s' % 312 new_type) 313 invalid_new_types.add(new_type) 314 315 for removed_type in removed_types: 316 # Removed type should be in latest_mapping_cil 317 if removed_type in latest_removed_types: 318 logging.debug('adding %s to removed' % removed_type) 319 target_removed_types.add(removed_type) 320 else: 321 logging.error('no mapping information for removed type %s' % 322 removed_type) 323 invalid_removed_types.add(removed_type) 324 325 error_msg = '' 326 327 if invalid_new_types: 328 error_msg += ('The following new types were not in the latest ' 329 'mapping: %s\n') % sorted(invalid_new_types) 330 if invalid_mapping_types: 331 error_msg += ( 332 'The following existing types were not in the ' 333 'downloaded mapping file: %s\n') % sorted(invalid_mapping_types) 334 if invalid_removed_types: 335 error_msg += ('The following removed types were not in the latest ' 336 'mapping: %s\n') % sorted(invalid_removed_types) 337 338 if error_msg: 339 error_msg += '\n' 340 error_msg += ('Please make sure the source tree and the build ID is' 341 ' up to date.\n') 342 sys.exit(error_msg) 343 344 # Step 5. Write to system/sepolicy/private/compat 345 target_compat_path = os.path.join(sepolicy_path, 'private', 'compat', 346 args.target_version) 347 target_mapping_file = os.path.join(target_compat_path, 348 args.target_version + '.cil') 349 target_compat_file = os.path.join(target_compat_path, 350 args.target_version + '.compat.cil') 351 target_ignore_file = os.path.join(target_compat_path, 352 args.target_version + '.ignore.cil') 353 354 with open(target_mapping_file, 'w') as f: 355 logging.info('writing %s' % target_mapping_file) 356 if removed_types: 357 f.write(';; types removed from current policy\n') 358 f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types))) 359 f.write('\n\n') 360 f.write(mapping_file_cil.unparse()) 361 362 with open(target_compat_file, 'w') as f: 363 logging.info('writing %s' % target_compat_file) 364 f.write(compat_cil_template) 365 366 with open(target_ignore_file, 'w') as f: 367 logging.info('writing %s' % target_ignore_file) 368 f.write(ignore_cil_template % 369 ('\n '.join(sorted(target_ignored_types)))) 370 finally: 371 logging.info('Deleting temporary dir: {}'.format(temp_dir)) 372 shutil.rmtree(temp_dir) 373 374 375if __name__ == '__main__': 376 main() 377