1#!/usr/bin/env python3 2 3# Copyright 2022 The Android Open Source Project 4# 5# Licensed under the Apache License, Version 2.0 (the "License"); 6# you may not use this file except in compliance with the License. 7# You may obtain a copy of the License at 8# 9# http://www.apache.org/licenses/LICENSE-2.0 10# 11# Unless required by applicable law or agreed to in writing, software 12# distributed under the License is distributed on an "AS IS" BASIS, 13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14# See the License for the specific language governing permissions and 15# limitations under the License. 16 17from pathlib import Path 18import argparse 19import glob 20import logging 21import mini_parser 22import os 23import policy 24import shutil 25import subprocess 26import sys 27import tempfile 28import zipfile 29"""This tool generates a mapping file for {ver} core sepolicy.""" 30 31temp_dir = '' 32mapping_cil_footer = ";; mapping information from ToT policy's types to %s policy's types.\n" 33compat_cil_template = """;; complement CIL file for compatibility between ToT policy and %s vendors. 34;; will be compiled along with other normal policy files, on %s vendors. 35;; 36""" 37ignore_cil_template = """;; new_objects - a collection of types that have been introduced with ToT policy 38;; that have no analogue in %s policy. Thus, we do not need to map these types to 39;; previous ones. Add here to pass checkapi tests. 40(type new_objects) 41(typeattribute new_objects) 42(typeattributeset new_objects 43 ( new_objects 44 %s 45 )) 46""" 47 48SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so' 49 50def check_run(cmd, cwd=None): 51 if cwd: 52 logging.debug('Running cmd at %s: %s' % (cwd, cmd)) 53 else: 54 logging.debug('Running cmd: %s' % cmd) 55 subprocess.run(cmd, cwd=cwd, check=True) 56 57 58def check_output(cmd): 59 logging.debug('Running cmd: %s' % cmd) 60 return subprocess.run(cmd, check=True, stdout=subprocess.PIPE) 61 62 63def get_android_build_top(): 64 ANDROID_BUILD_TOP = os.getenv('ANDROID_BUILD_TOP') 65 if not ANDROID_BUILD_TOP: 66 sys.exit( 67 'Error: Missing ANDROID_BUILD_TOP env variable. Please run ' 68 '\'. build/envsetup.sh; lunch <build target>\'. Exiting script.') 69 return ANDROID_BUILD_TOP 70 71 72def fetch_artifact(branch, build, pattern, destination='.'): 73 """Fetches build artifacts from Android Build server. 74 75 Args: 76 branch: string, branch to pull build artifacts from 77 build: string, build ID or "latest" 78 pattern: string, pattern of build artifact file name 79 destination: string, destination to pull build artifact to 80 """ 81 fetch_artifact_path = '/google/data/ro/projects/android/fetch_artifact' 82 cmd = [ 83 fetch_artifact_path, '--branch', branch, '--target', 84 'aosp_arm64-userdebug' 85 ] 86 if build == 'latest': 87 cmd.append('--latest') 88 else: 89 cmd.extend(['--bid', build]) 90 cmd.extend([pattern, destination]) 91 check_run(cmd) 92 93 94def extract_mapping_file_from_img(img_path, ver, destination='.'): 95 """ Extracts system/etc/selinux/mapping/{ver}.cil from system.img file. 96 97 Args: 98 img_path: string, path to system.img file 99 ver: string, version of designated mapping file 100 destination: string, destination to pull the mapping file to 101 102 Returns: 103 string, path to extracted mapping file 104 """ 105 106 cmd = [ 107 'debugfs', '-R', 108 'cat system/etc/selinux/mapping/10000.0.cil', img_path 109 ] 110 path = os.path.join(destination, '%s.cil' % ver) 111 with open(path, 'wb') as f: 112 logging.debug('Extracting %s.cil to %s' % (ver, destination)) 113 f.write(check_output(cmd).stdout.replace(b'10000_0', ver.replace('.', '_').encode())) 114 return path 115 116 117def download_mapping_file(branch, build, ver, destination='.'): 118 """ Downloads system/etc/selinux/mapping/{ver}.cil from Android Build server. 119 120 Args: 121 branch: string, branch to pull build artifacts from (e.g. "sc-v2-dev") 122 build: string, build ID or "latest" 123 ver: string, version of designated mapping file (e.g. "32.0") 124 destination: string, destination to pull build artifact to 125 126 Returns: 127 string, path to extracted mapping file 128 """ 129 logging.info('Downloading %s mapping file from branch %s build %s...' % 130 (ver, branch, build)) 131 artifact_pattern = 'aosp_arm64-img-*.zip' 132 fetch_artifact(branch, build, artifact_pattern, temp_dir) 133 134 # glob must succeed 135 zip_path = glob.glob(os.path.join(temp_dir, artifact_pattern))[0] 136 with zipfile.ZipFile(zip_path) as zip_file: 137 logging.debug('Extracting system.img to %s' % temp_dir) 138 zip_file.extract('system.img', temp_dir) 139 140 system_img_path = os.path.join(temp_dir, 'system.img') 141 return extract_mapping_file_from_img(system_img_path, ver, destination) 142 143 144def build_base_files(target_version): 145 """ Builds needed base policy files from the source code. 146 147 Args: 148 target_version: string, target version to gerenate the mapping file 149 150 Returns: 151 (string, string, string), paths to base policy, old policy, and pub policy 152 cil 153 """ 154 logging.info('building base sepolicy files') 155 build_top = get_android_build_top() 156 157 cmd = [ 158 'build/soong/soong_ui.bash', 159 '--make-mode', 160 'dist', 161 'base-sepolicy-files-for-mapping', 162 'TARGET_PRODUCT=aosp_arm64', 163 'TARGET_BUILD_VARIANT=userdebug', 164 ] 165 check_run(cmd, cwd=build_top) 166 167 dist_dir = os.path.join(build_top, 'out', 'dist') 168 base_policy_path = os.path.join(dist_dir, 'base_plat_sepolicy') 169 old_policy_path = os.path.join(dist_dir, 170 '%s_plat_sepolicy' % target_version) 171 pub_policy_cil_path = os.path.join(dist_dir, 'base_plat_pub_policy.cil') 172 173 return base_policy_path, old_policy_path, pub_policy_cil_path 174 175 176def change_api_level(versioned_type, api_from, api_to): 177 """ Verifies the API version of versioned_type, and changes it to new API level. 178 179 For example, change_api_level("foo_32_0", "32.0", "31.0") will return 180 "foo_31_0". 181 182 Args: 183 versioned_type: string, type with version suffix 184 api_from: string, api version of versioned_type 185 api_to: string, new api version for versioned_type 186 187 Returns: 188 string, a new versioned type 189 """ 190 old_suffix = api_from.replace('.', '_') 191 new_suffix = api_to.replace('.', '_') 192 if not versioned_type.endswith(old_suffix): 193 raise ValueError('Version of type %s is different from %s' % 194 (versioned_type, api_from)) 195 return versioned_type.removesuffix(old_suffix) + new_suffix 196 197 198def create_target_compat_modules(bp_path, target_ver): 199 """ Creates compat modules to Android.bp. 200 201 Args: 202 bp_path: string, path to Android.bp 203 target_ver: string, api version to generate 204 """ 205 206 module_template = """ 207se_build_files {{ 208 name: "{ver}.board.compat.map", 209 srcs: ["compat/{ver}/{ver}.cil"], 210}} 211 212se_build_files {{ 213 name: "{ver}.board.compat.cil", 214 srcs: ["compat/{ver}/{ver}.compat.cil"], 215}} 216 217se_build_files {{ 218 name: "{ver}.board.ignore.map", 219 srcs: ["compat/{ver}/{ver}.ignore.cil"], 220}} 221 222se_cil_compat_map {{ 223 name: "plat_{ver}.cil", 224 stem: "{ver}.cil", 225 bottom_half: [":{ver}.board.compat.map{{.plat_private}}"], 226}} 227 228se_cil_compat_map {{ 229 name: "system_ext_{ver}.cil", 230 stem: "{ver}.cil", 231 bottom_half: [":{ver}.board.compat.map{{.system_ext_private}}"], 232 system_ext_specific: true, 233}} 234 235se_cil_compat_map {{ 236 name: "product_{ver}.cil", 237 stem: "{ver}.cil", 238 bottom_half: [":{ver}.board.compat.map{{.product_private}}"], 239 product_specific: true, 240}} 241 242se_cil_compat_map {{ 243 name: "{ver}.ignore.cil", 244 bottom_half: [":{ver}.board.ignore.map{{.plat_private}}"], 245}} 246 247se_cil_compat_map {{ 248 name: "system_ext_{ver}.ignore.cil", 249 stem: "{ver}.ignore.cil", 250 bottom_half: [":{ver}.board.ignore.map{{.system_ext_private}}"], 251 system_ext_specific: true, 252}} 253 254se_cil_compat_map {{ 255 name: "product_{ver}.ignore.cil", 256 stem: "{ver}.ignore.cil", 257 bottom_half: [":{ver}.board.ignore.map{{.product_private}}"], 258 product_specific: true, 259}} 260 261se_compat_cil {{ 262 name: "{ver}.compat.cil", 263 srcs: [":{ver}.board.compat.cil{{.plat_private}}"], 264}} 265 266se_compat_cil {{ 267 name: "system_ext_{ver}.compat.cil", 268 stem: "{ver}.compat.cil", 269 srcs: [":{ver}.board.compat.cil{{.system_ext_private}}"], 270 system_ext_specific: true, 271}} 272""" 273 274 with open(bp_path, 'a') as f: 275 f.write(module_template.format(ver=target_ver)) 276 277 278def patch_top_half_of_latest_compat_modules(bp_path, latest_ver, target_ver): 279 """ Adds top_half property to latest compat modules in Android.bp. 280 281 Args: 282 bp_path: string, path to Android.bp 283 latest_ver: string, previous api version 284 target_ver: string, api version to generate 285 """ 286 287 modules_to_patch = [ 288 "plat_{ver}.cil", 289 "system_ext_{ver}.cil", 290 "product_{ver}.cil", 291 "{ver}.ignore.cil", 292 "system_ext_{ver}.ignore.cil", 293 "product_{ver}.ignore.cil", 294 ] 295 296 for module in modules_to_patch: 297 # set latest_ver module's top_half property to target_ver 298 # e.g. 299 # 300 # se_cil_compat_map { 301 # name: "plat_33.0.cil", 302 # top_half: "plat_34.0.cil", <== this 303 # ... 304 # } 305 check_run([ 306 "bpmodify", 307 "-m", module.format(ver=latest_ver), 308 "-property", "top_half", 309 "-str", module.format(ver=target_ver), 310 "-w", 311 bp_path 312 ]) 313 314def get_args(): 315 parser = argparse.ArgumentParser() 316 parser.add_argument( 317 '--branch', 318 required=True, 319 help='Branch to pull build from. e.g. "sc-v2-dev"') 320 parser.add_argument('--build', required=True, help='Build ID, or "latest"') 321 parser.add_argument( 322 '--target-version', 323 required=True, 324 help='Target version of designated mapping file. e.g. "32.0"') 325 parser.add_argument( 326 '--latest-version', 327 required=True, 328 help='Latest version for mapping of newer types. e.g. "31.0"') 329 parser.add_argument( 330 '-v', 331 '--verbose', 332 action='count', 333 default=0, 334 help='Increase output verbosity, e.g. "-v", "-vv".') 335 return parser.parse_args() 336 337 338def main(): 339 args = get_args() 340 341 verbosity = min(args.verbose, 2) 342 logging.basicConfig( 343 format='%(levelname)-8s [%(filename)s:%(lineno)d] %(message)s', 344 level=(logging.WARNING, logging.INFO, logging.DEBUG)[verbosity]) 345 346 global temp_dir 347 temp_dir = tempfile.mkdtemp() 348 349 try: 350 libpath = os.path.join( 351 os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' + SHARED_LIB_EXTENSION) 352 if not os.path.exists(libpath): 353 sys.exit( 354 'Error: libsepolwrap does not exist. Is this binary corrupted?\n' 355 ) 356 357 build_top = get_android_build_top() 358 sepolicy_path = os.path.join(build_top, 'system', 'sepolicy') 359 360 # Step 0. Create a placeholder files and compat modules 361 # These are needed to build base policy files below. 362 compat_bp_path = os.path.join(sepolicy_path, 'compat', 'Android.bp') 363 create_target_compat_modules(compat_bp_path, args.target_version) 364 patch_top_half_of_latest_compat_modules(compat_bp_path, args.latest_version, 365 args.target_version) 366 367 target_compat_path = os.path.join(sepolicy_path, 'private', 'compat', 368 args.target_version) 369 target_mapping_file = os.path.join(target_compat_path, 370 args.target_version + '.cil') 371 target_compat_file = os.path.join(target_compat_path, 372 args.target_version + '.compat.cil') 373 target_ignore_file = os.path.join(target_compat_path, 374 args.target_version + '.ignore.cil') 375 Path(target_compat_path).mkdir(parents=True, exist_ok=True) 376 Path(target_mapping_file).touch() 377 Path(target_compat_file).touch() 378 Path(target_ignore_file).touch() 379 380 # Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes 381 mapping_file = download_mapping_file( 382 args.branch, args.build, args.target_version, destination=temp_dir) 383 mapping_file_cil = mini_parser.MiniCilParser(mapping_file) 384 mapping_file_cil.types = set() 385 mapping_file_cil.typeattributes = set() 386 387 # Step 2. Build base policy files and parse latest mapping files 388 base_policy_path, old_policy_path, pub_policy_cil_path = build_base_files( 389 args.target_version) 390 base_policy = policy.Policy(base_policy_path, None, libpath) 391 old_policy = policy.Policy(old_policy_path, None, libpath) 392 pub_policy_cil = mini_parser.MiniCilParser(pub_policy_cil_path) 393 394 all_types = base_policy.GetAllTypes(False) 395 old_all_types = old_policy.GetAllTypes(False) 396 pub_types = pub_policy_cil.types 397 398 # Step 3. Find new types and removed types 399 new_types = pub_types & (all_types - old_all_types) 400 removed_types = (mapping_file_cil.pubtypes - mapping_file_cil.types) & ( 401 old_all_types - all_types) 402 403 logging.info('new types: %s' % new_types) 404 logging.info('removed types: %s' % removed_types) 405 406 # Step 4. Map new types and removed types appropriately, based on the latest mapping 407 latest_compat_path = os.path.join(sepolicy_path, 'private', 'compat', 408 args.latest_version) 409 latest_mapping_cil = mini_parser.MiniCilParser( 410 os.path.join(latest_compat_path, args.latest_version + '.cil')) 411 latest_ignore_cil = mini_parser.MiniCilParser( 412 os.path.join(latest_compat_path, 413 args.latest_version + '.ignore.cil')) 414 415 latest_ignored_types = list(latest_ignore_cil.rTypeattributesets.keys()) 416 latest_removed_types = latest_mapping_cil.types 417 logging.debug('types ignored in latest policy: %s' % 418 latest_ignored_types) 419 logging.debug('types removed in latest policy: %s' % 420 latest_removed_types) 421 422 target_ignored_types = set() 423 target_removed_types = set() 424 invalid_new_types = set() 425 invalid_mapping_types = set() 426 invalid_removed_types = set() 427 428 logging.info('starting mapping') 429 for new_type in new_types: 430 # Either each new type should be in latest_ignore_cil, or mapped to existing types 431 if new_type in latest_ignored_types: 432 logging.debug('adding %s to ignore' % new_type) 433 target_ignored_types.add(new_type) 434 elif new_type in latest_mapping_cil.rTypeattributesets: 435 latest_mapped_types = latest_mapping_cil.rTypeattributesets[ 436 new_type] 437 target_mapped_types = {change_api_level(t, args.latest_version, 438 args.target_version) 439 for t in latest_mapped_types} 440 logging.debug('mapping %s to %s' % 441 (new_type, target_mapped_types)) 442 443 for t in target_mapped_types: 444 if t not in mapping_file_cil.typeattributesets: 445 logging.error( 446 'Cannot find desired type %s in mapping file' % t) 447 invalid_mapping_types.add(t) 448 continue 449 mapping_file_cil.typeattributesets[t].add(new_type) 450 else: 451 logging.error('no mapping information for new type %s' % 452 new_type) 453 invalid_new_types.add(new_type) 454 455 for removed_type in removed_types: 456 # Removed type should be in latest_mapping_cil 457 if removed_type in latest_removed_types: 458 logging.debug('adding %s to removed' % removed_type) 459 target_removed_types.add(removed_type) 460 else: 461 logging.error('no mapping information for removed type %s' % 462 removed_type) 463 invalid_removed_types.add(removed_type) 464 465 error_msg = '' 466 467 if invalid_new_types: 468 error_msg += ('The following new types were not in the latest ' 469 'mapping: %s\n') % sorted(invalid_new_types) 470 if invalid_mapping_types: 471 error_msg += ( 472 'The following existing types were not in the ' 473 'downloaded mapping file: %s\n') % sorted(invalid_mapping_types) 474 if invalid_removed_types: 475 error_msg += ('The following removed types were not in the latest ' 476 'mapping: %s\n') % sorted(invalid_removed_types) 477 478 if error_msg: 479 error_msg += '\n' 480 error_msg += ('Please make sure the source tree and the build ID is' 481 ' up to date.\n') 482 sys.exit(error_msg) 483 484 # Step 5. Write to system/sepolicy/private/compat 485 with open(target_mapping_file, 'w') as f: 486 logging.info('writing %s' % target_mapping_file) 487 if removed_types: 488 f.write(';; types removed from current policy\n') 489 f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types))) 490 f.write('\n\n') 491 f.write(mapping_cil_footer % args.target_version) 492 f.write(mapping_file_cil.unparse()) 493 494 with open(target_compat_file, 'w') as f: 495 logging.info('writing %s' % target_compat_file) 496 f.write(compat_cil_template % (args.target_version, args.target_version)) 497 498 with open(target_ignore_file, 'w') as f: 499 logging.info('writing %s' % target_ignore_file) 500 f.write(ignore_cil_template % 501 (args.target_version, '\n '.join(sorted(target_ignored_types)))) 502 finally: 503 logging.info('Deleting temporary dir: {}'.format(temp_dir)) 504 shutil.rmtree(temp_dir) 505 506 507if __name__ == '__main__': 508 main() 509