# Copyright 2018 The Chromium Authors. All rights reserved.
# Distributed under the terms of the GNU General Public License v2.
EAPI=5

# Sources come from the platform2 repository, restricted to the sepolicy
# subtree; incremental builds are enabled for developer iteration.
CROS_WORKON_INCREMENTAL_BUILD=1
CROS_WORKON_LOCALNAME="platform2"
CROS_WORKON_PROJECT="chromiumos/platform2"
CROS_WORKON_SUBTREE="sepolicy"

inherit cros-workon

DESCRIPTION="Chrome OS SELinux Policy Package"
LICENSE="BSD-Google"
SLOT="0"
KEYWORDS="~*"

# android-container-*: which Android container's policy is linked in.
# combine_chromeos_policy (default on): additionally link the Chrome OS
# policy into the Android policy; see src_compile for how each flag is used.
IUSE="android-container-pi android-container-master-arc-dev +combine_chromeos_policy"
# Without combine_chromeos_policy the Android policy is used on its own
# (see src_compile), which only makes sense when exactly one Android
# container is selected. Rejecting the other combinations tells developers
# that disabling combine_chromeos_policy on a non-Android build changes
# nothing.
REQUIRED_USE="
	!combine_chromeos_policy? ( ^^ ( android-container-pi android-container-master-arc-dev ) )
"

# The selected container package provides the intermediate .cil and
# file_contexts inputs that src_compile reads from ${SYSROOT}.
DEPEND="
	android-container-pi? ( chromeos-base/android-container-pi:0= )
	android-container-master-arc-dev? ( chromeos-base/android-container-master-arc-dev:0= )
"

# The Android N container ships an Android-only policy (see the comment in
# src_compile) and cannot be installed together with this package.
RDEPEND="
	${DEPEND}
	!!chromeos-base/android-container-nyc
"
# Policy database version handed to checkpolicy and secilc, and the name of
# the binary policy that secilc writes and src_install installs.
SELINUX_VERSION="30"
SEPOLICY_FILENAME="policy.${SELINUX_VERSION}"

# MLS sensitivity and category counts; passed to m4 as mls_num_sens and
# mls_num_cats when the policy sources are expanded.
MLS_NUM_SENS=1
MLS_NUM_CATS=1024

# find(1) -name patterns for the policy source files, in the order in which
# build_cil concatenates them into policy.conf. Keep this order: m4 macros
# and declarations must be defined before the *.te files that use them.
CHROME_POLICY_FILES_PATTERN=(
	# classes, permissions and macros
	security_classes
	initial_sids
	access_vectors
	global_macros
	chromeos_macros
	neverallow_macros
	mls_macros
	mls_decl
	mls
	te_macros
	attributes
	ioctl_defines
	ioctl_macros
	# the type enforcement rules themselves
	"*.te"
	# roles, users and initial/filesystem contexts
	roles_decl
	roles
	users
	initial_sid_contexts
	fs_use
	genfs_contexts
)
# Intermediate CIL files and arc_file_contexts produced by the
# android-container-* package from DEPEND.
SEPATH="${SYSROOT}/etc/selinux/intermediates/"

# secilc options shared by every policy build in src_compile.
#   -M true  build an MLS policy
#   -G       expand and remove auto-generated attributes
#   -N       ignore neverallow rules; the Android build checks its own
#            policy. NOTE(review): for the Chrome OS-only build it is not
#            obvious from this ebuild where the Chrome OS neverallow rules
#            are checked -- confirm they are enforced elsewhere.
#   -m       allow multiple declarations (rules come from several sources)
#   -c       policy database version
#   -o       binary policy output
#   -f       file_contexts output; discarded here because src_compile
#            assembles file_contexts from the source files itself
SECILC_ARGS=(
	-M true -G -N -m
	-c "${SELINUX_VERSION}"
	-o "${SEPOLICY_FILENAME}"
	-f /dev/null
)
#######################################
# Drop from stdin every line that appears verbatim in the file $1, then drop
# CIL comment lines (those starting with ';'). Removing the comments is
# required so that unmatched line markers do not survive once the base
# policy definitions have been filtered out.
# Arguments: $1 - file whose lines are removed from stdin
# Outputs:   the filtered lines on stdout
# Returns:   grep's status; non-zero when nothing is left
#######################################
filter_file_line_by_line() {
	local -r exclude_list="$1"
	grep --fixed-strings --line-regexp --invert-match --file="${exclude_list}" \
		| grep --invert-match '^;'
}
# True when any Android container USE flag is enabled.
has_arc() {
	local flag
	for flag in android-container-pi android-container-master-arc-dev; do
		if use "${flag}"; then
			return 0
		fi
	done
	return 1
}
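#######################################
# Build a SELinux CIL file from the policy sources under the given
# directories: collect the files matching CHROME_POLICY_FILES_PATTERN
# (pattern by pattern, so macros precede the *.te rules), expand them with
# m4 into a monolithic policy.conf, and compile that to CIL with checkpolicy.
# Globals:   CHROME_POLICY_FILES_PATTERN, MLS_NUM_SENS, MLS_NUM_CATS,
#            SELINUX_VERSION (all read)
# Arguments: $1   - output CIL path; "$1.conf" is written next to it
#            $2.. - directories searched for policy source files
# Outputs:   "$1.conf" and "$1"
# Returns:   0 on success; dies on any failure
#######################################
build_cil() {
	local output="$1"
	shift
	local policy_files=()
	local pattern path file
	for pattern in "${CHROME_POLICY_FILES_PATTERN[@]}"; do
		for path in "$@"; do
			# find(1) returns entries in filesystem order, which differs between
			# builders; sort so policy.conf is reproducible.
			while read -r -d '' file; do
				policy_files+=("${file}")
			done < <(find "${path}" -xtype f -name "${pattern}" -print0 | LC_ALL=C sort -z)
		done
	done
	# Without inputs m4 would read stdin and produce an empty policy.conf;
	# fail early with a useful message instead.
	[[ "${#policy_files[@]}" -gt 0 ]] || die "no policy files found under: $*"

	# arc_version is exposed to the m4 sources (presumably to gate
	# Android-version-specific rules).
	local arc_version="none"
	if use android-container-pi; then
		arc_version="p"
	elif use android-container-master-arc-dev; then
		arc_version="master"
	fi

	m4 "-Dmls_num_sens=${MLS_NUM_SENS}" "-Dmls_num_cats=${MLS_NUM_CATS}" \
		"-Darc_version=${arc_version}" \
		-s "${policy_files[@]}" > "${output}.conf" \
		|| die "failed to generate ${output}.conf"
	checkpolicy -M -C -c "${SELINUX_VERSION}" "${output}.conf" \
		-o "${output}" || die "failed to build ${output}"
}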
# Build android_reqd.cil: the base policy plus the mask-only rules, i.e. the
# definitions that build_chromeos_policy later removes from the raw
# Chrome OS policy.
build_android_reqd_cil() {
	local -r output="android_reqd.cil"
	local -ra source_dirs=("sepolicy/policy/base/" "sepolicy/policy/mask_only/")
	build_cil "${output}" "${source_dirs[@]}"
}
# Build the Chrome OS CIL policy. android_reqd.cil (base + mask-only rules)
# and chromeos.raw.cil (base + Chrome OS rules) are built first; chromeos.cil
# is chromeos.raw.cil with every line also present in android_reqd.cil
# removed, so it can be linked on top of the Android policy in src_compile.
# Dies if the filtering step fails.
build_chromeos_policy() {
	local -r base_dir="sepolicy/policy/base/"
	build_android_reqd_cil
	build_cil "chromeos.raw.cil" "${base_dir}" "sepolicy/policy/chromeos/"
	if ! filter_file_line_by_line android_reqd.cil < chromeos.raw.cil > chromeos.cil; then
		die "failed to convert raw cil to filtered cil"
	fi
}
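#######################################
# Compile the binary policy (${SEPOLICY_FILENAME}) and assemble file_contexts
# in the work directory. With an Android container the intermediate CIL files
# from ${SEPATH} are linked, optionally together with the filtered Chrome OS
# policy; without one only the raw Chrome OS policy is compiled.
# Globals:   SEPATH, SECILC_ARGS (read)
# Outputs:   ${SEPOLICY_FILENAME}, file_contexts, and the .cil files produced
#            by build_chromeos_policy
# Returns:   0 on success; dies on any failure
#######################################
src_compile() {
	build_chromeos_policy
	if has_arc; then
		# Android intermediates built by the android-container-* package.
		local -a android_cil=(
			"${SEPATH}/plat_sepolicy.cil"
			"${SEPATH}/mapping.cil"
			"${SEPATH}/plat_pub_versioned.cil"
			"${SEPATH}/vendor_sepolicy.cil"
		)
		if use combine_chromeos_policy; then
			einfo "combining Chrome OS and Android SELinux policy"
			# chromeos.cil has the lines shared with android_reqd.cil removed
			# (see build_chromeos_policy), so it links on top of the Android CIL.
			secilc "${SECILC_ARGS[@]}" "${android_cil[@]}" chromeos.cil \
				|| die "fail to build sepolicy"
		else
			einfo "use ARC++ policy"
			secilc "${SECILC_ARGS[@]}" "${android_cil[@]}" \
				|| die "fail to build sepolicy"
		fi
		# arc_file_contexts lives in the same intermediates directory as the
		# CIL files above, so use SEPATH for it as well.
		cat "sepolicy/file_contexts/chromeos_file_contexts" \
			"${SEPATH}/arc_file_contexts" \
			> file_contexts \
			|| die "failed to combine *_file_contexts files"
	else
		# Chrome OS without ARC++ only. Chrome OS with Android N doesn't
		# fall here. Chrome OS with Android N currently has Android
		# policy only. The raw (unfiltered) policy is compiled because there
		# is no Android policy to link against.
		einfo "Use Chrome OS-only SELinux policy."
		secilc "${SECILC_ARGS[@]}" chromeos.raw.cil || die "fail to build sepolicy"
		cp "sepolicy/file_contexts/chromeos_file_contexts" file_contexts \
			|| die "didn't find chromeos_file_contexts for file_contexts"
	fi
}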
#######################################
# Install file_contexts, the SELinux config and the compiled policy; with an
# Android container also install the filtered Chrome OS CIL.
# Globals:   FILESDIR, SEPOLICY_FILENAME (read)
#######################################
src_install() {
	local -r contexts_dir="/etc/selinux/arc/contexts/files/"
	local -r policy_dir="/etc/selinux/arc/policy"

	insinto "${contexts_dir}"
	doins file_contexts

	insinto /etc/selinux/
	newins "${FILESDIR}/selinux_config" config

	insinto "${policy_dir}"
	doins "${SEPOLICY_FILENAME}"

	if ! has_arc; then
		return 0
	fi
	# Install ChromeOS cil so push_to_device.py can compile a new
	# version of SELinux policy.
	insinto /etc/selinux/intermediates.raw/
	doins chromeos.cil
}