Run apex_sepolicy_tests for all installed APEXes

This is to check if unknown file context labels are used in APEX. The
reason why this is done in Makefile is to cover vendor-specific SE
policy and prebuilt APEXes. Note that there's already a validation check
when building APEXes (in Soong), but it only checks the generic rules,
not vendor-specific ones.

Bug: 299391194
Test: atest apex_sepolicy_tests_test
Test: m
Change-Id: I4378b7530e8433d2bf188db95cb5bf791e3bf778
diff --git a/core/Makefile b/core/Makefile
index 82545de..8184af0 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -4930,6 +4930,50 @@
     $(INTERNAL_PVMFWIMAGE_FILES) \
 
 # -----------------------------------------------------------------
+# Run apex_sepolicy_tests for all installed APEXes
+
+ifeq (,$(TARGET_BUILD_UNBUNDLED))
+intermediate := $(call intermediates-dir-for,PACKAGING,apex_sepolicy_tests)
+apex_dirs := \
+  $(TARGET_OUT)/apex/% \
+  $(TARGET_OUT_SYSTEM_EXT)/apex/% \
+  $(TARGET_OUT_VENDOR)/apex/% \
+  $(TARGET_OUT_PRODUCT)/apex/% \
+
+apex_files := $(sort $(filter $(apex_dirs), $(INTERNAL_ALLIMAGES_FILES)))
+apex_dirs :=
+
+# $1: apex file
+# $2: output file
+define _run_apex_sepolicy_tests
+$2: $1 \
+    $(HOST_OUT_EXECUTABLES)/apex_sepolicy_tests \
+    $(HOST_OUT_EXECUTABLES)/deapexer \
+    $(HOST_OUT_EXECUTABLES)/debugfs_static
+	@rm -rf $$@
+	@mkdir -p $(dir $$@)
+	$(HOST_OUT_EXECUTABLES)/apex_sepolicy_tests --all -f <($(HOST_OUT_EXECUTABLES)/deapexer --debugfs_path $(HOST_OUT_EXECUTABLES)/debugfs_static list -Z $$<)
+	@touch $$@
+endef
+
+# $1: apex file list
+define run_apex_sepolicy_tests
+$(foreach apex_file,$1, \
+  $(eval passfile := $(patsubst $(PRODUCT_OUT)/%,$(intermediate)/%.pass,$(apex_file))) \
+  $(eval $(call _run_apex_sepolicy_tests,$(apex_file),$(passfile))) \
+  $(passfile))
+endef
+
+.PHONY: run_apex_sepolicy_tests
+run_apex_sepolicy_tests: $(call run_apex_sepolicy_tests,$(apex_files))
+
+droid_targets: run_apex_sepolicy_tests
+
+apex_files :=
+intermediate :=
+endif # TARGET_BUILD_UNBUNDLED
+
+# -----------------------------------------------------------------
 # Check VINTF of build
 
 # Note: vendor_dlkm, odm_dlkm, and system_dlkm does not have VINTF files.
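Review bot: The process substitution on the apex_sepolicy_tests line discards the exit status of deapexer, so if deapexer or debugfs_static fails the test reads an empty or truncated file list, can pass vacuously, and the `.pass` stamp is still touched; since this rule is the enforcement point for vendor and prebuilt APEX labels, that failure should be fatal. Materialize the listing first so the chain stops on error: `$(HOST_OUT_EXECUTABLES)/deapexer --debugfs_path $(HOST_OUT_EXECUTABLES)/debugfs_static list -Z $$< > $$@.list && $(HOST_OUT_EXECUTABLES)/apex_sepolicy_tests --all -f $$@.list` (and extend the `rm -rf` line to `$$@ $$@.list`, or remove the list after the check). Separately, `$(dir $$@)` on the mkdir line is, as far as I can tell from GNU make semantics, evaluated during `$(call)` while its argument is still the literal text `$@`, which yields `./` rather than the stamp's directory; `$$(dir $$@)` defers it to recipe time, worth confirming under kati. Process substitution also presumes bash as the recipe shell, which I believe the build sets elsewhere but is not visible in this hunk.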