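#!/bin/bash
#
# Generates Android.bp and crosvm_seccomp_policy_product_packages.mk for the
# crosvm seccomp policy directory (this directory plus its per-arch subdirs).
#
# This script must be run from the directory it lives in,
# ${ANDROID_BUILD_TOP}/external/crosvm/jail/seccomp; check_location enforces
# that and aborts with status 10 otherwise.
#
# Required env: ANDROID_BUILD_TOP
#
set -o errexit -o pipefail

readonly DIR="${ANDROID_BUILD_TOP}/external/crosvm/jail/seccomp"
readonly my_name=${0##*/}
# Every arch a blueprint "arch:"/"target:" block may name.
readonly all_archs=("x86_64" "aarch64" "arm" "x86" "riscv64")
# Archs that actually ship seccomp policy subdirectories here.
readonly seccomp_archs=("x86_64" "aarch64")

#######################################
# Strip one trailing "/" from a path, keeping a bare "/" intact.
# Arguments: $1 - path
# Outputs:   normalised path on stdout
#######################################
remove_trailing_slash() {
  local path=$1
  if [[ "$path" == "/" ]]; then
    # Fixed: the original echoed an undefined $i here and printed nothing.
    printf '%s\n' "/"
  else
    printf '%s\n' "${path%/}"
  fi
}

#######################################
# Abort unless the current directory is the script's own directory.
# Globals:   DIR, my_name, PWD
# Outputs:   diagnostics on stderr
# Returns:   0 when in place; exits 10 otherwise
#######################################
check_location() {
  local my_loc my_pwd
  if [[ -z "${ANDROID_BUILD_TOP:-}" ]]; then
    printf '%s: ANDROID_BUILD_TOP is not set\n' "$my_name" >&2
    exit 10
  fi
  # Assign separately from 'local' so a realpath failure is not masked.
  my_loc=$(realpath "$DIR") || {
    printf '%s: cannot resolve %s\n' "$my_name" "$DIR" >&2
    exit 10
  }
  my_loc=$(remove_trailing_slash "$my_loc")
  my_pwd=$(realpath "$PWD")
  my_pwd=$(remove_trailing_slash "$my_pwd")
  if [[ "$my_loc" != "$my_pwd" ]]; then
    printf '%s\n%s\n' "$my_loc" "$my_pwd" >&2
    printf '%s\n' "the script location must be run where the script is located" >&2
    exit 10
  fi
}

#######################################
# Arch directory name used for host installs: e.g. ${ARCH}-linux-gnu
# Arguments: $1 - seccomp arch name
# Outputs:   directory name on stdout
#######################################
get_arch_dir() {
  local arch=$1
  local -r suffix="-linux-gnu"
  printf '%s%s\n' "$arch" "$suffix"
}

#######################################
# Map a seccomp arch name to the blueprint arch name.
# Arguments: $1 - seccomp arch name
# Outputs:   blueprint arch name on stdout ("aarch64" -> "arm64", else unchanged)
#######################################
get_bp_arch() {
  local arch=$1
  if [[ "$arch" == "aarch64" ]]; then
    printf '%s\n' "arm64"
  else
    printf '%s\n' "$arch"
  fi
}

#######################################
# Return 0 if $1 equals one of the remaining arguments, 1 otherwise.
# Arguments: $1 - needle; $2.. - haystack
#######################################
contains() {
  local needle=$1 item
  shift
  for item in "$@"; do
    if [[ "$item" == "$needle" ]]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Enumerate the per-device policy files in one arch directory.
#
# Excluded names are the non-policy file, the non-root policies that
# policy-inliner.sh splices into the others, and root policies that are not
# packaged yet.  Dotfiles are skipped, as with the plain "ls" this replaces.
#
# The directory is checked first: the previous "pushd ... ; ls" ran in a
# command substitution where errexit is not inherited, so a missing arch
# directory silently listed the current directory instead.
#
# Arguments: $1 - seccomp dir to scan (an arch subdirectory)
# Outputs:   one file name per line on stdout
# Returns:   0, or 1 (with a message on stderr) if $1 is not a directory
#######################################
scan_policy_name() {
  local seccomp_dir=$1
  local -A hidden=(
    # Not policy files.
    [constants.json]=1
    # Non-root policy files.
    [common_device.policy]=1
    [common_device.frequency]=1
    [gpu_common.policy]=1
    [serial.policy]=1
    [net.policy]=1
    [block.policy]=1
    [vhost_user.policy]=1
    [vhost_vsock.policy]=1
    # Root policy files we don't need yet.
    [net_device_vhost_user.policy]=1
    [swap_monitor.policy]=1
    [vhost_vsock_device_vhost_user.policy]=1
  )
  local path name
  if [[ ! -d "$seccomp_dir" ]]; then
    printf '%s: not a directory: %s\n' "$my_name" "$seccomp_dir" >&2
    return 1
  fi
  for path in "$seccomp_dir"/*; do
    # An unmatched glob stays literal; -L keeps dangling symlinks like ls did.
    [[ -e "$path" || -L "$path" ]] || continue
    name=${path##*/}
    if [[ -n "${hidden[$name]:-}" ]]; then
      continue
    fi
    printf '%s\n' "$name"
  done
}

#######################################
# Print one "<policy file> <arch>" pair per line for every policy file found
# under each given arch directory.  Policy file names are assumed to contain
# no whitespace (the caller splits on it).
# Arguments: $@ - seccomp archs
# Outputs:   pairs on stdout
#######################################
list_policy_archs() {
  local arch name
  for arch in "$@"; do
    while IFS= read -r name; do
      printf '%s %s\n' "$name" "$arch"
    done < <(scan_policy_name "$arch")
  done
}

#######################################
# Emit the Apache-2.0 header for a generated file.
# Globals:   my_name
# Arguments: $1 - comment leader (default "//"); $2 - year (default "2020")
# Outputs:   header on stdout
#######################################
gen_license() {
  local cchars=${1:-"//"}
  local year=${2:-"2020"}
cat <<EOF
${cchars} Autogenerated via ${my_name}
${cchars}
${cchars} Copyright (C) ${year} The Android Open Source Project
${cchars}
${cchars} Licensed under the Apache License, Version 2.0 (the "License");
${cchars} you may not use this file except in compliance with the License.
${cchars} You may obtain a copy of the License at
${cchars}
${cchars}      http://www.apache.org/licenses/LICENSE-2.0
${cchars}
${cchars} Unless required by applicable law or agreed to in writing, software
${cchars} distributed under the License is distributed on an "AS IS" BASIS,
${cchars} WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
${cchars} See the License for the specific language governing permissions and
${cchars} limitations under the License.

${cchars} DO NOT MODIFY DIRECTLY, ALL CHANGES WILL BE OVERWRITTEN BY ${my_name}

EOF
}

#######################################
# Emit the fixed part of Android.bp: license package, the detect_duplication
# tool and one genrule_defaults per seccomp arch.  The "\$(...)" escapes are
# deliberate: they must reach the blueprint as literal $(location ...).
# The aarch64 defaults pass DOESNT_EXIST for policies that have no aarch64
# file; whether policy-inliner.sh tolerates that is not visible from here.
# Outputs:   blueprint text on stdout
#######################################
gen_blueprint_boilerplate() {
cat <<EOF
package {
    // See: http://go/android-license-faq
    // A large-scale-change added 'default_applicable_licenses' to import
    // all of the 'license_kinds' from "external_crosvm_license"
    // to get the below license kinds:
    //   SPDX-license-identifier-Apache-2.0
    //   SPDX-license-identifier-BSD
    default_applicable_licenses: ["external_crosvm_license"],
}

python_binary_host {
    name: "detect_duplication",
    main: "detect_duplication.py",
    srcs: [
        "detect_duplication.py",
    ],
}

genrule_defaults {
    name: "crosvm_inline_seccomp_policy_x86_64",
    cmd: "set -o pipefail; \$(location policy-inliner.sh) \$(location x86_64/common_device.policy) \$(location x86_64/gpu_common.policy) \$(location x86_64/serial.policy) \$(location x86_64/net.policy) \$(location x86_64/block.policy) \$(location x86_64/vhost_user.policy) \$(location x86_64/vhost_vsock.policy) < \$(in) | \$(location detect_duplication) > \$(out)",
    tools: [
        "detect_duplication",
    ],
    tool_files: [
        "policy-inliner.sh",
        "x86_64/common_device.policy",
        "x86_64/gpu_common.policy",
        "x86_64/serial.policy",
        "x86_64/net.policy",
        "x86_64/block.policy",
        "x86_64/vhost_user.policy",
        "x86_64/vhost_vsock.policy",
    ],
}

genrule_defaults {
    name: "crosvm_inline_seccomp_policy_aarch64",
    cmd: "set -o pipefail; \$(location policy-inliner.sh) \$(location aarch64/common_device.policy) \$(location aarch64/gpu_common.policy) \$(location aarch64/serial.policy) \$(location aarch64/net.policy) DOESNT_EXIST DOESNT_EXIST DOESNT_EXIST DOESNT_EXIST < \$(in) | \$(location detect_duplication) > \$(out)",
    tools: [
        "detect_duplication",
    ],
    tool_files: [
        "policy-inliner.sh",
        "aarch64/common_device.policy",
        "aarch64/gpu_common.policy",
        "aarch64/serial.policy",
        "aarch64/net.policy",
    ],
}

EOF
}

# Emit the genrule that inlines one policy file for one arch.
emit_inline_genrule() {
  local file=$1 arch=$2
  printf 'genrule {\n'
  printf '    name: "%s_inline_%s",\n' "$file" "$arch"
  printf '    defaults: ["crosvm_inline_seccomp_policy_%s"],\n' "$arch"
  printf '    out: ["%s"],\n' "$file"
  printf '    srcs: ["%s/%s"],\n' "$arch" "$file"
  printf '}\n\n'
}

# Emit the host-side prebuilt that installs one inlined policy for one arch.
emit_host_prebuilt() {
  local file=$1 arch=$2
  printf 'prebuilt_usr_share_host {\n'
  printf '    name: "%s_%s",\n' "$file" "$arch"
  printf '    filename: "%s",\n' "$file"
  printf '    relative_install_path: "crosvm/%s/seccomp",\n' "$(get_arch_dir "$arch")"
  printf '    src: ":%s_inline_%s",\n' "$file" "$arch"
  printf '}\n\n'
}

# Emit the device prebuilt_etc for one policy: per-arch sources for the archs
# that have the file, and "enabled: false" targets for every other arch.
emit_prebuilt_etc() {
  local file=$1
  shift
  local -a enabled=("$@") disabled_archs=()
  local arch bp_arch
  printf 'prebuilt_etc {\n'
  printf '    name: "%s",\n' "$file"
  printf '    relative_install_path: "seccomp_policy/crosvm",\n'
  printf '    arch: {\n'
  for arch in "${enabled[@]}"; do
    bp_arch=$(get_bp_arch "$arch")
    printf '        %s: {\n' "$bp_arch"
    printf '            src: ":%s_inline_%s",\n' "$file" "$arch"
    printf '        },\n'
  done
  printf '    },\n'
  # Exact-match set difference.  The old substring removal
  # ("${disabled_archs[@]/$arch}") would have turned "x86_64" into "_64"
  # had "x86" ever been an enabled arch.
  for arch in "${all_archs[@]}"; do
    contains "$arch" "${enabled[@]}" || disabled_archs+=("$arch")
  done
  printf '    target: {\n'
  for arch in "${disabled_archs[@]}"; do
    bp_arch=$(get_bp_arch "$arch")
    printf '        android_%s: {\n' "$bp_arch"
    printf '            enabled: false,\n'
    printf '        },\n'
  done
  printf '    },\n'
  printf '}\n\n'
}

#######################################
# Emit the per-policy blueprint modules for the given archs.
# Globals:   all_archs
# Arguments: $@ - seccomp archs to scan
# Outputs:   blueprint text on stdout
#######################################
gen_blueprint_arch_policy_files() {
  local -A policy_genrules=()
  local name arch file
  local -a files enabled
  while read -r name arch; do
    policy_genrules[$name]+=" $arch"
  done < <(list_policy_archs "$@")
  (( ${#policy_genrules[@]} )) || return 0

  # Bash does not order associative keys; sort so the generated file is
  # reproducible across runs.
  mapfile -t files < <(printf '%s\n' "${!policy_genrules[@]}" | LC_ALL=C sort)
  for file in "${files[@]}"; do
    read -ra enabled <<<"${policy_genrules[$file]}"
    for arch in "${enabled[@]}"; do
      emit_inline_genrule "$file" "$arch"
      # No host install for 32-bit arm.
      if [[ "$arch" != "arm" ]]; then
        emit_host_prebuilt "$file" "$arch"
      fi
    done
    emit_prebuilt_etc "$file" "${enabled[@]}"
  done
}

#######################################
# Emit the makefile fragment listing every policy module as a product package.
# Arguments: $@ - seccomp archs to scan
# Outputs:   makefile text on stdout
#######################################
gen_crosvm_seccomp_policy_product_packages_mk_fragment() {
  local -A policy_genrules=()
  local name arch file
  while read -r name arch; do
    policy_genrules[$name]+=" $arch"
  done < <(list_policy_archs "$@")

  printf 'PRODUCT_PACKAGES += \\\n'
  for file in "${!policy_genrules[@]}"; do
    printf '    %s \\\n' "$file"
  done | LC_ALL=C sort
  printf '\n'

  printf '# TODO: Remove this when crosvm is added to generic system image\n'
  printf 'PRODUCT_ARTIFACT_PATH_REQUIREMENT_ALLOWED_LIST += \\\n'
  for file in "${!policy_genrules[@]}"; do
    printf '    system/etc/seccomp_policy/crosvm/%s \\\n' "$file"
  done | LC_ALL=C sort
}

#######################################
# Print, for a human to paste, the host policy lists per arch.
# Arguments: $@ - seccomp archs to scan
# Outputs:   instructions on stdout
#######################################
print_host_seccomp_policy_lists() {
  local arch name
  printf 'Please update the following blocks in device/google/cuttlefish/build/Android.bp:\n'
  for arch in "$@"; do
    printf '\ncvd_host_seccomp_policy_%s = [\n' "$arch"
    while IFS= read -r name; do
      printf '    "%s_%s",\n' "$name" "$arch"
    done < <(scan_policy_name "$arch") | LC_ALL=C sort
    printf ']\n'
  done
}

main() {
  check_location
  gen_license >Android.bp
  gen_license '#' >crosvm_seccomp_policy_product_packages.mk
  gen_blueprint_boilerplate >>Android.bp
  gen_blueprint_arch_policy_files "${seccomp_archs[@]}" >>Android.bp
  gen_crosvm_seccomp_policy_product_packages_mk_fragment \
    "${seccomp_archs[@]}" >>crosvm_seccomp_policy_product_packages.mk
  print_host_seccomp_policy_lists "${seccomp_archs[@]}"
}

main "$@"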