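#!/bin/bash
#
# This script must be run in the location of the script!
#
# This script generates Android.bp files for this and all subdirs of this
#
# Required env: ANDROID_BUILD_TOP (root of the Android tree).  The generator
# writes its output relative to the cwd, so check_location refuses to run
# anywhere but the directory DIR points at.
DIR="${ANDROID_BUILD_TOP}/external/crosvm/jail/seccomp"

#######################################
# Strip one trailing slash from a path; a bare "/" is returned unchanged.
# Arguments: $1 - path
# Outputs:   the normalised path on stdout
#######################################
function remove_trailing_slash {
  if [[ "$1" == "/" ]]; then
    # Previously echoed an undefined $i here, so "/" came back as an
    # empty line instead of "/".
    printf '%s\n' "$1"
  else
    printf '%s\n' "${1%/}"
  fi
}

set -o errexit

#######################################
# Abort unless the current directory is DIR (both resolved via realpath).
# Globals:   DIR (read)
# Outputs:   diagnostics on stderr
# Returns:   exits 10 when the cwd does not match, or DIR cannot be resolved
#######################################
function check_location() {
  local my_loc my_pwd
  # Declaration and assignment are separate so a realpath failure is not
  # masked by the exit status of `local`.
  my_loc=$(realpath -- "${DIR}") || {
    >&2 echo "cannot resolve ${DIR}; is ANDROID_BUILD_TOP set?"
    exit 10
  }
  my_loc=$(remove_trailing_slash "${my_loc}")

  my_pwd=$(realpath -- "$PWD")
  my_pwd=$(remove_trailing_slash "${my_pwd}")
  if [[ "${my_loc}" != "${my_pwd}" ]]; then
    # Diagnostics go to stderr so they never end up in a redirected output.
    >&2 echo "${my_loc}"
    >&2 echo "${my_pwd}"
    >&2 echo "the script location must be run where the script is located"
    exit 10
  fi
}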
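
my_name=$(basename -- "$0")
# Every arch Soong knows about; archs that do not ship a given policy get an
# explicit `enabled: false` in that policy's generated prebuilt_etc.
all_archs=("x86_64" "aarch64" "arm" "x86" "riscv64")
# Archs that actually have a seccomp policy directory here.
seccomp_archs=("x86_64" "aarch64")

# define arch dir pattern: e.g. ${ARCH}-linux-gnu
#
# Arguments: $1 - seccomp arch name
# Outputs:   the per-arch install directory name on stdout
function get_arch_dir() {
  local suffix="-linux-gnu"
  local arch=$1
  printf '%s\n' "${arch}${suffix}"
}

# convert seccomp arch to bp arch
#
# Arguments: $1 - seccomp arch name; only aarch64 differs (Soong calls it arm64)
# Outputs:   the Soong arch name on stdout
function get_bp_arch() {
  if [[ "$1" == "aarch64" ]]; then
    echo "arm64"
  else
    echo "$1"
  fi
}

# utility function to enumerate policy files
#
# 1: seccomp dir to scan
#
# Outputs:   one policy file name per line on stdout.  Names come straight
#            from the directory listing, so callers assume none contain a
#            newline.
# Returns:   1 (with a message on stderr) if the directory cannot be entered
function scan_policy_name() {
  local seccomp_dir=$1
  (
    # Subshell: the cd must not leak into the caller.  Entering the directory
    # is checked explicitly: command substitutions do not inherit errexit by
    # default, so a failed pushd used to be swallowed and ls then listed the
    # caller's own directory as if it were policy files.
    cd -- "${seccomp_dir}" 2>/dev/null || {
      >&2 echo "${my_name}: cannot enter seccomp dir '${seccomp_dir}'"
      exit 1
    }
    local -a hidden=(
      # Not policy files.
      --hide=constants.json
      # Non-root policy files.
      --hide=common_device.policy
      --hide=common_device.frequency
      --hide=gpu_common.policy
      --hide=serial.policy
      --hide=net.policy
      --hide=block.policy
      --hide=vhost_user.policy
      --hide=vhost_vsock.policy
      # Root policy files we don't need yet.
      --hide=net_device_vhost_user.policy
      --hide=swap_monitor.policy
      --hide=vhost_vsock_device_vhost_user.policy
    )
    # --hide is GNU ls; -1 prints one name per line for the callers to split.
    ls "${hidden[@]}" -1
  )
}

#######################################
# Print the license header for a generated file.
# Globals:   my_name (read)
# Arguments: $1 - comment leader (default "//")
#            $2 - copyright year (default "2020")
# Outputs:   the header on stdout
#######################################
function gen_license() {
  local cchars=${1:-"//"}
  local year=${2:-"2020"}
  cat <<EOF
${cchars} Autogenerated via ${my_name}
${cchars}
${cchars} Copyright (C) ${year} The Android Open Source Project
${cchars}
${cchars} Licensed under the Apache License, Version 2.0 (the "License");
${cchars} you may not use this file except in compliance with the License.
${cchars} You may obtain a copy of the License at
${cchars}
${cchars}      http://www.apache.org/licenses/LICENSE-2.0
${cchars}
${cchars} Unless required by applicable law or agreed to in writing, software
${cchars} distributed under the License is distributed on an "AS IS" BASIS,
${cchars} WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
${cchars} See the License for the specific language governing permissions and
${cchars} limitations under the License.

${cchars} DO NOT MODIFY DIRECTLY, ALL CHANGES WILL BE OVERWRITTEN BY ${my_name}

EOF
}

#######################################
# Print the fixed part of Android.bp: package license, the detect_duplication
# host tool and one genrule_defaults per seccomp arch.
# Outputs:   Blueprint text on stdout
#
# The heredoc delimiter is quoted, so every `$(location ...)` is literal and
# no longer needs backslash escaping.
# NOTE(review): the aarch64 cmd passes four DOESNT_EXIST placeholders where
# x86_64 passes three real files (block, vhost_user, vhost_vsock); confirm
# against the argument list policy-inliner.sh expects.
#######################################
function gen_blueprint_boilerplate() {
  cat <<'EOF'
package {
    // See: http://go/android-license-faq
    // A large-scale-change added 'default_applicable_licenses' to import
    // all of the 'license_kinds' from "external_crosvm_license"
    // to get the below license kinds:
    //   SPDX-license-identifier-Apache-2.0
    //   SPDX-license-identifier-BSD
    default_applicable_licenses: ["external_crosvm_license"],
}

python_binary_host {
    name: "detect_duplication",
    main: "detect_duplication.py",
    srcs: [
        "detect_duplication.py",
    ],
}

genrule_defaults {
    name: "crosvm_inline_seccomp_policy_x86_64",
    cmd: "set -o pipefail; $(location policy-inliner.sh) $(location x86_64/common_device.policy) $(location x86_64/gpu_common.policy) $(location x86_64/serial.policy) $(location x86_64/net.policy) $(location x86_64/block.policy) $(location x86_64/vhost_user.policy) $(location x86_64/vhost_vsock.policy) < $(in) | $(location detect_duplication) > $(out)",
    tools: [
        "detect_duplication",
    ],
    tool_files: [
        "policy-inliner.sh",
        "x86_64/common_device.policy",
        "x86_64/gpu_common.policy",
        "x86_64/serial.policy",
        "x86_64/net.policy",
        "x86_64/block.policy",
        "x86_64/vhost_user.policy",
        "x86_64/vhost_vsock.policy",
    ],
}

genrule_defaults {
    name: "crosvm_inline_seccomp_policy_aarch64",
    cmd: "set -o pipefail; $(location policy-inliner.sh) $(location aarch64/common_device.policy) $(location aarch64/gpu_common.policy) $(location aarch64/serial.policy) $(location aarch64/net.policy) DOESNT_EXIST DOESNT_EXIST DOESNT_EXIST DOESNT_EXIST < $(in) | $(location detect_duplication) > $(out)",
    tools: [
        "detect_duplication",
    ],
    tool_files: [
        "policy-inliner.sh",
        "aarch64/common_device.policy",
        "aarch64/gpu_common.policy",
        "aarch64/serial.policy",
        "aarch64/net.policy",
    ],
}

EOF
}

#######################################
# Emit the Soong modules for every policy file found under the given archs:
# a genrule (+ prebuilt_usr_share_host, except for arm) per (file, arch) and
# one prebuilt_etc per file that enables only the archs which ship it.
# Globals:   all_archs (read)
# Arguments: $@ - seccomp archs whose directories are scanned (relative to cwd)
# Outputs:   Blueprint text on stdout
#######################################
function gen_blueprint_arch_policy_files() {
  local archs=("$@")
  local arch file base_name bp_arch
  local -a files
  # policy file name -> space-separated list of archs that ship it
  declare -A policy_genrules
  for arch in "${archs[@]}"; do
    mapfile -t files < <(scan_policy_name "${arch}")
    for file in "${files[@]}"; do
      base_name=${file##*/}
      policy_genrules[$base_name]+=" $arch"
    done
  done
  for file in "${!policy_genrules[@]}"; do
    # The arch list is a space-separated string, so word splitting is intended.
    for arch in ${policy_genrules[$file]}; do
      echo "genrule {"
      echo "    name: \"${file}_inline_${arch}\","
      echo "    defaults: [\"crosvm_inline_seccomp_policy_${arch}\"],"
      echo "    out: [\"${file}\"],"
      echo "    srcs: [\"${arch}/${file}\"],"
      echo "}"
      echo
      if [[ "$arch" != "arm" ]]; then
        echo "prebuilt_usr_share_host {"
        echo "    name: \"${file}_${arch}\","
        echo "    filename: \"${file}\","
        echo "    relative_install_path: \"crosvm/$(get_arch_dir "${arch}")/seccomp\","
        echo "    src: \":${file}_inline_${arch}\","
        echo "}"
        echo
      fi
    done
    echo "prebuilt_etc {"
    echo "    name: \"${file}\","
    echo "    relative_install_path: \"seccomp_policy/crosvm\","
    echo "    arch: {"
    for arch in ${policy_genrules[$file]}; do
      bp_arch=$(get_bp_arch "${arch}")
      echo "        ${bp_arch}: {"
      echo "            src: \":${file}_inline_${arch}\","
      echo "        },"
    done
    echo "    },"
    echo "    target: {"
    # Disable every arch that does not ship this policy.  Match whole list
    # entries: the previous substring deletion ("${list/$arch}") removed the
    # "x86" inside "x86_64" whenever x86 was enabled, leaving a bogus "_64".
    for arch in "${all_archs[@]}"; do
      case " ${policy_genrules[$file]} " in
        *" ${arch} "*) continue ;;
      esac
      bp_arch=$(get_bp_arch "${arch}")
      echo "        android_${bp_arch}: {"
      echo "            enabled: false,"
      echo "        },"
    done
    echo "    },"
    echo "}"
    echo
  done
}

#######################################
# Emit the makefile fragment that adds every policy to PRODUCT_PACKAGES and
# to the artifact-path allow list.
# Arguments: $@ - seccomp archs whose directories are scanned (relative to cwd)
# Outputs:   makefile text on stdout
#######################################
function gen_crosvm_seccomp_policy_product_packages_mk_fragment() {
  local archs=("$@")
  local arch file
  local -a files
  # policy file name -> space-separated list of archs that ship it
  declare -A policy_genrules
  for arch in "${archs[@]}"; do
    mapfile -t files < <(scan_policy_name "${arch}")
    for file in "${files[@]}"; do
      policy_genrules[${file##*/}]+=" $arch"
    done
  done
  # LC_ALL=C keeps the generated order identical regardless of the
  # developer's locale, so re-running the generator does not churn the file.
  echo "PRODUCT_PACKAGES += \\"
  for file in "${!policy_genrules[@]}"; do
    echo "    ${file} \\"
  done | LC_ALL=C sort
  echo

  echo "# TODO: Remove this when crosvm is added to generic system image"
  echo "PRODUCT_ARTIFACT_PATH_REQUIREMENT_ALLOWED_LIST += \\"
  for file in "${!policy_genrules[@]}"; do
    echo "    system/etc/seccomp_policy/crosvm/${file} \\"
  done | LC_ALL=C sort
}

#######################################
# Print, for a human to copy, the per-arch host policy lists that must be
# kept in sync in device/google/cuttlefish/build/Android.bp.
# Arguments: $@ - seccomp archs whose directories are scanned (relative to cwd)
# Outputs:   the lists on stdout
#######################################
function print_host_seccomp_policy_lists() {
  local archs=("$@")
  local arch file
  local -a files
  echo "Please update the following blocks in device/google/cuttlefish/build/Android.bp:"
  for arch in "${archs[@]}"; do
    echo
    echo "cvd_host_seccomp_policy_${arch} = ["
    mapfile -t files < <(scan_policy_name "${arch}")
    for file in "${files[@]}"; do
      echo "    \"${file}_${arch}\","
    done | LC_ALL=C sort
    echo "]"
  done
}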

# main
#
# Refuse to run outside DIR first: every path below is relative to the cwd,
# so a wrong cwd would drop generated files into an unrelated directory.
check_location
# Android.bp: license header, fixed boilerplate, then the per-policy modules.
gen_license >Android.bp
gen_blueprint_boilerplate >>Android.bp
gen_blueprint_arch_policy_files "${seccomp_archs[@]}" >>Android.bp
# Makefile fragment uses '#' as its comment leader.
gen_license '#' >crosvm_seccomp_policy_product_packages.mk
gen_crosvm_seccomp_policy_product_packages_mk_fragment \
  "${seccomp_archs[@]}" >>crosvm_seccomp_policy_product_packages.mk
# Printed to the terminal for manual propagation into cuttlefish.
print_host_seccomp_policy_lists "${seccomp_archs[@]}"