1LOCAL_PATH:= $(call my-dir) 2 3include $(LOCAL_PATH)/definitions.mk 4include $(LOCAL_PATH)/policy_version.mk 5 6include $(CLEAR_VARS) 7 8MLS_SENS=1 9MLS_CATS=1024 10 11ifdef BOARD_SEPOLICY_UNION 12$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.) 13endif 14 15ifdef BOARD_SEPOLICY_M4DEFS 16LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS)) 17else 18LOCAL_ADDITIONAL_M4DEFS := 19endif 20 21# sepolicy is now divided into multiple portions: 22# public - policy exported on which non-platform policy developers may write 23# additional policy. types and attributes are versioned and included in 24# delivered non-platform policy, which is to be combined with platform policy. 25# private - platform-only policy required for platform functionality but which 26# is not exported to vendor policy developers and as such may not be assumed 27# to exist. 28# vendor - vendor-only policy required for vendor functionality. This policy can 29# reference the public policy but cannot reference the private policy. This 30# policy is for components which are produced from the core/non-vendor tree and 31# placed into a vendor partition. 32# mapping - This contains policy statements which map the attributes 33# exposed in the public policy of previous versions to the concrete types used 34# in this policy to ensure that policy targeting attributes from public 35# policy from an older platform version continues to work. 36 37# build process for device: 38# 1) convert policies to CIL: 39# - private + public platform policy to CIL 40# - mapping file to CIL (should already be in CIL form) 41# - non-platform public policy to CIL 42# - non-platform public + private policy to CIL 43# 2) attributize policy 44# - run script which takes non-platform public and non-platform combined 45# private + public policy and produces attributized and versioned 46# non-platform policy 47# 3) combine policy files 48# - combine mapping, platform and non-platform policy. 49# - compile output binary policy file 50 51PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public 52PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private 53PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor 54REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask 55SYSTEM_EXT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) 56SYSTEM_EXT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) 57PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS) 58PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS) 59 60ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY)) 61HAS_SYSTEM_EXT_SEPOLICY_DIR := true 62endif 63 64# TODO(b/119305624): Currently if the device doesn't have a product partition, 65# we install product sepolicy into /system/product. We do that because bits of 66# product sepolicy that's still in /system might depend on bits that have moved 67# to /product. Once we finish migrating product sepolicy out of system, change 68# it so that if no product partition is present, product sepolicy artifacts are 69# not built and installed at all. 70ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY)) 71HAS_PRODUCT_SEPOLICY_DIR := true 72endif 73 74# TODO: move to README when doing the README update and finalizing versioning. 75# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy 76# version identifier corresponding to the sepolicy on which the non-platform 77# policy is to be based. If unspecified, this will build against the current 78# public platform policy in tree 79ifndef BOARD_SEPOLICY_VERS 80# The default platform policy version. 81BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION) 82endif 83 84NEVERALLOW_ARG := 85ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) 86ifeq ($(TARGET_BUILD_VARIANT),user) 87$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds) 88endif 89$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \ 90 It does not work in user builds and using it will \ 91 not stop you from failing CTS.) 92NEVERALLOW_ARG := -N 93endif 94 95# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before. 96# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and 97# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for 98# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS. 99ifdef BOARD_SEPOLICY_DIRS 100BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS) 101endif 102 103ifdef BOARD_ODM_SEPOLICY_DIRS 104ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) 105$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS) 106endif 107endif 108 109########################################################### 110# Compute policy files to be used in policy build. 111# $(1): files to include 112# $(2): directories in which to find files 113########################################################### 114 115define build_policy 116$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))) 117endef 118 119# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS. 120# $(1): the set of policy name paths to build 121build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS)) 122 123# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS. 124build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS)) 125 126sepolicy_build_files := security_classes \ 127 initial_sids \ 128 access_vectors \ 129 global_macros \ 130 neverallow_macros \ 131 mls_macros \ 132 mls_decl \ 133 mls \ 134 policy_capabilities \ 135 te_macros \ 136 attributes \ 137 ioctl_defines \ 138 ioctl_macros \ 139 *.te \ 140 roles_decl \ 141 roles \ 142 users \ 143 initial_sid_contexts \ 144 fs_use \ 145 genfs_contexts \ 146 port_contexts 147 148# Security classes and permissions defined outside of system/sepolicy. 149security_class_extension_files := $(call build_policy, security_classes access_vectors, \ 150 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ 151 $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ 152 $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) 153 154ifneq (,$(strip $(security_class_extension_files))) 155 $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files))) 156endif 157 158ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 159 # Checks if there are public system_ext policy files. 160 policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY)) 161 ifneq (,$(strip $(policy_files))) 162 HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true 163 endif 164 # Checks if there are public/private system_ext policy files. 165 policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY)) 166 ifneq (,$(strip $(policy_files))) 167 HAS_SYSTEM_EXT_SEPOLICY := true 168 endif 169endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 170 171ifdef HAS_PRODUCT_SEPOLICY_DIR 172 # Checks if there are public product policy files. 173 policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY)) 174 ifneq (,$(strip $(policy_files))) 175 HAS_PRODUCT_PUBLIC_SEPOLICY := true 176 endif 177 # Checks if there are public/private product policy files. 178 policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)) 179 ifneq (,$(strip $(policy_files))) 180 HAS_PRODUCT_SEPOLICY := true 181 endif 182endif # ifdef HAS_PRODUCT_SEPOLICY_DIR 183 184# CIL files which contain workarounds for current limitation of human-readable 185# module policy language. These files are appended to the CIL files produced 186# from module language files. 187sepolicy_build_cil_workaround_files := technical_debt.cil 188 189my_target_arch := $(TARGET_ARCH) 190ifneq (,$(filter mips mips64,$(TARGET_ARCH))) 191 my_target_arch := mips 192endif 193 194intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates 195 196with_asan := false 197ifneq (,$(filter address,$(SANITIZE_TARGET))) 198 with_asan := true 199endif 200 201with_native_coverage := false 202ifeq ($(NATIVE_COVERAGE),true) 203 with_native_coverage := true 204endif 205ifeq ($(CLANG_COVERAGE),true) 206 with_native_coverage := true 207endif 208 209treble_sysprop_neverallow := true 210ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true) 211 treble_sysprop_neverallow := false 212endif 213 214ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) 215 #$(warning no product shipping level defined) 216else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),) 217 ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),) 218 $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.) 219 endif 220endif 221 222# Library extension for host-side tests 223ifeq ($(HOST_OS),darwin) 224SHAREDLIB_EXT=dylib 225else 226SHAREDLIB_EXT=so 227endif 228 229# Convert a file_context file for a non-flattened APEX into a file for 230# flattened APEX. /system/apex/<apex_name> path is prepended to the original paths 231# $(1): path to the input file_contexts file for non-flattened APEX 232# $(2): path to the flattened APEX 233# $(3): path to the generated file_contexts file for flattened APEX 234# $(4): variable where $(3) is added to 235define build_flattened_apex_file_contexts 236$(4) += $(3) 237$(3): PRIVATE_APEX_PATH := $(subst .,\\.,$(2)) 238$(3): $(1) 239 $(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@ 240endef 241 242################################# 243 244include $(CLEAR_VARS) 245 246LOCAL_MODULE := selinux_policy 247LOCAL_MODULE_TAGS := optional 248LOCAL_REQUIRED_MODULES += \ 249 selinux_policy_nonsystem \ 250 selinux_policy_system \ 251 252include $(BUILD_PHONY_PACKAGE) 253 254# selinux_policy is a main goal and triggers lots of tests. 255# Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm') 256# By setting as droidcore's dependency, tests will run on normal builds. 257droidcore: selinux_policy 258 259include $(CLEAR_VARS) 260LOCAL_MODULE := selinux_policy_system 261# These build targets are not used on non-Treble devices. However, we build these to avoid 262# divergence between Treble and non-Treble devices. 263LOCAL_REQUIRED_MODULES += \ 264 plat_mapping_file \ 265 $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ 266 $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ 267 plat_sepolicy.cil \ 268 plat_sepolicy_and_mapping.sha256 \ 269 secilc \ 270 271LOCAL_REQUIRED_MODULES += \ 272 build_sepolicy \ 273 plat_file_contexts \ 274 plat_file_contexts_test \ 275 plat_mac_permissions.xml \ 276 plat_property_contexts \ 277 plat_property_contexts_test \ 278 plat_seapp_contexts \ 279 plat_service_contexts \ 280 plat_service_contexts_test \ 281 plat_hwservice_contexts \ 282 plat_hwservice_contexts_test \ 283 searchpolicy \ 284 285# This conditional inclusion closely mimics the conditional logic 286# inside init/init.cpp for loading SELinux policy from files. 287ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) 288# The following files are only allowed for non-Treble devices. 289LOCAL_REQUIRED_MODULES += \ 290 sepolicy \ 291 vendor_service_contexts \ 292 293endif # ($(PRODUCT_SEPOLICY_SPLIT),true) 294 295ifneq ($(with_asan),true) 296ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) 297LOCAL_REQUIRED_MODULES += \ 298 sepolicy_tests \ 299 $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ 300 301ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 302LOCAL_REQUIRED_MODULES += \ 303 $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ 304 305endif # PRODUCT_SEPOLICY_SPLIT 306endif # SELINUX_IGNORE_NEVERALLOWS 307endif # with_asan 308 309ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 310LOCAL_REQUIRED_MODULES += \ 311 sepolicy_freeze_test \ 312 313endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 314 315include $(BUILD_PHONY_PACKAGE) 316 317################################# 318 319include $(CLEAR_VARS) 320 321LOCAL_MODULE := selinux_policy_nonsystem 322# Include precompiled policy, unless told otherwise. 323ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 324LOCAL_REQUIRED_MODULES += \ 325 precompiled_sepolicy \ 326 precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \ 327 precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 \ 328 system_ext_sepolicy_and_mapping.sha256 \ 329 precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \ 330 product_sepolicy_and_mapping.sha256 \ 331 332endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 333 334 335# These build targets are not used on non-Treble devices. However, we build these to avoid 336# divergence between Treble and non-Treble devices. 337LOCAL_REQUIRED_MODULES += \ 338 plat_pub_versioned.cil \ 339 vendor_sepolicy.cil \ 340 plat_sepolicy_vers.txt \ 341 342LOCAL_REQUIRED_MODULES += \ 343 vendor_file_contexts \ 344 vendor_file_contexts_test \ 345 vendor_mac_permissions.xml \ 346 vendor_property_contexts \ 347 vendor_property_contexts_test \ 348 vendor_seapp_contexts \ 349 vendor_service_contexts \ 350 vendor_hwservice_contexts \ 351 vendor_hwservice_contexts_test \ 352 vndservice_contexts \ 353 354ifdef BOARD_ODM_SEPOLICY_DIRS 355LOCAL_REQUIRED_MODULES += \ 356 odm_sepolicy.cil \ 357 odm_file_contexts \ 358 odm_file_contexts_test \ 359 odm_seapp_contexts \ 360 odm_property_contexts \ 361 odm_property_contexts_test \ 362 odm_hwservice_contexts \ 363 odm_hwservice_contexts_test \ 364 odm_mac_permissions.xml 365endif 366 367ifdef HAS_SYSTEM_EXT_SEPOLICY 368LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil 369endif 370 371ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY 372LOCAL_REQUIRED_MODULES += \ 373 system_ext_mapping_file \ 374 $(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ 375 376endif 377 378ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 379LOCAL_REQUIRED_MODULES += \ 380 system_ext_file_contexts \ 381 system_ext_file_contexts_test \ 382 system_ext_hwservice_contexts \ 383 system_ext_hwservice_contexts_test \ 384 system_ext_property_contexts \ 385 system_ext_property_contexts_test \ 386 system_ext_seapp_contexts \ 387 system_ext_service_contexts \ 388 system_ext_service_contexts_test \ 389 system_ext_mac_permissions.xml \ 390 391endif 392 393ifdef HAS_PRODUCT_SEPOLICY 394LOCAL_REQUIRED_MODULES += product_sepolicy.cil 395endif 396 397ifdef HAS_PRODUCT_PUBLIC_SEPOLICY 398LOCAL_REQUIRED_MODULES += \ 399 product_mapping_file \ 400 $(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ 401 402endif 403 404ifdef HAS_PRODUCT_SEPOLICY_DIR 405LOCAL_REQUIRED_MODULES += \ 406 product_file_contexts \ 407 product_file_contexts_test \ 408 product_hwservice_contexts \ 409 product_hwservice_contexts_test \ 410 product_property_contexts \ 411 product_property_contexts_test \ 412 product_seapp_contexts \ 413 product_service_contexts \ 414 product_service_contexts_test \ 415 product_mac_permissions.xml \ 416 417endif 418 419LOCAL_REQUIRED_MODULES += \ 420 selinux_denial_metadata \ 421 422# Builds an addtional userdebug sepolicy into the debug ramdisk. 423LOCAL_REQUIRED_MODULES += \ 424 userdebug_plat_sepolicy.cil \ 425 426include $(BUILD_PHONY_PACKAGE) 427 428################################# 429include $(CLEAR_VARS) 430 431LOCAL_MODULE := sepolicy_neverallows 432LOCAL_MODULE_CLASS := FAKE 433LOCAL_MODULE_TAGS := optional 434 435include $(BUILD_SYSTEM)/base_rules.mk 436 437# sepolicy_policy.conf - All of the policy for the device. This is only used to 438# check neverallow rules. 439policy_files := $(call build_policy, $(sepolicy_build_files), \ 440 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \ 441 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ 442 $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ 443 $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) 444sepolicy_policy.conf := $(intermediates)/policy.conf 445$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 446$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 447$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user 448$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 449$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 450$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 451$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 452$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 453$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 454$(sepolicy_policy.conf): $(policy_files) $(M4) 455 $(transform-policy-to-conf) 456 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 457 458# sepolicy_policy_2.conf - All of the policy for the device. This is only used to 459# check neverallow rules using sepolicy-analyze, similar to CTS. 460policy_files := $(call build_policy, $(sepolicy_build_files), \ 461 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \ 462 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ 463 $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ 464 $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) 465sepolicy_policy_2.conf := $(intermediates)/policy_2.conf 466$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 467$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 468$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user 469$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true 470$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 471$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 472$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 473$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 474$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 475$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files) 476$(sepolicy_policy_2.conf): $(policy_files) $(M4) 477 $(transform-policy-to-conf) 478 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 479 480$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf) 481$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf) 482$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \ 483 $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze 484ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) 485 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \ 486 $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1) 487 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \ 488 ( echo "" 1>&2; \ 489 echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \ 490 echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \ 491 echo "the policy." 1>&2; \ 492 exit 1 ) 493endif # ($(SELINUX_IGNORE_NEVERALLOWS),true) 494 $(hide) touch $@.tmp 495 $(hide) mv $@.tmp $@ 496 497sepolicy_policy.conf := 498sepolicy_policy_2.conf := 499built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE) 500 501################################## 502# reqd_policy_mask - a policy.conf file which contains only the bare minimum 503# policy necessary to use checkpolicy. This bare-minimum policy needs to be 504# present in all policy.conf files, but should not necessarily be exported as 505# part of the public policy. The rules generated by reqd_policy_mask will allow 506# the compilation of public policy and subsequent removal of CIL policy that 507# should not be exported. 508 509policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY)) 510reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf 511$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 512$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 513$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 514$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 515$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 516$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 517$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 518$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 519$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 520$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 521$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files) 522$(reqd_policy_mask.conf): $(policy_files) $(M4) 523 $(transform-policy-to-conf) 524# b/37755687 525CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0 526 527reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil 528$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy 529 @mkdir -p $(dir $@) 530 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \ 531 $(POLICYVERS) -o $@ $< 532 533reqd_policy_mask.conf := 534 535################################## 536# pub_policy - policy that will be exported to be a part of non-platform 537# policy corresponding to this platform version. This is a limited subset of 538# policy that would not compile in checkpolicy on its own. To get around this 539# limitation, add only the required files from private policy, which will 540# generate CIL policy that will then be filtered out by the reqd_policy_mask. 541# 542# There are three pub_policy.cil files below: 543# - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy. 544# - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy. 545# - plat_pub_policy.cil: exported 'system' policy. 546# 547# Those above files will in turn be used to generate the following versioned cil files: 548# - product_mapping_file: the versioned, exported 'product' policy in product partition. 549# - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition. 550# - plat_mapping_file: the versioned, exported 'system' policy in system partition. 551# - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' 552# policy in vendor partition. 553# 554policy_files := $(call build_policy, $(sepolicy_build_files), \ 555 $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) 556pub_policy.conf := $(intermediates)/pub_policy.conf 557$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 558$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 559$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 560$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 561$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 562$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 563$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 564$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 565$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 566$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 567$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 568$(pub_policy.conf): $(policy_files) $(M4) 569 $(transform-policy-to-conf) 570pub_policy.cil := $(intermediates)/pub_policy.cil 571$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf) 572$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 573$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ 574$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil) 575 @mkdir -p $(dir $@) 576 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) 577 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 578 -f $(PRIVATE_REQD_MASK) -t $@ 579 580pub_policy.conf := 581 582################################## 583policy_files := $(call build_policy, $(sepolicy_build_files), \ 584 $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) 585system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf 586$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 587$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 588$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 589$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 590$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 591$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 592$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 593$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 594$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 595$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 596$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 597$(system_ext_pub_policy.conf): $(policy_files) $(M4) 598 $(transform-policy-to-conf) 599 600system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil 601$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf) 602$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 603$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ 604$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil) 605 @mkdir -p $(dir $@) 606 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) 607 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 608 -f $(PRIVATE_REQD_MASK) -t $@ 609 610system_ext_pub_policy.conf := 611 612################################## 613policy_files := $(call build_policy, $(sepolicy_build_files), \ 614 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) 615plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf 616$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 617$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 618$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 619$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 620$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 621$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 622$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 623$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 624$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 625$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 626$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 627$(plat_pub_policy.conf): $(policy_files) $(M4) 628 $(transform-policy-to-conf) 629 630plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil 631$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf) 632$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 633$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ 634$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil) 635 @mkdir -p $(dir $@) 636 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) 637 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 638 -f $(PRIVATE_REQD_MASK) -t $@ 639 640plat_pub_policy.conf := 641 642################################# 643include $(CLEAR_VARS) 644 645LOCAL_MODULE := plat_sepolicy.cil 646LOCAL_MODULE_CLASS := ETC 647LOCAL_MODULE_TAGS := optional 648LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 649 650include $(BUILD_SYSTEM)/base_rules.mk 651 652# plat_policy.conf - A combination of the private and public platform policy 653# which will ship with the device. The platform will always reflect the most 654# recent platform version and is not currently being attributized. 655policy_files := $(call build_policy, $(sepolicy_build_files), \ 656 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 657plat_policy.conf := $(intermediates)/plat_policy.conf 658$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 659$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 660$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 661$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 662$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 663$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 664$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 665$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 666$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 667$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 668$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 669$(plat_policy.conf): $(policy_files) $(M4) 670 $(transform-policy-to-conf) 671 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 672 673$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \ 674 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) 675$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 676$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 677 $(HOST_OUT_EXECUTABLES)/secilc \ 678 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ 679 $(built_sepolicy_neverallows) 680 @mkdir -p $(dir $@) 681 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 682 $(POLICYVERS) -o $@.tmp $< 683 $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp 684 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null 685 $(hide) mv $@.tmp $@ 686 687built_plat_cil := $(LOCAL_BUILT_MODULE) 688plat_policy.conf := 689 690################################# 691include $(CLEAR_VARS) 692 693LOCAL_MODULE := userdebug_plat_sepolicy.cil 694LOCAL_MODULE_CLASS := ETC 695LOCAL_MODULE_TAGS := optional 696LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT) 697 698include $(BUILD_SYSTEM)/base_rules.mk 699 700# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil 701policy_files := $(call build_policy, $(sepolicy_build_files), \ 702 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 703userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf 704$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 705$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 706$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug 707$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 708$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 709$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 710$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 711$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 712$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 713$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 714$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 715$(userdebug_plat_policy.conf): $(policy_files) $(M4) 716 $(transform-policy-to-conf) 717 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 718 719$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \ 720 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) 721$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 722$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 723 $(HOST_OUT_EXECUTABLES)/secilc \ 724 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ 725 $(built_sepolicy_neverallows) 726 @mkdir -p $(dir $@) 727 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 728 $(POLICYVERS) -o $@.tmp $< 729 $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp 730 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null 731 $(hide) mv $@.tmp $@ 732 733userdebug_plat_policy.conf := 734 735################################# 736include $(CLEAR_VARS) 737 738ifdef HAS_SYSTEM_EXT_SEPOLICY 739LOCAL_MODULE := system_ext_sepolicy.cil 740LOCAL_MODULE_CLASS := ETC 741LOCAL_MODULE_TAGS := optional 742LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux 743 744include $(BUILD_SYSTEM)/base_rules.mk 745 746# system_ext_policy.conf - A combination of the private and public system_ext policy 747# which will ship with the device. System_ext policy is not attributized. 748policy_files := $(call build_policy, $(sepolicy_build_files), \ 749 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ 750 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY)) 751system_ext_policy.conf := $(intermediates)/system_ext_policy.conf 752$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 753$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 754$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 755$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 756$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 757$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 758$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 759$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 760$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 761$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 762$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 763$(system_ext_policy.conf): $(policy_files) $(M4) 764 $(transform-policy-to-conf) 765 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 766 767$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 768$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil) 769$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 770$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) 771 @mkdir -p $(dir $@) 772 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 773 $(POLICYVERS) -o $@ $< 774 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 775 -f $(PRIVATE_PLAT_CIL) -t $@ 776 # Line markers (denoted by ;;) are malformed after above cmd. They are only 777 # used for debugging, so we remove them. 778 $(hide) grep -v ';;' $@ > $@.tmp 779 $(hide) mv $@.tmp $@ 780 # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the 781 # latter doesn't accidentally depend on vendor/odm policies. 782 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \ 783 $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null 784 785 786built_system_ext_cil := $(LOCAL_BUILT_MODULE) 787system_ext_policy.conf := 788endif # ifdef HAS_SYSTEM_EXT_SEPOLICY 789 790################################# 791include $(CLEAR_VARS) 792 793ifdef HAS_PRODUCT_SEPOLICY 794LOCAL_MODULE := product_sepolicy.cil 795LOCAL_MODULE_CLASS := ETC 796LOCAL_MODULE_TAGS := optional 797LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux 798 799include $(BUILD_SYSTEM)/base_rules.mk 800 801# product_policy.conf - A combination of the private and public product policy 802# which will ship with the device. Product policy is not attributized. 803policy_files := $(call build_policy, $(sepolicy_build_files), \ 804 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ 805 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ 806 $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)) 807product_policy.conf := $(intermediates)/product_policy.conf 808$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 809$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 810$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 811$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 812$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 813$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 814$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 815$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 816$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 817$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 818$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 819$(product_policy.conf): $(policy_files) $(M4) 820 $(transform-policy-to-conf) 821 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 822 823$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 824$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) 825$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 826$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \ 827$(built_plat_cil) $(built_system_ext_cil) 828 @mkdir -p $(dir $@) 829 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 830 $(POLICYVERS) -o $@ $< 831 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 832 -f $(PRIVATE_PLAT_CIL_FILES) -t $@ 833 # Line markers (denoted by ;;) are malformed after above cmd. They are only 834 # used for debugging, so we remove them. 835 $(hide) grep -v ';;' $@ > $@.tmp 836 $(hide) mv $@.tmp $@ 837 # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to 838 # make sure that the latter doesn't accidentally depend on vendor/odm policies. 839 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \ 840 $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null 841 842 843built_product_cil := $(LOCAL_BUILT_MODULE) 844product_policy.conf := 845endif # ifdef HAS_PRODUCT_SEPOLICY 846 847################################# 848include $(CLEAR_VARS) 849 850LOCAL_MODULE := plat_sepolicy_vers.txt 851LOCAL_MODULE_CLASS := ETC 852LOCAL_MODULE_TAGS := optional 853LOCAL_PROPRIETARY_MODULE := true 854LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 855 856include $(BUILD_SYSTEM)/base_rules.mk 857 858$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS) 859$(LOCAL_BUILT_MODULE) : 860 mkdir -p $(dir $@) 861 echo $(PRIVATE_PLAT_SEPOL_VERS) > $@ 862 863################################# 864include $(CLEAR_VARS) 865 866LOCAL_MODULE := plat_mapping_file 867LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil 868LOCAL_MODULE_CLASS := ETC 869LOCAL_MODULE_TAGS := optional 870LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping 871 872include $(BUILD_SYSTEM)/base_rules.mk 873 874# auto-generate the mapping file for current platform policy, since it needs to 875# track platform policy development 876$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) 877$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy 878 @mkdir -p $(dir $@) 879 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ 880 881built_plat_mapping_cil := $(LOCAL_BUILT_MODULE) 882 883################################# 884include $(CLEAR_VARS) 885 886ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY 887LOCAL_MODULE := system_ext_mapping_file 888LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil 889LOCAL_MODULE_CLASS := ETC 890LOCAL_MODULE_TAGS := optional 891LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping 892 893include $(BUILD_SYSTEM)/base_rules.mk 894 895$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) 896$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil) 897$(LOCAL_BUILT_MODULE) : $(system_ext_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ 898$(built_plat_mapping_cil) 899 @mkdir -p $(dir $@) 900 # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext' 901 # sepolicy minus plat_mapping_file. 902 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ 903 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 904 -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@ 905 906built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE) 907endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY 908 909################################# 910include $(CLEAR_VARS) 911 912ifdef HAS_PRODUCT_PUBLIC_SEPOLICY 913LOCAL_MODULE := product_mapping_file 914LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil 915LOCAL_MODULE_CLASS := ETC 916LOCAL_MODULE_TAGS := optional 917LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping 918 919include $(BUILD_SYSTEM)/base_rules.mk 920 921$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) 922$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) 923$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ 924$(built_plat_mapping_cil) $(built_system_ext_mapping_cil) 925 @mkdir -p $(dir $@) 926 # Generate product mapping file as mapping file of all public sepolicy minus 927 # plat_mapping_file and system_ext_mapping_file. 928 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ 929 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 930 -f $(PRIVATE_FILTER_CIL_FILES) -t $@ 931 932built_product_mapping_cil := $(LOCAL_BUILT_MODULE) 933endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY 934 935################################# 936include $(CLEAR_VARS) 937 938# plat_pub_versioned.cil - the exported platform policy associated with the version 939# that non-platform policy targets. 940LOCAL_MODULE := plat_pub_versioned.cil 941LOCAL_MODULE_CLASS := ETC 942LOCAL_MODULE_TAGS := optional 943LOCAL_PROPRIETARY_MODULE := true 944LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 945 946include $(BUILD_SYSTEM)/base_rules.mk 947 948$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 949$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil) 950$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \ 951$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \ 952$(built_product_mapping_cil) 953$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ 954 $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \ 955 $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) 956 @mkdir -p $(dir $@) 957 $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@ 958 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \ 959 $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null 960 961built_pub_vers_cil := $(LOCAL_BUILT_MODULE) 962 963################################# 964include $(CLEAR_VARS) 965 966# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined 967# with the platform-provided policy. It makes use of the reqd_policy_mask files from private 968# policy and the platform public policy files in order to use checkpolicy. 969LOCAL_MODULE := vendor_sepolicy.cil 970LOCAL_MODULE_CLASS := ETC 971LOCAL_MODULE_TAGS := optional 972LOCAL_PROPRIETARY_MODULE := true 973LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 974 975include $(BUILD_SYSTEM)/base_rules.mk 976 977policy_files := $(call build_policy, $(sepolicy_build_files), \ 978 $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \ 979 $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS)) 980vendor_policy.conf := $(intermediates)/vendor_policy.conf 981$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 982$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 983$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 984$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 985$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 986$(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 987$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 988$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 989$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 990$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 991$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 992$(vendor_policy.conf): $(policy_files) $(M4) 993 $(transform-policy-to-conf) 994 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 995 996$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf) 997$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 998$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil) 999$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 1000$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \ 1001$(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \ 1002$(built_system_ext_mapping_cil) $(built_product_mapping_cil) 1003$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil) 1004$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ 1005 $(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \ 1006 $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \ 1007 $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \ 1008 $(built_product_mapping_cil) 1009 @mkdir -p $(dir $@) 1010 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ 1011 -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ 1012 -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \ 1013 -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ 1014 1015built_vendor_cil := $(LOCAL_BUILT_MODULE) 1016vendor_policy.conf := 1017 1018################################# 1019include $(CLEAR_VARS) 1020 1021ifdef BOARD_ODM_SEPOLICY_DIRS 1022# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined 1023# with the platform-provided policy. It makes use of the reqd_policy_mask files from private 1024# policy and the platform public policy files in order to use checkpolicy. 1025LOCAL_MODULE := odm_sepolicy.cil 1026LOCAL_MODULE_CLASS := ETC 1027LOCAL_MODULE_TAGS := optional 1028LOCAL_PROPRIETARY_MODULE := true 1029LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1030 1031include $(BUILD_SYSTEM)/base_rules.mk 1032 1033policy_files := $(call build_policy, $(sepolicy_build_files), \ 1034 $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \ 1035 $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) 1036odm_policy.conf := $(intermediates)/odm_policy.conf 1037$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 1038$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 1039$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 1040$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 1041$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 1042$(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 1043$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1044$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 1045$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 1046$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 1047$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 1048$(odm_policy.conf): $(policy_files) $(M4) 1049 $(transform-policy-to-conf) 1050 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 1051 1052$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf) 1053$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 1054$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil) 1055$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 1056$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \ 1057 $(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \ 1058 $(built_system_ext_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil) 1059$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil) 1060$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ 1061 $(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \ 1062 $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) $(built_pub_vers_cil) \ 1063 $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) \ 1064 $(built_vendor_cil) 1065 @mkdir -p $(dir $@) 1066 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ 1067 -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ 1068 -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \ 1069 -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ 1070 1071built_odm_cil := $(LOCAL_BUILT_MODULE) 1072odm_policy.conf := 1073odm_policy_raw := 1074endif 1075 1076################################# 1077include $(CLEAR_VARS) 1078 1079LOCAL_MODULE := precompiled_sepolicy 1080LOCAL_MODULE_CLASS := ETC 1081LOCAL_MODULE_TAGS := optional 1082LOCAL_PROPRIETARY_MODULE := true 1083 1084ifeq ($(BOARD_USES_ODMIMAGE),true) 1085LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1086else 1087LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1088endif 1089 1090include $(BUILD_SYSTEM)/base_rules.mk 1091 1092all_cil_files := \ 1093 $(built_plat_cil) \ 1094 $(built_plat_mapping_cil) \ 1095 $(built_pub_vers_cil) \ 1096 $(built_vendor_cil) 1097 1098ifdef HAS_SYSTEM_EXT_SEPOLICY 1099all_cil_files += $(built_system_ext_cil) 1100endif 1101 1102ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY 1103all_cil_files += $(built_system_ext_mapping_cil) 1104endif 1105 1106ifdef HAS_PRODUCT_SEPOLICY 1107all_cil_files += $(built_product_cil) 1108endif 1109 1110ifdef HAS_PRODUCT_PUBLIC_SEPOLICY 1111all_cil_files += $(built_product_mapping_cil) 1112endif 1113 1114ifdef BOARD_ODM_SEPOLICY_DIRS 1115all_cil_files += $(built_odm_cil) 1116endif 1117 1118$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files) 1119$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 1120$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows) 1121 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \ 1122 $(PRIVATE_CIL_FILES) -o $@ -f /dev/null 1123 1124built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE) 1125all_cil_files := 1126 1127################################# 1128# Precompiled sepolicy is loaded if and only if: 1129# - plat_sepolicy_and_mapping.sha256 equals 1130# precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 1131# AND 1132# - system_ext_sepolicy_and_mapping.sha256 equals 1133# precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 1134# AND 1135# - product_sepolicy_and_mapping.sha256 equals 1136# precompiled_sepolicy.product_sepolicy_and_mapping.sha256 1137# See system/core/init/selinux.cpp for details. 1138################################# 1139include $(CLEAR_VARS) 1140 1141LOCAL_MODULE := plat_sepolicy_and_mapping.sha256 1142LOCAL_MODULE_CLASS := ETC 1143LOCAL_MODULE_TAGS := optional 1144LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux 1145 1146include $(BUILD_SYSTEM)/base_rules.mk 1147 1148$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil) 1149 cat $^ | sha256sum | cut -d' ' -f1 > $@ 1150 1151################################# 1152include $(CLEAR_VARS) 1153 1154LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256 1155LOCAL_MODULE_CLASS := ETC 1156LOCAL_MODULE_TAGS := optional 1157LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux 1158 1159include $(BUILD_SYSTEM)/base_rules.mk 1160 1161$(LOCAL_BUILT_MODULE): $(built_system_ext_cil) $(built_system_ext_mapping_cil) 1162 cat $^ | sha256sum | cut -d' ' -f1 > $@ 1163 1164################################# 1165include $(CLEAR_VARS) 1166 1167LOCAL_MODULE := product_sepolicy_and_mapping.sha256 1168LOCAL_MODULE_CLASS := ETC 1169LOCAL_MODULE_TAGS := optional 1170LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux 1171 1172include $(BUILD_SYSTEM)/base_rules.mk 1173 1174$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil) 1175 cat $^ | sha256sum | cut -d' ' -f1 > $@ 1176 1177################################# 1178# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against 1179# which precompiled_policy was built. 1180################################# 1181include $(CLEAR_VARS) 1182LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 1183LOCAL_MODULE_CLASS := ETC 1184LOCAL_MODULE_TAGS := optional 1185 1186ifeq ($(BOARD_USES_ODMIMAGE),true) 1187LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1188else 1189LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1190endif 1191 1192include $(BUILD_SYSTEM)/base_rules.mk 1193 1194$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil) 1195$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil) 1196 cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ 1197 1198################################# 1199# SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against 1200# which precompiled_policy was built. 1201################################# 1202include $(CLEAR_VARS) 1203LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 1204LOCAL_MODULE_CLASS := ETC 1205LOCAL_MODULE_TAGS := optional 1206 1207ifeq ($(BOARD_USES_ODMIMAGE),true) 1208LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1209else 1210LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1211endif 1212 1213include $(BUILD_SYSTEM)/base_rules.mk 1214 1215$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_system_ext_cil) $(built_system_ext_mapping_cil) 1216$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_system_ext_cil) $(built_system_ext_mapping_cil) 1217 cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ 1218 1219################################# 1220# SHA-256 digest of the product_sepolicy.cil and product_mapping_file against 1221# which precompiled_policy was built. 1222################################# 1223include $(CLEAR_VARS) 1224LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256 1225LOCAL_MODULE_CLASS := ETC 1226LOCAL_MODULE_TAGS := optional 1227 1228ifeq ($(BOARD_USES_ODMIMAGE),true) 1229LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1230else 1231LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1232endif 1233 1234include $(BUILD_SYSTEM)/base_rules.mk 1235 1236$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil) 1237$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil) 1238 cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ 1239 1240################################# 1241include $(CLEAR_VARS) 1242# build this target so that we can still perform neverallow checks 1243 1244LOCAL_MODULE := sepolicy 1245LOCAL_MODULE_CLASS := ETC 1246LOCAL_MODULE_TAGS := optional 1247LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1248 1249include $(BUILD_SYSTEM)/base_rules.mk 1250 1251all_cil_files := \ 1252 $(built_plat_cil) \ 1253 $(built_plat_mapping_cil) \ 1254 $(built_pub_vers_cil) \ 1255 $(built_vendor_cil) 1256 1257ifdef HAS_SYSTEM_EXT_SEPOLICY 1258all_cil_files += $(built_system_ext_cil) 1259endif 1260 1261ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY 1262all_cil_files += $(built_system_ext_mapping_cil) 1263endif 1264 1265ifdef HAS_PRODUCT_SEPOLICY 1266all_cil_files += $(built_product_cil) 1267endif 1268 1269ifdef HAS_PRODUCT_PUBLIC_SEPOLICY 1270all_cil_files += $(built_product_mapping_cil) 1271endif 1272 1273ifdef BOARD_ODM_SEPOLICY_DIRS 1274all_cil_files += $(built_odm_cil) 1275endif 1276 1277$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files) 1278$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 1279$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \ 1280$(built_sepolicy_neverallows) 1281 @mkdir -p $(dir $@) 1282 $(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null 1283 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains 1284 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ 1285 echo "==========" 1>&2; \ 1286 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ 1287 echo "List of invalid domains:" 1>&2; \ 1288 cat $@.permissivedomains 1>&2; \ 1289 exit 1; \ 1290 fi 1291 $(hide) mv $@.tmp $@ 1292 1293built_sepolicy := $(LOCAL_BUILT_MODULE) 1294all_cil_files := 1295 1296################################# 1297include $(CLEAR_VARS) 1298 1299# keep concrete sepolicy for neverallow checks 1300# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling. 1301 1302LOCAL_MODULE := sepolicy.recovery 1303LOCAL_MODULE_STEM := sepolicy 1304LOCAL_MODULE_CLASS := ETC 1305LOCAL_MODULE_TAGS := optional 1306LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1307 1308include $(BUILD_SYSTEM)/base_rules.mk 1309 1310policy_files := $(call build_policy, $(sepolicy_build_files), \ 1311 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ 1312 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ 1313 $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ 1314 $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \ 1315 $(BOARD_ODM_SEPOLICY_DIRS)) 1316sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf 1317$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 1318$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 1319$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 1320$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 1321$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 1322$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 1323$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1324$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true 1325$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files) 1326$(sepolicy.recovery.conf): $(policy_files) $(M4) 1327 $(transform-policy-to-conf) 1328 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 1329 1330ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) 1331 $(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow 1332 $(hide) mv $@.neverallow $@ 1333endif 1334 1335$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 1336 $(HOST_OUT_EXECUTABLES)/sepolicy-analyze 1337 @mkdir -p $(dir $@) 1338 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \ 1339 $(POLICYVERS) -o $@.tmp $< 1340 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains 1341 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ 1342 echo "==========" 1>&2; \ 1343 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ 1344 echo "List of invalid domains:" 1>&2; \ 1345 cat $@.permissivedomains 1>&2; \ 1346 exit 1; \ 1347 fi 1348 $(hide) mv $@.tmp $@ 1349 1350sepolicy.recovery.conf := 1351 1352################################## 1353# SELinux policy embedded into CTS. 1354# CTS checks neverallow rules of this policy against the policy of the device under test. 1355################################## 1356include $(CLEAR_VARS) 1357 1358LOCAL_MODULE := general_sepolicy.conf 1359LOCAL_MODULE_CLASS := ETC 1360LOCAL_MODULE_TAGS := tests 1361 1362include $(BUILD_SYSTEM)/base_rules.mk 1363 1364policy_files := $(call build_policy, $(sepolicy_build_files), \ 1365 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 1366$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS) 1367$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS) 1368$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user 1369$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch) 1370$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false 1371$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts 1372$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts 1373$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts 1374$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true 1375$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files) 1376$(LOCAL_BUILT_MODULE): $(policy_files) $(M4) 1377 $(transform-policy-to-conf) 1378 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 1379 1380################################## 1381# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of. 1382# 1383include $(CLEAR_VARS) 1384 1385LOCAL_MODULE := file_contexts.bin 1386LOCAL_MODULE_CLASS := ETC 1387LOCAL_MODULE_TAGS := optional 1388LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1389 1390include $(BUILD_SYSTEM)/base_rules.mk 1391 1392# The file_contexts.bin is built in the following way: 1393# 1. Collect all file_contexts files in THIS repository and process them with 1394# m4 into a tmp file called file_contexts.local.tmp. 1395# 2. Collect all device specific file_contexts files and process them with m4 1396# into a tmp file called file_contexts.device.tmp. 1397# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on 1398# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. 1399# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into 1400# file_contexts.concat.tmp. 1401# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce 1402# file_contexts.bin. 1403# 1404# Note: That a newline file is placed between each file_context file found to 1405# ensure a proper build when an fc file is missing an ending newline. 1406 1407local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY)) 1408 1409ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 1410local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY)) 1411endif 1412 1413ifdef HAS_PRODUCT_SEPOLICY_DIR 1414local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY)) 1415endif 1416 1417ifneq ($(filter address,$(SANITIZE_TARGET)),) 1418 local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY))) 1419endif 1420ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) 1421 local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY))) 1422endif 1423 1424# Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed 1425$(foreach _tuple,$(APEX_FILE_CONTEXTS_INFOS),\ 1426 $(eval _apex_name := $(call word-colon,1,$(_tuple)))\ 1427 $(eval _apex_path := $(call word-colon,2,$(_tuple)))\ 1428 $(eval _fc_path := $(call word-colon,3,$(_tuple)))\ 1429 $(eval _input := $(_fc_path))\ 1430 $(eval _output := $(intermediates)/$(_apex_name)-flattened)\ 1431 $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_path),$(_output),local_fc_files))\ 1432 ) 1433 1434file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp 1435$(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files) 1436$(file_contexts.local.tmp): $(local_fc_files) $(M4) 1437 @mkdir -p $(dir $@) 1438 $(hide) $(M4) --fatal-warnings -s $(PRIVATE_FC_FILES) > $@ 1439 1440device_fc_files := $(call build_vendor_policy, file_contexts) 1441 1442ifdef BOARD_ODM_SEPOLICY_DIRS 1443device_fc_files += $(call build_odm_policy, file_contexts) 1444endif 1445 1446file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp 1447$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1448$(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files) 1449$(file_contexts.device.tmp): $(device_fc_files) $(M4) 1450 @mkdir -p $(dir $@) 1451 $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@ 1452 1453file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp 1454$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy) 1455$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \ 1456 $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc 1457 @mkdir -p $(dir $@) 1458 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $< 1459 $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@ 1460 1461file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp 1462$(file_contexts.concat.tmp): PRIVATE_CONTEXTS := $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) 1463$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) $(M4) 1464 @mkdir -p $(dir $@) 1465 $(hide) $(M4) --fatal-warnings -s $(PRIVATE_CONTEXTS) > $@ 1466 1467$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1468$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc 1469 @mkdir -p $(dir $@) 1470 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< 1471 $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< 1472 1473built_fc := $(LOCAL_BUILT_MODULE) 1474local_fc_files := 1475local_fcfiles_with_nl := 1476device_fc_files := 1477device_fcfiles_with_nl := 1478file_contexts.concat.tmp := 1479file_contexts.device.sorted.tmp := 1480file_contexts.device.tmp := 1481file_contexts.local.tmp := 1482 1483################################## 1484include $(CLEAR_VARS) 1485 1486LOCAL_MODULE := selinux_denial_metadata 1487LOCAL_MODULE_CLASS := ETC 1488LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1489 1490include $(BUILD_SYSTEM)/base_rules.mk 1491 1492bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY)) 1493 1494$(LOCAL_BUILT_MODULE) : $(bug_files) 1495 @mkdir -p $(dir $@) 1496 cat $^ > $@ 1497 1498bug_files := 1499 1500################################## 1501include $(LOCAL_PATH)/seapp_contexts.mk 1502 1503################################## 1504include $(LOCAL_PATH)/contexts_tests.mk 1505 1506################################## 1507include $(CLEAR_VARS) 1508 1509LOCAL_MODULE := vndservice_contexts 1510LOCAL_MODULE_CLASS := ETC 1511LOCAL_MODULE_TAGS := optional 1512LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1513 1514include $(BUILD_SYSTEM)/base_rules.mk 1515 1516vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1517 1518vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp 1519$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles) 1520$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1521$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4) 1522 @mkdir -p $(dir $@) 1523 $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1524 1525$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1526$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1527 @mkdir -p $(dir $@) 1528 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1529 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@ 1530 1531vnd_svcfiles := 1532vndservice_contexts.tmp := 1533 1534################################## 1535include $(LOCAL_PATH)/mac_permissions.mk 1536 1537################################# 1538include $(CLEAR_VARS) 1539LOCAL_MODULE := sepolicy_tests 1540LOCAL_MODULE_CLASS := FAKE 1541LOCAL_MODULE_TAGS := optional 1542 1543include $(BUILD_SYSTEM)/base_rules.mk 1544 1545all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts 1546all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts 1547ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 1548all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts 1549endif 1550ifdef HAS_PRODUCT_SEPOLICY_DIR 1551all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts 1552endif 1553ifdef BOARD_ODM_SEPOLICY_DIRS 1554all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts 1555endif 1556all_fc_args := $(foreach file, $(all_fc_files), -f $(file)) 1557 1558$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args) 1559$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1560$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy) 1561 @mkdir -p $(dir $@) 1562 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \ 1563 $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY) 1564 $(hide) touch $@ 1565 1566################################## 1567intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,) 1568 1569# plat_sepolicy - the current platform policy only, built into a policy binary. 1570# TODO - this currently excludes partner extensions, but support should be added 1571# to enable partners to add their own compatibility mapping 1572policy_files := $(call build_policy, $(sepolicy_build_files), \ 1573 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 1574base_plat_policy.conf := $(intermediates)/base_plat_policy.conf 1575$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 1576$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 1577$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user 1578$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 1579$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 1580$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1581$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true 1582$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 1583$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 1584$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 1585$(base_plat_policy.conf): $(policy_files) $(M4) 1586 $(transform-policy-to-conf) 1587 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 1588 1589built_plat_sepolicy := $(intermediates)/built_plat_sepolicy 1590$(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \ 1591 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) 1592$(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 1593$(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 1594$(HOST_OUT_EXECUTABLES)/secilc \ 1595$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ 1596$(built_sepolicy_neverallows) 1597 @mkdir -p $(dir $@) 1598 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 1599 $(POLICYVERS) -o $@ $< 1600 $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@ 1601 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null 1602 1603policy_files := $(call build_policy, $(sepolicy_build_files), \ 1604 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) 1605base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf 1606$(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 1607$(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 1608$(base_plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user 1609$(base_plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 1610$(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 1611$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1612$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true 1613$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 1614$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 1615$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 1616$(base_plat_pub_policy.conf): $(policy_files) $(M4) 1617 $(transform-policy-to-conf) 1618 1619base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil 1620$(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf) 1621$(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 1622$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ 1623$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil) 1624 @mkdir -p $(dir $@) 1625 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) 1626 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 1627 -f $(PRIVATE_REQD_MASK) -t $@ 1628 1629ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1630# Tests for Treble compatibility of current platform policy and vendor policy of 1631# given release version. 1632version_under_treble_tests := 26.0 1633include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1634version_under_treble_tests := 27.0 1635include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1636version_under_treble_tests := 28.0 1637include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1638version_under_treble_tests := 29.0 1639include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1640endif # PRODUCT_SEPOLICY_SPLIT 1641 1642version_under_treble_tests := 26.0 1643include $(LOCAL_PATH)/compat.mk 1644version_under_treble_tests := 27.0 1645include $(LOCAL_PATH)/compat.mk 1646version_under_treble_tests := 28.0 1647include $(LOCAL_PATH)/compat.mk 1648version_under_treble_tests := 29.0 1649include $(LOCAL_PATH)/compat.mk 1650 1651base_plat_policy.conf := 1652base_plat_pub_policy.conf := 1653plat_sepolicy := 1654all_fc_files := 1655all_fc_args := 1656 1657################################# 1658include $(CLEAR_VARS) 1659LOCAL_MODULE := sepolicy_freeze_test 1660LOCAL_MODULE_CLASS := FAKE 1661LOCAL_MODULE_TAGS := optional 1662 1663include $(BUILD_SYSTEM)/base_rules.mk 1664 1665base_plat_public := $(LOCAL_PATH)/public 1666base_plat_private := $(LOCAL_PATH)/private 1667base_plat_public_prebuilt := \ 1668 $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public 1669base_plat_private_prebuilt := \ 1670 $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private 1671 1672all_frozen_files := $(call build_policy,$(sepolicy_build_files), \ 1673$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt)) 1674 1675$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public) 1676$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private) 1677$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt) 1678$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt) 1679$(LOCAL_BUILT_MODULE): $(all_frozen_files) 1680ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 1681 @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC) 1682 @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE) 1683endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 1684 $(hide) touch $@ 1685 1686base_plat_public := 1687base_plat_private := 1688base_plat_public_prebuilt := 1689base_plat_private_prebuilt := 1690all_frozen_files := 1691 1692################################# 1693 1694 1695build_vendor_policy := 1696build_odm_policy := 1697build_policy := 1698built_plat_cil := 1699built_system_ext_cil := 1700built_product_cil := 1701built_pub_vers_cil := 1702built_plat_mapping_cil := 1703built_system_ext_mapping_cil := 1704built_product_mapping_cil := 1705built_vendor_cil := 1706built_odm_cil := 1707built_precompiled_sepolicy := 1708built_sepolicy := 1709built_sepolicy_neverallows := 1710built_plat_svc := 1711built_vendor_svc := 1712built_plat_sepolicy := 1713treble_sysprop_neverallow := 1714mapping_policy := 1715my_target_arch := 1716pub_policy.cil := 1717system_ext_pub_policy.cil := 1718plat_pub_policy.cil := 1719reqd_policy_mask.cil := 1720sepolicy_build_files := 1721sepolicy_build_cil_workaround_files := 1722with_asan := 1723 1724include $(call all-makefiles-under,$(LOCAL_PATH)) 1725