1LOCAL_PATH:= $(call my-dir)
2
3include $(LOCAL_PATH)/definitions.mk
4include $(LOCAL_PATH)/policy_version.mk
5
6include $(CLEAR_VARS)
7
8MLS_SENS=1
9MLS_CATS=1024
10
11ifdef BOARD_SEPOLICY_UNION
12$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
13endif
14
15ifdef BOARD_SEPOLICY_M4DEFS
16LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
17else
18LOCAL_ADDITIONAL_M4DEFS :=
19endif
20
21# sepolicy is now divided into multiple portions:
22# public - policy exported on which non-platform policy developers may write
23#   additional policy.  types and attributes are versioned and included in
24#   delivered non-platform policy, which is to be combined with platform policy.
25# private - platform-only policy required for platform functionality but which
26#  is not exported to vendor policy developers and as such may not be assumed
27#  to exist.
28# vendor - vendor-only policy required for vendor functionality. This policy can
29#  reference the public policy but cannot reference the private policy. This
30#  policy is for components which are produced from the core/non-vendor tree and
31#  placed into a vendor partition.
32# mapping - This contains policy statements which map the attributes
33#  exposed in the public policy of previous versions to the concrete types used
34#  in this policy to ensure that policy targeting attributes from public
35#  policy from an older platform version continues to work.
36
37# build process for device:
38# 1) convert policies to CIL:
39#    - private + public platform policy to CIL
40#    - mapping file to CIL (should already be in CIL form)
41#    - non-platform public policy to CIL
42#    - non-platform public + private policy to CIL
43# 2) attributize policy
44#    - run script which takes non-platform public and non-platform combined
45#      private + public policy and produces attributized and versioned
46#      non-platform policy
47# 3) combine policy files
48#    - combine mapping, platform and non-platform policy.
49#    - compile output binary policy file
50
51PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
52PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
53PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
54REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
55SYSTEM_EXT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
56SYSTEM_EXT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
57PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
58PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
59
60ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
61HAS_SYSTEM_EXT_SEPOLICY_DIR := true
62endif
63
64# TODO(b/119305624): Currently if the device doesn't have a product partition,
65# we install product sepolicy into /system/product. We do that because bits of
66# product sepolicy that's still in /system might depend on bits that have moved
67# to /product. Once we finish migrating product sepolicy out of system, change
68# it so that if no product partition is present, product sepolicy artifacts are
69# not built and installed at all.
70ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
71HAS_PRODUCT_SEPOLICY_DIR := true
72endif
73
74# TODO: move to README when doing the README update and finalizing versioning.
75# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy
76# version identifier corresponding to the sepolicy on which the non-platform
77# policy is to be based. If unspecified, this will build against the current
78# public platform policy in tree
79ifndef BOARD_SEPOLICY_VERS
80# The default platform policy version.
81BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
82endif
83
84NEVERALLOW_ARG :=
85ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
86ifeq ($(TARGET_BUILD_VARIANT),user)
87$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
88endif
89$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
90          It does not work in user builds and using it will \
91          not stop you from failing CTS.)
92NEVERALLOW_ARG := -N
93endif
94
95# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
96# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and
97# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for
98# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS.
99ifdef BOARD_SEPOLICY_DIRS
100BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
101endif
102
103ifdef BOARD_ODM_SEPOLICY_DIRS
104ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
105$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
106endif
107endif
108
109###########################################################
110# Compute policy files to be used in policy build.
111# $(1): files to include
112# $(2): directories in which to find files
113###########################################################
114
115define build_policy
116$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
117endef
118
119# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
120# $(1): the set of policy name paths to build
121build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
122
123# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
124build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
125
126sepolicy_build_files := security_classes \
127                        initial_sids \
128                        access_vectors \
129                        global_macros \
130                        neverallow_macros \
131                        mls_macros \
132                        mls_decl \
133                        mls \
134                        policy_capabilities \
135                        te_macros \
136                        attributes \
137                        ioctl_defines \
138                        ioctl_macros \
139                        *.te \
140                        roles_decl \
141                        roles \
142                        users \
143                        initial_sid_contexts \
144                        fs_use \
145                        genfs_contexts \
146                        port_contexts
147
148# Security classes and permissions defined outside of system/sepolicy.
149security_class_extension_files := $(call build_policy, security_classes access_vectors, \
150  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
151  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
152  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
153
154ifneq (,$(strip $(security_class_extension_files)))
155  $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files)))
156endif
157
158ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
159  # Checks if there are public system_ext policy files.
160  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
161  ifneq (,$(strip $(policy_files)))
162    HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true
163  endif
164  # Checks if there are public/private system_ext policy files.
165  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
166  ifneq (,$(strip $(policy_files)))
167    HAS_SYSTEM_EXT_SEPOLICY := true
168  endif
169endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
170
171ifdef HAS_PRODUCT_SEPOLICY_DIR
172  # Checks if there are public product policy files.
173  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY))
174  ifneq (,$(strip $(policy_files)))
175    HAS_PRODUCT_PUBLIC_SEPOLICY := true
176  endif
177  # Checks if there are public/private product policy files.
178  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
179  ifneq (,$(strip $(policy_files)))
180    HAS_PRODUCT_SEPOLICY := true
181  endif
182endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
183
184# CIL files which contain workarounds for current limitation of human-readable
185# module policy language. These files are appended to the CIL files produced
186# from module language files.
187sepolicy_build_cil_workaround_files := technical_debt.cil
188
189my_target_arch := $(TARGET_ARCH)
190ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
191  my_target_arch := mips
192endif
193
194intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
195
196with_asan := false
197ifneq (,$(filter address,$(SANITIZE_TARGET)))
198  with_asan := true
199endif
200
201with_native_coverage := false
202ifeq ($(NATIVE_COVERAGE),true)
203  with_native_coverage := true
204endif
205ifeq ($(CLANG_COVERAGE),true)
206  with_native_coverage := true
207endif
208
209treble_sysprop_neverallow := true
210ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
211  treble_sysprop_neverallow := false
212endif
213
214ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
215  #$(warning no product shipping level defined)
216else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
217  ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),)
218    $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.)
219  endif
220endif
221
222# Library extension for host-side tests
223ifeq ($(HOST_OS),darwin)
224SHAREDLIB_EXT=dylib
225else
226SHAREDLIB_EXT=so
227endif
228
229# Convert a file_context file for a non-flattened APEX into a file for
230# flattened APEX. /system/apex/<apex_name> path is prepended to the original paths
231# $(1): path to the input file_contexts file for non-flattened APEX
232# $(2): path to the flattened APEX
233# $(3): path to the generated file_contexts file for flattened APEX
234# $(4): variable where $(3) is added to
235define build_flattened_apex_file_contexts
236$(4) += $(3)
237$(3): PRIVATE_APEX_PATH := $(subst .,\\.,$(2))
238$(3): $(1)
239	$(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@
240endef
241
242#################################
243
244include $(CLEAR_VARS)
245
246LOCAL_MODULE := selinux_policy
247LOCAL_MODULE_TAGS := optional
248LOCAL_REQUIRED_MODULES += \
249    selinux_policy_nonsystem \
250    selinux_policy_system \
251
252include $(BUILD_PHONY_PACKAGE)
253
254# selinux_policy is a main goal and triggers lots of tests.
255# Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm')
256# By setting as droidcore's dependency, tests will run on normal builds.
257droidcore: selinux_policy
258
259include $(CLEAR_VARS)
260LOCAL_MODULE := selinux_policy_system
261# These build targets are not used on non-Treble devices. However, we build these to avoid
262# divergence between Treble and non-Treble devices.
263LOCAL_REQUIRED_MODULES += \
264    plat_mapping_file \
265    $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
266    $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
267    plat_sepolicy.cil \
268    plat_sepolicy_and_mapping.sha256 \
269    secilc \
270
271LOCAL_REQUIRED_MODULES += \
272    build_sepolicy \
273    plat_file_contexts \
274    plat_file_contexts_test \
275    plat_mac_permissions.xml \
276    plat_property_contexts \
277    plat_property_contexts_test \
278    plat_seapp_contexts \
279    plat_service_contexts \
280    plat_service_contexts_test \
281    plat_hwservice_contexts \
282    plat_hwservice_contexts_test \
283    searchpolicy \
284
285# This conditional inclusion closely mimics the conditional logic
286# inside init/init.cpp for loading SELinux policy from files.
287ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
288# The following files are only allowed for non-Treble devices.
289LOCAL_REQUIRED_MODULES += \
290    sepolicy \
291    vendor_service_contexts \
292
293endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
294
295ifneq ($(with_asan),true)
296ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
297LOCAL_REQUIRED_MODULES += \
298    sepolicy_tests \
299    $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
300
301ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
302LOCAL_REQUIRED_MODULES += \
303    $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
304
305endif  # PRODUCT_SEPOLICY_SPLIT
306endif  # SELINUX_IGNORE_NEVERALLOWS
307endif  # with_asan
308
309ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
310LOCAL_REQUIRED_MODULES += \
311    sepolicy_freeze_test \
312
313endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
314
315include $(BUILD_PHONY_PACKAGE)
316
317#################################
318
319include $(CLEAR_VARS)
320
321LOCAL_MODULE := selinux_policy_nonsystem
322# Include precompiled policy, unless told otherwise.
323ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
324LOCAL_REQUIRED_MODULES += \
325    precompiled_sepolicy \
326    precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
327    precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 \
328    system_ext_sepolicy_and_mapping.sha256 \
329    precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
330    product_sepolicy_and_mapping.sha256 \
331
332endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
333
334
335# These build targets are not used on non-Treble devices. However, we build these to avoid
336# divergence between Treble and non-Treble devices.
337LOCAL_REQUIRED_MODULES += \
338    plat_pub_versioned.cil \
339    vendor_sepolicy.cil \
340    plat_sepolicy_vers.txt \
341
342LOCAL_REQUIRED_MODULES += \
343    vendor_file_contexts \
344    vendor_file_contexts_test \
345    vendor_mac_permissions.xml \
346    vendor_property_contexts \
347    vendor_property_contexts_test \
348    vendor_seapp_contexts \
349    vendor_service_contexts \
350    vendor_hwservice_contexts \
351    vendor_hwservice_contexts_test \
352    vndservice_contexts \
353
354ifdef BOARD_ODM_SEPOLICY_DIRS
355LOCAL_REQUIRED_MODULES += \
356    odm_sepolicy.cil \
357    odm_file_contexts \
358    odm_file_contexts_test \
359    odm_seapp_contexts \
360    odm_property_contexts \
361    odm_property_contexts_test \
362    odm_hwservice_contexts \
363    odm_hwservice_contexts_test \
364    odm_mac_permissions.xml
365endif
366
367ifdef HAS_SYSTEM_EXT_SEPOLICY
368LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
369endif
370
371ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
372LOCAL_REQUIRED_MODULES += \
373    system_ext_mapping_file \
374    $(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
375
376endif
377
378ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
379LOCAL_REQUIRED_MODULES += \
380    system_ext_file_contexts \
381    system_ext_file_contexts_test \
382    system_ext_hwservice_contexts \
383    system_ext_hwservice_contexts_test \
384    system_ext_property_contexts \
385    system_ext_property_contexts_test \
386    system_ext_seapp_contexts \
387    system_ext_service_contexts \
388    system_ext_service_contexts_test \
389    system_ext_mac_permissions.xml \
390
391endif
392
393ifdef HAS_PRODUCT_SEPOLICY
394LOCAL_REQUIRED_MODULES += product_sepolicy.cil
395endif
396
397ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
398LOCAL_REQUIRED_MODULES += \
399    product_mapping_file \
400    $(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
401
402endif
403
404ifdef HAS_PRODUCT_SEPOLICY_DIR
405LOCAL_REQUIRED_MODULES += \
406    product_file_contexts \
407    product_file_contexts_test \
408    product_hwservice_contexts \
409    product_hwservice_contexts_test \
410    product_property_contexts \
411    product_property_contexts_test \
412    product_seapp_contexts \
413    product_service_contexts \
414    product_service_contexts_test \
415    product_mac_permissions.xml \
416
417endif
418
419LOCAL_REQUIRED_MODULES += \
420    selinux_denial_metadata \
421
422# Builds an addtional userdebug sepolicy into the debug ramdisk.
423LOCAL_REQUIRED_MODULES += \
424    userdebug_plat_sepolicy.cil \
425
426include $(BUILD_PHONY_PACKAGE)
427
428#################################
429include $(CLEAR_VARS)
430
431LOCAL_MODULE := sepolicy_neverallows
432LOCAL_MODULE_CLASS := FAKE
433LOCAL_MODULE_TAGS := optional
434
435include $(BUILD_SYSTEM)/base_rules.mk
436
437# sepolicy_policy.conf - All of the policy for the device.  This is only used to
438# check neverallow rules.
439policy_files := $(call build_policy, $(sepolicy_build_files), \
440  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
441  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
442  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
443  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
444sepolicy_policy.conf := $(intermediates)/policy.conf
445$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
446$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
447$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
448$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
449$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
450$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
451$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
452$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
453$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
454$(sepolicy_policy.conf): $(policy_files) $(M4)
455	$(transform-policy-to-conf)
456	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
457
458# sepolicy_policy_2.conf - All of the policy for the device.  This is only used to
459# check neverallow rules using sepolicy-analyze, similar to CTS.
460policy_files := $(call build_policy, $(sepolicy_build_files), \
461  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
462  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
463  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
464  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
465sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
466$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
467$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
468$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
469$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
470$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
471$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
472$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
473$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
474$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
475$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
476$(sepolicy_policy_2.conf): $(policy_files) $(M4)
477	$(transform-policy-to-conf)
478	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
479
480$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
481$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
482$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
483  $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
484ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
485	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
486		$(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
487	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
488	  ( echo "" 1>&2; \
489	    echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
490	    echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
491	    echo "the policy." 1>&2; \
492	    exit 1 )
493endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
494	$(hide) touch $@.tmp
495	$(hide) mv $@.tmp $@
496
497sepolicy_policy.conf :=
498sepolicy_policy_2.conf :=
499built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
500
501##################################
502# reqd_policy_mask - a policy.conf file which contains only the bare minimum
503# policy necessary to use checkpolicy.  This bare-minimum policy needs to be
504# present in all policy.conf files, but should not necessarily be exported as
505# part of the public policy.  The rules generated by reqd_policy_mask will allow
506# the compilation of public policy and subsequent removal of CIL policy that
507# should not be exported.
508
509policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
510reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
511$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
512$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
513$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
514$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
515$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
516$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
517$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
518$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
519$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
520$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
521$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
522$(reqd_policy_mask.conf): $(policy_files) $(M4)
523	$(transform-policy-to-conf)
524# b/37755687
525CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
526
527reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
528$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
529	@mkdir -p $(dir $@)
530	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
531		$(POLICYVERS) -o $@ $<
532
533reqd_policy_mask.conf :=
534
535##################################
536# pub_policy - policy that will be exported to be a part of non-platform
537# policy corresponding to this platform version.  This is a limited subset of
538# policy that would not compile in checkpolicy on its own.  To get around this
539# limitation, add only the required files from private policy, which will
540# generate CIL policy that will then be filtered out by the reqd_policy_mask.
541#
542# There are three pub_policy.cil files below:
543#   - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
544#   - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
545#   - plat_pub_policy.cil: exported 'system' policy.
546#
547# Those above files will in turn be used to generate the following versioned cil files:
548#   - product_mapping_file: the versioned, exported 'product' policy in product partition.
549#   - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
550#   - plat_mapping_file: the versioned, exported 'system' policy in system partition.
551#   - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system'
552#                             policy in vendor partition.
553#
554policy_files := $(call build_policy, $(sepolicy_build_files), \
555  $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
556pub_policy.conf := $(intermediates)/pub_policy.conf
557$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
558$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
559$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
560$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
561$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
562$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
563$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
564$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
565$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
566$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
567$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
568$(pub_policy.conf): $(policy_files) $(M4)
569	$(transform-policy-to-conf)
570pub_policy.cil := $(intermediates)/pub_policy.cil
571$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf)
572$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
573$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
574$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil)
575	@mkdir -p $(dir $@)
576	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
577	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
578		-f $(PRIVATE_REQD_MASK) -t $@
579
580pub_policy.conf :=
581
582##################################
583policy_files := $(call build_policy, $(sepolicy_build_files), \
584  $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
585system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf
586$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
587$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
588$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
589$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
590$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
591$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
592$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
593$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
594$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
595$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
596$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
597$(system_ext_pub_policy.conf): $(policy_files) $(M4)
598	$(transform-policy-to-conf)
599
600system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil
601$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf)
602$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
603$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
604$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
605	@mkdir -p $(dir $@)
606	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
607	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
608		-f $(PRIVATE_REQD_MASK) -t $@
609
610system_ext_pub_policy.conf :=
611
612##################################
613policy_files := $(call build_policy, $(sepolicy_build_files), \
614  $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
615plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
616$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
617$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
618$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
619$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
620$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
621$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
622$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
623$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
624$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
625$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
626$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
627$(plat_pub_policy.conf): $(policy_files) $(M4)
628	$(transform-policy-to-conf)
629
630plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
631$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
632$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
633$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
634$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
635	@mkdir -p $(dir $@)
636	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
637	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
638		-f $(PRIVATE_REQD_MASK) -t $@
639
640plat_pub_policy.conf :=
641
642#################################
643include $(CLEAR_VARS)
644
645LOCAL_MODULE := plat_sepolicy.cil
646LOCAL_MODULE_CLASS := ETC
647LOCAL_MODULE_TAGS := optional
648LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
649
650include $(BUILD_SYSTEM)/base_rules.mk
651
652# plat_policy.conf - A combination of the private and public platform policy
653# which will ship with the device.  The platform will always reflect the most
654# recent platform version and is not currently being attributized.
655policy_files := $(call build_policy, $(sepolicy_build_files), \
656  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
657plat_policy.conf := $(intermediates)/plat_policy.conf
658$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
659$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
660$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
661$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
662$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
663$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
664$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
665$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
666$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
667$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
668$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
669$(plat_policy.conf): $(policy_files) $(M4)
670	$(transform-policy-to-conf)
671	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
672
673$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
674  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
675$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
676$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
677  $(HOST_OUT_EXECUTABLES)/secilc \
678  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
679  $(built_sepolicy_neverallows)
680	@mkdir -p $(dir $@)
681	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
682		$(POLICYVERS) -o $@.tmp $<
683	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
684	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
685	$(hide) mv $@.tmp $@
686
687built_plat_cil := $(LOCAL_BUILT_MODULE)
688plat_policy.conf :=
689
690#################################
691include $(CLEAR_VARS)
692
693LOCAL_MODULE := userdebug_plat_sepolicy.cil
694LOCAL_MODULE_CLASS := ETC
695LOCAL_MODULE_TAGS := optional
696LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
697
698include $(BUILD_SYSTEM)/base_rules.mk
699
700# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
701policy_files := $(call build_policy, $(sepolicy_build_files), \
702  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
703userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf
704$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
705$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
706$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
707$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
708$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
709$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
710$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
711$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
712$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
713$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
714$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
715$(userdebug_plat_policy.conf): $(policy_files) $(M4)
716	$(transform-policy-to-conf)
717	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
718
719$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
720  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
721$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
722$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
723  $(HOST_OUT_EXECUTABLES)/secilc \
724  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
725  $(built_sepolicy_neverallows)
726	@mkdir -p $(dir $@)
727	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
728		$(POLICYVERS) -o $@.tmp $<
729	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
730	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
731	$(hide) mv $@.tmp $@
732
733userdebug_plat_policy.conf :=
734
735#################################
736include $(CLEAR_VARS)
737
738ifdef HAS_SYSTEM_EXT_SEPOLICY
739LOCAL_MODULE := system_ext_sepolicy.cil
740LOCAL_MODULE_CLASS := ETC
741LOCAL_MODULE_TAGS := optional
742LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
743
744include $(BUILD_SYSTEM)/base_rules.mk
745
746# system_ext_policy.conf - A combination of the private and public system_ext policy
747# which will ship with the device. System_ext policy is not attributized.
748policy_files := $(call build_policy, $(sepolicy_build_files), \
749  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
750  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
751system_ext_policy.conf := $(intermediates)/system_ext_policy.conf
752$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
753$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
754$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
755$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
756$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
757$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
758$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
759$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
760$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
761$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
762$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
763$(system_ext_policy.conf): $(policy_files) $(M4)
764	$(transform-policy-to-conf)
765	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
766
767$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
768$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil)
769$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
770$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil)
771	@mkdir -p $(dir $@)
772	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
773	$(POLICYVERS) -o $@ $<
774	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
775		-f $(PRIVATE_PLAT_CIL) -t $@
776	# Line markers (denoted by ;;) are malformed after above cmd. They are only
777	# used for debugging, so we remove them.
778	$(hide) grep -v ';;' $@ > $@.tmp
779	$(hide) mv $@.tmp $@
780	# Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
781	# latter doesn't accidentally depend on vendor/odm policies.
782	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
783		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
784
785
786built_system_ext_cil := $(LOCAL_BUILT_MODULE)
787system_ext_policy.conf :=
788endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
789
790#################################
791include $(CLEAR_VARS)
792
793ifdef HAS_PRODUCT_SEPOLICY
794LOCAL_MODULE := product_sepolicy.cil
795LOCAL_MODULE_CLASS := ETC
796LOCAL_MODULE_TAGS := optional
797LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
798
799include $(BUILD_SYSTEM)/base_rules.mk
800
801# product_policy.conf - A combination of the private and public product policy
802# which will ship with the device. Product policy is not attributized.
803policy_files := $(call build_policy, $(sepolicy_build_files), \
804  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
805  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
806  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
807product_policy.conf := $(intermediates)/product_policy.conf
808$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
809$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
810$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
811$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
812$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
813$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
814$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
815$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
816$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
817$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
818$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
819$(product_policy.conf): $(policy_files) $(M4)
820	$(transform-policy-to-conf)
821	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
822
823$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
824$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil)
825$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
826$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
827$(built_plat_cil) $(built_system_ext_cil)
828	@mkdir -p $(dir $@)
829	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
830	$(POLICYVERS) -o $@ $<
831	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
832		-f $(PRIVATE_PLAT_CIL_FILES) -t $@
833	# Line markers (denoted by ;;) are malformed after above cmd. They are only
834	# used for debugging, so we remove them.
835	$(hide) grep -v ';;' $@ > $@.tmp
836	$(hide) mv $@.tmp $@
837	# Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
838	# make sure that the latter doesn't accidentally depend on vendor/odm policies.
839	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
840		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
841
842
843built_product_cil := $(LOCAL_BUILT_MODULE)
844product_policy.conf :=
845endif # ifdef HAS_PRODUCT_SEPOLICY
846
847#################################
848include $(CLEAR_VARS)
849
850LOCAL_MODULE := plat_sepolicy_vers.txt
851LOCAL_MODULE_CLASS := ETC
852LOCAL_MODULE_TAGS := optional
853LOCAL_PROPRIETARY_MODULE := true
854LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
855
856include $(BUILD_SYSTEM)/base_rules.mk
857
858$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
859$(LOCAL_BUILT_MODULE) :
860	mkdir -p $(dir $@)
861	echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
862
863#################################
864include $(CLEAR_VARS)
865
866LOCAL_MODULE := plat_mapping_file
867LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
868LOCAL_MODULE_CLASS := ETC
869LOCAL_MODULE_TAGS := optional
870LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
871
872include $(BUILD_SYSTEM)/base_rules.mk
873
874# auto-generate the mapping file for current platform policy, since it needs to
875# track platform policy development
876$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
877$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
878	@mkdir -p $(dir $@)
879	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
880
881built_plat_mapping_cil := $(LOCAL_BUILT_MODULE)
882
883#################################
884include $(CLEAR_VARS)
885
886ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
887LOCAL_MODULE := system_ext_mapping_file
888LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
889LOCAL_MODULE_CLASS := ETC
890LOCAL_MODULE_TAGS := optional
891LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping
892
893include $(BUILD_SYSTEM)/base_rules.mk
894
895$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
896$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil)
897$(LOCAL_BUILT_MODULE) : $(system_ext_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
898$(built_plat_mapping_cil)
899	@mkdir -p $(dir $@)
900	# Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
901	# sepolicy minus plat_mapping_file.
902	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
903	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
904		-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
905
906built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
907endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
908
909#################################
910include $(CLEAR_VARS)
911
912ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
913LOCAL_MODULE := product_mapping_file
914LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
915LOCAL_MODULE_CLASS := ETC
916LOCAL_MODULE_TAGS := optional
917LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping
918
919include $(BUILD_SYSTEM)/base_rules.mk
920
921$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
922$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
923$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
924$(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
925	@mkdir -p $(dir $@)
926	# Generate product mapping file as mapping file of all public sepolicy minus
927	# plat_mapping_file and system_ext_mapping_file.
928	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
929	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
930		-f $(PRIVATE_FILTER_CIL_FILES) -t $@
931
932built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
933endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
934
935#################################
936include $(CLEAR_VARS)
937
938# plat_pub_versioned.cil - the exported platform policy associated with the version
939# that non-platform policy targets.
940LOCAL_MODULE := plat_pub_versioned.cil
941LOCAL_MODULE_CLASS := ETC
942LOCAL_MODULE_TAGS := optional
943LOCAL_PROPRIETARY_MODULE := true
944LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
945
946include $(BUILD_SYSTEM)/base_rules.mk
947
948$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
949$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
950$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
951$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
952$(built_product_mapping_cil)
953$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
954  $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
955  $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil)
956	@mkdir -p $(dir $@)
957	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
958	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
959		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
960
961built_pub_vers_cil := $(LOCAL_BUILT_MODULE)
962
963#################################
964include $(CLEAR_VARS)
965
966# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
967# with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
968# policy and the platform public policy files in order to use checkpolicy.
969LOCAL_MODULE := vendor_sepolicy.cil
970LOCAL_MODULE_CLASS := ETC
971LOCAL_MODULE_TAGS := optional
972LOCAL_PROPRIETARY_MODULE := true
973LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
974
975include $(BUILD_SYSTEM)/base_rules.mk
976
977policy_files := $(call build_policy, $(sepolicy_build_files), \
978  $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
979  $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
980vendor_policy.conf := $(intermediates)/vendor_policy.conf
981$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
982$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
983$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
984$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
985$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
986$(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
987$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
988$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
989$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
990$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
991$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
992$(vendor_policy.conf): $(policy_files) $(M4)
993	$(transform-policy-to-conf)
994	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
995
996$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
997$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
998$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
999$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
1000$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
1001$(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
1002$(built_system_ext_mapping_cil) $(built_product_mapping_cil)
1003$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil)
1004$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
1005  $(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
1006  $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
1007  $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
1008  $(built_product_mapping_cil)
1009	@mkdir -p $(dir $@)
1010	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
1011		-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
1012		-b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \
1013		-t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
1014
1015built_vendor_cil := $(LOCAL_BUILT_MODULE)
1016vendor_policy.conf :=
1017
1018#################################
1019include $(CLEAR_VARS)
1020
1021ifdef BOARD_ODM_SEPOLICY_DIRS
1022# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
1023# with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
1024# policy and the platform public policy files in order to use checkpolicy.
1025LOCAL_MODULE := odm_sepolicy.cil
1026LOCAL_MODULE_CLASS := ETC
1027LOCAL_MODULE_TAGS := optional
1028LOCAL_PROPRIETARY_MODULE := true
1029LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
1030
1031include $(BUILD_SYSTEM)/base_rules.mk
1032
1033policy_files := $(call build_policy, $(sepolicy_build_files), \
1034  $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
1035  $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
1036odm_policy.conf := $(intermediates)/odm_policy.conf
1037$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
1038$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
1039$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
1040$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
1041$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
1042$(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
1043$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
1044$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
1045$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
1046$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
1047$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
1048$(odm_policy.conf): $(policy_files) $(M4)
1049	$(transform-policy-to-conf)
1050	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
1051
1052$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
1053$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
1054$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
1055$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
1056$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
1057  $(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
1058  $(built_system_ext_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil)
1059$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil)
1060$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
1061  $(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
1062  $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) $(built_pub_vers_cil) \
1063  $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) \
1064  $(built_vendor_cil)
1065	@mkdir -p $(dir $@)
1066	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
1067		-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
1068		-b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \
1069		-t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
1070
1071built_odm_cil := $(LOCAL_BUILT_MODULE)
1072odm_policy.conf :=
1073odm_policy_raw :=
1074endif
1075
1076#################################
1077include $(CLEAR_VARS)
1078
1079LOCAL_MODULE := precompiled_sepolicy
1080LOCAL_MODULE_CLASS := ETC
1081LOCAL_MODULE_TAGS := optional
1082LOCAL_PROPRIETARY_MODULE := true
1083
1084ifeq ($(BOARD_USES_ODMIMAGE),true)
1085LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
1086else
1087LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
1088endif
1089
1090include $(BUILD_SYSTEM)/base_rules.mk
1091
1092all_cil_files := \
1093    $(built_plat_cil) \
1094    $(built_plat_mapping_cil) \
1095    $(built_pub_vers_cil) \
1096    $(built_vendor_cil)
1097
1098ifdef HAS_SYSTEM_EXT_SEPOLICY
1099all_cil_files += $(built_system_ext_cil)
1100endif
1101
1102ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
1103all_cil_files += $(built_system_ext_mapping_cil)
1104endif
1105
1106ifdef HAS_PRODUCT_SEPOLICY
1107all_cil_files += $(built_product_cil)
1108endif
1109
1110ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
1111all_cil_files += $(built_product_mapping_cil)
1112endif
1113
1114ifdef BOARD_ODM_SEPOLICY_DIRS
1115all_cil_files += $(built_odm_cil)
1116endif
1117
1118$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
1119$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
1120$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
1121	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
1122		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
1123
1124built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
1125all_cil_files :=
1126
1127#################################
1128# Precompiled sepolicy is loaded if and only if:
1129# - plat_sepolicy_and_mapping.sha256 equals
1130#   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
1131# AND
1132# - system_ext_sepolicy_and_mapping.sha256 equals
1133#   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
1134# AND
1135# - product_sepolicy_and_mapping.sha256 equals
1136#   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
1137# See system/core/init/selinux.cpp for details.
1138#################################
1139include $(CLEAR_VARS)
1140
1141LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
1142LOCAL_MODULE_CLASS := ETC
1143LOCAL_MODULE_TAGS := optional
1144LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
1145
1146include $(BUILD_SYSTEM)/base_rules.mk
1147
1148$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil)
1149	cat $^ | sha256sum | cut -d' ' -f1 > $@
1150
1151#################################
1152include $(CLEAR_VARS)
1153
1154LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256
1155LOCAL_MODULE_CLASS := ETC
1156LOCAL_MODULE_TAGS := optional
1157LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
1158
1159include $(BUILD_SYSTEM)/base_rules.mk
1160
1161$(LOCAL_BUILT_MODULE): $(built_system_ext_cil) $(built_system_ext_mapping_cil)
1162	cat $^ | sha256sum | cut -d' ' -f1 > $@
1163
1164#################################
1165include $(CLEAR_VARS)
1166
1167LOCAL_MODULE := product_sepolicy_and_mapping.sha256
1168LOCAL_MODULE_CLASS := ETC
1169LOCAL_MODULE_TAGS := optional
1170LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
1171
1172include $(BUILD_SYSTEM)/base_rules.mk
1173
1174$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil)
1175	cat $^ | sha256sum | cut -d' ' -f1 > $@
1176
1177#################################
1178# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
1179# which precompiled_policy was built.
1180#################################
1181include $(CLEAR_VARS)
1182LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
1183LOCAL_MODULE_CLASS := ETC
1184LOCAL_MODULE_TAGS := optional
1185
1186ifeq ($(BOARD_USES_ODMIMAGE),true)
1187LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
1188else
1189LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
1190endif
1191
1192include $(BUILD_SYSTEM)/base_rules.mk
1193
1194$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil)
1195$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil)
1196	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
1197
1198#################################
1199# SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
1200# which precompiled_policy was built.
1201#################################
1202include $(CLEAR_VARS)
1203LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
1204LOCAL_MODULE_CLASS := ETC
1205LOCAL_MODULE_TAGS := optional
1206
1207ifeq ($(BOARD_USES_ODMIMAGE),true)
1208LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
1209else
1210LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
1211endif
1212
1213include $(BUILD_SYSTEM)/base_rules.mk
1214
1215$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_system_ext_cil) $(built_system_ext_mapping_cil)
1216$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_system_ext_cil) $(built_system_ext_mapping_cil)
1217	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
1218
1219#################################
1220# SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
1221# which precompiled_policy was built.
1222#################################
1223include $(CLEAR_VARS)
1224LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256
1225LOCAL_MODULE_CLASS := ETC
1226LOCAL_MODULE_TAGS := optional
1227
1228ifeq ($(BOARD_USES_ODMIMAGE),true)
1229LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
1230else
1231LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
1232endif
1233
1234include $(BUILD_SYSTEM)/base_rules.mk
1235
1236$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil)
1237$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil)
1238	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
1239
1240#################################
1241include $(CLEAR_VARS)
1242# build this target so that we can still perform neverallow checks
1243
1244LOCAL_MODULE := sepolicy
1245LOCAL_MODULE_CLASS := ETC
1246LOCAL_MODULE_TAGS := optional
1247LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
1248
1249include $(BUILD_SYSTEM)/base_rules.mk
1250
1251all_cil_files := \
1252    $(built_plat_cil) \
1253    $(built_plat_mapping_cil) \
1254    $(built_pub_vers_cil) \
1255    $(built_vendor_cil)
1256
1257ifdef HAS_SYSTEM_EXT_SEPOLICY
1258all_cil_files += $(built_system_ext_cil)
1259endif
1260
1261ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
1262all_cil_files += $(built_system_ext_mapping_cil)
1263endif
1264
1265ifdef HAS_PRODUCT_SEPOLICY
1266all_cil_files += $(built_product_cil)
1267endif
1268
1269ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
1270all_cil_files += $(built_product_mapping_cil)
1271endif
1272
1273ifdef BOARD_ODM_SEPOLICY_DIRS
1274all_cil_files += $(built_odm_cil)
1275endif
1276
1277$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
1278$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
1279$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
1280$(built_sepolicy_neverallows)
1281	@mkdir -p $(dir $@)
1282	$(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
1283	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
1284	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
1285		echo "==========" 1>&2; \
1286		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
1287		echo "List of invalid domains:" 1>&2; \
1288		cat $@.permissivedomains 1>&2; \
1289		exit 1; \
1290		fi
1291	$(hide) mv $@.tmp $@
1292
1293built_sepolicy := $(LOCAL_BUILT_MODULE)
1294all_cil_files :=
1295
1296#################################
1297include $(CLEAR_VARS)
1298
1299# keep concrete sepolicy for neverallow checks
1300# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling.
1301
1302LOCAL_MODULE := sepolicy.recovery
1303LOCAL_MODULE_STEM := sepolicy
1304LOCAL_MODULE_CLASS := ETC
1305LOCAL_MODULE_TAGS := optional
1306LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
1307
1308include $(BUILD_SYSTEM)/base_rules.mk
1309
1310policy_files := $(call build_policy, $(sepolicy_build_files), \
1311  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
1312  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
1313  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
1314  $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
1315  $(BOARD_ODM_SEPOLICY_DIRS))
1316sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
1317$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
1318$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
1319$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
1320$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
1321$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
1322$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
1323$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
1324$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
1325$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
1326$(sepolicy.recovery.conf): $(policy_files) $(M4)
1327	$(transform-policy-to-conf)
1328	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
1329
1330ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
1331	$(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow
1332	$(hide) mv $@.neverallow $@
1333endif
1334
1335$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
1336                       $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
1337	@mkdir -p $(dir $@)
1338	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
1339		$(POLICYVERS) -o $@.tmp $<
1340	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
1341	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
1342		echo "==========" 1>&2; \
1343		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
1344		echo "List of invalid domains:" 1>&2; \
1345		cat $@.permissivedomains 1>&2; \
1346		exit 1; \
1347		fi
1348	$(hide) mv $@.tmp $@
1349
1350sepolicy.recovery.conf :=
1351
1352##################################
1353# SELinux policy embedded into CTS.
1354# CTS checks neverallow rules of this policy against the policy of the device under test.
1355##################################
1356include $(CLEAR_VARS)
1357
1358LOCAL_MODULE := general_sepolicy.conf
1359LOCAL_MODULE_CLASS := ETC
1360LOCAL_MODULE_TAGS := tests
1361
1362include $(BUILD_SYSTEM)/base_rules.mk
1363
1364policy_files := $(call build_policy, $(sepolicy_build_files), \
1365  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
1366$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
1367$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
1368$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
1369$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
1370$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
1371$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
1372$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
1373$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
1374$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
1375$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
1376$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
1377	$(transform-policy-to-conf)
1378	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
1379
1380##################################
1381# TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
1382#
1383include $(CLEAR_VARS)
1384
1385LOCAL_MODULE := file_contexts.bin
1386LOCAL_MODULE_CLASS := ETC
1387LOCAL_MODULE_TAGS := optional
1388LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
1389
1390include $(BUILD_SYSTEM)/base_rules.mk
1391
1392# The file_contexts.bin is built in the following way:
1393# 1. Collect all file_contexts files in THIS repository and process them with
1394#    m4 into a tmp file called file_contexts.local.tmp.
1395# 2. Collect all device specific file_contexts files and process them with m4
1396#    into a tmp file called file_contexts.device.tmp.
1397# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
1398#    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
1399# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into
1400#    file_contexts.concat.tmp.
1401# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
1402#    file_contexts.bin.
1403#
1404#  Note: That a newline file is placed between each file_context file found to
1405#        ensure a proper build when an fc file is missing an ending newline.
1406
1407local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
1408
1409ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
1410local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
1411endif
1412
1413ifdef HAS_PRODUCT_SEPOLICY_DIR
1414local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
1415endif
1416
1417ifneq ($(filter address,$(SANITIZE_TARGET)),)
1418  local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
1419endif
1420ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
1421  local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
1422endif
1423
1424# Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed
1425$(foreach _tuple,$(APEX_FILE_CONTEXTS_INFOS),\
1426  $(eval _apex_name := $(call word-colon,1,$(_tuple)))\
1427  $(eval _apex_path := $(call word-colon,2,$(_tuple)))\
1428  $(eval _fc_path := $(call word-colon,3,$(_tuple)))\
1429  $(eval _input := $(_fc_path))\
1430  $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
1431  $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_path),$(_output),local_fc_files))\
1432  )
1433
1434file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
1435$(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files)
1436$(file_contexts.local.tmp): $(local_fc_files) $(M4)
1437	@mkdir -p $(dir $@)
1438	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_FC_FILES) > $@
1439
1440device_fc_files := $(call build_vendor_policy, file_contexts)
1441
1442ifdef BOARD_ODM_SEPOLICY_DIRS
1443device_fc_files += $(call build_odm_policy, file_contexts)
1444endif
1445
1446file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
1447$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
1448$(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files)
1449$(file_contexts.device.tmp): $(device_fc_files) $(M4)
1450	@mkdir -p $(dir $@)
1451	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@
1452
1453file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
1454$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
1455$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \
1456  $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
1457	@mkdir -p $(dir $@)
1458	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
1459	$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@
1460
1461file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
1462$(file_contexts.concat.tmp): PRIVATE_CONTEXTS := $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
1463$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) $(M4)
1464	@mkdir -p $(dir $@)
1465	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_CONTEXTS) > $@
1466
1467$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
1468$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
1469	@mkdir -p $(dir $@)
1470	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
1471	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
1472
1473built_fc := $(LOCAL_BUILT_MODULE)
1474local_fc_files :=
1475local_fcfiles_with_nl :=
1476device_fc_files :=
1477device_fcfiles_with_nl :=
1478file_contexts.concat.tmp :=
1479file_contexts.device.sorted.tmp :=
1480file_contexts.device.tmp :=
1481file_contexts.local.tmp :=
1482
1483##################################
1484include $(CLEAR_VARS)
1485
1486LOCAL_MODULE := selinux_denial_metadata
1487LOCAL_MODULE_CLASS := ETC
1488LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
1489
1490include $(BUILD_SYSTEM)/base_rules.mk
1491
1492bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
1493
1494$(LOCAL_BUILT_MODULE) : $(bug_files)
1495	@mkdir -p $(dir $@)
1496	cat $^ > $@
1497
1498bug_files :=
1499
1500##################################
1501include $(LOCAL_PATH)/seapp_contexts.mk
1502
1503##################################
1504include $(LOCAL_PATH)/contexts_tests.mk
1505
1506##################################
1507include $(CLEAR_VARS)
1508
1509LOCAL_MODULE := vndservice_contexts
1510LOCAL_MODULE_CLASS := ETC
1511LOCAL_MODULE_TAGS := optional
1512LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
1513
1514include $(BUILD_SYSTEM)/base_rules.mk
1515
1516vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
1517
1518vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
1519$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
1520$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
1521$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4)
1522	@mkdir -p $(dir $@)
1523	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
1524
1525$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
1526$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
1527	@mkdir -p $(dir $@)
1528	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
1529	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
1530
1531vnd_svcfiles :=
1532vndservice_contexts.tmp :=
1533
1534##################################
1535include $(LOCAL_PATH)/mac_permissions.mk
1536
1537#################################
1538include $(CLEAR_VARS)
1539LOCAL_MODULE := sepolicy_tests
1540LOCAL_MODULE_CLASS := FAKE
1541LOCAL_MODULE_TAGS := optional
1542
1543include $(BUILD_SYSTEM)/base_rules.mk
1544
1545all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
1546all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
1547ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
1548all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
1549endif
1550ifdef HAS_PRODUCT_SEPOLICY_DIR
1551all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
1552endif
1553ifdef BOARD_ODM_SEPOLICY_DIRS
1554all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
1555endif
1556all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
1557
1558$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
1559$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
1560$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
1561	@mkdir -p $(dir $@)
1562	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
1563		$(ALL_FC_ARGS)  -p $(PRIVATE_SEPOLICY)
1564	$(hide) touch $@
1565
1566##################################
1567intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,)
1568
1569# plat_sepolicy - the current platform policy only, built into a policy binary.
1570# TODO - this currently excludes partner extensions, but support should be added
1571# to enable partners to add their own compatibility mapping
1572policy_files := $(call build_policy, $(sepolicy_build_files), \
1573  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
1574base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
1575$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
1576$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
1577$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
1578$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
1579$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
1580$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
1581$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
1582$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
1583$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
1584$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
1585$(base_plat_policy.conf): $(policy_files) $(M4)
1586	$(transform-policy-to-conf)
1587	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
1588
1589built_plat_sepolicy := $(intermediates)/built_plat_sepolicy
1590$(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
1591  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
1592$(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
1593$(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
1594$(HOST_OUT_EXECUTABLES)/secilc \
1595$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
1596$(built_sepolicy_neverallows)
1597	@mkdir -p $(dir $@)
1598	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
1599		$(POLICYVERS) -o $@ $<
1600	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
1601	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
1602
1603policy_files := $(call build_policy, $(sepolicy_build_files), \
1604  $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
1605base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf
1606$(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
1607$(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
1608$(base_plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
1609$(base_plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
1610$(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
1611$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
1612$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
1613$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
1614$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
1615$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
1616$(base_plat_pub_policy.conf): $(policy_files) $(M4)
1617	$(transform-policy-to-conf)
1618
1619base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil
1620$(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf)
1621$(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
1622$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
1623$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil)
1624	@mkdir -p $(dir $@)
1625	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
1626	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
1627		-f $(PRIVATE_REQD_MASK) -t $@
1628
1629ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
1630# Tests for Treble compatibility of current platform policy and vendor policy of
1631# given release version.
1632version_under_treble_tests := 26.0
1633include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
1634version_under_treble_tests := 27.0
1635include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
1636version_under_treble_tests := 28.0
1637include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
1638version_under_treble_tests := 29.0
1639include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
1640endif  # PRODUCT_SEPOLICY_SPLIT
1641
1642version_under_treble_tests := 26.0
1643include $(LOCAL_PATH)/compat.mk
1644version_under_treble_tests := 27.0
1645include $(LOCAL_PATH)/compat.mk
1646version_under_treble_tests := 28.0
1647include $(LOCAL_PATH)/compat.mk
1648version_under_treble_tests := 29.0
1649include $(LOCAL_PATH)/compat.mk
1650
1651base_plat_policy.conf :=
1652base_plat_pub_policy.conf :=
1653plat_sepolicy :=
1654all_fc_files :=
1655all_fc_args :=
1656
1657#################################
1658include $(CLEAR_VARS)
1659LOCAL_MODULE := sepolicy_freeze_test
1660LOCAL_MODULE_CLASS := FAKE
1661LOCAL_MODULE_TAGS := optional
1662
1663include $(BUILD_SYSTEM)/base_rules.mk
1664
1665base_plat_public := $(LOCAL_PATH)/public
1666base_plat_private := $(LOCAL_PATH)/private
1667base_plat_public_prebuilt := \
1668  $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public
1669base_plat_private_prebuilt := \
1670  $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private
1671
1672all_frozen_files := $(call build_policy,$(sepolicy_build_files), \
1673$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt))
1674
1675$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public)
1676$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
1677$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
1678$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
1679$(LOCAL_BUILT_MODULE): $(all_frozen_files)
1680ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
1681	@diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
1682	@diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
1683endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
1684	$(hide) touch $@
1685
1686base_plat_public :=
1687base_plat_private :=
1688base_plat_public_prebuilt :=
1689base_plat_private_prebuilt :=
1690all_frozen_files :=
1691
1692#################################
1693
1694
1695build_vendor_policy :=
1696build_odm_policy :=
1697build_policy :=
1698built_plat_cil :=
1699built_system_ext_cil :=
1700built_product_cil :=
1701built_pub_vers_cil :=
1702built_plat_mapping_cil :=
1703built_system_ext_mapping_cil :=
1704built_product_mapping_cil :=
1705built_vendor_cil :=
1706built_odm_cil :=
1707built_precompiled_sepolicy :=
1708built_sepolicy :=
1709built_sepolicy_neverallows :=
1710built_plat_svc :=
1711built_vendor_svc :=
1712built_plat_sepolicy :=
1713treble_sysprop_neverallow :=
1714mapping_policy :=
1715my_target_arch :=
1716pub_policy.cil :=
1717system_ext_pub_policy.cil :=
1718plat_pub_policy.cil :=
1719reqd_policy_mask.cil :=
1720sepolicy_build_files :=
1721sepolicy_build_cil_workaround_files :=
1722with_asan :=
1723
1724include $(call all-makefiles-under,$(LOCAL_PATH))
1725