1LOCAL_PATH:= $(call my-dir) 2 3include $(LOCAL_PATH)/definitions.mk 4include $(LOCAL_PATH)/policy_version.mk 5 6include $(CLEAR_VARS) 7 8MLS_SENS=1 9MLS_CATS=1024 10 11ifdef BOARD_SEPOLICY_UNION 12$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.) 13endif 14 15ifdef BOARD_SEPOLICY_M4DEFS 16LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS)) 17else 18LOCAL_ADDITIONAL_M4DEFS := 19endif 20 21# sepolicy is now divided into multiple portions: 22# public - policy exported on which non-platform policy developers may write 23# additional policy. types and attributes are versioned and included in 24# delivered non-platform policy, which is to be combined with platform policy. 25# private - platform-only policy required for platform functionality but which 26# is not exported to vendor policy developers and as such may not be assumed 27# to exist. 28# vendor - vendor-only policy required for vendor functionality. This policy can 29# reference the public policy but cannot reference the private policy. This 30# policy is for components which are produced from the core/non-vendor tree and 31# placed into a vendor partition. 32# mapping - This contains policy statements which map the attributes 33# exposed in the public policy of previous versions to the concrete types used 34# in this policy to ensure that policy targeting attributes from public 35# policy from an older platform version continues to work. 36 37# build process for device: 38# 1) convert policies to CIL: 39# - private + public platform policy to CIL 40# - mapping file to CIL (should already be in CIL form) 41# - non-platform public policy to CIL 42# - non-platform public + private policy to CIL 43# 2) attributize policy 44# - run script which takes non-platform public and non-platform combined 45# private + public policy and produces attributized and versioned 46# non-platform policy 47# 3) combine policy files 48# - combine mapping, platform and non-platform policy. 49# - compile output binary policy file 50 51PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public 52PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private 53PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor 54REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask 55SYSTEM_EXT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) 56SYSTEM_EXT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) 57PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS) 58PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS) 59 60# Extra sepolicy and prebuilts directories for sepolicy_freeze_test 61FREEZE_TEST_EXTRA_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_DIRS) 62FREEZE_TEST_EXTRA_PREBUILT_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS) 63 64ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY)) 65HAS_SYSTEM_EXT_SEPOLICY_DIR := true 66endif 67 68# TODO(b/119305624): Currently if the device doesn't have a product partition, 69# we install product sepolicy into /system/product. We do that because bits of 70# product sepolicy that's still in /system might depend on bits that have moved 71# to /product. Once we finish migrating product sepolicy out of system, change 72# it so that if no product partition is present, product sepolicy artifacts are 73# not built and installed at all. 74ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY)) 75HAS_PRODUCT_SEPOLICY_DIR := true 76endif 77 78# TODO: move to README when doing the README update and finalizing versioning. 79# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy 80# version identifier corresponding to the sepolicy on which the non-platform 81# policy is to be based. If unspecified, this will build against the current 82# public platform policy in tree 83ifndef BOARD_SEPOLICY_VERS 84# The default platform policy version. 85BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION) 86endif 87 88NEVERALLOW_ARG := 89ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) 90ifeq ($(TARGET_BUILD_VARIANT),user) 91$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds) 92endif 93$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \ 94 It does not work in user builds and using it will \ 95 not stop you from failing CTS.) 96NEVERALLOW_ARG := -N 97endif 98 99# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before. 100# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and 101# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for 102# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS. 103ifdef BOARD_SEPOLICY_DIRS 104BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS) 105endif 106 107ifdef BOARD_ODM_SEPOLICY_DIRS 108ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) 109$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS) 110endif 111endif 112 113########################################################### 114# Compute policy files to be used in policy build. 115# $(1): files to include 116# $(2): directories in which to find files 117########################################################### 118 119define build_policy 120$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))) 121endef 122 123# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS. 124# $(1): the set of policy name paths to build 125build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS)) 126 127# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS. 128build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS)) 129 130sepolicy_build_files := security_classes \ 131 initial_sids \ 132 access_vectors \ 133 global_macros \ 134 neverallow_macros \ 135 mls_macros \ 136 mls_decl \ 137 mls \ 138 policy_capabilities \ 139 te_macros \ 140 attributes \ 141 ioctl_defines \ 142 ioctl_macros \ 143 *.te \ 144 roles_decl \ 145 roles \ 146 users \ 147 initial_sid_contexts \ 148 fs_use \ 149 genfs_contexts \ 150 port_contexts 151 152# Security classes and permissions defined outside of system/sepolicy. 153security_class_extension_files := $(call build_policy, security_classes access_vectors, \ 154 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ 155 $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ 156 $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) 157 158ifneq (,$(strip $(security_class_extension_files))) 159 $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files))) 160endif 161 162ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 163 # Checks if there are public system_ext policy files. 164 policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY)) 165 ifneq (,$(strip $(policy_files))) 166 HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true 167 endif 168 # Checks if there are public/private system_ext policy files. 169 policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY)) 170 ifneq (,$(strip $(policy_files))) 171 HAS_SYSTEM_EXT_SEPOLICY := true 172 endif 173endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 174 175ifdef HAS_PRODUCT_SEPOLICY_DIR 176 # Checks if there are public product policy files. 177 policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY)) 178 ifneq (,$(strip $(policy_files))) 179 HAS_PRODUCT_PUBLIC_SEPOLICY := true 180 endif 181 # Checks if there are public/private product policy files. 182 policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)) 183 ifneq (,$(strip $(policy_files))) 184 HAS_PRODUCT_SEPOLICY := true 185 endif 186endif # ifdef HAS_PRODUCT_SEPOLICY_DIR 187 188# CIL files which contain workarounds for current limitation of human-readable 189# module policy language. These files are appended to the CIL files produced 190# from module language files. 191sepolicy_build_cil_workaround_files := technical_debt.cil 192 193my_target_arch := $(TARGET_ARCH) 194ifneq (,$(filter mips mips64,$(TARGET_ARCH))) 195 my_target_arch := mips 196endif 197 198intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates 199 200with_asan := false 201ifneq (,$(filter address,$(SANITIZE_TARGET))) 202 with_asan := true 203endif 204 205with_native_coverage := false 206ifeq ($(NATIVE_COVERAGE),true) 207 with_native_coverage := true 208endif 209ifeq ($(CLANG_COVERAGE),true) 210 with_native_coverage := true 211endif 212 213treble_sysprop_neverallow := true 214ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true) 215 treble_sysprop_neverallow := false 216endif 217 218ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) 219 #$(warning no product shipping level defined) 220else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),) 221 ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),) 222 $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.) 223 endif 224endif 225 226# Library extension for host-side tests 227ifeq ($(HOST_OS),darwin) 228SHAREDLIB_EXT=dylib 229else 230SHAREDLIB_EXT=so 231endif 232 233# Convert a file_context file for a non-flattened APEX into a file for 234# flattened APEX. /system/apex/<apex_name> path is prepended to the original paths 235# $(1): path to the input file_contexts file for non-flattened APEX 236# $(2): path to the flattened APEX 237# $(3): path to the generated file_contexts file for flattened APEX 238# $(4): variable where $(3) is added to 239define build_flattened_apex_file_contexts 240$(4) += $(3) 241$(3): PRIVATE_APEX_PATH := $(subst .,\\.,$(2)) 242$(3): $(1) 243 $(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@ 244endef 245 246################################# 247 248include $(CLEAR_VARS) 249 250LOCAL_MODULE := selinux_policy 251LOCAL_MODULE_TAGS := optional 252LOCAL_REQUIRED_MODULES += \ 253 selinux_policy_nonsystem \ 254 selinux_policy_system \ 255 256include $(BUILD_PHONY_PACKAGE) 257 258# selinux_policy is a main goal and triggers lots of tests. 259# Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm') 260# By setting as droidcore's dependency, tests will run on normal builds. 261droidcore: selinux_policy 262 263include $(CLEAR_VARS) 264LOCAL_MODULE := selinux_policy_system 265# These build targets are not used on non-Treble devices. However, we build these to avoid 266# divergence between Treble and non-Treble devices. 267LOCAL_REQUIRED_MODULES += \ 268 plat_mapping_file \ 269 $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ 270 $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ 271 plat_sepolicy.cil \ 272 plat_sepolicy_and_mapping.sha256 \ 273 secilc \ 274 275LOCAL_REQUIRED_MODULES += \ 276 build_sepolicy \ 277 plat_file_contexts \ 278 plat_file_contexts_test \ 279 plat_mac_permissions.xml \ 280 plat_property_contexts \ 281 plat_property_contexts_test \ 282 plat_seapp_contexts \ 283 plat_service_contexts \ 284 plat_service_contexts_test \ 285 plat_hwservice_contexts \ 286 plat_hwservice_contexts_test \ 287 searchpolicy \ 288 289# This conditional inclusion closely mimics the conditional logic 290# inside init/init.cpp for loading SELinux policy from files. 291ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) 292# The following files are only allowed for non-Treble devices. 293LOCAL_REQUIRED_MODULES += \ 294 sepolicy \ 295 vendor_service_contexts \ 296 297endif # ($(PRODUCT_SEPOLICY_SPLIT),true) 298 299ifneq ($(with_asan),true) 300ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) 301LOCAL_REQUIRED_MODULES += \ 302 sepolicy_tests \ 303 $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ 304 305ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 306LOCAL_REQUIRED_MODULES += \ 307 $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ 308 309endif # PRODUCT_SEPOLICY_SPLIT 310endif # SELINUX_IGNORE_NEVERALLOWS 311endif # with_asan 312 313ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 314LOCAL_REQUIRED_MODULES += \ 315 sepolicy_freeze_test \ 316 317else 318ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS)) 319$(error SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS\ 320cannot be set before system/sepolicy freezes.) 321endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS)) 322endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 323 324include $(BUILD_PHONY_PACKAGE) 325 326################################# 327 328include $(CLEAR_VARS) 329 330LOCAL_MODULE := selinux_policy_nonsystem 331# Include precompiled policy, unless told otherwise. 332ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 333LOCAL_REQUIRED_MODULES += \ 334 precompiled_sepolicy \ 335 precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \ 336 precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 \ 337 system_ext_sepolicy_and_mapping.sha256 \ 338 precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \ 339 product_sepolicy_and_mapping.sha256 \ 340 341endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 342 343 344# These build targets are not used on non-Treble devices. However, we build these to avoid 345# divergence between Treble and non-Treble devices. 346LOCAL_REQUIRED_MODULES += \ 347 plat_pub_versioned.cil \ 348 vendor_sepolicy.cil \ 349 plat_sepolicy_vers.txt \ 350 351LOCAL_REQUIRED_MODULES += \ 352 vendor_file_contexts \ 353 vendor_file_contexts_test \ 354 vendor_mac_permissions.xml \ 355 vendor_property_contexts \ 356 vendor_property_contexts_test \ 357 vendor_seapp_contexts \ 358 vendor_service_contexts \ 359 vendor_hwservice_contexts \ 360 vendor_hwservice_contexts_test \ 361 vndservice_contexts \ 362 363ifdef BOARD_ODM_SEPOLICY_DIRS 364LOCAL_REQUIRED_MODULES += \ 365 odm_sepolicy.cil \ 366 odm_file_contexts \ 367 odm_file_contexts_test \ 368 odm_seapp_contexts \ 369 odm_property_contexts \ 370 odm_property_contexts_test \ 371 odm_hwservice_contexts \ 372 odm_hwservice_contexts_test \ 373 odm_mac_permissions.xml 374endif 375 376ifdef HAS_SYSTEM_EXT_SEPOLICY 377LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil 378endif 379 380ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY 381LOCAL_REQUIRED_MODULES += \ 382 system_ext_mapping_file \ 383 $(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ 384 385endif 386 387ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 388LOCAL_REQUIRED_MODULES += \ 389 system_ext_file_contexts \ 390 system_ext_file_contexts_test \ 391 system_ext_hwservice_contexts \ 392 system_ext_hwservice_contexts_test \ 393 system_ext_property_contexts \ 394 system_ext_property_contexts_test \ 395 system_ext_seapp_contexts \ 396 system_ext_service_contexts \ 397 system_ext_service_contexts_test \ 398 system_ext_mac_permissions.xml \ 399 400endif 401 402ifdef HAS_PRODUCT_SEPOLICY 403LOCAL_REQUIRED_MODULES += product_sepolicy.cil 404endif 405 406ifdef HAS_PRODUCT_PUBLIC_SEPOLICY 407LOCAL_REQUIRED_MODULES += \ 408 product_mapping_file \ 409 $(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ 410 411endif 412 413ifdef HAS_PRODUCT_SEPOLICY_DIR 414LOCAL_REQUIRED_MODULES += \ 415 product_file_contexts \ 416 product_file_contexts_test \ 417 product_hwservice_contexts \ 418 product_hwservice_contexts_test \ 419 product_property_contexts \ 420 product_property_contexts_test \ 421 product_seapp_contexts \ 422 product_service_contexts \ 423 product_service_contexts_test \ 424 product_mac_permissions.xml \ 425 426endif 427 428LOCAL_REQUIRED_MODULES += \ 429 selinux_denial_metadata \ 430 431# Builds an addtional userdebug sepolicy into the debug ramdisk. 432LOCAL_REQUIRED_MODULES += \ 433 userdebug_plat_sepolicy.cil \ 434 435include $(BUILD_PHONY_PACKAGE) 436 437################################# 438include $(CLEAR_VARS) 439 440LOCAL_MODULE := sepolicy_neverallows 441LOCAL_MODULE_CLASS := FAKE 442LOCAL_MODULE_TAGS := optional 443 444include $(BUILD_SYSTEM)/base_rules.mk 445 446# sepolicy_policy.conf - All of the policy for the device. This is only used to 447# check neverallow rules. 448policy_files := $(call build_policy, $(sepolicy_build_files), \ 449 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \ 450 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ 451 $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ 452 $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) 453sepolicy_policy.conf := $(intermediates)/policy.conf 454$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 455$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 456$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user 457$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 458$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 459$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 460$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 461$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 462$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 463$(sepolicy_policy.conf): $(policy_files) $(M4) 464 $(transform-policy-to-conf) 465 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 466 467# sepolicy_policy_2.conf - All of the policy for the device. This is only used to 468# check neverallow rules using sepolicy-analyze, similar to CTS. 469policy_files := $(call build_policy, $(sepolicy_build_files), \ 470 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \ 471 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ 472 $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ 473 $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) 474sepolicy_policy_2.conf := $(intermediates)/policy_2.conf 475$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 476$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 477$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user 478$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true 479$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 480$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 481$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 482$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 483$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 484$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files) 485$(sepolicy_policy_2.conf): $(policy_files) $(M4) 486 $(transform-policy-to-conf) 487 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 488 489$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf) 490$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf) 491$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \ 492 $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze 493ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) 494 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \ 495 $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1) 496 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \ 497 ( echo "" 1>&2; \ 498 echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \ 499 echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \ 500 echo "the policy." 1>&2; \ 501 exit 1 ) 502endif # ($(SELINUX_IGNORE_NEVERALLOWS),true) 503 $(hide) touch $@.tmp 504 $(hide) mv $@.tmp $@ 505 506sepolicy_policy.conf := 507sepolicy_policy_2.conf := 508built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE) 509 510################################## 511# reqd_policy_mask - a policy.conf file which contains only the bare minimum 512# policy necessary to use checkpolicy. This bare-minimum policy needs to be 513# present in all policy.conf files, but should not necessarily be exported as 514# part of the public policy. The rules generated by reqd_policy_mask will allow 515# the compilation of public policy and subsequent removal of CIL policy that 516# should not be exported. 517 518policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY)) 519reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf 520$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 521$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 522$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 523$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 524$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 525$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 526$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 527$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 528$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 529$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 530$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files) 531$(reqd_policy_mask.conf): $(policy_files) $(M4) 532 $(transform-policy-to-conf) 533# b/37755687 534CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0 535 536reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil 537$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy 538 @mkdir -p $(dir $@) 539 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \ 540 $(POLICYVERS) -o $@ $< 541 542reqd_policy_mask.conf := 543 544################################## 545# pub_policy - policy that will be exported to be a part of non-platform 546# policy corresponding to this platform version. This is a limited subset of 547# policy that would not compile in checkpolicy on its own. To get around this 548# limitation, add only the required files from private policy, which will 549# generate CIL policy that will then be filtered out by the reqd_policy_mask. 550# 551# There are three pub_policy.cil files below: 552# - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy. 553# - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy. 554# - plat_pub_policy.cil: exported 'system' policy. 555# 556# Those above files will in turn be used to generate the following versioned cil files: 557# - product_mapping_file: the versioned, exported 'product' policy in product partition. 558# - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition. 559# - plat_mapping_file: the versioned, exported 'system' policy in system partition. 560# - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' 561# policy in vendor partition. 562# 563policy_files := $(call build_policy, $(sepolicy_build_files), \ 564 $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) 565pub_policy.conf := $(intermediates)/pub_policy.conf 566$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 567$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 568$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 569$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 570$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 571$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 572$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 573$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 574$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 575$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 576$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 577$(pub_policy.conf): $(policy_files) $(M4) 578 $(transform-policy-to-conf) 579pub_policy.cil := $(intermediates)/pub_policy.cil 580$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf) 581$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 582$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ 583$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil) 584 @mkdir -p $(dir $@) 585 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) 586 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 587 -f $(PRIVATE_REQD_MASK) -t $@ 588 589pub_policy.conf := 590 591################################## 592policy_files := $(call build_policy, $(sepolicy_build_files), \ 593 $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) 594system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf 595$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 596$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 597$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 598$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 599$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 600$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 601$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 602$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 603$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 604$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 605$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 606$(system_ext_pub_policy.conf): $(policy_files) $(M4) 607 $(transform-policy-to-conf) 608 609system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil 610$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf) 611$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 612$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ 613$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil) 614 @mkdir -p $(dir $@) 615 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) 616 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 617 -f $(PRIVATE_REQD_MASK) -t $@ 618 619system_ext_pub_policy.conf := 620 621################################## 622policy_files := $(call build_policy, $(sepolicy_build_files), \ 623 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) 624plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf 625$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 626$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 627$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 628$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 629$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 630$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 631$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 632$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 633$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 634$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 635$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 636$(plat_pub_policy.conf): $(policy_files) $(M4) 637 $(transform-policy-to-conf) 638 639plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil 640$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf) 641$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 642$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ 643$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil) 644 @mkdir -p $(dir $@) 645 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) 646 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 647 -f $(PRIVATE_REQD_MASK) -t $@ 648 649plat_pub_policy.conf := 650 651################################# 652include $(CLEAR_VARS) 653 654LOCAL_MODULE := plat_sepolicy.cil 655LOCAL_MODULE_CLASS := ETC 656LOCAL_MODULE_TAGS := optional 657LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 658 659include $(BUILD_SYSTEM)/base_rules.mk 660 661# plat_policy.conf - A combination of the private and public platform policy 662# which will ship with the device. The platform will always reflect the most 663# recent platform version and is not currently being attributized. 664policy_files := $(call build_policy, $(sepolicy_build_files), \ 665 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 666plat_policy.conf := $(intermediates)/plat_policy.conf 667$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 668$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 669$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 670$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 671$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 672$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 673$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 674$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 675$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 676$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 677$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 678$(plat_policy.conf): $(policy_files) $(M4) 679 $(transform-policy-to-conf) 680 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 681 682$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \ 683 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) 684$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 685$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 686 $(HOST_OUT_EXECUTABLES)/secilc \ 687 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ 688 $(built_sepolicy_neverallows) 689 @mkdir -p $(dir $@) 690 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 691 $(POLICYVERS) -o $@.tmp $< 692 $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp 693 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null 694 $(hide) mv $@.tmp $@ 695 696built_plat_cil := $(LOCAL_BUILT_MODULE) 697plat_policy.conf := 698 699################################# 700include $(CLEAR_VARS) 701 702LOCAL_MODULE := userdebug_plat_sepolicy.cil 703LOCAL_MODULE_CLASS := ETC 704LOCAL_MODULE_TAGS := optional 705LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT) 706 707include $(BUILD_SYSTEM)/base_rules.mk 708 709# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil 710policy_files := $(call build_policy, $(sepolicy_build_files), \ 711 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 712userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf 713$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 714$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 715$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug 716$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 717$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 718$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 719$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 720$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 721$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 722$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 723$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 724$(userdebug_plat_policy.conf): $(policy_files) $(M4) 725 $(transform-policy-to-conf) 726 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 727 728$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \ 729 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) 730$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 731$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 732 $(HOST_OUT_EXECUTABLES)/secilc \ 733 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ 734 $(built_sepolicy_neverallows) 735 @mkdir -p $(dir $@) 736 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 737 $(POLICYVERS) -o $@.tmp $< 738 $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp 739 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null 740 $(hide) mv $@.tmp $@ 741 742userdebug_plat_policy.conf := 743 744################################# 745include $(CLEAR_VARS) 746 747ifdef HAS_SYSTEM_EXT_SEPOLICY 748LOCAL_MODULE := system_ext_sepolicy.cil 749LOCAL_MODULE_CLASS := ETC 750LOCAL_MODULE_TAGS := optional 751LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux 752 753include $(BUILD_SYSTEM)/base_rules.mk 754 755# system_ext_policy.conf - A combination of the private and public system_ext policy 756# which will ship with the device. System_ext policy is not attributized. 757policy_files := $(call build_policy, $(sepolicy_build_files), \ 758 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ 759 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY)) 760system_ext_policy.conf := $(intermediates)/system_ext_policy.conf 761$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 762$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 763$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 764$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 765$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 766$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 767$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 768$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 769$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 770$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 771$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 772$(system_ext_policy.conf): $(policy_files) $(M4) 773 $(transform-policy-to-conf) 774 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 775 776$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 777$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil) 778$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 779$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) 780 @mkdir -p $(dir $@) 781 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 782 $(POLICYVERS) -o $@ $< 783 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 784 -f $(PRIVATE_PLAT_CIL) -t $@ 785 # Line markers (denoted by ;;) are malformed after above cmd. They are only 786 # used for debugging, so we remove them. 787 $(hide) grep -v ';;' $@ > $@.tmp 788 $(hide) mv $@.tmp $@ 789 # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the 790 # latter doesn't accidentally depend on vendor/odm policies. 791 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \ 792 $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null 793 794 795built_system_ext_cil := $(LOCAL_BUILT_MODULE) 796system_ext_policy.conf := 797endif # ifdef HAS_SYSTEM_EXT_SEPOLICY 798 799################################# 800include $(CLEAR_VARS) 801 802ifdef HAS_PRODUCT_SEPOLICY 803LOCAL_MODULE := product_sepolicy.cil 804LOCAL_MODULE_CLASS := ETC 805LOCAL_MODULE_TAGS := optional 806LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux 807 808include $(BUILD_SYSTEM)/base_rules.mk 809 810# product_policy.conf - A combination of the private and public product policy 811# which will ship with the device. Product policy is not attributized. 812policy_files := $(call build_policy, $(sepolicy_build_files), \ 813 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ 814 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ 815 $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)) 816product_policy.conf := $(intermediates)/product_policy.conf 817$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 818$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 819$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 820$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 821$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 822$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 823$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 824$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 825$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 826$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 827$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 828$(product_policy.conf): $(policy_files) $(M4) 829 $(transform-policy-to-conf) 830 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 831 832$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 833$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) 834$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 835$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \ 836$(built_plat_cil) $(built_system_ext_cil) 837 @mkdir -p $(dir $@) 838 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 839 $(POLICYVERS) -o $@ $< 840 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 841 -f $(PRIVATE_PLAT_CIL_FILES) -t $@ 842 # Line markers (denoted by ;;) are malformed after above cmd. They are only 843 # used for debugging, so we remove them. 844 $(hide) grep -v ';;' $@ > $@.tmp 845 $(hide) mv $@.tmp $@ 846 # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to 847 # make sure that the latter doesn't accidentally depend on vendor/odm policies. 848 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \ 849 $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null 850 851 852built_product_cil := $(LOCAL_BUILT_MODULE) 853product_policy.conf := 854endif # ifdef HAS_PRODUCT_SEPOLICY 855 856################################# 857include $(CLEAR_VARS) 858 859LOCAL_MODULE := plat_sepolicy_vers.txt 860LOCAL_MODULE_CLASS := ETC 861LOCAL_MODULE_TAGS := optional 862LOCAL_PROPRIETARY_MODULE := true 863LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 864 865include $(BUILD_SYSTEM)/base_rules.mk 866 867$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS) 868$(LOCAL_BUILT_MODULE) : 869 mkdir -p $(dir $@) 870 echo $(PRIVATE_PLAT_SEPOL_VERS) > $@ 871 872################################# 873include $(CLEAR_VARS) 874 875LOCAL_MODULE := plat_mapping_file 876LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil 877LOCAL_MODULE_CLASS := ETC 878LOCAL_MODULE_TAGS := optional 879LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping 880 881include $(BUILD_SYSTEM)/base_rules.mk 882 883# auto-generate the mapping file for current platform policy, since it needs to 884# track platform policy development 885$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) 886$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy 887 @mkdir -p $(dir $@) 888 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ 889 890built_plat_mapping_cil := $(LOCAL_BUILT_MODULE) 891 892################################# 893include $(CLEAR_VARS) 894 895ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY 896LOCAL_MODULE := system_ext_mapping_file 897LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil 898LOCAL_MODULE_CLASS := ETC 899LOCAL_MODULE_TAGS := optional 900LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping 901 902include $(BUILD_SYSTEM)/base_rules.mk 903 904$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) 905$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil) 906$(LOCAL_BUILT_MODULE) : $(system_ext_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ 907$(built_plat_mapping_cil) 908 @mkdir -p $(dir $@) 909 # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext' 910 # sepolicy minus plat_mapping_file. 911 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ 912 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 913 -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@ 914 915built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE) 916endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY 917 918################################# 919include $(CLEAR_VARS) 920 921ifdef HAS_PRODUCT_PUBLIC_SEPOLICY 922LOCAL_MODULE := product_mapping_file 923LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil 924LOCAL_MODULE_CLASS := ETC 925LOCAL_MODULE_TAGS := optional 926LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping 927 928include $(BUILD_SYSTEM)/base_rules.mk 929 930$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) 931$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) 932$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ 933$(built_plat_mapping_cil) $(built_system_ext_mapping_cil) 934 @mkdir -p $(dir $@) 935 # Generate product mapping file as mapping file of all public sepolicy minus 936 # plat_mapping_file and system_ext_mapping_file. 937 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ 938 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 939 -f $(PRIVATE_FILTER_CIL_FILES) -t $@ 940 941built_product_mapping_cil := $(LOCAL_BUILT_MODULE) 942endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY 943 944################################# 945include $(CLEAR_VARS) 946 947# plat_pub_versioned.cil - the exported platform policy associated with the version 948# that non-platform policy targets. 949LOCAL_MODULE := plat_pub_versioned.cil 950LOCAL_MODULE_CLASS := ETC 951LOCAL_MODULE_TAGS := optional 952LOCAL_PROPRIETARY_MODULE := true 953LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 954 955include $(BUILD_SYSTEM)/base_rules.mk 956 957$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 958$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil) 959$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \ 960$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \ 961$(built_product_mapping_cil) 962$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ 963 $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \ 964 $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) 965 @mkdir -p $(dir $@) 966 $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@ 967 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \ 968 $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null 969 970built_pub_vers_cil := $(LOCAL_BUILT_MODULE) 971 972################################# 973include $(CLEAR_VARS) 974 975# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined 976# with the platform-provided policy. It makes use of the reqd_policy_mask files from private 977# policy and the platform public policy files in order to use checkpolicy. 978LOCAL_MODULE := vendor_sepolicy.cil 979LOCAL_MODULE_CLASS := ETC 980LOCAL_MODULE_TAGS := optional 981LOCAL_PROPRIETARY_MODULE := true 982LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 983 984include $(BUILD_SYSTEM)/base_rules.mk 985 986policy_files := $(call build_policy, $(sepolicy_build_files), \ 987 $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \ 988 $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS)) 989vendor_policy.conf := $(intermediates)/vendor_policy.conf 990$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 991$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 992$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 993$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 994$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 995$(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 996$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 997$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 998$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 999$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 1000$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 1001$(vendor_policy.conf): $(policy_files) $(M4) 1002 $(transform-policy-to-conf) 1003 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 1004 1005$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf) 1006$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 1007$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil) 1008$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 1009$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \ 1010$(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \ 1011$(built_system_ext_mapping_cil) $(built_product_mapping_cil) 1012$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil) 1013$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ 1014 $(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \ 1015 $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \ 1016 $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \ 1017 $(built_product_mapping_cil) 1018 @mkdir -p $(dir $@) 1019 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ 1020 -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ 1021 -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \ 1022 -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ 1023 1024built_vendor_cil := $(LOCAL_BUILT_MODULE) 1025vendor_policy.conf := 1026 1027################################# 1028include $(CLEAR_VARS) 1029 1030ifdef BOARD_ODM_SEPOLICY_DIRS 1031# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined 1032# with the platform-provided policy. It makes use of the reqd_policy_mask files from private 1033# policy and the platform public policy files in order to use checkpolicy. 1034LOCAL_MODULE := odm_sepolicy.cil 1035LOCAL_MODULE_CLASS := ETC 1036LOCAL_MODULE_TAGS := optional 1037LOCAL_PROPRIETARY_MODULE := true 1038LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1039 1040include $(BUILD_SYSTEM)/base_rules.mk 1041 1042policy_files := $(call build_policy, $(sepolicy_build_files), \ 1043 $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \ 1044 $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) 1045odm_policy.conf := $(intermediates)/odm_policy.conf 1046$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 1047$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 1048$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 1049$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 1050$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 1051$(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 1052$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1053$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 1054$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 1055$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 1056$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 1057$(odm_policy.conf): $(policy_files) $(M4) 1058 $(transform-policy-to-conf) 1059 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 1060 1061$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf) 1062$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 1063$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil) 1064$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 1065$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \ 1066 $(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \ 1067 $(built_system_ext_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil) 1068$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil) 1069$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ 1070 $(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \ 1071 $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) $(built_pub_vers_cil) \ 1072 $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) \ 1073 $(built_vendor_cil) 1074 @mkdir -p $(dir $@) 1075 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ 1076 -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ 1077 -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \ 1078 -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ 1079 1080built_odm_cil := $(LOCAL_BUILT_MODULE) 1081odm_policy.conf := 1082odm_policy_raw := 1083endif 1084 1085################################# 1086include $(CLEAR_VARS) 1087 1088LOCAL_MODULE := precompiled_sepolicy 1089LOCAL_MODULE_CLASS := ETC 1090LOCAL_MODULE_TAGS := optional 1091LOCAL_PROPRIETARY_MODULE := true 1092 1093ifeq ($(BOARD_USES_ODMIMAGE),true) 1094LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1095else 1096LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1097endif 1098 1099include $(BUILD_SYSTEM)/base_rules.mk 1100 1101all_cil_files := \ 1102 $(built_plat_cil) \ 1103 $(built_plat_mapping_cil) \ 1104 $(built_pub_vers_cil) \ 1105 $(built_vendor_cil) 1106 1107ifdef HAS_SYSTEM_EXT_SEPOLICY 1108all_cil_files += $(built_system_ext_cil) 1109endif 1110 1111ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY 1112all_cil_files += $(built_system_ext_mapping_cil) 1113endif 1114 1115ifdef HAS_PRODUCT_SEPOLICY 1116all_cil_files += $(built_product_cil) 1117endif 1118 1119ifdef HAS_PRODUCT_PUBLIC_SEPOLICY 1120all_cil_files += $(built_product_mapping_cil) 1121endif 1122 1123ifdef BOARD_ODM_SEPOLICY_DIRS 1124all_cil_files += $(built_odm_cil) 1125endif 1126 1127$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files) 1128$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 1129$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows) 1130 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \ 1131 $(PRIVATE_CIL_FILES) -o $@ -f /dev/null 1132 1133built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE) 1134all_cil_files := 1135 1136################################# 1137# Precompiled sepolicy is loaded if and only if: 1138# - plat_sepolicy_and_mapping.sha256 equals 1139# precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 1140# AND 1141# - system_ext_sepolicy_and_mapping.sha256 equals 1142# precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 1143# AND 1144# - product_sepolicy_and_mapping.sha256 equals 1145# precompiled_sepolicy.product_sepolicy_and_mapping.sha256 1146# See system/core/init/selinux.cpp for details. 1147################################# 1148include $(CLEAR_VARS) 1149 1150LOCAL_MODULE := plat_sepolicy_and_mapping.sha256 1151LOCAL_MODULE_CLASS := ETC 1152LOCAL_MODULE_TAGS := optional 1153LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux 1154 1155include $(BUILD_SYSTEM)/base_rules.mk 1156 1157$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil) 1158 cat $^ | sha256sum | cut -d' ' -f1 > $@ 1159 1160################################# 1161include $(CLEAR_VARS) 1162 1163LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256 1164LOCAL_MODULE_CLASS := ETC 1165LOCAL_MODULE_TAGS := optional 1166LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux 1167 1168include $(BUILD_SYSTEM)/base_rules.mk 1169 1170$(LOCAL_BUILT_MODULE): $(built_system_ext_cil) $(built_system_ext_mapping_cil) 1171 cat $^ | sha256sum | cut -d' ' -f1 > $@ 1172 1173################################# 1174include $(CLEAR_VARS) 1175 1176LOCAL_MODULE := product_sepolicy_and_mapping.sha256 1177LOCAL_MODULE_CLASS := ETC 1178LOCAL_MODULE_TAGS := optional 1179LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux 1180 1181include $(BUILD_SYSTEM)/base_rules.mk 1182 1183$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil) 1184 cat $^ | sha256sum | cut -d' ' -f1 > $@ 1185 1186################################# 1187# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against 1188# which precompiled_policy was built. 1189################################# 1190include $(CLEAR_VARS) 1191LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 1192LOCAL_MODULE_CLASS := ETC 1193LOCAL_MODULE_TAGS := optional 1194 1195ifeq ($(BOARD_USES_ODMIMAGE),true) 1196LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1197else 1198LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1199endif 1200 1201include $(BUILD_SYSTEM)/base_rules.mk 1202 1203$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil) 1204$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil) 1205 cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ 1206 1207################################# 1208# SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against 1209# which precompiled_policy was built. 1210################################# 1211include $(CLEAR_VARS) 1212LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 1213LOCAL_MODULE_CLASS := ETC 1214LOCAL_MODULE_TAGS := optional 1215 1216ifeq ($(BOARD_USES_ODMIMAGE),true) 1217LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1218else 1219LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1220endif 1221 1222include $(BUILD_SYSTEM)/base_rules.mk 1223 1224$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_system_ext_cil) $(built_system_ext_mapping_cil) 1225$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_system_ext_cil) $(built_system_ext_mapping_cil) 1226 cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ 1227 1228################################# 1229# SHA-256 digest of the product_sepolicy.cil and product_mapping_file against 1230# which precompiled_policy was built. 1231################################# 1232include $(CLEAR_VARS) 1233LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256 1234LOCAL_MODULE_CLASS := ETC 1235LOCAL_MODULE_TAGS := optional 1236 1237ifeq ($(BOARD_USES_ODMIMAGE),true) 1238LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1239else 1240LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1241endif 1242 1243include $(BUILD_SYSTEM)/base_rules.mk 1244 1245$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil) 1246$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil) 1247 cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ 1248 1249################################# 1250include $(CLEAR_VARS) 1251# build this target so that we can still perform neverallow checks 1252 1253LOCAL_MODULE := sepolicy 1254LOCAL_MODULE_CLASS := ETC 1255LOCAL_MODULE_TAGS := optional 1256LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1257 1258include $(BUILD_SYSTEM)/base_rules.mk 1259 1260all_cil_files := \ 1261 $(built_plat_cil) \ 1262 $(built_plat_mapping_cil) \ 1263 $(built_pub_vers_cil) \ 1264 $(built_vendor_cil) 1265 1266ifdef HAS_SYSTEM_EXT_SEPOLICY 1267all_cil_files += $(built_system_ext_cil) 1268endif 1269 1270ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY 1271all_cil_files += $(built_system_ext_mapping_cil) 1272endif 1273 1274ifdef HAS_PRODUCT_SEPOLICY 1275all_cil_files += $(built_product_cil) 1276endif 1277 1278ifdef HAS_PRODUCT_PUBLIC_SEPOLICY 1279all_cil_files += $(built_product_mapping_cil) 1280endif 1281 1282ifdef BOARD_ODM_SEPOLICY_DIRS 1283all_cil_files += $(built_odm_cil) 1284endif 1285 1286$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files) 1287$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 1288$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \ 1289$(built_sepolicy_neverallows) 1290 @mkdir -p $(dir $@) 1291 $(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null 1292 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains 1293 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ 1294 echo "==========" 1>&2; \ 1295 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ 1296 echo "List of invalid domains:" 1>&2; \ 1297 cat $@.permissivedomains 1>&2; \ 1298 exit 1; \ 1299 fi 1300 $(hide) mv $@.tmp $@ 1301 1302built_sepolicy := $(LOCAL_BUILT_MODULE) 1303all_cil_files := 1304 1305################################# 1306include $(CLEAR_VARS) 1307 1308# keep concrete sepolicy for neverallow checks 1309# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling. 1310 1311LOCAL_MODULE := sepolicy.recovery 1312LOCAL_MODULE_STEM := sepolicy 1313LOCAL_MODULE_CLASS := ETC 1314LOCAL_MODULE_TAGS := optional 1315LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1316 1317include $(BUILD_SYSTEM)/base_rules.mk 1318 1319policy_files := $(call build_policy, $(sepolicy_build_files), \ 1320 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ 1321 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ 1322 $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ 1323 $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \ 1324 $(BOARD_ODM_SEPOLICY_DIRS)) 1325sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf 1326$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 1327$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 1328$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 1329$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 1330$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 1331$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 1332$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1333$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true 1334$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files) 1335$(sepolicy.recovery.conf): $(policy_files) $(M4) 1336 $(transform-policy-to-conf) 1337 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 1338 1339ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) 1340 $(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow 1341 $(hide) mv $@.neverallow $@ 1342endif 1343 1344$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 1345 $(HOST_OUT_EXECUTABLES)/sepolicy-analyze 1346 @mkdir -p $(dir $@) 1347 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \ 1348 $(POLICYVERS) -o $@.tmp $< 1349 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains 1350 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ 1351 echo "==========" 1>&2; \ 1352 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ 1353 echo "List of invalid domains:" 1>&2; \ 1354 cat $@.permissivedomains 1>&2; \ 1355 exit 1; \ 1356 fi 1357 $(hide) mv $@.tmp $@ 1358 1359sepolicy.recovery.conf := 1360 1361################################## 1362# SELinux policy embedded into CTS. 1363# CTS checks neverallow rules of this policy against the policy of the device under test. 1364################################## 1365include $(CLEAR_VARS) 1366 1367LOCAL_MODULE := general_sepolicy.conf 1368LOCAL_MODULE_CLASS := ETC 1369LOCAL_MODULE_TAGS := tests 1370 1371include $(BUILD_SYSTEM)/base_rules.mk 1372 1373policy_files := $(call build_policy, $(sepolicy_build_files), \ 1374 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 1375$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS) 1376$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS) 1377$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user 1378$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch) 1379$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false 1380$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts 1381$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts 1382$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts 1383$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true 1384$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files) 1385$(LOCAL_BUILT_MODULE): $(policy_files) $(M4) 1386 $(transform-policy-to-conf) 1387 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 1388 1389################################## 1390# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of. 1391# 1392include $(CLEAR_VARS) 1393 1394LOCAL_MODULE := file_contexts.bin 1395LOCAL_MODULE_CLASS := ETC 1396LOCAL_MODULE_TAGS := optional 1397LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1398 1399include $(BUILD_SYSTEM)/base_rules.mk 1400 1401# The file_contexts.bin is built in the following way: 1402# 1. Collect all file_contexts files in THIS repository and process them with 1403# m4 into a tmp file called file_contexts.local.tmp. 1404# 2. Collect all device specific file_contexts files and process them with m4 1405# into a tmp file called file_contexts.device.tmp. 1406# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on 1407# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. 1408# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into 1409# file_contexts.concat.tmp. 1410# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce 1411# file_contexts.bin. 1412# 1413# Note: That a newline file is placed between each file_context file found to 1414# ensure a proper build when an fc file is missing an ending newline. 1415 1416local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY)) 1417 1418ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 1419local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY)) 1420endif 1421 1422ifdef HAS_PRODUCT_SEPOLICY_DIR 1423local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY)) 1424endif 1425 1426ifneq ($(filter address,$(SANITIZE_TARGET)),) 1427 local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY))) 1428endif 1429ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) 1430 local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY))) 1431endif 1432 1433# Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed 1434$(foreach _tuple,$(APEX_FILE_CONTEXTS_INFOS),\ 1435 $(eval _apex_name := $(call word-colon,1,$(_tuple)))\ 1436 $(eval _apex_path := $(call word-colon,2,$(_tuple)))\ 1437 $(eval _fc_path := $(call word-colon,3,$(_tuple)))\ 1438 $(eval _input := $(_fc_path))\ 1439 $(eval _output := $(intermediates)/$(_apex_name)-flattened)\ 1440 $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_path),$(_output),local_fc_files))\ 1441 ) 1442 1443file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp 1444$(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files) 1445$(file_contexts.local.tmp): $(local_fc_files) $(M4) 1446 @mkdir -p $(dir $@) 1447 $(hide) $(M4) --fatal-warnings -s $(PRIVATE_FC_FILES) > $@ 1448 1449device_fc_files := $(call build_vendor_policy, file_contexts) 1450 1451ifdef BOARD_ODM_SEPOLICY_DIRS 1452device_fc_files += $(call build_odm_policy, file_contexts) 1453endif 1454 1455file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp 1456$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1457$(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files) 1458$(file_contexts.device.tmp): $(device_fc_files) $(M4) 1459 @mkdir -p $(dir $@) 1460 $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@ 1461 1462file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp 1463$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy) 1464$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \ 1465 $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc 1466 @mkdir -p $(dir $@) 1467 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $< 1468 $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@ 1469 1470file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp 1471$(file_contexts.concat.tmp): PRIVATE_CONTEXTS := $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) 1472$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) $(M4) 1473 @mkdir -p $(dir $@) 1474 $(hide) $(M4) --fatal-warnings -s $(PRIVATE_CONTEXTS) > $@ 1475 1476$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1477$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc 1478 @mkdir -p $(dir $@) 1479 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< 1480 $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< 1481 1482built_fc := $(LOCAL_BUILT_MODULE) 1483local_fc_files := 1484local_fcfiles_with_nl := 1485device_fc_files := 1486device_fcfiles_with_nl := 1487file_contexts.concat.tmp := 1488file_contexts.device.sorted.tmp := 1489file_contexts.device.tmp := 1490file_contexts.local.tmp := 1491 1492################################## 1493include $(CLEAR_VARS) 1494 1495LOCAL_MODULE := selinux_denial_metadata 1496LOCAL_MODULE_CLASS := ETC 1497LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1498 1499include $(BUILD_SYSTEM)/base_rules.mk 1500 1501bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY)) 1502 1503$(LOCAL_BUILT_MODULE) : $(bug_files) 1504 @mkdir -p $(dir $@) 1505 cat $^ > $@ 1506 1507bug_files := 1508 1509################################## 1510include $(LOCAL_PATH)/seapp_contexts.mk 1511 1512################################## 1513include $(LOCAL_PATH)/contexts_tests.mk 1514 1515################################## 1516include $(CLEAR_VARS) 1517 1518LOCAL_MODULE := vndservice_contexts 1519LOCAL_MODULE_CLASS := ETC 1520LOCAL_MODULE_TAGS := optional 1521LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1522 1523include $(BUILD_SYSTEM)/base_rules.mk 1524 1525vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1526 1527vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp 1528$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles) 1529$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1530$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4) 1531 @mkdir -p $(dir $@) 1532 $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1533 1534$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1535$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1536 @mkdir -p $(dir $@) 1537 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1538 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@ 1539 1540vnd_svcfiles := 1541vndservice_contexts.tmp := 1542 1543################################## 1544include $(LOCAL_PATH)/mac_permissions.mk 1545 1546################################# 1547include $(CLEAR_VARS) 1548LOCAL_MODULE := sepolicy_tests 1549LOCAL_MODULE_CLASS := FAKE 1550LOCAL_MODULE_TAGS := optional 1551 1552include $(BUILD_SYSTEM)/base_rules.mk 1553 1554all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts 1555all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts 1556ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 1557all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts 1558endif 1559ifdef HAS_PRODUCT_SEPOLICY_DIR 1560all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts 1561endif 1562ifdef BOARD_ODM_SEPOLICY_DIRS 1563all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts 1564endif 1565all_fc_args := $(foreach file, $(all_fc_files), -f $(file)) 1566 1567$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args) 1568$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1569$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy) 1570 @mkdir -p $(dir $@) 1571 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \ 1572 $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY) 1573 $(hide) touch $@ 1574 1575################################## 1576intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,) 1577 1578# plat_sepolicy - the current platform policy only, built into a policy binary. 1579# TODO - this currently excludes partner extensions, but support should be added 1580# to enable partners to add their own compatibility mapping 1581policy_files := $(call build_policy, $(sepolicy_build_files), \ 1582 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 1583base_plat_policy.conf := $(intermediates)/base_plat_policy.conf 1584$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 1585$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 1586$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user 1587$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 1588$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 1589$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1590$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true 1591$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 1592$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 1593$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 1594$(base_plat_policy.conf): $(policy_files) $(M4) 1595 $(transform-policy-to-conf) 1596 $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 1597 1598built_plat_sepolicy := $(intermediates)/built_plat_sepolicy 1599$(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \ 1600 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) 1601$(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 1602$(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 1603$(HOST_OUT_EXECUTABLES)/secilc \ 1604$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ 1605$(built_sepolicy_neverallows) 1606 @mkdir -p $(dir $@) 1607 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 1608 $(POLICYVERS) -o $@ $< 1609 $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@ 1610 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null 1611 1612policy_files := $(call build_policy, $(sepolicy_build_files), \ 1613 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) 1614base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf 1615$(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 1616$(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 1617$(base_plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user 1618$(base_plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 1619$(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 1620$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1621$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true 1622$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 1623$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) 1624$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 1625$(base_plat_pub_policy.conf): $(policy_files) $(M4) 1626 $(transform-policy-to-conf) 1627 1628base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil 1629$(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf) 1630$(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 1631$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ 1632$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil) 1633 @mkdir -p $(dir $@) 1634 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) 1635 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ 1636 -f $(PRIVATE_REQD_MASK) -t $@ 1637 1638ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1639# Tests for Treble compatibility of current platform policy and vendor policy of 1640# given release version. 1641version_under_treble_tests := 26.0 1642include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1643version_under_treble_tests := 27.0 1644include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1645version_under_treble_tests := 28.0 1646include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1647version_under_treble_tests := 29.0 1648include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1649endif # PRODUCT_SEPOLICY_SPLIT 1650 1651version_under_treble_tests := 26.0 1652include $(LOCAL_PATH)/compat.mk 1653version_under_treble_tests := 27.0 1654include $(LOCAL_PATH)/compat.mk 1655version_under_treble_tests := 28.0 1656include $(LOCAL_PATH)/compat.mk 1657version_under_treble_tests := 29.0 1658include $(LOCAL_PATH)/compat.mk 1659 1660base_plat_policy.conf := 1661base_plat_pub_policy.conf := 1662plat_sepolicy := 1663all_fc_files := 1664all_fc_args := 1665 1666################################# 1667include $(CLEAR_VARS) 1668LOCAL_MODULE := sepolicy_freeze_test 1669LOCAL_MODULE_CLASS := FAKE 1670LOCAL_MODULE_TAGS := optional 1671 1672include $(BUILD_SYSTEM)/base_rules.mk 1673 1674define ziplist 1675$(if $(and $1,$2), "$(firstword $1) $(firstword $2)"\ 1676 $(call ziplist,$(wordlist 2,$(words $1),$1),$(wordlist 2,$(words $2),$2))) 1677endef 1678 1679base_plat_public := $(LOCAL_PATH)/public 1680base_plat_private := $(LOCAL_PATH)/private 1681base_plat_public_prebuilt := \ 1682 $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public 1683base_plat_private_prebuilt := \ 1684 $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private 1685 1686all_frozen_files := $(call build_policy,$(sepolicy_build_files), \ 1687$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt)) 1688 1689$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public) 1690$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private) 1691$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt) 1692$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt) 1693$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA := $(sort $(FREEZE_TEST_EXTRA_DIRS)) 1694$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_PREBUILT := $(sort $(FREEZE_TEST_EXTRA_PREBUILT_DIRS)) 1695$(LOCAL_BUILT_MODULE): $(all_frozen_files) 1696ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 1697 @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC) 1698 @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE) 1699ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS)) 1700 @for pair in $(call ziplist, $(PRIVATE_EXTRA_PREBUILT), $(PRIVATE_EXTRA)); \ 1701 do diff -rq -x bug_map $$pair; done 1702endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS)) 1703endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 1704 $(hide) touch $@ 1705 1706base_plat_public := 1707base_plat_private := 1708base_plat_public_prebuilt := 1709base_plat_private_prebuilt := 1710all_frozen_files := 1711 1712################################# 1713 1714 1715build_vendor_policy := 1716build_odm_policy := 1717build_policy := 1718built_plat_cil := 1719built_system_ext_cil := 1720built_product_cil := 1721built_pub_vers_cil := 1722built_plat_mapping_cil := 1723built_system_ext_mapping_cil := 1724built_product_mapping_cil := 1725built_vendor_cil := 1726built_odm_cil := 1727built_precompiled_sepolicy := 1728built_sepolicy := 1729built_sepolicy_neverallows := 1730built_plat_svc := 1731built_vendor_svc := 1732built_plat_sepolicy := 1733treble_sysprop_neverallow := 1734mapping_policy := 1735my_target_arch := 1736pub_policy.cil := 1737system_ext_pub_policy.cil := 1738plat_pub_policy.cil := 1739reqd_policy_mask.cil := 1740sepolicy_build_files := 1741sepolicy_build_cil_workaround_files := 1742with_asan := 1743 1744include $(call all-makefiles-under,$(LOCAL_PATH)) 1745