// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Every module in this file inherits the license module declared below unless
// it overrides it with its own 'licenses: [...]' property.
package {
    default_applicable_licenses: ["system_sepolicy_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'filegroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// http://go/android-license-faq
license {
    name: "system_sepolicy_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

// Shared defaults for C/C++ modules that need the platform policy version as a
// compile-time define.
cc_defaults {
    name: "selinux_policy_version",
    cflags: ["-DSEPOLICY_VERSION=30"],
}

// Compatibility files for older vendor policy versions. For each version V
// (28.0 .. 32.0) there are three filegroups, all sourced from compat/V/:
//   V.board.compat.map -> compat/V/V.cil
//   V.board.compat.cil -> compat/V/V.compat.cil
//   V.board.ignore.map -> compat/V/V.ignore.cil
// When adding a version, add all three so the naming stays uniform.
se_filegroup {
    name: "28.0.board.compat.map",
    srcs: [
        "compat/28.0/28.0.cil",
    ],
}

se_filegroup {
    name: "29.0.board.compat.map",
    srcs: [
        "compat/29.0/29.0.cil",
    ],
}

se_filegroup {
    name: "30.0.board.compat.map",
    srcs: [
        "compat/30.0/30.0.cil",
    ],
}

se_filegroup {
    name: "31.0.board.compat.map",
    srcs: [
        "compat/31.0/31.0.cil",
    ],
}

se_filegroup {
    name: "32.0.board.compat.map",
    srcs: [
        "compat/32.0/32.0.cil",
    ],
}

se_filegroup {
    name: "28.0.board.compat.cil",
    srcs: [
        "compat/28.0/28.0.compat.cil",
    ],
}

se_filegroup {
    name: "29.0.board.compat.cil",
    srcs: [
        "compat/29.0/29.0.compat.cil",
    ],
}

se_filegroup {
    name: "30.0.board.compat.cil",
    srcs: [
        "compat/30.0/30.0.compat.cil",
    ],
}

se_filegroup {
    name: "31.0.board.compat.cil",
    srcs: [
        "compat/31.0/31.0.compat.cil",
    ],
}

se_filegroup {
    name: "32.0.board.compat.cil",
    srcs: [
        "compat/32.0/32.0.compat.cil",
    ],
}

se_filegroup {
    name: "28.0.board.ignore.map",
    srcs: [
        "compat/28.0/28.0.ignore.cil",
    ],
}

se_filegroup {
    name: "29.0.board.ignore.map",
    srcs: [
        "compat/29.0/29.0.ignore.cil",
    ],
}

se_filegroup {
    name: "30.0.board.ignore.map",
    srcs: [
        "compat/30.0/30.0.ignore.cil",
    ],
}

se_filegroup {
    name: "31.0.board.ignore.map",
    srcs: [
        "compat/31.0/31.0.ignore.cil",
    ],
}

se_filegroup {
    name: "32.0.board.ignore.map",
    srcs: [
        "compat/32.0/32.0.ignore.cil",
    ],
}

// One se_build_files module per *_contexts source. Other modules refer to
// these by module name (":<name>_files"), not by the file name.
se_build_files {
    name: "file_contexts_files",
    srcs: ["file_contexts"],
}

se_build_files {
    name: "file_contexts_asan_files",
    srcs: ["file_contexts_asan"],
}

se_build_files {
    name: "file_contexts_overlayfs_files",
    srcs: ["file_contexts_overlayfs"],
}

se_build_files {
    name: "hwservice_contexts_files",
    srcs: ["hwservice_contexts"],
}

se_build_files {
    name: "property_contexts_files",
    srcs: ["property_contexts"],
}

se_build_files {
    name: "service_contexts_files",
    srcs: ["service_contexts"],
}

se_build_files {
    name: "keystore2_key_contexts_files",
    srcs: ["keystore2_key_contexts"],
}

se_build_files {
    name: "seapp_contexts_files",
    srcs: ["seapp_contexts"],
}

se_build_files {
    name: "vndservice_contexts_files",
    srcs: ["vndservice_contexts"],
}

// For vts_treble_sys_prop_test. Visibility is restricted to that test's
// directory so nothing else can depend on the private file directly.
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}

// The policy sources proper. "*.te" is a glob, so every type-enforcement file
// is picked up; the remaining entries are the fixed policy.conf building blocks.
// NOTE(review): the list is presumably in policy.conf concatenation order
// (declarations before the rules that use them) — keep the order when editing.
se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}

// Technical-debt CIL that is appended to the platform .cil files via
// additional_cil_files (see the se_policy_cil modules below).
se_build_files {
    name: "sepolicy_technical_debt",
    srcs: ["technical_debt.cil"],
}

// Per-scope slices of se_build_files, selected with the {.tag} output-tag
// syntax. These lists are concatenated with '+' in the se_policy_conf modules
// below; the concatenation order is the order in which the scopes are fed to
// the policy build, so do not reorder them casually.
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
plat_public_policy = [":se_build_files{.plat_public}"]
plat_private_policy = [":se_build_files{.plat_private}"]
system_ext_public_policy = [":se_build_files{.system_ext_public}"]
system_ext_private_policy = [":se_build_files{.system_ext_private}"]
product_public_policy = [":se_build_files{.product_public}"]
product_private_policy = [":se_build_files{.product_private}"]

// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
// This bare-minimum policy needs to be present in all policy.conf files, but
// should not necessarily be exported as part of the public policy.
//
// The rules generated by reqd_policy_mask will allow the compilation of public
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    srcs: reqd_mask_policy,
    installable: false,
}

// Not a complete policy on its own, so it is not checked with secilc here; it
// only exists to be subtracted from the pub_policy .cil files via filter_out.
se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    secilc_check: false,
    installable: false,
}

// pub_policy - policy that will be exported to be a part of non-platform
// policy corresponding to this platform version.
//
// This is a limited subset of policy that would not compile in checkpolicy on
// its own.
//
// To get around this limitation, add only the required files from private
// policy, which will generate CIL policy that will then be filtered out by the
// reqd_policy_mask.
//
// There are three pub_policy.cil files below:
// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
// - plat_pub_policy.cil: exported 'system' policy.
//
// Those above files will in turn be used to generate the following versioned cil files:
// - product_mapping_file: the versioned, exported 'product' policy in product partition.
// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
//                           in vendor partition.
//
// Each pub_policy*.conf below mixes the public scopes with reqd_mask_policy so
// that checkpolicy accepts the input; the matching .cil then subtracts
// reqd_policy_mask.cil again (filter_out) so only the public rules remain.
se_policy_conf {
    name: "pub_policy.conf",
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    installable: false,
}

se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    // Strip the bare-minimum rules that were only added for checkpolicy.
    filter_out: [":reqd_policy_mask.cil"],
    // Partial policy; cannot be validated by secilc on its own.
    secilc_check: false,
    installable: false,
}

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    installable: false,
}

se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

se_policy_conf {
    name: "plat_pub_policy.conf",
    srcs: plat_public_policy +
        reqd_mask_policy,
    installable: false,
}

se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

// plat_policy.conf - A combination of the private and public platform policy
// which will ship with the device.
//
// The platform will always reflect the most recent platform version and is not
// currently being attributized.
se_policy_conf {
    name: "plat_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy,
    installable: false,
}

// The shipped platform policy. The technical-debt CIL is appended after the
// generated CIL rather than being part of the .conf sources.
se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
}

// apex_sepolicy - policy for the com.android.sepolicy APEX (version 33). It is
// built against the full platform policy so that types it references resolve,
// and plat_sepolicy.cil is then filtered out so the .cil contains only the
// rules contributed by com.android.sepolicy/33/*.te.
se_policy_conf {
    name: "apex_sepolicy-33.conf",
    srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
    installable: false,
}

se_policy_cil {
    name: "apex_sepolicy-33.cil",
    src: ":apex_sepolicy-33.conf",
    filter_out: [":plat_sepolicy.cil"],
    installable: false,
    // The installed file name drops the version suffix.
    stem: "apex_sepolicy.cil",
}

// userdebug_plat_policy.conf - the userdebug version of plat_sepolicy.cil.
// Same sources as plat_sepolicy.conf, built with the userdebug variant.
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "userdebug",
    installable: false,
}

// Placed in the debug ramdisk and distributed with droidcore.
se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    debug_ramdisk: true,
    dist: {
        targets: ["droidcore"],
    },
}

// A copy of the userdebug_plat_policy in GSI.
// se_policy_cil variant whose 'enabled' and 'installable' properties can be
// switched by the PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT board variable.
soong_config_module_type {
    name: "gsi_se_policy_cil",
    module_type: "se_policy_cil",
    config_namespace: "ANDROID",
    bool_variables: [
        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
    ],
    properties: [
        "enabled",
        "installable",
    ],
}

// Disabled and not installed by default; both are turned on only when
// PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT is set. The stem makes the
// installed name match the ramdisk copy above.
gsi_se_policy_cil {
    name: "system_ext_userdebug_plat_sepolicy.cil",
    stem: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    system_ext_specific: true,
    enabled: false,
    installable: false,
    soong_config_variables: {
        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
            enabled: true,
            installable: true,
        },
    },
}

// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized.
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    installable: false,
}

// plat_sepolicy.cil is filtered out so the system_ext partition ships only its
// delta over the platform policy.
se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    filter_out: [":plat_sepolicy.cil"],
    remove_line_marker: true,
}

// product_policy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized.
se_policy_conf {
    name: "product_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    installable: false,
}

// Both the platform and the system_ext .cil are filtered out, so product ships
// only its own delta.
se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
    remove_line_marker: true,
}

// policy mapping files
// auto-generate the mapping file for current platform policy, since it needs to
// track platform policy development.
//
// The three mapping files form a chain: each one filters out the mapping
// file(s) of the partitions below it, mirroring the *_sepolicy.cil filter_out
// chain above.
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
}

se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}

se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}

// vendor/odm sepolicy
//
// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
// policy files of platform (system, system_ext, product) can't be mixed with
// policy files of vendor (vendor, odm). In that case, platform policies and
// vendor policies are built separately. More specifically,
//
// - Platform policy files needed to build vendor policies, such as plat_policy,
//   plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
//   prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
//
// - sepolicy_neverallows only checks platform policies, and a new module
//   sepolicy_neverallows_vendor checks vendor policies.
//
// - neverallow checks are turned off while compiling precompiled_sepolicy
//   module and sepolicy module.
//
// - Vendor policies are not checked on the compat test (compat.mk).
//
// In such scenario, we can grab platform policy files from the prebuilts/api
// directory. But we need more than that: prebuilts of system_ext, product,
// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
// variables are introduced to specify such prebuilts.
//
// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
//
// Vendors are responsible for copying policy files from the old version of the
// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
// can be used to build vendor policies.
//
// To support both mixed build and normal build, platform policy files are
// indirectly referred to as {.(partition)_(scope)_for_vendor}. They will be equal
// to {.(partition)_(scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
// Otherwise, they will be equal to the Makefile variables above.

// Public scopes plus reqd_mask, resolved through the *_for_vendor tags so a
// mixed build picks up the prebuilts of BOARD_SEPOLICY_VERS instead of the
// current tree.
plat_public_policies_for_vendor = [
    ":se_build_files{.plat_public_for_vendor}",
    ":se_build_files{.system_ext_public_for_vendor}",
    ":se_build_files{.product_public_for_vendor}",
    ":se_build_files{.reqd_mask_for_vendor}",
]

// Public and private scopes of all three platform partitions, again through
// the *_for_vendor tags.
plat_policies_for_vendor = [
    ":se_build_files{.plat_public_for_vendor}",
    ":se_build_files{.plat_private_for_vendor}",
    ":se_build_files{.system_ext_public_for_vendor}",
    ":se_build_files{.system_ext_private_for_vendor}",
    ":se_build_files{.product_public_for_vendor}",
    ":se_build_files{.product_private_for_vendor}",
]

// Vendor-side counterparts of plat_sepolicy / reqd_policy_mask / pub_policy /
// plat_mapping_file above. None of them are installed; they exist only as
// inputs for the vendor and odm policy modules below.
se_policy_conf {
    name: "plat_policy_for_vendor.conf",
    srcs: plat_policies_for_vendor,
    installable: false,
}

se_policy_cil {
    name: "plat_policy_for_vendor.cil",
    src: ":plat_policy_for_vendor.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
    installable: false,
}

se_policy_conf {
    name: "reqd_policy_mask_for_vendor.conf",
    srcs: [":se_build_files{.reqd_mask_for_vendor}"],
    installable: false,
}

se_policy_cil {
    name: "reqd_policy_mask_for_vendor.cil",
    src: ":reqd_policy_mask_for_vendor.conf",
    secilc_check: false,
    installable: false,
}

se_policy_conf {
    name: "pub_policy_for_vendor.conf",
    srcs: plat_public_policies_for_vendor,
    installable: false,
}

se_policy_cil {
    name: "pub_policy_for_vendor.cil",
    src: ":pub_policy_for_vendor.conf",
    filter_out: [":reqd_policy_mask_for_vendor.cil"],
    secilc_check: false,
    installable: false,
}

se_versioned_policy {
    name: "plat_mapping_file_for_vendor",
    base: ":pub_policy_for_vendor.cil",
    mapping: true,
    version: "vendor",
    installable: false,
}

// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
// Installed to the vendor partition (vendor: true). base and target_policy are
// the same module here because this file is the versioned public policy itself,
// not a delta over it.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy_for_vendor.cil",
    target_policy: ":pub_policy_for_vendor.cil",
    version: "vendor",
    vendor: true,
}

// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
    name: "vendor_sepolicy.conf",
    srcs: plat_public_policies_for_vendor + [
        ":se_build_files{.plat_vendor_for_vendor}",
        ":se_build_files{.vendor}",
    ],
    installable: false,
}

// Intermediate, unversioned CIL: the reqd_mask rules are removed here, and the
// secilc check is deferred to the se_versioned_policy module below, which is
// where the full policy is assembled.
se_policy_cil {
    name: "vendor_sepolicy.cil.raw",
    src: ":vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask_for_vendor.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    installable: false,
}

// dependent_cils lists the platform CILs the vendor policy is checked against;
// plat_pub_versioned.cil is then filtered out so it is not shipped twice.
se_versioned_policy {
    name: "vendor_sepolicy.cil",
    base: ":pub_policy_for_vendor.cil",
    target_policy: ":vendor_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_policy_for_vendor.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file_for_vendor",
    ],
    filter_out: [":plat_pub_versioned.cil"],
    vendor: true,
}

// odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
// Same inputs as vendor_sepolicy.conf plus the odm sources.
se_policy_conf {
    name: "odm_sepolicy.conf",
    srcs: plat_public_policies_for_vendor + [
        ":se_build_files{.plat_vendor_for_vendor}",
        ":se_build_files{.vendor}",
        ":se_build_files{.odm}",
    ],
    installable: false,
}

// Both the reqd_mask rules and the vendor policy are subtracted, so the raw
// odm CIL holds only the odm delta.
se_policy_cil {
    name: "odm_sepolicy.cil.raw",
    src: ":odm_sepolicy.conf",
    filter_out: [
        ":reqd_policy_mask_for_vendor.cil",
        ":vendor_sepolicy.cil",
    ],
    secilc_check: false, // will be done in se_versioned_policy module
    installable: false,
}

// Checked against the platform CILs and the vendor policy; installed to the
// odm partition (device_specific: true).
se_versioned_policy {
    name: "odm_sepolicy.cil",
    base: ":pub_policy_for_vendor.cil",
    target_policy: ":odm_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_policy_for_vendor.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file_for_vendor",
        ":vendor_sepolicy.cil",
    ],
    filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
    device_specific: true,
}

//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
//   AND
// - system_ext_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
//   AND
// - product_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
//   AND
// - apex_sepolicy.sha256 equals
//   precompiled_sepolicy.apex_sepolicy.sha256
// See system/core/init/selinux.cpp for details.
//
// Each pair below is produced from a single genrule, so within one build the
// two copies are identical; they can only differ when the partitions holding
// them were built from different sources (e.g. a mixed build, see above), which
// is exactly the case in which the precompiled policy must not be used.
//////////////////////////////////
// Digest of plat_sepolicy.cil and plat_mapping_file. The hash covers $(in)
// concatenated in srcs order, so the order of srcs is part of the value.
genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
    out: ["plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

// Installed next to the policy it describes (/system/etc/selinux).
prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

genrule {
    name: "apex_sepolicy.sha256_gen",
    srcs: [":apex_sepolicy-33.cil"],
    out: ["apex_sepolicy.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

// Not installed by this file; presumably packaged with the APEX instead
// (NOTE(review): confirm against the com.android.sepolicy build rules).
prebuilt_etc {
    name: "apex_sepolicy.sha256",
    filename: "apex_sepolicy.sha256",
    src: ":apex_sepolicy.sha256_gen",
    installable: false,
}

genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}

genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [":product_sepolicy.cil", ":product_mapping_file"],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}

// Records the vendor policy version on the vendor partition.
sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}

// prebuilt_defaults variant that lets BOARD_USES_ODMIMAGE choose between the
// odm partition (device_specific) and the vendor partition (vendor).
soong_config_module_type {
    name: "precompiled_sepolicy_prebuilts_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: ["vendor", "device_specific"],
}

// Shared by the precompiled_sepolicy.*.sha256 prebuilts below: install to odm
// when BOARD_USES_ODMIMAGE is set, otherwise to vendor.
precompiled_sepolicy_prebuilts_defaults {
    name: "precompiled_sepolicy_prebuilts",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}

//////////////////////////////////
// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
// which precompiled_policy was built. Same genrule output as
// plat_sepolicy_and_mapping.sha256 above, installed on the vendor/odm side.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
// was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.apex_sepolicy.sha256",
    filename: "precompiled_sepolicy.apex_sepolicy.sha256",
    src: ":apex_sepolicy.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

// se_policy_binary variant whose partition, inputs and neverallow handling can
// be switched by board variables (see the module below for the mapping).
soong_config_module_type {
    name: "precompiled_se_policy_binary",
    module_type: "se_policy_binary",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
    value_variables: ["MIXED_SEPOLICY_VERSION"],
    properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
}

// The precompiled kernel policy shipped on vendor (or odm when
// BOARD_USES_ODMIMAGE is set). It is assembled from every partition's CIL.
precompiled_se_policy_binary {
    name: "precompiled_sepolicy",
    srcs: [
        ":plat_sepolicy.cil",
        ":apex_sepolicy-33.cil",
        ":plat_pub_versioned.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":vendor_sepolicy.cil",
        ":odm_sepolicy.cil",
    ],
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
        // Mixed build: platform and vendor policies are of different versions,
        // so the combined binary cannot be neverallow-checked here. The
        // 'required' modules below still run the neverallow checks on each
        // side separately (see the vendor/odm sepolicy comment above).
        IS_TARGET_MIXED_SEPOLICY: {
            ignore_neverallow: true,
        },
        // In a mixed build the %s is replaced by MIXED_SEPOLICY_VERSION, i.e.
        // the versioned platform CILs are used instead of the current mapping
        // files.
        MIXED_SEPOLICY_VERSION: {
            srcs: [
                ":plat_%s.cil",
                ":system_ext_%s.cil",
                ":product_%s.cil",
            ],
            conditions_default: {
                srcs: [
                    ":plat_mapping_file",
                    ":system_ext_mapping_file",
                    ":product_mapping_file",
                ],
            },
        },
    },
    // Building precompiled_sepolicy forces both neverallow test modules to be
    // built, so a neverallow violation still fails the build even when
    // ignore_neverallow is set above.
    required: [
        "sepolicy_neverallows",
        "sepolicy_neverallows_vendor",
    ],
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

// policy for recovery: all platform scopes plus vendor and odm, compiled into a
// single binary named "sepolicy" for the recovery image.
se_policy_conf {
    name: "recovery_sepolicy.conf",
    srcs: plat_policies_for_vendor + [
        ":se_build_files{.plat_vendor_for_vendor}",
        ":se_build_files{.vendor}",
        ":se_build_files{.odm}",
    ],
    target_recovery: true,
    installable: false,
}

se_policy_cil {
    name: "recovery_sepolicy.cil",
    src: ":recovery_sepolicy.conf",
    secilc_check: false, // will be done in se_policy_binary module
    installable: false,
}

se_policy_binary {
    name: "sepolicy.recovery",
    srcs: [":recovery_sepolicy.cil"],
    stem: "sepolicy",
    recovery: true,
}

//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
// Built as the 'user' variant so the embedded neverallows match a production
// build, not a userdebug one.
//////////////////////////////////
se_policy_conf {
    name: "general_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    cts: true,
    exclude_build_test: true,
}

//////////////////////////////////
// Base system policy for treble sepolicy tests.
// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
// from system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
// See treble_sepolicy_tests_for_release.mk for more details.
//////////////////////////////////
// The base_* modules below mirror the shipped plat / system_ext / product
// policies, but are always built as the 'user' variant and are never
// installed; they only feed the treble sepolicy tests and the
// base-sepolicy-files-for-mapping dist target.
se_policy_conf {
    name: "base_plat_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    installable: false,
}

// NOTE(review): references private/technical_debt.cil by path, whereas the
// shipped plat_sepolicy.cil uses ":sepolicy_technical_debt{.plat_private}".
// Presumably deliberate (tests always use the current tree), but worth
// confirming if the two ever diverge.
se_policy_cil {
    name: "base_plat_sepolicy.cil",
    src: ":base_plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    installable: false,
    secilc_check: false, // done by se_policy_binary
}

se_policy_binary {
    name: "base_plat_sepolicy",
    srcs: [":base_plat_sepolicy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

se_policy_conf {
    name: "base_system_ext_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_system_ext_sepolicy.cil",
    src: ":base_system_ext_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    system_ext_specific: true,
    installable: false,
    secilc_check: false, // done by se_policy_binary
}

se_policy_binary {
    name: "base_system_ext_sepolicy",
    srcs: [":base_system_ext_sepolicy.cil"],
    system_ext_specific: true,
    installable: false,
}

se_policy_conf {
    name: "base_product_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_product_sepolicy.cil",
    src: ":base_product_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    product_specific: true,
    installable: false,
    secilc_check: false, // done by se_policy_binary
}

se_policy_binary {
    name: "base_product_sepolicy",
    srcs: [":base_product_sepolicy.cil"],
    product_specific: true,
    installable: false,
}

// 'user'-variant counterparts of the three pub_policy .cil files above, with
// the same reqd_policy_mask.cil subtraction.
se_policy_conf {
    name: "base_plat_pub_policy.conf",
    srcs: plat_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_plat_pub_policy.cil",
    src: ":base_plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

se_policy_conf {
    name: "base_system_ext_pub_policy.conf",
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_system_ext_pub_policy.cil",
    src: ":base_system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

se_policy_conf {
    name: "base_product_pub_policy.conf",
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_product_pub_policy.cil",
    src: ":base_product_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

// bug_map - Bug tracking information for selinux denials loaded by auditd.
// One source file, installed on three partitions.
se_filegroup {
    name: "bug_map_files",
    srcs: ["bug_map"],
}

se_bug_map {
    name: "plat_bug_map",
    srcs: [":bug_map_files"],
    stem: "bug_map",
}

se_bug_map {
    name: "system_ext_bug_map",
    srcs: [":bug_map_files"],
    stem: "bug_map",
    system_ext_specific: true,
}

se_bug_map {
    name: "vendor_bug_map",
    srcs: [":bug_map_files"],
    // Legacy file name of the vendor partition bug_map.
    stem: "selinux_denial_metadata",
    vendor: true,
}

// Neverallow checks. These are the two modules 'required' by
// precompiled_sepolicy above: the first covers the platform partitions only,
// the second covers the vendor/odm sources (through the *_for_vendor tags, so
// it works in a mixed build as well).
se_neverallow_test {
    name: "sepolicy_neverallows",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
}

se_neverallow_test {
    name: "sepolicy_neverallows_vendor",
    srcs: plat_policies_for_vendor + [
        ":se_build_files{.plat_vendor_for_vendor}",
        ":se_build_files{.vendor}",
        ":se_build_files{.odm}",
    ],
}

//////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy.
// Additional directories can be specified via Makefile variables:
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////
se_freeze_test {
    name: "sepolicy_freeze_test",
}

//////////////////////////////////
// sepolicy_test checks various types of violations, which can't be easily done
// by CIL itself. Refer to tests/sepolicy_tests.py for more detail.
// The rule runs sepolicy_tests over every partition's file_contexts (-f) and
// the precompiled binary policy (-p); the output file is only touched on
// success, so a failure fails the build.
//////////////////////////////////
genrule {
    name: "sepolicy_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_test"],
    cmd: "$(location sepolicy_tests) " +
        "-f $(location :plat_file_contexts) " +
        "-f $(location :vendor_file_contexts) " +
        "-f $(location :system_ext_file_contexts) " +
        "-f $(location :product_file_contexts) " +
        "-f $(location :odm_file_contexts) " +
        "-p $(location :precompiled_sepolicy) && " +
        "touch $(out)",
}