1LOCAL_PATH:= $(call my-dir) 2 3include $(LOCAL_PATH)/definitions.mk 4include $(LOCAL_PATH)/policy_version.mk 5 6include $(CLEAR_VARS) 7 8MLS_SENS=1 9MLS_CATS=1024 10 11ifdef BOARD_SEPOLICY_UNION 12$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.) 13endif 14 15ifdef BOARD_SEPOLICY_M4DEFS 16LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS)) 17else 18LOCAL_ADDITIONAL_M4DEFS := 19endif 20 21# sepolicy is now divided into multiple portions: 22# public - policy exported on which non-platform policy developers may write 23# additional policy. types and attributes are versioned and included in 24# delivered non-platform policy, which is to be combined with platform policy. 25# private - platform-only policy required for platform functionality but which 26# is not exported to vendor policy developers and as such may not be assumed 27# to exist. 28# vendor - vendor-only policy required for vendor functionality. This policy can 29# reference the public policy but cannot reference the private policy. This 30# policy is for components which are produced from the core/non-vendor tree and 31# placed into a vendor partition. 32# mapping - This contains policy statements which map the attributes 33# exposed in the public policy of previous versions to the concrete types used 34# in this policy to ensure that policy targeting attributes from public 35# policy from an older platform version continues to work. 36 37# build process for device: 38# 1) convert policies to CIL: 39# - private + public platform policy to CIL 40# - mapping file to CIL (should already be in CIL form) 41# - non-platform public policy to CIL 42# - non-platform public + private policy to CIL 43# 2) attributize policy 44# - run script which takes non-platform public and non-platform combined 45# private + public policy and produces attributized and versioned 46# non-platform policy 47# 3) combine policy files 48# - combine mapping, platform and non-platform policy. 49# - compile output binary policy file 50 51PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public 52PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private 53PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor 54REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask 55 56SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS) 57ifneq (,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)) 58 # TODO: Disallow BOARD_PLAT_* 59 SYSTEM_EXT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) 60endif 61SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS) 62ifneq (,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)) 63 # TODO: Disallow BOARD_PLAT_* 64 SYSTEM_EXT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) 65endif 66 67PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS) 68PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS) 69 70ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY)) 71HAS_SYSTEM_EXT_SEPOLICY_DIR := true 72endif 73 74# TODO(b/119305624): Currently if the device doesn't have a product partition, 75# we install product sepolicy into /system/product. We do that because bits of 76# product sepolicy that's still in /system might depend on bits that have moved 77# to /product. Once we finish migrating product sepolicy out of system, change 78# it so that if no product partition is present, product sepolicy artifacts are 79# not built and installed at all. 80ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY)) 81HAS_PRODUCT_SEPOLICY_DIR := true 82endif 83 84ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)) 85mixed_sepolicy_build := true 86else 87mixed_sepolicy_build := 88endif 89 90NEVERALLOW_ARG := 91ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) 92ifeq ($(TARGET_BUILD_VARIANT),user) 93$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds) 94endif 95$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \ 96 It does not work in user builds and using it will \ 97 not stop you from failing CTS.) 98NEVERALLOW_ARG := -N 99endif 100 101# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before. 102# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and 103# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for 104# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS. 105ifdef BOARD_SEPOLICY_DIRS 106BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS) 107endif 108 109# Set default values for these prebuilt directories 110ifeq (,$(BOARD_REQD_MASK_POLICY)) 111BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY) 112endif 113 114ifeq (,$(BOARD_PLAT_VENDOR_POLICY)) 115BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY) 116endif 117 118$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \ 119 $(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\ 120 BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \ 121 ) \ 122))) 123 124ifdef BOARD_ODM_SEPOLICY_DIRS 125ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) 126$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS) 127endif 128endif 129 130########################################################### 131# Compute policy files to be used in policy build. 132# $(1): files to include 133# $(2): directories in which to find files 134########################################################### 135 136define build_policy 137$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))) 138endef 139 140# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS. 141# $(1): the set of policy name paths to build 142build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS)) 143 144# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS. 145build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS)) 146 147sepolicy_build_files := security_classes \ 148 initial_sids \ 149 access_vectors \ 150 global_macros \ 151 neverallow_macros \ 152 mls_macros \ 153 mls_decl \ 154 mls \ 155 policy_capabilities \ 156 te_macros \ 157 attributes \ 158 ioctl_defines \ 159 ioctl_macros \ 160 *.te \ 161 roles_decl \ 162 roles \ 163 users \ 164 initial_sid_contexts \ 165 fs_use \ 166 genfs_contexts \ 167 port_contexts 168 169sepolicy_compat_files := $(foreach ver, $(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \ 170 $(addprefix compat/$(ver)/, $(addsuffix .cil, $(ver)))) 171 172# Security classes and permissions defined outside of system/sepolicy. 173security_class_extension_files := $(call build_policy, security_classes access_vectors, \ 174 $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ 175 $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ 176 $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) 177 178ifneq (,$(strip $(security_class_extension_files))) 179 $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files))) 180endif 181 182ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 183 # Checks if there are public system_ext policy files. 184 policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY)) 185 ifneq (,$(strip $(policy_files))) 186 HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true 187 endif 188 # Checks if there are public/private system_ext policy files. 189 policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY)) 190 ifneq (,$(strip $(policy_files))) 191 HAS_SYSTEM_EXT_SEPOLICY := true 192 endif 193endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 194 195ifdef HAS_PRODUCT_SEPOLICY_DIR 196 # Checks if there are public product policy files. 197 policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY)) 198 ifneq (,$(strip $(policy_files))) 199 HAS_PRODUCT_PUBLIC_SEPOLICY := true 200 endif 201 # Checks if there are public/private product policy files. 202 policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)) 203 ifneq (,$(strip $(policy_files))) 204 HAS_PRODUCT_SEPOLICY := true 205 endif 206endif # ifdef HAS_PRODUCT_SEPOLICY_DIR 207 208# CIL files which contain workarounds for current limitation of human-readable 209# module policy language. These files are appended to the CIL files produced 210# from module language files. 211sepolicy_build_cil_workaround_files := technical_debt.cil 212 213my_target_arch := $(TARGET_ARCH) 214ifneq (,$(filter mips mips64,$(TARGET_ARCH))) 215 my_target_arch := mips 216endif 217 218intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates 219 220with_asan := false 221ifneq (,$(filter address,$(SANITIZE_TARGET))) 222 with_asan := true 223endif 224 225with_native_coverage := false 226ifeq ($(NATIVE_COVERAGE),true) 227 with_native_coverage := true 228endif 229ifeq ($(CLANG_COVERAGE),true) 230 with_native_coverage := true 231endif 232 233treble_sysprop_neverallow := true 234ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true) 235 treble_sysprop_neverallow := false 236endif 237 238ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) 239 #$(warning no product shipping level defined) 240else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),) 241 ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),) 242 $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.) 243 endif 244endif 245 246enforce_sysprop_owner := true 247ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true) 248 enforce_sysprop_owner := false 249endif 250 251enforce_debugfs_restriction := false 252ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true) 253 enforce_debugfs_restriction := true 254endif 255 256ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) 257 #$(warning no product shipping level defined) 258else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),) 259 ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),) 260 $(error BUILD_BROKEN_ENFORCE_SYSPROP_OWNER cannot be set on a device shipping with S or later, and this is tested by CTS.) 261 endif 262endif 263 264# Library extension for host-side tests 265ifeq ($(HOST_OS),darwin) 266SHAREDLIB_EXT=dylib 267else 268SHAREDLIB_EXT=so 269endif 270 271# Convert a file_context file for a non-flattened APEX into a file for 272# flattened APEX. /system/apex/<apex_name> path is prepended to the original paths 273# $(1): path to the input file_contexts file for non-flattened APEX 274# $(2): path to the flattened APEX 275# $(3): path to the generated file_contexts file for flattened APEX 276# $(4): variable where $(3) is added to 277define build_flattened_apex_file_contexts 278$(4) += $(3) 279$(3): PRIVATE_APEX_PATH := $(subst .,\\.,$(2)) 280$(3): $(1) 281 $(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@ 282endef 283 284################################# 285 286include $(CLEAR_VARS) 287 288LOCAL_MODULE := selinux_policy 289LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered 290LOCAL_LICENSE_CONDITIONS := notice unencumbered 291LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE 292LOCAL_MODULE_TAGS := optional 293LOCAL_REQUIRED_MODULES += \ 294 selinux_policy_nonsystem \ 295 selinux_policy_system \ 296 297include $(BUILD_PHONY_PACKAGE) 298 299# selinux_policy is a main goal and triggers lots of tests. 300# Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm') 301# By setting as droidcore's dependency, tests will run on normal builds. 302droidcore: selinux_policy 303 304include $(CLEAR_VARS) 305LOCAL_MODULE := selinux_policy_system 306LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered 307LOCAL_LICENSE_CONDITIONS := notice unencumbered 308LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE 309# These build targets are not used on non-Treble devices. However, we build these to avoid 310# divergence between Treble and non-Treble devices. 311LOCAL_REQUIRED_MODULES += \ 312 plat_mapping_file \ 313 $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ 314 $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ 315 plat_sepolicy.cil \ 316 secilc \ 317 318ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 319LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256 320endif 321 322LOCAL_REQUIRED_MODULES += \ 323 build_sepolicy \ 324 plat_file_contexts \ 325 plat_file_contexts_test \ 326 plat_keystore2_key_contexts \ 327 plat_mac_permissions.xml \ 328 plat_property_contexts \ 329 plat_property_contexts_test \ 330 plat_seapp_contexts \ 331 plat_service_contexts \ 332 plat_service_contexts_test \ 333 plat_hwservice_contexts \ 334 plat_hwservice_contexts_test \ 335 plat_bug_map \ 336 searchpolicy \ 337 338# This conditional inclusion closely mimics the conditional logic 339# inside init/init.cpp for loading SELinux policy from files. 340ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) 341# The following files are only allowed for non-Treble devices. 342LOCAL_REQUIRED_MODULES += \ 343 sepolicy \ 344 345endif # ($(PRODUCT_SEPOLICY_SPLIT),true) 346 347ifneq ($(with_asan),true) 348ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) 349LOCAL_REQUIRED_MODULES += \ 350 sepolicy_compat_test \ 351 352# HACK: sepolicy_test is implemented as genrule 353# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work. 354# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output 355LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test 356 357ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 358LOCAL_REQUIRED_MODULES += \ 359 $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ 360 361endif # PRODUCT_SEPOLICY_SPLIT 362endif # SELINUX_IGNORE_NEVERALLOWS 363endif # with_asan 364 365ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 366LOCAL_REQUIRED_MODULES += \ 367 sepolicy_freeze_test 368endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 369 370include $(BUILD_PHONY_PACKAGE) 371 372################################# 373 374include $(CLEAR_VARS) 375 376LOCAL_MODULE := selinux_policy_system_ext 377LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered 378LOCAL_LICENSE_CONDITIONS := notice unencumbered 379LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE 380# Include precompiled policy, unless told otherwise. 381ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 382ifdef HAS_SYSTEM_EXT_SEPOLICY 383LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256 384endif 385endif 386 387ifdef HAS_SYSTEM_EXT_SEPOLICY 388LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil 389endif 390 391ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY 392LOCAL_REQUIRED_MODULES += \ 393 system_ext_mapping_file 394 395system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY)) 396 397LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files))) 398 399endif 400 401ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 402LOCAL_REQUIRED_MODULES += \ 403 system_ext_file_contexts \ 404 system_ext_file_contexts_test \ 405 system_ext_hwservice_contexts \ 406 system_ext_hwservice_contexts_test \ 407 system_ext_property_contexts \ 408 system_ext_property_contexts_test \ 409 system_ext_seapp_contexts \ 410 system_ext_service_contexts \ 411 system_ext_service_contexts_test \ 412 system_ext_mac_permissions.xml \ 413 system_ext_bug_map \ 414 $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ 415 416endif 417 418include $(BUILD_PHONY_PACKAGE) 419 420################################# 421 422include $(CLEAR_VARS) 423 424LOCAL_MODULE := selinux_policy_product 425LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered 426LOCAL_LICENSE_CONDITIONS := notice unencumbered 427LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE 428# Include precompiled policy, unless told otherwise. 429ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 430ifdef HAS_PRODUCT_SEPOLICY 431LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256 432endif 433endif 434 435ifdef HAS_PRODUCT_SEPOLICY 436LOCAL_REQUIRED_MODULES += product_sepolicy.cil 437endif 438 439ifdef HAS_PRODUCT_PUBLIC_SEPOLICY 440LOCAL_REQUIRED_MODULES += \ 441 product_mapping_file 442 443product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY)) 444 445LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files))) 446 447endif 448 449ifdef HAS_PRODUCT_SEPOLICY_DIR 450LOCAL_REQUIRED_MODULES += \ 451 product_file_contexts \ 452 product_file_contexts_test \ 453 product_hwservice_contexts \ 454 product_hwservice_contexts_test \ 455 product_property_contexts \ 456 product_property_contexts_test \ 457 product_seapp_contexts \ 458 product_service_contexts \ 459 product_service_contexts_test \ 460 product_mac_permissions.xml \ 461 462endif 463 464include $(BUILD_PHONY_PACKAGE) 465 466################################# 467 468include $(CLEAR_VARS) 469 470LOCAL_MODULE := selinux_policy_nonsystem 471LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered 472LOCAL_LICENSE_CONDITIONS := notice unencumbered 473LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE 474# Include precompiled policy, unless told otherwise. 475ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 476LOCAL_REQUIRED_MODULES += \ 477 precompiled_sepolicy \ 478 precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 479 480ifdef HAS_SYSTEM_EXT_SEPOLICY 481LOCAL_REQUIRED_MODULES += precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 482endif 483 484ifdef HAS_PRODUCT_SEPOLICY 485LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256 486endif 487 488endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 489 490 491# These build targets are not used on non-Treble devices. However, we build these to avoid 492# divergence between Treble and non-Treble devices. 493LOCAL_REQUIRED_MODULES += \ 494 plat_pub_versioned.cil \ 495 vendor_sepolicy.cil \ 496 plat_sepolicy_vers.txt \ 497 498LOCAL_REQUIRED_MODULES += \ 499 vendor_file_contexts \ 500 vendor_file_contexts_test \ 501 vendor_mac_permissions.xml \ 502 vendor_property_contexts \ 503 vendor_property_contexts_test \ 504 vendor_seapp_contexts \ 505 vendor_service_contexts \ 506 vendor_service_contexts_test \ 507 vendor_hwservice_contexts \ 508 vendor_hwservice_contexts_test \ 509 vendor_bug_map \ 510 vndservice_contexts \ 511 vndservice_contexts_test \ 512 513ifdef BOARD_ODM_SEPOLICY_DIRS 514LOCAL_REQUIRED_MODULES += \ 515 odm_sepolicy.cil \ 516 odm_file_contexts \ 517 odm_file_contexts_test \ 518 odm_seapp_contexts \ 519 odm_property_contexts \ 520 odm_property_contexts_test \ 521 odm_hwservice_contexts \ 522 odm_hwservice_contexts_test \ 523 odm_mac_permissions.xml 524endif 525 526LOCAL_REQUIRED_MODULES += selinux_policy_system_ext 527LOCAL_REQUIRED_MODULES += selinux_policy_product 528 529# Builds an addtional userdebug sepolicy into the debug ramdisk. 530LOCAL_REQUIRED_MODULES += \ 531 userdebug_plat_sepolicy.cil \ 532 533include $(BUILD_PHONY_PACKAGE) 534 535################################## 536# Policy files are now built with Android.bp. Grab them from intermediate. 537# See Android.bp for details of policy files. 538# 539built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil 540 541ifdef HAS_SYSTEM_EXT_SEPOLICY 542built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil 543endif # ifdef HAS_SYSTEM_EXT_SEPOLICY 544 545ifdef HAS_PRODUCT_SEPOLICY 546built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil 547endif # ifdef HAS_PRODUCT_SEPOLICY 548 549built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy 550built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows 551built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor 552 553################################# 554# sepolicy is also built with Android.bp. 555# This module is to keep compatibility with monolithic sepolicy devices. 556include $(CLEAR_VARS) 557 558LOCAL_MODULE := sepolicy 559LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered 560LOCAL_LICENSE_CONDITIONS := notice unencumbered 561LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE 562LOCAL_MODULE_CLASS := ETC 563LOCAL_MODULE_TAGS := optional 564LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 565 566include $(BUILD_SYSTEM)/base_rules.mk 567 568$(LOCAL_BUILT_MODULE): $(built_sepolicy) 569 $(copy-file-to-target) 570 571################################## 572# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of. 573# 574include $(CLEAR_VARS) 575 576LOCAL_MODULE := file_contexts.bin 577LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered 578LOCAL_LICENSE_CONDITIONS := notice unencumbered 579LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE 580LOCAL_MODULE_CLASS := ETC 581LOCAL_MODULE_TAGS := optional 582LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 583 584include $(BUILD_SYSTEM)/base_rules.mk 585 586# The file_contexts.bin is built in the following way: 587# 1. Collect all file_contexts files in THIS repository and process them with 588# m4 into a tmp file called file_contexts.local.tmp. 589# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed 590# modules with m4 with a tmp file called file_contexts.modules.tmp. 591# 3. Collect all device specific file_contexts files and process them with m4 592# into a tmp file called file_contexts.device.tmp. 593# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on 594# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. 595# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and 596# file_contexts.device.sorted.tmp into file_contexts.concat.tmp. 597# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce 598# file_contexts.bin. 599# 600# Note: That a newline file is placed between each file_context file found to 601# ensure a proper build when an fc file is missing an ending newline. 602 603local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY)) 604 605ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 606local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY)) 607endif 608 609ifdef HAS_PRODUCT_SEPOLICY_DIR 610local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY)) 611endif 612 613ifneq ($(filter address,$(SANITIZE_TARGET)),) 614 local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY))) 615endif 616ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) 617 local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY))) 618endif 619 620file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp 621$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp)) 622 623# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile. 624# it gathers LOCAL_FILE_CONTEXTS from product_MODULES 625file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp 626 627device_fc_files := $(call build_vendor_policy, file_contexts) 628 629ifdef BOARD_ODM_SEPOLICY_DIRS 630device_fc_files += $(call build_odm_policy, file_contexts) 631endif 632 633file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp 634$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 635$(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files) 636$(file_contexts.device.tmp): $(device_fc_files) $(M4) 637 @mkdir -p $(dir $@) 638 $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@ 639 640file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp 641$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy) 642$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \ 643 $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc 644 @mkdir -p $(dir $@) 645 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $< 646 $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@ 647 648file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp 649$(call merge-fc-files,\ 650 $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\ 651 $(file_contexts.concat.tmp)) 652 653$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 654$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc 655 @mkdir -p $(dir $@) 656 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< 657 $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< 658 659built_fc := $(LOCAL_BUILT_MODULE) 660local_fc_files := 661local_fcfiles_with_nl := 662device_fc_files := 663device_fcfiles_with_nl := 664file_contexts.concat.tmp := 665file_contexts.device.sorted.tmp := 666file_contexts.device.tmp := 667file_contexts.local.tmp := 668file_contexts.modules.tmp := 669 670################################## 671include $(LOCAL_PATH)/mac_permissions.mk 672 673all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts 674all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts 675ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 676all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts 677endif 678ifdef HAS_PRODUCT_SEPOLICY_DIR 679all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts 680endif 681ifdef BOARD_ODM_SEPOLICY_DIRS 682all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts 683endif 684all_fc_args := $(foreach file, $(all_fc_files), -f $(file)) 685 686################################## 687# Tests for Treble compatibility of current platform policy and vendor policy of 688# given release version. 689ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 690 691built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy 692built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy 693built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy 694 695base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil 696base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil 697base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil 698 699$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \ 700 $(eval version_under_treble_tests := $(v)) \ 701 $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \ 702) 703endif # PRODUCT_SEPOLICY_SPLIT 704 705built_plat_sepolicy := 706built_system_ext_sepolicy := 707built_product_sepolicy := 708base_plat_pub_policy.cil := 709base_system_ext_pub_polcy.cil := 710base_product_pub_policy.cil := 711all_fc_files := 712all_fc_args := 713 714################################# 715 716 717build_vendor_policy := 718build_odm_policy := 719build_policy := 720built_plat_cil := 721built_system_ext_cil := 722built_product_cil := 723built_sepolicy := 724built_sepolicy_neverallows := 725built_plat_svc := 726built_vendor_svc := 727treble_sysprop_neverallow := 728enforce_sysprop_owner := 729enforce_debugfs_restriction := 730my_target_arch := 731sepolicy_build_files := 732sepolicy_build_cil_workaround_files := 733with_asan := 734 735include $(call all-makefiles-under,$(LOCAL_PATH)) 736