# Android.mk for system/sepolicy. Wires the split SELinux policy (platform
# public/private, system_ext, product, vendor, odm) into the Make-based build:
# validates the build-time policy knobs, locates the policy source files, and
# declares the phony packages and the file_contexts.bin module that pull in
# the artefacts built by Android.bp.
LOCAL_PATH:= $(call my-dir)

include $(LOCAL_PATH)/definitions.mk
include $(LOCAL_PATH)/policy_version.mk

include $(CLEAR_VARS)

# MLS sensitivity/category counts. Not referenced in this file; presumably
# consumed by the makefiles included at the bottom (all-makefiles-under).
MLS_SENS=1
MLS_CATS=1024

# BOARD_SEPOLICY_UNION is obsolete; warn so boards drop it, but do not fail.
ifdef BOARD_SEPOLICY_UNION
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif

# Board-supplied m4 symbols become -D flags; they are handed to m4 when the
# device file_contexts are preprocessed (PRIVATE_ADDITIONAL_M4DEFS, further down).
ifdef BOARD_SEPOLICY_M4DEFS
LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
else
LOCAL_ADDITIONAL_M4DEFS :=
endif

# sepolicy is now divided into multiple portions:
# public - policy exported on which non-platform policy developers may write
#   additional policy.  types and attributes are versioned and included in
#   delivered non-platform policy, which is to be combined with platform policy.
# private - platform-only policy required for platform functionality but which
#  is not exported to vendor policy developers and as such may not be assumed
#  to exist.
# vendor - vendor-only policy required for vendor functionality. This policy can
#  reference the public policy but cannot reference the private policy. This
#  policy is for components which are produced from the core/non-vendor tree and
#  placed into a vendor partition.
# mapping - This contains policy statements which map the attributes
#  exposed in the public policy of previous versions to the concrete types used
#  in this policy to ensure that policy targeting attributes from public
#  policy from an older platform version continues to work.

# build process for device:
# 1) convert policies to CIL:
#    - private + public platform policy to CIL
#    - mapping file to CIL (should already be in CIL form)
#    - non-platform public policy to CIL
#    - non-platform public + private policy to CIL
# 2) attributize policy
#    - run script which takes non-platform public and non-platform combined
#      private + public policy and produces attributized and versioned
#      non-platform policy
# 3) combine policy files
#    - combine mapping, platform and non-platform policy.
#    - compile output binary policy file

PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask

# Partition-specific policy directories come from the product configuration.
SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)

PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)

# "Has a policy directory" (HAS_*_SEPOLICY_DIR) is distinct from "has policy
# files" (HAS_*_SEPOLICY, computed below): the directory flags gate the
# *_contexts modules, the file flags gate the CIL and .sha256 modules.
ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
HAS_SYSTEM_EXT_SEPOLICY_DIR := true
endif

# TODO(b/119305624): Currently if the device doesn't have a product partition,
# we install product sepolicy into /system/product. We do that because bits of
# product sepolicy that's still in /system might depend on bits that have moved
# to /product. Once we finish migrating product sepolicy out of system, change
# it so that if no product partition is present, product sepolicy artifacts are
# not built and installed at all.
ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
HAS_PRODUCT_SEPOLICY_DIR := true
endif

# Set when the platform policy version differs from the board's vendor policy
# version (BOARD_SEPOLICY_VERS). Not referenced further in this file;
# presumably consumed by included makefiles.
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
mixed_sepolicy_build := true
else
mixed_sepolicy_build :=
endif

# Neverallow rules are the policy's hard boundary; compiling without them is a
# development aid only. It is refused outright in user builds and warned about
# in every other variant. -N disables neverallow checking in the policy
# compiler. NEVERALLOW_ARG is not referenced in this file (presumably used by
# the included makefiles).
NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
endif
$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
          It does not work in user builds and using it will \
          not stop you from failing CTS.)
NEVERALLOW_ARG := -N
endif

# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and
# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for
# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS.
ifdef BOARD_SEPOLICY_DIRS
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif

# Set default values for these prebuilt directories
ifeq (,$(BOARD_REQD_MASK_POLICY))
BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY)
endif

ifeq (,$(BOARD_PLAT_VENDOR_POLICY))
BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY)
endif

# Default BOARD_{SYSTEM_EXT,PRODUCT}_{PUBLIC,PRIVATE}_PREBUILT_DIRS to the
# matching *_POLICY directory wherever the board has not set them explicitly.
# $(eval) is required because the variable being assigned has a computed name.
$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \
    $(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\
        BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \
    ) \
)))

# odm policy only makes sense on a device with split (Treble) policy.
ifdef BOARD_ODM_SEPOLICY_DIRS
ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
endif
endif

###########################################################
# Compute policy files to be used in policy build.
# $(1): files to include
# $(2): directories in which to find files
#
# For every (type, dir) pair the result is $(sort $(wildcard dir/type)), so an
# entry may be a glob (sepolicy_build_files uses *.te) and the expansion order
# is deterministic. Missing files are silently dropped; callers that need a
# presence check therefore apply $(strip) to the result and test for empty.
###########################################################

define build_policy
$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
endef

# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
# The platform's own vendor directory (BOARD_PLAT_VENDOR_POLICY) is searched
# first, then the board directories.
# $(1): the set of policy name paths to build
build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))

# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))

# Ordered list of policy source file names that make up one policy; the order
# is the order the sources are fed to the compiler.
sepolicy_build_files := security_classes \
                        initial_sids \
                        access_vectors \
                        global_macros \
                        neverallow_macros \
                        mls_macros \
                        mls_decl \
                        mls \
                        policy_capabilities \
                        te_macros \
                        attributes \
                        ioctl_defines \
                        ioctl_macros \
                        *.te \
                        roles_decl \
                        roles \
                        users \
                        initial_sid_contexts \
                        fs_use \
                        genfs_contexts \
                        port_contexts

# One compat/<ver>/<ver>.cil per supported compatibility version.
sepolicy_compat_files := $(foreach ver, $(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
                           $(addprefix compat/$(ver)/, $(addsuffix .cil, $(ver))))

# Security classes and permissions defined outside of system/sepolicy.
# Only the platform may introduce classes or permissions; a security_classes or
# access_vectors file found in any system_ext, product, vendor or odm policy
# directory fails the build instead of being merged.
security_class_extension_files := $(call build_policy, security_classes access_vectors, \
  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))

ifneq (,$(strip $(security_class_extension_files)))
  $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files)))
endif

# Presence checks: policy_files is a scratch variable reused for each probe.
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
  # Checks if there are public system_ext policy files.
  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
  ifneq (,$(strip $(policy_files)))
    HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true
  endif
  # Checks if there are public/private system_ext policy files.
  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
  ifneq (,$(strip $(policy_files)))
    HAS_SYSTEM_EXT_SEPOLICY := true
  endif
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR

ifdef HAS_PRODUCT_SEPOLICY_DIR
  # Checks if there are public product policy files.
  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY))
  ifneq (,$(strip $(policy_files)))
    HAS_PRODUCT_PUBLIC_SEPOLICY := true
  endif
  # Checks if there are public/private product policy files.
  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
  ifneq (,$(strip $(policy_files)))
    HAS_PRODUCT_SEPOLICY := true
  endif
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR

# CIL files which contain workarounds for current limitation of human-readable
# module policy language. These files are appended to the CIL files produced
# from module language files.
sepolicy_build_cil_workaround_files := technical_debt.cil

# Collapse mips/mips64 into a single policy arch; every other arch is used as is.
my_target_arch := $(TARGET_ARCH)
ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
  my_target_arch := mips
endif

# Scratch directory for the file_contexts intermediates built further down.
intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates

# ASan builds pick up file_contexts_asan and skip the neverallow/compat tests
# (see the selinux_policy_system package below).
with_asan := false
ifneq (,$(filter address,$(SANITIZE_TARGET)))
  with_asan := true
endif

# Native/clang coverage builds. Not referenced in this file; presumably
# consumed by included makefiles.
with_native_coverage := false
ifeq ($(NATIVE_COVERAGE),true)
  with_native_coverage := true
endif
ifeq ($(CLANG_COVERAGE),true)
  with_native_coverage := true
endif

# Escape hatch for the Treble sysprop neverallows; only honoured on devices
# that shipped before R (enforced just below). Cleared at the end of this file.
treble_sysprop_neverallow := true
ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
  treble_sysprop_neverallow := false
endif

# math_lt,29,X is true when X > 29, i.e. the device ships with R (API 30) or
# later; such devices may not use the BUILD_BROKEN_ escape hatch at all.
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
  #$(warning no product shipping level defined)
else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
  ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),)
    $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.)
  endif
endif

# Escape hatch for sysprop owner enforcement; same shape as above, gated on
# devices shipping before S.
enforce_sysprop_owner := true
ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
  enforce_sysprop_owner := false
endif

# Opt-in: restrict debugfs access in the compiled policy. Not referenced in
# this file; presumably consumed by included makefiles.
enforce_debugfs_restriction := false
ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
  enforce_debugfs_restriction := true
endif

# math_lt,30,X is true when X > 30, i.e. the device ships with S (API 31) or later.
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
  #$(warning no product shipping level defined)
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
  ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),)
    $(error BUILD_BROKEN_ENFORCE_SYSPROP_OWNER cannot be set on a device shipping with S or later, and this is tested by CTS.)
  endif
endif

# Library extension for host-side tests
ifeq ($(HOST_OS),darwin)
SHAREDLIB_EXT=dylib
else
SHAREDLIB_EXT=so
endif

#################################
# selinux_policy: umbrella phony package. It installs nothing itself; it only
# requires the system and non-system policy packages declared below.
include $(CLEAR_VARS)

LOCAL_MODULE := selinux_policy
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_TAGS := optional
LOCAL_REQUIRED_MODULES += \
    selinux_policy_nonsystem \
    selinux_policy_system \

include $(BUILD_PHONY_PACKAGE)

# selinux_policy is a main goal and triggers lots of tests.
# Most tests are FAKE modules, so aren't triggered on normal builds. (e.g. 'm')
# By setting as droidcore's dependency, tests will run on normal builds.
droidcore: selinux_policy

#################################
# selinux_policy_system: platform (/system) policy artefacts, their contexts
# files, and the policy tests that run as part of a normal build.
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_system
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# These build targets are not used on non-Treble devices. However, we build these to avoid
# divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += \
    plat_mapping_file \
    $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
    $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
    plat_sepolicy.cil \
    secilc \

# Digest of the platform policy + mapping. Built unless precompiled policy is
# explicitly disabled. NOTE(review): presumably what init compares against the
# precompiled_sepolicy.*.sha256 files (required by selinux_policy_nonsystem)
# before trusting the precompiled policy -- confirm against init's policy loading.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
endif

# Contexts files and their *_test modules are always required: a contexts file
# that fails its test fails the build rather than being installed unchecked.
LOCAL_REQUIRED_MODULES += \
    build_sepolicy \
    plat_file_contexts \
    plat_file_contexts_test \
    plat_keystore2_key_contexts \
    plat_mac_permissions.xml \
    plat_property_contexts \
    plat_property_contexts_test \
    plat_seapp_contexts \
    plat_service_contexts \
    plat_service_contexts_test \
    plat_hwservice_contexts \
    plat_hwservice_contexts_test \
    fuzzer_bindings_test \
    plat_bug_map \
    searchpolicy \

# This conditional inclusion closely mimics the conditional logic
# inside init/init.cpp for loading SELinux policy from files.
ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
# The following files are only allowed for non-Treble devices.
LOCAL_REQUIRED_MODULES += \
    sepolicy \

endif # ($(PRODUCT_SEPOLICY_SPLIT),true)

# Policy tests are skipped for ASan builds and whenever neverallows are being
# ignored (the tests would be meaningless or fail for unrelated reasons).
ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
    sepolicy_compat_test \

# HACK: sepolicy_test is implemented as genrule
# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test

ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \
    $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \

endif # PRODUCT_SEPOLICY_SPLIT
endif # SELINUX_IGNORE_NEVERALLOWS
endif # with_asan

# The freeze test only applies once the platform policy version has been
# frozen away from the tip-of-tree version.
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
    sepolicy_freeze_test
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))

include $(BUILD_PHONY_PACKAGE)

#################################
# selinux_policy_system_ext: artefacts for the system_ext partition, gated on
# what the product actually provides (directory vs. public vs. full policy).
include $(CLEAR_VARS)

LOCAL_MODULE := selinux_policy_system_ext
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
ifdef HAS_SYSTEM_EXT_SEPOLICY
LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256
endif
endif

ifdef HAS_SYSTEM_EXT_SEPOLICY
LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
endif

# A mapping file and compat CILs are only meaningful when system_ext exports
# public policy that older vendor policy may have targeted.
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
LOCAL_REQUIRED_MODULES += \
    system_ext_mapping_file

system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))

LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))

endif

ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
LOCAL_REQUIRED_MODULES += \
    system_ext_file_contexts \
    system_ext_file_contexts_test \
    system_ext_hwservice_contexts \
    system_ext_hwservice_contexts_test \
    system_ext_property_contexts \
    system_ext_property_contexts_test \
    system_ext_seapp_contexts \
    system_ext_service_contexts \
    system_ext_service_contexts_test \
    system_ext_mac_permissions.xml \
    system_ext_bug_map \
    $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \

endif

include $(BUILD_PHONY_PACKAGE)

#################################
# selinux_policy_product: same structure as selinux_policy_system_ext, for the
# product partition (no bug_map or per-version compat CILs here).
include $(CLEAR_VARS)

LOCAL_MODULE := selinux_policy_product
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
ifdef HAS_PRODUCT_SEPOLICY
LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256
endif
endif

ifdef HAS_PRODUCT_SEPOLICY
LOCAL_REQUIRED_MODULES += product_sepolicy.cil
endif

ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
LOCAL_REQUIRED_MODULES += \
    product_mapping_file

product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))

LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))

endif

ifdef HAS_PRODUCT_SEPOLICY_DIR
LOCAL_REQUIRED_MODULES += \
    product_file_contexts \
    product_file_contexts_test \
    product_hwservice_contexts \
    product_hwservice_contexts_test \
    product_property_contexts \
    product_property_contexts_test \
    product_seapp_contexts \
    product_service_contexts \
    product_service_contexts_test \
    product_mac_permissions.xml \

endif

include $(BUILD_PHONY_PACKAGE)

#################################
# selinux_policy_nonsystem: vendor/odm artefacts plus the precompiled policy
# and its digests; also pulls in the system_ext and product packages above.
include $(CLEAR_VARS)

LOCAL_MODULE := selinux_policy_nonsystem
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
# The precompiled policy ships with one digest per policy partition it was
# built from; a digest is only required when that partition has policy.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += \
    precompiled_sepolicy \
    precompiled_sepolicy.plat_sepolicy_and_mapping.sha256

ifdef HAS_SYSTEM_EXT_SEPOLICY
LOCAL_REQUIRED_MODULES += precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
endif

ifdef HAS_PRODUCT_SEPOLICY
LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
endif

endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)


# These build targets are not used on non-Treble devices. However, we build these to avoid
# divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += \
    plat_pub_versioned.cil \
    vendor_sepolicy.cil \
    plat_sepolicy_vers.txt \

LOCAL_REQUIRED_MODULES += \
    vendor_file_contexts \
    vendor_file_contexts_test \
    vendor_mac_permissions.xml \
    vendor_property_contexts \
    vendor_property_contexts_test \
    vendor_seapp_contexts \
    vendor_service_contexts \
    vendor_service_contexts_test \
    vendor_hwservice_contexts \
    vendor_hwservice_contexts_test \
    vendor_bug_map \
    vndservice_contexts \
    vndservice_contexts_test \

ifdef BOARD_ODM_SEPOLICY_DIRS
LOCAL_REQUIRED_MODULES += \
    odm_sepolicy.cil \
    odm_file_contexts \
    odm_file_contexts_test \
    odm_seapp_contexts \
    odm_property_contexts \
    odm_property_contexts_test \
    odm_service_contexts \
    odm_service_contexts_test \
    odm_hwservice_contexts \
    odm_hwservice_contexts_test \
    odm_mac_permissions.xml
endif

LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
LOCAL_REQUIRED_MODULES += selinux_policy_product

# Builds an additional userdebug sepolicy into the debug ramdisk.
LOCAL_REQUIRED_MODULES += \
    userdebug_plat_sepolicy.cil \

include $(BUILD_PHONY_PACKAGE)

##################################
# Policy files are now built with Android.bp. Grab them from intermediate.
# See Android.bp for details of policy files.
520# 521built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil 522 523ifdef HAS_SYSTEM_EXT_SEPOLICY 524built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil 525endif # ifdef HAS_SYSTEM_EXT_SEPOLICY 526 527ifdef HAS_PRODUCT_SEPOLICY 528built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil 529endif # ifdef HAS_PRODUCT_SEPOLICY 530 531built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy 532built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows 533built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor 534 535################################# 536# sepolicy is also built with Android.bp. 537# This module is to keep compatibility with monolithic sepolicy devices. 538include $(CLEAR_VARS) 539 540LOCAL_MODULE := sepolicy 541LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered 542LOCAL_LICENSE_CONDITIONS := notice unencumbered 543LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE 544LOCAL_MODULE_CLASS := ETC 545LOCAL_MODULE_TAGS := optional 546LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 547 548include $(BUILD_SYSTEM)/base_rules.mk 549 550$(LOCAL_BUILT_MODULE): $(built_sepolicy) 551 $(copy-file-to-target) 552 553################################## 554# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of. 
555# 556include $(CLEAR_VARS) 557 558LOCAL_MODULE := file_contexts.bin 559LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered 560LOCAL_LICENSE_CONDITIONS := notice unencumbered 561LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE 562LOCAL_MODULE_CLASS := ETC 563LOCAL_MODULE_TAGS := optional 564LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 565 566include $(BUILD_SYSTEM)/base_rules.mk 567 568# The file_contexts.bin is built in the following way: 569# 1. Collect all file_contexts files in THIS repository and process them with 570# m4 into a tmp file called file_contexts.local.tmp. 571# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed 572# modules with m4 with a tmp file called file_contexts.modules.tmp. 573# 3. Collect all device specific file_contexts files and process them with m4 574# into a tmp file called file_contexts.device.tmp. 575# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on 576# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. 577# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and 578# file_contexts.device.sorted.tmp into file_contexts.concat.tmp. 579# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce 580# file_contexts.bin. 581# 582# Note: That a newline file is placed between each file_context file found to 583# ensure a proper build when an fc file is missing an ending newline. 
584 585local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY)) 586 587ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 588local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY)) 589endif 590 591ifdef HAS_PRODUCT_SEPOLICY_DIR 592local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY)) 593endif 594 595ifneq ($(filter address,$(SANITIZE_TARGET)),) 596 local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY))) 597endif 598ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) 599 local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY))) 600endif 601 602file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp 603$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp)) 604 605# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile. 606# it gathers LOCAL_FILE_CONTEXTS from product_MODULES 607file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp 608 609device_fc_files := $(call build_vendor_policy, file_contexts) 610 611ifdef BOARD_ODM_SEPOLICY_DIRS 612device_fc_files += $(call build_odm_policy, file_contexts) 613endif 614 615file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp 616$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 617$(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files) 618$(file_contexts.device.tmp): $(device_fc_files) $(M4) 619 @mkdir -p $(dir $@) 620 $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@ 621 622file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp 623$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy) 624$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \ 625 $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc 626 @mkdir -p $(dir $@) 627 $(hide) 
$(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $< 628 $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@ 629 630file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp 631$(call merge-fc-files,\ 632 $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\ 633 $(file_contexts.concat.tmp)) 634 635$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 636$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc 637 @mkdir -p $(dir $@) 638 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< 639 $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< 640 641built_fc := $(LOCAL_BUILT_MODULE) 642local_fc_files := 643local_fcfiles_with_nl := 644device_fc_files := 645device_fcfiles_with_nl := 646file_contexts.concat.tmp := 647file_contexts.device.sorted.tmp := 648file_contexts.device.tmp := 649file_contexts.local.tmp := 650file_contexts.modules.tmp := 651 652################################## 653 654all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts 655all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts 656ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR 657all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts 658endif 659ifdef HAS_PRODUCT_SEPOLICY_DIR 660all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts 661endif 662ifdef BOARD_ODM_SEPOLICY_DIRS 663all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts 664endif 665all_fc_args := $(foreach file, $(all_fc_files), -f $(file)) 666 667################################## 668# Tests for Treble compatibility of current platform policy and vendor policy of 669# given release version. 
670ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 671 672built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy 673built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy 674built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy 675 676base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil 677base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil 678base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil 679 680$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \ 681 $(eval version_under_treble_tests := $(v)) \ 682 $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \ 683) 684endif # PRODUCT_SEPOLICY_SPLIT 685 686built_plat_sepolicy := 687built_system_ext_sepolicy := 688built_product_sepolicy := 689base_plat_pub_policy.cil := 690base_system_ext_pub_polcy.cil := 691base_product_pub_policy.cil := 692all_fc_files := 693all_fc_args := 694 695################################# 696 697 698build_vendor_policy := 699build_odm_policy := 700build_policy := 701built_plat_cil := 702built_system_ext_cil := 703built_product_cil := 704built_sepolicy := 705built_sepolicy_neverallows := 706built_plat_svc := 707built_vendor_svc := 708treble_sysprop_neverallow := 709enforce_sysprop_owner := 710enforce_debugfs_restriction := 711my_target_arch := 712sepolicy_build_files := 713sepolicy_build_cil_workaround_files := 714with_asan := 715 716include $(call all-makefiles-under,$(LOCAL_PATH)) 717