// Copyright (C) 2021 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// This file contains module definitions for various contexts files.
//
// Layout of this file:
//   1. se_build_files modules: one per contexts file name, collecting the
//      raw sources.
//   2. Per-partition contexts modules (plat, system_ext, product, vendor, odm)
//      that build the installed contexts files from tagged slices of (1).
//   3. A genrule that extracts seapp neverallow lines for CTS.
//   4. Host-side *_contexts_test modules that check the built contexts files
//      against ":precompiled_sepolicy".
//
// The module names below are referenced from outside this file; renaming one
// changes the build graph, so treat every name as interface.

package {
    // See: http://go/android-license-faq
    // A large-scale-change added 'default_applicable_licenses' to import
    // all of the 'license_kinds' from "system_sepolicy_license"
    // to get the below license kinds:
    //   SPDX-license-identifier-Apache-2.0
    default_applicable_licenses: ["system_sepolicy_license"],
}

// ---------------------------------------------------------------------------
// Source collections.
// Each se_build_files module names one contexts file. Later modules pick a
// slice of it with an output tag such as {.plat_private}, {.vendor} or {.odm}.
// The tag-to-directory mapping is implemented by the se_build_files module
// type, which is not defined in this file.
// ---------------------------------------------------------------------------

se_build_files {
    name: "file_contexts_files",
    srcs: ["file_contexts"],
}

se_build_files {
    name: "file_contexts_asan_files",
    srcs: ["file_contexts_asan"],
}

se_build_files {
    name: "file_contexts_overlayfs_files",
    srcs: ["file_contexts_overlayfs"],
}

se_build_files {
    name: "hwservice_contexts_files",
    srcs: ["hwservice_contexts"],
}

se_build_files {
    name: "property_contexts_files",
    srcs: ["property_contexts"],
}

se_build_files {
    name: "service_contexts_files",
    srcs: ["service_contexts"],
}

se_build_files {
    name: "keystore2_key_contexts_files",
    srcs: ["keystore2_key_contexts"],
}

se_build_files {
    name: "seapp_contexts_files",
    srcs: ["seapp_contexts"],
}

se_build_files {
    name: "vndservice_contexts_files",
    srcs: ["vndservice_contexts"],
}

// ---------------------------------------------------------------------------
// file_contexts: path-to-label mappings, one module per partition.
// The ".recovery" twins use the same srcs; "stem" gives them the same output
// file name as the non-recovery module.
// ---------------------------------------------------------------------------

// Platform file_contexts. The label set depends on the build configuration:
// address_sanitize builds add the asan entries and debuggable builds add the
// overlayfs entries, so the resulting file differs between build
// configurations. Keep that in mind when auditing labels from a device image.
file_contexts {
    name: "plat_file_contexts",
    srcs: [":file_contexts_files{.plat_private}"],
    product_variables: {
        address_sanitize: {
            srcs: [":file_contexts_asan_files{.plat_private}"],
        },
        debuggable: {
            srcs: [":file_contexts_overlayfs_files{.plat_private}"],
        },
    },

    // ":apex_file_contexts_files" is defined outside this file.
    flatten_apex: {
        srcs: [":apex_file_contexts_files"],
    },
}

// Recovery variant of plat_file_contexts; the srcs and conditional additions
// are the same as in the module above and must be kept in sync with it by hand.
file_contexts {
    name: "plat_file_contexts.recovery",
    srcs: [":file_contexts_files{.plat_private}"],
    stem: "plat_file_contexts",
    product_variables: {
        address_sanitize: {
            srcs: [":file_contexts_asan_files{.plat_private}"],
        },
        debuggable: {
            srcs: [":file_contexts_overlayfs_files{.plat_private}"],
        },
    },

    flatten_apex: {
        srcs: [":apex_file_contexts_files"],
    },

    recovery: true,
}

// Vendor file_contexts: the platform's vendor-facing slice plus the vendor's
// own entries.
file_contexts {
    name: "vendor_file_contexts",
    srcs: [
        ":file_contexts_files{.plat_vendor_for_vendor}",
        ":file_contexts_files{.vendor}",
    ],
    soc_specific: true,
}

file_contexts {
    name: "vendor_file_contexts.recovery",
    srcs: [
        ":file_contexts_files{.plat_vendor_for_vendor}",
        ":file_contexts_files{.vendor}",
    ],
    stem: "vendor_file_contexts",
    recovery: true,
}

file_contexts {
    name: "system_ext_file_contexts",
    srcs: [":file_contexts_files{.system_ext_private}"],
    system_ext_specific: true,
}

file_contexts {
    name: "system_ext_file_contexts.recovery",
    srcs: [":file_contexts_files{.system_ext_private}"],
    stem: "system_ext_file_contexts",
    recovery: true,
}

file_contexts {
    name: "product_file_contexts",
    srcs: [":file_contexts_files{.product_private}"],
    product_specific: true,
}

file_contexts {
    name: "product_file_contexts.recovery",
    srcs: [":file_contexts_files{.product_private}"],
    stem: "product_file_contexts",
    recovery: true,
}

file_contexts {
    name: "odm_file_contexts",
    srcs: [":file_contexts_files{.odm}"],
    device_specific: true,
}

file_contexts {
    name: "odm_file_contexts.recovery",
    srcs: [":file_contexts_files{.odm}"],
    stem: "odm_file_contexts",
    recovery: true,
}

// ---------------------------------------------------------------------------
// hwservice_contexts, one module per partition.
// No recovery variants are declared for these in this file.
// ---------------------------------------------------------------------------

hwservice_contexts {
    name: "plat_hwservice_contexts",
    srcs: [":hwservice_contexts_files{.plat_private}"],
}

hwservice_contexts {
    name: "system_ext_hwservice_contexts",
    srcs: [":hwservice_contexts_files{.system_ext_private}"],
    system_ext_specific: true,
}

hwservice_contexts {
    name: "product_hwservice_contexts",
    srcs: [":hwservice_contexts_files{.product_private}"],
    product_specific: true,
}

// The vendor module additionally pulls in the {.reqd_mask_for_vendor} slice;
// the same three-tag pattern recurs in the other vendor_* modules below.
hwservice_contexts {
    name: "vendor_hwservice_contexts",
    srcs: [
        ":hwservice_contexts_files{.plat_vendor_for_vendor}",
        ":hwservice_contexts_files{.vendor}",
        ":hwservice_contexts_files{.reqd_mask_for_vendor}",
    ],
    soc_specific: true,
}

hwservice_contexts {
    name: "odm_hwservice_contexts",
    srcs: [":hwservice_contexts_files{.odm}"],
    device_specific: true,
}

// ---------------------------------------------------------------------------
// property_contexts, one module per partition.
// The platform has an explicit ".recovery" twin; the other partitions set
// recovery_available on the single module instead.
// ---------------------------------------------------------------------------

property_contexts {
    name: "plat_property_contexts",
    srcs: [":property_contexts_files{.plat_private}"],
}

property_contexts {
    name: "plat_property_contexts.recovery",
    srcs: [":property_contexts_files{.plat_private}"],
    stem: "plat_property_contexts",
    recovery: true,
}

property_contexts {
    name: "system_ext_property_contexts",
    srcs: [":property_contexts_files{.system_ext_private}"],
    system_ext_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "product_property_contexts",
    srcs: [":property_contexts_files{.product_private}"],
    product_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "vendor_property_contexts",
    srcs: [
        ":property_contexts_files{.plat_vendor_for_vendor}",
        ":property_contexts_files{.vendor}",
        ":property_contexts_files{.reqd_mask_for_vendor}",
    ],
    soc_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "odm_property_contexts",
    srcs: [":property_contexts_files{.odm}"],
    device_specific: true,
    recovery_available: true,
}

// ---------------------------------------------------------------------------
// service_contexts, one module per partition (same recovery layout as
// property_contexts above).
// ---------------------------------------------------------------------------

service_contexts {
    name: "plat_service_contexts",
    srcs: [":service_contexts_files{.plat_private}"],
}

service_contexts {
    name: "plat_service_contexts.recovery",
    srcs: [":service_contexts_files{.plat_private}"],
    stem: "plat_service_contexts",
    recovery: true,
}

service_contexts {
    name: "system_ext_service_contexts",
    srcs: [":service_contexts_files{.system_ext_private}"],
    system_ext_specific: true,
    recovery_available: true,
}

service_contexts {
    name: "product_service_contexts",
    srcs: [":service_contexts_files{.product_private}"],
    product_specific: true,
    recovery_available: true,
}

service_contexts {
    name: "vendor_service_contexts",
    srcs: [
        ":service_contexts_files{.plat_vendor_for_vendor}",
        ":service_contexts_files{.vendor}",
        ":service_contexts_files{.reqd_mask_for_vendor}",
    ],
    soc_specific: true,
    recovery_available: true,
}

service_contexts {
    name: "odm_service_contexts",
    srcs: [
        ":service_contexts_files{.odm}",
    ],
    device_specific: true,
    recovery_available: true,
}

// ---------------------------------------------------------------------------
// keystore2_key_contexts, per partition.
// This file declares no odm module and no *_test module for this type.
// ---------------------------------------------------------------------------

keystore2_key_contexts {
    name: "plat_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files{.plat_private}"],
}

// NOTE(review): this module is built from the {.system_ext_private} slice and
// is system_ext_specific, but its name is "system_..." rather than the
// "system_ext_..." prefix used by every sibling module. The name is referenced
// from outside this file, so it is left as is; do not mistake it for a
// platform (/system) module.
keystore2_key_contexts {
    name: "system_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
    system_ext_specific: true,
}

keystore2_key_contexts {
    name: "product_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files{.product_private}"],
    product_specific: true,
}

keystore2_key_contexts {
    name: "vendor_keystore2_key_contexts",
    srcs: [
        ":keystore2_key_contexts_files{.plat_vendor_for_vendor}",
        ":keystore2_key_contexts_files{.vendor}",
        ":keystore2_key_contexts_files{.reqd_mask_for_vendor}",
    ],
    soc_specific: true,
}

// ---------------------------------------------------------------------------
// seapp_contexts, per partition.
// Every module takes ":precompiled_sepolicy" directly. All but the platform
// module also list neverallow_files taken from the partitions above them:
//   system_ext  <- plat
//   product     <- plat, system_ext
//   vendor, odm <- plat, system_ext, product (the *_for_vendor slices)
// Presumably the module type rejects srcs entries that violate a neverallow
// line found in those files; confirm against the seapp_contexts module type.
// When adding a partition, extend this chain so the new partition cannot
// bypass rules declared by the ones above it.
// ---------------------------------------------------------------------------

seapp_contexts {
    name: "plat_seapp_contexts",
    srcs: [":seapp_contexts_files{.plat_private}"],
    sepolicy: ":precompiled_sepolicy",
}

seapp_contexts {
    name: "system_ext_seapp_contexts",
    srcs: [":seapp_contexts_files{.system_ext_private}"],
    neverallow_files: [":seapp_contexts_files{.plat_private}"],
    system_ext_specific: true,
    sepolicy: ":precompiled_sepolicy",
}

seapp_contexts {
    name: "product_seapp_contexts",
    srcs: [":seapp_contexts_files{.product_private}"],
    neverallow_files: [
        ":seapp_contexts_files{.plat_private}",
        ":seapp_contexts_files{.system_ext_private}",
    ],
    product_specific: true,
    sepolicy: ":precompiled_sepolicy",
}

seapp_contexts {
    name: "vendor_seapp_contexts",
    srcs: [
        ":seapp_contexts_files{.plat_vendor_for_vendor}",
        ":seapp_contexts_files{.vendor}",
        ":seapp_contexts_files{.reqd_mask_for_vendor}",
    ],
    neverallow_files: [
        ":seapp_contexts_files{.plat_private_for_vendor}",
        ":seapp_contexts_files{.system_ext_private_for_vendor}",
        ":seapp_contexts_files{.product_private_for_vendor}",
    ],
    soc_specific: true,
    sepolicy: ":precompiled_sepolicy",
}

seapp_contexts {
    name: "odm_seapp_contexts",
    srcs: [
        ":seapp_contexts_files{.odm}",
    ],
    neverallow_files: [
        ":seapp_contexts_files{.plat_private_for_vendor}",
        ":seapp_contexts_files{.system_ext_private_for_vendor}",
        ":seapp_contexts_files{.product_private_for_vendor}",
    ],
    device_specific: true,
    sepolicy: ":precompiled_sepolicy",
}

// vndservice_contexts exists only for the vendor partition.
vndservice_contexts {
    name: "vndservice_contexts",
    srcs: [
        ":vndservice_contexts_files{.plat_vendor_for_vendor}",
        ":vndservice_contexts_files{.vendor}",
        ":vndservice_contexts_files{.reqd_mask_for_vendor}",
    ],
    soc_specific: true,
}

// for CTS
// Collects every line that starts with "neverallow" (case-insensitive, file
// names suppressed) from the plat, system_ext and product seapp_contexts
// sources into one file.
// NOTE(review): "|| true" keeps the build green when grep finds no matching
// line, but it equally hides a real grep failure, in which case the output
// would be empty or truncated and whatever consumes it would have no rules to
// check. Distinguishing grep's "no match" status from its error status would
// avoid that.
genrule {
    name: "plat_seapp_neverallows",
    srcs: [
        ":seapp_contexts_files{.plat_private}",
        ":seapp_contexts_files{.system_ext_private}",
        ":seapp_contexts_files{.product_private}",
    ],
    out: ["plat_seapp_neverallows"],
    cmd: "grep -ihe '^neverallow' $(in) > $(out) || true",
}

//////////////////////////////////
// Run host-side test with contexts files and the sepolicy file
//
// Each test module takes built contexts modules as srcs and
// ":precompiled_sepolicy" as the policy to check them against.
// This file declares no such test for seapp_contexts or
// keystore2_key_contexts.
file_contexts_test {
    name: "plat_file_contexts_test",
    srcs: [":plat_file_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

file_contexts_test {
    name: "system_ext_file_contexts_test",
    srcs: [":system_ext_file_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

file_contexts_test {
    name: "product_file_contexts_test",
    srcs: [":product_file_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

file_contexts_test {
    name: "vendor_file_contexts_test",
    srcs: [":vendor_file_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

file_contexts_test {
    name: "odm_file_contexts_test",
    srcs: [":odm_file_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

hwservice_contexts_test {
    name: "plat_hwservice_contexts_test",
    srcs: [":plat_hwservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

hwservice_contexts_test {
    name: "system_ext_hwservice_contexts_test",
    srcs: [":system_ext_hwservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

hwservice_contexts_test {
    name: "product_hwservice_contexts_test",
    srcs: [":product_hwservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

hwservice_contexts_test {
    name: "vendor_hwservice_contexts_test",
    srcs: [":vendor_hwservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

hwservice_contexts_test {
    name: "odm_hwservice_contexts_test",
    srcs: [":odm_hwservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// Unlike the other test types, the property_contexts tests are cumulative:
// each partition's test also lists the contexts of every partition before it
// (plat, system_ext, product, vendor, odm). Presumably this lets the test see
// conflicts between partitions; confirm against the test's implementation.
// A new partition should be appended to the later tests in the same order.
property_contexts_test {
    name: "plat_property_contexts_test",
    srcs: [":plat_property_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

property_contexts_test {
    name: "system_ext_property_contexts_test",
    srcs: [
        ":plat_property_contexts",
        ":system_ext_property_contexts",
    ],
    sepolicy: ":precompiled_sepolicy",
}

property_contexts_test {
    name: "product_property_contexts_test",
    srcs: [
        ":plat_property_contexts",
        ":system_ext_property_contexts",
        ":product_property_contexts",
    ],
    sepolicy: ":precompiled_sepolicy",
}

property_contexts_test {
    name: "vendor_property_contexts_test",
    srcs: [
        ":plat_property_contexts",
        ":system_ext_property_contexts",
        ":product_property_contexts",
        ":vendor_property_contexts",
    ],
    sepolicy: ":precompiled_sepolicy",
}

property_contexts_test {
    name: "odm_property_contexts_test",
    srcs: [
        ":plat_property_contexts",
        ":system_ext_property_contexts",
        ":product_property_contexts",
        ":vendor_property_contexts",
        ":odm_property_contexts",
    ],
    sepolicy: ":precompiled_sepolicy",
}

service_contexts_test {
    name: "plat_service_contexts_test",
    srcs: [":plat_service_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

service_contexts_test {
    name: "system_ext_service_contexts_test",
    srcs: [":system_ext_service_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

service_contexts_test {
    name: "product_service_contexts_test",
    srcs: [":product_service_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

service_contexts_test {
    name: "vendor_service_contexts_test",
    srcs: [":vendor_service_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

service_contexts_test {
    name: "odm_service_contexts_test",
    srcs: [":odm_service_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

vndservice_contexts_test {
    name: "vndservice_contexts_test",
    srcs: [":vndservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// Takes only the platform service_contexts and no sepolicy input.
// NOTE(review): only ":plat_service_contexts" is covered; services declared in
// the system_ext, product, vendor or odm service_contexts are not inputs to
// this test.
fuzzer_bindings_test {
    name: "fuzzer_bindings_test",
    srcs: [":plat_service_contexts"],
}