• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1version := $(version_under_treble_tests)
2
3include $(CLEAR_VARS)
4# For Treble builds run tests verifying that processes are properly labeled and
5# permissions granted do not violate the treble model.  Also ensure that treble
6# compatibility guarantees are upheld between SELinux version bumps.
7LOCAL_MODULE := treble_sepolicy_tests_$(version)
8LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
9LOCAL_LICENSE_CONDITIONS := notice unencumbered
10LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
11LOCAL_MODULE_CLASS := FAKE
12LOCAL_MODULE_TAGS := optional
13
14# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
15# make file of the system_ext partition.
16SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
17# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
18# make file of the product partition.
19PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
20IS_TREBLE_TEST_ENABLED_PARTNER := false
21ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
22ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
23IS_TREBLE_TEST_ENABLED_PARTNER := true
24endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
25endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
26
27include $(BUILD_SYSTEM)/base_rules.mk
28
29# $(version)_plat - the platform policy shipped as part of the $(version) release.  This is
30# built to enable us to determine the diff between the current policy and the
31# $(version) policy, which will be used in tests to make sure that compatibility has
32# been maintained by our mapping files.
33$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
34$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
35ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
36ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
37$(version)_PLAT_PUBLIC_POLICY += \
38    $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
39$(version)_PLAT_PRIVATE_POLICY += \
40    $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
41endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
42ifneq (,$(PRODUCT_PREBUILT_POLICY))
43$(version)_PLAT_PUBLIC_POLICY += \
44    $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
45$(version)_PLAT_PRIVATE_POLICY += \
46    $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
47endif # (,$(PRODUCT_PREBUILT_POLICY))
48endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
49policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
50$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
51$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
52$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
53$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
54$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
55$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
56$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
57$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
58$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
59$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
60$($(version)_plat_policy.conf): $(policy_files) $(M4)
61	$(transform-policy-to-conf)
62	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
63
64policy_files :=
65
66built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
67$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
68  $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
69$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
70$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
71  $(HOST_OUT_EXECUTABLES)/secilc \
72  $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
73  $(built_sepolicy_neverallows)
74	@mkdir -p $(dir $@)
75	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
76		$(POLICYVERS) -o $@ $<
77	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
78	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
79
80$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
81
82# TODO(b/214336258): move to Soong
83$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
84
85$(version)_plat_policy.conf :=
86
87$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
88$(version)_mapping.ignore.cil := \
89    $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
90ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
91ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
92$(version)_mapping.cil += \
93    $(call intermediates-dir-for,ETC,system_ext_$(version).cil)/system_ext_$(version).cil
94$(version)_mapping.ignore.cil += \
95    $(call intermediates-dir-for,ETC,system_ext_$(version).ignore.cil)/system_ext_$(version).ignore.cil
96endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
97ifneq (,$(PRODUCT_PREBUILT_POLICY))
98$(version)_mapping.cil += \
99    $(call intermediates-dir-for,ETC,product_$(version).cil)/product_$(version).cil
100$(version)_mapping.ignore.cil += \
101    $(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
102endif # (,$(PRODUCT_PREBUILT_POLICY))
103endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
104
105# $(version)_mapping.combined.cil - a combination of the mapping file used when
106# combining the current platform policy with nonplatform policy based on the
107# $(version) policy release and also a special ignored file that exists purely for
108# these tests.
109$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
110$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
111	mkdir -p $(dir $@)
112	cat $^ > $@
113
114ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
115built_sepolicy_files := $(built_product_sepolicy)
116public_cil_files := $(base_product_pub_policy.cil)
117else
118built_sepolicy_files := $(built_plat_sepolicy)
119public_cil_files := $(base_plat_pub_policy.cil)
120endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
121$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
122$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
123$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
124$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
125$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
126$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
127$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
128ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
129# TODO(b/113124961): remove fake-treble
130$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
131endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
132$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
133  $(all_fc_files) $(built_sepolicy) \
134  $(built_sepolicy_files) \
135  $(public_cil_files) \
136  $(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil)
137	@mkdir -p $(dir $@)
138	$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
139                -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
140                -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
141                -u $(PRIVATE_PLAT_PUB_SEPOLICY) \
142                $(PRIVATE_FAKE_TREBLE)
143	$(hide) touch $@
144
145$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
146$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
147$(version)_PRODUCT_PUBLIC_POLICY :=
148$(version)_PRODUCT_PRIVATE_POLICY :=
149$(version)_PLAT_PUBLIC_POLICY :=
150$(version)_PLAT_PRIVATE_POLICY :=
151built_sepolicy_files :=
152public_cil_files :=
153cil_files :=
154$(version)_mapping.cil :=
155$(version)_mapping.combined.cil :=
156$(version)_mapping.ignore.cil :=
157built_$(version)_plat_sepolicy :=
158version :=
159version_under_treble_tests :=
160