// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Every module in this directory inherits system_sepolicy_license unless it
// overrides the default with its own 'licenses: [...]' property.
package {
    default_applicable_licenses: ["system_sepolicy_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'filegroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// http://go/android-license-faq
license {
    name: "system_sepolicy_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

// cflags shared by cc modules that consume the SEPOLICY_VERSION define; the
// value is set only here.
cc_defaults {
    name: "selinux_policy_version",
    cflags: ["-DSEPOLICY_VERSION=30"],
}

// For vts_treble_sys_prop_test
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}

// Raw policy source names. Consumers select one partition's view of them through
// the output tags referenced below ({.plat_public}, {.reqd_mask}, {.vendor}, ...).
se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}

se_build_files {
    name: "sepolicy_technical_debt",
    srcs: ["technical_debt.cil"],
}

phony {
    // Currently used only for aosp_cf_system_x86_64
    // TODO(b/329208946): migrate selinux_policy_system to Soong
    name: "selinux_policy_system_soong",
    required: [
        "plat_bug_map",
        "plat_file_contexts",
        "plat_hwservice_contexts",
        "plat_keystore2_key_contexts",
        "plat_mac_permissions.xml",
        "plat_mapping_file",
        "plat_property_contexts",
        "plat_seapp_contexts",
        "plat_sepolicy.cil",
        "plat_sepolicy_genfs_202504.cil",
        "plat_sepolicy_genfs_202604.cil",
        "plat_service_contexts",
        "secilc",
        "plat_29.0.cil",
        "29.0.compat.cil",
        "plat_30.0.cil",
        "30.0.compat.cil",
        "plat_31.0.cil",
        "31.0.compat.cil",
        "plat_32.0.cil",
        "32.0.compat.cil",
        "plat_33.0.cil",
        "33.0.compat.cil",
        "plat_34.0.cil",
        "34.0.compat.cil",
        // The versioned and compat cils for a given version are only listed when
        // that version is not the current PLATFORM_SEPOLICY_VERSION.
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "plat_202404.cil",
            "202404.compat.cil",
        ],
    }) + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        // TODO(b/391513934): clean up once we can simplify complex select statements.
        "202404": [],
        "202504": [],
        default: [
            "plat_202504.cil",
            "202504.compat.cil",
        ],
    }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        // The system-side digest that init compares against the precompiled
        // policy's copy; see the precompiled sepolicy comment further down.
        true: ["plat_sepolicy_and_mapping.sha256"],
        default: [],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["plat_tee_service_contexts"],
        default: [],
    }),
}

// Per-partition source lists reused by the se_policy_conf modules below.
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
plat_public_policy = [":se_build_files{.plat_public}"]
plat_private_policy = [":se_build_files{.plat_private}"]
system_ext_public_policy = [":se_build_files{.system_ext_public}"]
system_ext_private_policy = [":se_build_files{.system_ext_private}"]
product_public_policy = [":se_build_files{.product_public}"]
product_private_policy = [":se_build_files{.product_private}"]

// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
// This bare-minimum policy needs to be present in all policy.conf files, but
// should not necessarily be exported as part of the public policy.
//
// The rules generated by reqd_policy_mask will allow the compilation of public
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: reqd_mask_policy,
    installable: false,
}

se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    secilc_check: false, // never loaded on its own; only consumed via filter_out below
    installable: false,
}

// pub_policy - policy that will be exported to be a part of non-platform
// policy corresponding to this platform version.
//
// This is a limited subset of policy that would not compile in checkpolicy on
// its own.
//
// To get around this limitation, add only the required files from private
// policy, which will generate CIL policy that will then be filtered out by the
// reqd_policy_mask.
//
// There are three pub_policy.cil files below:
// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
// - plat_pub_policy.cil: exported 'system' policy.
//
// Those above files will in turn be used to generate the following versioned cil files:
// - product_mapping_file: the versioned, exported 'product' policy in product partition.
// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
//                           in vendor partition.
//
se_policy_conf {
    name: "pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    vendor: true,
    installable: false,
}

se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    // Strips the reqd_policy_mask rules that were only added so checkpolicy
    // could run; the same applies to the other *_pub_policy.cil modules below.
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // exported subset only; not loadable by itself
    vendor: true,
    installable: false,
}

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    system_ext_specific: true,
    installable: false,
}

se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    system_ext_specific: true,
    installable: false,
}

se_policy_conf {
    name: "plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    installable: false,
}

se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

// plat_policy.conf - A combination of the private and public platform policy
// which will ship with the device.
//
// The platform will always reflect the most recent platform version and is not
// currently being attributized.
se_policy_conf {
    name: "plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    installable: false,
}

se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
}

// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
// Same sources as plat_sepolicy.conf, built for the userdebug build variant.
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "userdebug",
    installable: false,
}

se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    debug_ramdisk: true, // goes into the debug ramdisk
    dist: {
        targets: ["droidcore"],
    },
}

// A copy of the userdebug_plat_policy in GSI.
soong_config_module_type {
    name: "gsi_se_policy_cil",
    module_type: "se_policy_cil",
    config_namespace: "ANDROID",
    bool_variables: [
        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
    ],
    properties: [
        "enabled",
        "installable",
    ],
}

// Disabled and not installed unless PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
// is set, so a default build does not ship the userdebug policy on system_ext.
gsi_se_policy_cil {
    name: "system_ext_userdebug_plat_sepolicy.cil",
    stem: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    system_ext_specific: true,
    enabled: false,
    installable: false,
    soong_config_variables: {
        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
            enabled: true,
            installable: true,
        },
    },
}

// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device.
// System_ext policy is not attributized
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    system_ext_specific: true,
    installable: false,
}

se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    filter_out: [":plat_sepolicy.cil"], // ship only the system_ext delta over plat policy
}

// product_policy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized
se_policy_conf {
    name: "product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    product_specific: true,
    installable: false,
}

se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    // Ship only the product delta over plat and system_ext policy.
    filter_out: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
    ],
}

// policy mapping files
// auto-generate the mapping file for current platform policy, since it needs to
// track platform policy development
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
}

se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}

se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [
        ":plat_mapping_file",
        ":system_ext_mapping_file",
    ],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}

//////////////////////////////////
// vendor/odm sepolicy
//////////////////////////////////

// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy.cil",
    target_policy: ":pub_policy.cil", // same cil as base: only the versioning is applied
    version: "vendor",
    vendor: true,
}

// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
    name: "vendor_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
        ],
    vendor: true,
    installable: false,
}

se_policy_cil {
    name: "vendor_sepolicy.cil.raw",
    src: ":vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    vendor: true,
    installable: false,
}

se_versioned_policy {
    name: "vendor_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":vendor_sepolicy.cil.raw",
    version: "vendor",
    // The secilc check skipped for vendor_sepolicy.cil.raw happens in this
    // module; presumably these are the cils it is validated together with.
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
    ],
    filter_out: [":plat_pub_versioned.cil"],
    vendor: true,
}

// odm_policy.cil - the odm sepolicy.
// This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
    name: "odm_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    device_specific: true,
    installable: false,
}

se_policy_cil {
    name: "odm_sepolicy.cil.raw",
    src: ":odm_sepolicy.conf",
    filter_out: [
        ":reqd_policy_mask.cil",
        ":vendor_sepolicy.cil.raw", // odm ships only its delta over vendor policy
    ],
    secilc_check: false, // will be done in se_versioned_policy module
    device_specific: true,
    installable: false,
}

se_versioned_policy {
    name: "odm_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":odm_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
        ":vendor_sepolicy.cil",
    ],
    filter_out: [":plat_pub_versioned.cil"],
    device_specific: true,
}

//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
// AND
// - system_ext_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
// AND
// - product_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
// Digest of the listed cils concatenated in srcs order (reordering srcs changes
// it). The same generator also feeds the precompiled_sepolicy.*.sha256 copies
// below, so a boot-time mismatch means the partitions were built from different
// policy; this is a consistency check between partitions, not an integrity or
// authentication check on the policy itself.
java_genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":plat_sepolicy.cil",
        ":plat_mapping_file",
    ],
    out: ["plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

java_genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":system_ext_sepolicy.cil",
        ":system_ext_mapping_file",
    ],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}

java_genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":product_sepolicy.cil",
        ":product_mapping_file",
    ],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}

sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}

// Writes BOARD_GENFS_LABELS_VERSION when it is set, otherwise an empty line.
genrule {
    name: "genfs_labels_version.txt.gen",
    out: ["genfs_labels_version.txt"],
    cmd: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
        any @ value: "echo " + value + " > $(out)",
        default: "echo > $(out)",
    }),
}

prebuilt_etc {
    name: "genfs_labels_version.txt",
    src: ":genfs_labels_version.txt.gen",
    relative_install_path: "selinux",
    vendor: true,
}

soong_config_module_type {
    name: "precompiled_sepolicy_prebuilts_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}

// The precompiled policy's digest copies live on odm when BOARD_USES_ODMIMAGE is
// set, otherwise on vendor.
precompiled_sepolicy_prebuilts_defaults {
    name: "precompiled_sepolicy_prebuilts",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}

//////////////////////////////////
// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

soong_config_module_type {
    name: "precompiled_se_policy_binary",
    module_type: "se_policy_binary",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}

// All inputs to precompiled_sepolicy.
filegroup {
    name: "precompiled_sepolicy_srcs",
    device_common_srcs: [
        ":plat_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":vendor_sepolicy.cil",
        ":odm_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    // genfs cil matching BOARD_GENFS_LABELS_VERSION; there is none for 202404
    // or when the variable is unset.
    device_first_srcs: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
        "202404": [],
        any @ ver: [":plat_sepolicy_genfs_" + ver + ".cil"],
        default: [],
    }),
    // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
    // Useful when some partitions need to be bind mounted across VM boundaries.
    visibility: ["//visibility:public"],
}

precompiled_se_policy_binary {
    name: "precompiled_sepolicy",
    srcs: [
        ":precompiled_sepolicy_srcs",
    ],
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
    // Building the precompiled policy pulls in the neverallow test module.
    required: [
        "sepolicy_neverallows",
    ],
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

// policy for recovery
se_policy_conf {
    name: "recovery_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    target_recovery: true,
    installable: false,
    recovery: true,
}

se_policy_cil {
    name: "recovery_sepolicy.cil",
    src: ":recovery_sepolicy.conf",
    secilc_check: false, // will be done in se_policy_binary module
    installable: false,
    recovery: true,
}

se_policy_binary {
    name: "sepolicy.recovery",
    srcs: [":recovery_sepolicy.cil"],
    stem: "sepolicy",
    recovery: true,
}

//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
//////////////////////////////////
se_policy_conf {
    name: "general_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    // Built as the user variant; NOTE(review): presumably so that userdebug-only
    // rules do not become part of the CTS reference — confirm.
    build_variant: "user",
    cts: true,
    exclude_build_test: true,
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

//////////////////////////////////
// Base system policy for treble sepolicy tests.
// If system sepolicy is extended (e.g.
// by SoC vendors), their plat_pub_versioned.cil may differ
// with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
// See treble_sepolicy_tests_for_release.mk for more details.
//
// None of the base_* modules below are installed (installable: false); they are
// reference inputs for the treble tests and for dist.
//////////////////////////////////
se_policy_conf {
    name: "base_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_plat_sepolicy.cil",
    src: ":base_plat_sepolicy.conf",
    // NOTE(review): referenced by path here, whereas plat_sepolicy.cil uses
    // ":sepolicy_technical_debt{.plat_private}"; confirm both resolve to the same file.
    additional_cil_files: ["private/technical_debt.cil"],
    installable: false,
    secilc_check: false, // done by se_policy_binary
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

se_policy_binary {
    name: "base_plat_sepolicy",
    srcs: [":base_plat_sepolicy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

se_policy_conf {
    name: "base_product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}

se_policy_cil {
    name: "base_product_sepolicy.cil",
    src: ":base_product_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    product_specific: true,
    installable: false,
    secilc_check: false, // done by se_policy_binary
}

se_policy_binary {
    name: "base_product_sepolicy",
    srcs: [":base_product_sepolicy.cil"],
    product_specific: true,
    installable: false,
}

se_policy_conf {
    name: "base_plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_plat_pub_policy.cil",
    src: ":base_plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

se_versioned_policy {
    name: "base_plat_mapping_file",
    base: ":base_plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
    dist: {
        targets: ["sepolicy_finalize"],
    },
    installable: false,
}

se_policy_conf {
    name: "base_product_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}

se_policy_cil {
    name: "base_product_pub_policy.cil",
    src: ":base_product_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    product_specific: true,
}

// bug_map - Bug tracking information for selinux denials loaded by auditd.
se_build_files {
    name: "bug_map_files",
    srcs: ["bug_map"],
}

se_bug_map {
    name: "plat_bug_map",
    srcs: [":bug_map_files{.plat_private}"],
    stem: "bug_map",
}

se_bug_map {
    name: "system_ext_bug_map",
    srcs: [":bug_map_files{.system_ext_private}"],
    stem: "bug_map",
    system_ext_specific: true,
}

se_bug_map {
    name: "vendor_bug_map",
    srcs: [
        ":bug_map_files{.vendor}",
        ":bug_map_files{.plat_vendor}",
    ],
    // Legacy file name of the vendor partition bug_map.
    stem: "selinux_denial_metadata",
    vendor: true,
}

// Neverallow check over the full source stack (system through odm).
// precompiled_sepolicy lists this module in required, so it is built alongside
// the device policy.
se_neverallow_test {
    name: "sepolicy_neverallows",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
}

//////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
// Additional directories can be specified via Makefile variables:
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////

// Used both as board_api_level and to name the prebuilt the test compares
// against, so a bump here needs a matching <level>_plat_pub_policy.cil module.
FREEZE_TEST_BOARD_API_LEVEL = "202504"

se_policy_conf {
    name: "base_plat_pub_policy_for_freeze_test.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
    board_api_level: FREEZE_TEST_BOARD_API_LEVEL,
}

se_policy_cil {
    name: "base_plat_pub_policy_for_freeze_test.cil",
    src: ":base_plat_pub_policy_for_freeze_test.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

se_freeze_test {
    name: "se_freeze_test",
    board_api_level: FREEZE_TEST_BOARD_API_LEVEL,
    current_cil: ":base_plat_pub_policy_for_freeze_test.cil",
    // Resolves to ":202504_plat_pub_policy.cil" with the current level.
    prebuilt_cil: ":" + FREEZE_TEST_BOARD_API_LEVEL + "_plat_pub_policy.cil",
}

//////////////////////////////////
// sepolicy_test checks various types of violations, which can't be easily done
// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
//////////////////////////////////
// The output is only a stamp file; because of the "&&", the genrule (and so
// the build) fails when sepolicy_tests exits non-zero.
java_genrule {
    name: "sepolicy_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_test"],
    cmd: "$(location sepolicy_tests) " +
        "-f $(location :plat_file_contexts) " +
        "-f $(location :vendor_file_contexts) " +
        "-f $(location :system_ext_file_contexts) " +
        "-f $(location :product_file_contexts) " +
        "-f $(location :odm_file_contexts) " +
        "-p $(location :precompiled_sepolicy) && " +
        "touch $(out)",
}

//////////////////////////////////
// TestDevTypeViolations can't run on old devices (V or before)
//////////////////////////////////

soong_config_module_type {
    name: "dev_type_test_genrule",
    module_type: "java_genrule",
    config_namespace: "ANDROID",
    bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
    properties: ["cmd"],
}

// When CHECK_DEV_TYPE_VIOLATIONS is unset the command only touches the stamp,
// so this test passes without running anything.
dev_type_test_genrule {
    name: "sepolicy_dev_type_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_dev_type_test"],
    soong_config_variables: {
        CHECK_DEV_TYPE_VIOLATIONS: {
            cmd: "$(location sepolicy_tests) " +
                "-f $(location :plat_file_contexts) " +
                "-f $(location :vendor_file_contexts) " +
                "-f $(location :system_ext_file_contexts) " +
                "-f $(location :product_file_contexts) " +
                "-f $(location :odm_file_contexts) " +
                "-p $(location :precompiled_sepolicy) " +
                "-t TestDevTypeViolations && " +
                "touch $(out)",
            conditions_default: {
                cmd: "touch $(out)",
            },
        },
    },
}

phony {
    name: "selinux_policy_system_ext",
    required: [
        //"ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY" check included in system_ext_pub_policy.cil
        "system_ext_mapping_file",
        //"ifdef HAS_SYSTEM_EXT_SEPOLICY" check included in .cil
        "system_ext_sepolicy.cil",
    ] + [
        //"ifdef HAS_SYSTEM_EXT_SEPOLICY" check included in .cil
        "system_ext_29.0.cil",
        "system_ext_30.0.cil",
        "system_ext_31.0.cil",
        "system_ext_32.0.cil",
        "system_ext_33.0.cil",
        "system_ext_34.0.cil",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "system_ext_202404.cil",
        ],
    }) + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        // TODO(b/391513934): clean up once we can simplify complex select statements.
        "202404": [],
        "202504": [],
        default: [
            "system_ext_202504.cil",
        ],
    }) +
    select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: ["system_ext_sepolicy_and_mapping.sha256"],
        default: [],
    }) + [
        "system_ext_file_contexts",
        "system_ext_file_contexts_test",
        "system_ext_keystore2_key_contexts",
        "system_ext_hwservice_contexts",
        "system_ext_hwservice_contexts_test",
        "system_ext_property_contexts",
        "system_ext_property_contexts_test",
        "system_ext_seapp_contexts",
        "system_ext_service_contexts",
        "system_ext_service_contexts_test",
        "system_ext_mac_permissions.xml",
        "system_ext_bug_map",
        // $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
        "system_ext_29.0.compat.cil",
        "system_ext_30.0.compat.cil",
        "system_ext_31.0.compat.cil",
        "system_ext_32.0.compat.cil",
        "system_ext_33.0.compat.cil",
        "system_ext_34.0.compat.cil",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "system_ext_202404.compat.cil",
        ],
    }) + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        // TODO(b/391513934): clean up once we can simplify complex select statements.
        "202404": [],
        "202504": [],
        default: [
            "system_ext_202504.compat.cil",
        ],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["system_ext_tee_service_contexts"],
        default: [],
    }),
    system_ext_specific: true,
}

phony {
    name: "selinux_policy_product",
    required: [
        "product_mapping_file",
        "product_sepolicy.cil",
        // "ifdef HAS_PRODUCT_PUBLIC_SEPOLICY" check included in .cil
        "product_29.0.cil",
        "product_30.0.cil",
        "product_31.0.cil",
        "product_32.0.cil",
        "product_33.0.cil",
        "product_34.0.cil",
        "product_file_contexts",
        // "ifdef HAS_PRODUCT_SEPOLICY_DIR" in Android.mk can be ignored.
        "product_file_contexts_test",
        "product_keystore2_key_contexts",
        "product_hwservice_contexts",
        "product_hwservice_contexts_test",
        "product_property_contexts",
        "product_property_contexts_test",
        "product_seapp_contexts",
        "product_service_contexts",
        "product_service_contexts_test",
        "product_mac_permissions.xml",
    ] + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: ["product_sepolicy_and_mapping.sha256"],
        default: [],
    }) + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "product_202404.cil",
        ],
    }) + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        // TODO(b/391513934): clean up once we can simplify complex select statements.
        "202404": [],
        "202504": [],
        default: [
            "product_202504.cil",
        ],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["product_tee_service_contexts"],
        default: [],
    }),
    product_specific: true,
}

phony {
    name: "selinux_policy_nonsystem",
    required: [
        "selinux_policy_system_ext",
        "selinux_policy_product",
        "selinux_policy_vendor",
        "selinux_policy_odm",
        // Builds an additional userdebug sepolicy into the debug ramdisk.
        "userdebug_plat_sepolicy.cil",
    ],
}

phony {
    name: "selinux_policy_vendor",
    required: [
        "genfs_labels_version.txt",
        "plat_pub_versioned.cil",
        "vendor_sepolicy.cil",
        "plat_sepolicy_vers.txt",
        "vendor_file_contexts",
        "vendor_file_contexts_test",
        "vendor_keystore2_key_contexts",
        "vendor_mac_permissions.xml",
        "vendor_property_contexts",
        "vendor_property_contexts_test",
        "vendor_seapp_contexts",
        "vendor_service_contexts",
        "vendor_service_contexts_test",
        "vendor_hwservice_contexts",
        "vendor_hwservice_contexts_test",
        "vendor_bug_map",
        "vndservice_contexts",
        "vndservice_contexts_test",
    ] + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["vendor_tee_service_contexts"],
        default: [],
    }),
    vendor: true,
}

phony {
    name: "selinux_policy_odm",
    required: [
        "odm_sepolicy.cil",
        "odm_file_contexts",
        "odm_file_contexts_test",
        "odm_seapp_contexts",
        "odm_property_contexts",
        "odm_property_contexts_test",
        "odm_service_contexts",
        "odm_service_contexts_test",
        "odm_hwservice_contexts",
        "odm_hwservice_contexts_test",
        "odm_mac_permissions.xml",
    ] + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: [
            "precompiled_sepolicy",
"precompiled_sepolicy.plat_sepolicy_and_mapping.sha256", 1193 "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256", 1194 "precompiled_sepolicy.product_sepolicy_and_mapping.sha256", 1195 ], 1196 default: [], 1197 }), 1198 device_specific: true, 1199} 1200 1201phony { 1202 name: "selinux_policy_system", 1203 required: [ 1204 "29.0.compat.cil", 1205 "30.0.compat.cil", 1206 "31.0.compat.cil", 1207 "32.0.compat.cil", 1208 "33.0.compat.cil", 1209 "34.0.compat.cil", 1210 "build_sepolicy", 1211 "fuzzer_bindings_test", 1212 "plat_29.0.cil", 1213 "plat_30.0.cil", 1214 "plat_31.0.cil", 1215 "plat_32.0.cil", 1216 "plat_33.0.cil", 1217 "plat_34.0.cil", 1218 "plat_bug_map", 1219 "plat_file_contexts", 1220 "plat_file_contexts_data_test", 1221 "plat_file_contexts_test", 1222 "plat_hwservice_contexts", 1223 "plat_hwservice_contexts_test", 1224 "plat_keystore2_key_contexts", 1225 "plat_mac_permissions.xml", 1226 "plat_mapping_file", 1227 "plat_property_contexts", 1228 "plat_property_contexts_test", 1229 "plat_seapp_contexts", 1230 "plat_sepolicy.cil", 1231 "plat_sepolicy_genfs_202504.cil", 1232 "plat_sepolicy_genfs_202604.cil", 1233 "plat_service_contexts", 1234 "plat_service_contexts_test", 1235 "searchpolicy", 1236 "secilc", 1237 ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), { 1238 "202404": [], 1239 default: [ 1240 "202404.compat.cil", 1241 "plat_202404.cil", 1242 ], 1243 }) + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), { 1244 // TODO(b/391513934): clean up once we can simplify complex select statements. 
1245 "202404": [], 1246 "202504": [], 1247 default: [ 1248 "202504.compat.cil", 1249 "plat_202504.cil", 1250 ], 1251 }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), { 1252 true: ["plat_sepolicy_and_mapping.sha256"], 1253 default: [], 1254 }) + select(( 1255 soong_config_variable("ANDROID", "ASAN_ENABLED"), 1256 product_variable("selinux_ignore_neverallows"), 1257 ), { 1258 (true, true): [ 1259 ], 1260 (default, default): [ 1261 "sepolicy_compat_test", 1262 "sepolicy_test", 1263 "sepolicy_dev_type_test", 1264 "treble_sepolicy_tests_29.0", 1265 "treble_sepolicy_tests_30.0", 1266 "treble_sepolicy_tests_31.0", 1267 "treble_sepolicy_tests_32.0", 1268 "treble_sepolicy_tests_33.0", 1269 "treble_sepolicy_tests_34.0", 1270 ], 1271 }) + select(( 1272 soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), 1273 soong_config_variable("ANDROID", "ASAN_ENABLED"), 1274 product_variable("selinux_ignore_neverallows"), 1275 ), { 1276 ("202404", true, true): [], 1277 (default, true, true): [], 1278 (default, default, default): [ 1279 "treble_sepolicy_tests_202404", 1280 ], 1281 }) + select(( 1282 soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), 1283 soong_config_variable("ANDROID", "ASAN_ENABLED"), 1284 product_variable("selinux_ignore_neverallows"), 1285 ), { 1286 ("202404", default, default): [], // TODO(b/391513934): clean up once we can simplify complex select statements. 
1287 ("202504", true, true): [], 1288 (default, true, true): [], 1289 (default, default, default): [ 1290 "treble_sepolicy_tests_202504", 1291 ], 1292 }) + select(soong_config_variable("ANDROID", "RELEASE_BOARD_API_LEVEL_FROZEN"), { 1293 true: ["se_freeze_test"], 1294 default: [], 1295 }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), { 1296 true: ["plat_tee_service_contexts"], 1297 default: [], 1298 }), 1299} 1300 1301phony { 1302 name: "selinux_policy", 1303 required: [ 1304 // Runs checkfc against merged service_contexts files 1305 "merged_hwservice_contexts_test", 1306 "merged_service_contexts_test", 1307 "selinux_policy_nonsystem", 1308 "selinux_policy_system", 1309 ], 1310} 1311 1312// selinux_policy is a main goal and triggers lots of tests. 1313// Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm') 1314// By setting as droidcore's dependency, tests will run on normal builds. 1315phony_rule { 1316 name: "droidcore", 1317 phony_deps: ["selinux_policy"], 1318} 1319 1320//----------------------------------------------------------------------------- 1321// TODO - remove this. Keep around until we get the filesystem creation stuff 1322// taken care of. 1323// 1324// The file_contexts.bin is built in the following way: 1325// 1. Collect all file_contexts files in THIS repository and process them with 1326// m4 into a tmp file called file_contexts.local.tmp. 1327// 2. Collect all device specific file_contexts files and process them with m4 1328// into a tmp file called file_contexts.device.tmp. 1329// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on 1330// file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. 1331// 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp 1332// into file_contexts.concat.tmp. 1333// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce 1334// file_contexts.bin. 
1335// 1336// Note: That a newline file is placed between each file_context file found to 1337// ensure a proper build when an fc file is missing an ending newline. 1338//--- 1339// 1. Collect all file_contexts files in THIS repository and process them with 1340// m4 into a tmp file called file_contexts.local.tmp. 1341java_genrule { 1342 name: "file_contexts.local.tmp", 1343 srcs: [ 1344 ":plat_file_contexts", 1345 ":system_ext_file_contexts", 1346 ":product_file_contexts", 1347 ], 1348 tools: [ 1349 "m4", 1350 ], 1351 out: ["file_contexts.local.tmp"], 1352 cmd: "$(location m4) --fatal-warnings " + 1353 "-s $(in) > $(out)", 1354} 1355 1356// 2. Collect all device specific file_contexts files and process them with m4 1357// into a tmp file called file_contexts.device.tmp. 1358PRIVATE_ADDITIONAL_M4DEFS = select(soong_config_variable("ANDROID", "ADDITIONAL_M4DEFS"), { 1359 any @ m4defs: m4defs, 1360 default: "", 1361}) 1362java_genrule { 1363 name: "file_contexts.device.tmp", 1364 srcs: [ 1365 ":vendor_file_contexts", 1366 ":odm_file_contexts", 1367 ], 1368 tools: [ 1369 "m4", 1370 ], 1371 out: ["file_contexts.device.tmp"], 1372 cmd: "$(location m4) --fatal-warnings " + 1373 "-s " + PRIVATE_ADDITIONAL_M4DEFS + 1374 " $(in) > $(out)", 1375} 1376 1377// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on 1378// file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. 1379java_genrule { 1380 name: "file_contexts.device.sorted.tmp", 1381 srcs: [ 1382 ":file_contexts.device.tmp", 1383 ":precompiled_sepolicy", 1384 ], 1385 tools: [ 1386 "checkfc", 1387 "fc_sort", 1388 ], 1389 out: ["file_contexts.device.sorted.tmp"], 1390 cmd: "$(location checkfc) " + 1391 "-e $(location :precompiled_sepolicy) " + 1392 "$(location :file_contexts.device.tmp) && " + 1393 "$(location fc_sort) " + 1394 "-i $(location :file_contexts.device.tmp) " + 1395 "-o $(out)", 1396} 1397 1398// 4. 
Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp 1399// into file_contexts.concat.tmp. 1400java_genrule { 1401 name: "file_contexts.concat.tmp", 1402 srcs: [ 1403 ":file_contexts.local.tmp", 1404 ":file_contexts.device.sorted.tmp", 1405 ], 1406 tools: [ 1407 "m4", 1408 ], 1409 out: ["file_contexts.concat.tmp"], 1410 cmd: "$(location m4) --fatal-warnings " + 1411 "-s $(location :file_contexts.local.tmp) " + 1412 "$(location :file_contexts.device.sorted.tmp) > $(out)", 1413} 1414 1415// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce 1416// file_contexts.bin. 1417java_genrule { 1418 name: "file_contexts_bin_gen", 1419 srcs: [ 1420 ":file_contexts.concat.tmp", 1421 ":precompiled_sepolicy", 1422 ], 1423 tools: [ 1424 "checkfc", 1425 "sefcontext_compile", 1426 ], 1427 out: ["file_contexts.bin"], 1428 cmd: "$(location checkfc) " + 1429 "$(location :precompiled_sepolicy) " + 1430 "$(location :file_contexts.concat.tmp) && " + 1431 "$(location sefcontext_compile) " + 1432 "-o $(out) $(location :file_contexts.concat.tmp)", 1433} 1434 1435prebuilt_etc { 1436 name: "file_contexts.bin", 1437 src: ":file_contexts_bin_gen", 1438} 1439