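LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

# SELinux policy version.
# Must be <= /selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
# ?= so a board or the command line can pin an older version for its kernel.
POLICYVERS ?= 26

# MLS dimensions; fed to m4 as mls_num_sens / mls_num_cats when policy.conf
# is assembled below.
MLS_SENS := 1
MLS_CATS := 1024

# The su policy is build-variant specific: user builds leave su.te out of the
# policy inputs, every other variant leaves su_user.te out (presumably the
# restricted user-build counterpart -- confirm against the two .te files).
# The entries are spelled with $(LOCAL_PATH) because build_policy emits its
# results as $(LOCAL_PATH)/<file> and the ignore filter matches on the exact
# string.  The list is rebuilt with := instead of += so it is expanded now:
# BOARD_SEPOLICY_IGNORE may be undefined here, and += would then leave it
# recursively expanded, re-reading $(LOCAL_PATH) at every later reference
# (for instance after a sub-makefile has changed LOCAL_PATH).
ifeq ($(TARGET_BUILD_VARIANT),user)
  BOARD_SEPOLICY_IGNORE := $(BOARD_SEPOLICY_IGNORE) $(LOCAL_PATH)/su.te
else
  BOARD_SEPOLICY_IGNORE := $(BOARD_SEPOLICY_IGNORE) $(LOCAL_PATH)/su_user.te
endif

# Parse-time validation of BOARD_SEPOLICY_REPLACE.
# For every replace file, resolve the single board directory that provides it
# and record that path in sepolicy_replace_paths.  Each of these is a hard
# build error:
#   - the file is also listed in BOARD_SEPOLICY_UNION (ambiguous request),
#   - no BOARD_SEPOLICY_DIRS entry provides it (after BOARD_SEPOLICY_IGNORE),
#   - more than one BOARD_SEPOLICY_DIRS entry provides it,
#   - $(LOCAL_PATH) has no file of that name for it to replace.
sepolicy_replace_paths :=
$(foreach pf, $(BOARD_SEPOLICY_REPLACE), \
  $(if $(filter $(pf), $(BOARD_SEPOLICY_UNION)), \
    $(error Ambiguous request for sepolicy $(pf). Appears in both \
      BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION), \
  ) \
  $(eval _paths := $(filter-out $(BOARD_SEPOLICY_IGNORE), \
    $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))))) \
  $(eval _occurrences := $(words $(_paths))) \
  $(if $(filter 0,$(_occurrences)), \
    $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)), \
  ) \
  $(if $(filter 1, $(_occurrences)), \
    $(eval sepolicy_replace_paths += $(_paths)), \
    $(error Multiple occurrences of replace file $(pf) in $(_paths)) \
  ) \
  $(if $(filter 0, $(words $(wildcard $(addsuffix /$(pf), $(LOCAL_PATH))))), \
    $(error Specified the sepolicy file $(pf) in BOARD_SEPOLICY_REPLACE, \
      but none found in $(LOCAL_PATH)), \
  ) \
)
# Scratch variables of the loop above; not meant to outlive it.
_paths :=
_occurrences :=

# Builds paths for all requested policy files w.r.t.
# both BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
# product variables.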
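# $(1): the set of policy name paths to build
#
# For each name in $(1) (globs such as *.te are honoured) the result is the
# matching file from $(LOCAL_PATH), unless that name is in
# BOARD_SEPOLICY_REPLACE, in which case the board copy recorded in
# sepolicy_replace_paths is used instead.  Same-named files found under
# BOARD_SEPOLICY_DIRS and listed in BOARD_SEPOLICY_UNION are appended after
# that.  Anything in BOARD_SEPOLICY_IGNORE is dropped from the result.
# The order of names in $(1) is preserved; callers rely on it because the
# resulting list is concatenated by m4 in that order.
# Recursive (=) on purpose: this is a function expanded through $(call).
build_policy = $(foreach type, $(1), \
  $(filter-out $(BOARD_SEPOLICY_IGNORE), \
    $(foreach expanded_type, $(notdir $(wildcard $(addsuffix /$(type), $(LOCAL_PATH)))), \
      $(if $(filter $(expanded_type), $(BOARD_SEPOLICY_REPLACE)), \
        $(filter %/$(expanded_type), $(sepolicy_replace_paths)), \
        $(LOCAL_PATH)/$(expanded_type) \
      ) \
    ) \
    $(foreach union_policy, $(wildcard $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS))), \
      $(if $(filter $(notdir $(union_policy)), $(BOARD_SEPOLICY_UNION)), \
        $(union_policy), \
      ) \
    ) \
  ) \
)

##################################
include $(CLEAR_VARS)

# The compiled kernel policy, installed at the root of the target filesystem.
LOCAL_MODULE := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# Step 1: concatenate the policy sources through m4 into policy.conf.
# The MLS dimensions are captured in PRIVATE_ target variables so the recipe
# does not depend on globals that may change by the time it runs.
sepolicy_policy.conf := $(intermediates)/policy.conf
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
# The order of these names is the concatenation order; $^ keeps it.
$(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
	@mkdir -p $(dir $@)
	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@
	# Side output (not a target of its own): the same policy with every
	# dontaudit line stripped, so denials the shipped policy silences can be
	# surfaced when debugging.  Removed only together with policy.conf.
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# Step 2: compile policy.conf with checkpolicy (-M: MLS enabled, -c: the
# binary policy version the target kernel must accept, see POLICYVERS).
# The .dontaudit variant is compiled alongside, next to policy.conf, as a
# second side output of this rule.
$(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)$(notdir $@).dontaudit $<.dontaudit

# Remembered for the context modules below, which validate against it.
built_sepolicy := $(LOCAL_BUILT_MODULE)
sepolicy_policy.conf :=

###################################
include $(CLEAR_VARS)

# file_contexts: validated against the compiled policy by checkfc.
LOCAL_MODULE := file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional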
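LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

ALL_FC_FILES := $(call build_policy, file_contexts)

# Inputs are captured in PRIVATE_ target variables: recipe text is expanded
# when the rule runs, not when it is parsed, so a plain $(ALL_FC_FILES) in
# the recipe would pick up whatever value the variable has by then.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(ALL_FC_FILES)
$(LOCAL_BUILT_MODULE): $(ALL_FC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_FC_FILES) > $@
	# checkfc rejects the file if it does not validate against the built
	# policy, so a bad context never reaches the image.
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@

ALL_FC_FILES :=

##################################
include $(CLEAR_VARS)
# seapp_contexts: validated against the compiled policy by checkseapp.
LOCAL_MODULE := seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# Concatenated sources; the prerequisite list is exactly the m4 input.
seapp_contexts.tmp := $(intermediates)/seapp_contexts.tmp
$(seapp_contexts.tmp): $(call build_policy, seapp_contexts)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $^ > $@

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE) : $(seapp_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkseapp
	@mkdir -p $(dir $@)
	# checkseapp both validates against the policy and writes the output.
	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<

seapp_contexts.tmp :=
##################################
include $(CLEAR_VARS)

# property_contexts: validated against the compiled policy by checkfc -p.
LOCAL_MODULE := property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

ALL_PC_FILES := $(call build_policy, property_contexts)

# Same PRIVATE_ capture as for file_contexts (see above).
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_PC_FILES := $(ALL_PC_FILES)
$(LOCAL_BUILT_MODULE): $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_PC_FILES) > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@

ALL_PC_FILES :=
# Last consumer of the compiled policy path.
built_sepolicy :=
##################################

##################################
include $(CLEAR_VARS)

# Prebuilt helper script, installed as an executable.
LOCAL_MODULE := selinux-network.sh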
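LOCAL_SRC_FILES := $(LOCAL_MODULE)
LOCAL_MODULE_CLASS := EXECUTABLES
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)

include $(BUILD_PREBUILT)

##################################
include $(CLEAR_VARS)

# mac_permissions.xml: the XML sources with the signing certificates
# inserted, installed under /system/etc/security.
LOCAL_MODULE := mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security

include $(BUILD_SYSTEM)/base_rules.mk

# Build keys.conf: concatenation of every keys.conf selected by build_policy.
mac_perms_keys.tmp := $(intermediates)/keys.tmp
$(mac_perms_keys.tmp) : $(call build_policy, keys.conf)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $^ > $@

ALL_MAC_PERMS_FILES := $(call build_policy, $(LOCAL_MODULE))

# The XML inputs are captured in a PRIVATE_ variable because recipe text is
# expanded at run time, not parse time.  The certificate directory is taken
# from DEFAULT_SYSTEM_DEV_CERTIFICATE, so the certificates embedded in the
# output follow the product's signing configuration; a product that signs
# with other keys needs that variable to point at them (presumably handled
# by product config -- confirm).
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(ALL_MAC_PERMS_FILES)
$(LOCAL_BUILT_MODULE) : $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(ALL_MAC_PERMS_FILES)
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -d $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE)) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)

mac_perms_keys.tmp :=
ALL_MAC_PERMS_FILES :=
##################################

# Helpers are cleared before descending, so sub-makefiles cannot rely on
# build_policy or sepolicy_replace_paths.
build_policy :=
sepolicy_replace_paths :=

include $(call all-makefiles-under,$(LOCAL_PATH))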