LOCAL_PATH := $(call my-dir)

# PLATFORM_SEPOLICY_VERSION has the form "NN.m": "NN" is PLATFORM_SDK_VERSION
# and "m" is a minor number that lets sepolicy change independently of the SDK
# version.  On anything other than a REL build the value becomes 10000.0, the
# tip-of-tree marker for policy that is inherently unstable and deliberately
# incompatible with every shipping vendor policy (the same idea as
# DEFAULT_APP_TARGET_SDK).
# Bump the minor component ('m') on every platform release that breaks
# compatibility with the previous platform sepolicy, not only when
# PLATFORM_SDK_VERSION grows, and reset it to 0 whenever PLATFORM_SDK_VERSION
# is bumped.
sepolicy_major_vers := 26
sepolicy_minor_vers := 0

# The major component must track PLATFORM_SDK_VERSION exactly; a stale value
# here would publish a wrong compatibility version, so stop the build.
ifneq ($(sepolicy_major_vers), $(PLATFORM_SDK_VERSION))
$(error sepolicy_major_version does not match PLATFORM_SDK_VERSION, please update.)
endif

# Non-REL codenames are development builds: advertise the unstable marker.
ifneq (REL,$(PLATFORM_VERSION_CODENAME))
  sepolicy_major_vers := 10000
  sepolicy_minor_vers := 0
endif

# "NN.m", assembled directly.
PLATFORM_SEPOLICY_VERSION := $(sepolicy_major_vers).$(sepolicy_minor_vers)

# Scratch variables are not needed past this point.
sepolicy_major_vers :=
sepolicy_minor_vers :=
26
include $(CLEAR_VARS)

# SELinux policy version passed to checkpolicy/secilc via -c.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
# Overridable from the environment or command line; 30 is the default.
POLICYVERS ?= 30

# MLS sensitivity and category counts, handed to m4 as mls_num_sens and
# mls_num_cats by the policy.conf recipes below.
MLS_SENS := 1
MLS_CATS := 1024

# Retired BoardConfig knobs.  REPLACE and IGNORE are hard errors; a union is
# now the only behaviour, so BOARD_SEPOLICY_UNION merely warns.
ifdef BOARD_SEPOLICY_REPLACE
$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
endif

ifdef BOARD_SEPOLICY_IGNORE
$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
endif

ifdef BOARD_SEPOLICY_UNION
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif

# Board-provided m4 symbols, each turned into a "-D<symbol>" argument for the
# m4 invocations below (bound per target as PRIVATE_ADDITIONAL_M4DEFS).
ifdef BOARD_SEPOLICY_M4DEFS
LOCAL_ADDITIONAL_M4DEFS := $(foreach def,$(BOARD_SEPOLICY_M4DEFS),-D$(def))
endif
51
52# sepolicy is now divided into multiple portions:
53# public - policy exported on which non-platform policy developers may write
54#   additional policy.  types and attributes are versioned and included in
55#   delivered non-platform policy, which is to be combined with platform policy.
56# private - platform-only policy required for platform functionality but which
57#  is not exported to vendor policy developers and as such may not be assumed
58#  to exist.
59# vendor - vendor-only policy required for vendor functionality. This policy can
60#  reference the public policy but cannot reference the private policy. This
61#  policy is for components which are produced from the core/non-vendor tree and
62#  placed into a vendor partition.
63# mapping - This contains policy statements which map the attributes
64#  exposed in the public policy of previous versions to the concrete types used
65#  in this policy to ensure that policy targeting attributes from public
66#  policy from an older platform version continues to work.
67
68# build process for device:
69# 1) convert policies to CIL:
70#    - private + public platform policy to CIL
71#    - mapping file to CIL (should already be in CIL form)
72#    - non-platform public policy to CIL
73#    - non-platform public + private policy to CIL
74# 2) attributize policy
75#    - run script which takes non-platform public and non-platform combined
76#      private + public policy and produces attributized and versioned
77#      non-platform policy
78# 3) combine policy files
79#    - combine mapping, platform and non-platform policy.
80#    - compile output binary policy file
81
# Policy source directories.  The platform public and private trees live next
# to this Android.mk; a board may append exactly one extra directory to each.
PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
ifneq (,$(strip $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)))
  ifneq (1,$(words $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)))
    $(error BOARD_PLAT_PUBLIC_SEPOLICY_DIR must only contain one directory)
  endif
  PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
endif

PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
ifneq (,$(strip $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)))
  ifneq (1,$(words $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)))
    $(error BOARD_PLAT_PRIVATE_SEPOLICY_DIR must only contain one directory)
  endif
  PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
endif

# Vendor-only policy produced from the core tree (see the section overview).
PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
# Bare-minimum policy every policy.conf needs just to satisfy checkpolicy.
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
100
# TODO: move to README when doing the README update and finalizing versioning.
# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy
# version identifier corresponding to the sepolicy on which the non-platform
# policy is to be based. If unspecified, this will build against the current
# public platform policy in tree.
ifndef BOARD_SEPOLICY_VERS
$(warning BOARD_SEPOLICY_VERS not specified, assuming current platform version)
# The default platform policy version, computed above from PLATFORM_SDK_VERSION
# and the REL/non-REL codename.
BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
endif


# Name of the mapping module (installed under $(TARGET_OUT)/etc/selinux/mapping
# further down).  It is keyed by the version the non-platform policy targets,
# not by the platform's own version, so a vendor built against an older release
# gets the matching mapping file.
platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
114
###########################################################
# Compute policy files to be used in policy build.
# $(1): files to include (may contain globs such as *.te)
# $(2): directories in which to find files
# Result: for every file name, the sorted matches from each directory, with
# directories visited in the order given; a name with no match adds nothing,
# so a missing optional file is silently skipped rather than an error.
###########################################################

define build_policy
$(foreach type,$(1),$(foreach dir,$(2),$(sort $(wildcard $(dir)/$(type)))))
endef
124
# Builds paths for all policy files found in the in-tree vendor policy and in
# every BOARD_SEPOLICY_DIRS entry, in that order.
# $(1): the set of policy name paths to build
define build_device_policy
$(call build_policy,$(1),$(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
endef
128
# Follow every 'contexts' file with a file containing only a newline, so that
# OEM policy configuration files lacking a final newline (0x0A) still build
# correctly when concatenated by the m4(1) macro processor.
# $(1): the set of contexts file names.
# $(2): the file containing only 0x0A.
# Result: the word list "f1 nl f2 nl ...".
add_nl = $(foreach entry,$(1),$(entry) $(2))
135
# Policy source files, in the order they are concatenated by the "m4 -s $^"
# recipes below (build_policy preserves this order and expands each name per
# directory).  "*.te" is a glob: build_policy resolves it with $(wildcard) and
# sorts the matches, so the concatenation is deterministic across checkouts.
sepolicy_build_files := security_classes \
                        initial_sids \
                        access_vectors \
                        global_macros \
                        neverallow_macros \
                        mls_macros \
                        mls_decl \
                        mls \
                        policy_capabilities \
                        te_macros \
                        attributes \
                        ioctl_defines \
                        ioctl_macros \
                        *.te \
                        roles_decl \
                        roles \
                        users \
                        initial_sid_contexts \
                        fs_use \
                        genfs_contexts \
                        port_contexts

# CIL files which contain workarounds for current limitation of human-readable
# module policy language. These files are appended to the CIL files produced
# from module language files (see the plat_sepolicy.cil rule).
sepolicy_build_cil_workaround_files := technical_debt.cil
162
# Architecture name handed to m4 as target_arch.  Both MIPS flavours collapse
# to "mips"; every other TARGET_ARCH passes through unchanged.
my_target_arch := $(if $(filter mips mips64,$(TARGET_ARCH)),mips,$(TARGET_ARCH))

# Scratch directory for every *.conf / *.cil produced below.
intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates

# "true" when the target is built with AddressSanitizer; exported to m4 as
# target_with_asan.
with_asan := $(if $(filter address,$(SANITIZE_TARGET)),true,false)
174
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy
LOCAL_MODULE_TAGS := optional
# Include SELinux policy. We do this here because different modules
# need to be included based on the value of PRODUCT_FULL_TREBLE. This
# type of conditional inclusion cannot be done in top-level files such
# as build/target/product/embedded.mk.
# This conditional inclusion closely mimics the conditional logic
# inside init/init.cpp for loading SELinux policy from files.
# selinux_policy is a phony package: it installs nothing itself and only pulls
# in the modules listed in LOCAL_REQUIRED_MODULES.
ifeq ($(PRODUCT_FULL_TREBLE),true)

# Use split SELinux policy: platform CIL plus version mapping on the system
# image, vendor CIL and the version marker on the vendor image, secilc (the
# CIL compiler) on the device, the plat/mapping digest that the precompiled
# policy is validated against, and treble_sepolicy_tests (defined elsewhere).
LOCAL_REQUIRED_MODULES += \
    $(platform_mapping_file) \
    nonplat_sepolicy.cil \
    plat_sepolicy.cil \
    plat_and_mapping_sepolicy.cil.sha256 \
    secilc \
    plat_sepolicy_vers.txt \
    treble_sepolicy_tests

# Include precompiled policy, unless told otherwise
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
endif
else
# Use monolithic SELinux policy
LOCAL_REQUIRED_MODULES += sepolicy
endif

# Shipped in both modes.
LOCAL_REQUIRED_MODULES += \
    nonplat_file_contexts \
    plat_file_contexts

include $(BUILD_PHONY_PACKAGE)
210
##################################
# reqd_policy_mask - a policy.conf file which contains only the bare minimum
# policy necessary to use checkpolicy.  This bare-minimum policy needs to be
# present in all policy.conf files, but should not necessarily be exported as
# part of the public policy.  The rules generated by reqd_policy_mask will allow
# the compilation of public policy and subsequent removal of CIL policy that
# should not be exported.

reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
# Target-specific (:=) snapshots of the build knobs: the recipe sees the values
# current at rule-definition time, not whatever a later module leaves behind.
$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
# Only the reqd_mask directory is searched, so $^ is exactly the mask sources.
$(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
	@mkdir -p $(dir $@)
	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
		-D target_arch=$(PRIVATE_TGT_ARCH) \
		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
		-s $^ > $@

# Compile the mask to CIL (-C) with MLS (-M) at the configured policy version.
# Its lines are later removed (grep -Fxv) from the public-policy CIL so that
# the mask never leaks into what is exported to vendors.
reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c $(POLICYVERS) -o $@ $<

reqd_policy_mask.conf :=
242
##################################
# plat_pub_policy - policy that will be exported to be a part of non-platform
# policy corresponding to this platform version.  This is a limited subset of
# policy that would not compile in checkpolicy on its own.  To get around this
# limitation, add only the required files from private policy, which will
# generate CIL policy that will then be filtered out by the reqd_policy_mask.
plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
# Public policy plus the reqd_mask sources, so checkpolicy has enough to parse.
$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
	@mkdir -p $(dir $@)
	 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
		-D target_arch=$(PRIVATE_TGT_ARCH) \
		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
		-s $^ > $@

# CIL form of the public policy.  $< is checkpolicy (first prerequisite); it
# writes to $@.tmp, then grep -Fxv drops every line that also appears verbatim
# in reqd_policy_mask.cil (fixed-string, whole-line, inverted match) so only
# genuinely public statements reach $@.
plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
	@mkdir -p $(dir $@)
	$(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@

plat_pub_policy.conf :=
276
##################################
include $(CLEAR_VARS)

LOCAL_MODULE := sectxfile_nl
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional

# Create a file containing newline only to add between context config files
# (consumed through add_nl by the *_file_contexts rules below).
include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE):
	@mkdir -p $(dir $@)
	$(hide) echo > $@

# Path of the newline file for later add_nl calls.
built_nl := $(LOCAL_BUILT_MODULE)
291
#################################
include $(CLEAR_VARS)

# plat_sepolicy.cil - the platform's own policy in CIL form, installed on the
# system image.
LOCAL_MODULE := plat_sepolicy.cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux

include $(BUILD_SYSTEM)/base_rules.mk

# plat_policy.conf - A combination of the private and public platform policy
# which will ship with the device.  The platform will always reflect the most
# recent platform version and is not currently being attributized.
plat_policy.conf := $(intermediates)/plat_policy.conf
$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
	@mkdir -p $(dir $@)
	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
		-D target_arch=$(PRIVATE_TGT_ARCH) \
		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
		-s $^ > $@
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# Step 1: checkpolicy converts the conf to CIL (-C) with MLS (-M) directly into
# $@.  Step 2: the technical-debt workaround CIL is appended.  Step 3: secilc
# compiles the result with output discarded (-o /dev/null -f /dev/null) purely
# to validate it.  Note $@ already exists if step 3 fails; this relies on the
# enclosing build deleting failed targets — TODO confirm.
$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/secilc \
  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o /dev/null -f /dev/null

built_plat_cil := $(LOCAL_BUILT_MODULE)
plat_policy.conf :=
336
#################################
include $(CLEAR_VARS)

# plat_sepolicy_vers.txt - records, on the vendor image, which platform
# sepolicy version (BOARD_SEPOLICY_VERS) the vendor policy was built against.
LOCAL_MODULE := plat_sepolicy_vers.txt
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux

include $(BUILD_SYSTEM)/base_rules.mk

# Snapshot the version so a later change to BOARD_SEPOLICY_VERS cannot alter it.
$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
$(LOCAL_BUILT_MODULE) :
	mkdir -p $(dir $@)
	echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
352
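#################################
# Compatibility mapping: maps the attributes exposed by the public policy of
# version BOARD_SEPOLICY_VERS onto the concrete types of the current platform
# policy.  The module is named after the targeted version
# ($(BOARD_SEPOLICY_VERS).cil) and installed on the system image.
include $(CLEAR_VARS)

LOCAL_MODULE := $(platform_mapping_file)
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping

include $(BUILD_SYSTEM)/base_rules.mk

current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
# auto-generate the mapping file for current platform policy, since it needs to
# track platform policy development
$(current_mapping.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
$(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@

else # ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
# The non-platform policy targets an older release: use the prebuilt mapping
# checked in as <private policy dir>/mapping/<BOARD_SEPOLICY_VERS>.cil.
prebuilt_mapping_files := $(wildcard $(addsuffix /mapping/$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)))
# Fail at parse time rather than letting "cat" of zero prerequisites silently
# write an empty mapping file that only surfaces much later as a confusing
# CIL compilation failure.
ifeq (,$(prebuilt_mapping_files))
$(error No prebuilt sepolicy mapping for BOARD_SEPOLICY_VERS=$(BOARD_SEPOLICY_VERS); expected mapping/$(BOARD_SEPOLICY_VERS).cil under $(PLAT_PRIVATE_POLICY))
endif
$(current_mapping.cil) : $(prebuilt_mapping_files)
	@mkdir -p $(dir $@)
	$(hide) cat $^ > $@

prebuilt_mapping_files :=
endif

# Install the mapping CIL under its versioned module name.
$(LOCAL_BUILT_MODULE): $(current_mapping.cil) $(ACP)
	$(hide) $(ACP) $< $@

built_mapping_cil := $(LOCAL_BUILT_MODULE)
current_mapping.cil :=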
386
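#################################
# SHA-256 digest of plat_sepolicy.cil followed by the mapping CIL, installed on
# the system image.  The vendor image carries
# precompiled_sepolicy.plat_and_mapping.sha256, computed over the same two
# files in the same order; comparing the two (presumably by init, see the
# selinux_policy comment above) tells whether precompiled_sepolicy still
# matches the platform policy it was built against.
#################################
include $(CLEAR_VARS)

LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
# Simple assignment, matching every other LOCAL_MODULE_PATH in this file.
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux

include $(BUILD_SYSTEM)/base_rules.mk

# Order matters: plat CIL then mapping CIL, identical to the vendor-side digest.
$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil)
	$(hide) cat $^ | sha256sum | cut -d' ' -f1 > $@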
399
#################################
include $(CLEAR_VARS)

# nonplat_sepolicy.cil - the attributized, versioned vendor policy, installed
# on the vendor image.
LOCAL_MODULE := nonplat_sepolicy.cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux

include $(BUILD_SYSTEM)/base_rules.mk

# nonplat_policy.conf - A combination of the non-platform private, vendor and
# the exported platform policy associated with the version the non-platform
# policy targets.  This needs attributization and to be combined with the
# platform-provided policy.  Like plat_pub_policy.conf, this needs to make use
# of the reqd_policy_mask files from private policy in order to use checkpolicy.
nonplat_policy.conf := $(intermediates)/nonplat_policy.conf
$(nonplat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(nonplat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
	@mkdir -p $(dir $@)
	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
		-D target_arch=$(PRIVATE_TGT_ARCH) \
		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
		-s $^ > $@
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# Raw CIL of the combined non-platform policy: checkpolicy ($<) emits CIL to
# $@.tmp, then the reqd_policy_mask lines are filtered out exactly as for
# plat_pub_policy.cil.
nonplat_policy_raw := $(intermediates)/nonplat_policy_raw.cil
$(nonplat_policy_raw): PRIVATE_POL_CONF := $(nonplat_policy.conf)
$(nonplat_policy_raw): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
$(nonplat_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.conf) \
$(reqd_policy_mask.cil)
	@mkdir -p $(dir $@)
	$(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@

# Attributize: version_policy takes the public platform CIL ($<) as base and
# the raw non-platform CIL as target, and rewrites the latter against the
# versioned attributes for PRIVATE_VERS.  The result is then compiled by
# secilc together with the platform and mapping CIL (output discarded) to
# prove the three fit together; -N is understood to skip neverallow checking
# here, which the full "sepolicy" compile below performs — confirm against
# secilc --help.
$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
$(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/secilc \
$(built_plat_cil) $(built_mapping_cil)
	@mkdir -p $(dir $@)
	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) \
		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null

built_nonplat_cil := $(LOCAL_BUILT_MODULE)
nonplat_policy.conf :=
nonplat_policy_raw :=
458
#################################
include $(CLEAR_VARS)

# precompiled_sepolicy - the three CIL files (platform, mapping, non-platform)
# compiled into one binary policy and shipped on the vendor image, so the
# device can skip compiling at boot when the digests below still match.
LOCAL_MODULE := precompiled_sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux

include $(BUILD_SYSTEM)/base_rules.mk

# Unlike the other rules there is no mkdir here; presumably base_rules.mk
# creates the output directory — confirm.
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := \
$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) \
		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null

built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
478
#################################
# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
# which precompiled_policy was built.  Lives on the vendor image next to
# precompiled_sepolicy; hashes the same two files in the same order as the
# system-side plat_and_mapping_sepolicy.cil.sha256 above so the two can be
# compared byte-for-byte.
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux

include $(BUILD_SYSTEM)/base_rules.mk

# Depends on the precompiled policy too, so the digest is never newer than the
# binary it vouches for.
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil)
	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
495
#################################
include $(CLEAR_VARS)
# build this target so that we can still perform neverallow checks

# sepolicy - the monolithic binary policy (platform + mapping + non-platform).
# Installed to the root filesystem; in non-Treble builds it is the policy the
# device loads, and in all builds it is the policy the *_contexts files below
# are validated against.
LOCAL_MODULE := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

all_cil_files := \
    $(built_plat_cil) \
    $(built_mapping_cil) \
    $(built_nonplat_cil)

# $< is secilc.  Compile into $@.tmp, then list permissive domains with
# sepolicy-analyze; a user build with any permissive domain is rejected
# (exit 1, domains printed to stderr) so an unconfined domain can never ship
# silently.  Only on success is $@.tmp renamed into place, so a failed check
# leaves no up-to-date-looking target behind.
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
	@mkdir -p $(dir $@)
	$(hide) $< -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
		echo "==========" 1>&2; \
		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
		echo "List of invalid domains:" 1>&2; \
		cat $@.permissivedomains 1>&2; \
		exit 1; \
		fi
	$(hide) mv $@.tmp $@

built_sepolicy := $(LOCAL_BUILT_MODULE)
all_cil_files :=
528
#################################
include $(CLEAR_VARS)

# keep concrete sepolicy for neverallow checks

# sepolicy.recovery - monolithic policy for the recovery image, built from the
# same sources as the device policy but with target_recovery=true and without
# the target_full_treble symbol; installed as "sepolicy" in the recovery root.
LOCAL_MODULE := sepolicy.recovery
LOCAL_MODULE_STEM := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
# All four source trees go into one conf: public, private, vendor and board.
$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
                           $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
                           $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
	@mkdir -p $(dir $@)
	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
		-D target_arch=$(PRIVATE_TGT_ARCH) \
		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
		-D target_recovery=true \
		-s $^ > $@
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# checkpolicy compiles the conf straight to a binary policy (no -C) into
# $@.tmp; the same permissive-domain gate as for "sepolicy" applies before the
# file is renamed into place.
$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
                       $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
		echo "==========" 1>&2; \
		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
		echo "List of invalid domains:" 1>&2; \
		cat $@.permissivedomains 1>&2; \
		exit 1; \
		fi
	$(hide) mv $@.tmp $@

sepolicy.recovery.conf :=
577
##################################
# SELinux policy embedded into CTS.
# CTS checks neverallow rules of this policy against the policy of the device under test.
# Only the platform public + private trees are included, and the m4 symbols
# are pinned (user variant, no ASan, target_full_treble=cts) rather than taken
# from the build, so the result is independent of the device being built.
# Board m4 definitions are not applied here.
##################################
include $(CLEAR_VARS)

LOCAL_MODULE := general_sepolicy.conf
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
	mkdir -p $(dir $@)
	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=user \
		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
		-D target_arch=$(PRIVATE_TGT_ARCH) \
		-D target_with_asan=false \
		-D target_full_treble=cts \
		-s $^ > $@
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
604
##################################
# TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
#
include $(CLEAR_VARS)

LOCAL_MODULE := file_contexts.bin
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# The file_contexts.bin is built in the following way:
# 1. Collect all file_contexts files in THIS repository and process them with
#    m4 into a tmp file called file_contexts.local.tmp.
# 2. Collect all device specific file_contexts files and process them with m4
#    into a tmp file called file_contexts.device.tmp.
# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
#    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into
#    file_contexts.concat.tmp.
# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
#    file_contexts.bin.
#
#  Note: That a newline file is placed between each file_context file found to
#        ensure a proper build when an fc file is missing an ending newline.
#  Every checkfc step validates the contexts against the compiled monolithic
#  policy ($(built_sepolicy)), so a context naming an undefined type fails the
#  build instead of reaching the device.

# Platform file_contexts, plus file_contexts_asan when building with ASan.
local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))

ifneq ($(filter address,$(SANITIZE_TARGET)),)
  local_fc_files := $(local_fc_files) $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
endif
local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))

# Step 1.
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(file_contexts.local.tmp): $(local_fcfiles_with_nl)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $^ > $@

# Step 2.  Board m4 definitions apply to the device-specific files only.
device_fc_files := $(call build_device_policy, file_contexts)
device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl))

file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(file_contexts.device.tmp): $(device_fcfiles_with_nl)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@

# Step 3.  $< is file_contexts.device.tmp (first prerequisite).
file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
	$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@

# Step 4 (the sorted device file, not the raw one, is what gets concatenated).
file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $^ > $@

# Step 5.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<

built_fc := $(LOCAL_BUILT_MODULE)
local_fc_files :=
local_fcfiles_with_nl :=
device_fc_files :=
device_fcfiles_with_nl :=
file_contexts.concat.tmp :=
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
file_contexts.local.tmp :=
680
##################################
include $(CLEAR_VARS)

# plat_file_contexts - file_contexts for the platform policy, validated against
# the compiled policy; on the system image for Treble, in the root otherwise.
LOCAL_MODULE := plat_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_FULL_TREBLE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
endif

include $(BUILD_SYSTEM)/base_rules.mk

# Platform file_contexts, plus file_contexts_asan when building with ASan.
local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
ifneq ($(filter address,$(SANITIZE_TARGET)),)
  local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
endif
local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))

# m4 merges the files into $@.tmp; $< (checkfc) then validates every context
# against $(built_sepolicy) before fc_sort writes the sorted result to $@.
# No board m4 definitions are applied to platform contexts.
$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
$(local_fcfiles_with_nl) $(built_sepolicy)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_FC_FILES) > $@.tmp
	$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
	$(hide) $(PRIVATE_FC_SORT) $@.tmp $@

built_plat_fc := $(LOCAL_BUILT_MODULE)
local_fc_files :=
local_fcfiles_with_nl :=
714
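##################################
include $(CLEAR_VARS)

# nonplat_file_contexts - file_contexts for the non-platform policy (in-tree
# vendor policy plus BOARD_SEPOLICY_DIRS), validated against the compiled
# policy; on the vendor image for Treble, in the root otherwise.
LOCAL_MODULE := nonplat_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_FULL_TREBLE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
endif

include $(BUILD_SYSTEM)/base_rules.mk

nonplat_fc_files := $(call build_device_policy, file_contexts)
nonplat_fcfiles_with_nl := $(call add_nl, $(nonplat_fc_files), $(built_nl))

$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(nonplat_fcfiles_with_nl)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
# The recipe expands PRIVATE_ADDITIONAL_M4DEFS, but nothing in this file bound
# it to this target, so BOARD_SEPOLICY_M4DEFS were dropped from the vendor
# file_contexts while file_contexts.device.tmp above does apply them.  Bind it
# here so both vendor context builds see the same m4 symbols.
$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
# m4 merges the files into $@.tmp; $< (checkfc) then validates every context
# against $(built_sepolicy) before fc_sort writes the sorted result to $@.
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
$(nonplat_fcfiles_with_nl) $(built_sepolicy)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
	$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
	$(hide) $(PRIVATE_FC_SORT) $@.tmp $@

built_nonplat_fc := $(LOCAL_BUILT_MODULE)
nonplat_fc_files :=
nonplat_fcfiles_with_nl :=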
745
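##################################
include $(CLEAR_VARS)

# Recovery copy of plat_file_contexts: a byte-for-byte copy of the checked and
# sorted build product, installed into the recovery root.
LOCAL_MODULE := plat_file_contexts.recovery
LOCAL_MODULE_STEM := plat_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# Depend on the finished plat_file_contexts (not on its sources) so the copy
# can never be produced from an unchecked input.  mkdir -p matches the other
# recipes in this file and keeps the rule correct under plain GNU make, which
# does not create output directories on its own.
$(LOCAL_BUILT_MODULE): $(built_plat_fc)
	@mkdir -p $(dir $@)
	$(hide) cp -f $< $@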
759
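##################################
include $(CLEAR_VARS)
# Recovery copy of nonplat_file_contexts: a byte-for-byte copy of the checked
# and sorted build product, installed into the recovery root.
LOCAL_MODULE := nonplat_file_contexts.recovery
LOCAL_MODULE_STEM := nonplat_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# Depend on the finished nonplat_file_contexts (not on its sources) so the
# copy can never be produced from an unchecked input.  mkdir -p matches the
# other recipes in this file and keeps the rule correct under plain GNU make.
$(LOCAL_BUILT_MODULE): $(built_nonplat_fc)
	@mkdir -p $(dir $@)
	$(hide) cp -f $< $@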
772
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := plat_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
# Treble builds install platform policy under $(TARGET_OUT)/etc/selinux;
# legacy builds keep it in the root filesystem.
ifeq ($(PRODUCT_FULL_TREBLE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
endif

include $(BUILD_SYSTEM)/base_rules.mk

# seapp_contexts sources from the private platform policy directories, and the
# host tool that checks and merges them.
plat_seapp_srcs := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
plat_checkseapp := $(HOST_OUT_EXECUTABLES)/checkseapp

# checkseapp is given the compiled policy (-p) and writes the merged result
# directly to $@.
$(LOCAL_BUILT_MODULE): PRIVATE_CHECKSEAPP := $(plat_checkseapp)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_seapp_srcs)
$(LOCAL_BUILT_MODULE): $(plat_checkseapp) $(plat_seapp_srcs) $(built_sepolicy)
	@mkdir -p $(dir $@)
	$(hide) $(PRIVATE_CHECKSEAPP) -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)

built_plat_sc := $(LOCAL_BUILT_MODULE)
plat_seapp_srcs :=
plat_checkseapp :=
796
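##################################
include $(CLEAR_VARS)
LOCAL_MODULE := nonplat_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_FULL_TREBLE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
endif

include $(BUILD_SYSTEM)/base_rules.mk

nonplat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
# The platform's seapp_contexts neverallow lines are fed to checkseapp along
# with the vendor sources so vendor entries cannot violate them.  This variable
# is intentionally NOT cleared here: the plat_seapp_neverallows module below
# reuses it.
plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
# grep -h: with more than one platform seapp_contexts file grep would prefix
# every match with "<file>:", corrupting the neverallow lines handed to
# checkseapp.  grep exits 1 if no line matches, which fails the build on
# purpose: the platform file is expected to carry neverallow rules.
$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(nonplat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
	@mkdir -p $(dir $@)
	$(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp

built_nonplat_sc := $(LOCAL_BUILT_MODULE)
nonplat_sc_files :=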
823
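##################################
include $(CLEAR_VARS)
# Standalone extract of the platform seapp_contexts neverallow lines (test
# artifact).
LOCAL_MODULE := plat_seapp_neverallows
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

# plat_sc_neverallow_files is set by the nonplat_seapp_contexts module above.
# Use $^ (all prerequisites) rather than $< so every platform seapp_contexts
# file is scanned, and -h so grep never prefixes matches with a file name.
# The '-' prefix is deliberate: grep exits 1 when nothing matches, and an empty
# neverallow list is a valid (if uninteresting) result for this test file.
$(LOCAL_BUILT_MODULE): $(plat_sc_neverallow_files)
	@mkdir -p $(dir $@)
	-$(hide) grep -ihe '^neverallow' $^ > $@

plat_sc_neverallow_files :=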
837
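##################################
include $(CLEAR_VARS)

LOCAL_MODULE := plat_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional

ifeq ($(PRODUCT_FULL_TREBLE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
endif

include $(BUILD_SYSTEM)/base_rules.mk

plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY))

# Step 1: m4-expand all platform property_contexts sources into one file.
plat_property_contexts.tmp := $(intermediates)/plat_property_contexts.tmp
$(plat_property_contexts.tmp): PRIVATE_PC_FILES := $(plat_pcfiles)
$(plat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_property_contexts.tmp): $(plat_pcfiles)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@

# Step 2: strip comments and blank lines, sort + dedupe, and run checkfc -p
# against the compiled policy.  The result is staged in $@.unchecked and only
# renamed to $@ once checkfc passes, so a failed check never leaves behind a
# fresh-looking $@ that a later incremental build would treat as up to date.
# ($@.tmp is already the m4 output above, hence the distinct suffix.)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< | sort -u -o $@.unchecked
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@.unchecked
	$(hide) mv -f $@.unchecked $@

# Exported for the recovery copy below.
built_plat_pc := $(LOCAL_BUILT_MODULE)
plat_pcfiles :=
plat_property_contexts.tmp :=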
870
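##################################
include $(CLEAR_VARS)
LOCAL_MODULE := nonplat_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional

ifeq ($(PRODUCT_FULL_TREBLE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
endif

include $(BUILD_SYSTEM)/base_rules.mk

nonplat_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))

# Step 1: m4-expand all vendor/board property_contexts sources into one file.
nonplat_property_contexts.tmp := $(intermediates)/nonplat_property_contexts.tmp
$(nonplat_property_contexts.tmp): PRIVATE_PC_FILES := $(nonplat_pcfiles)
$(nonplat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(nonplat_property_contexts.tmp): $(nonplat_pcfiles)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@

# Step 2: strip comments and blank lines, sort + dedupe, and run checkfc -p
# against the compiled policy.  The result is staged in $@.unchecked and only
# renamed to $@ once checkfc passes, so a failed check never leaves behind a
# fresh-looking $@ that a later incremental build would treat as up to date.
# ($@.tmp is already the m4 output above, hence the distinct suffix.)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(nonplat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< | sort -u -o $@.unchecked
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@.unchecked
	$(hide) mv -f $@.unchecked $@

# Exported for the recovery copy below.
built_nonplat_pc := $(LOCAL_BUILT_MODULE)
nonplat_pcfiles :=
nonplat_property_contexts.tmp :=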
904
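##################################
include $(CLEAR_VARS)

# Recovery copy of plat_property_contexts: a byte-for-byte copy of the checked
# build product, installed into the recovery root.
LOCAL_MODULE := plat_property_contexts.recovery
LOCAL_MODULE_STEM := plat_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# Depend on the finished plat_property_contexts (not on its sources) so the
# copy can never be produced from an unchecked input.  mkdir -p matches the
# other recipes in this file and keeps the rule correct under plain GNU make.
$(LOCAL_BUILT_MODULE): $(built_plat_pc)
	@mkdir -p $(dir $@)
	$(hide) cp -f $< $@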
918
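##################################
include $(CLEAR_VARS)
# Recovery copy of nonplat_property_contexts: a byte-for-byte copy of the
# checked build product, installed into the recovery root.
LOCAL_MODULE := nonplat_property_contexts.recovery
LOCAL_MODULE_STEM := nonplat_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# Depend on the finished nonplat_property_contexts (not on its sources) so
# the copy can never be produced from an unchecked input.  mkdir -p matches
# the other recipes in this file and keeps the rule correct under plain GNU
# make.
$(LOCAL_BUILT_MODULE): $(built_nonplat_pc)
	@mkdir -p $(dir $@)
	$(hide) cp -f $< $@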
931
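##################################
include $(CLEAR_VARS)

LOCAL_MODULE := plat_service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_FULL_TREBLE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
endif

include $(BUILD_SYSTEM)/base_rules.mk

plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY))

# Step 1: m4-expand all platform service_contexts sources into one file.
plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp
$(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
$(plat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_service_contexts.tmp): $(plat_svcfiles)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@

# Step 2: strip comments and blank lines and run checkfc -s against the
# compiled policy.  The result is staged in $@.unchecked and only renamed to
# $@ once checkfc passes, so a failed check never leaves behind a fresh-looking
# $@ that a later incremental build would treat as up to date.  ($@.tmp is
# already the m4 output above, hence the distinct suffix.)  The unused $(ACP)
# prerequisite was dropped: nothing in the recipe invokes it.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(plat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< > $@.unchecked
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@.unchecked
	$(hide) mv -f $@.unchecked $@

built_plat_svc := $(LOCAL_BUILT_MODULE)
plat_svcfiles :=
plat_service_contexts.tmp :=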
964
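##################################
include $(CLEAR_VARS)

LOCAL_MODULE := nonplat_service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_FULL_TREBLE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
endif

include $(BUILD_SYSTEM)/base_rules.mk

nonplat_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))

# Step 1: m4-expand all vendor/board service_contexts sources into one file.
nonplat_service_contexts.tmp := $(intermediates)/nonplat_service_contexts.tmp
$(nonplat_service_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_svcfiles)
$(nonplat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(nonplat_service_contexts.tmp): $(nonplat_svcfiles)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@

# Step 2: strip comments and blank lines and run checkfc -s against the
# compiled policy.  The result is staged in $@.unchecked and only renamed to
# $@ once checkfc passes, so a failed check never leaves behind a fresh-looking
# $@ that a later incremental build would treat as up to date.  ($@.tmp is
# already the m4 output above, hence the distinct suffix.)  The unused $(ACP)
# prerequisite was dropped: nothing in the recipe invokes it.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(nonplat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< > $@.unchecked
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@.unchecked
	$(hide) mv -f $@.unchecked $@

built_nonplat_svc := $(LOCAL_BUILT_MODULE)
nonplat_svcfiles :=
nonplat_service_contexts.tmp :=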
997
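##################################
include $(CLEAR_VARS)

LOCAL_MODULE := plat_hwservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_FULL_TREBLE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
endif

include $(BUILD_SYSTEM)/base_rules.mk

plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY))

# Step 1: m4-expand all platform hwservice_contexts sources into one file.
plat_hwservice_contexts.tmp := $(intermediates)/plat_hwservice_contexts.tmp
$(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles)
$(plat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_hwservice_contexts.tmp): $(plat_hwsvcfiles)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@

# Step 2: strip comments and blank lines and run checkfc -e -l against the
# compiled policy.  The result is staged in $@.unchecked and only renamed to
# $@ once checkfc passes, so a failed check never leaves behind a fresh-looking
# $@ that a later incremental build would treat as up to date.  ($@.tmp is
# already the m4 output above, hence the distinct suffix.)  The unused $(ACP)
# prerequisite was dropped: nothing in the recipe invokes it.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< > $@.unchecked
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@.unchecked
	$(hide) mv -f $@.unchecked $@

plat_hwsvcfiles :=
plat_hwservice_contexts.tmp :=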
1029
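##################################
include $(CLEAR_VARS)

LOCAL_MODULE := nonplat_hwservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_FULL_TREBLE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
endif

include $(BUILD_SYSTEM)/base_rules.mk

nonplat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))

# Step 1: m4-expand all vendor/board hwservice_contexts sources into one file.
nonplat_hwservice_contexts.tmp := $(intermediates)/nonplat_hwservice_contexts.tmp
$(nonplat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_hwsvcfiles)
$(nonplat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(nonplat_hwservice_contexts.tmp): $(nonplat_hwsvcfiles)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@

# Step 2: strip comments and blank lines and run checkfc -e -l against the
# compiled policy.  The result is staged in $@.unchecked and only renamed to
# $@ once checkfc passes, so a failed check never leaves behind a fresh-looking
# $@ that a later incremental build would treat as up to date.  ($@.tmp is
# already the m4 output above, hence the distinct suffix.)  The unused $(ACP)
# prerequisite was dropped: nothing in the recipe invokes it.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(nonplat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< > $@.unchecked
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@.unchecked
	$(hide) mv -f $@.unchecked $@

nonplat_hwsvcfiles :=
nonplat_hwservice_contexts.tmp :=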
1061
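##################################
include $(CLEAR_VARS)

LOCAL_MODULE := vndservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_FULL_TREBLE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
endif

include $(BUILD_SYSTEM)/base_rules.mk

vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))

# Step 1: m4-expand all vendor/board vndservice_contexts sources into one file.
vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(vndservice_contexts.tmp): $(vnd_svcfiles)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@

# Step 2: strip comments and blank lines and run checkfc -e -v against the
# compiled policy.  The result is staged in $@.unchecked and only renamed to
# $@ once checkfc passes, so a failed check never leaves behind a fresh-looking
# $@ that a later incremental build would treat as up to date.  ($@.tmp is
# already the m4 output above, hence the distinct suffix.)  The unused $(ACP)
# prerequisite was dropped: nothing in the recipe invokes it.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< > $@.unchecked
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@.unchecked
	$(hide) mv -f $@.unchecked $@

vnd_svcfiles :=
vndservice_contexts.tmp :=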
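##################################
include $(CLEAR_VARS)

LOCAL_MODULE := plat_mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux

include $(BUILD_SYSTEM)/base_rules.mk

# Build keys.conf: m4-expand every platform keys.conf into one file.
plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY))
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@

all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))

# Should be synced with keys.conf.
# The certificate files are prerequisites of the generated XML on purpose:
# insertkeys.py is handed keys.conf and the certificate directory, so the
# certificates feed into the output and a rotated platform/media/shared/test
# key must trigger a rebuild.  The substitution below previously read
# all_keys, which is not assigned in this block, leaving the list empty and
# the XML without any certificate dependency.  ($(dir ...) already ends in a
# slash, so no extra separator is inserted.)
all_plat_keys := platform media shared testkey
all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%.x509.pem)

$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
$(all_plat_mac_perms_files) $(all_plat_keys)
	@mkdir -p $(dir $@)
	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)

# Clear the variable actually used above (the old line cleared a name that
# was never set).
all_plat_mac_perms_files :=
all_plat_keys :=
plat_mac_perms_keys.tmp :=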
1126
##################################
include $(CLEAR_VARS)

LOCAL_MODULE := nonplat_mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux

include $(BUILD_SYSTEM)/base_rules.mk

# Policy directories that contribute vendor/board mac_permissions inputs.
nonplat_policy_dirs := $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY)

# Build keys.conf: m4-expand every vendor/board keys.conf into one file.
nonplat_keys_conf := $(intermediates)/nonplat_keys.tmp
nonplat_keys_conf_srcs := $(call build_policy, keys.conf, $(nonplat_policy_dirs))
$(nonplat_keys_conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(nonplat_keys_conf): $(nonplat_keys_conf_srcs)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@

nonplat_mac_perms_xml := $(call build_policy, mac_permissions.xml, $(nonplat_policy_dirs))

# NOTE(review): unlike plat_mac_permissions.xml, no certificate files are
# prerequisites here and DEFAULT_SYSTEM_DEV_CERTIFICATE is not exported, so if
# a vendor keys.conf names certificates, changes to them would not trigger a
# rebuild -- confirm against the vendor keys.conf in use.
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(nonplat_mac_perms_xml)
$(LOCAL_BUILT_MODULE): $(nonplat_keys_conf) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
$(nonplat_mac_perms_xml)
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)

nonplat_policy_dirs :=
nonplat_keys_conf :=
nonplat_keys_conf_srcs :=
nonplat_mac_perms_xml :=
1154
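##################################
ifeq ($(PRODUCT_FULL_TREBLE),true)
include $(CLEAR_VARS)
# For Treble builds run tests verifying that processes are properly labeled and
# permissions granted do not violate the treble model.
LOCAL_MODULE := treble_sepolicy_tests
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

# Stamp file, touched only after treble_sepolicy_tests.py exits 0.  It depends
# on both file_contexts products and the compiled policy so any change to them
# re-runs the tests.  (The path is expected to coincide with
# LOCAL_BUILT_MODULE -- confirm if base_rules.mk changes how intermediates is
# derived.)
treble_sepolicy_tests := $(intermediates)/treble_sepolicy_tests
$(treble_sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
$(treble_sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
$(treble_sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
$(treble_sepolicy_tests): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests.py \
$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy)
	@mkdir -p $(dir $@)
	$(hide) python $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests.py -l $(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
	$(hide) touch $@

# Clear the module-local variable like every other module in this file does,
# so it cannot leak into the makefiles included at the end.
treble_sepolicy_tests :=
endif # ($(PRODUCT_FULL_TREBLE),true)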
#################################
# Clear every file-level variable (kept alphabetical) so none of them leak
# into the makefiles included below.
add_nl :=
build_device_policy :=
build_policy :=
built_mapping_cil :=
built_nl :=
built_nonplat_cil :=
built_nonplat_fc :=
built_nonplat_pc :=
built_nonplat_sc :=
built_nonplat_svc :=
built_plat_cil :=
built_plat_fc :=
built_plat_pc :=
built_plat_sc :=
built_plat_svc :=
built_precompiled_sepolicy :=
built_sepolicy :=
mapping_policy :=
my_target_arch :=
plat_pub_policy.cil :=
reqd_policy_mask.cil :=
sepolicy_build_cil_workaround_files :=
sepolicy_build_files :=
with_asan :=

include $(call all-makefiles-under,$(LOCAL_PATH))
1204