// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package {
    // Modules in this package default to the license module declared below
    // unless they set `licenses: [...]` themselves.
    default_applicable_licenses: ["system_sepolicy_license"],
}

// Added automatically by a large-scale change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'filegroup' with "//visibility:private"
// to attach the license to, and including a comment on whether the files may be
// used in the current project.
// http://go/android-license-faq
license {
    name: "system_sepolicy_license",
    // Only this package and its subpackages may reference the license module.
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: ["NOTICE"],
}

// Shared compiler flag carrying the kernel SELinux policy version.
// NOTE(review): the same value (30) is repeated literally as `-c 30` and
// `--policy_vers 30` in the microdroid genrules at the end of this file;
// the three places have to be bumped together.
cc_defaults {
    name: "selinux_policy_version",
    cflags: ["-DSEPOLICY_VERSION=30"],
}

// Board half of the 26.0 compatibility mapping; consumed as bottom_half by
// the 26.0 se_cil_compat_map modules below.
se_filegroup {
    name: "26.0.board.compat.map",
    srcs: ["compat/26.0/26.0.cil"],
}

// Board half of the 27.0 compatibility mapping (bottom_half of the 27.0 maps).
se_filegroup {
    name: "27.0.board.compat.map",
    srcs: ["compat/27.0/27.0.cil"],
}

// Board half of the 28.0 compatibility mapping (bottom_half of the 28.0 maps).
se_filegroup {
    name: "28.0.board.compat.map",
    srcs: ["compat/28.0/28.0.cil"],
}

// Board half of the 29.0 compatibility mapping (bottom_half of the 29.0 maps).
se_filegroup {
    name: "29.0.board.compat.map",
    srcs: ["compat/29.0/29.0.cil"],
}

// Board half of the 30.0 compatibility mapping (bottom_half of the 30.0 maps).
se_filegroup {
    name: "30.0.board.compat.map",
    srcs: ["compat/30.0/30.0.cil"],
}

// Board half of the 26.0 ignore list; bottom_half of "26.0.ignore.cil".
se_filegroup {
    name: "26.0.board.ignore.map",
    srcs: ["compat/26.0/26.0.ignore.cil"],
}

// Board half of the 27.0 ignore list; bottom_half of "27.0.ignore.cil".
se_filegroup {
    name: "27.0.board.ignore.map",
    srcs: ["compat/27.0/27.0.ignore.cil"],
}

// Board half of the 28.0 ignore list; bottom_half of "28.0.ignore.cil".
se_filegroup {
    name: "28.0.board.ignore.map",
    srcs: ["compat/28.0/28.0.ignore.cil"],
}

// Board half of the 29.0 ignore list; bottom_half of "29.0.ignore.cil".
se_filegroup {
    name: "29.0.board.ignore.map",
    srcs: ["compat/29.0/29.0.ignore.cil"],
}

// Board half of the 30.0 ignore list; bottom_half of "30.0.ignore.cil".
se_filegroup {
    name: "30.0.board.ignore.map",
    srcs: ["compat/30.0/30.0.ignore.cil"],
}

// Platform 26.0 mapping: chained to the 27.0 map via top_half, board half
// from the filegroup above. The stem is shared with the system_ext/product
// variants of the same version.
se_cil_compat_map {
    name: "plat_26.0.cil",
    stem: "26.0.cil",
    top_half: "plat_27.0.cil",
    bottom_half: [":26.0.board.compat.map"],
}

// Platform 27.0 mapping, chained to plat_28.0.cil.
se_cil_compat_map {
    name: "plat_27.0.cil",
    stem: "27.0.cil",
    top_half: "plat_28.0.cil",
    bottom_half: [":27.0.board.compat.map"],
}

// Platform 28.0 mapping, chained to plat_29.0.cil.
se_cil_compat_map {
    name: "plat_28.0.cil",
    stem: "28.0.cil",
    top_half: "plat_29.0.cil",
    bottom_half: [":28.0.board.compat.map"],
}

// Platform 29.0 mapping, chained to plat_30.0.cil.
se_cil_compat_map {
    name: "plat_29.0.cil",
    stem: "29.0.cil",
    top_half: "plat_30.0.cil",
    bottom_half: [":29.0.board.compat.map"],
}

// Platform 30.0 mapping. Newest link in the chain, so it has no top_half yet;
// the commented line is the template for the next version bump.
se_cil_compat_map {
    name: "plat_30.0.cil",
    stem: "30.0.cil",
    // top_half: "plat_31.0.cil",
    bottom_half: [":30.0.board.compat.map"],
}

// system_ext variant of the 26.0 mapping, chained to system_ext_27.0.cil.
se_cil_compat_map {
    name: "system_ext_26.0.cil",
    system_ext_specific: true,
    stem: "26.0.cil",
    top_half: "system_ext_27.0.cil",
    bottom_half: [":26.0.board.compat.map"],
}

// system_ext variant of the 27.0 mapping, chained to system_ext_28.0.cil.
se_cil_compat_map {
    name: "system_ext_27.0.cil",
    system_ext_specific: true,
    stem: "27.0.cil",
    top_half: "system_ext_28.0.cil",
    bottom_half: [":27.0.board.compat.map"],
}

// system_ext variant of the 28.0 mapping, chained to system_ext_29.0.cil.
se_cil_compat_map {
    name: "system_ext_28.0.cil",
    system_ext_specific: true,
    stem: "28.0.cil",
    top_half: "system_ext_29.0.cil",
    bottom_half: [":28.0.board.compat.map"],
}

// system_ext variant of the 29.0 mapping, chained to system_ext_30.0.cil.
se_cil_compat_map {
    name: "system_ext_29.0.cil",
    system_ext_specific: true,
    stem: "29.0.cil",
    top_half: "system_ext_30.0.cil",
    bottom_half: [":29.0.board.compat.map"],
}

// system_ext variant of the 30.0 mapping; newest in its chain, no top_half yet.
se_cil_compat_map {
    name: "system_ext_30.0.cil",
    system_ext_specific: true,
    stem: "30.0.cil",
    // top_half: "system_ext_31.0.cil",
    bottom_half: [":30.0.board.compat.map"],
}

// product variant of the 26.0 mapping, chained to product_27.0.cil.
se_cil_compat_map {
    name: "product_26.0.cil",
    product_specific: true,
    stem: "26.0.cil",
    top_half: "product_27.0.cil",
    bottom_half: [":26.0.board.compat.map"],
}

// product variant of the 27.0 mapping, chained to product_28.0.cil.
se_cil_compat_map {
    name: "product_27.0.cil",
    product_specific: true,
    stem: "27.0.cil",
    top_half: "product_28.0.cil",
    bottom_half: [":27.0.board.compat.map"],
}

// product variant of the 28.0 mapping, chained to product_29.0.cil.
se_cil_compat_map {
    name: "product_28.0.cil",
    product_specific: true,
    stem: "28.0.cil",
    top_half: "product_29.0.cil",
    bottom_half: [":28.0.board.compat.map"],
}

// product variant of the 29.0 mapping, chained to product_30.0.cil.
se_cil_compat_map {
    name: "product_29.0.cil",
    product_specific: true,
    stem: "29.0.cil",
    top_half: "product_30.0.cil",
    bottom_half: [":29.0.board.compat.map"],
}

// product variant of the 30.0 mapping; newest in its chain, no top_half yet.
se_cil_compat_map {
    name: "product_30.0.cil",
    product_specific: true,
    stem: "30.0.cil",
    // top_half: "product_31.0.cil",
    bottom_half: [":30.0.board.compat.map"],
}

// 26.0 ignore list; no stem (the module name is used), chained to 27.0.ignore.cil.
se_cil_compat_map {
    name: "26.0.ignore.cil",
    top_half: "27.0.ignore.cil",
    bottom_half: [":26.0.board.ignore.map"],
}

// 27.0 ignore list, chained to 28.0.ignore.cil.
se_cil_compat_map {
    name: "27.0.ignore.cil",
    top_half: "28.0.ignore.cil",
    bottom_half: [":27.0.board.ignore.map"],
}

// 28.0 ignore list, chained to 29.0.ignore.cil.
se_cil_compat_map {
    name: "28.0.ignore.cil",
    top_half: "29.0.ignore.cil",
    bottom_half: [":28.0.board.ignore.map"],
}

// 29.0 ignore list, chained to 30.0.ignore.cil.
se_cil_compat_map {
    name: "29.0.ignore.cil",
    top_half: "30.0.ignore.cil",
    bottom_half: [":29.0.board.ignore.map"],
}

// 30.0 ignore list; newest in the chain, no top_half yet.
se_cil_compat_map {
    name: "30.0.ignore.cil",
    // top_half: "31.0.ignore.cil",
    bottom_half: [":30.0.board.ignore.map"],
}

// Prebuilt 26.0 compat CIL, installed next to the versioned mapping files.
prebuilt_etc {
    name: "26.0.compat.cil",
    sub_dir: "selinux/mapping",
    src: "private/compat/26.0/26.0.compat.cil",
}

// Prebuilt 27.0 compat CIL, installed next to the versioned mapping files.
prebuilt_etc {
    name: "27.0.compat.cil",
    sub_dir: "selinux/mapping",
    src: "private/compat/27.0/27.0.compat.cil",
}

// Prebuilt 28.0 compat CIL, installed next to the versioned mapping files.
prebuilt_etc {
    name: "28.0.compat.cil",
    sub_dir: "selinux/mapping",
    src: "private/compat/28.0/28.0.compat.cil",
}

// Prebuilt 29.0 compat CIL, installed next to the versioned mapping files.
prebuilt_etc {
    name: "29.0.compat.cil",
    sub_dir: "selinux/mapping",
    src: "private/compat/29.0/29.0.compat.cil",
}

// Prebuilt 30.0 compat CIL, installed next to the versioned mapping files.
prebuilt_etc {
    name: "30.0.compat.cil",
    sub_dir: "selinux/mapping",
    src: "private/compat/30.0/30.0.compat.cil",
}

// Shared source for every *_file_contexts module below (all partitions
// build from the same file_contexts input).
se_filegroup {
    name: "file_contexts_files",
    srcs: [
        "file_contexts",
    ],
}

// Extra file_contexts entries, added to plat_file_contexts only for
// address_sanitize builds.
se_filegroup {
    name: "file_contexts_asan_files",
    srcs: [
        "file_contexts_asan",
    ],
}

// Extra file_contexts entries, added to plat_file_contexts only for
// debuggable builds.
se_filegroup {
    name: "file_contexts_overlayfs_files",
    srcs: [
        "file_contexts_overlayfs",
    ],
}

// Shared source for every *_hwservice_contexts module below.
se_filegroup {
    name: "hwservice_contexts_files",
    srcs: [
        "hwservice_contexts",
    ],
}

// Shared source for every *_property_contexts module below.
se_filegroup {
    name: "property_contexts_files",
    srcs: [
        "property_contexts",
    ],
}

// Shared source for every *_service_contexts module below.
se_filegroup {
    name: "service_contexts_files",
    srcs: [
        "service_contexts",
    ],
}

// Shared source for every *_keystore2_key_contexts module below.
se_filegroup {
    name: "keystore2_key_contexts_files",
    srcs: [
        "keystore2_key_contexts",
    ],
}

// Platform file_contexts. Unlike the partition variants below it pulls in
// build-configuration-dependent extras and the per-APEX context files.
file_contexts {
    name: "plat_file_contexts",
    recovery_available: true,
    srcs: [":file_contexts_files"],
    // Sanitizer-only and debuggable-only entries; both are absent on a plain
    // user build.
    product_variables: {
        address_sanitize: {
            srcs: [":file_contexts_asan_files"],
        },
        debuggable: {
            srcs: [":file_contexts_overlayfs_files"],
        },
    },
    // Glob of per-APEX file_contexts for the flatten_apex configuration.
    flatten_apex: {
        srcs: ["apex/*-file_contexts"],
    },
}

// Vendor (soc_specific) file_contexts from the shared source.
file_contexts {
    name: "vendor_file_contexts",
    soc_specific: true,
    recovery_available: true,
    srcs: [":file_contexts_files"],
}

// system_ext file_contexts from the shared source.
file_contexts {
    name: "system_ext_file_contexts",
    system_ext_specific: true,
    recovery_available: true,
    srcs: [":file_contexts_files"],
}

// product file_contexts from the shared source.
file_contexts {
    name: "product_file_contexts",
    product_specific: true,
    recovery_available: true,
    srcs: [":file_contexts_files"],
}

// odm (device_specific) file_contexts from the shared source.
file_contexts {
    name: "odm_file_contexts",
    device_specific: true,
    recovery_available: true,
    srcs: [":file_contexts_files"],
}

// Platform hwservice_contexts.
hwservice_contexts {
    name: "plat_hwservice_contexts",
    srcs: [
        ":hwservice_contexts_files",
    ],
}

// system_ext hwservice_contexts.
hwservice_contexts {
    name: "system_ext_hwservice_contexts",
    system_ext_specific: true,
    srcs: [
        ":hwservice_contexts_files",
    ],
}

// product hwservice_contexts.
hwservice_contexts {
    name: "product_hwservice_contexts",
    product_specific: true,
    srcs: [
        ":hwservice_contexts_files",
    ],
}

// Vendor hwservice_contexts. reqd_mask is set only on the vendor_* context
// modules in this file.
hwservice_contexts {
    name: "vendor_hwservice_contexts",
    soc_specific: true,
    reqd_mask: true,
    srcs: [
        ":hwservice_contexts_files",
    ],
}

// odm hwservice_contexts.
hwservice_contexts {
    name: "odm_hwservice_contexts",
    device_specific: true,
    srcs: [
        ":hwservice_contexts_files",
    ],
}

// Platform property_contexts; also needed in recovery.
property_contexts {
    name: "plat_property_contexts",
    recovery_available: true,
    srcs: [
        ":property_contexts_files",
    ],
}

// system_ext property_contexts; also needed in recovery.
property_contexts {
    name: "system_ext_property_contexts",
    system_ext_specific: true,
    recovery_available: true,
    srcs: [
        ":property_contexts_files",
    ],
}

// product property_contexts; also needed in recovery.
property_contexts {
    name: "product_property_contexts",
    product_specific: true,
    recovery_available: true,
    srcs: [
        ":property_contexts_files",
    ],
}

// Vendor property_contexts (reqd_mask, like the other vendor_* context
// modules); also needed in recovery.
property_contexts {
    name: "vendor_property_contexts",
    soc_specific: true,
    reqd_mask: true,
    recovery_available: true,
    srcs: [
        ":property_contexts_files",
    ],
}

// odm property_contexts; also needed in recovery.
property_contexts {
    name: "odm_property_contexts",
    device_specific: true,
    recovery_available: true,
    srcs: [
        ":property_contexts_files",
    ],
}

// Platform service_contexts.
service_contexts {
    name: "plat_service_contexts",
    srcs: [
        ":service_contexts_files",
    ],
}

// system_ext service_contexts.
service_contexts {
    name: "system_ext_service_contexts",
    system_ext_specific: true,
    srcs: [
        ":service_contexts_files",
    ],
}

// product service_contexts.
service_contexts {
    name: "product_service_contexts",
    product_specific: true,
    srcs: [
        ":service_contexts_files",
    ],
}

// Vendor service_contexts (reqd_mask, like the other vendor_* context
// modules). NOTE(review): there is no odm_service_contexts here, unlike
// file/hwservice/property contexts — presumably intentional; confirm.
service_contexts {
    name: "vendor_service_contexts",
    soc_specific: true,
    reqd_mask: true,
    srcs: [
        ":service_contexts_files",
    ],
}

// Platform keystore2_key_contexts.
keystore2_key_contexts {
    name: "plat_keystore2_key_contexts",
    srcs: [
        ":keystore2_key_contexts_files",
    ],
}

// system_ext keystore2_key_contexts.
// NOTE(review): named "system_..." while every other system_ext_specific
// module in this file is "system_ext_..."; renaming would break consumers,
// so the name is left as-is.
keystore2_key_contexts {
    name: "system_keystore2_key_contexts",
    system_ext_specific: true,
    srcs: [
        ":keystore2_key_contexts_files",
    ],
}

// product keystore2_key_contexts.
keystore2_key_contexts {
    name: "product_keystore2_key_contexts",
    product_specific: true,
    srcs: [
        ":keystore2_key_contexts_files",
    ],
}

// Vendor keystore2_key_contexts (reqd_mask, like the other vendor_* context
// modules). No odm variant exists for this context type.
keystore2_key_contexts {
    name: "vendor_keystore2_key_contexts",
    soc_specific: true,
    reqd_mask: true,
    srcs: [
        ":keystore2_key_contexts_files",
    ],
}

// For vts_treble_sys_prop_test
filegroup {
    name: "private_property_contexts",
    // Raw private property_contexts, exposed only to the VTS system-property
    // test package; keep the visibility list this narrow.
    visibility: ["//test/vts-testcase/security/system_property"],
    srcs: ["private/property_contexts"],
}

// These are minimized cil modules used to test microdroid.
// TODO(b/178993690): migrate cil files to Android.bp and remove below
// Ordered policy sources for the microdroid platform policy
// (microdroid_plat_sepolicy.cil_gen). Includes the private/ rules, unlike the
// public+reqd_mask filegroup below.
filegroup {
    name: "microdroid_sepolicy_build_files",
    srcs: [
        // This order is important. Should be identical to sepolicy_build_files in Android.mk
        // (declarations first, then macros/attributes, then the *.te rules,
        // then roles/users and the context definitions).
        "private/security_classes",
        "private/initial_sids",
        "private/access_vectors",
        "public/global_macros",
        "public/neverallow_macros",
        "private/mls_macros",
        "private/mls_decl",
        "private/mls",
        "private/policy_capabilities",
        "public/te_macros",
        "public/attributes",
        "private/attributes",
        "public/ioctl_defines",
        "public/ioctl_macros",
        "public/*.te",
        "private/*.te",
        "private/roles_decl",
        "public/roles",
        "private/users",
        "private/initial_sid_contexts",
        "private/fs_use",
        "private/genfs_contexts",
        "private/port_contexts",
    ],
}

// Ordered public + reqd_mask policy sources; input to the microdroid mapping
// file and pub_policy genrules. No private/ rules here.
filegroup {
    name: "microdroid_sepolicy_public_and_reqd_mask_build_files",
    srcs: [
        // This order is important. Should be identical to sepolicy_build_files in Android.mk
        "reqd_mask/security_classes",
        "reqd_mask/initial_sids",
        "reqd_mask/access_vectors",
        "public/global_macros",
        "public/neverallow_macros",
        "reqd_mask/mls_macros",
        "reqd_mask/mls_decl",
        "reqd_mask/mls",
        "public/te_macros",
        "public/attributes",
        "public/ioctl_defines",
        "public/ioctl_macros",
        "public/*.te",
        "reqd_mask/*.te",
        "reqd_mask/roles_decl",
        "public/roles",
        "reqd_mask/roles",
        "reqd_mask/users",
        "reqd_mask/initial_sid_contexts",
    ],
}

// Ordered reqd_mask-only sources; compiled by microdroid_reqd_policy_mask.cil_gen
// and then used as the filter_out / --reqd_mask input of the other genrules.
filegroup {
    name: "microdroid_sepolicy_reqd_mask_build_files",
    srcs: [
        // This order is important. Should be identical to sepolicy_build_files in Android.mk
        "reqd_mask/security_classes",
        "reqd_mask/initial_sids",
        "reqd_mask/access_vectors",
        "reqd_mask/mls_macros",
        "reqd_mask/mls_decl",
        "reqd_mask/mls",
        "reqd_mask/*.te",
        "reqd_mask/roles_decl",
        "reqd_mask/roles",
        "reqd_mask/users",
        "reqd_mask/initial_sid_contexts",
    ],
}

// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch,
// these settings should be fine for testing microdroid on normal devices with full Treble.
// target_arch is meaningful only on mips, and as we are not running microdroid on mips for
// now, we skip assigning target_arch here. After the cil files are fully migrated into Soong,
// these will have correct values.
// m4 invocation prefix shared by the microdroid genrules. The -D values are
// fixed here rather than taken from the actual lunch target, so policy that
// is conditioned on these macros is always expanded as for a userdebug,
// non-ASAN, full-Treble build. Trailing space is intentional: callers append
// "-s <sources>" directly.
policy_to_conf_flags = "$(location m4) --fatal-warnings " +
    "-D mls_num_sens=1 -D mls_num_cats=1024 " +
    "-D target_build_variant=userdebug " +
    "-D target_with_asan=false " +
    "-D target_with_native_coverage=false " +
    "-D target_full_treble=true " +
    "-D target_compatible_property=true " +
    "-D target_treble_sysprop_neverallow=true " +
    "-D target_enforce_sysprop_owner=true "

// Platform policy for microdroid: m4-expand the ordered sources into one
// .conf, then compile it to CIL with checkpolicy.
genrule {
    name: "microdroid_plat_sepolicy.cil_gen",
    visibility: ["//visibility:private"],
    srcs: [":microdroid_sepolicy_build_files"],
    tools: [
        "m4",
        "checkpolicy",
    ],
    out: ["plat_sepolicy.cil"],
    // `-c 30` must track SEPOLICY_VERSION in cc_defaults "selinux_policy_version".
    // The "&&" directly after ".conf" (no space) is tokenized fine by the shell.
    cmd: policy_to_conf_flags +
        "-s $(locations :microdroid_sepolicy_build_files) > $(out).conf&& " +
        "$(location checkpolicy) -M -C -c 30 -o $(out) $(out).conf",
}

// Packaging module for the generated platform policy. installable: false,
// so it is not placed on the host device image; presumably picked up by the
// microdroid image build — confirm.
prebuilt_etc {
    name: "microdroid_plat_sepolicy.cil",
    installable: false,
    relative_install_path: "selinux",
    filename: "plat_sepolicy.cil",
    src: ":microdroid_plat_sepolicy.cil_gen",
}

// Compiles the reqd_mask-only sources to CIL; the result is the filter/mask
// input of the mapping, pub_policy and vendor genrules below.
genrule {
    name: "microdroid_reqd_policy_mask.cil_gen",
    visibility: ["//visibility:private"],
    srcs: [":microdroid_sepolicy_reqd_mask_build_files"],
    tools: [
        "m4",
        "checkpolicy",
    ],
    out: ["reqd_policy_mask.cil"],
    // Uses $(in) where the sibling genrules use $(locations :filegroup);
    // with a single filegroup in srcs the two presumably expand identically.
    // `-c 30` must track SEPOLICY_VERSION in cc_defaults "selinux_policy_version".
    cmd: policy_to_conf_flags +
        "-s $(in) > $(out).conf&& " +
        "$(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf",
}

// Builds the (placeholder-versioned, 10000.0) mapping file: expand and compile
// the public+reqd_mask sources, strip the reqd_mask part with build_sepolicy
// filter_out, then let version_policy emit the mapping (-m).
// NOTE(review): the first three steps duplicate microdroid_pub_policy.cil_gen;
// chaining on that genrule's output would remove the repeated work.
genrule {
    name: "microdroid_plat_mapping_file_gen",
    visibility: ["//visibility:private"],
    srcs: [
        ":microdroid_sepolicy_public_and_reqd_mask_build_files",
        ":microdroid_reqd_policy_mask.cil_gen",
    ],
    tools: [
        "m4",
        "checkpolicy",
        "build_sepolicy",
        "version_policy",
    ],
    out: ["10000.0.cil"],
    // `-c 30` must track SEPOLICY_VERSION in cc_defaults "selinux_policy_version".
    cmd: policy_to_conf_flags +
        "-s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf&& " +
        "$(location checkpolicy) -M -C -c 30 -o $(out).pub $(out).conf&& " +
        "$(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out).pub&& " +
        "$(location version_policy) -b $(out).pub -m -n 10000.0 -o $(out)",
}

// Packaging module for the generated 10000.0 mapping file (not installable
// on the host image; see microdroid_plat_sepolicy.cil).
prebuilt_etc {
    name: "microdroid_plat_mapping_file",
    installable: false,
    relative_install_path: "selinux/mapping",
    filename: "10000.0.cil",
    src: ":microdroid_plat_mapping_file_gen",
}

///////////////////////////////////////////////////////////////////
// Public policy for microdroid: expand and compile the public+reqd_mask
// sources, then filter the reqd_mask policy back out.
genrule {
    name: "microdroid_pub_policy.cil_gen",
    visibility: ["//visibility:private"],
    srcs: [
        ":microdroid_sepolicy_public_and_reqd_mask_build_files",
        ":microdroid_reqd_policy_mask.cil_gen",
    ],
    tools: [
        "m4",
        "checkpolicy",
        "build_sepolicy",
    ],
    out: ["pub_policy.cil"],
    // `-c 30` must track SEPOLICY_VERSION in cc_defaults "selinux_policy_version".
    cmd: policy_to_conf_flags + " -s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) " +
        "> $(out).conf && $(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf && " +
        "$(location build_sepolicy) filter_out " +
        "-f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out)",
}

// Versions the public policy under the placeholder version 10000.0.
// Both -b (base) and -t (target) point at the same pub_policy output —
// presumably intentional for a self-consistent platform build; confirm.
genrule {
    name: "microdroid_plat_pub_versioned.cil_gen",
    visibility: ["//visibility:private"],
    srcs: [":microdroid_pub_policy.cil_gen"],
    tools: ["version_policy"],
    out: ["plat_pub_versioned.cil"],
    cmd: "$(location version_policy) -b $(location :microdroid_pub_policy.cil_gen) " +
        "-t $(location :microdroid_pub_policy.cil_gen) -n 10000.0 -o $(out)",
}

// Ordered sources for the microdroid vendor policy. Same list and order as
// microdroid_sepolicy_public_and_reqd_mask_build_files, with "vendor/*.te"
// inserted after "reqd_mask/*.te"; keep the two in sync.
filegroup {
    name: "microdroid_vendor_sepolicy_build_files",
    srcs: [
        "reqd_mask/security_classes",
        "reqd_mask/initial_sids",
        "reqd_mask/access_vectors",
        "public/global_macros",
        "public/neverallow_macros",
        "reqd_mask/mls_macros",
        "reqd_mask/mls_decl",
        "reqd_mask/mls",
        "public/te_macros",
        "public/attributes",
        "public/ioctl_defines",
        "public/ioctl_macros",
        "public/*.te",
        "reqd_mask/*.te",
        "vendor/*.te",
        "reqd_mask/roles_decl",
        "public/roles",
        "reqd_mask/roles",
        "reqd_mask/users",
        "reqd_mask/initial_sid_contexts",
    ],
}

// Vendor policy for microdroid: m4-expand the vendor sources, then hand the
// .conf to build_sepolicy build_cil together with the public policy, the
// versioned public policy (filtered out) and the reqd_mask.
genrule {
    name: "microdroid_vendor_sepolicy.cil_gen",
    visibility: ["//visibility:private"],
    srcs: [
        ":microdroid_vendor_sepolicy_build_files",
        ":microdroid_plat_pub_versioned.cil_gen",
        ":microdroid_pub_policy.cil_gen",
        ":microdroid_reqd_policy_mask.cil_gen",
    ],
    // checkpolicy, secilc and version_policy are not referenced via
    // $(location ...) in cmd; presumably build_sepolicy finds them through
    // --android_host_path, which is why they are still listed here.
    tools: [
        "m4",
        "build_sepolicy",
        "checkpolicy",
        "secilc",
        "version_policy",
    ],
    out: ["vendor_sepolicy.cil"],
    // --checkpolicy_env relaxes LeakSanitizer for the host checkpolicy run
    // only; it has no effect on the produced policy.
    // --policy_vers 30 must track SEPOLICY_VERSION in cc_defaults
    // "selinux_policy_version"; 10000.0 is the same placeholder version used
    // by the mapping and plat_pub_versioned genrules.
    cmd: policy_to_conf_flags + " -s $(locations :microdroid_vendor_sepolicy_build_files) " +
        "> $(out).conf && " +
        "$(location build_sepolicy) --android_host_path $$(dirname $(location build_sepolicy)) build_cil " +
        "--input_policy_conf $(out).conf " +
        "--checkpolicy_env ASAN_OPTIONS=detect_leaks=0 " +
        "--base_policy $(location :microdroid_pub_policy.cil_gen) " +
        "--filter_out_files $(location :microdroid_plat_pub_versioned.cil_gen) " +
        "--reqd_mask $(location :microdroid_reqd_policy_mask.cil_gen) " +
        "--treble_sepolicy_vers 10000.0 --policy_vers 30 --output_cil $(out)",
}

// Packaging module for the generated vendor policy (not installable on the
// host image; see microdroid_plat_sepolicy.cil).
prebuilt_etc {
    name: "microdroid_vendor_sepolicy.cil",
    installable: false,
    relative_install_path: "selinux",
    filename: "vendor_sepolicy.cil",
    src: ":microdroid_vendor_sepolicy.cil_gen",
}

// Packaging module for the versioned public policy (not installable on the
// host image; see microdroid_plat_sepolicy.cil).
prebuilt_etc {
    name: "microdroid_plat_pub_versioned.cil",
    installable: false,
    relative_install_path: "selinux",
    filename: "plat_pub_versioned.cil",
    src: ":microdroid_plat_pub_versioned.cil_gen",
}