| LOCAL_PATH:= $(call my-dir) |
| |
| include $(LOCAL_PATH)/definitions.mk |
| include $(LOCAL_PATH)/policy_version.mk |
| |
| include $(CLEAR_VARS) |
| |
| MLS_SENS=1 |
| MLS_CATS=1024 |
| |
| ifdef BOARD_SEPOLICY_UNION |
| $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.) |
| endif |
| |
| ifdef BOARD_SEPOLICY_M4DEFS |
| LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS)) |
| else |
| LOCAL_ADDITIONAL_M4DEFS := |
| endif |
| |
| # sepolicy is now divided into multiple portions: |
| # public - policy exported on which non-platform policy developers may write |
| # additional policy. types and attributes are versioned and included in |
| # delivered non-platform policy, which is to be combined with platform policy. |
| # private - platform-only policy required for platform functionality but which |
| # is not exported to vendor policy developers and as such may not be assumed |
| # to exist. |
| # vendor - vendor-only policy required for vendor functionality. This policy can |
| # reference the public policy but cannot reference the private policy. This |
| # policy is for components which are produced from the core/non-vendor tree and |
| # placed into a vendor partition. |
| # mapping - This contains policy statements which map the attributes |
| # exposed in the public policy of previous versions to the concrete types used |
| # in this policy to ensure that policy targeting attributes from public |
| # policy from an older platform version continues to work. |
| |
| # build process for device: |
| # 1) convert policies to CIL: |
| # - private + public platform policy to CIL |
| # - mapping file to CIL (should already be in CIL form) |
| # - non-platform public policy to CIL |
| # - non-platform public + private policy to CIL |
| # 2) attributize policy |
| # - run script which takes non-platform public and non-platform combined |
| # private + public policy and produces attributized and versioned |
| # non-platform policy |
| # 3) combine policy files |
| # - combine mapping, platform and non-platform policy. |
| # - compile output binary policy file |
| |
| PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public |
| PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private |
| PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor |
| REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask |
| SYSTEM_EXT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) |
| SYSTEM_EXT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) |
| PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS) |
| PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS) |
| |
| ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY)) |
| HAS_SYSTEM_EXT_SEPOLICY_DIR := true |
| endif |
| |
| # TODO(b/119305624): Currently if the device doesn't have a product partition, |
| # we install product sepolicy into /system/product. We do that because bits of |
| # product sepolicy that's still in /system might depend on bits that have moved |
| # to /product. Once we finish migrating product sepolicy out of system, change |
| # it so that if no product partition is present, product sepolicy artifacts are |
| # not built and installed at all. |
| ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY)) |
| HAS_PRODUCT_SEPOLICY_DIR := true |
| endif |
| |
| # TODO: move to README when doing the README update and finalizing versioning. |
| # BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy |
| # version identifier corresponding to the sepolicy on which the non-platform |
| # policy is to be based. If unspecified, this will build against the current |
| # public platform policy in tree |
| ifndef BOARD_SEPOLICY_VERS |
| # The default platform policy version. |
| BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION) |
| endif |
| |
| NEVERALLOW_ARG := |
| ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) |
| ifeq ($(TARGET_BUILD_VARIANT),user) |
| $(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds) |
| endif |
| $(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \ |
| It does not work in user builds and using it will \ |
| not stop you from failing CTS.) |
| NEVERALLOW_ARG := -N |
| endif |
| |
| # BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before. |
| # It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and |
| # BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for |
| # backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS. |
| ifdef BOARD_SEPOLICY_DIRS |
| BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS) |
| endif |
| |
| ifdef BOARD_ODM_SEPOLICY_DIRS |
| ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) |
| $(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS) |
| endif |
| endif |
| |
| ########################################################### |
| # Compute policy files to be used in policy build. |
| # $(1): files to include |
| # $(2): directories in which to find files |
| ########################################################### |
| |
| define build_policy |
| $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))) |
| endef |
| |
| # Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS. |
| # $(1): the set of policy name paths to build |
| build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS)) |
| |
| # Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS. |
| build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS)) |
| |
| sepolicy_build_files := security_classes \ |
| initial_sids \ |
| access_vectors \ |
| global_macros \ |
| neverallow_macros \ |
| mls_macros \ |
| mls_decl \ |
| mls \ |
| policy_capabilities \ |
| te_macros \ |
| attributes \ |
| ioctl_defines \ |
| ioctl_macros \ |
| *.te \ |
| roles_decl \ |
| roles \ |
| users \ |
| initial_sid_contexts \ |
| fs_use \ |
| genfs_contexts \ |
| port_contexts |
| |
| # Security classes and permissions defined outside of system/sepolicy. |
| security_class_extension_files := $(call build_policy, security_classes access_vectors, \ |
| $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ |
| $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ |
| $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) |
| |
| ifneq (,$(strip $(security_class_extension_files))) |
| $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files))) |
| endif |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR |
| # Checks if there are public system_ext policy files. |
| policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY)) |
| ifneq (,$(strip $(policy_files))) |
| HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true |
| endif |
| # Checks if there are public/private system_ext policy files. |
| policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY)) |
| ifneq (,$(strip $(policy_files))) |
| HAS_SYSTEM_EXT_SEPOLICY := true |
| endif |
| endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR |
| |
| ifdef HAS_PRODUCT_SEPOLICY_DIR |
| # Checks if there are public product policy files. |
| policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY)) |
| ifneq (,$(strip $(policy_files))) |
| HAS_PRODUCT_PUBLIC_SEPOLICY := true |
| endif |
| # Checks if there are public/private product policy files. |
| policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)) |
| ifneq (,$(strip $(policy_files))) |
| HAS_PRODUCT_SEPOLICY := true |
| endif |
| endif # ifdef HAS_PRODUCT_SEPOLICY_DIR |
| |
| # CIL files which contain workarounds for current limitation of human-readable |
| # module policy language. These files are appended to the CIL files produced |
| # from module language files. |
| sepolicy_build_cil_workaround_files := technical_debt.cil |
| |
| my_target_arch := $(TARGET_ARCH) |
| ifneq (,$(filter mips mips64,$(TARGET_ARCH))) |
| my_target_arch := mips |
| endif |
| |
| intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates |
| |
| with_asan := false |
| ifneq (,$(filter address,$(SANITIZE_TARGET))) |
| with_asan := true |
| endif |
| |
| with_native_coverage := false |
| ifeq ($(NATIVE_COVERAGE),true) |
| with_native_coverage := true |
| endif |
| ifeq ($(CLANG_COVERAGE),true) |
| with_native_coverage := true |
| endif |
| |
| treble_sysprop_neverallow := true |
| ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true) |
| treble_sysprop_neverallow := false |
| endif |
| |
| ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) |
| #$(warning no product shipping level defined) |
| else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),) |
| ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),) |
| $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.) |
| endif |
| endif |
| |
| # Library extension for host-side tests |
| ifeq ($(HOST_OS),darwin) |
| SHAREDLIB_EXT=dylib |
| else |
| SHAREDLIB_EXT=so |
| endif |
| |
| # Convert a file_context file for a non-flattened APEX into a file for |
| # flattened APEX. /system/apex/<apex_name> path is prepended to the original paths |
| # $(1): path to the input file_contexts file for non-flattened APEX |
| # $(2): path to the flattened APEX |
| # $(3): path to the generated file_contexts file for flattened APEX |
| # $(4): variable where $(3) is added to |
| define build_flattened_apex_file_contexts |
| $(4) += $(3) |
| $(3): PRIVATE_APEX_PATH := $(subst .,\\.,$(2)) |
| $(3): $(1) |
| $(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@ |
| endef |
| |
| ################################# |
| |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := selinux_policy |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_REQUIRED_MODULES += \ |
| selinux_policy_nonsystem \ |
| selinux_policy_system \ |
| |
| include $(BUILD_PHONY_PACKAGE) |
| |
| # selinux_policy is a main goal and triggers lots of tests. |
| # Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm') |
| # By setting as droidcore's dependency, tests will run on normal builds. |
| droidcore: selinux_policy |
| |
| include $(CLEAR_VARS) |
| LOCAL_MODULE := selinux_policy_system |
| # These build targets are not used on non-Treble devices. However, we build these to avoid |
| # divergence between Treble and non-Treble devices. |
| LOCAL_REQUIRED_MODULES += \ |
| plat_mapping_file \ |
| $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ |
| $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ |
| plat_sepolicy.cil \ |
| plat_sepolicy_and_mapping.sha256 \ |
| secilc \ |
| |
| LOCAL_REQUIRED_MODULES += \ |
| build_sepolicy \ |
| plat_file_contexts \ |
| plat_file_contexts_test \ |
| plat_mac_permissions.xml \ |
| plat_property_contexts \ |
| plat_property_contexts_test \ |
| plat_seapp_contexts \ |
| plat_service_contexts \ |
| plat_service_contexts_test \ |
| plat_hwservice_contexts \ |
| plat_hwservice_contexts_test \ |
| searchpolicy \ |
| |
| # This conditional inclusion closely mimics the conditional logic |
| # inside init/init.cpp for loading SELinux policy from files. |
| ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) |
| # The following files are only allowed for non-Treble devices. |
| LOCAL_REQUIRED_MODULES += \ |
| sepolicy \ |
| vendor_service_contexts \ |
| |
| endif # ($(PRODUCT_SEPOLICY_SPLIT),true) |
| |
| ifneq ($(with_asan),true) |
| ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) |
| LOCAL_REQUIRED_MODULES += \ |
| sepolicy_tests \ |
| $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ |
| |
| ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) |
| LOCAL_REQUIRED_MODULES += \ |
| $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ |
| |
| endif # PRODUCT_SEPOLICY_SPLIT |
| endif # SELINUX_IGNORE_NEVERALLOWS |
| endif # with_asan |
| |
| ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) |
| LOCAL_REQUIRED_MODULES += \ |
| sepolicy_freeze_test \ |
| |
| endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) |
| |
| include $(BUILD_PHONY_PACKAGE) |
| |
| ################################# |
| |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := selinux_policy_nonsystem |
| # Include precompiled policy, unless told otherwise. |
| ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) |
| LOCAL_REQUIRED_MODULES += \ |
| precompiled_sepolicy \ |
| precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \ |
| precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 \ |
| system_ext_sepolicy_and_mapping.sha256 \ |
| precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \ |
| product_sepolicy_and_mapping.sha256 \ |
| |
| endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false) |
| |
| |
| # These build targets are not used on non-Treble devices. However, we build these to avoid |
| # divergence between Treble and non-Treble devices. |
| LOCAL_REQUIRED_MODULES += \ |
| plat_pub_versioned.cil \ |
| vendor_sepolicy.cil \ |
| plat_sepolicy_vers.txt \ |
| |
| LOCAL_REQUIRED_MODULES += \ |
| vendor_file_contexts \ |
| vendor_file_contexts_test \ |
| vendor_mac_permissions.xml \ |
| vendor_property_contexts \ |
| vendor_property_contexts_test \ |
| vendor_seapp_contexts \ |
| vendor_service_contexts \ |
| vendor_hwservice_contexts \ |
| vendor_hwservice_contexts_test \ |
| vndservice_contexts \ |
| |
| ifdef BOARD_ODM_SEPOLICY_DIRS |
| LOCAL_REQUIRED_MODULES += \ |
| odm_sepolicy.cil \ |
| odm_file_contexts \ |
| odm_file_contexts_test \ |
| odm_seapp_contexts \ |
| odm_property_contexts \ |
| odm_property_contexts_test \ |
| odm_hwservice_contexts \ |
| odm_hwservice_contexts_test \ |
| odm_mac_permissions.xml |
| endif |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY |
| LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil |
| endif |
| |
| ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY |
| LOCAL_REQUIRED_MODULES += \ |
| system_ext_mapping_file \ |
| $(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ |
| |
| endif |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR |
| LOCAL_REQUIRED_MODULES += \ |
| system_ext_file_contexts \ |
| system_ext_file_contexts_test \ |
| system_ext_hwservice_contexts \ |
| system_ext_hwservice_contexts_test \ |
| system_ext_property_contexts \ |
| system_ext_property_contexts_test \ |
| system_ext_seapp_contexts \ |
| system_ext_service_contexts \ |
| system_ext_service_contexts_test \ |
| system_ext_mac_permissions.xml \ |
| |
| endif |
| |
| ifdef HAS_PRODUCT_SEPOLICY |
| LOCAL_REQUIRED_MODULES += product_sepolicy.cil |
| endif |
| |
| ifdef HAS_PRODUCT_PUBLIC_SEPOLICY |
| LOCAL_REQUIRED_MODULES += \ |
| product_mapping_file \ |
| $(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ |
| |
| endif |
| |
| ifdef HAS_PRODUCT_SEPOLICY_DIR |
| LOCAL_REQUIRED_MODULES += \ |
| product_file_contexts \ |
| product_file_contexts_test \ |
| product_hwservice_contexts \ |
| product_hwservice_contexts_test \ |
| product_property_contexts \ |
| product_property_contexts_test \ |
| product_seapp_contexts \ |
| product_service_contexts \ |
| product_service_contexts_test \ |
| product_mac_permissions.xml \ |
| |
| endif |
| |
| LOCAL_REQUIRED_MODULES += \ |
| selinux_denial_metadata \ |
| |
| # Builds an addtional userdebug sepolicy into the debug ramdisk. |
| LOCAL_REQUIRED_MODULES += \ |
| userdebug_plat_sepolicy.cil \ |
| |
| include $(BUILD_PHONY_PACKAGE) |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := sepolicy_neverallows |
| LOCAL_MODULE_CLASS := FAKE |
| LOCAL_MODULE_TAGS := optional |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| # sepolicy_policy.conf - All of the policy for the device. This is only used to |
| # check neverallow rules. |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \ |
| $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ |
| $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ |
| $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) |
| sepolicy_policy.conf := $(intermediates)/policy.conf |
| $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user |
| $(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(sepolicy_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit |
| |
| # sepolicy_policy_2.conf - All of the policy for the device. This is only used to |
| # check neverallow rules using sepolicy-analyze, similar to CTS. |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \ |
| $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ |
| $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ |
| $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) |
| sepolicy_policy_2.conf := $(intermediates)/policy_2.conf |
| $(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user |
| $(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true |
| $(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(sepolicy_policy_2.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf) |
| $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf) |
| $(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \ |
| $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze |
| ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \ |
| $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1) |
| $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \ |
| ( echo "" 1>&2; \ |
| echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \ |
| echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \ |
| echo "the policy." 1>&2; \ |
| exit 1 ) |
| endif # ($(SELINUX_IGNORE_NEVERALLOWS),true) |
| $(hide) touch $@.tmp |
| $(hide) mv $@.tmp $@ |
| |
| sepolicy_policy.conf := |
| sepolicy_policy_2.conf := |
| built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE) |
| |
| ################################## |
| # reqd_policy_mask - a policy.conf file which contains only the bare minimum |
| # policy necessary to use checkpolicy. This bare-minimum policy needs to be |
| # present in all policy.conf files, but should not necessarily be exported as |
| # part of the public policy. The rules generated by reqd_policy_mask will allow |
| # the compilation of public policy and subsequent removal of CIL policy that |
| # should not be exported. |
| |
| policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY)) |
| reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf |
| $(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) |
| $(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(reqd_policy_mask.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| # b/37755687 |
| CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0 |
| |
| reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil |
| $(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy |
| @mkdir -p $(dir $@) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \ |
| $(POLICYVERS) -o $@ $< |
| |
| reqd_policy_mask.conf := |
| |
| ################################## |
| # pub_policy - policy that will be exported to be a part of non-platform |
| # policy corresponding to this platform version. This is a limited subset of |
| # policy that would not compile in checkpolicy on its own. To get around this |
| # limitation, add only the required files from private policy, which will |
| # generate CIL policy that will then be filtered out by the reqd_policy_mask. |
| # |
| # There are three pub_policy.cil files below: |
| # - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy. |
| # - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy. |
| # - plat_pub_policy.cil: exported 'system' policy. |
| # |
| # Those above files will in turn be used to generate the following versioned cil files: |
| # - product_mapping_file: the versioned, exported 'product' policy in product partition. |
| # - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition. |
| # - plat_mapping_file: the versioned, exported 'system' policy in system partition. |
| # - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' |
| # policy in vendor partition. |
| # |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) |
| pub_policy.conf := $(intermediates)/pub_policy.conf |
| $(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) |
| $(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(pub_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| pub_policy.cil := $(intermediates)/pub_policy.cil |
| $(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf) |
| $(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) |
| $(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ |
| $(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil) |
| @mkdir -p $(dir $@) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) |
| $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ |
| -f $(PRIVATE_REQD_MASK) -t $@ |
| |
| pub_policy.conf := |
| |
| ################################## |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) |
| system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf |
| $(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) |
| $(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(system_ext_pub_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| |
| system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil |
| $(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf) |
| $(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) |
| $(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ |
| $(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil) |
| @mkdir -p $(dir $@) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) |
| $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ |
| -f $(PRIVATE_REQD_MASK) -t $@ |
| |
| system_ext_pub_policy.conf := |
| |
| ################################## |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) |
| plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf |
| $(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) |
| $(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(plat_pub_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| |
| plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil |
| $(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf) |
| $(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) |
| $(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ |
| $(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil) |
| @mkdir -p $(dir $@) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) |
| $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ |
| -f $(PRIVATE_REQD_MASK) -t $@ |
| |
| plat_pub_policy.conf := |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := plat_sepolicy.cil |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| # plat_policy.conf - A combination of the private and public platform policy |
| # which will ship with the device. The platform will always reflect the most |
| # recent platform version and is not currently being attributized. |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) |
| plat_policy.conf := $(intermediates)/plat_policy.conf |
| $(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) |
| $(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(plat_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \ |
| $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) |
| $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) |
| $(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ |
| $(HOST_OUT_EXECUTABLES)/secilc \ |
| $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ |
| $(built_sepolicy_neverallows) |
| @mkdir -p $(dir $@) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ |
| $(POLICYVERS) -o $@.tmp $< |
| $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp |
| $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null |
| $(hide) mv $@.tmp $@ |
| |
| built_plat_cil := $(LOCAL_BUILT_MODULE) |
| plat_policy.conf := |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := userdebug_plat_sepolicy.cil |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT) |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| # userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) |
| userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf |
| $(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug |
| $(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(userdebug_plat_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \ |
| $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) |
| $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) |
| $(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ |
| $(HOST_OUT_EXECUTABLES)/secilc \ |
| $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ |
| $(built_sepolicy_neverallows) |
| @mkdir -p $(dir $@) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ |
| $(POLICYVERS) -o $@.tmp $< |
| $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp |
| $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null |
| $(hide) mv $@.tmp $@ |
| |
| userdebug_plat_policy.conf := |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY |
| LOCAL_MODULE := system_ext_sepolicy.cil |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| # system_ext_policy.conf - A combination of the private and public system_ext policy |
| # which will ship with the device. System_ext policy is not attributized. |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ |
| $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY)) |
| system_ext_policy.conf := $(intermediates)/system_ext_policy.conf |
| $(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) |
| $(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(system_ext_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| $(hide) sed '/dontaudit/d' $@ > $@.dontaudit |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) |
| $(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil) |
| $(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ |
| $(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) |
| @mkdir -p $(dir $@) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ |
| $(POLICYVERS) -o $@ $< |
| $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ |
| -f $(PRIVATE_PLAT_CIL) -t $@ |
| # Line markers (denoted by ;;) are malformed after above cmd. They are only |
| # used for debugging, so we remove them. |
| $(hide) grep -v ';;' $@ > $@.tmp |
| $(hide) mv $@.tmp $@ |
| # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the |
| # latter doesn't accidentally depend on vendor/odm policies. |
| $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \ |
| $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null |
| |
| |
| built_system_ext_cil := $(LOCAL_BUILT_MODULE) |
| system_ext_policy.conf := |
| endif # ifdef HAS_SYSTEM_EXT_SEPOLICY |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| ifdef HAS_PRODUCT_SEPOLICY |
| LOCAL_MODULE := product_sepolicy.cil |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| # product_policy.conf - A combination of the private and public product policy |
| # which will ship with the device. Product policy is not attributized. |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ |
| $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ |
| $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)) |
| product_policy.conf := $(intermediates)/product_policy.conf |
| $(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) |
| $(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(product_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| $(hide) sed '/dontaudit/d' $@ > $@.dontaudit |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) |
| $(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) |
| $(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ |
| $(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \ |
| $(built_plat_cil) $(built_system_ext_cil) |
| @mkdir -p $(dir $@) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ |
| $(POLICYVERS) -o $@ $< |
| $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ |
| -f $(PRIVATE_PLAT_CIL_FILES) -t $@ |
| # Line markers (denoted by ;;) are malformed after above cmd. They are only |
| # used for debugging, so we remove them. |
| $(hide) grep -v ';;' $@ > $@.tmp |
| $(hide) mv $@.tmp $@ |
| # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to |
| # make sure that the latter doesn't accidentally depend on vendor/odm policies. |
| $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \ |
| $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null |
| |
| |
| built_product_cil := $(LOCAL_BUILT_MODULE) |
| product_policy.conf := |
| endif # ifdef HAS_PRODUCT_SEPOLICY |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := plat_sepolicy_vers.txt |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_PROPRIETARY_MODULE := true |
| LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| $(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS) |
| $(LOCAL_BUILT_MODULE) : |
| mkdir -p $(dir $@) |
| echo $(PRIVATE_PLAT_SEPOL_VERS) > $@ |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := plat_mapping_file |
| LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| # auto-generate the mapping file for current platform policy, since it needs to |
| # track platform policy development |
| $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) |
| $(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy |
| @mkdir -p $(dir $@) |
| $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ |
| |
| built_plat_mapping_cil := $(LOCAL_BUILT_MODULE) |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY |
| LOCAL_MODULE := system_ext_mapping_file |
| LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) |
| $(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil) |
| $(LOCAL_BUILT_MODULE) : $(system_ext_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ |
| $(built_plat_mapping_cil) |
| @mkdir -p $(dir $@) |
| # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext' |
| # sepolicy minus plat_mapping_file. |
| $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ |
| $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ |
| -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@ |
| |
| built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE) |
| endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| ifdef HAS_PRODUCT_PUBLIC_SEPOLICY |
| LOCAL_MODULE := product_mapping_file |
| LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) |
| $(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) |
| $(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ |
| $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) |
| @mkdir -p $(dir $@) |
| # Generate product mapping file as mapping file of all public sepolicy minus |
| # plat_mapping_file and system_ext_mapping_file. |
| $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ |
| $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ |
| -f $(PRIVATE_FILTER_CIL_FILES) -t $@ |
| |
| built_product_mapping_cil := $(LOCAL_BUILT_MODULE) |
| endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| # plat_pub_versioned.cil - the exported platform policy associated with the version |
| # that non-platform policy targets. |
| LOCAL_MODULE := plat_pub_versioned.cil |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_PROPRIETARY_MODULE := true |
| LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) |
| $(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil) |
| $(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \ |
| $(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \ |
| $(built_product_mapping_cil) |
| $(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ |
| $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \ |
| $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) |
| @mkdir -p $(dir $@) |
| $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@ |
| $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \ |
| $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null |
| |
| built_pub_vers_cil := $(LOCAL_BUILT_MODULE) |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| # vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined |
| # with the platform-provided policy. It makes use of the reqd_policy_mask files from private |
| # policy and the platform public policy files in order to use checkpolicy. |
| LOCAL_MODULE := vendor_sepolicy.cil |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_PROPRIETARY_MODULE := true |
| LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \ |
| $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS)) |
| vendor_policy.conf := $(intermediates)/vendor_policy.conf |
| $(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) |
| $(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(vendor_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf) |
| $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) |
| $(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil) |
| $(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) |
| $(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \ |
| $(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \ |
| $(built_system_ext_mapping_cil) $(built_product_mapping_cil) |
| $(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil) |
| $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ |
| $(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \ |
| $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \ |
| $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \ |
| $(built_product_mapping_cil) |
| @mkdir -p $(dir $@) |
| $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ |
| -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ |
| -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \ |
| -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ |
| |
| built_vendor_cil := $(LOCAL_BUILT_MODULE) |
| vendor_policy.conf := |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| ifdef BOARD_ODM_SEPOLICY_DIRS |
| # odm_policy.cil - the odm sepolicy. This needs attributization and to be combined |
| # with the platform-provided policy. It makes use of the reqd_policy_mask files from private |
| # policy and the platform public policy files in order to use checkpolicy. |
| LOCAL_MODULE := odm_sepolicy.cil |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_PROPRIETARY_MODULE := true |
| LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \ |
| $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) |
| odm_policy.conf := $(intermediates)/odm_policy.conf |
| $(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) |
| $(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) |
| $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(odm_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf) |
| $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) |
| $(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil) |
| $(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) |
| $(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \ |
| $(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \ |
| $(built_system_ext_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil) |
| $(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil) |
| $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ |
| $(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \ |
| $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) $(built_pub_vers_cil) \ |
| $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) \ |
| $(built_vendor_cil) |
| @mkdir -p $(dir $@) |
| $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ |
| -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ |
| -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \ |
| -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ |
| |
| built_odm_cil := $(LOCAL_BUILT_MODULE) |
| odm_policy.conf := |
| odm_policy_raw := |
| endif |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := precompiled_sepolicy |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_PROPRIETARY_MODULE := true |
| |
| ifeq ($(BOARD_USES_ODMIMAGE),true) |
| LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux |
| else |
| LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux |
| endif |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| all_cil_files := \ |
| $(built_plat_cil) \ |
| $(built_plat_mapping_cil) \ |
| $(built_pub_vers_cil) \ |
| $(built_vendor_cil) |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY |
| all_cil_files += $(built_system_ext_cil) |
| endif |
| |
| ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY |
| all_cil_files += $(built_system_ext_mapping_cil) |
| endif |
| |
| ifdef HAS_PRODUCT_SEPOLICY |
| all_cil_files += $(built_product_cil) |
| endif |
| |
| ifdef HAS_PRODUCT_PUBLIC_SEPOLICY |
| all_cil_files += $(built_product_mapping_cil) |
| endif |
| |
| ifdef BOARD_ODM_SEPOLICY_DIRS |
| all_cil_files += $(built_odm_cil) |
| endif |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files) |
| $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) |
| $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows) |
| $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \ |
| $(PRIVATE_CIL_FILES) -o $@ -f /dev/null |
| |
| built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE) |
| all_cil_files := |
| |
| ################################# |
| # Precompiled sepolicy is loaded if and only if: |
| # - plat_sepolicy_and_mapping.sha256 equals |
| # precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 |
| # AND |
| # - system_ext_sepolicy_and_mapping.sha256 equals |
| # precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 |
| # AND |
| # - product_sepolicy_and_mapping.sha256 equals |
| # precompiled_sepolicy.product_sepolicy_and_mapping.sha256 |
| # See system/core/init/selinux.cpp for details. |
| ################################# |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := plat_sepolicy_and_mapping.sha256 |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| $(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil) |
| cat $^ | sha256sum | cut -d' ' -f1 > $@ |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256 |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| $(LOCAL_BUILT_MODULE): $(built_system_ext_cil) $(built_system_ext_mapping_cil) |
| cat $^ | sha256sum | cut -d' ' -f1 > $@ |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := product_sepolicy_and_mapping.sha256 |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| $(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil) |
| cat $^ | sha256sum | cut -d' ' -f1 > $@ |
| |
| ################################# |
| # SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against |
| # which precompiled_policy was built. |
| ################################# |
| include $(CLEAR_VARS) |
| LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| |
| ifeq ($(BOARD_USES_ODMIMAGE),true) |
| LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux |
| else |
| LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux |
| endif |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil) |
| $(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil) |
| cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ |
| |
| ################################# |
| # SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against |
| # which precompiled_policy was built. |
| ################################# |
| include $(CLEAR_VARS) |
| LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| |
| ifeq ($(BOARD_USES_ODMIMAGE),true) |
| LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux |
| else |
| LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux |
| endif |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_system_ext_cil) $(built_system_ext_mapping_cil) |
| $(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_system_ext_cil) $(built_system_ext_mapping_cil) |
| cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ |
| |
| ################################# |
| # SHA-256 digest of the product_sepolicy.cil and product_mapping_file against |
| # which precompiled_policy was built. |
| ################################# |
| include $(CLEAR_VARS) |
| LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256 |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| |
| ifeq ($(BOARD_USES_ODMIMAGE),true) |
| LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux |
| else |
| LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux |
| endif |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil) |
| $(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil) |
| cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ |
| |
| ################################# |
| include $(CLEAR_VARS) |
| # build this target so that we can still perform neverallow checks |
| |
| LOCAL_MODULE := sepolicy |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| all_cil_files := \ |
| $(built_plat_cil) \ |
| $(built_plat_mapping_cil) \ |
| $(built_pub_vers_cil) \ |
| $(built_vendor_cil) |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY |
| all_cil_files += $(built_system_ext_cil) |
| endif |
| |
| ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY |
| all_cil_files += $(built_system_ext_mapping_cil) |
| endif |
| |
| ifdef HAS_PRODUCT_SEPOLICY |
| all_cil_files += $(built_product_cil) |
| endif |
| |
| ifdef HAS_PRODUCT_PUBLIC_SEPOLICY |
| all_cil_files += $(built_product_mapping_cil) |
| endif |
| |
| ifdef BOARD_ODM_SEPOLICY_DIRS |
| all_cil_files += $(built_odm_cil) |
| endif |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files) |
| $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) |
| $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \ |
| $(built_sepolicy_neverallows) |
| @mkdir -p $(dir $@) |
| $(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null |
| $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains |
| $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ |
| echo "==========" 1>&2; \ |
| echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ |
| echo "List of invalid domains:" 1>&2; \ |
| cat $@.permissivedomains 1>&2; \ |
| exit 1; \ |
| fi |
| $(hide) mv $@.tmp $@ |
| |
| built_sepolicy := $(LOCAL_BUILT_MODULE) |
| all_cil_files := |
| |
| ################################# |
| include $(CLEAR_VARS) |
| |
| # keep concrete sepolicy for neverallow checks |
| # If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling. |
| |
| LOCAL_MODULE := sepolicy.recovery |
| LOCAL_MODULE_STEM := sepolicy |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ |
| $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ |
| $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ |
| $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \ |
| $(BOARD_ODM_SEPOLICY_DIRS)) |
| sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf |
| $(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) |
| $(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) |
| $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true |
| $(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(sepolicy.recovery.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit |
| |
| ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) |
| $(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow |
| $(hide) mv $@.neverallow $@ |
| endif |
| |
| $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ |
| $(HOST_OUT_EXECUTABLES)/sepolicy-analyze |
| @mkdir -p $(dir $@) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \ |
| $(POLICYVERS) -o $@.tmp $< |
| $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains |
| $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ |
| echo "==========" 1>&2; \ |
| echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ |
| echo "List of invalid domains:" 1>&2; \ |
| cat $@.permissivedomains 1>&2; \ |
| exit 1; \ |
| fi |
| $(hide) mv $@.tmp $@ |
| |
| sepolicy.recovery.conf := |
| |
| ################################## |
| # SELinux policy embedded into CTS. |
| # CTS checks neverallow rules of this policy against the policy of the device under test. |
| ################################## |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := general_sepolicy.conf |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := tests |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) |
| $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user |
| $(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false |
| $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts |
| $(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts |
| $(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts |
| $(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true |
| $(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files) |
| $(LOCAL_BUILT_MODULE): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit |
| |
| ################################## |
| # TODO - remove this. Keep around until we get the filesystem creation stuff taken care of. |
| # |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := file_contexts.bin |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| # The file_contexts.bin is built in the following way: |
| # 1. Collect all file_contexts files in THIS repository and process them with |
| # m4 into a tmp file called file_contexts.local.tmp. |
| # 2. Collect all device specific file_contexts files and process them with m4 |
| # into a tmp file called file_contexts.device.tmp. |
| # 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on |
| # file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. |
| # 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into |
| # file_contexts.concat.tmp. |
| # 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce |
| # file_contexts.bin. |
| # |
| # Note: That a newline file is placed between each file_context file found to |
| # ensure a proper build when an fc file is missing an ending newline. |
| |
| local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY)) |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR |
| local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY)) |
| endif |
| |
| ifdef HAS_PRODUCT_SEPOLICY_DIR |
| local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY)) |
| endif |
| |
| ifneq ($(filter address,$(SANITIZE_TARGET)),) |
| local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY))) |
| endif |
| ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) |
| local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY))) |
| endif |
| |
| # Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed |
| $(foreach _tuple,$(APEX_FILE_CONTEXTS_INFOS),\ |
| $(eval _apex_name := $(call word-colon,1,$(_tuple)))\ |
| $(eval _apex_path := $(call word-colon,2,$(_tuple)))\ |
| $(eval _fc_path := $(call word-colon,3,$(_tuple)))\ |
| $(eval _input := $(_fc_path))\ |
| $(eval _output := $(intermediates)/$(_apex_name)-flattened)\ |
| $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_path),$(_output),local_fc_files))\ |
| ) |
| |
| file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp |
| $(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files) |
| $(file_contexts.local.tmp): $(local_fc_files) $(M4) |
| @mkdir -p $(dir $@) |
| $(hide) $(M4) --fatal-warnings -s $(PRIVATE_FC_FILES) > $@ |
| |
| device_fc_files := $(call build_vendor_policy, file_contexts) |
| |
| ifdef BOARD_ODM_SEPOLICY_DIRS |
| device_fc_files += $(call build_odm_policy, file_contexts) |
| endif |
| |
| file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp |
| $(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files) |
| $(file_contexts.device.tmp): $(device_fc_files) $(M4) |
| @mkdir -p $(dir $@) |
| $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@ |
| |
| file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp |
| $(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy) |
| $(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \ |
| $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc |
| @mkdir -p $(dir $@) |
| $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $< |
| $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@ |
| |
| file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp |
| $(file_contexts.concat.tmp): PRIVATE_CONTEXTS := $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) |
| $(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) $(M4) |
| @mkdir -p $(dir $@) |
| $(hide) $(M4) --fatal-warnings -s $(PRIVATE_CONTEXTS) > $@ |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) |
| $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc |
| @mkdir -p $(dir $@) |
| $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< |
| $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< |
| |
| built_fc := $(LOCAL_BUILT_MODULE) |
| local_fc_files := |
| local_fcfiles_with_nl := |
| device_fc_files := |
| device_fcfiles_with_nl := |
| file_contexts.concat.tmp := |
| file_contexts.device.sorted.tmp := |
| file_contexts.device.tmp := |
| file_contexts.local.tmp := |
| |
| ################################## |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := selinux_denial_metadata |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY)) |
| |
| $(LOCAL_BUILT_MODULE) : $(bug_files) |
| @mkdir -p $(dir $@) |
| cat $^ > $@ |
| |
| bug_files := |
| |
| ################################## |
| include $(LOCAL_PATH)/seapp_contexts.mk |
| |
| ################################## |
| include $(LOCAL_PATH)/contexts_tests.mk |
| |
| ################################## |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := vndservice_contexts |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) |
| |
| vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp |
| $(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles) |
| $(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4) |
| @mkdir -p $(dir $@) |
| $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) |
| $(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) |
| @mkdir -p $(dir $@) |
| sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ |
| $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@ |
| |
| vnd_svcfiles := |
| vndservice_contexts.tmp := |
| |
| ################################## |
| include $(LOCAL_PATH)/mac_permissions.mk |
| |
| ################################# |
| include $(CLEAR_VARS) |
| LOCAL_MODULE := sepolicy_tests |
| LOCAL_MODULE_CLASS := FAKE |
| LOCAL_MODULE_TAGS := optional |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts |
| all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts |
| ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR |
| all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts |
| endif |
| ifdef HAS_PRODUCT_SEPOLICY_DIR |
| all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts |
| endif |
| ifdef BOARD_ODM_SEPOLICY_DIRS |
| all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts |
| endif |
| all_fc_args := $(foreach file, $(all_fc_files), -f $(file)) |
| |
| $(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args) |
| $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) |
| $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy) |
| @mkdir -p $(dir $@) |
| $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \ |
| $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY) |
| $(hide) touch $@ |
| |
| ################################## |
| intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,) |
| |
| # plat_sepolicy - the current platform policy only, built into a policy binary. |
| # TODO - this currently excludes partner extensions, but support should be added |
| # to enable partners to add their own compatibility mapping |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) |
| base_plat_policy.conf := $(intermediates)/base_plat_policy.conf |
| $(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user |
| $(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true |
| $(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(base_plat_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit |
| |
| built_plat_sepolicy := $(intermediates)/built_plat_sepolicy |
| $(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \ |
| $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) |
| $(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) |
| $(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ |
| $(HOST_OUT_EXECUTABLES)/secilc \ |
| $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ |
| $(built_sepolicy_neverallows) |
| @mkdir -p $(dir $@) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ |
| $(POLICYVERS) -o $@ $< |
| $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@ |
| $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null |
| |
| policy_files := $(call build_policy, $(sepolicy_build_files), \ |
| $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) |
| base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf |
| $(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) |
| $(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) |
| $(base_plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user |
| $(base_plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) |
| $(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) |
| $(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true |
| $(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) |
| $(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) |
| $(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) |
| $(base_plat_pub_policy.conf): $(policy_files) $(M4) |
| $(transform-policy-to-conf) |
| |
| base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil |
| $(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf) |
| $(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) |
| $(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \ |
| $(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil) |
| @mkdir -p $(dir $@) |
| $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF) |
| $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \ |
| -f $(PRIVATE_REQD_MASK) -t $@ |
| |
| ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) |
| # Tests for Treble compatibility of current platform policy and vendor policy of |
| # given release version. |
| version_under_treble_tests := 26.0 |
| include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk |
| version_under_treble_tests := 27.0 |
| include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk |
| version_under_treble_tests := 28.0 |
| include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk |
| version_under_treble_tests := 29.0 |
| include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk |
| endif # PRODUCT_SEPOLICY_SPLIT |
| |
| version_under_treble_tests := 26.0 |
| include $(LOCAL_PATH)/compat.mk |
| version_under_treble_tests := 27.0 |
| include $(LOCAL_PATH)/compat.mk |
| version_under_treble_tests := 28.0 |
| include $(LOCAL_PATH)/compat.mk |
| version_under_treble_tests := 29.0 |
| include $(LOCAL_PATH)/compat.mk |
| |
| base_plat_policy.conf := |
| base_plat_pub_policy.conf := |
| plat_sepolicy := |
| all_fc_files := |
| all_fc_args := |
| |
| ################################# |
| include $(CLEAR_VARS) |
| LOCAL_MODULE := sepolicy_freeze_test |
| LOCAL_MODULE_CLASS := FAKE |
| LOCAL_MODULE_TAGS := optional |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| base_plat_public := $(LOCAL_PATH)/public |
| base_plat_private := $(LOCAL_PATH)/private |
| base_plat_public_prebuilt := \ |
| $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public |
| base_plat_private_prebuilt := \ |
| $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private |
| |
| all_frozen_files := $(call build_policy,$(sepolicy_build_files), \ |
| $(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt)) |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public) |
| $(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private) |
| $(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt) |
| $(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt) |
| $(LOCAL_BUILT_MODULE): $(all_frozen_files) |
| ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) |
| @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC) |
| @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE) |
| endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) |
| $(hide) touch $@ |
| |
| base_plat_public := |
| base_plat_private := |
| base_plat_public_prebuilt := |
| base_plat_private_prebuilt := |
| all_frozen_files := |
| |
| ################################# |
| |
| |
| build_vendor_policy := |
| build_odm_policy := |
| build_policy := |
| built_plat_cil := |
| built_system_ext_cil := |
| built_product_cil := |
| built_pub_vers_cil := |
| built_plat_mapping_cil := |
| built_system_ext_mapping_cil := |
| built_product_mapping_cil := |
| built_vendor_cil := |
| built_odm_cil := |
| built_precompiled_sepolicy := |
| built_sepolicy := |
| built_sepolicy_neverallows := |
| built_plat_svc := |
| built_vendor_svc := |
| built_plat_sepolicy := |
| treble_sysprop_neverallow := |
| mapping_policy := |
| my_target_arch := |
| pub_policy.cil := |
| system_ext_pub_policy.cil := |
| plat_pub_policy.cil := |
| reqd_policy_mask.cil := |
| sepolicy_build_files := |
| sepolicy_build_cil_workaround_files := |
| with_asan := |
| |
| include $(call all-makefiles-under,$(LOCAL_PATH)) |