security/samsung/defex_lsm/Makefile - LeafOS-Devices/android_kernel_samsung_universal7904 - Gitiles

 #
 # Makefile for the Defex
 #

 # Features to Enable
 PED_ENABLE=true
 SAFEPLACE_ENABLE=true
 IMMUTABLE_ENABLE=true
 LP_ENABLE=true
 UMH_RESTRICTION_ENABLE=true

 ifneq ($(wildcard $(srctree)/include/crypto/internal/rsa.h),)
     $(warning [DEFEX] INTEGRITY_ENABLE)
     INTEGRITY_ENABLE=true
 endif

 # caches to enable
 CACHES_ENABLE=true

 # OEM Unlock dependency
 OEM_UNLOCK_DEPENDENCY=true

 # use the ramdisk or system_root to store rules file
 RAMDISK_ENABLE=true

 # do signing for rules
 SIGN_ENABLE=true

 obj-y := core/defex_common.o
 obj-y += core/defex_lsm.o
 obj-y += core/defex_main.o
 obj-y += core/defex_get_mode.o
 obj-y += core/defex_sysfs.o
 obj-y += catch_engine/defex_catch_list.o
 obj-y += catch_engine/defex_ht.o
 obj-y += defex_rules.o
 obj-$(CONFIG_COMPAT) += catch_engine/defex_catch_list_compat.o

 # Immutable Feature is applied with permissive mode first.
 DEFEX_DEFINES := -DDEFEX_PERMISSIVE_IM

 ifeq ($(CONFIG_DEFEX_KERNEL_ONLY), y)
     DEFEX_DEFINES += -DDEFEX_KERNEL_ONLY
     ifeq ($(CONFIG_SAMSUNG_PRODUCT_SHIP), y)
         $(warning [DEFEX] Kernel_only & Ship)
     else
         $(warning [DEFEX] Kernel_only & Noship)
         DEFEX_DEFINES += -DDEFEX_PERMISSIVE_SP
         DEFEX_DEFINES += -DDEFEX_PERMISSIVE_IM
         DEFEX_DEFINES += -DDEFEX_PERMISSIVE_LP
         DEFEX_DEFINES += -DDEFEX_DEBUG_ENABLE
     endif
 endif

 ifeq ($(CONFIG_SEC_FACTORY), y)
     DEFEX_DEFINES += -DDEFEX_FACTORY_ENABLE
 endif

 ifeq ($(CONFIG_KUNIT), y)
     DEFEX_DEFINES += -DDEFEX_KUNIT_ENABLED
 else
     DEFEX_DEFINES += -D__visible_for_testing=static
 endif

 ifeq ($(PED_ENABLE), true)
     obj-y += feature_privilege_escalation_detection/defex_priv.o
     DEFEX_DEFINES += -DDEFEX_PED_ENABLE
 endif

 ifeq ($(SAFEPLACE_ENABLE), true)
     obj-y += feature_safeplace/defex_safeplace.o
     DEFEX_DEFINES += -DDEFEX_SAFEPLACE_ENABLE
 endif

 ifeq ($(INTEGRITY_ENABLE), true)
     DEFEX_DEFINES += -DDEFEX_INTEGRITY_ENABLE
 endif

 ifeq ($(IMMUTABLE_ENABLE), true)
     obj-y += feature_immutable/defex_immutable.o
     DEFEX_DEFINES += -DDEFEX_IMMUTABLE_ENABLE
 endif

 ifeq ($(LP_ENABLE), true)
     DEFEX_DEFINES += -DDEFEX_LP_ENABLE
 endif

 ifeq ($(UMH_RESTRICTION_ENABLE), true)
     DEFEX_DEFINES += -DDEFEX_UMH_RESTRICTION_ENABLE
 endif

 ifeq ($(CACHES_ENABLE), true)
     obj-y += catch_engine/defex_caches.o
     DEFEX_DEFINES += -DDEFEX_CACHES_ENABLE
 endif

 ifeq ($(OEM_UNLOCK_DEPENDENCY), true)
     DEFEX_DEFINES += -DDEFEX_DEPENDING_ON_OEMUNLOCK
 endif

 ifeq ($(RAMDISK_ENABLE), true)
     DEFEX_DEFINES += -DDEFEX_RAMDISK_ENABLE
 ifeq ($(SIGN_ENABLE), true)
     obj-y += cert/defex_cert.o
     obj-y += cert/defex_sign.o
     DEFEX_DEFINES += -DDEFEX_SIGN_ENABLE
 endif
 endif

 ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
     obj-y += debug/defex_debug.o
     DEFEX_DEFINES += -DDEFEX_PERMISSIVE_SP
     DEFEX_DEFINES += -DDEFEX_PERMISSIVE_IM
     DEFEX_DEFINES += -DDEFEX_PERMISSIVE_LP
     DEFEX_DEFINES += -DDEFEX_DEBUG_ENABLE
     DEFEX_DEFINES += -DDEFEX_SYSFS_ENABLE
 else
     ifeq ($(CONFIG_SECURITY_DSMS), y)
         DEFEX_DEFINES += -DDEFEX_DSMS_ENABLE
     endif
 endif

 ccflags-y := -Wformat

 EXTRA_CFLAGS += -I$(srctree)/$(src)
 EXTRA_AFLAGS += -Isecurity/samsung/defex_lsm
 EXTRA_CFLAGS += -I$(srctree)/$(src)/cert
 EXTRA_AFLAGS += -Isecurity/samsung/defex_lsm/cert

 ifneq ($(wildcard  $(srctree)/$(src)/pack_rules.c),)
     DEFEX_DEFINES += -DDEFEX_USE_PACKED_RULES
     EXTRA_CFLAGS += $(DEFEX_DEFINES)
     EXTRA_AFLAGS += $(DEFEX_DEFINES)
     hostprogs-y := pack_rules
     HOST_EXTRACFLAGS += $(DEFEX_DEFINES)
     clean-files := $(srctree)/$(src)/defex_packed_rules.inc
     DEPEND_LIST := $(obj)/pack_rules

     quiet_cmd_copy = COPY    $(obj)/pack_rules
           cmd_copy = cp -n $(obj)/pack_rules $(srctree)/$(src)/pack_rules 2>/dev/null || true

     quiet_cmd_pack = PACK    $<
           cmd_pack = $(obj)/pack_rules -p $< $@ $(srctree)/$(src)/defex_packed_rules.bin

     quiet_cmd_mkey = MAKEKEY $<
           cmd_mkey = cp -n $< $@ 2>/dev/null || true

     $(obj)/core/defex_sysfs.o: $(obj)/pack_rules $(srctree)/$(src)/defex_packed_rules.inc

     $(obj)/cert/defex_cert.o: $(obj)/cert/pubkey_eng.der $(obj)/cert/pubkey_user.der

     $(obj)/cert/pubkey_eng.der: $(srctree)/$(src)/cert/x509_five_eng.der
 	$(call cmd,mkey)

     $(obj)/cert/pubkey_user.der: $(srctree)/$(src)/cert/x509_five_user.der
 	$(call cmd,mkey)

     SOURCE_RULES := $(srctree)/$(src)/defex_rules.c
     ifneq ($(wildcard $(srctree)/$(src)/file_list),)
         $(warning '[DEFEX] file_list found')
         SOURCE_RULES := $(srctree)/$(src)/defex_rules_reduced.c
         DEPEND_LIST += $(SOURCE_RULES)
         DEPEND_LIST += $(srctree)/$(src)/file_list
         clean-files += $(DEPEND_LIST)

         quiet_cmd_reduce = REDUCE  $<
               cmd_reduce = $(obj)/pack_rules -r $< $@ $(srctree)/$(src)/file_list

         $(srctree)/$(src)/defex_rules_reduced.c: $(srctree)/$(src)/defex_rules.c $(obj)/pack_rules
 		$(call cmd,reduce)
     endif

     $(srctree)/$(src)/defex_packed_rules.inc: $(SOURCE_RULES) $(DEPEND_LIST)
 	$(call cmd,pack)
 	$(call cmd,copy)

 else
     EXTRA_CFLAGS += $(DEFEX_DEFINES)
     EXTRA_AFLAGS += $(DEFEX_DEFINES)
 endif
	#
	# Makefile for the Defex
	#

	# Features to Enable
	PED_ENABLE=true
	SAFEPLACE_ENABLE=true
	IMMUTABLE_ENABLE=true
	LP_ENABLE=true
	UMH_RESTRICTION_ENABLE=true

	ifneq ($(wildcard $(srctree)/include/crypto/internal/rsa.h),)
	$(warning [DEFEX] INTEGRITY_ENABLE)
	INTEGRITY_ENABLE=true
	endif

	# caches to enable
	CACHES_ENABLE=true

	# OEM Unlock dependency
	OEM_UNLOCK_DEPENDENCY=true

	# use the ramdisk or system_root to store rules file
	RAMDISK_ENABLE=true

	# do signing for rules
	SIGN_ENABLE=true

	obj-y := core/defex_common.o
	obj-y += core/defex_lsm.o
	obj-y += core/defex_main.o
	obj-y += core/defex_get_mode.o
	obj-y += core/defex_sysfs.o
	obj-y += catch_engine/defex_catch_list.o
	obj-y += catch_engine/defex_ht.o
	obj-y += defex_rules.o
	obj-$(CONFIG_COMPAT) += catch_engine/defex_catch_list_compat.o

	# Immutable Feature is applied with permissive mode first.
	DEFEX_DEFINES := -DDEFEX_PERMISSIVE_IM

	ifeq ($(CONFIG_DEFEX_KERNEL_ONLY), y)
	DEFEX_DEFINES += -DDEFEX_KERNEL_ONLY
	ifeq ($(CONFIG_SAMSUNG_PRODUCT_SHIP), y)
	$(warning [DEFEX] Kernel_only & Ship)
	else
	$(warning [DEFEX] Kernel_only & Noship)
	DEFEX_DEFINES += -DDEFEX_PERMISSIVE_SP
	DEFEX_DEFINES += -DDEFEX_PERMISSIVE_IM
	DEFEX_DEFINES += -DDEFEX_PERMISSIVE_LP
	DEFEX_DEFINES += -DDEFEX_DEBUG_ENABLE
	endif
	endif

	ifeq ($(CONFIG_SEC_FACTORY), y)
	DEFEX_DEFINES += -DDEFEX_FACTORY_ENABLE
	endif

	ifeq ($(CONFIG_KUNIT), y)
	DEFEX_DEFINES += -DDEFEX_KUNIT_ENABLED
	else
	DEFEX_DEFINES += -D__visible_for_testing=static
	endif

	ifeq ($(PED_ENABLE), true)
	obj-y += feature_privilege_escalation_detection/defex_priv.o
	DEFEX_DEFINES += -DDEFEX_PED_ENABLE
	endif

	ifeq ($(SAFEPLACE_ENABLE), true)
	obj-y += feature_safeplace/defex_safeplace.o
	DEFEX_DEFINES += -DDEFEX_SAFEPLACE_ENABLE
	endif

	ifeq ($(INTEGRITY_ENABLE), true)
	DEFEX_DEFINES += -DDEFEX_INTEGRITY_ENABLE
	endif

	ifeq ($(IMMUTABLE_ENABLE), true)
	obj-y += feature_immutable/defex_immutable.o
	DEFEX_DEFINES += -DDEFEX_IMMUTABLE_ENABLE
	endif

	ifeq ($(LP_ENABLE), true)
	DEFEX_DEFINES += -DDEFEX_LP_ENABLE
	endif

	ifeq ($(UMH_RESTRICTION_ENABLE), true)
	DEFEX_DEFINES += -DDEFEX_UMH_RESTRICTION_ENABLE
	endif

	ifeq ($(CACHES_ENABLE), true)
	obj-y += catch_engine/defex_caches.o
	DEFEX_DEFINES += -DDEFEX_CACHES_ENABLE
	endif

	ifeq ($(OEM_UNLOCK_DEPENDENCY), true)
	DEFEX_DEFINES += -DDEFEX_DEPENDING_ON_OEMUNLOCK
	endif

	ifeq ($(RAMDISK_ENABLE), true)
	DEFEX_DEFINES += -DDEFEX_RAMDISK_ENABLE
	ifeq ($(SIGN_ENABLE), true)
	obj-y += cert/defex_cert.o
	obj-y += cert/defex_sign.o
	DEFEX_DEFINES += -DDEFEX_SIGN_ENABLE
	endif
	endif

	ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
	obj-y += debug/defex_debug.o
	DEFEX_DEFINES += -DDEFEX_PERMISSIVE_SP
	DEFEX_DEFINES += -DDEFEX_PERMISSIVE_IM
	DEFEX_DEFINES += -DDEFEX_PERMISSIVE_LP
	DEFEX_DEFINES += -DDEFEX_DEBUG_ENABLE
	DEFEX_DEFINES += -DDEFEX_SYSFS_ENABLE
	else
	ifeq ($(CONFIG_SECURITY_DSMS), y)
	DEFEX_DEFINES += -DDEFEX_DSMS_ENABLE
	endif
	endif

	ccflags-y := -Wformat

	EXTRA_CFLAGS += -I$(srctree)/$(src)
	EXTRA_AFLAGS += -Isecurity/samsung/defex_lsm
	EXTRA_CFLAGS += -I$(srctree)/$(src)/cert
	EXTRA_AFLAGS += -Isecurity/samsung/defex_lsm/cert

	ifneq ($(wildcard $(srctree)/$(src)/pack_rules.c),)
	DEFEX_DEFINES += -DDEFEX_USE_PACKED_RULES
	EXTRA_CFLAGS += $(DEFEX_DEFINES)
	EXTRA_AFLAGS += $(DEFEX_DEFINES)
	hostprogs-y := pack_rules
	HOST_EXTRACFLAGS += $(DEFEX_DEFINES)
	clean-files := $(srctree)/$(src)/defex_packed_rules.inc
	DEPEND_LIST := $(obj)/pack_rules

	quiet_cmd_copy = COPY $(obj)/pack_rules
	cmd_copy = cp -n $(obj)/pack_rules $(srctree)/$(src)/pack_rules 2>/dev/null \|\| true

	quiet_cmd_pack = PACK $<
	cmd_pack = $(obj)/pack_rules -p $< $@ $(srctree)/$(src)/defex_packed_rules.bin

	quiet_cmd_mkey = MAKEKEY $<
	cmd_mkey = cp -n $< $@ 2>/dev/null \|\| true

	$(obj)/core/defex_sysfs.o: $(obj)/pack_rules $(srctree)/$(src)/defex_packed_rules.inc

	$(obj)/cert/defex_cert.o: $(obj)/cert/pubkey_eng.der $(obj)/cert/pubkey_user.der

	$(obj)/cert/pubkey_eng.der: $(srctree)/$(src)/cert/x509_five_eng.der
	$(call cmd,mkey)

	$(obj)/cert/pubkey_user.der: $(srctree)/$(src)/cert/x509_five_user.der
	$(call cmd,mkey)

	SOURCE_RULES := $(srctree)/$(src)/defex_rules.c
	ifneq ($(wildcard $(srctree)/$(src)/file_list),)
	$(warning '[DEFEX] file_list found')
	SOURCE_RULES := $(srctree)/$(src)/defex_rules_reduced.c
	DEPEND_LIST += $(SOURCE_RULES)
	DEPEND_LIST += $(srctree)/$(src)/file_list
	clean-files += $(DEPEND_LIST)

	quiet_cmd_reduce = REDUCE $<
	cmd_reduce = $(obj)/pack_rules -r $< $@ $(srctree)/$(src)/file_list

	$(srctree)/$(src)/defex_rules_reduced.c: $(srctree)/$(src)/defex_rules.c $(obj)/pack_rules
	$(call cmd,reduce)
	endif

	$(srctree)/$(src)/defex_packed_rules.inc: $(SOURCE_RULES) $(DEPEND_LIST)
	$(call cmd,pack)
	$(call cmd,copy)

	else
	EXTRA_CFLAGS += $(DEFEX_DEFINES)
	EXTRA_AFLAGS += $(DEFEX_DEFINES)
	endif