| // Copyright (C) 2018 The Android Open Source Project |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| package { |
| default_applicable_licenses: ["system_sepolicy_license"], |
| } |
| |
| // Added automatically by a large-scale-change that took the approach of |
| // 'apply every license found to every target'. While this makes sure we respect |
| // every license restriction, it may not be entirely correct. |
| // |
| // e.g. GPL in an MIT project might only apply to the contrib/ directory. |
| // |
| // Please consider splitting the single license below into multiple licenses, |
| // taking care not to lose any license_kind information, and overriding the |
| // default license using the 'licenses: [...]' property on targets as needed. |
| // |
| // For unused files, consider creating a 'filegroup' with "//visibility:private" |
| // to attach the license to, and including a comment whether the files may be |
| // used in the current project. |
| // http://go/android-license-faq |
| license { |
| name: "system_sepolicy_license", |
| visibility: [":__subpackages__"], |
| license_kinds: [ |
| "SPDX-license-identifier-Apache-2.0", |
| "legacy_unencumbered", |
| ], |
| license_text: [ |
| "NOTICE", |
| ], |
| } |
| |
| cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], } |
| |
| // For vts_treble_sys_prop_test |
| filegroup { |
| name: "private_property_contexts", |
| srcs: ["private/property_contexts"], |
| visibility: [ |
| "//test/vts-testcase/security/system_property", |
| ], |
| } |
| |
| se_build_files { |
| name: "se_build_files", |
| srcs: [ |
| "security_classes", |
| "initial_sids", |
| "access_vectors", |
| "global_macros", |
| "neverallow_macros", |
| "mls_macros", |
| "mls_decl", |
| "mls", |
| "policy_capabilities", |
| "te_macros", |
| "attributes", |
| "ioctl_defines", |
| "ioctl_macros", |
| "*.te", |
| "roles_decl", |
| "roles", |
| "users", |
| "initial_sid_contexts", |
| "fs_use", |
| "genfs_contexts", |
| "port_contexts", |
| ], |
| } |
| |
| se_build_files { |
| name: "sepolicy_technical_debt", |
| srcs: ["technical_debt.cil"], |
| } |
| |
| reqd_mask_policy = [":se_build_files{.reqd_mask}"] |
| plat_public_policy = [":se_build_files{.plat_public}"] |
| plat_private_policy = [":se_build_files{.plat_private}"] |
| system_ext_public_policy = [":se_build_files{.system_ext_public}"] |
| system_ext_private_policy = [":se_build_files{.system_ext_private}"] |
| product_public_policy = [":se_build_files{.product_public}"] |
| product_private_policy = [":se_build_files{.product_private}"] |
| |
| // reqd_policy_mask - a policy.conf file which contains only the bare minimum |
| // policy necessary to use checkpolicy. |
| // |
| // This bare-minimum policy needs to be present in all policy.conf files, but |
| // should not necessarily be exported as part of the public policy. |
| // |
| // The rules generated by reqd_policy_mask will allow the compilation of public |
| // policy and subsequent removal of CIL policy that should not be exported. |
| se_policy_conf { |
| name: "reqd_policy_mask.conf", |
| srcs: reqd_mask_policy, |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "reqd_policy_mask.cil", |
| src: ":reqd_policy_mask.conf", |
| secilc_check: false, |
| installable: false, |
| } |
| |
| // pub_policy - policy that will be exported to be a part of non-platform |
| // policy corresponding to this platform version. |
| // |
| // This is a limited subset of policy that would not compile in checkpolicy on |
| // its own. |
| // |
| // To get around this limitation, add only the required files from private |
| // policy, which will generate CIL policy that will then be filtered out by the |
| // reqd_policy_mask. |
| // |
| // There are three pub_policy.cil files below: |
| // - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy. |
| // - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy. |
| // - plat_pub_policy.cil: exported 'system' policy. |
| // |
| // Those above files will in turn be used to generate the following versioned cil files: |
| // - product_mapping_file: the versioned, exported 'product' policy in product partition. |
| // - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition. |
| // - plat_mapping_file: the versioned, exported 'system' policy in system partition. |
| // - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy |
| // in vendor partition. |
| // |
| se_policy_conf { |
| name: "pub_policy.conf", |
| srcs: plat_public_policy + |
| system_ext_public_policy + |
| product_public_policy + |
| reqd_mask_policy, |
| vendor: true, |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "pub_policy.cil", |
| src: ":pub_policy.conf", |
| filter_out: [":reqd_policy_mask.cil"], |
| secilc_check: false, |
| vendor: true, |
| installable: false, |
| } |
| |
| se_policy_conf { |
| name: "system_ext_pub_policy.conf", |
| srcs: plat_public_policy + |
| system_ext_public_policy + |
| reqd_mask_policy, |
| system_ext_specific: true, |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "system_ext_pub_policy.cil", |
| src: ":system_ext_pub_policy.conf", |
| filter_out: [":reqd_policy_mask.cil"], |
| secilc_check: false, |
| system_ext_specific: true, |
| installable: false, |
| } |
| |
| se_policy_conf { |
| name: "plat_pub_policy.conf", |
| srcs: plat_public_policy + |
| reqd_mask_policy, |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "plat_pub_policy.cil", |
| src: ":plat_pub_policy.conf", |
| filter_out: [":reqd_policy_mask.cil"], |
| secilc_check: false, |
| installable: false, |
| } |
| |
| // plat_policy.conf - A combination of the private and public platform policy |
| // which will ship with the device. |
| // |
| // The platform will always reflect the most recent platform version and is not |
| // currently being attributized. |
| se_policy_conf { |
| name: "plat_sepolicy.conf", |
| srcs: plat_public_policy + |
| plat_private_policy, |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "plat_sepolicy.cil", |
| src: ":plat_sepolicy.conf", |
| additional_cil_files: [":sepolicy_technical_debt{.plat_private}"], |
| } |
| |
| |
| se_policy_conf { |
| name: "apex_sepolicy-33.conf", |
| srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"], |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "apex_sepolicy-33.cil", |
| src: ":apex_sepolicy-33.conf", |
| filter_out: [":plat_sepolicy.cil"], |
| installable: false, |
| stem: "apex_sepolicy.cil", |
| } |
| |
| se_policy_cil { |
| name: "decompiled_sepolicy-without_apex.cil", |
| src: ":precompiled_sepolicy-without_apex", |
| decompile_binary: true, |
| } |
| |
| se_policy_cil { |
| name: "apex_sepolicy-33.decompiled.cil", |
| src: ":precompiled_sepolicy", |
| decompile_binary: true, |
| filter_out: [":decompiled_sepolicy-without_apex.cil"], |
| additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"], |
| secilc_check: false, |
| stem: "apex_sepolicy.decompiled.cil", |
| } |
| |
| // userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil |
| se_policy_conf { |
| name: "userdebug_plat_sepolicy.conf", |
| srcs: plat_public_policy + |
| plat_private_policy, |
| build_variant: "userdebug", |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "userdebug_plat_sepolicy.cil", |
| src: ":userdebug_plat_sepolicy.conf", |
| additional_cil_files: [":sepolicy_technical_debt{.plat_private}"], |
| debug_ramdisk: true, |
| dist: { |
| targets: ["droidcore"], |
| }, |
| } |
| |
| // A copy of the userdebug_plat_policy in GSI. |
| soong_config_module_type { |
| name: "gsi_se_policy_cil", |
| module_type: "se_policy_cil", |
| config_namespace: "ANDROID", |
| bool_variables: [ |
| "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT", |
| ], |
| properties: [ |
| "enabled", |
| "installable", |
| ], |
| } |
| |
| gsi_se_policy_cil { |
| name: "system_ext_userdebug_plat_sepolicy.cil", |
| stem: "userdebug_plat_sepolicy.cil", |
| src: ":userdebug_plat_sepolicy.conf", |
| additional_cil_files: [":sepolicy_technical_debt{.plat_private}"], |
| system_ext_specific: true, |
| enabled: false, |
| installable: false, |
| soong_config_variables: { |
| PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: { |
| enabled: true, |
| installable: true, |
| }, |
| }, |
| } |
| |
| // system_ext_policy.conf - A combination of the private and public system_ext |
| // policy which will ship with the device. System_ext policy is not attributized |
| se_policy_conf { |
| name: "system_ext_sepolicy.conf", |
| srcs: plat_public_policy + |
| plat_private_policy + |
| system_ext_public_policy + |
| system_ext_private_policy, |
| system_ext_specific: true, |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "system_ext_sepolicy.cil", |
| src: ":system_ext_sepolicy.conf", |
| system_ext_specific: true, |
| filter_out: [":plat_sepolicy.cil"], |
| remove_line_marker: true, |
| } |
| |
| // product_policy.conf - A combination of the private and public product policy |
| // which will ship with the device. Product policy is not attributized |
| se_policy_conf { |
| name: "product_sepolicy.conf", |
| srcs: plat_public_policy + |
| plat_private_policy + |
| system_ext_public_policy + |
| system_ext_private_policy + |
| product_public_policy + |
| product_private_policy, |
| product_specific: true, |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "product_sepolicy.cil", |
| src: ":product_sepolicy.conf", |
| product_specific: true, |
| filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"], |
| remove_line_marker: true, |
| } |
| |
| // policy mapping files |
| // auto-generate the mapping file for current platform policy, since it needs to |
| // track platform policy development |
| se_versioned_policy { |
| name: "plat_mapping_file", |
| base: ":plat_pub_policy.cil", |
| mapping: true, |
| version: "current", |
| relative_install_path: "mapping", // install to /system/etc/selinux/mapping |
| } |
| |
| se_versioned_policy { |
| name: "system_ext_mapping_file", |
| base: ":system_ext_pub_policy.cil", |
| mapping: true, |
| version: "current", |
| filter_out: [":plat_mapping_file"], |
| relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping |
| system_ext_specific: true, |
| } |
| |
| se_versioned_policy { |
| name: "product_mapping_file", |
| base: ":pub_policy.cil", |
| mapping: true, |
| version: "current", |
| filter_out: [":plat_mapping_file", ":system_ext_mapping_file"], |
| relative_install_path: "mapping", // install to /product/etc/selinux/mapping |
| product_specific: true, |
| } |
| |
| // vendor/odm sepolicy |
| // |
| // If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION, |
| // policy files of platform (system, system_ext, product) can't be mixed with |
| // policy files of vendor (vendor, odm). If it's the case, platform policies and |
| // vendor policies are separately built. More specifically, |
| // |
| // - Platform policy files needed to build vendor policies, such as plat_policy, |
| // plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the |
| // prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS). |
| // |
| // - sepolicy_neverallows only checks platform policies, and a new module |
| // sepolicy_neverallows_vendor checks vendor policies. |
| // |
| // - neverallow checks are turned off while compiling precompiled_sepolicy |
| // module and sepolicy module. |
| // |
| // - Vendor policies are not checked on the compat test (compat.mk). |
| // |
| // In such scenario, we can grab platform policy files from the prebuilts/api |
| // directory. But we need more than that: prebuilts of system_ext, product, |
| // system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following |
| // variables are introduced to specify such prebuilts. |
| // |
| // - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask) |
| // - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor) |
| // - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public) |
| // - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private) |
| // - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public) |
| // - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private) |
| // |
| // Vendors are responsible for copying policy files from the old version of the |
| // source tree as prebuilts, and for setting BOARD_*_POLICY variables so they |
| // can be used to build vendor policies. |
| // |
| // To support both mixed build and normal build, platform policy files are |
| // indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal |
| // to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION. |
| // Otherwise, they will be equal to the Makefile variables above. |
| |
| plat_public_policies_for_vendor = [ |
| ":se_build_files{.plat_public_for_vendor}", |
| ":se_build_files{.system_ext_public_for_vendor}", |
| ":se_build_files{.product_public_for_vendor}", |
| ":se_build_files{.reqd_mask_for_vendor}", |
| ] |
| |
| plat_policies_for_vendor = [ |
| ":se_build_files{.plat_public_for_vendor}", |
| ":se_build_files{.plat_private_for_vendor}", |
| ":se_build_files{.system_ext_public_for_vendor}", |
| ":se_build_files{.system_ext_private_for_vendor}", |
| ":se_build_files{.product_public_for_vendor}", |
| ":se_build_files{.product_private_for_vendor}", |
| ] |
| |
| se_policy_conf { |
| name: "plat_policy_for_vendor.conf", |
| srcs: plat_policies_for_vendor, |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "plat_policy_for_vendor.cil", |
| src: ":plat_policy_for_vendor.conf", |
| additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"], |
| installable: false, |
| } |
| |
| se_policy_conf { |
| name: "reqd_policy_mask_for_vendor.conf", |
| srcs: [":se_build_files{.reqd_mask_for_vendor}"], |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "reqd_policy_mask_for_vendor.cil", |
| src: ":reqd_policy_mask_for_vendor.conf", |
| secilc_check: false, |
| installable: false, |
| } |
| |
| se_policy_conf { |
| name: "pub_policy_for_vendor.conf", |
| srcs: plat_public_policies_for_vendor, |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "pub_policy_for_vendor.cil", |
| src: ":pub_policy_for_vendor.conf", |
| filter_out: [":reqd_policy_mask_for_vendor.cil"], |
| secilc_check: false, |
| installable: false, |
| } |
| |
| se_versioned_policy { |
| name: "plat_mapping_file_for_vendor", |
| base: ":pub_policy_for_vendor.cil", |
| mapping: true, |
| version: "vendor", |
| installable: false, |
| } |
| |
| // plat_pub_versioned.cil - the exported platform policy associated with the version |
| // that non-platform policy targets. |
| se_versioned_policy { |
| name: "plat_pub_versioned.cil", |
| base: ":pub_policy_for_vendor.cil", |
| target_policy: ":pub_policy_for_vendor.cil", |
| version: "vendor", |
| vendor: true, |
| } |
| |
| // vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined |
| // with the platform-provided policy. It makes use of the reqd_policy_mask files from private |
| // policy and the platform public policy files in order to use checkpolicy. |
| se_policy_conf { |
| name: "vendor_sepolicy.conf", |
| srcs: plat_public_policies_for_vendor + [ |
| ":se_build_files{.plat_vendor_for_vendor}", |
| ":se_build_files{.vendor}", |
| ], |
| vendor: true, |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "vendor_sepolicy.cil.raw", |
| src: ":vendor_sepolicy.conf", |
| filter_out: [":reqd_policy_mask_for_vendor.cil"], |
| secilc_check: false, // will be done in se_versioned_policy module |
| vendor: true, |
| installable: false, |
| } |
| |
| se_versioned_policy { |
| name: "vendor_sepolicy.cil", |
| base: ":pub_policy_for_vendor.cil", |
| target_policy: ":vendor_sepolicy.cil.raw", |
| version: "vendor", |
| dependent_cils: [ |
| ":plat_policy_for_vendor.cil", |
| ":plat_pub_versioned.cil", |
| ":plat_mapping_file_for_vendor", |
| ], |
| filter_out: [":plat_pub_versioned.cil"], |
| vendor: true, |
| } |
| |
| // odm_policy.cil - the odl sepolicy. This needs attributization and to be combined |
| // with the platform-provided policy. It makes use of the reqd_policy_mask files from private |
| // policy and the platform public policy files in order to use checkpolicy. |
| se_policy_conf { |
| name: "odm_sepolicy.conf", |
| srcs: plat_public_policies_for_vendor + [ |
| ":se_build_files{.plat_vendor_for_vendor}", |
| ":se_build_files{.vendor}", |
| ":se_build_files{.odm}", |
| ], |
| device_specific: true, |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "odm_sepolicy.cil.raw", |
| src: ":odm_sepolicy.conf", |
| filter_out: [ |
| ":reqd_policy_mask_for_vendor.cil", |
| ":vendor_sepolicy.cil", |
| ], |
| secilc_check: false, // will be done in se_versioned_policy module |
| device_specific: true, |
| installable: false, |
| } |
| |
| se_versioned_policy { |
| name: "odm_sepolicy.cil", |
| base: ":pub_policy_for_vendor.cil", |
| target_policy: ":odm_sepolicy.cil.raw", |
| version: "vendor", |
| dependent_cils: [ |
| ":plat_policy_for_vendor.cil", |
| ":plat_pub_versioned.cil", |
| ":plat_mapping_file_for_vendor", |
| ":vendor_sepolicy.cil", |
| ], |
| filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"], |
| device_specific: true, |
| } |
| |
| ////////////////////////////////// |
| // Precompiled sepolicy is loaded if and only if: |
| // - plat_sepolicy_and_mapping.sha256 equals |
| // precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 |
| // AND |
| // - system_ext_sepolicy_and_mapping.sha256 equals |
| // precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 |
| // AND |
| // - product_sepolicy_and_mapping.sha256 equals |
| // precompiled_sepolicy.product_sepolicy_and_mapping.sha256 |
| // AND |
| // - apex_sepolicy.sha256 equals |
| // precompiled_sepolicy.apex_sepolicy.sha256 |
| // See system/core/init/selinux.cpp for details. |
| ////////////////////////////////// |
| genrule { |
| name: "plat_sepolicy_and_mapping.sha256_gen", |
| srcs: [":plat_sepolicy.cil", ":plat_mapping_file"], |
| out: ["plat_sepolicy_and_mapping.sha256"], |
| cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)", |
| } |
| |
| prebuilt_etc { |
| name: "plat_sepolicy_and_mapping.sha256", |
| filename: "plat_sepolicy_and_mapping.sha256", |
| src: ":plat_sepolicy_and_mapping.sha256_gen", |
| relative_install_path: "selinux", |
| } |
| |
| genrule { |
| name: "apex_sepolicy.sha256_gen", |
| srcs: [":apex_sepolicy-33.cil"], |
| out: ["apex_sepolicy.sha256"], |
| cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)", |
| } |
| |
| prebuilt_etc { |
| name: "apex_sepolicy.sha256", |
| filename: "apex_sepolicy.sha256", |
| src: ":apex_sepolicy.sha256_gen", |
| installable: false, |
| } |
| |
| genrule { |
| name: "system_ext_sepolicy_and_mapping.sha256_gen", |
| srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"], |
| out: ["system_ext_sepolicy_and_mapping.sha256"], |
| cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)", |
| } |
| |
| prebuilt_etc { |
| name: "system_ext_sepolicy_and_mapping.sha256", |
| filename: "system_ext_sepolicy_and_mapping.sha256", |
| src: ":system_ext_sepolicy_and_mapping.sha256_gen", |
| relative_install_path: "selinux", |
| system_ext_specific: true, |
| } |
| |
| genrule { |
| name: "product_sepolicy_and_mapping.sha256_gen", |
| srcs: [":product_sepolicy.cil", ":product_mapping_file"], |
| out: ["product_sepolicy_and_mapping.sha256"], |
| cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)", |
| } |
| |
| prebuilt_etc { |
| name: "product_sepolicy_and_mapping.sha256", |
| filename: "product_sepolicy_and_mapping.sha256", |
| src: ":product_sepolicy_and_mapping.sha256_gen", |
| relative_install_path: "selinux", |
| product_specific: true, |
| } |
| |
| sepolicy_vers { |
| name: "plat_sepolicy_vers.txt", |
| version: "vendor", |
| vendor: true, |
| } |
| |
| soong_config_module_type { |
| name: "precompiled_sepolicy_prebuilts_defaults", |
| module_type: "prebuilt_defaults", |
| config_namespace: "ANDROID", |
| bool_variables: ["BOARD_USES_ODMIMAGE"], |
| properties: ["vendor", "device_specific"], |
| } |
| |
| precompiled_sepolicy_prebuilts_defaults { |
| name: "precompiled_sepolicy_prebuilts", |
| soong_config_variables: { |
| BOARD_USES_ODMIMAGE: { |
| device_specific: true, |
| conditions_default: { |
| vendor: true, |
| }, |
| }, |
| }, |
| } |
| |
| ////////////////////////////////// |
| // SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against |
| // which precompiled_policy was built. |
| ////////////////////////////////// |
| prebuilt_etc { |
| defaults: ["precompiled_sepolicy_prebuilts"], |
| name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256", |
| filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256", |
| src: ":plat_sepolicy_and_mapping.sha256_gen", |
| relative_install_path: "selinux", |
| } |
| |
| ////////////////////////////////// |
| // SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy |
| // was built. |
| ////////////////////////////////// |
| prebuilt_etc { |
| defaults: ["precompiled_sepolicy_prebuilts"], |
| name: "precompiled_sepolicy.apex_sepolicy.sha256", |
| filename: "precompiled_sepolicy.apex_sepolicy.sha256", |
| src: ":apex_sepolicy.sha256_gen", |
| relative_install_path: "selinux", |
| } |
| |
| ////////////////////////////////// |
| // SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against |
| // which precompiled_policy was built. |
| ////////////////////////////////// |
| prebuilt_etc { |
| defaults: ["precompiled_sepolicy_prebuilts"], |
| name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256", |
| filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256", |
| src: ":system_ext_sepolicy_and_mapping.sha256_gen", |
| relative_install_path: "selinux", |
| } |
| |
| ////////////////////////////////// |
| // SHA-256 digest of the product_sepolicy.cil and product_mapping_file against |
| // which precompiled_policy was built. |
| ////////////////////////////////// |
| prebuilt_etc { |
| defaults: ["precompiled_sepolicy_prebuilts"], |
| name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256", |
| filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256", |
| src: ":product_sepolicy_and_mapping.sha256_gen", |
| relative_install_path: "selinux", |
| } |
| |
| soong_config_module_type { |
| name: "precompiled_se_policy_binary", |
| module_type: "se_policy_binary", |
| config_namespace: "ANDROID", |
| bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"], |
| value_variables: ["MIXED_SEPOLICY_VERSION"], |
| properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"], |
| } |
| |
| precompiled_se_policy_binary { |
| name: "precompiled_sepolicy", |
| srcs: [ |
| ":plat_sepolicy.cil", |
| ":apex_sepolicy-33.cil", |
| ":plat_pub_versioned.cil", |
| ":system_ext_sepolicy.cil", |
| ":product_sepolicy.cil", |
| ":vendor_sepolicy.cil", |
| ":odm_sepolicy.cil", |
| ], |
| soong_config_variables: { |
| BOARD_USES_ODMIMAGE: { |
| device_specific: true, |
| conditions_default: { |
| vendor: true, |
| }, |
| }, |
| IS_TARGET_MIXED_SEPOLICY: { |
| ignore_neverallow: true, |
| }, |
| MIXED_SEPOLICY_VERSION: { |
| srcs: [ |
| ":plat_%s.cil", |
| ":system_ext_%s.cil", |
| ":product_%s.cil", |
| ], |
| conditions_default: { |
| srcs: [ |
| ":plat_mapping_file", |
| ":system_ext_mapping_file", |
| ":product_mapping_file", |
| ], |
| }, |
| }, |
| }, |
| required: [ |
| "sepolicy_neverallows", |
| "sepolicy_neverallows_vendor", |
| ], |
| dist: { |
| targets: ["base-sepolicy-files-for-mapping"], |
| }, |
| } |
| |
| precompiled_se_policy_binary { |
| name: "precompiled_sepolicy-without_apex", |
| srcs: [ |
| ":plat_sepolicy.cil", |
| ":plat_pub_versioned.cil", |
| ":system_ext_sepolicy.cil", |
| ":product_sepolicy.cil", |
| ":vendor_sepolicy.cil", |
| ":odm_sepolicy.cil", |
| ], |
| soong_config_variables: { |
| BOARD_USES_ODMIMAGE: { |
| device_specific: true, |
| conditions_default: { |
| vendor: true, |
| }, |
| }, |
| IS_TARGET_MIXED_SEPOLICY: { |
| ignore_neverallow: true, |
| }, |
| MIXED_SEPOLICY_VERSION: { |
| srcs: [ |
| ":plat_%s.cil", |
| ":system_ext_%s.cil", |
| ":product_%s.cil", |
| ], |
| conditions_default: { |
| srcs: [ |
| ":plat_mapping_file", |
| ":system_ext_mapping_file", |
| ":product_mapping_file", |
| ], |
| }, |
| }, |
| }, |
| required: [ |
| "sepolicy_neverallows", |
| "sepolicy_neverallows_vendor", |
| ], |
| dist: { |
| targets: ["base-sepolicy-files-for-mapping"], |
| }, |
| } |
| |
| // policy for recovery |
| se_policy_conf { |
| name: "recovery_sepolicy.conf", |
| srcs: plat_policies_for_vendor + [ |
| ":se_build_files{.plat_vendor_for_vendor}", |
| ":se_build_files{.vendor}", |
| ":se_build_files{.odm}", |
| ], |
| target_recovery: true, |
| installable: false, |
| recovery: true, |
| } |
| |
| se_policy_cil { |
| name: "recovery_sepolicy.cil", |
| src: ":recovery_sepolicy.conf", |
| secilc_check: false, // will be done in se_policy_binary module |
| installable: false, |
| recovery: true, |
| } |
| |
| se_policy_binary { |
| name: "sepolicy.recovery", |
| srcs: [":recovery_sepolicy.cil"], |
| stem: "sepolicy", |
| recovery: true, |
| } |
| |
| ////////////////////////////////// |
| // SELinux policy embedded into CTS. |
| // CTS checks neverallow rules of this policy against the policy of the device under test. |
| ////////////////////////////////// |
| se_policy_conf { |
| name: "general_sepolicy.conf", |
| srcs: plat_public_policy + |
| plat_private_policy, |
| build_variant: "user", |
| cts: true, |
| exclude_build_test: true, |
| } |
| |
| ////////////////////////////////// |
| // Base system policy for treble sepolicy tests. |
| // If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ |
| // with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case, |
| // BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil. |
| // See treble_sepolicy_tests_for_release.mk for more details. |
| ////////////////////////////////// |
| se_policy_conf { |
| name: "base_plat_sepolicy.conf", |
| srcs: plat_public_policy + |
| plat_private_policy, |
| build_variant: "user", |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "base_plat_sepolicy.cil", |
| src: ":base_plat_sepolicy.conf", |
| additional_cil_files: ["private/technical_debt.cil"], |
| installable: false, |
| secilc_check: false, // done by se_policy_binary |
| } |
| |
| se_policy_binary { |
| name: "base_plat_sepolicy", |
| srcs: [":base_plat_sepolicy.cil"], |
| installable: false, |
| dist: { |
| targets: ["base-sepolicy-files-for-mapping"], |
| }, |
| } |
| |
| se_policy_conf { |
| name: "base_system_ext_sepolicy.conf", |
| srcs: plat_public_policy + |
| plat_private_policy + |
| system_ext_public_policy + |
| system_ext_private_policy, |
| build_variant: "user", |
| installable: false, |
| system_ext_specific: true, |
| } |
| |
| se_policy_cil { |
| name: "base_system_ext_sepolicy.cil", |
| src: ":base_system_ext_sepolicy.conf", |
| additional_cil_files: ["private/technical_debt.cil"], |
| system_ext_specific: true, |
| installable: false, |
| secilc_check: false, // done by se_policy_binary |
| } |
| |
| se_policy_binary { |
| name: "base_system_ext_sepolicy", |
| srcs: [":base_system_ext_sepolicy.cil"], |
| system_ext_specific: true, |
| installable: false, |
| } |
| |
| se_policy_conf { |
| name: "base_product_sepolicy.conf", |
| srcs: plat_public_policy + |
| plat_private_policy + |
| system_ext_public_policy + |
| system_ext_private_policy + |
| product_public_policy + |
| product_private_policy, |
| build_variant: "user", |
| installable: false, |
| product_specific: true, |
| } |
| |
| se_policy_cil { |
| name: "base_product_sepolicy.cil", |
| src: ":base_product_sepolicy.conf", |
| additional_cil_files: ["private/technical_debt.cil"], |
| product_specific: true, |
| installable: false, |
| secilc_check: false, // done by se_policy_binary |
| } |
| |
| se_policy_binary { |
| name: "base_product_sepolicy", |
| srcs: [":base_product_sepolicy.cil"], |
| product_specific: true, |
| installable: false, |
| } |
| |
| se_policy_conf { |
| name: "base_plat_pub_policy.conf", |
| srcs: plat_public_policy + |
| reqd_mask_policy, |
| build_variant: "user", |
| installable: false, |
| } |
| |
| se_policy_cil { |
| name: "base_plat_pub_policy.cil", |
| src: ":base_plat_pub_policy.conf", |
| filter_out: [":reqd_policy_mask.cil"], |
| secilc_check: false, |
| installable: false, |
| dist: { |
| targets: ["base-sepolicy-files-for-mapping"], |
| }, |
| } |
| |
| se_policy_conf { |
| name: "base_system_ext_pub_policy.conf", |
| srcs: plat_public_policy + |
| system_ext_public_policy + |
| reqd_mask_policy, |
| build_variant: "user", |
| installable: false, |
| system_ext_specific: true, |
| } |
| |
| se_policy_cil { |
| name: "base_system_ext_pub_policy.cil", |
| src: ":base_system_ext_pub_policy.conf", |
| filter_out: [":reqd_policy_mask.cil"], |
| secilc_check: false, |
| installable: false, |
| system_ext_specific: true, |
| } |
| |
| se_policy_conf { |
| name: "base_product_pub_policy.conf", |
| srcs: plat_public_policy + |
| system_ext_public_policy + |
| product_public_policy + |
| reqd_mask_policy, |
| build_variant: "user", |
| installable: false, |
| product_specific: true, |
| } |
| |
| se_policy_cil { |
| name: "base_product_pub_policy.cil", |
| src: ":base_product_pub_policy.conf", |
| filter_out: [":reqd_policy_mask.cil"], |
| secilc_check: false, |
| installable: false, |
| product_specific: true, |
| } |
| |
| // bug_map - Bug tracking information for selinux denials loaded by auditd. |
| se_build_files { |
| name: "bug_map_files", |
| srcs: ["bug_map"], |
| } |
| |
| se_bug_map { |
| name: "plat_bug_map", |
| srcs: [":bug_map_files{.plat_private}"], |
| stem: "bug_map", |
| } |
| |
| se_bug_map { |
| name: "system_ext_bug_map", |
| srcs: [":bug_map_files{.system_ext_private}"], |
| stem: "bug_map", |
| system_ext_specific: true, |
| } |
| |
| se_bug_map { |
| name: "vendor_bug_map", |
| srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor_for_vendor}"], |
| // Legacy file name of the vendor partition bug_map. |
| stem: "selinux_denial_metadata", |
| vendor: true, |
| } |
| |
| se_neverallow_test { |
| name: "sepolicy_neverallows", |
| srcs: plat_public_policy + |
| plat_private_policy + |
| system_ext_public_policy + |
| system_ext_private_policy + |
| product_public_policy + |
| product_private_policy, |
| } |
| |
| se_neverallow_test { |
| name: "sepolicy_neverallows_vendor", |
| srcs: plat_policies_for_vendor + [ |
| ":se_build_files{.plat_vendor_for_vendor}", |
| ":se_build_files{.vendor}", |
| ":se_build_files{.odm}", |
| ], |
| vendor: true, |
| } |
| |
| ////////////////////////////////// |
| // se_freeze_test compares the plat sepolicy with the prebuilt sepolicy |
| // Additional directories can be specified via Makefile variables: |
| // SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS. |
| ////////////////////////////////// |
| se_freeze_test { |
| name: "sepolicy_freeze_test", |
| } |
| |
| ////////////////////////////////// |
| // sepolicy_test checks various types of violations, which can't be easily done |
| // by CIL itself. Refer tests/sepolicy_tests.py for more detail. |
| ////////////////////////////////// |
| genrule { |
| name: "sepolicy_test", |
| srcs: [ |
| ":plat_file_contexts", |
| ":vendor_file_contexts", |
| ":system_ext_file_contexts", |
| ":product_file_contexts", |
| ":odm_file_contexts", |
| ":precompiled_sepolicy", |
| ], |
| tools: ["sepolicy_tests"], |
| out: ["sepolicy_test"], |
| cmd: "$(location sepolicy_tests) " + |
| "-f $(location :plat_file_contexts) " + |
| "-f $(location :vendor_file_contexts) " + |
| "-f $(location :system_ext_file_contexts) " + |
| "-f $(location :product_file_contexts) " + |
| "-f $(location :odm_file_contexts) " + |
| "-p $(location :precompiled_sepolicy) && " + |
| "touch $(out)", |
| } |