| LOCAL_PATH:= $(call my-dir) |
| |
| include $(CLEAR_VARS) |
| |
| ifdef BOARD_SEPOLICY_UNION |
| $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.) |
| endif |
| |
| ifdef BOARD_SEPOLICY_M4DEFS |
| LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS)) |
| else |
| LOCAL_ADDITIONAL_M4DEFS := |
| endif |
| |
| # sepolicy is now divided into multiple portions: |
| # public - policy exported on which non-platform policy developers may write |
| # additional policy. types and attributes are versioned and included in |
| # delivered non-platform policy, which is to be combined with platform policy. |
| # private - platform-only policy required for platform functionality but which |
| # is not exported to vendor policy developers and as such may not be assumed |
| # to exist. |
| # vendor - vendor-only policy required for vendor functionality. This policy can |
| # reference the public policy but cannot reference the private policy. This |
| # policy is for components which are produced from the core/non-vendor tree and |
| # placed into a vendor partition. |
| # mapping - This contains policy statements which map the attributes |
| # exposed in the public policy of previous versions to the concrete types used |
| # in this policy to ensure that policy targeting attributes from public |
| # policy from an older platform version continues to work. |
| |
| # build process for device: |
| # 1) convert policies to CIL: |
| # - private + public platform policy to CIL |
| # - mapping file to CIL (should already be in CIL form) |
| # - non-platform public policy to CIL |
| # - non-platform public + private policy to CIL |
| # 2) attributize policy |
| # - run script which takes non-platform public and non-platform combined |
| # private + public policy and produces attributized and versioned |
| # non-platform policy |
| # 3) combine policy files |
| # - combine mapping, platform and non-platform policy. |
| # - compile output binary policy file |
| |
| PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public |
| PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private |
| PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor |
| REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask |
| |
| SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS) |
| SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS) |
| |
| PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS) |
| PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS) |
| |
| ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY)) |
| HAS_SYSTEM_EXT_SEPOLICY_DIR := true |
| endif |
| |
| # TODO(b/119305624): Currently if the device doesn't have a product partition, |
| # we install product sepolicy into /system/product. We do that because bits of |
| # product sepolicy that's still in /system might depend on bits that have moved |
| # to /product. Once we finish migrating product sepolicy out of system, change |
| # it so that if no product partition is present, product sepolicy artifacts are |
| # not built and installed at all. |
| ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY)) |
| HAS_PRODUCT_SEPOLICY_DIR := true |
| endif |
| |
| ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) |
| ifeq ($(TARGET_BUILD_VARIANT),user) |
| $(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds) |
| endif |
| $(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \ |
| It does not work in user builds and using it will \ |
| not stop you from failing CTS.) |
| endif |
| |
| # BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before. |
| # It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and |
| # BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for |
| # backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS. |
| ifdef BOARD_SEPOLICY_DIRS |
| BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS) |
| endif |
| |
| ########################################################### |
| # Compute policy files to be used in policy build. |
| # $(1): files to include |
| # $(2): directories in which to find files |
| ########################################################### |
| |
| define build_policy |
| $(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))) |
| endef |
| |
| sepolicy_build_files := security_classes \ |
| initial_sids \ |
| access_vectors \ |
| global_macros \ |
| neverallow_macros \ |
| mls_macros \ |
| mls_decl \ |
| mls \ |
| policy_capabilities \ |
| te_macros \ |
| attributes \ |
| ioctl_defines \ |
| ioctl_macros \ |
| *.te \ |
| roles_decl \ |
| roles \ |
| users \ |
| initial_sid_contexts \ |
| fs_use \ |
| genfs_contexts \ |
| port_contexts |
| |
| sepolicy_compat_files := $(foreach ver, $(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \ |
| $(addprefix compat/$(ver)/, $(addsuffix .cil, $(ver)))) |
| |
| # Security classes and permissions defined outside of system/sepolicy. |
| security_class_extension_files := $(call build_policy, security_classes access_vectors, \ |
| $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \ |
| $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ |
| $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) |
| |
| ifneq (,$(strip $(security_class_extension_files))) |
| $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files))) |
| endif |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR |
| # Checks if there are public system_ext policy files. |
| policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY)) |
| ifneq (,$(strip $(policy_files))) |
| HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true |
| endif |
| # Checks if there are public/private system_ext policy files. |
| policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY)) |
| ifneq (,$(strip $(policy_files))) |
| HAS_SYSTEM_EXT_SEPOLICY := true |
| endif |
| endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR |
| |
| ifdef HAS_PRODUCT_SEPOLICY_DIR |
| # Checks if there are public product policy files. |
| policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY)) |
| ifneq (,$(strip $(policy_files))) |
| HAS_PRODUCT_PUBLIC_SEPOLICY := true |
| endif |
| # Checks if there are public/private product policy files. |
| policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)) |
| ifneq (,$(strip $(policy_files))) |
| HAS_PRODUCT_SEPOLICY := true |
| endif |
| endif # ifdef HAS_PRODUCT_SEPOLICY_DIR |
| |
| with_asan := false |
| ifneq (,$(filter address,$(SANITIZE_TARGET))) |
| with_asan := true |
| endif |
| |
| ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) |
| #$(warning no product shipping level defined) |
| else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),) |
| ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),) |
| $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.) |
| endif |
| endif |
| |
| ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) |
| #$(warning no product shipping level defined) |
| else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),) |
| ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),) |
| $(error BUILD_BROKEN_ENFORCE_SYSPROP_OWNER cannot be set on a device shipping with S or later, and this is tested by CTS.) |
| endif |
| endif |
| |
| ################################# |
| |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := selinux_policy |
| LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered |
| LOCAL_LICENSE_CONDITIONS := notice unencumbered |
| LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_REQUIRED_MODULES += \ |
| selinux_policy_nonsystem \ |
| selinux_policy_system \ |
| |
| include $(BUILD_PHONY_PACKAGE) |
| |
| # selinux_policy is a main goal and triggers lots of tests. |
| # Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm') |
| # By setting as droidcore's dependency, tests will run on normal builds. |
| droidcore: selinux_policy |
| |
| include $(CLEAR_VARS) |
| LOCAL_MODULE := selinux_policy_system |
| LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered |
| LOCAL_LICENSE_CONDITIONS := notice unencumbered |
| LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE |
| # These build targets are not used on non-Treble devices. However, we build these to avoid |
| # divergence between Treble and non-Treble devices. |
| LOCAL_REQUIRED_MODULES += \ |
| plat_mapping_file \ |
| $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ |
| $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ |
| plat_sepolicy.cil \ |
| secilc \ |
| |
| # HACK to support vendor blobs using 1000000.0 |
| # TODO(b/314010177): remove after new ToT (202404) fully propagates |
| ifneq (true,$(BOARD_API_LEVEL_FROZEN)) |
| LOCAL_REQUIRED_MODULES += plat_mapping_file_1000000.0 |
| endif |
| |
| ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) |
| LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256 |
| endif |
| |
| LOCAL_REQUIRED_MODULES += \ |
| build_sepolicy \ |
| plat_file_contexts \ |
| plat_file_contexts_test \ |
| plat_keystore2_key_contexts \ |
| plat_mac_permissions.xml \ |
| plat_property_contexts \ |
| plat_property_contexts_test \ |
| plat_seapp_contexts \ |
| plat_service_contexts \ |
| plat_service_contexts_test \ |
| plat_hwservice_contexts \ |
| plat_hwservice_contexts_test \ |
| fuzzer_bindings_test \ |
| plat_bug_map \ |
| searchpolicy \ |
| |
| ifneq ($(with_asan),true) |
| ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) |
| LOCAL_REQUIRED_MODULES += \ |
| sepolicy_compat_test \ |
| |
| # HACK: sepolicy_test is implemented as genrule |
| # genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work. |
| # Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output |
| LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test |
| LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_dev_type_test)/sepolicy_dev_type_test |
| |
| LOCAL_REQUIRED_MODULES += \ |
| $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ |
| |
| endif # SELINUX_IGNORE_NEVERALLOWS |
| endif # with_asan |
| |
| ifeq ($(BOARD_API_LEVEL_FROZEN),true) |
| LOCAL_REQUIRED_MODULES += \ |
| se_freeze_test |
| endif |
| |
| include $(BUILD_PHONY_PACKAGE) |
| |
| ################################# |
| |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := selinux_policy_system_ext |
| LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered |
| LOCAL_LICENSE_CONDITIONS := notice unencumbered |
| LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE |
| # Include precompiled policy, unless told otherwise. |
| ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) |
| ifdef HAS_SYSTEM_EXT_SEPOLICY |
| LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256 |
| endif |
| endif |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY |
| LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil |
| endif |
| |
| ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY |
| LOCAL_REQUIRED_MODULES += \ |
| system_ext_mapping_file |
| |
| # HACK to support vendor blobs using 1000000.0 |
| # TODO(b/314010177): remove after new ToT (202404) fully propagates |
| ifneq (true,$(BOARD_API_LEVEL_FROZEN)) |
| LOCAL_REQUIRED_MODULES += system_ext_mapping_file_1000000.0 |
| endif |
| |
| system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY)) |
| |
| LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files))) |
| |
| endif |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR |
| LOCAL_REQUIRED_MODULES += \ |
| system_ext_file_contexts \ |
| system_ext_file_contexts_test \ |
| system_ext_hwservice_contexts \ |
| system_ext_hwservice_contexts_test \ |
| system_ext_property_contexts \ |
| system_ext_property_contexts_test \ |
| system_ext_seapp_contexts \ |
| system_ext_service_contexts \ |
| system_ext_service_contexts_test \ |
| system_ext_mac_permissions.xml \ |
| system_ext_bug_map \ |
| $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \ |
| |
| endif |
| |
| include $(BUILD_PHONY_PACKAGE) |
| |
| ################################# |
| |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := selinux_policy_product |
| LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered |
| LOCAL_LICENSE_CONDITIONS := notice unencumbered |
| LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE |
| # Include precompiled policy, unless told otherwise. |
| ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) |
| ifdef HAS_PRODUCT_SEPOLICY |
| LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256 |
| endif |
| endif |
| |
| ifdef HAS_PRODUCT_SEPOLICY |
| LOCAL_REQUIRED_MODULES += product_sepolicy.cil |
| endif |
| |
| ifdef HAS_PRODUCT_PUBLIC_SEPOLICY |
| LOCAL_REQUIRED_MODULES += \ |
| product_mapping_file |
| |
| # HACK to support vendor blobs using 1000000.0 |
| # TODO(b/314010177): remove after new ToT (202404) fully propagates |
| ifneq (true,$(BOARD_API_LEVEL_FROZEN)) |
| LOCAL_REQUIRED_MODULES += product_mapping_file_1000000.0 |
| endif |
| |
| product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY)) |
| |
| LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files))) |
| |
| endif |
| |
| ifdef HAS_PRODUCT_SEPOLICY_DIR |
| LOCAL_REQUIRED_MODULES += \ |
| product_file_contexts \ |
| product_file_contexts_test \ |
| product_hwservice_contexts \ |
| product_hwservice_contexts_test \ |
| product_property_contexts \ |
| product_property_contexts_test \ |
| product_seapp_contexts \ |
| product_service_contexts \ |
| product_service_contexts_test \ |
| product_mac_permissions.xml \ |
| |
| endif |
| |
| include $(BUILD_PHONY_PACKAGE) |
| |
| ################################# |
| |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := selinux_policy_nonsystem |
| LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered |
| LOCAL_LICENSE_CONDITIONS := notice unencumbered |
| LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE |
| # Include precompiled policy, unless told otherwise. |
| ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) |
| LOCAL_REQUIRED_MODULES += \ |
| precompiled_sepolicy \ |
| precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY |
| LOCAL_REQUIRED_MODULES += precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 |
| endif |
| |
| ifdef HAS_PRODUCT_SEPOLICY |
| LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256 |
| endif |
| |
| endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false) |
| |
| |
| # These build targets are not used on non-Treble devices. However, we build these to avoid |
| # divergence between Treble and non-Treble devices. |
| LOCAL_REQUIRED_MODULES += \ |
| plat_pub_versioned.cil \ |
| vendor_sepolicy.cil \ |
| plat_sepolicy_vers.txt \ |
| |
| LOCAL_REQUIRED_MODULES += \ |
| vendor_file_contexts \ |
| vendor_file_contexts_test \ |
| vendor_mac_permissions.xml \ |
| vendor_property_contexts \ |
| vendor_property_contexts_test \ |
| vendor_seapp_contexts \ |
| vendor_service_contexts \ |
| vendor_service_contexts_test \ |
| vendor_hwservice_contexts \ |
| vendor_hwservice_contexts_test \ |
| vendor_bug_map \ |
| vndservice_contexts \ |
| vndservice_contexts_test \ |
| |
| ifdef BOARD_ODM_SEPOLICY_DIRS |
| LOCAL_REQUIRED_MODULES += \ |
| odm_sepolicy.cil \ |
| odm_file_contexts \ |
| odm_file_contexts_test \ |
| odm_seapp_contexts \ |
| odm_property_contexts \ |
| odm_property_contexts_test \ |
| odm_service_contexts \ |
| odm_service_contexts_test \ |
| odm_hwservice_contexts \ |
| odm_hwservice_contexts_test \ |
| odm_mac_permissions.xml |
| endif |
| |
| LOCAL_REQUIRED_MODULES += selinux_policy_system_ext |
| LOCAL_REQUIRED_MODULES += selinux_policy_product |
| |
| # Builds an addtional userdebug sepolicy into the debug ramdisk. |
| LOCAL_REQUIRED_MODULES += \ |
| userdebug_plat_sepolicy.cil \ |
| |
| include $(BUILD_PHONY_PACKAGE) |
| |
| ################################## |
| # Policy files are now built with Android.bp. Grab them from intermediate. |
| # See Android.bp for details of policy files. |
| # |
| built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy |
| built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows |
| |
| ################################## |
| # TODO - remove this. Keep around until we get the filesystem creation stuff taken care of. |
| # |
| include $(CLEAR_VARS) |
| |
| LOCAL_MODULE := file_contexts.bin |
| LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered |
| LOCAL_LICENSE_CONDITIONS := notice unencumbered |
| LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE |
| LOCAL_MODULE_CLASS := ETC |
| LOCAL_MODULE_TAGS := optional |
| LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) |
| |
| include $(BUILD_SYSTEM)/base_rules.mk |
| |
| # The file_contexts.bin is built in the following way: |
| # 1. Collect all file_contexts files in THIS repository and process them with |
| # m4 into a tmp file called file_contexts.local.tmp. |
| # 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed |
| # modules with m4 with a tmp file called file_contexts.modules.tmp. |
| # 3. Collect all device specific file_contexts files and process them with m4 |
| # into a tmp file called file_contexts.device.tmp. |
| # 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on |
| # file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. |
| # 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and |
| # file_contexts.device.sorted.tmp into file_contexts.concat.tmp. |
| # 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce |
| # file_contexts.bin. |
| # |
| # Note: That a newline file is placed between each file_context file found to |
| # ensure a proper build when an fc file is missing an ending newline. |
| |
| local_fc_files := $(call intermediates-dir-for,ETC,plat_file_contexts)/plat_file_contexts |
| |
| ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR |
| local_fc_files += $(call intermediates-dir-for,ETC,system_ext_file_contexts)/system_ext_file_contexts |
| endif |
| |
| ifdef HAS_PRODUCT_SEPOLICY_DIR |
| local_fc_files += $(call intermediates-dir-for,ETC,product_file_contexts)/product_file_contexts |
| endif |
| |
| ########################################################### |
| ## Collect file_contexts files into a single tmp file with m4 |
| ## |
| ## $(1): list of file_contexts files |
| ## $(2): filename into which file_contexts files are merged |
| ########################################################### |
| |
| define _merge-fc-files |
| $(2): $(1) $(M4) |
| $(hide) mkdir -p $$(dir $$@) |
| $(hide) $(M4) --fatal-warnings -s $(1) > $$@ |
| endef |
| |
| define merge-fc-files |
| $(eval $(call _merge-fc-files,$(1),$(2))) |
| endef |
| |
| file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp |
| $(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp)) |
| |
| # The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile. |
| # it gathers LOCAL_FILE_CONTEXTS from product_MODULES |
| file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp |
| |
| device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts |
| |
| ifdef BOARD_ODM_SEPOLICY_DIRS |
| device_fc_files += $(call intermediates-dir-for,ETC,odm_file_contexts)/odm_file_contexts |
| endif |
| |
| file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp |
| $(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) |
| $(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files) |
| $(file_contexts.device.tmp): $(device_fc_files) $(M4) |
| @mkdir -p $(dir $@) |
| $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@ |
| |
| file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp |
| $(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy) |
| $(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \ |
| $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc |
| @mkdir -p $(dir $@) |
| $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $< |
| $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@ |
| |
| file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp |
| $(call merge-fc-files,\ |
| $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\ |
| $(file_contexts.concat.tmp)) |
| |
| $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) |
| $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc |
| @mkdir -p $(dir $@) |
| $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< |
| $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< |
| |
| local_fc_files := |
| device_fc_files := |
| file_contexts.concat.tmp := |
| file_contexts.device.sorted.tmp := |
| file_contexts.device.tmp := |
| file_contexts.local.tmp := |
| file_contexts.modules.tmp := |
| |
| ################################## |
| # Tests for Treble compatibility of current platform policy and vendor policy of |
| # given release version. |
| |
| ver := $(PLATFORM_SEPOLICY_VERSION) |
| ifneq ($(wildcard $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)),) |
| # If PLATFORM_SEPOLICY_VERSION is already frozen, use prebuilts for compat test |
| base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_plat_pub_policy.cil)/$(ver)_plat_pub_policy.cil |
| base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_product_pub_policy.cil)/$(ver)_product_pub_policy.cil |
| else |
| # If not, use ToT for compat test |
| base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil |
| base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil |
| endif |
| ver := |
| |
| $(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \ |
| $(eval version_under_treble_tests := $(v)) \ |
| $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \ |
| ) |
| |
| base_plat_pub_policy.cil := |
| base_product_pub_policy.cil := |
| |
| ################################# |
| |
| |
| build_policy := |
| built_sepolicy := |
| built_sepolicy_neverallows := |
| sepolicy_build_files := |
| with_asan := |