2018-03-22 19:35:02 +01:00
|
|
|
// Copyright (C) 2018 The Android Open Source Project
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
2021-02-04 08:07:40 +01:00
|
|
|
package {
|
|
|
|
default_applicable_licenses: ["system_sepolicy_license"],
|
|
|
|
}
|
|
|
|
|
|
|
|
// Added automatically by a large-scale-change that took the approach of
|
|
|
|
// 'apply every license found to every target'. While this makes sure we respect
|
|
|
|
// every license restriction, it may not be entirely correct.
|
|
|
|
//
|
|
|
|
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
|
|
|
|
//
|
|
|
|
// Please consider splitting the single license below into multiple licenses,
|
|
|
|
// taking care not to lose any license_kind information, and overriding the
|
|
|
|
// default license using the 'licenses: [...]' property on targets as needed.
|
|
|
|
//
|
|
|
|
// For unused files, consider creating a 'filegroup' with "//visibility:private"
|
|
|
|
// to attach the license to, and including a comment whether the files may be
|
|
|
|
// used in the current project.
|
|
|
|
// http://go/android-license-faq
|
|
|
|
license {
|
|
|
|
name: "system_sepolicy_license",
|
|
|
|
visibility: [":__subpackages__"],
|
|
|
|
license_kinds: [
|
|
|
|
"SPDX-license-identifier-Apache-2.0",
|
|
|
|
"legacy_unencumbered",
|
|
|
|
],
|
|
|
|
license_text: [
|
|
|
|
"NOTICE",
|
|
|
|
],
|
|
|
|
}
|
|
|
|
|
2019-02-15 21:18:15 +01:00
|
|
|
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
|
|
|
|
|
2020-04-15 07:55:47 +02:00
|
|
|
// For vts_treble_sys_prop_test
|
|
|
|
filegroup {
|
|
|
|
name: "private_property_contexts",
|
|
|
|
srcs: ["private/property_contexts"],
|
|
|
|
visibility: [
|
|
|
|
"//test/vts-testcase/security/system_property",
|
|
|
|
],
|
|
|
|
}
|
2021-02-18 11:15:41 +01:00
|
|
|
|
2021-03-22 02:26:13 +01:00
|
|
|
se_build_files {
|
|
|
|
name: "se_build_files",
|
2021-02-18 11:15:41 +01:00
|
|
|
srcs: [
|
2021-03-22 02:26:13 +01:00
|
|
|
"security_classes",
|
|
|
|
"initial_sids",
|
|
|
|
"access_vectors",
|
|
|
|
"global_macros",
|
|
|
|
"neverallow_macros",
|
|
|
|
"mls_macros",
|
|
|
|
"mls_decl",
|
|
|
|
"mls",
|
|
|
|
"policy_capabilities",
|
|
|
|
"te_macros",
|
|
|
|
"attributes",
|
|
|
|
"ioctl_defines",
|
|
|
|
"ioctl_macros",
|
|
|
|
"*.te",
|
|
|
|
"roles_decl",
|
|
|
|
"roles",
|
|
|
|
"users",
|
|
|
|
"initial_sid_contexts",
|
|
|
|
"fs_use",
|
|
|
|
"genfs_contexts",
|
|
|
|
"port_contexts",
|
2021-02-18 11:15:41 +01:00
|
|
|
],
|
|
|
|
}
|
|
|
|
|
2021-12-16 08:52:14 +01:00
|
|
|
se_build_files {
|
|
|
|
name: "sepolicy_technical_debt",
|
|
|
|
srcs: ["technical_debt.cil"],
|
|
|
|
}
|
|
|
|
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
|
|
|
|
plat_public_policy = [":se_build_files{.plat_public}"]
|
|
|
|
plat_private_policy = [":se_build_files{.plat_private}"]
|
|
|
|
system_ext_public_policy = [":se_build_files{.system_ext_public}"]
|
|
|
|
system_ext_private_policy = [":se_build_files{.system_ext_private}"]
|
|
|
|
product_public_policy = [":se_build_files{.product_public}"]
|
|
|
|
product_private_policy = [":se_build_files{.product_private}"]
|
|
|
|
|
2021-03-22 02:26:13 +01:00
|
|
|
// reqd_policy_mask - a policy.conf file which contains only the bare minimum
|
|
|
|
// policy necessary to use checkpolicy.
|
|
|
|
//
|
|
|
|
// This bare-minimum policy needs to be present in all policy.conf files, but
|
|
|
|
// should not necessarily be exported as part of the public policy.
|
|
|
|
//
|
|
|
|
// The rules generated by reqd_policy_mask will allow the compilation of public
|
|
|
|
// policy and subsequent removal of CIL policy that should not be exported.
|
|
|
|
se_policy_conf {
|
|
|
|
name: "reqd_policy_mask.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: reqd_mask_policy,
|
2021-03-22 02:26:13 +01:00
|
|
|
installable: false,
|
2021-03-17 11:07:15 +01:00
|
|
|
}
|
|
|
|
|
2021-03-22 02:26:13 +01:00
|
|
|
se_policy_cil {
|
|
|
|
name: "reqd_policy_mask.cil",
|
|
|
|
src: ":reqd_policy_mask.conf",
|
|
|
|
secilc_check: false,
|
|
|
|
installable: false,
|
2021-03-17 11:07:15 +01:00
|
|
|
}
|
|
|
|
|
2021-03-22 02:26:13 +01:00
|
|
|
// pub_policy - policy that will be exported to be a part of non-platform
|
|
|
|
// policy corresponding to this platform version.
|
|
|
|
//
|
|
|
|
// This is a limited subset of policy that would not compile in checkpolicy on
|
|
|
|
// its own.
|
|
|
|
//
|
|
|
|
// To get around this limitation, add only the required files from private
|
|
|
|
// policy, which will generate CIL policy that will then be filtered out by the
|
|
|
|
// reqd_policy_mask.
|
|
|
|
//
|
|
|
|
// There are three pub_policy.cil files below:
|
|
|
|
// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
|
|
|
|
// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
|
|
|
|
// - plat_pub_policy.cil: exported 'system' policy.
|
|
|
|
//
|
|
|
|
// Those above files will in turn be used to generate the following versioned cil files:
|
|
|
|
// - product_mapping_file: the versioned, exported 'product' policy in product partition.
|
|
|
|
// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
|
|
|
|
// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
|
|
|
|
// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
|
|
|
|
// in vendor partition.
|
|
|
|
//
|
|
|
|
se_policy_conf {
|
|
|
|
name: "pub_policy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
system_ext_public_policy +
|
|
|
|
product_public_policy +
|
|
|
|
reqd_mask_policy,
|
2023-04-26 04:03:35 +02:00
|
|
|
vendor: true,
|
2021-03-22 02:26:13 +01:00
|
|
|
installable: false,
|
|
|
|
}
|
2021-03-17 11:07:15 +01:00
|
|
|
|
2021-03-22 02:26:13 +01:00
|
|
|
se_policy_cil {
|
|
|
|
name: "pub_policy.cil",
|
|
|
|
src: ":pub_policy.conf",
|
|
|
|
filter_out: [":reqd_policy_mask.cil"],
|
|
|
|
secilc_check: false,
|
2023-04-26 04:03:35 +02:00
|
|
|
vendor: true,
|
2021-03-22 02:26:13 +01:00
|
|
|
installable: false,
|
2021-03-17 11:07:15 +01:00
|
|
|
}
|
|
|
|
|
2021-03-22 02:26:13 +01:00
|
|
|
se_policy_conf {
|
|
|
|
name: "system_ext_pub_policy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
system_ext_public_policy +
|
|
|
|
reqd_mask_policy,
|
2023-04-26 04:03:35 +02:00
|
|
|
system_ext_specific: true,
|
2021-03-17 11:07:15 +01:00
|
|
|
installable: false,
|
2021-02-18 11:15:41 +01:00
|
|
|
}
|
|
|
|
|
2021-03-22 02:26:13 +01:00
|
|
|
se_policy_cil {
|
|
|
|
name: "system_ext_pub_policy.cil",
|
|
|
|
src: ":system_ext_pub_policy.conf",
|
|
|
|
filter_out: [":reqd_policy_mask.cil"],
|
|
|
|
secilc_check: false,
|
2023-04-26 04:03:35 +02:00
|
|
|
system_ext_specific: true,
|
2021-03-22 02:26:13 +01:00
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_conf {
|
|
|
|
name: "plat_pub_policy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
reqd_mask_policy,
|
2021-03-22 02:26:13 +01:00
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "plat_pub_policy.cil",
|
|
|
|
src: ":plat_pub_policy.conf",
|
|
|
|
filter_out: [":reqd_policy_mask.cil"],
|
|
|
|
secilc_check: false,
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
// plat_policy.conf - A combination of the private and public platform policy
|
|
|
|
// which will ship with the device.
|
|
|
|
//
|
|
|
|
// The platform will always reflect the most recent platform version and is not
|
|
|
|
// currently being attributized.
|
|
|
|
se_policy_conf {
|
|
|
|
name: "plat_sepolicy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
plat_private_policy,
|
2021-03-22 02:26:13 +01:00
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "plat_sepolicy.cil",
|
|
|
|
src: ":plat_sepolicy.conf",
|
2021-12-16 08:52:14 +01:00
|
|
|
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
|
2021-03-22 02:26:13 +01:00
|
|
|
}
|
|
|
|
|
2022-08-01 19:20:38 +02:00
|
|
|
|
2021-12-14 13:32:12 +01:00
|
|
|
se_policy_conf {
|
|
|
|
name: "apex_sepolicy-33.conf",
|
2022-08-01 19:20:38 +02:00
|
|
|
srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
|
2021-12-14 13:32:12 +01:00
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "apex_sepolicy-33.cil",
|
|
|
|
src: ":apex_sepolicy-33.conf",
|
2022-08-01 19:20:38 +02:00
|
|
|
filter_out: [":plat_sepolicy.cil"],
|
2021-12-14 13:32:12 +01:00
|
|
|
installable: false,
|
|
|
|
stem: "apex_sepolicy.cil",
|
|
|
|
}
|
|
|
|
|
2022-08-05 13:38:56 +02:00
|
|
|
se_policy_cil {
|
|
|
|
name: "decompiled_sepolicy-without_apex.cil",
|
|
|
|
src: ":precompiled_sepolicy-without_apex",
|
|
|
|
decompile_binary: true,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
2022-09-01 18:07:28 +02:00
|
|
|
name: "apex_sepolicy-33.decompiled.cil",
|
2022-08-05 13:38:56 +02:00
|
|
|
src: ":precompiled_sepolicy",
|
|
|
|
decompile_binary: true,
|
|
|
|
filter_out: [":decompiled_sepolicy-without_apex.cil"],
|
|
|
|
additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
|
|
|
|
secilc_check: false,
|
2022-09-01 18:07:28 +02:00
|
|
|
stem: "apex_sepolicy.decompiled.cil",
|
2022-08-05 13:38:56 +02:00
|
|
|
}
|
|
|
|
|
2021-04-29 15:53:20 +02:00
|
|
|
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
|
|
|
|
se_policy_conf {
|
|
|
|
name: "userdebug_plat_sepolicy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
plat_private_policy,
|
2021-04-29 15:53:20 +02:00
|
|
|
build_variant: "userdebug",
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "userdebug_plat_sepolicy.cil",
|
|
|
|
src: ":userdebug_plat_sepolicy.conf",
|
2021-12-16 08:52:14 +01:00
|
|
|
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
|
2021-04-29 15:53:20 +02:00
|
|
|
debug_ramdisk: true,
|
2021-10-15 21:23:05 +02:00
|
|
|
dist: {
|
|
|
|
targets: ["droidcore"],
|
|
|
|
},
|
2021-04-29 15:53:20 +02:00
|
|
|
}
|
|
|
|
|
2021-09-23 16:14:16 +02:00
|
|
|
// A copy of the userdebug_plat_policy in GSI.
|
|
|
|
soong_config_module_type {
|
|
|
|
name: "gsi_se_policy_cil",
|
|
|
|
module_type: "se_policy_cil",
|
|
|
|
config_namespace: "ANDROID",
|
|
|
|
bool_variables: [
|
|
|
|
"PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
|
|
|
|
],
|
|
|
|
properties: [
|
|
|
|
"enabled",
|
|
|
|
"installable",
|
|
|
|
],
|
|
|
|
}
|
|
|
|
|
|
|
|
gsi_se_policy_cil {
|
|
|
|
name: "system_ext_userdebug_plat_sepolicy.cil",
|
|
|
|
stem: "userdebug_plat_sepolicy.cil",
|
|
|
|
src: ":userdebug_plat_sepolicy.conf",
|
2021-12-16 08:52:14 +01:00
|
|
|
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
|
2021-09-23 16:14:16 +02:00
|
|
|
system_ext_specific: true,
|
|
|
|
enabled: false,
|
|
|
|
installable: false,
|
|
|
|
soong_config_variables: {
|
|
|
|
PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
|
|
|
|
enabled: true,
|
|
|
|
installable: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2021-03-22 02:26:13 +01:00
|
|
|
// system_ext_policy.conf - A combination of the private and public system_ext
|
|
|
|
// policy which will ship with the device. System_ext policy is not attributized
|
|
|
|
se_policy_conf {
|
|
|
|
name: "system_ext_sepolicy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
plat_private_policy +
|
|
|
|
system_ext_public_policy +
|
|
|
|
system_ext_private_policy,
|
2023-04-26 04:03:35 +02:00
|
|
|
system_ext_specific: true,
|
2021-03-22 02:26:13 +01:00
|
|
|
installable: false,
|
2021-03-17 11:07:15 +01:00
|
|
|
}
|
|
|
|
|
2021-03-22 02:26:13 +01:00
|
|
|
se_policy_cil {
|
|
|
|
name: "system_ext_sepolicy.cil",
|
|
|
|
src: ":system_ext_sepolicy.conf",
|
|
|
|
system_ext_specific: true,
|
|
|
|
filter_out: [":plat_sepolicy.cil"],
|
|
|
|
remove_line_marker: true,
|
|
|
|
}
|
|
|
|
|
|
|
|
// product_policy.conf - A combination of the private and public product policy
|
|
|
|
// which will ship with the device. Product policy is not attributized
|
|
|
|
se_policy_conf {
|
|
|
|
name: "product_sepolicy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
plat_private_policy +
|
|
|
|
system_ext_public_policy +
|
|
|
|
system_ext_private_policy +
|
|
|
|
product_public_policy +
|
|
|
|
product_private_policy,
|
2023-04-26 04:03:35 +02:00
|
|
|
product_specific: true,
|
2021-03-22 02:26:13 +01:00
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "product_sepolicy.cil",
|
|
|
|
src: ":product_sepolicy.conf",
|
|
|
|
product_specific: true,
|
|
|
|
filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
|
|
|
|
remove_line_marker: true,
|
|
|
|
}
|
|
|
|
|
2021-03-25 07:37:34 +01:00
|
|
|
// policy mapping files
|
|
|
|
// auto-generate the mapping file for current platform policy, since it needs to
|
|
|
|
// track platform policy development
|
|
|
|
se_versioned_policy {
|
|
|
|
name: "plat_mapping_file",
|
|
|
|
base: ":plat_pub_policy.cil",
|
|
|
|
mapping: true,
|
|
|
|
version: "current",
|
|
|
|
relative_install_path: "mapping", // install to /system/etc/selinux/mapping
|
|
|
|
}
|
|
|
|
|
|
|
|
se_versioned_policy {
|
|
|
|
name: "system_ext_mapping_file",
|
|
|
|
base: ":system_ext_pub_policy.cil",
|
|
|
|
mapping: true,
|
|
|
|
version: "current",
|
|
|
|
filter_out: [":plat_mapping_file"],
|
|
|
|
relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
|
|
|
|
system_ext_specific: true,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_versioned_policy {
|
|
|
|
name: "product_mapping_file",
|
|
|
|
base: ":pub_policy.cil",
|
|
|
|
mapping: true,
|
|
|
|
version: "current",
|
|
|
|
filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
|
|
|
|
relative_install_path: "mapping", // install to /product/etc/selinux/mapping
|
|
|
|
product_specific: true,
|
|
|
|
}
|
|
|
|
|
2021-12-16 11:00:03 +01:00
|
|
|
// vendor/odm sepolicy
|
|
|
|
//
|
|
|
|
// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
|
|
|
|
// policy files of platform (system, system_ext, product) can't be mixed with
|
|
|
|
// policy files of vendor (vendor, odm). If it's the case, platform policies and
|
|
|
|
// vendor policies are separately built. More specifically,
|
|
|
|
//
|
|
|
|
// - Platform policy files needed to build vendor policies, such as plat_policy,
|
|
|
|
// plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
|
|
|
|
// prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
|
|
|
|
//
|
|
|
|
// - sepolicy_neverallows only checks platform policies, and a new module
|
|
|
|
// sepolicy_neverallows_vendor checks vendor policies.
|
|
|
|
//
|
|
|
|
// - neverallow checks are turned off while compiling precompiled_sepolicy
|
|
|
|
// module and sepolicy module.
|
|
|
|
//
|
|
|
|
// - Vendor policies are not checked on the compat test (compat.mk).
|
|
|
|
//
|
|
|
|
// In such scenario, we can grab platform policy files from the prebuilts/api
|
|
|
|
// directory. But we need more than that: prebuilts of system_ext, product,
|
|
|
|
// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
|
|
|
|
// variables are introduced to specify such prebuilts.
|
|
|
|
//
|
|
|
|
// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
|
|
|
|
// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
|
|
|
|
// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
|
|
|
|
// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
|
|
|
|
// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
|
|
|
|
// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
|
|
|
|
//
|
|
|
|
// Vendors are responsible for copying policy files from the old version of the
|
|
|
|
// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
|
|
|
|
// can be used to build vendor policies.
|
|
|
|
//
|
|
|
|
// To support both mixed build and normal build, platform policy files are
|
|
|
|
// indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
|
|
|
|
// to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
|
|
|
|
// Otherwise, they will be equal to the Makefile variables above.
|
|
|
|
|
|
|
|
plat_public_policies_for_vendor = [
|
|
|
|
":se_build_files{.plat_public_for_vendor}",
|
|
|
|
":se_build_files{.system_ext_public_for_vendor}",
|
|
|
|
":se_build_files{.product_public_for_vendor}",
|
|
|
|
":se_build_files{.reqd_mask_for_vendor}",
|
|
|
|
]
|
|
|
|
|
|
|
|
plat_policies_for_vendor = [
|
|
|
|
":se_build_files{.plat_public_for_vendor}",
|
|
|
|
":se_build_files{.plat_private_for_vendor}",
|
|
|
|
":se_build_files{.system_ext_public_for_vendor}",
|
|
|
|
":se_build_files{.system_ext_private_for_vendor}",
|
|
|
|
":se_build_files{.product_public_for_vendor}",
|
|
|
|
":se_build_files{.product_private_for_vendor}",
|
|
|
|
]
|
|
|
|
|
|
|
|
se_policy_conf {
|
|
|
|
name: "plat_policy_for_vendor.conf",
|
|
|
|
srcs: plat_policies_for_vendor,
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "plat_policy_for_vendor.cil",
|
|
|
|
src: ":plat_policy_for_vendor.conf",
|
|
|
|
additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_conf {
|
|
|
|
name: "reqd_policy_mask_for_vendor.conf",
|
|
|
|
srcs: [":se_build_files{.reqd_mask_for_vendor}"],
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "reqd_policy_mask_for_vendor.cil",
|
|
|
|
src: ":reqd_policy_mask_for_vendor.conf",
|
|
|
|
secilc_check: false,
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_conf {
|
|
|
|
name: "pub_policy_for_vendor.conf",
|
|
|
|
srcs: plat_public_policies_for_vendor,
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "pub_policy_for_vendor.cil",
|
|
|
|
src: ":pub_policy_for_vendor.conf",
|
|
|
|
filter_out: [":reqd_policy_mask_for_vendor.cil"],
|
|
|
|
secilc_check: false,
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_versioned_policy {
|
|
|
|
name: "plat_mapping_file_for_vendor",
|
|
|
|
base: ":pub_policy_for_vendor.cil",
|
|
|
|
mapping: true,
|
|
|
|
version: "vendor",
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
2021-03-25 07:37:34 +01:00
|
|
|
// plat_pub_versioned.cil - the exported platform policy associated with the version
|
|
|
|
// that non-platform policy targets.
|
|
|
|
se_versioned_policy {
|
|
|
|
name: "plat_pub_versioned.cil",
|
2021-12-16 11:00:03 +01:00
|
|
|
base: ":pub_policy_for_vendor.cil",
|
|
|
|
target_policy: ":pub_policy_for_vendor.cil",
|
|
|
|
version: "vendor",
|
|
|
|
vendor: true,
|
|
|
|
}
|
|
|
|
|
|
|
|
// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
|
|
|
|
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
|
|
|
|
// policy and the platform public policy files in order to use checkpolicy.
|
|
|
|
se_policy_conf {
|
|
|
|
name: "vendor_sepolicy.conf",
|
|
|
|
srcs: plat_public_policies_for_vendor + [
|
|
|
|
":se_build_files{.plat_vendor_for_vendor}",
|
|
|
|
":se_build_files{.vendor}",
|
|
|
|
],
|
2023-04-26 04:03:35 +02:00
|
|
|
vendor: true,
|
2021-12-16 11:00:03 +01:00
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "vendor_sepolicy.cil.raw",
|
|
|
|
src: ":vendor_sepolicy.conf",
|
|
|
|
filter_out: [":reqd_policy_mask_for_vendor.cil"],
|
|
|
|
secilc_check: false, // will be done in se_versioned_policy module
|
2023-04-26 04:03:35 +02:00
|
|
|
vendor: true,
|
2021-12-16 11:00:03 +01:00
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_versioned_policy {
|
|
|
|
name: "vendor_sepolicy.cil",
|
|
|
|
base: ":pub_policy_for_vendor.cil",
|
|
|
|
target_policy: ":vendor_sepolicy.cil.raw",
|
|
|
|
version: "vendor",
|
2021-03-25 07:37:34 +01:00
|
|
|
dependent_cils: [
|
2021-12-16 11:00:03 +01:00
|
|
|
":plat_policy_for_vendor.cil",
|
|
|
|
":plat_pub_versioned.cil",
|
|
|
|
":plat_mapping_file_for_vendor",
|
2021-03-25 07:37:34 +01:00
|
|
|
],
|
2021-12-16 11:00:03 +01:00
|
|
|
filter_out: [":plat_pub_versioned.cil"],
|
2021-03-25 07:37:34 +01:00
|
|
|
vendor: true,
|
|
|
|
}
|
|
|
|
|
2021-12-16 11:00:03 +01:00
|
|
|
// odm_policy.cil - the odl sepolicy. This needs attributization and to be combined
|
|
|
|
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
|
|
|
|
// policy and the platform public policy files in order to use checkpolicy.
|
|
|
|
se_policy_conf {
|
|
|
|
name: "odm_sepolicy.conf",
|
|
|
|
srcs: plat_public_policies_for_vendor + [
|
|
|
|
":se_build_files{.plat_vendor_for_vendor}",
|
|
|
|
":se_build_files{.vendor}",
|
|
|
|
":se_build_files{.odm}",
|
|
|
|
],
|
2023-04-26 04:03:35 +02:00
|
|
|
device_specific: true,
|
2021-12-16 11:00:03 +01:00
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "odm_sepolicy.cil.raw",
|
|
|
|
src: ":odm_sepolicy.conf",
|
|
|
|
filter_out: [
|
|
|
|
":reqd_policy_mask_for_vendor.cil",
|
|
|
|
":vendor_sepolicy.cil",
|
|
|
|
],
|
|
|
|
secilc_check: false, // will be done in se_versioned_policy module
|
2023-04-26 04:03:35 +02:00
|
|
|
device_specific: true,
|
2021-12-16 11:00:03 +01:00
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_versioned_policy {
|
|
|
|
name: "odm_sepolicy.cil",
|
|
|
|
base: ":pub_policy_for_vendor.cil",
|
|
|
|
target_policy: ":odm_sepolicy.cil.raw",
|
|
|
|
version: "vendor",
|
|
|
|
dependent_cils: [
|
|
|
|
":plat_policy_for_vendor.cil",
|
|
|
|
":plat_pub_versioned.cil",
|
|
|
|
":plat_mapping_file_for_vendor",
|
|
|
|
":vendor_sepolicy.cil",
|
|
|
|
],
|
|
|
|
filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
|
|
|
|
device_specific: true,
|
|
|
|
}
|
|
|
|
|
2021-03-25 07:37:34 +01:00
|
|
|
//////////////////////////////////
|
|
|
|
// Precompiled sepolicy is loaded if and only if:
|
|
|
|
// - plat_sepolicy_and_mapping.sha256 equals
|
|
|
|
// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
|
|
|
|
// AND
|
|
|
|
// - system_ext_sepolicy_and_mapping.sha256 equals
|
|
|
|
// precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
|
|
|
|
// AND
|
|
|
|
// - product_sepolicy_and_mapping.sha256 equals
|
|
|
|
// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
|
2021-12-14 13:32:12 +01:00
|
|
|
// AND
|
|
|
|
// - apex_sepolicy.sha256 equals
|
|
|
|
// precompiled_sepolicy.apex_sepolicy.sha256
|
2021-03-25 07:37:34 +01:00
|
|
|
// See system/core/init/selinux.cpp for details.
|
|
|
|
//////////////////////////////////
|
|
|
|
genrule {
|
|
|
|
name: "plat_sepolicy_and_mapping.sha256_gen",
|
|
|
|
srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
|
|
|
|
out: ["plat_sepolicy_and_mapping.sha256"],
|
|
|
|
cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
|
|
|
|
}
|
|
|
|
|
|
|
|
prebuilt_etc {
|
|
|
|
name: "plat_sepolicy_and_mapping.sha256",
|
|
|
|
filename: "plat_sepolicy_and_mapping.sha256",
|
|
|
|
src: ":plat_sepolicy_and_mapping.sha256_gen",
|
|
|
|
relative_install_path: "selinux",
|
|
|
|
}
|
|
|
|
|
2021-12-14 13:32:12 +01:00
|
|
|
genrule {
|
|
|
|
name: "apex_sepolicy.sha256_gen",
|
|
|
|
srcs: [":apex_sepolicy-33.cil"],
|
|
|
|
out: ["apex_sepolicy.sha256"],
|
|
|
|
cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
|
|
|
|
}
|
|
|
|
|
|
|
|
prebuilt_etc {
|
|
|
|
name: "apex_sepolicy.sha256",
|
|
|
|
filename: "apex_sepolicy.sha256",
|
|
|
|
src: ":apex_sepolicy.sha256_gen",
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
2021-03-25 07:37:34 +01:00
|
|
|
genrule {
|
|
|
|
name: "system_ext_sepolicy_and_mapping.sha256_gen",
|
|
|
|
srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
|
|
|
|
out: ["system_ext_sepolicy_and_mapping.sha256"],
|
|
|
|
cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
|
|
|
|
}
|
|
|
|
|
|
|
|
prebuilt_etc {
|
|
|
|
name: "system_ext_sepolicy_and_mapping.sha256",
|
|
|
|
filename: "system_ext_sepolicy_and_mapping.sha256",
|
|
|
|
src: ":system_ext_sepolicy_and_mapping.sha256_gen",
|
|
|
|
relative_install_path: "selinux",
|
|
|
|
system_ext_specific: true,
|
|
|
|
}
|
|
|
|
|
|
|
|
genrule {
|
|
|
|
name: "product_sepolicy_and_mapping.sha256_gen",
|
|
|
|
srcs: [":product_sepolicy.cil", ":product_mapping_file"],
|
|
|
|
out: ["product_sepolicy_and_mapping.sha256"],
|
|
|
|
cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
|
|
|
|
}
|
|
|
|
|
|
|
|
prebuilt_etc {
|
|
|
|
name: "product_sepolicy_and_mapping.sha256",
|
|
|
|
filename: "product_sepolicy_and_mapping.sha256",
|
|
|
|
src: ":product_sepolicy_and_mapping.sha256_gen",
|
|
|
|
relative_install_path: "selinux",
|
|
|
|
product_specific: true,
|
|
|
|
}
|
|
|
|
|
2021-04-29 17:11:43 +02:00
|
|
|
sepolicy_vers {
|
|
|
|
name: "plat_sepolicy_vers.txt",
|
|
|
|
version: "vendor",
|
|
|
|
vendor: true,
|
|
|
|
}
|
|
|
|
|
2021-05-06 13:44:37 +02:00
|
|
|
soong_config_module_type {
|
2021-12-16 11:00:03 +01:00
|
|
|
name: "precompiled_sepolicy_prebuilts_defaults",
|
2021-05-06 13:44:37 +02:00
|
|
|
module_type: "prebuilt_defaults",
|
|
|
|
config_namespace: "ANDROID",
|
|
|
|
bool_variables: ["BOARD_USES_ODMIMAGE"],
|
|
|
|
properties: ["vendor", "device_specific"],
|
|
|
|
}
|
|
|
|
|
2021-12-16 11:00:03 +01:00
|
|
|
precompiled_sepolicy_prebuilts_defaults {
|
|
|
|
name: "precompiled_sepolicy_prebuilts",
|
2021-05-06 13:44:37 +02:00
|
|
|
soong_config_variables: {
|
|
|
|
BOARD_USES_ODMIMAGE: {
|
|
|
|
device_specific: true,
|
|
|
|
conditions_default: {
|
|
|
|
vendor: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
//////////////////////////////////
|
|
|
|
// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
|
|
|
|
// which precompiled_policy was built.
|
|
|
|
//////////////////////////////////
|
|
|
|
prebuilt_etc {
|
2021-12-16 11:00:03 +01:00
|
|
|
defaults: ["precompiled_sepolicy_prebuilts"],
|
2021-05-06 13:44:37 +02:00
|
|
|
name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
|
|
|
|
filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
|
|
|
|
src: ":plat_sepolicy_and_mapping.sha256_gen",
|
|
|
|
relative_install_path: "selinux",
|
|
|
|
}
|
|
|
|
|
2021-12-14 13:32:12 +01:00
|
|
|
//////////////////////////////////
|
|
|
|
// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
|
|
|
|
// was built.
|
|
|
|
//////////////////////////////////
|
|
|
|
prebuilt_etc {
|
|
|
|
defaults: ["precompiled_sepolicy_prebuilts"],
|
|
|
|
name: "precompiled_sepolicy.apex_sepolicy.sha256",
|
|
|
|
filename: "precompiled_sepolicy.apex_sepolicy.sha256",
|
|
|
|
src: ":apex_sepolicy.sha256_gen",
|
|
|
|
relative_install_path: "selinux",
|
|
|
|
}
|
|
|
|
|
2021-05-06 13:44:37 +02:00
|
|
|
//////////////////////////////////
|
|
|
|
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
|
|
|
|
// which precompiled_policy was built.
|
|
|
|
//////////////////////////////////
|
|
|
|
prebuilt_etc {
|
2021-12-16 11:00:03 +01:00
|
|
|
defaults: ["precompiled_sepolicy_prebuilts"],
|
2021-05-06 13:44:37 +02:00
|
|
|
name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
|
|
|
|
filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
|
|
|
|
src: ":system_ext_sepolicy_and_mapping.sha256_gen",
|
|
|
|
relative_install_path: "selinux",
|
|
|
|
}
|
|
|
|
|
|
|
|
//////////////////////////////////
|
|
|
|
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
|
|
|
|
// which precompiled_policy was built.
|
|
|
|
//////////////////////////////////
|
|
|
|
prebuilt_etc {
|
2021-12-16 11:00:03 +01:00
|
|
|
defaults: ["precompiled_sepolicy_prebuilts"],
|
2021-05-06 13:44:37 +02:00
|
|
|
name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
|
|
|
|
filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
|
|
|
|
src: ":product_sepolicy_and_mapping.sha256_gen",
|
|
|
|
relative_install_path: "selinux",
|
|
|
|
}
|
|
|
|
|
2021-12-16 11:00:03 +01:00
|
|
|
soong_config_module_type {
|
|
|
|
name: "precompiled_se_policy_binary",
|
|
|
|
module_type: "se_policy_binary",
|
|
|
|
config_namespace: "ANDROID",
|
|
|
|
bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
|
|
|
|
value_variables: ["MIXED_SEPOLICY_VERSION"],
|
|
|
|
properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
|
|
|
|
}
|
|
|
|
|
|
|
|
precompiled_se_policy_binary {
|
|
|
|
name: "precompiled_sepolicy",
|
|
|
|
srcs: [
|
|
|
|
":plat_sepolicy.cil",
|
2021-12-14 13:32:12 +01:00
|
|
|
":apex_sepolicy-33.cil",
|
2021-12-16 11:00:03 +01:00
|
|
|
":plat_pub_versioned.cil",
|
|
|
|
":system_ext_sepolicy.cil",
|
|
|
|
":product_sepolicy.cil",
|
|
|
|
":vendor_sepolicy.cil",
|
|
|
|
":odm_sepolicy.cil",
|
|
|
|
],
|
|
|
|
soong_config_variables: {
|
|
|
|
BOARD_USES_ODMIMAGE: {
|
|
|
|
device_specific: true,
|
|
|
|
conditions_default: {
|
|
|
|
vendor: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
IS_TARGET_MIXED_SEPOLICY: {
|
|
|
|
ignore_neverallow: true,
|
|
|
|
},
|
|
|
|
MIXED_SEPOLICY_VERSION: {
|
|
|
|
srcs: [
|
|
|
|
":plat_%s.cil",
|
|
|
|
":system_ext_%s.cil",
|
|
|
|
":product_%s.cil",
|
|
|
|
],
|
|
|
|
conditions_default: {
|
|
|
|
srcs: [
|
|
|
|
":plat_mapping_file",
|
|
|
|
":system_ext_mapping_file",
|
|
|
|
":product_mapping_file",
|
|
|
|
],
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2021-12-22 15:06:53 +01:00
|
|
|
required: [
|
|
|
|
"sepolicy_neverallows",
|
|
|
|
"sepolicy_neverallows_vendor",
|
2022-08-05 13:38:56 +02:00
|
|
|
],
|
|
|
|
dist: {
|
|
|
|
targets: ["base-sepolicy-files-for-mapping"],
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
precompiled_se_policy_binary {
|
|
|
|
name: "precompiled_sepolicy-without_apex",
|
|
|
|
srcs: [
|
|
|
|
":plat_sepolicy.cil",
|
|
|
|
":plat_pub_versioned.cil",
|
|
|
|
":system_ext_sepolicy.cil",
|
|
|
|
":product_sepolicy.cil",
|
|
|
|
":vendor_sepolicy.cil",
|
|
|
|
":odm_sepolicy.cil",
|
|
|
|
],
|
|
|
|
soong_config_variables: {
|
|
|
|
BOARD_USES_ODMIMAGE: {
|
|
|
|
device_specific: true,
|
|
|
|
conditions_default: {
|
|
|
|
vendor: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
IS_TARGET_MIXED_SEPOLICY: {
|
|
|
|
ignore_neverallow: true,
|
|
|
|
},
|
|
|
|
MIXED_SEPOLICY_VERSION: {
|
|
|
|
srcs: [
|
|
|
|
":plat_%s.cil",
|
|
|
|
":system_ext_%s.cil",
|
|
|
|
":product_%s.cil",
|
|
|
|
],
|
|
|
|
conditions_default: {
|
|
|
|
srcs: [
|
|
|
|
":plat_mapping_file",
|
|
|
|
":system_ext_mapping_file",
|
|
|
|
":product_mapping_file",
|
|
|
|
],
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
required: [
|
|
|
|
"sepolicy_neverallows",
|
|
|
|
"sepolicy_neverallows_vendor",
|
2021-12-22 15:06:53 +01:00
|
|
|
],
|
2022-01-21 03:47:54 +01:00
|
|
|
dist: {
|
|
|
|
targets: ["base-sepolicy-files-for-mapping"],
|
|
|
|
},
|
2021-12-16 11:00:03 +01:00
|
|
|
}
|
2021-05-06 13:44:37 +02:00
|
|
|
|
2021-12-28 06:57:03 +01:00
|
|
|
// policy for recovery
|
|
|
|
se_policy_conf {
|
|
|
|
name: "recovery_sepolicy.conf",
|
|
|
|
srcs: plat_policies_for_vendor + [
|
|
|
|
":se_build_files{.plat_vendor_for_vendor}",
|
|
|
|
":se_build_files{.vendor}",
|
|
|
|
":se_build_files{.odm}",
|
|
|
|
],
|
|
|
|
target_recovery: true,
|
|
|
|
installable: false,
|
2023-04-26 04:03:35 +02:00
|
|
|
recovery: true,
|
2021-12-28 06:57:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "recovery_sepolicy.cil",
|
|
|
|
src: ":recovery_sepolicy.conf",
|
|
|
|
secilc_check: false, // will be done in se_policy_binary module
|
|
|
|
installable: false,
|
2023-04-26 04:03:35 +02:00
|
|
|
recovery: true,
|
2021-12-28 06:57:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_binary {
|
|
|
|
name: "sepolicy.recovery",
|
|
|
|
srcs: [":recovery_sepolicy.cil"],
|
|
|
|
stem: "sepolicy",
|
|
|
|
recovery: true,
|
|
|
|
}
|
|
|
|
|
2021-03-22 02:26:13 +01:00
|
|
|
//////////////////////////////////
|
|
|
|
// SELinux policy embedded into CTS.
|
|
|
|
// CTS checks neverallow rules of this policy against the policy of the device under test.
|
|
|
|
//////////////////////////////////
|
|
|
|
se_policy_conf {
|
|
|
|
name: "general_sepolicy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
plat_private_policy,
|
2021-03-22 02:26:13 +01:00
|
|
|
build_variant: "user",
|
|
|
|
cts: true,
|
|
|
|
exclude_build_test: true,
|
|
|
|
}
|
2021-09-15 05:01:05 +02:00
|
|
|
|
2021-09-27 15:43:01 +02:00
|
|
|
//////////////////////////////////
|
|
|
|
// Base system policy for treble sepolicy tests.
|
|
|
|
// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
|
|
|
|
// with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
|
|
|
|
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
|
|
|
|
// See treble_sepolicy_tests_for_release.mk for more details.
|
|
|
|
//////////////////////////////////
|
|
|
|
se_policy_conf {
|
|
|
|
name: "base_plat_sepolicy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
plat_private_policy,
|
2021-09-27 15:43:01 +02:00
|
|
|
build_variant: "user",
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "base_plat_sepolicy.cil",
|
|
|
|
src: ":base_plat_sepolicy.conf",
|
|
|
|
additional_cil_files: ["private/technical_debt.cil"],
|
|
|
|
installable: false,
|
|
|
|
secilc_check: false, // done by se_policy_binary
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_binary {
|
|
|
|
name: "base_plat_sepolicy",
|
|
|
|
srcs: [":base_plat_sepolicy.cil"],
|
|
|
|
installable: false,
|
2022-01-21 03:47:54 +01:00
|
|
|
dist: {
|
|
|
|
targets: ["base-sepolicy-files-for-mapping"],
|
|
|
|
},
|
2021-09-27 15:43:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_conf {
|
|
|
|
name: "base_system_ext_sepolicy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
plat_private_policy +
|
|
|
|
system_ext_public_policy +
|
|
|
|
system_ext_private_policy,
|
2021-09-27 15:43:01 +02:00
|
|
|
build_variant: "user",
|
|
|
|
installable: false,
|
2023-04-26 04:03:35 +02:00
|
|
|
system_ext_specific: true,
|
2021-09-27 15:43:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "base_system_ext_sepolicy.cil",
|
|
|
|
src: ":base_system_ext_sepolicy.conf",
|
|
|
|
additional_cil_files: ["private/technical_debt.cil"],
|
|
|
|
system_ext_specific: true,
|
|
|
|
installable: false,
|
|
|
|
secilc_check: false, // done by se_policy_binary
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_binary {
|
|
|
|
name: "base_system_ext_sepolicy",
|
|
|
|
srcs: [":base_system_ext_sepolicy.cil"],
|
|
|
|
system_ext_specific: true,
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_conf {
|
|
|
|
name: "base_product_sepolicy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
plat_private_policy +
|
|
|
|
system_ext_public_policy +
|
|
|
|
system_ext_private_policy +
|
|
|
|
product_public_policy +
|
|
|
|
product_private_policy,
|
2021-09-27 15:43:01 +02:00
|
|
|
build_variant: "user",
|
|
|
|
installable: false,
|
2023-04-26 04:03:35 +02:00
|
|
|
product_specific: true,
|
2021-09-27 15:43:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "base_product_sepolicy.cil",
|
|
|
|
src: ":base_product_sepolicy.conf",
|
|
|
|
additional_cil_files: ["private/technical_debt.cil"],
|
|
|
|
product_specific: true,
|
|
|
|
installable: false,
|
|
|
|
secilc_check: false, // done by se_policy_binary
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_binary {
|
|
|
|
name: "base_product_sepolicy",
|
|
|
|
srcs: [":base_product_sepolicy.cil"],
|
|
|
|
product_specific: true,
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_conf {
|
|
|
|
name: "base_plat_pub_policy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
reqd_mask_policy,
|
2021-09-27 15:43:01 +02:00
|
|
|
build_variant: "user",
|
|
|
|
installable: false,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "base_plat_pub_policy.cil",
|
|
|
|
src: ":base_plat_pub_policy.conf",
|
|
|
|
filter_out: [":reqd_policy_mask.cil"],
|
|
|
|
secilc_check: false,
|
|
|
|
installable: false,
|
2022-01-21 03:47:54 +01:00
|
|
|
dist: {
|
|
|
|
targets: ["base-sepolicy-files-for-mapping"],
|
|
|
|
},
|
2021-09-27 15:43:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_conf {
|
|
|
|
name: "base_system_ext_pub_policy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
system_ext_public_policy +
|
|
|
|
reqd_mask_policy,
|
2021-09-27 15:43:01 +02:00
|
|
|
build_variant: "user",
|
|
|
|
installable: false,
|
2023-04-26 04:03:35 +02:00
|
|
|
system_ext_specific: true,
|
2021-09-27 15:43:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "base_system_ext_pub_policy.cil",
|
|
|
|
src: ":base_system_ext_pub_policy.conf",
|
|
|
|
filter_out: [":reqd_policy_mask.cil"],
|
|
|
|
secilc_check: false,
|
|
|
|
installable: false,
|
2023-04-26 04:03:35 +02:00
|
|
|
system_ext_specific: true,
|
2021-09-27 15:43:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_conf {
|
|
|
|
name: "base_product_pub_policy.conf",
|
Refactor Android.bp build modules for readability
When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.
This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?
This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_build_files automatically adds plat public and reqd mask
srcs: [":se_build_files{.system_ext_public}"],
}
to:
se_policy_conf {
name: "system_ext_pub_policy.conf",
// se_policy_conf automatically sorts the input files
srcs: [
":se_build_files{.plat_public}",
":se_build_files{.system_ext_public}",
":se_build_files{.reqd_mask}",
],
}
Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3
2021-12-09 15:35:11 +01:00
|
|
|
srcs: plat_public_policy +
|
|
|
|
system_ext_public_policy +
|
|
|
|
product_public_policy +
|
|
|
|
reqd_mask_policy,
|
2021-09-27 15:43:01 +02:00
|
|
|
build_variant: "user",
|
|
|
|
installable: false,
|
2023-04-26 04:03:35 +02:00
|
|
|
product_specific: true,
|
2021-09-27 15:43:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
se_policy_cil {
|
|
|
|
name: "base_product_pub_policy.cil",
|
|
|
|
src: ":base_product_pub_policy.conf",
|
|
|
|
filter_out: [":reqd_policy_mask.cil"],
|
|
|
|
secilc_check: false,
|
|
|
|
installable: false,
|
2023-04-26 04:03:35 +02:00
|
|
|
product_specific: true,
|
2021-09-27 15:43:01 +02:00
|
|
|
}
|
|
|
|
|
2021-11-08 12:30:04 +01:00
|
|
|
// bug_map - Bug tracking information for selinux denials loaded by auditd.
|
2022-04-22 00:50:22 +02:00
|
|
|
se_build_files {
|
2021-11-08 12:30:04 +01:00
|
|
|
name: "bug_map_files",
|
|
|
|
srcs: ["bug_map"],
|
|
|
|
}
|
|
|
|
|
|
|
|
se_bug_map {
|
|
|
|
name: "plat_bug_map",
|
2022-04-22 00:50:22 +02:00
|
|
|
srcs: [":bug_map_files{.plat_private}"],
|
2021-11-08 12:30:04 +01:00
|
|
|
stem: "bug_map",
|
|
|
|
}
|
|
|
|
|
|
|
|
se_bug_map {
|
|
|
|
name: "system_ext_bug_map",
|
2022-04-22 00:50:22 +02:00
|
|
|
srcs: [":bug_map_files{.system_ext_private}"],
|
2021-11-08 12:30:04 +01:00
|
|
|
stem: "bug_map",
|
|
|
|
system_ext_specific: true,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_bug_map {
|
|
|
|
name: "vendor_bug_map",
|
2022-04-22 00:50:22 +02:00
|
|
|
srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor_for_vendor}"],
|
2021-11-08 12:30:04 +01:00
|
|
|
// Legacy file name of the vendor partition bug_map.
|
|
|
|
stem: "selinux_denial_metadata",
|
|
|
|
vendor: true,
|
|
|
|
}
|
|
|
|
|
2021-12-22 15:06:53 +01:00
|
|
|
se_neverallow_test {
|
|
|
|
name: "sepolicy_neverallows",
|
|
|
|
srcs: plat_public_policy +
|
|
|
|
plat_private_policy +
|
|
|
|
system_ext_public_policy +
|
|
|
|
system_ext_private_policy +
|
|
|
|
product_public_policy +
|
|
|
|
product_private_policy,
|
|
|
|
}
|
|
|
|
|
|
|
|
se_neverallow_test {
|
|
|
|
name: "sepolicy_neverallows_vendor",
|
|
|
|
srcs: plat_policies_for_vendor + [
|
|
|
|
":se_build_files{.plat_vendor_for_vendor}",
|
|
|
|
":se_build_files{.vendor}",
|
|
|
|
":se_build_files{.odm}",
|
|
|
|
],
|
2023-04-26 04:03:35 +02:00
|
|
|
vendor: true,
|
2021-12-22 15:06:53 +01:00
|
|
|
}
|
|
|
|
|
2021-09-15 05:01:05 +02:00
|
|
|
//////////////////////////////////
|
|
|
|
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
|
|
|
|
// Additional directories can be specified via Makefile variables:
|
|
|
|
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
|
|
|
|
//////////////////////////////////
|
|
|
|
se_freeze_test {
|
|
|
|
name: "sepolicy_freeze_test",
|
|
|
|
}
|
2022-02-25 03:26:16 +01:00
|
|
|
|
|
|
|
//////////////////////////////////
|
|
|
|
// sepolicy_test checks various types of violations, which can't be easily done
|
|
|
|
// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
|
|
|
|
//////////////////////////////////
|
|
|
|
genrule {
|
|
|
|
name: "sepolicy_test",
|
|
|
|
srcs: [
|
|
|
|
":plat_file_contexts",
|
|
|
|
":vendor_file_contexts",
|
|
|
|
":system_ext_file_contexts",
|
|
|
|
":product_file_contexts",
|
|
|
|
":odm_file_contexts",
|
|
|
|
":precompiled_sepolicy",
|
|
|
|
],
|
|
|
|
tools: ["sepolicy_tests"],
|
|
|
|
out: ["sepolicy_test"],
|
|
|
|
cmd: "$(location sepolicy_tests) " +
|
|
|
|
"-f $(location :plat_file_contexts) " +
|
|
|
|
"-f $(location :vendor_file_contexts) " +
|
|
|
|
"-f $(location :system_ext_file_contexts) " +
|
|
|
|
"-f $(location :product_file_contexts) " +
|
|
|
|
"-f $(location :odm_file_contexts) " +
|
|
|
|
"-p $(location :precompiled_sepolicy) && " +
|
|
|
|
"touch $(out)",
|
|
|
|
}
|