From 07dd59ff14ccf53703042d791427fa04529e1363 Mon Sep 17 00:00:00 2001
From: "P.Adarsh Reddy" <quic_padarshr@quicinc.com>
Date: Mon, 22 Mar 2021 15:55:09 +0530
Subject: [PATCH] Adding sepolicy testcase for system_ext and product.

Types defined in system_ext/public or product/public
can be referenced by vendor side so it is important
to make sure functionality is not broken across version
bumps. So we are adding the treble sepolicy test cases
for system_ext and product sepolicy.

Bug: 173571515
Change-Id: Ia45979497029f83b1ae6712d2d26ffab263a7f91
---
 Android.bp                           |  14 +++
 Android.mk                           | 124 +++++++++++++++++++++++++++
 treble_sepolicy_tests_for_release.mk | 100 ++++++++++++++++++---
 3 files changed, 224 insertions(+), 14 deletions(-)

diff --git a/Android.bp b/Android.bp
index 391411b1b..52144b738 100644
--- a/Android.bp
+++ b/Android.bp
@@ -294,6 +294,20 @@ se_cil_compat_map {
     // top_half: "31.0.ignore.cil",
 }
 
+se_cil_compat_map {
+    name: "system_ext_30.0.ignore.cil",
+    bottom_half: [":30.0.board.ignore.map"],
+    // top_half: "system_ext_31.0.ignore.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_30.0.ignore.cil",
+    bottom_half: [":30.0.board.ignore.map"],
+    // top_half: "product_31.0.ignore.cil",
+    product_specific: true,
+}
+
 se_compat_cil {
     name: "26.0.compat.cil",
     srcs: [":26.0.board.compat.cil"],
diff --git a/Android.mk b/Android.mk
index e058820d9..460109fb2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1461,6 +1461,130 @@ $(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_polic
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
 		-f $(PRIVATE_REQD_MASK) -t $@
 
+
+#####################################################
+intermediates := $(call intermediates-dir-for,ETC,built_system_ext_sepolicy,,,,)
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
+base_system_ext_policy.conf := $(intermediates)/base_system_ext_policy.conf
+$(base_system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_system_ext_policy.conf): $(policy_files) $(M4)
+	$(transform-policy-to-conf)
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+built_system_ext_sepolicy := $(intermediates)/built_system_ext_sepolicy
+$(built_system_ext_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(built_system_ext_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(built_system_ext_sepolicy): $(base_system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/secilc \
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+$(built_sepolicy_neverallows)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+                $(POLICYVERS) -o $@ $<
+	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+base_system_ext_pub_policy.conf := $(intermediates)/base_system_ext_pub_policy.conf
+$(base_system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_system_ext_pub_policy.conf): $(policy_files) $(M4)
+	$(transform-policy-to-conf)
+
+base_system_ext_pub_policy.cil := $(intermediates)/base_system_ext_pub_policy.cil
+$(base_system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(base_system_ext_pub_policy.conf)
+$(base_system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(base_system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+		-f $(PRIVATE_REQD_MASK) -t $@
+
+
+################################################################################
+intermediates := $(call intermediates-dir-for,ETC,built_product_sepolicy,,,,)
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+base_product_policy.conf := $(intermediates)/base_product_policy.conf
+$(base_product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_product_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_product_policy.conf): $(policy_files) $(M4)
+	$(transform-policy-to-conf)
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+built_product_sepolicy := $(intermediates)/built_product_sepolicy
+$(built_product_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(built_product_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(built_product_sepolicy): $(base_product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/secilc \
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+$(built_sepolicy_neverallows)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+                $(POLICYVERS) -o $@ $<
+	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+base_product_pub_policy.conf := $(intermediates)/base_product_pub_policy.conf
+$(base_product_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_product_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_product_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_product_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_product_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_product_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_product_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_product_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_product_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_product_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_product_pub_policy.conf): $(policy_files) $(M4)
+	$(transform-policy-to-conf)
+
+base_product_pub_policy.cil := $(intermediates)/base_product_pub_policy.cil
+$(base_product_pub_policy.cil): PRIVATE_POL_CONF := $(base_product_pub_policy.conf)
+$(base_product_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(base_product_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_product_pub_policy.conf) $(reqd_policy_mask.cil)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+                -f $(PRIVATE_REQD_MASK) -t $@
+
 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 # Tests for Treble compatibility of current platform policy and vendor policy of
 # given release version.
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index fdfe9ee60..1f27727a3 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -11,6 +11,27 @@ LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
 LOCAL_MODULE_CLASS := FAKE
 LOCAL_MODULE_TAGS := optional
 
+# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
+# make file of the system_ext partition.
+SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
+# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
+# make file of the product partition.
+PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
+# BOARD_PLAT_PUB_VERSIONED_POLICY - path_to_plat_pub_versioned_of_vendor
+# plat_pub_versioned.cil should be in
+# $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version) dir.
+# plat_pub_versioned.cil should have platform, system_ext and product sepolicies
+# similar to system/sepolicy/prebuilts/api/$(version/plat_pub_verioned.cil file.
+# In order to enable treble sepolicy tests for platform, system_ext and product
+# sepolicies SYSTEM_EXT_PREBUILT_POLICY , PRODUCT_PREBUILT_POLICY and
+# BOARD_PLAT_PUB_VERSIONED_POLICY should be set.
+IS_TREBLE_TEST_ENABLED_PARTNER := false
+ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
+ifneq (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
+IS_TREBLE_TEST_ENABLED_PARTNER := true
+endif # (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
+endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
+
 include $(BUILD_SYSTEM)/base_rules.mk
 
 # $(version)_plat - the platform policy shipped as part of the $(version) release.  This is
@@ -19,6 +40,20 @@ include $(BUILD_SYSTEM)/base_rules.mk
 # been maintained by our mapping files.
 $(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
 $(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
+$(version)_PLAT_PUBLIC_POLICY += \
+    $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
+$(version)_PLAT_PRIVATE_POLICY += \
+    $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
+endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
+ifneq (,$(PRODUCT_PREBUILT_POLICY))
+$(version)_PLAT_PUBLIC_POLICY += \
+    $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
+$(version)_PLAT_PRIVATE_POLICY += \
+    $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
+endif # (,$(PRODUCT_PREBUILT_POLICY))
+endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
 $(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
 $($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
@@ -52,7 +87,6 @@ $(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXE
 
 $(version)_plat_policy.conf :=
 
-
 # $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
 # targeting the $(version) SELinux release.  This ensures that our policy will build
 # when used on a device that has non-platform policy targetting the $(version) release.
@@ -61,6 +95,21 @@ $(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/
 $(version)_mapping.ignore.cil := \
     $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
 $(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
+$(version)_mapping.cil += \
+    $(call intermediates-dir-for,ETC,system_ext_$(version).cil)/system_ext_$(version).cil
+$(version)_mapping.ignore.cil += \
+    $(call intermediates-dir-for,ETC,system_ext_$(version).ignore.cil)/system_ext_$(version).ignore.cil
+endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
+ifneq (,$(PRODUCT_PREBUILT_POLICY))
+$(version)_mapping.cil += \
+    $(call intermediates-dir-for,ETC,product_$(version).cil)/product_$(version).cil
+$(version)_mapping.ignore.cil += \
+    $(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
+endif # (,$(PRODUCT_PREBUILT_POLICY))
+$(version)_prebuilts_dir := $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version)
+endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 
 # vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
 # nonplat_sepolicy.cil.
@@ -70,10 +119,18 @@ ifeq (,$(wildcard $($(version)_nonplat)))
 $(version)_nonplat := $($(version)_prebuilts_dir)/nonplat_sepolicy.cil
 endif
 
-$($(version)_compat): PRIVATE_CIL_FILES := \
-$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
-$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
+cil_files := $(built_plat_cil)
+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)
+cil_files += $(built_system_ext_cil)
+endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)
+ifneq (,$(PRODUCT_PREBUILT_POLICY)
+cil_files += $(built_product_cil)
+endif # (,$(PRODUCT_PREBUILT_POLICY)
+endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+cil_files += $($(version)_mapping.cil) $($(version)_nonplat)
+$($(version)_compat): PRIVATE_CIL_FILES := $(cil_files)
+$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc $(cil_files)
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
 		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
 
@@ -86,32 +143,47 @@ $($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mappi
 	mkdir -p $(dir $@)
 	cat $^ > $@
 
+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+built_sepolicy_files := $(built_product_sepolicy)
+public_cil_files := $(base_product_pub_policy.cil)
+else
+built_sepolicy_files := $(built_plat_sepolicy)
+public_cil_files := $(base_plat_pub_policy.cil)
+endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 $(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(base_plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
 $(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
 ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
 # TODO(b/113124961): remove fake-treble
 $(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
 endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-  $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
-  $(base_plat_pub_policy.cil) \
+  $(all_fc_files) $(built_sepolicy) \
+  $(built_sepolicy_files) \
+  $(public_cil_files) \
   $(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
-		$(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
-		-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-		-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
-		-u $(PRIVATE_PLAT_PUB_SEPOLICY) \
-		$(PRIVATE_FAKE_TREBLE)
+                $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
+                -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+                -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
+                -u $(PRIVATE_PLAT_PUB_SEPOLICY) \
+                $(PRIVATE_FAKE_TREBLE)
 	$(hide) touch $@
 
+$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
+$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
+$(version)_PRODUCT_PUBLIC_POLICY :=
+$(version)_PRODUCT_PRIVATE_POLICY :=
 $(version)_PLAT_PUBLIC_POLICY :=
 $(version)_PLAT_PRIVATE_POLICY :=
+built_sepolicy_files :=
+public_cil_files :=
+cil_files :=
 $(version)_compat :=
 $(version)_mapping.cil :=
 $(version)_mapping.combined.cil :=