Build vendor/odm sepolicies with Android.bp

The following files are built with Android.bp: - vendor_sepolicy.cil - odm_sepolicy.cil - prebuilt_sepolicy Also, prebuilt_policy.mk is removed as it's now redundant. Bug: 33691272 Test: build and compare artifacts Test: build with rvc-dev sepolicy Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
2021-12-16 19:00:03 +09:00 · 2021-12-16 19:00:03 +09:00 · 3ac62fe9f6
commit 3ac62fe9f6
parent 1d06dc2811
6 changed files with 285 additions and 597 deletions
--- a/Android.bp
+++ b/Android.bp
@ -903,24 +903,193 @@ se_versioned_policy {
    product_specific: true,
 }
 // vendor/odm sepolicy
 //
 // If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
 // policy files of platform (system, system_ext, product) can't be mixed with
 // policy files of vendor (vendor, odm). If it's the case, platform policies and
 // vendor policies are separately built. More specifically,
 //
 // - Platform policy files needed to build vendor policies, such as plat_policy,
 //   plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
 //   prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
 //
 // - sepolicy_neverallows only checks platform policies, and a new module
 //   sepolicy_neverallows_vendor checks vendor policies.
 //
 // - neverallow checks are turned off while compiling precompiled_sepolicy
 //   module and sepolicy module.
 //
 // - Vendor policies are not checked on the compat test (compat.mk).
 //
 // In such scenario, we can grab platform policy files from the prebuilts/api
 // directory. But we need more than that: prebuilts of system_ext, product,
 // system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
 // variables are introduced to specify such prebuilts.
 //
 // - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
 // - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
 // - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
 // - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
 // - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
 // - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
 //
 // Vendors are responsible for copying policy files from the old version of the
 // source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
 // can be used to build vendor policies.
 //
 // To support both mixed build and normal build, platform policy files are
 // indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
 // to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
 // Otherwise, they will be equal to the Makefile variables above.
 plat_public_policies_for_vendor = [
    ":se_build_files{.plat_public_for_vendor}",
    ":se_build_files{.system_ext_public_for_vendor}",
    ":se_build_files{.product_public_for_vendor}",
    ":se_build_files{.reqd_mask_for_vendor}",
 ]
 plat_policies_for_vendor = [
    ":se_build_files{.plat_public_for_vendor}",
    ":se_build_files{.plat_private_for_vendor}",
    ":se_build_files{.system_ext_public_for_vendor}",
    ":se_build_files{.system_ext_private_for_vendor}",
    ":se_build_files{.product_public_for_vendor}",
    ":se_build_files{.product_private_for_vendor}",
 ]
 se_policy_conf {
    name: "plat_policy_for_vendor.conf",
    srcs: plat_policies_for_vendor,
    installable: false,
 }
 se_policy_cil {
    name: "plat_policy_for_vendor.cil",
    src: ":plat_policy_for_vendor.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
    installable: false,
 }
 se_policy_conf {
    name: "reqd_policy_mask_for_vendor.conf",
    srcs: [":se_build_files{.reqd_mask_for_vendor}"],
    installable: false,
 }
 se_policy_cil {
    name: "reqd_policy_mask_for_vendor.cil",
    src: ":reqd_policy_mask_for_vendor.conf",
    secilc_check: false,
    installable: false,
 }
 se_policy_conf {
    name: "pub_policy_for_vendor.conf",
    srcs: plat_public_policies_for_vendor,
    installable: false,
 }
 se_policy_cil {
    name: "pub_policy_for_vendor.cil",
    src: ":pub_policy_for_vendor.conf",
    filter_out: [":reqd_policy_mask_for_vendor.cil"],
    secilc_check: false,
    installable: false,
 }
 se_versioned_policy {
    name: "plat_mapping_file_for_vendor",
    base: ":pub_policy_for_vendor.cil",
    mapping: true,
    version: "vendor",
    installable: false,
 }
 // plat_pub_versioned.cil - the exported platform policy associated with the version
 // that non-platform policy targets.
 se_versioned_policy {
    name: "plat_pub_versioned.cil",
-    base: ":pub_policy.cil",
+    base: ":pub_policy_for_vendor.cil",
-    target_policy: ":pub_policy.cil",
+    target_policy: ":pub_policy_for_vendor.cil",
-    version: "current",
+    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    vendor: true,
 }
 // vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
 // with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
 // policy and the platform public policy files in order to use checkpolicy.
 se_policy_conf {
    name: "vendor_sepolicy.conf",
    srcs: plat_public_policies_for_vendor + [
        ":se_build_files{.plat_vendor_for_vendor}",
        ":se_build_files{.vendor}",
    ],
    installable: false,
 }
 se_policy_cil {
    name: "vendor_sepolicy.cil.raw",
    src: ":vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask_for_vendor.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    installable: false,
 }
 se_versioned_policy {
    name: "vendor_sepolicy.cil",
    base: ":pub_policy_for_vendor.cil",
    target_policy: ":vendor_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_policy_for_vendor.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file_for_vendor",
    ],
    filter_out: [":plat_pub_versioned.cil"],
    vendor: true,
 }
 // odm_policy.cil - the odl sepolicy. This needs attributization and to be combined
 // with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
 // policy and the platform public policy files in order to use checkpolicy.
 se_policy_conf {
    name: "odm_sepolicy.conf",
    srcs: plat_public_policies_for_vendor + [
        ":se_build_files{.plat_vendor_for_vendor}",
        ":se_build_files{.vendor}",
        ":se_build_files{.odm}",
    ],
    installable: false,
 }
 se_policy_cil {
    name: "odm_sepolicy.cil.raw",
    src: ":odm_sepolicy.conf",
    filter_out: [
        ":reqd_policy_mask_for_vendor.cil",
        ":vendor_sepolicy.cil",
    ],
    secilc_check: false, // will be done in se_versioned_policy module
    installable: false,
 }
 se_versioned_policy {
    name: "odm_sepolicy.cil",
    base: ":pub_policy_for_vendor.cil",
    target_policy: ":odm_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_policy_for_vendor.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file_for_vendor",
        ":vendor_sepolicy.cil",
    ],
    filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
    device_specific: true,
 }
 //////////////////////////////////
 // Precompiled sepolicy is loaded if and only if:
 // - plat_sepolicy_and_mapping.sha256 equals
@ -984,15 +1153,15 @@ sepolicy_vers {
 }
 soong_config_module_type {
-    name: "precompiled_sepolicy_defaults",
+    name: "precompiled_sepolicy_prebuilts_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: ["vendor", "device_specific"],
 }
-precompiled_sepolicy_defaults {
+precompiled_sepolicy_prebuilts_defaults {
-    name: "precompiled_sepolicy",
+    name: "precompiled_sepolicy_prebuilts",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
@ -1008,7 +1177,7 @@ precompiled_sepolicy_defaults {
 // which precompiled_policy was built.
 //////////////////////////////////
 prebuilt_etc {
-    defaults: ["precompiled_sepolicy"],
+    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
@ -1020,7 +1189,7 @@ prebuilt_etc {
 // which precompiled_policy was built.
 //////////////////////////////////
 prebuilt_etc {
-    defaults: ["precompiled_sepolicy"],
+    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
@ -1032,13 +1201,61 @@ prebuilt_etc {
 // which precompiled_policy was built.
 //////////////////////////////////
 prebuilt_etc {
-    defaults: ["precompiled_sepolicy"],
+    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
 }
 soong_config_module_type {
    name: "precompiled_se_policy_binary",
    module_type: "se_policy_binary",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
    value_variables: ["MIXED_SEPOLICY_VERSION"],
    properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
 }
 precompiled_se_policy_binary {
    name: "precompiled_sepolicy",
    srcs: [
        ":plat_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":vendor_sepolicy.cil",
        ":odm_sepolicy.cil",
    ],
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
        IS_TARGET_MIXED_SEPOLICY: {
            ignore_neverallow: true,
            conditions_default: {
                ignore_neverallow: false,
            },
        },
        MIXED_SEPOLICY_VERSION: {
            srcs: [
                ":plat_%s.cil",
                ":system_ext_%s.cil",
                ":product_%s.cil",
            ],
            conditions_default: {
                srcs: [
                    ":plat_mapping_file",
                    ":system_ext_mapping_file",
                    ":product_mapping_file",
                ],
            },
        },
    },
 }
 //////////////////////////////////
 // SELinux policy embedded into CTS.
--- a/Android.mk
+++ b/Android.mk
@ -81,45 +81,6 @@ ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
 HAS_PRODUCT_SEPOLICY_DIR := true
 endif
 # If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
 # policy files of platform (system, system_ext, product) can't be mixed with
 # policy files of vendor (vendor, odm). If it's the case, platform policies and
 # vendor policies are separately built. More specifically,
 #
 # - Platform policy files needed to build vendor policies, such as plat_policy,
 #   plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
 #   prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
 #
 # - sepolicy_neverallows only checks platform policies, and a new module
 #   sepolicy_neverallows_vendor checks vendor policies.
 #
 # - neverallow checks are turned off while compiling precompiled_sepolicy module
 #   and sepolicy module.
 #
 # - Vendor policies are not checked on the compat test (compat.mk).
 #
 # In such scenario, we can grab platform policy files from the prebuilts/api
 # directory. But we need more than that: prebuilts of system_ext, product,
 # system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following variables
 # are introduced to specify such prebuilts.
 #
 # - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
 # - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
 # - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
 # - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
 # - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
 # - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
 #
 # Vendors are responsible for copying policy files from the old version of the
 # source tree as prebuilts, and for setting BOARD_*_POLICY variables so they can
 # be used to build vendor policies. See prebuilt_policy.mk for more details.
 #
 # To support both mixed build and normal build, platform policy files are
 # indirectly referred by {partition}_{public|private}_policy_$(ver) variables
 # when building vendor policies. See vendor_sepolicy.cil and odm_sepolicy.cil
 # for more details.
 #
 # sepolicy.recovery is also compiled from vendor and plat prebuilt policies.
 ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
 mixed_sepolicy_build := true
 else
@ -569,7 +530,15 @@ include $(BUILD_PHONY_PACKAGE)
 #################################
 ifeq ($(mixed_sepolicy_build),true)
-include $(LOCAL_PATH)/prebuilt_policy.mk
+ver := $(BOARD_SEPOLICY_VERS)
 reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
 plat_public_policy_$(ver) := $(LOCAL_PATH)/prebuilts/api/$(ver)/public
 plat_private_policy_$(ver) := $(LOCAL_PATH)/prebuilts/api/$(ver)/private
 system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
 system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
 product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
 product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
 ver :=
 else
 reqd_policy_$(PLATFORM_SEPOLICY_VERSION) := $(REQD_MASK_POLICY)
 plat_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/public
@ -741,247 +710,36 @@ built_sepolicy_neverallows += $(LOCAL_BUILT_MODULE)
 endif # ifeq ($(mixed_sepolicy_build),true)
 ##################################
-# plat policy files are now built with Android.bp. Grab them from intermediate.
+# Policy files are now built with Android.bp. Grab them from intermediate.
-# See Android.bp for details of plat policy files.
+# See Android.bp for details of policy files.
 #
 reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
 reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
 pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
 pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
 system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
 system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
 plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
 plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
 built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
 built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
 built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
 built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
 ifdef HAS_SYSTEM_EXT_SEPOLICY
 built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
 built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
 built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
 built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
 endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
 ifdef HAS_PRODUCT_SEPOLICY
 built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
 built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
 built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
 built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
 endif # ifdef HAS_PRODUCT_SEPOLICY
 built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
 built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
-# b/37755687
+built_vendor_cil := $(call intermediates-dir-for,ETC,vendor_sepolicy.cil)/vendor_sepolicy.cil
 CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
 #################################
 include $(CLEAR_VARS)
 # vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
 # with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
 # policy and the platform public policy files in order to use checkpolicy.
 LOCAL_MODULE := vendor_sepolicy.cil
 LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
 LOCAL_LICENSE_CONDITIONS := notice unencumbered
 LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_PROPRIETARY_MODULE := true
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 include $(BUILD_SYSTEM)/base_rules.mk
 # Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
 policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
  $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
  $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
 vendor_policy.conf := $(intermediates)/vendor_policy.conf
 $(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
 $(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(vendor_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 $(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
 $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
 $(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
 $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
 $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
 $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
 $(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS))
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
  $(vendor_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
  $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
  $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
  $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
  $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
 		-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
 		-b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \
 		-t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
 built_vendor_cil := $(LOCAL_BUILT_MODULE)
 vendor_policy.conf :=
 #################################
 include $(CLEAR_VARS)
 ifdef BOARD_ODM_SEPOLICY_DIRS
-# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
+built_odm_cil := $(call intermediates-dir-for,ETC,odm_sepolicy.cil)/odm_sepolicy.cil
 # with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
 # policy and the platform public policy files in order to use checkpolicy.
 LOCAL_MODULE := odm_sepolicy.cil
 LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
 LOCAL_LICENSE_CONDITIONS := notice unencumbered
 LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_PROPRIETARY_MODULE := true
 LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
 include $(BUILD_SYSTEM)/base_rules.mk
 # Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
 policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
  $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
  $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
 odm_policy.conf := $(intermediates)/odm_policy.conf
 $(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
 $(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(odm_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 $(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
 $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
 $(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
 $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
 $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
 $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
 $(built_vendor_cil)
 $(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_vendor_cil)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
  $(odm_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
  $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
  $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
  $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
  $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
  $(built_vendor_cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
 		-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
 		-b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \
 		-t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
 built_odm_cil := $(LOCAL_BUILT_MODULE)
 odm_policy.conf :=
 odm_policy_raw :=
 endif
 #################################
 include $(CLEAR_VARS)
 LOCAL_MODULE := precompiled_sepolicy
 LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
 LOCAL_LICENSE_CONDITIONS := notice unencumbered
 LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_PROPRIETARY_MODULE := true
 ifeq ($(BOARD_USES_ODMIMAGE),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
 else
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 endif
 include $(BUILD_SYSTEM)/base_rules.mk
 all_cil_files := \
    $(built_plat_cil) \
    $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
    $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
    $(built_vendor_cil)
 ifdef HAS_SYSTEM_EXT_SEPOLICY
 all_cil_files += $(built_system_ext_cil)
 endif
 ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
 all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
 endif
 ifdef HAS_PRODUCT_SEPOLICY
 all_cil_files += $(built_product_cil)
 endif
 ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
 all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
 endif
 ifdef BOARD_ODM_SEPOLICY_DIRS
 all_cil_files += $(built_odm_cil)
 endif
 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
 # Neverallow checks are skipped in a mixed build target.
 $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
 		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
 built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
 all_cil_files :=
 #################################
 # Precompiled sepolicy is loaded if and only if:
 # - plat_sepolicy_and_mapping.sha256 equals
 #   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
 # AND
 # - system_ext_sepolicy_and_mapping.sha256 equals
 #   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
 # AND
 # - product_sepolicy_and_mapping.sha256 equals
 #   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
 # See system/core/init/selinux.cpp for details.
 #################################
 #################################
 include $(CLEAR_VARS)
 # build this target so that we can still perform neverallow checks
@ -999,7 +757,7 @@ include $(BUILD_SYSTEM)/base_rules.mk
 all_cil_files := \
    $(built_plat_cil) \
    $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
-    $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
+    $(built_pub_vers_cil) \
    $(built_vendor_cil)
 ifdef HAS_SYSTEM_EXT_SEPOLICY
@ -1321,7 +1079,6 @@ built_system_ext_mapping_cil :=
 built_product_mapping_cil :=
 built_vendor_cil :=
 built_odm_cil :=
 built_precompiled_sepolicy :=
 built_sepolicy :=
 built_sepolicy_neverallows :=
 built_plat_svc :=
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@ -95,8 +95,33 @@ func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 	b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
 	b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "public"))
 	b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "private"))
 	b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
 	b.srcs[".system_ext_public"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs()...)
 	b.srcs[".system_ext_private"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()...)
 	b.srcs[".product_public"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs()...)
 	b.srcs[".product_private"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs()...)
 	b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
 	b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
 	if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
 		// vendor uses the same source with plat policy
 		b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]
 		b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]
 		b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]
 		b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]
 		b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]
 		b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]
 		b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]
 		b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]
 	} else {
 		// use vendor-supplied plat prebuilts
 		b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
 		b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
 		b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
 		b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
 		b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
 		b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
 		b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
 		b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
 	}
 }
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@ -181,7 +181,15 @@ func (c *cilCompatMap) AndroidMk() android.AndroidMkData {
 }
 var _ CilCompatMapGenerator = (*cilCompatMap)(nil)
 var _ android.OutputFileProducer = (*cilCompatMap)(nil)
 func (c *cilCompatMap) GeneratedMapFile() android.Path {
 	return c.installSource
 }
 func (c *cilCompatMap) OutputFiles(tag string) (android.Paths, error) {
 	if tag == "" {
 		return android.Paths{c.installSource}, nil
 	}
 	return nil, fmt.Errorf("Unknown tag %q", tag)
 }
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@ -35,8 +35,8 @@ type versionedPolicyProperties struct {
 	// Output file name. Defaults to {name} if target_policy is set, {version}.cil if mapping is set
 	Stem *string
-	// Target sepolicy version. Can be a specific version number (e.g. "30.0" for R) or "current"
+	// Target sepolicy version. Can be a specific version number (e.g. "30.0" for R), "current"
-	// (PLATFORM_SEPOLICY_VERSION). Defaults to "current"
+	// (PLATFORM_SEPOLICY_VERSION), or "vendor" (BOARD_SEPOLICY_VERS). Defaults to "current"
 	Version *string
 	// If true, generate mapping file from given base cil file. Cannot be set with target_policy.
@ -90,6 +90,8 @@ func (m *versionedPolicy) GenerateAndroidBuildActions(ctx android.ModuleContext)
 	version := proptools.StringDefault(m.properties.Version, "current")
 	if version == "current" {
 		version = ctx.DeviceConfig().PlatformSepolicyVersion()
 	} else if version == "vendor" {
 		version = ctx.DeviceConfig().BoardSepolicyVers()
 	}
 	var stem string
--- a/prebuilt_policy.mk
+++ b/prebuilt_policy.mk
@ -1,321 +0,0 @@
 # Copyright (C) 2020 The Android Open Source Project
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # prebuilt_policy.mk generates policy files from prebuilts of BOARD_SEPOLICY_VERS.
 # The policy files will only be used to compile vendor and odm policies.
 #
 # Specifically, the following prebuilts are used...
 # - system/sepolicy/prebuilts/api/{BOARD_SEPOLICY_VERS}
 # - BOARD_PLAT_VENDOR_POLICY               (copy of system/sepolicy/vendor from a previous release)
 # - BOARD_REQD_MASK_POLICY                 (copy of reqd_mask from a previous release)
 # - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS  (copy of system_ext public from a previous release)
 # - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (copy of system_ext private from a previous release)
 # - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS     (copy of product public from a previous release)
 # - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS    (copy of product private from a previous release)
 #
 # ... to generate following policy files.
 #
 # - reqd policy mask
 # - plat, system_ext, product public policy
 # - plat, system_ext, product policy
 # - plat, system_ext, product versioned policy
 #
 # These generated policy files will be used only when building vendor policies.
 # They are not installed to system, system_ext, or product partition.
 ver := $(BOARD_SEPOLICY_VERS)
 prebuilt_dir := $(LOCAL_PATH)/prebuilts/api/$(ver)
 plat_public_policy_$(ver) := $(prebuilt_dir)/public
 plat_private_policy_$(ver) := $(prebuilt_dir)/private
 system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
 system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
 product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
 product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
 ##################################
 # policy-to-conf-rule: a helper macro to transform policy files to conf file.
 #
 # This expands to a set of rules which assign variables for transform-policy-to-conf and then call
 # transform-policy-to-conf. Before calling this, policy_files must be set with build_policy macro.
 #
 # $(1): output path (.conf file)
 define policy-to-conf-rule
 $(1): PRIVATE_MLS_SENS := $$(MLS_SENS)
 $(1): PRIVATE_MLS_CATS := $$(MLS_CATS)
 $(1): PRIVATE_TARGET_BUILD_VARIANT := $$(TARGET_BUILD_VARIANT)
 $(1): PRIVATE_TGT_ARCH := $$(my_target_arch)
 $(1): PRIVATE_TGT_WITH_ASAN := $$(with_asan)
 $(1): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $$(with_native_coverage)
 $(1): PRIVATE_ADDITIONAL_M4DEFS := $$(LOCAL_ADDITIONAL_M4DEFS)
 $(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
 $(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
 $(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
 $(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
 $(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
 $(1): PRIVATE_POLICY_FILES := $$(policy_files)
 $(1): $$(policy_files) $$(M4)
 	$$(transform-policy-to-conf)
 endef
 ##################################
 # reqd_policy_mask_$(ver).cil
 #
 policy_files := $(call build_policy, $(sepolicy_build_files), $(BOARD_REQD_MASK_POLICY))
 reqd_policy_mask_$(ver).conf := $(intermediates)/reqd_policy_mask_$(ver).conf
 $(eval $(call policy-to-conf-rule,$(reqd_policy_mask_$(ver).conf)))
 # b/37755687
 CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
 reqd_policy_mask_$(ver).cil := $(intermediates)/reqd_policy_mask_$(ver).cil
 $(reqd_policy_mask_$(ver).cil): $(reqd_policy_mask_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
 		$(POLICYVERS) -o $@ $<
 reqd_policy_mask_$(ver).conf :=
 reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
 ##################################
 # plat_pub_policy_$(ver).cil: exported plat policies
 #
 policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(reqd_policy_$(ver)))
 plat_pub_policy_$(ver).conf := $(intermediates)/plat_pub_policy_$(ver).conf
 $(eval $(call policy-to-conf-rule,$(plat_pub_policy_$(ver).conf)))
 plat_pub_policy_$(ver).cil := $(intermediates)/plat_pub_policy_$(ver).cil
 $(plat_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(plat_pub_policy_$(ver).conf)
 $(plat_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
 $(plat_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
 $(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
 		-f $(PRIVATE_REQD_MASK) -t $@
 plat_pub_policy_$(ver).conf :=
 ##################################
 # plat_mapping_cil_$(ver).cil: versioned exported system policy
 #
 plat_mapping_cil_$(ver) := $(intermediates)/plat_mapping_$(ver).cil
 $(plat_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
 $(plat_mapping_cil_$(ver)) : $(plat_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
 built_plat_mapping_cil_$(ver) := $(plat_mapping_cil_$(ver))
 ##################################
 # plat_policy_$(ver).cil: system policy
 #
 policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) )
 plat_policy_$(ver).conf := $(intermediates)/plat_policy_$(ver).conf
 $(eval $(call policy-to-conf-rule,$(plat_policy_$(ver).conf)))
 plat_policy_$(ver).cil := $(intermediates)/plat_policy_$(ver).cil
 $(plat_policy_$(ver).cil): PRIVATE_ADDITIONAL_CIL_FILES := \
  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
 $(plat_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
 $(plat_policy_$(ver).cil): $(plat_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/secilc \
  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
 		$(POLICYVERS) -o $@.tmp $<
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
 	$(hide) mv $@.tmp $@
 plat_policy_$(ver).conf :=
 built_plat_cil_$(ver) := $(plat_policy_$(ver).cil)
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
 ##################################
 # system_ext_pub_policy_$(ver).cil: exported system and system_ext policy
 #
 policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) $(reqd_policy_$(ver)))
 system_ext_pub_policy_$(ver).conf := $(intermediates)/system_ext_pub_policy_$(ver).conf
 $(eval $(call policy-to-conf-rule,$(system_ext_pub_policy_$(ver).conf)))
 system_ext_pub_policy_$(ver).cil := $(intermediates)/system_ext_pub_policy_$(ver).cil
 $(system_ext_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(system_ext_pub_policy_$(ver).conf)
 $(system_ext_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
 $(system_ext_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
 $(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
 		-f $(PRIVATE_REQD_MASK) -t $@
 system_ext_pub_policy_$(ver).conf :=
 ##################################
 # system_ext_policy_$(ver).cil: system_ext policy
 #
 policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
  $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) )
 system_ext_policy_$(ver).conf := $(intermediates)/system_ext_policy_$(ver).conf
 $(eval $(call policy-to-conf-rule,$(system_ext_policy_$(ver).conf)))
 system_ext_policy_$(ver).cil := $(intermediates)/system_ext_policy_$(ver).cil
 $(system_ext_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
 $(system_ext_policy_$(ver).cil): PRIVATE_PLAT_CIL := $(built_plat_cil_$(ver))
 $(system_ext_policy_$(ver).cil): $(system_ext_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
 $(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver))
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
 	$(POLICYVERS) -o $@ $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
 		-f $(PRIVATE_PLAT_CIL) -t $@
 	# Line markers (denoted by ;;) are malformed after above cmd. They are only
 	# used for debugging, so we remove them.
 	$(hide) grep -v ';;' $@ > $@.tmp
 	$(hide) mv $@.tmp $@
 	# Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
 	# latter doesn't accidentally depend on vendor/odm policies.
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
 		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
 system_ext_policy_$(ver).conf :=
 built_system_ext_cil_$(ver) := $(system_ext_policy_$(ver).cil)
 ##################################
 # system_ext_mapping_cil_$(ver).cil: versioned exported system_ext policy
 #
 system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
 $(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
 $(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
 $(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
 $(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
 $(system_ext_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
 $(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil)
 	@mkdir -p $(dir $@)
 	# Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
 	# sepolicy minus plat_mapping_file.
 	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
 		-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
 built_system_ext_mapping_cil_$(ver) := $(system_ext_mapping_cil_$(ver))
 endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
 ifdef HAS_PRODUCT_SEPOLICY_DIR
 ##################################
 # product_policy_$(ver).cil: product policy
 #
 policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
  $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) \
  $(product_public_policy_$(ver)) $(product_private_policy_$(ver)) )
 product_policy_$(ver).conf := $(intermediates)/product_policy_$(ver).conf
 $(eval $(call policy-to-conf-rule,$(product_policy_$(ver).conf)))
 product_policy_$(ver).cil := $(intermediates)/product_policy_$(ver).cil
 $(product_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
 $(product_policy_$(ver).cil): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
 $(product_policy_$(ver).cil): $(product_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
 $(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
 $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
 	$(POLICYVERS) -o $@ $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
 		-f $(PRIVATE_PLAT_CIL_FILES) -t $@
 	# Line markers (denoted by ;;) are malformed after above cmd. They are only
 	# used for debugging, so we remove them.
 	$(hide) grep -v ';;' $@ > $@.tmp
 	$(hide) mv $@.tmp $@
 	# Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
 	# make sure that the latter doesn't accidentally depend on vendor/odm policies.
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
 		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
 product_policy_$(ver).conf :=
 built_product_cil_$(ver) := $(product_policy_$(ver).cil)
 endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
 ##################################
 # pub_policy_$(ver).cil: exported plat, system_ext, and product policies
 #
 policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) \
  $(product_public_policy_$(ver)) $(reqd_policy_$(ver)) )
 pub_policy_$(ver).conf := $(intermediates)/pub_policy_$(ver).conf
 $(eval $(call policy-to-conf-rule,$(pub_policy_$(ver).conf)))
 pub_policy_$(ver).cil := $(intermediates)/pub_policy_$(ver).cil
 $(pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(pub_policy_$(ver).conf)
 $(pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
 $(pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
 $(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
 		-f $(PRIVATE_REQD_MASK) -t $@
 pub_policy_$(ver).conf :=
 ifdef HAS_PRODUCT_SEPOLICY_DIR
 ##################################
 # product_mapping_cil_$(ver).cil: versioned exported product policy
 #
 product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
 $(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
 $(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
 $(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil)
 $(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
 $(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
 $(product_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
 $(product_mapping_cil_$(ver)) : $(built_system_ext_mapping_cil_$(ver))
 	@mkdir -p $(dir $@)
 	# Generate product mapping file as mapping file of all public sepolicy minus
 	# plat_mapping_file and system_ext_mapping_file.
 	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
 		-f $(PRIVATE_FILTER_CIL_FILES) -t $@
 built_product_mapping_cil_$(ver) := $(product_mapping_cil_$(ver))
 endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
 ##################################
 # plat_pub_versioned_$(ver).cil - the exported platform policy
 #
 plat_pub_versioned_$(ver).cil := $(intermediates)/plat_pub_versioned_$(ver).cil
 $(plat_pub_versioned_$(ver).cil) : PRIVATE_VERS := $(ver)
 $(plat_pub_versioned_$(ver).cil) : PRIVATE_TGT_POL := $(pub_policy_$(ver).cil)
 $(plat_pub_versioned_$(ver).cil) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) \
 $(built_product_cil_$(ver)) $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) \
 $(built_product_mapping_cil_$(ver))
 $(plat_pub_versioned_$(ver).cil) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
  $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) $(built_product_cil_$(ver)) \
  $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) $(built_product_mapping_cil_$(ver))
 	@mkdir -p $(dir $@)
 	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
 		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
 built_pub_vers_cil_$(ver) := $(plat_pub_versioned_$(ver).cil)