From 3c3e59b2a2644f866cea47371e9c92037fb08f6d Mon Sep 17 00:00:00 2001 From: Dan Willemsen Date: Wed, 19 Jun 2019 10:52:50 -0700 Subject: [PATCH] Use prebuilt m4 instead of system m4 Bug: 117561006 Test: treehugger Change-Id: Id794aed10fdffef10490561d2cfeb2a92801b331 --- Android.mk | 121 +++++++++++++++++---------- build/soong/selinux_contexts.go | 3 +- definitions.mk | 4 +- mac_permissions.mk | 45 ++++++---- treble_sepolicy_tests_for_release.mk | 6 +- 5 files changed, 112 insertions(+), 67 deletions(-) diff --git a/Android.mk b/Android.mk index 1779ff2f9..a58ecbe68 100644 --- a/Android.mk +++ b/Android.mk @@ -345,6 +345,10 @@ include $(BUILD_SYSTEM)/base_rules.mk # sepolicy_policy.conf - All of the policy for the device. This is only used to # check neverallow rules. +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \ + $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ + $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) sepolicy_policy.conf := $(intermediates)/policy.conf $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 
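Review bot: `policy_files` is introduced in this hunk as a plain file-scope scratch variable that is then reassigned in front of every `*.conf` rule of Android.mk (this hunk through the @@ -1286 hunk), but no final `policy_files :=` reset is visible in the Android.mk hunks, whereas treble_sepolicy_tests_for_release.mk clears it after its last use. The reuse itself is safe because each rule snapshots the value into `PRIVATE_POLICY_FILES` with `:=` and the prerequisite list `$(policy_files)` is expanded when the rule is parsed, but the last value lingers in the global namespace for whatever makefile is parsed next. Suggest a `policy_files :=` after the base_plat_pub_policy.conf rule, and a comment at this first definition such as `# scratch: reassigned before each policy.conf rule below and snapshotted into PRIVATE_POLICY_FILES`.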
@@ -354,15 +358,17 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) -$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \ -$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \ -$(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ -$(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) +$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(sepolicy_policy.conf): $(policy_files) $(M4) $(transform-policy-to-conf) $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit # sepolicy_policy_2.conf - All of the policy for the device. This is only used to # check neverallow rules using sepolicy-analyze, similar to CTS. +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \ + $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ + $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) sepolicy_policy_2.conf := $(intermediates)/policy_2.conf $(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 
@@ -373,10 +379,8 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) -$(sepolicy_policy_2.conf): $(call build_policy, $(sepolicy_build_files), \ -$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \ -$(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ -$(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) +$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(sepolicy_policy_2.conf): $(policy_files) $(M4) $(transform-policy-to-conf) $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit @@ -409,6 +413,7 @@ built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE) # the compilation of public policy and subsequent removal of CIL policy that # should not be exported. +policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY)) reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf $(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS) @@ -419,7 +424,8 @@ $(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_cove $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY)) +$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(reqd_policy_mask.conf): $(policy_files) $(M4) $(transform-policy-to-conf) # b/37755687 CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0 
@@ -438,6 +444,8 @@ reqd_policy_mask.conf := # policy that would not compile in checkpolicy on its own. To get around this # limitation, add only the required files from private policy, which will # generate CIL policy that will then be filtered out by the reqd_policy_mask. +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) pub_policy.conf := $(intermediates)/pub_policy.conf $(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) @@ -448,8 +456,8 @@ $(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \ -$(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) +$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(pub_policy.conf): $(policy_files) $(M4) $(transform-policy-to-conf) pub_policy.cil := $(intermediates)/pub_policy.cil $(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf) @@ -464,6 +472,8 @@ $(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil pub_policy.conf := ################################## +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf $(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 
@@ -474,8 +484,8 @@ $(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_cover $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \ -$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) +$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(plat_pub_policy.conf): $(policy_files) $(M4) $(transform-policy-to-conf) plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil @@ -503,6 +513,8 @@ include $(BUILD_SYSTEM)/base_rules.mk # plat_policy.conf - A combination of the private and public platform policy # which will ship with the device. The platform will always reflect the most # recent platform version and is not currently being attributized. +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) plat_policy.conf := $(intermediates)/plat_policy.conf $(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) @@ -513,8 +525,8 @@ $(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \ -$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) +$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(plat_policy.conf): $(policy_files) $(M4) $(transform-policy-to-conf) $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 
@@ -546,6 +558,8 @@ LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT) include $(BUILD_SYSTEM)/base_rules.mk # userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf $(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) @@ -556,8 +570,8 @@ $(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native $(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(userdebug_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \ -$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) +$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(userdebug_plat_policy.conf): $(policy_files) $(M4) $(transform-policy-to-conf) $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit @@ -590,6 +604,9 @@ include $(BUILD_SYSTEM)/base_rules.mk # product_policy.conf - A combination of the private and public product policy # which will ship with the device. Product policy is not attributized. +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ + $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)) product_policy.conf := $(intermediates)/product_policy.conf $(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 
@@ -600,9 +617,8 @@ $(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_covera $(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(product_policy.conf): $(call build_policy, $(sepolicy_build_files), \ -$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ -$(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)) +$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(product_policy.conf): $(policy_files) $(M4) $(transform-policy-to-conf) $(hide) sed '/dontaudit/d' $@ > $@.dontaudit @@ -732,6 +748,9 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux include $(BUILD_SYSTEM)/base_rules.mk +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \ + $(BOARD_VENDOR_SEPOLICY_DIRS)) vendor_policy.conf := $(intermediates)/vendor_policy.conf $(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) @@ -742,9 +761,8 @@ $(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverag $(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(vendor_policy.conf): $(call build_policy, $(sepolicy_build_files), \ -$(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \ -$(BOARD_VENDOR_SEPOLICY_DIRS)) +$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(vendor_policy.conf): $(policy_files) $(M4) $(transform-policy-to-conf) $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 
@@ -783,6 +801,9 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux include $(BUILD_SYSTEM)/base_rules.mk +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \ + $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) odm_policy.conf := $(intermediates)/odm_policy.conf $(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) @@ -793,9 +814,8 @@ $(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(odm_policy.conf): $(call build_policy, $(sepolicy_build_files), \ - $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \ - $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) +$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(odm_policy.conf): $(policy_files) $(M4) $(transform-policy-to-conf) $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit @@ -1001,6 +1021,11 @@ LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) include $(BUILD_SYSTEM)/base_rules.mk +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ + $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ + $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \ + $(BOARD_ODM_SEPOLICY_DIRS)) sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf $(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 
@@ -1010,11 +1035,8 @@ $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true -$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \ - $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ - $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \ - $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \ - $(BOARD_ODM_SEPOLICY_DIRS)) +$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(sepolicy.recovery.conf): $(policy_files) $(M4) $(transform-policy-to-conf) $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit @@ -1052,6 +1074,8 @@ LOCAL_MODULE_TAGS := tests include $(BUILD_SYSTEM)/base_rules.mk +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS) $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS) $(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user @@ -1060,8 +1084,8 @@ $(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts $(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts $(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true -$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \ -$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) +$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files) +$(LOCAL_BUILT_MODULE): $(policy_files) $(M4) $(transform-policy-to-conf) $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit 
@@ -1114,9 +1138,10 @@ ifeq ($(TARGET_FLATTEN_APEX),true) endif file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp -$(file_contexts.local.tmp): $(local_fc_files) +$(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files) +$(file_contexts.local.tmp): $(local_fc_files) $(M4) @mkdir -p $(dir $@) - $(hide) m4 --fatal-warnings -s $^ > $@ + $(hide) $(M4) --fatal-warnings -s $(PRIVATE_FC_FILES) > $@ device_fc_files := $(call build_vendor_policy, file_contexts) @@ -1126,9 +1151,10 @@ endif file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp $(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(file_contexts.device.tmp): $(device_fc_files) +$(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files) +$(file_contexts.device.tmp): $(device_fc_files) $(M4) @mkdir -p $(dir $@) - $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ + $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@ file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp $(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy) 
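Review bot: The three file_contexts rules use three different names for the same role — `PRIVATE_FC_FILES` here, `PRIVATE_DEVICE_FC_FILES` in the @@ -1126 hunk and `PRIVATE_CONTEXTS` in the @@ -1139 hunk — for the input list that replaces `$^` now that `$(M4)` is a prerequisite. One name across all three (for example `PRIVATE_FC_FILES`) makes the pattern recognisable and lowers the risk of a later rule wiring up the wrong list. A one-line comment on the first occurrence would also record why `$^` was dropped: `# $^ would now include $(M4); pass the input files explicitly.`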
@@ -1139,9 +1165,10 @@ $(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@ file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp -$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) +$(file_contexts.concat.tmp): PRIVATE_CONTEXTS := $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) +$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) $(M4) @mkdir -p $(dir $@) - $(hide) m4 --fatal-warnings -s $^ > $@ + $(hide) $(M4) --fatal-warnings -s $(PRIVATE_CONTEXTS) > $@ $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc @@ -1199,9 +1226,9 @@ vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp $(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles) $(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(vndservice_contexts.tmp): $(vnd_svcfiles) +$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4) @mkdir -p $(dir $@) - $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ + $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) $(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 
@@ -1249,6 +1276,8 @@ intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,) # to enable partners to add their own compatibility mapping BASE_PLAT_PUBLIC_POLICY := $(filter-out $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR), $(PLAT_PUBLIC_POLICY)) BASE_PLAT_PRIVATE_POLICY := $(filter-out $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR), $(PLAT_PRIVATE_POLICY)) +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(BASE_PLAT_PUBLIC_POLICY) $(BASE_PLAT_PRIVATE_POLICY)) base_plat_policy.conf := $(intermediates)/base_plat_policy.conf $(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) @@ -1258,8 +1287,8 @@ $(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true $(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(base_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \ -$(BASE_PLAT_PUBLIC_POLICY) $(BASE_PLAT_PRIVATE_POLICY)) +$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(base_plat_policy.conf): $(policy_files) $(M4) $(transform-policy-to-conf) $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit @@ -1277,6 +1306,8 @@ $(built_sepolicy_neverallows) $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null +policy_files := $(call build_policy, $(sepolicy_build_files), \ + $(BASE_PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf $(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 
@@ -1286,8 +1317,8 @@ $(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true $(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(base_plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \ -$(BASE_PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) +$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) +$(base_plat_pub_policy.conf): $(policy_files) $(M4) $(transform-policy-to-conf) base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go index 632237cf7..020357ae8 100644 --- a/build/soong/selinux_contexts.go +++ b/build/soong/selinux_contexts.go @@ -263,7 +263,8 @@ func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, rule := android.NewRuleBuilder() rule.Command(). - Text("m4 --fatal-warnings -s"). + Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")). + Text("--fatal-warnings -s"). FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()). Inputs(inputs). FlagWithOutput("> ", m.outputPath) diff --git a/definitions.mk b/definitions.mk index 16c8bd669..1a7d06efa 100644 --- a/definitions.mk +++ b/definitions.mk @@ -2,7 +2,7 @@ # processed by checkpolicy define transform-policy-to-conf @mkdir -p $(dir $@) -$(hide) m4 --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \ +$(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \ -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \ -D target_with_dexpreopt=$(WITH_DEXPREOPT) \ 
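Review bot: `transform-policy-to-conf` now invokes `$(M4)` at the top of the define, but nothing visible in definitions.mk checks that `M4` is set; if a build environment leaves it empty the recipe line degrades to running `--fatal-warnings` as the command and the resulting error does not point at the real cause. A parse-time guard near the top of the file, `$(if $(strip $(M4)),,$(error M4 must point to the prebuilt m4 binary))`, fails early with a clear message. Where `M4` is assigned is not part of this diff, so the core build files may already guarantee it.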
@@ -13,6 +13,6 @@ $(hide) m4 --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \ -D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \ -D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \ $(PRIVATE_TGT_RECOVERY) \ - -s $^ > $@ + -s $(PRIVATE_POLICY_FILES) > $@ endef .KATI_READONLY := transform-policy-to-conf diff --git a/mac_permissions.mk b/mac_permissions.mk index 86ea9ab4b..7cb1b98a2 100644 --- a/mac_permissions.mk +++ b/mac_permissions.mk @@ -7,14 +7,16 @@ LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux include $(BUILD_SYSTEM)/base_rules.mk +all_plat_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY)) +all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY)) + # Build keys.conf plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp $(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY)) +$(plat_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_plat_mac_perms_keys) +$(plat_mac_perms_keys.tmp): $(all_plat_mac_perms_keys) $(M4) @mkdir -p $(dir $@) - $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ - -all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY)) + $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@ # Should be synced with keys.conf. all_plat_keys := platform media networkstack shared testkey @@ -27,8 +29,9 @@ $(all_plat_mac_perms_files) $(all_plat_keys) $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \ $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES) -all_mac_perms_files := all_plat_keys := +all_plat_mac_perms_files := +all_plat_mac_perms_keys := plat_mac_perms_keys.tmp := ################################## 
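Review bot: With `-s $^` replaced by `-s $(PRIVATE_POLICY_FILES)`, a rule that uses `transform-policy-to-conf` without setting `PRIVATE_POLICY_FILES` (an out-of-tree user of the define, or a rule missed in the conversion) no longer fails loudly: m4 receives no file operands and reads standard input, so the outcome is an empty or stalled target instead of an error. Suggest folding a check into the first recipe line of the define, `@$(if $(PRIVATE_POLICY_FILES),,$(error $@: PRIVATE_POLICY_FILES is not set))mkdir -p $(dir $@)`, which expands at recipe time where both `$@` and the target-specific variable are available. A comment above the define should state the new contract, e.g. `# Callers must set PRIVATE_POLICY_FILES to the policy source list and depend on $(M4).`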
@@ -41,14 +44,16 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux include $(BUILD_SYSTEM)/base_rules.mk +all_product_mac_perms_keys := $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY)) +all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY)) + # Build keys.conf product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp $(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(product_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY)) +$(product_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_product_mac_perms_keys) +$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys) @mkdir -p $(dir $@) - $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ - -all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY)) + $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files) $(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \ @@ -58,6 +63,7 @@ $(all_product_mac_perms_files) product_mac_perms_keys.tmp := all_product_mac_perms_files := +all_product_mac_perms_keys := ################################## include $(CLEAR_VARS) 
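Review bot: The product keys.conf rule is the one block in mac_permissions.mk that does not get `$(M4)` as a prerequisite — `$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys)` lacks it while the plat, vendor and odm rules (@@ -7, @@ -69, @@ -97) add it — so nothing orders the prebuilt m4 before this recipe runs, and the recipe still passes `$^` even though `PRIVATE_KEYS` is set on the line above and otherwise unused. Suggest `$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys) $(M4)` together with `$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@`. Once `$(M4)` is a prerequisite, `$^` must not be used here, or the m4 binary itself is handed to m4 as an input file.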
@@ -69,14 +75,16 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux include $(BUILD_SYSTEM)/base_rules.mk +all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) +all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) + # Build keys.conf vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp $(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) +$(vendor_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_vendor_mac_perms_keys) +$(vendor_mac_perms_keys.tmp): $(all_vendor_mac_perms_keys) $(M4) @mkdir -p $(dir $@) - $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ - -all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) + $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@ $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files) $(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \ @@ -86,6 +94,7 @@ $(all_vendor_mac_perms_files) vendor_mac_perms_keys.tmp := all_vendor_mac_perms_files := +all_vendor_mac_perms_keys := ################################## include $(CLEAR_VARS) 
@@ -97,14 +106,16 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux include $(BUILD_SYSTEM)/base_rules.mk +all_odm_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) +all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) + # Build keys.conf odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp $(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(odm_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) +$(odm_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_odm_mac_perms_keys) +$(odm_mac_perms_keys.tmp): $(all_odm_mac_perms_keys) $(M4) @mkdir -p $(dir $@) - $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ - -all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) + $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@ $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files) $(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \ diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk index 40e75c050..3d9bca42c 100644 --- a/treble_sepolicy_tests_for_release.mk +++ b/treble_sepolicy_tests_for_release.mk @@ -16,6 +16,7 @@ include $(BUILD_SYSTEM)/base_rules.mk # been maintained by our mapping files. $(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public $(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private +policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY)) $(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf $($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 
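Review bot: The new `policy_files` line in treble_sepolicy_tests_for_release.mk is a single very long assignment, while every equivalent definition in Android.mk wraps the directory list onto a continuation line; wrapping it the same way, `policy_files := $(call build_policy, $(sepolicy_build_files), \` followed by `    $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))`, keeps the files consistent and greppable. Since the variable is global and this file appears to be included once per `$(version)`, a short comment would help, e.g. `# scratch list for the $(version)_plat_policy.conf rule below; reset after use`.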
@@ -25,11 +26,12 @@ $($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true -$($(version)_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \ -$($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY)) +$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) +$($(version)_plat_policy.conf): $(policy_files) $(M4) $(transform-policy-to-conf) $(hide) sed '/dontaudit/d' $@ > $@.dontaudit +policy_files := built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy $(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \