tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Migrate system sepolicy binaries to Soong

Browse source 
Bug: 33691272
Test: m selinux_policy
Test: boot microdroid
Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
This commit is contained in:
Inseob Kim 2021-09-27 13:43:01 +00:00
parent b9d0511de4
commit 4d90b7e78b
3 changed files with 138 additions and 207 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

119
Android.bp
View file

@ -1034,6 +1034,125 @@ se_policy_conf {
exclude_build_test: true, exclude_build_test: true,
} }
//////////////////////////////////
// Base system policy for treble sepolicy tests.
// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
// with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
// See treble_sepolicy_tests_for_release.mk for more details.
//////////////////////////////////
se_policy_conf {
name: "base_plat_sepolicy.conf",
srcs: [":se_build_files{.plat}"],
build_variant: "user",
installable: false,
}
se_policy_cil {
name: "base_plat_sepolicy.cil",
src: ":base_plat_sepolicy.conf",
additional_cil_files: ["private/technical_debt.cil"],
installable: false,
secilc_check: false, // done by se_policy_binary
}
se_policy_binary {
name: "base_plat_sepolicy",
srcs: [":base_plat_sepolicy.cil"],
installable: false,
}
se_policy_conf {
name: "base_system_ext_sepolicy.conf",
srcs: [":se_build_files{.system_ext}"],
build_variant: "user",
installable: false,
}
se_policy_cil {
name: "base_system_ext_sepolicy.cil",
src: ":base_system_ext_sepolicy.conf",
additional_cil_files: ["private/technical_debt.cil"],
system_ext_specific: true,
installable: false,
secilc_check: false, // done by se_policy_binary
}
se_policy_binary {
name: "base_system_ext_sepolicy",
srcs: [":base_system_ext_sepolicy.cil"],
system_ext_specific: true,
installable: false,
}
se_policy_conf {
name: "base_product_sepolicy.conf",
srcs: [":se_build_files{.product}"],
build_variant: "user",
installable: false,
}
se_policy_cil {
name: "base_product_sepolicy.cil",
src: ":base_product_sepolicy.conf",
additional_cil_files: ["private/technical_debt.cil"],
product_specific: true,
installable: false,
secilc_check: false, // done by se_policy_binary
}
se_policy_binary {
name: "base_product_sepolicy",
srcs: [":base_product_sepolicy.cil"],
product_specific: true,
installable: false,
}
se_policy_conf {
name: "base_plat_pub_policy.conf",
srcs: [":se_build_files{.plat_public}"],
build_variant: "user",
installable: false,
}
se_policy_cil {
name: "base_plat_pub_policy.cil",
src: ":base_plat_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "base_system_ext_pub_policy.conf",
srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
build_variant: "user",
installable: false,
}
se_policy_cil {
name: "base_system_ext_pub_policy.cil",
src: ":base_system_ext_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "base_product_pub_policy.conf",
srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
build_variant: "user",
installable: false,
}
se_policy_cil {
name: "base_product_pub_policy.cil",
src: ":base_product_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
////////////////////////////////// //////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy // se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
// Additional directories can be specified via Makefile variables: // Additional directories can be specified via Makefile variables:

211
Android.mk
View file

@ -1304,199 +1304,18 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(
$(hide) touch $@ $(hide) touch $@
################################## ##################################
intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,)
# plat_sepolicy - the current platform policy only, built into a policy binary.
# TODO - this currently excludes partner extensions, but support should be added
# to enable partners to add their own compatibility mapping
policy_files := $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
built_plat_sepolicy := $(intermediates)/built_plat_sepolicy
$(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
$(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/secilc \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
$(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
$(POLICYVERS) -o $@ $<
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
policy_files := $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf
$(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(base_plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(base_plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil
$(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf)
$(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil)
@mkdir -p $(dir $@)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
#####################################################
intermediates := $(call intermediates-dir-for,ETC,built_system_ext_sepolicy,,,,)
policy_files := $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
base_system_ext_policy.conf := $(intermediates)/base_system_ext_policy.conf
$(base_system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(base_system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(base_system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(base_system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(base_system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(base_system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_system_ext_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
built_system_ext_sepolicy := $(intermediates)/built_system_ext_sepolicy
$(built_system_ext_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
$(built_system_ext_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(built_system_ext_sepolicy): $(base_system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/secilc \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
$(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
$(POLICYVERS) -o $@ $<
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
policy_files := $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
base_system_ext_pub_policy.conf := $(intermediates)/base_system_ext_pub_policy.conf
$(base_system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(base_system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(base_system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(base_system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(base_system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(base_system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_system_ext_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
base_system_ext_pub_policy.cil := $(intermediates)/base_system_ext_pub_policy.cil
$(base_system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(base_system_ext_pub_policy.conf)
$(base_system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
$(base_system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
@mkdir -p $(dir $@)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
################################################################################
intermediates := $(call intermediates-dir-for,ETC,built_product_sepolicy,,,,)
policy_files := $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
$(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
base_product_policy.conf := $(intermediates)/base_product_policy.conf
$(base_product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(base_product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(base_product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(base_product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(base_product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(base_product_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_product_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
built_product_sepolicy := $(intermediates)/built_product_sepolicy
$(built_product_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
$(built_product_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(built_product_sepolicy): $(base_product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/secilc \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
$(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
$(POLICYVERS) -o $@ $<
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
policy_files := $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
base_product_pub_policy.conf := $(intermediates)/base_product_pub_policy.conf
$(base_product_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_product_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(base_product_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(base_product_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(base_product_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(base_product_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(base_product_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_product_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_product_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_product_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_product_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
base_product_pub_policy.cil := $(intermediates)/base_product_pub_policy.cil
$(base_product_pub_policy.cil): PRIVATE_POL_CONF := $(base_product_pub_policy.conf)
$(base_product_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
$(base_product_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_product_pub_policy.conf) $(reqd_policy_mask.cil)
@mkdir -p $(dir $@)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
# Tests for Treble compatibility of current platform policy and vendor policy of # Tests for Treble compatibility of current platform policy and vendor policy of
# given release version. # given release version.
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy
base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
version_under_treble_tests := 26.0 version_under_treble_tests := 26.0
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
version_under_treble_tests := 27.0 version_under_treble_tests := 27.0
@ -1524,9 +1343,12 @@ include $(LOCAL_PATH)/compat.mk
version_under_treble_tests := 31.0 version_under_treble_tests := 31.0
include $(LOCAL_PATH)/compat.mk include $(LOCAL_PATH)/compat.mk
base_plat_policy.conf := built_plat_sepolicy :=
base_plat_pub_policy.conf := built_system_ext_sepolicy :=
plat_sepolicy := built_product_sepolicy :=
base_plat_pub_policy.cil :=
base_system_ext_pub_polcy.cil :=
base_product_pub_policy.cil :=
all_fc_files := all_fc_files :=
all_fc_args := all_fc_args :=
@ -1550,7 +1372,6 @@ built_sepolicy :=
built_sepolicy_neverallows := built_sepolicy_neverallows :=
built_plat_svc := built_plat_svc :=
built_vendor_svc := built_vendor_svc :=
built_plat_sepolicy :=
treble_sysprop_neverallow := treble_sysprop_neverallow :=
enforce_sysprop_owner := enforce_sysprop_owner :=
enforce_debugfs_restriction := enforce_debugfs_restriction :=

15
microdroid/Android.bp
View file

@ -227,24 +227,15 @@ prebuilt_etc {
installable: false, installable: false,
} }
genrule { se_policy_binary {
name: "microdroid_precompiled_sepolicy_gen", name: "microdroid_precompiled_sepolicy",
tools: ["secilc"], stem: "precompiled_sepolicy",
srcs: [ srcs: [
":microdroid_plat_sepolicy.cil", ":microdroid_plat_sepolicy.cil",
":microdroid_plat_mapping_file", ":microdroid_plat_mapping_file",
":microdroid_plat_pub_versioned.cil", ":microdroid_plat_pub_versioned.cil",
":microdroid_vendor_sepolicy.cil", ":microdroid_vendor_sepolicy.cil",
], ],
out: ["precompiled_sepolicy"],
cmd: "$(location secilc) -m -M true -G -c 30 $(in) -o $(out) -f /dev/null",
}
prebuilt_etc {
name: "microdroid_precompiled_sepolicy",
src: ":microdroid_precompiled_sepolicy_gen",
filename: "precompiled_sepolicy",
relative_install_path: "selinux",
installable: false, installable: false,
} }