Build prebuilt policy with Soong

... and remove redundant Makefile code. This also updates the commit hook
as we now only use Soong to build sepolicy.

Bug: 296875906
Test: m selinux_policy
Change-Id: I93f0d222a0c10e31c51c9380780a8927c47d62b1
Inseob Kim 2023-09-06 14:39:49 +09:00
parent eb0d40aa85
commit 5d7423ff3d
14 changed files with 183 additions and 250 deletions


@ -752,33 +752,6 @@ se_policy_binary {
}, },
} }
se_policy_conf {
name: "base_system_ext_sepolicy.conf",
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
system_ext_private_policy,
build_variant: "user",
installable: false,
system_ext_specific: true,
}
se_policy_cil {
name: "base_system_ext_sepolicy.cil",
src: ":base_system_ext_sepolicy.conf",
additional_cil_files: ["private/technical_debt.cil"],
system_ext_specific: true,
installable: false,
secilc_check: false, // done by se_policy_binary
}
se_policy_binary {
name: "base_system_ext_sepolicy",
srcs: [":base_system_ext_sepolicy.cil"],
system_ext_specific: true,
installable: false,
}
se_policy_conf { se_policy_conf {
name: "base_product_sepolicy.conf", name: "base_product_sepolicy.conf",
srcs: plat_public_policy + srcs: plat_public_policy +
@ -827,25 +800,6 @@ se_policy_cil {
}, },
} }
se_policy_conf {
name: "base_system_ext_pub_policy.conf",
srcs: plat_public_policy +
system_ext_public_policy +
reqd_mask_policy,
build_variant: "user",
installable: false,
system_ext_specific: true,
}
se_policy_cil {
name: "base_system_ext_pub_policy.cil",
src: ":base_system_ext_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
system_ext_specific: true,
}
se_policy_conf { se_policy_conf {
name: "base_product_pub_policy.conf", name: "base_product_pub_policy.conf",
srcs: plat_public_policy + srcs: plat_public_policy +


@ -1,13 +1,7 @@
LOCAL_PATH:= $(call my-dir) LOCAL_PATH:= $(call my-dir)
include $(LOCAL_PATH)/definitions.mk
include $(LOCAL_PATH)/policy_version.mk
include $(CLEAR_VARS) include $(CLEAR_VARS)
MLS_SENS=1
MLS_CATS=1024
ifdef BOARD_SEPOLICY_UNION ifdef BOARD_SEPOLICY_UNION
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.) $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif endif
@ -73,7 +67,6 @@ ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
HAS_PRODUCT_SEPOLICY_DIR := true HAS_PRODUCT_SEPOLICY_DIR := true
endif endif
NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user) ifeq ($(TARGET_BUILD_VARIANT),user)
$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds) $(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
@ -81,7 +74,6 @@ endif
$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \ $(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
It does not work in user builds and using it will \ It does not work in user builds and using it will \
not stop you from failing CTS.) not stop you from failing CTS.)
NEVERALLOW_ARG := -N
endif endif
# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before. # BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
@ -170,36 +162,11 @@ ifdef HAS_PRODUCT_SEPOLICY_DIR
endif endif
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
# CIL files which contain workarounds for current limitation of human-readable
# module policy language. These files are appended to the CIL files produced
# from module language files.
sepolicy_build_cil_workaround_files := technical_debt.cil
my_target_arch := $(TARGET_ARCH)
ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
my_target_arch := mips
endif
intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
with_asan := false with_asan := false
ifneq (,$(filter address,$(SANITIZE_TARGET))) ifneq (,$(filter address,$(SANITIZE_TARGET)))
with_asan := true with_asan := true
endif endif
with_native_coverage := false
ifeq ($(NATIVE_COVERAGE),true)
with_native_coverage := true
endif
ifeq ($(CLANG_COVERAGE),true)
with_native_coverage := true
endif
treble_sysprop_neverallow := true
ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
treble_sysprop_neverallow := false
endif
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined) #$(warning no product shipping level defined)
else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),) else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
@ -208,16 +175,6 @@ else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
endif endif
endif endif
enforce_sysprop_owner := true
ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
enforce_sysprop_owner := false
endif
enforce_debugfs_restriction := false
ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
enforce_debugfs_restriction := true
endif
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined) #$(warning no product shipping level defined)
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),) else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@ -226,13 +183,6 @@ else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
endif endif
endif endif
# Library extension for host-side tests
ifeq ($(HOST_OS),darwin)
SHAREDLIB_EXT=dylib
else
SHAREDLIB_EXT=so
endif
################################# #################################
include $(CLEAR_VARS) include $(CLEAR_VARS)
@ -480,16 +430,6 @@ include $(BUILD_PHONY_PACKAGE)
# Policy files are now built with Android.bp. Grab them from intermediate. # Policy files are now built with Android.bp. Grab them from intermediate.
# See Android.bp for details of policy files. # See Android.bp for details of policy files.
# #
built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
ifdef HAS_SYSTEM_EXT_SEPOLICY
built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
ifdef HAS_PRODUCT_SEPOLICY
built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
endif # ifdef HAS_PRODUCT_SEPOLICY
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
@ -542,6 +482,23 @@ ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY))) local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif endif
###########################################################
## Collect file_contexts files into a single tmp file with m4
##
## $(1): list of file_contexts files
## $(2): filename into which file_contexts files are merged
###########################################################
define _merge-fc-files
$(2): $(1) $(M4)
$(hide) mkdir -p $$(dir $$@)
$(hide) $(M4) --fatal-warnings -s $(1) > $$@
endef
define merge-fc-files
$(eval $(call _merge-fc-files,$(1),$(2)))
endef
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp)) $(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
@ -581,32 +538,14 @@ $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
built_fc := $(LOCAL_BUILT_MODULE)
local_fc_files := local_fc_files :=
local_fcfiles_with_nl :=
device_fc_files := device_fc_files :=
device_fcfiles_with_nl :=
file_contexts.concat.tmp := file_contexts.concat.tmp :=
file_contexts.device.sorted.tmp := file_contexts.device.sorted.tmp :=
file_contexts.device.tmp := file_contexts.device.tmp :=
file_contexts.local.tmp := file_contexts.local.tmp :=
file_contexts.modules.tmp := file_contexts.modules.tmp :=
##################################
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
endif
ifdef HAS_PRODUCT_SEPOLICY_DIR
all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
endif
all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
################################## ##################################
# Tests for Treble compatibility of current platform policy and vendor policy of # Tests for Treble compatibility of current platform policy and vendor policy of
# given release version. # given release version.
@ -630,8 +569,6 @@ built_product_sepolicy :=
base_plat_pub_policy.cil := base_plat_pub_policy.cil :=
base_system_ext_pub_polcy.cil := base_system_ext_pub_polcy.cil :=
base_product_pub_policy.cil := base_product_pub_policy.cil :=
all_fc_files :=
all_fc_args :=
################################# #################################
@ -639,19 +576,7 @@ all_fc_args :=
build_vendor_policy := build_vendor_policy :=
build_odm_policy := build_odm_policy :=
build_policy := build_policy :=
built_plat_cil :=
built_system_ext_cil :=
built_product_cil :=
built_sepolicy := built_sepolicy :=
built_sepolicy_neverallows := built_sepolicy_neverallows :=
built_plat_svc :=
built_vendor_svc :=
treble_sysprop_neverallow :=
enforce_sysprop_owner :=
enforce_debugfs_restriction :=
my_target_arch :=
sepolicy_build_files := sepolicy_build_files :=
sepolicy_build_cil_workaround_files :=
with_asan := with_asan :=
include $(call all-makefiles-under,$(LOCAL_PATH))
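Review bot: `with_asan` is still computed in the `@ -170,36 +162,11 @@` hunk and cleared at the end of the last hunk, but its only visible consumer, `PRIVATE_TGT_WITH_ASAN := $(with_asan)` in treble_sepolicy_tests_for_release.mk, is removed by this commit; if nothing else in Android.mk reads it, those four lines and the `with_asan :=` cleanup can go too. The SELINUX_IGNORE_NEVERALLOWS block likewise survives while the `NEVERALLOW_ARG` it used to set is dropped, so the flag now only yields the user-build error and the warning; whether the Soong-built prebuilt policies honour it the way `secilc ... $(PRIVATE_NEVERALLOW_ARG)` did is not visible here and deserves a confirming comment next to the block. The last hunk also drops `include $(call all-makefiles-under,$(LOCAL_PATH))`, so any Android.mk still present under a subdirectory would silently stop being parsed; worth checking that the deleted three-line makefile was the only one.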


@ -27,7 +27,6 @@ import (
) )
const ( const (
// TODO: sync with Android.mk
MlsSens = 1 MlsSens = 1
MlsCats = 1024 MlsCats = 1024
PolicyVers = 30 PolicyVers = 30


@ -1,39 +0,0 @@
# Command to turn collection of policy files into a policy.conf file to be
# processed by checkpolicy
define transform-policy-to-conf
@mkdir -p $(dir $@)
$(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
$(PRIVATE_TGT_RECOVERY) \
-s $(PRIVATE_POLICY_FILES) > $@
endef
.KATI_READONLY := transform-policy-to-conf
###########################################################
## Collect file_contexts files into a single tmp file with m4
##
## $(1): list of file_contexts files
## $(2): filename into which file_contexts files are merged
###########################################################
define _merge-fc-files
$(2): $(1) $(M4)
$(hide) mkdir -p $$(dir $$@)
$(hide) $(M4) --fatal-warnings -s $(1) > $$@
endef
define merge-fc-files
$(eval $(call _merge-fc-files,$(1),$(2)))
endef


@ -1,4 +0,0 @@
# SELinux policy version.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
POLICYVERS ?= 30


@ -26,3 +26,30 @@ se_policy_cil {
secilc_check: false, secilc_check: false,
installable: false, installable: false,
} }
se_policy_conf {
name: "29.0_plat_policy.conf",
srcs: [
":se_build_files{.plat_public_29.0}",
":se_build_files{.plat_private_29.0}",
":se_build_files{.system_ext_public_29.0}",
":se_build_files{.system_ext_private_29.0}",
":se_build_files{.product_public_29.0}",
":se_build_files{.product_private_29.0}",
],
installable: false,
build_variant: "user",
}
se_policy_cil {
name: "29.0_plat_policy.cil",
src: ":29.0_plat_policy.conf",
additional_cil_files: [":sepolicy_technical_debt{.plat_private_29.0}"],
installable: false,
}
se_policy_binary {
name: "29.0_plat_policy",
srcs: [":29.0_plat_policy.cil"],
installable: false,
}
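Review bot: The new `29.0_plat_policy.cil` module does not set `secilc_check`, whereas the sibling `base_*_sepolicy.cil` modules in Android.bp disable it with `secilc_check: false, // done by se_policy_binary` because the cil is immediately compiled by an `se_policy_binary`; unless the default differs for this module, secilc runs twice per version. Suggest adding that line to the cil module here and in the identical 30.0, 31.0, 32.0, 33.0 and 34.0 hunks. The six blocks differ only in the version string, so a short comment naming the canonical copy (or the rule that they must stay in sync) would help the next person who edits one of them.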


@ -26,3 +26,30 @@ se_policy_cil {
secilc_check: false, secilc_check: false,
installable: false, installable: false,
} }
se_policy_conf {
name: "30.0_plat_policy.conf",
srcs: [
":se_build_files{.plat_public_30.0}",
":se_build_files{.plat_private_30.0}",
":se_build_files{.system_ext_public_30.0}",
":se_build_files{.system_ext_private_30.0}",
":se_build_files{.product_public_30.0}",
":se_build_files{.product_private_30.0}",
],
installable: false,
build_variant: "user",
}
se_policy_cil {
name: "30.0_plat_policy.cil",
src: ":30.0_plat_policy.conf",
additional_cil_files: [":sepolicy_technical_debt{.plat_private_30.0}"],
installable: false,
}
se_policy_binary {
name: "30.0_plat_policy",
srcs: [":30.0_plat_policy.cil"],
installable: false,
}


@ -26,3 +26,30 @@ se_policy_cil {
secilc_check: false, secilc_check: false,
installable: false, installable: false,
} }
se_policy_conf {
name: "31.0_plat_policy.conf",
srcs: [
":se_build_files{.plat_public_31.0}",
":se_build_files{.plat_private_31.0}",
":se_build_files{.system_ext_public_31.0}",
":se_build_files{.system_ext_private_31.0}",
":se_build_files{.product_public_31.0}",
":se_build_files{.product_private_31.0}",
],
installable: false,
build_variant: "user",
}
se_policy_cil {
name: "31.0_plat_policy.cil",
src: ":31.0_plat_policy.conf",
additional_cil_files: [":sepolicy_technical_debt{.plat_private_31.0}"],
installable: false,
}
se_policy_binary {
name: "31.0_plat_policy",
srcs: [":31.0_plat_policy.cil"],
installable: false,
}


@ -26,3 +26,30 @@ se_policy_cil {
secilc_check: false, secilc_check: false,
installable: false, installable: false,
} }
se_policy_conf {
name: "32.0_plat_policy.conf",
srcs: [
":se_build_files{.plat_public_32.0}",
":se_build_files{.plat_private_32.0}",
":se_build_files{.system_ext_public_32.0}",
":se_build_files{.system_ext_private_32.0}",
":se_build_files{.product_public_32.0}",
":se_build_files{.product_private_32.0}",
],
installable: false,
build_variant: "user",
}
se_policy_cil {
name: "32.0_plat_policy.cil",
src: ":32.0_plat_policy.conf",
additional_cil_files: [":sepolicy_technical_debt{.plat_private_32.0}"],
installable: false,
}
se_policy_binary {
name: "32.0_plat_policy",
srcs: [":32.0_plat_policy.cil"],
installable: false,
}


@ -26,3 +26,30 @@ se_policy_cil {
secilc_check: false, secilc_check: false,
installable: false, installable: false,
} }
se_policy_conf {
name: "33.0_plat_policy.conf",
srcs: [
":se_build_files{.plat_public_33.0}",
":se_build_files{.plat_private_33.0}",
":se_build_files{.system_ext_public_33.0}",
":se_build_files{.system_ext_private_33.0}",
":se_build_files{.product_public_33.0}",
":se_build_files{.product_private_33.0}",
],
installable: false,
build_variant: "user",
}
se_policy_cil {
name: "33.0_plat_policy.cil",
src: ":33.0_plat_policy.conf",
additional_cil_files: [":sepolicy_technical_debt{.plat_private_33.0}"],
installable: false,
}
se_policy_binary {
name: "33.0_plat_policy",
srcs: [":33.0_plat_policy.cil"],
installable: false,
}


@ -26,3 +26,30 @@ se_policy_cil {
secilc_check: false, secilc_check: false,
installable: false, installable: false,
} }
se_policy_conf {
name: "34.0_plat_policy.conf",
srcs: [
":se_build_files{.plat_public_34.0}",
":se_build_files{.plat_private_34.0}",
":se_build_files{.system_ext_public_34.0}",
":se_build_files{.system_ext_private_34.0}",
":se_build_files{.product_public_34.0}",
":se_build_files{.product_private_34.0}",
],
installable: false,
build_variant: "user",
}
se_policy_cil {
name: "34.0_plat_policy.cil",
src: ":34.0_plat_policy.conf",
additional_cil_files: [":sepolicy_technical_debt{.plat_private_34.0}"],
installable: false,
}
se_policy_binary {
name: "34.0_plat_policy",
srcs: [":34.0_plat_policy.cil"],
installable: false,
}


@ -1,3 +0,0 @@
LOCAL_PATH:= $(call my-dir)
include $(call all-makefiles-under,$(LOCAL_PATH))


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]') MK=$(awk -F= '/PolicyVers/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')
BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }') BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
if [ "$MK" != "$BP" ]; then if [ "$MK" != "$BP" ]; then
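Review bot: The awk pattern `/PolicyVers/` on the changed line matches every line of policy.go that mentions the identifier, not only the const definition; any other use on a line containing `=` would be concatenated into `MK` by the `tr -d` and break the comparison. Anchoring it to the definition avoids that: `MK=$(awk '/^[[:space:]]*PolicyVers[[:space:]]*=/ { sub(/.*=/, ""); print }' build/soong/policy.go | tr -d ' [:space:]')`. The variable name `MK` no longer describes its source now that the value comes from a Go file; `GO` or `POLICY_GO` would read better. The `if` block continues outside the hunk.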


@ -11,15 +11,9 @@ LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional LOCAL_MODULE_TAGS := optional
# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
# make file of the system_ext partition.
SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
# make file of the product partition.
PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
IS_TREBLE_TEST_ENABLED_PARTNER := false IS_TREBLE_TEST_ENABLED_PARTNER := false
ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),) ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY)) ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
IS_TREBLE_TEST_ENABLED_PARTNER := true IS_TREBLE_TEST_ENABLED_PARTNER := true
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY)) endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),) endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
@ -30,60 +24,11 @@ include $(BUILD_SYSTEM)/base_rules.mk
# built to enable us to determine the diff between the current policy and the # built to enable us to determine the diff between the current policy and the
# $(version) policy, which will be used in tests to make sure that compatibility has # $(version) policy, which will be used in tests to make sure that compatibility has
# been maintained by our mapping files. # been maintained by our mapping files.
$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public built_$(version)_plat_sepolicy := $(call intermediates-dir-for,ETC,$(version)_plat_policy)/$(version)_plat_policy
$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
$(version)_PLAT_PUBLIC_POLICY += \
$(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
$(version)_PLAT_PRIVATE_POLICY += \
$(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
ifneq (,$(PRODUCT_PREBUILT_POLICY))
$(version)_PLAT_PUBLIC_POLICY += \
$(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
$(version)_PLAT_PRIVATE_POLICY += \
$(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
endif # (,$(PRODUCT_PREBUILT_POLICY))
endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$($(version)_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
policy_files :=
built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
$(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/secilc \
$(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
$(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
$(POLICYVERS) -o $@ $<
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
# TODO(b/214336258): move to Soong # TODO(b/214336258): move to Soong
$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy) $(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
$(version)_plat_policy.conf :=
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil $(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
$(version)_mapping.ignore.cil := \ $(version)_mapping.ignore.cil := \
$(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
@ -106,6 +51,7 @@ endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
# combining the current platform policy with nonplatform policy based on the # combining the current platform policy with nonplatform policy based on the
# $(version) policy release and also a special ignored file that exists purely for # $(version) policy release and also a special ignored file that exists purely for
# these tests. # these tests.
intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil $(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil) $($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
mkdir -p $(dir $@) mkdir -p $(dir $@)
@ -135,15 +81,8 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-u $(PRIVATE_PLAT_PUB_SEPOLICY) -u $(PRIVATE_PLAT_PUB_SEPOLICY)
$(hide) touch $@ $(hide) touch $@
$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
$(version)_PRODUCT_PUBLIC_POLICY :=
$(version)_PRODUCT_PRIVATE_POLICY :=
$(version)_PLAT_PUBLIC_POLICY :=
$(version)_PLAT_PRIVATE_POLICY :=
built_sepolicy_files := built_sepolicy_files :=
public_cil_files := public_cil_files :=
cil_files :=
$(version)_mapping.cil := $(version)_mapping.cil :=
$(version)_mapping.combined.cil := $(version)_mapping.combined.cil :=
$(version)_mapping.ignore.cil := $(version)_mapping.ignore.cil :=
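Review bot: In the first hunk the `endif` comment still reads `# (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))` although the condition above it now tests `$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR)` and the two intermediate variables are deleted in the same hunk; update it to `endif # (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))`. In the third hunk the added `intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates` presumably overrides the value base_rules.mk (included earlier, per the second hunk's header) computed for this FAKE-class module; a why-comment, or `$(call intermediates-dir-for,...)` in the style of the new `built_$(version)_plat_sepolicy` line, would make the intent clear. That variable is also not cleared with the others at the end of the last hunk.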