Build prebuilt policy with Soong
... and remove redundant Makefile code. This also updates the commit hook, as we now only use Soong to build sepolicy. Bug: 296875906 Test: m selinux_policy Change-Id: I93f0d222a0c10e31c51c9380780a8927c47d62b1
parent
eb0d40aa85
commit
5d7423ff3d
14 changed files with 183 additions and 250 deletions
46
Android.bp
46
Android.bp
|
@ -752,33 +752,6 @@ se_policy_binary {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
se_policy_conf {
|
|
||||||
name: "base_system_ext_sepolicy.conf",
|
|
||||||
srcs: plat_public_policy +
|
|
||||||
plat_private_policy +
|
|
||||||
system_ext_public_policy +
|
|
||||||
system_ext_private_policy,
|
|
||||||
build_variant: "user",
|
|
||||||
installable: false,
|
|
||||||
system_ext_specific: true,
|
|
||||||
}
|
|
||||||
|
|
||||||
se_policy_cil {
|
|
||||||
name: "base_system_ext_sepolicy.cil",
|
|
||||||
src: ":base_system_ext_sepolicy.conf",
|
|
||||||
additional_cil_files: ["private/technical_debt.cil"],
|
|
||||||
system_ext_specific: true,
|
|
||||||
installable: false,
|
|
||||||
secilc_check: false, // done by se_policy_binary
|
|
||||||
}
|
|
||||||
|
|
||||||
se_policy_binary {
|
|
||||||
name: "base_system_ext_sepolicy",
|
|
||||||
srcs: [":base_system_ext_sepolicy.cil"],
|
|
||||||
system_ext_specific: true,
|
|
||||||
installable: false,
|
|
||||||
}
|
|
||||||
|
|
||||||
se_policy_conf {
|
se_policy_conf {
|
||||||
name: "base_product_sepolicy.conf",
|
name: "base_product_sepolicy.conf",
|
||||||
srcs: plat_public_policy +
|
srcs: plat_public_policy +
|
||||||
|
@ -827,25 +800,6 @@ se_policy_cil {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
se_policy_conf {
|
|
||||||
name: "base_system_ext_pub_policy.conf",
|
|
||||||
srcs: plat_public_policy +
|
|
||||||
system_ext_public_policy +
|
|
||||||
reqd_mask_policy,
|
|
||||||
build_variant: "user",
|
|
||||||
installable: false,
|
|
||||||
system_ext_specific: true,
|
|
||||||
}
|
|
||||||
|
|
||||||
se_policy_cil {
|
|
||||||
name: "base_system_ext_pub_policy.cil",
|
|
||||||
src: ":base_system_ext_pub_policy.conf",
|
|
||||||
filter_out: [":reqd_policy_mask.cil"],
|
|
||||||
secilc_check: false,
|
|
||||||
installable: false,
|
|
||||||
system_ext_specific: true,
|
|
||||||
}
|
|
||||||
|
|
||||||
se_policy_conf {
|
se_policy_conf {
|
||||||
name: "base_product_pub_policy.conf",
|
name: "base_product_pub_policy.conf",
|
||||||
srcs: plat_public_policy +
|
srcs: plat_public_policy +
|
||||||
|
|
109
Android.mk
109
Android.mk
|
@ -1,13 +1,7 @@
|
||||||
LOCAL_PATH:= $(call my-dir)
|
LOCAL_PATH:= $(call my-dir)
|
||||||
|
|
||||||
include $(LOCAL_PATH)/definitions.mk
|
|
||||||
include $(LOCAL_PATH)/policy_version.mk
|
|
||||||
|
|
||||||
include $(CLEAR_VARS)
|
include $(CLEAR_VARS)
|
||||||
|
|
||||||
MLS_SENS=1
|
|
||||||
MLS_CATS=1024
|
|
||||||
|
|
||||||
ifdef BOARD_SEPOLICY_UNION
|
ifdef BOARD_SEPOLICY_UNION
|
||||||
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
|
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
|
||||||
endif
|
endif
|
||||||
|
@ -73,7 +67,6 @@ ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
|
||||||
HAS_PRODUCT_SEPOLICY_DIR := true
|
HAS_PRODUCT_SEPOLICY_DIR := true
|
||||||
endif
|
endif
|
||||||
|
|
||||||
NEVERALLOW_ARG :=
|
|
||||||
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
|
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
|
||||||
ifeq ($(TARGET_BUILD_VARIANT),user)
|
ifeq ($(TARGET_BUILD_VARIANT),user)
|
||||||
$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
|
$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
|
||||||
|
@ -81,7 +74,6 @@ endif
|
||||||
$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
|
$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
|
||||||
It does not work in user builds and using it will \
|
It does not work in user builds and using it will \
|
||||||
not stop you from failing CTS.)
|
not stop you from failing CTS.)
|
||||||
NEVERALLOW_ARG := -N
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
|
# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
|
||||||
|
@ -170,36 +162,11 @@ ifdef HAS_PRODUCT_SEPOLICY_DIR
|
||||||
endif
|
endif
|
||||||
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
|
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
|
||||||
|
|
||||||
# CIL files which contain workarounds for current limitation of human-readable
|
|
||||||
# module policy language. These files are appended to the CIL files produced
|
|
||||||
# from module language files.
|
|
||||||
sepolicy_build_cil_workaround_files := technical_debt.cil
|
|
||||||
|
|
||||||
my_target_arch := $(TARGET_ARCH)
|
|
||||||
ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
|
|
||||||
my_target_arch := mips
|
|
||||||
endif
|
|
||||||
|
|
||||||
intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
|
|
||||||
|
|
||||||
with_asan := false
|
with_asan := false
|
||||||
ifneq (,$(filter address,$(SANITIZE_TARGET)))
|
ifneq (,$(filter address,$(SANITIZE_TARGET)))
|
||||||
with_asan := true
|
with_asan := true
|
||||||
endif
|
endif
|
||||||
|
|
||||||
with_native_coverage := false
|
|
||||||
ifeq ($(NATIVE_COVERAGE),true)
|
|
||||||
with_native_coverage := true
|
|
||||||
endif
|
|
||||||
ifeq ($(CLANG_COVERAGE),true)
|
|
||||||
with_native_coverage := true
|
|
||||||
endif
|
|
||||||
|
|
||||||
treble_sysprop_neverallow := true
|
|
||||||
ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
|
|
||||||
treble_sysprop_neverallow := false
|
|
||||||
endif
|
|
||||||
|
|
||||||
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
|
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
|
||||||
#$(warning no product shipping level defined)
|
#$(warning no product shipping level defined)
|
||||||
else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
|
else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
|
||||||
|
@ -208,16 +175,6 @@ else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
enforce_sysprop_owner := true
|
|
||||||
ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
|
|
||||||
enforce_sysprop_owner := false
|
|
||||||
endif
|
|
||||||
|
|
||||||
enforce_debugfs_restriction := false
|
|
||||||
ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
|
|
||||||
enforce_debugfs_restriction := true
|
|
||||||
endif
|
|
||||||
|
|
||||||
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
|
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
|
||||||
#$(warning no product shipping level defined)
|
#$(warning no product shipping level defined)
|
||||||
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
|
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
|
||||||
|
@ -226,13 +183,6 @@ else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
# Library extension for host-side tests
|
|
||||||
ifeq ($(HOST_OS),darwin)
|
|
||||||
SHAREDLIB_EXT=dylib
|
|
||||||
else
|
|
||||||
SHAREDLIB_EXT=so
|
|
||||||
endif
|
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
|
|
||||||
include $(CLEAR_VARS)
|
include $(CLEAR_VARS)
|
||||||
|
@ -480,16 +430,6 @@ include $(BUILD_PHONY_PACKAGE)
|
||||||
# Policy files are now built with Android.bp. Grab them from intermediate.
|
# Policy files are now built with Android.bp. Grab them from intermediate.
|
||||||
# See Android.bp for details of policy files.
|
# See Android.bp for details of policy files.
|
||||||
#
|
#
|
||||||
built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
|
|
||||||
|
|
||||||
ifdef HAS_SYSTEM_EXT_SEPOLICY
|
|
||||||
built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
|
|
||||||
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
|
|
||||||
|
|
||||||
ifdef HAS_PRODUCT_SEPOLICY
|
|
||||||
built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
|
|
||||||
endif # ifdef HAS_PRODUCT_SEPOLICY
|
|
||||||
|
|
||||||
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
|
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
|
||||||
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
|
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
|
||||||
|
|
||||||
|
@ -542,6 +482,23 @@ ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
|
||||||
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
|
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
###########################################################
|
||||||
|
## Collect file_contexts files into a single tmp file with m4
|
||||||
|
##
|
||||||
|
## $(1): list of file_contexts files
|
||||||
|
## $(2): filename into which file_contexts files are merged
|
||||||
|
###########################################################
|
||||||
|
|
||||||
|
define _merge-fc-files
|
||||||
|
$(2): $(1) $(M4)
|
||||||
|
$(hide) mkdir -p $$(dir $$@)
|
||||||
|
$(hide) $(M4) --fatal-warnings -s $(1) > $$@
|
||||||
|
endef
|
||||||
|
|
||||||
|
define merge-fc-files
|
||||||
|
$(eval $(call _merge-fc-files,$(1),$(2)))
|
||||||
|
endef
|
||||||
|
|
||||||
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
|
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
|
||||||
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
|
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
|
||||||
|
|
||||||
|
@ -581,32 +538,14 @@ $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_
|
||||||
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
|
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
|
||||||
$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
|
$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
|
||||||
|
|
||||||
built_fc := $(LOCAL_BUILT_MODULE)
|
|
||||||
local_fc_files :=
|
local_fc_files :=
|
||||||
local_fcfiles_with_nl :=
|
|
||||||
device_fc_files :=
|
device_fc_files :=
|
||||||
device_fcfiles_with_nl :=
|
|
||||||
file_contexts.concat.tmp :=
|
file_contexts.concat.tmp :=
|
||||||
file_contexts.device.sorted.tmp :=
|
file_contexts.device.sorted.tmp :=
|
||||||
file_contexts.device.tmp :=
|
file_contexts.device.tmp :=
|
||||||
file_contexts.local.tmp :=
|
file_contexts.local.tmp :=
|
||||||
file_contexts.modules.tmp :=
|
file_contexts.modules.tmp :=
|
||||||
|
|
||||||
##################################
|
|
||||||
|
|
||||||
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
|
|
||||||
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
|
|
||||||
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
|
|
||||||
all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
|
|
||||||
endif
|
|
||||||
ifdef HAS_PRODUCT_SEPOLICY_DIR
|
|
||||||
all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
|
|
||||||
endif
|
|
||||||
ifdef BOARD_ODM_SEPOLICY_DIRS
|
|
||||||
all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
|
|
||||||
endif
|
|
||||||
all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
|
|
||||||
|
|
||||||
##################################
|
##################################
|
||||||
# Tests for Treble compatibility of current platform policy and vendor policy of
|
# Tests for Treble compatibility of current platform policy and vendor policy of
|
||||||
# given release version.
|
# given release version.
|
||||||
|
@ -630,8 +569,6 @@ built_product_sepolicy :=
|
||||||
base_plat_pub_policy.cil :=
|
base_plat_pub_policy.cil :=
|
||||||
base_system_ext_pub_polcy.cil :=
|
base_system_ext_pub_polcy.cil :=
|
||||||
base_product_pub_policy.cil :=
|
base_product_pub_policy.cil :=
|
||||||
all_fc_files :=
|
|
||||||
all_fc_args :=
|
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
|
|
||||||
|
@ -639,19 +576,7 @@ all_fc_args :=
|
||||||
build_vendor_policy :=
|
build_vendor_policy :=
|
||||||
build_odm_policy :=
|
build_odm_policy :=
|
||||||
build_policy :=
|
build_policy :=
|
||||||
built_plat_cil :=
|
|
||||||
built_system_ext_cil :=
|
|
||||||
built_product_cil :=
|
|
||||||
built_sepolicy :=
|
built_sepolicy :=
|
||||||
built_sepolicy_neverallows :=
|
built_sepolicy_neverallows :=
|
||||||
built_plat_svc :=
|
|
||||||
built_vendor_svc :=
|
|
||||||
treble_sysprop_neverallow :=
|
|
||||||
enforce_sysprop_owner :=
|
|
||||||
enforce_debugfs_restriction :=
|
|
||||||
my_target_arch :=
|
|
||||||
sepolicy_build_files :=
|
sepolicy_build_files :=
|
||||||
sepolicy_build_cil_workaround_files :=
|
|
||||||
with_asan :=
|
with_asan :=
|
||||||
|
|
||||||
include $(call all-makefiles-under,$(LOCAL_PATH))
|
|
||||||
|
|
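Review bot: `_merge-fc-files`, now moved into Android.mk (`define _merge-fc-files` … `endef`), still redirects m4 straight into its target, `$(hide) $(M4) --fatal-warnings -s $(1) > $$@`, so a failing m4 run can leave a truncated file_contexts merge at `$(2)` with a fresh mtime unless the build driver removes failed outputs. Since the macro is being relocated anyway, write to a temporary and rename on success: `$(hide) $(M4) --fatal-warnings -s $(1) > $$@.tmp && mv -f $$@.tmp $$@`. Separately, `with_asan` is still computed and cleared in this file although its only consumer visible in this commit (the `PRIVATE_TGT_WITH_ASAN` assignment in treble_sepolicy_tests_for_release.mk) is deleted; if nothing else in Android.mk reads it, it looks like it can go with the rest of the redundant code.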
|
@ -27,7 +27,6 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// TODO: sync with Android.mk
|
|
||||||
MlsSens = 1
|
MlsSens = 1
|
||||||
MlsCats = 1024
|
MlsCats = 1024
|
||||||
PolicyVers = 30
|
PolicyVers = 30
|
||||||
|
|
|
@ -1,39 +0,0 @@
|
||||||
# Command to turn collection of policy files into a policy.conf file to be
|
|
||||||
# processed by checkpolicy
|
|
||||||
define transform-policy-to-conf
|
|
||||||
@mkdir -p $(dir $@)
|
|
||||||
$(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
|
|
||||||
-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
|
|
||||||
-D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
|
|
||||||
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
|
|
||||||
-D target_arch=$(PRIVATE_TGT_ARCH) \
|
|
||||||
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
|
|
||||||
-D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
|
|
||||||
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
|
|
||||||
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
|
|
||||||
-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
|
|
||||||
-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
|
|
||||||
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
|
|
||||||
-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
|
|
||||||
-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
|
|
||||||
$(PRIVATE_TGT_RECOVERY) \
|
|
||||||
-s $(PRIVATE_POLICY_FILES) > $@
|
|
||||||
endef
|
|
||||||
.KATI_READONLY := transform-policy-to-conf
|
|
||||||
|
|
||||||
###########################################################
|
|
||||||
## Collect file_contexts files into a single tmp file with m4
|
|
||||||
##
|
|
||||||
## $(1): list of file_contexts files
|
|
||||||
## $(2): filename into which file_contexts files are merged
|
|
||||||
###########################################################
|
|
||||||
|
|
||||||
define _merge-fc-files
|
|
||||||
$(2): $(1) $(M4)
|
|
||||||
$(hide) mkdir -p $$(dir $$@)
|
|
||||||
$(hide) $(M4) --fatal-warnings -s $(1) > $$@
|
|
||||||
endef
|
|
||||||
|
|
||||||
define merge-fc-files
|
|
||||||
$(eval $(call _merge-fc-files,$(1),$(2)))
|
|
||||||
endef
|
|
|
@ -1,4 +0,0 @@
|
||||||
# SELinux policy version.
|
|
||||||
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
|
|
||||||
# Must be within the compatibility range reported by checkpolicy -V.
|
|
||||||
POLICYVERS ?= 30
|
|
|
@ -26,3 +26,30 @@ se_policy_cil {
|
||||||
secilc_check: false,
|
secilc_check: false,
|
||||||
installable: false,
|
installable: false,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
se_policy_conf {
|
||||||
|
name: "29.0_plat_policy.conf",
|
||||||
|
srcs: [
|
||||||
|
":se_build_files{.plat_public_29.0}",
|
||||||
|
":se_build_files{.plat_private_29.0}",
|
||||||
|
":se_build_files{.system_ext_public_29.0}",
|
||||||
|
":se_build_files{.system_ext_private_29.0}",
|
||||||
|
":se_build_files{.product_public_29.0}",
|
||||||
|
":se_build_files{.product_private_29.0}",
|
||||||
|
],
|
||||||
|
installable: false,
|
||||||
|
build_variant: "user",
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_cil {
|
||||||
|
name: "29.0_plat_policy.cil",
|
||||||
|
src: ":29.0_plat_policy.conf",
|
||||||
|
additional_cil_files: [":sepolicy_technical_debt{.plat_private_29.0}"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_binary {
|
||||||
|
name: "29.0_plat_policy",
|
||||||
|
srcs: [":29.0_plat_policy.cil"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
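Review bot: The removed Makefile rule built the `$(version)` reference policy from `$(LOCAL_PATH)/prebuilts/api/$(version)/{public,private}` plus, when `IS_TREBLE_TEST_ENABLED_PARTNER` was true, the matching `prebuilts/api/$(version)` directories under `BOARD_SYSTEM_EXT_PREBUILT_DIR` and `BOARD_PRODUCT_PREBUILT_DIR`; the new `29.0_plat_policy.conf` instead relies on the `:se_build_files{.system_ext_*_29.0}` and `:se_build_files{.product_*_29.0}` tags to supply those partner directories. That equivalence is not visible in this commit, so please confirm (or state in a comment on the module) that those tags resolve to the partner prebuilt dirs; otherwise the Treble compatibility test would silently compare against a platform-only 29.0 policy. The Makefile also pinned `PRIVATE_SEPOLICY_SPLIT := true` for this build; `build_variant: "user"` is carried over but nothing here pins the full-Treble define, so confirm the se_policy_conf default gives the same m4 input. The same applies to the 30.0–34.0 Android.bp changes in this commit.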
|
@ -26,3 +26,30 @@ se_policy_cil {
|
||||||
secilc_check: false,
|
secilc_check: false,
|
||||||
installable: false,
|
installable: false,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
se_policy_conf {
|
||||||
|
name: "30.0_plat_policy.conf",
|
||||||
|
srcs: [
|
||||||
|
":se_build_files{.plat_public_30.0}",
|
||||||
|
":se_build_files{.plat_private_30.0}",
|
||||||
|
":se_build_files{.system_ext_public_30.0}",
|
||||||
|
":se_build_files{.system_ext_private_30.0}",
|
||||||
|
":se_build_files{.product_public_30.0}",
|
||||||
|
":se_build_files{.product_private_30.0}",
|
||||||
|
],
|
||||||
|
installable: false,
|
||||||
|
build_variant: "user",
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_cil {
|
||||||
|
name: "30.0_plat_policy.cil",
|
||||||
|
src: ":30.0_plat_policy.conf",
|
||||||
|
additional_cil_files: [":sepolicy_technical_debt{.plat_private_30.0}"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_binary {
|
||||||
|
name: "30.0_plat_policy",
|
||||||
|
srcs: [":30.0_plat_policy.cil"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
|
@ -26,3 +26,30 @@ se_policy_cil {
|
||||||
secilc_check: false,
|
secilc_check: false,
|
||||||
installable: false,
|
installable: false,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
se_policy_conf {
|
||||||
|
name: "31.0_plat_policy.conf",
|
||||||
|
srcs: [
|
||||||
|
":se_build_files{.plat_public_31.0}",
|
||||||
|
":se_build_files{.plat_private_31.0}",
|
||||||
|
":se_build_files{.system_ext_public_31.0}",
|
||||||
|
":se_build_files{.system_ext_private_31.0}",
|
||||||
|
":se_build_files{.product_public_31.0}",
|
||||||
|
":se_build_files{.product_private_31.0}",
|
||||||
|
],
|
||||||
|
installable: false,
|
||||||
|
build_variant: "user",
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_cil {
|
||||||
|
name: "31.0_plat_policy.cil",
|
||||||
|
src: ":31.0_plat_policy.conf",
|
||||||
|
additional_cil_files: [":sepolicy_technical_debt{.plat_private_31.0}"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_binary {
|
||||||
|
name: "31.0_plat_policy",
|
||||||
|
srcs: [":31.0_plat_policy.cil"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
|
@ -26,3 +26,30 @@ se_policy_cil {
|
||||||
secilc_check: false,
|
secilc_check: false,
|
||||||
installable: false,
|
installable: false,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
se_policy_conf {
|
||||||
|
name: "32.0_plat_policy.conf",
|
||||||
|
srcs: [
|
||||||
|
":se_build_files{.plat_public_32.0}",
|
||||||
|
":se_build_files{.plat_private_32.0}",
|
||||||
|
":se_build_files{.system_ext_public_32.0}",
|
||||||
|
":se_build_files{.system_ext_private_32.0}",
|
||||||
|
":se_build_files{.product_public_32.0}",
|
||||||
|
":se_build_files{.product_private_32.0}",
|
||||||
|
],
|
||||||
|
installable: false,
|
||||||
|
build_variant: "user",
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_cil {
|
||||||
|
name: "32.0_plat_policy.cil",
|
||||||
|
src: ":32.0_plat_policy.conf",
|
||||||
|
additional_cil_files: [":sepolicy_technical_debt{.plat_private_32.0}"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_binary {
|
||||||
|
name: "32.0_plat_policy",
|
||||||
|
srcs: [":32.0_plat_policy.cil"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
|
@ -26,3 +26,30 @@ se_policy_cil {
|
||||||
secilc_check: false,
|
secilc_check: false,
|
||||||
installable: false,
|
installable: false,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
se_policy_conf {
|
||||||
|
name: "33.0_plat_policy.conf",
|
||||||
|
srcs: [
|
||||||
|
":se_build_files{.plat_public_33.0}",
|
||||||
|
":se_build_files{.plat_private_33.0}",
|
||||||
|
":se_build_files{.system_ext_public_33.0}",
|
||||||
|
":se_build_files{.system_ext_private_33.0}",
|
||||||
|
":se_build_files{.product_public_33.0}",
|
||||||
|
":se_build_files{.product_private_33.0}",
|
||||||
|
],
|
||||||
|
installable: false,
|
||||||
|
build_variant: "user",
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_cil {
|
||||||
|
name: "33.0_plat_policy.cil",
|
||||||
|
src: ":33.0_plat_policy.conf",
|
||||||
|
additional_cil_files: [":sepolicy_technical_debt{.plat_private_33.0}"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_binary {
|
||||||
|
name: "33.0_plat_policy",
|
||||||
|
srcs: [":33.0_plat_policy.cil"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
|
@ -26,3 +26,30 @@ se_policy_cil {
|
||||||
secilc_check: false,
|
secilc_check: false,
|
||||||
installable: false,
|
installable: false,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
se_policy_conf {
|
||||||
|
name: "34.0_plat_policy.conf",
|
||||||
|
srcs: [
|
||||||
|
":se_build_files{.plat_public_34.0}",
|
||||||
|
":se_build_files{.plat_private_34.0}",
|
||||||
|
":se_build_files{.system_ext_public_34.0}",
|
||||||
|
":se_build_files{.system_ext_private_34.0}",
|
||||||
|
":se_build_files{.product_public_34.0}",
|
||||||
|
":se_build_files{.product_private_34.0}",
|
||||||
|
],
|
||||||
|
installable: false,
|
||||||
|
build_variant: "user",
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_cil {
|
||||||
|
name: "34.0_plat_policy.cil",
|
||||||
|
src: ":34.0_plat_policy.conf",
|
||||||
|
additional_cil_files: [":sepolicy_technical_debt{.plat_private_34.0}"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
||||||
|
se_policy_binary {
|
||||||
|
name: "34.0_plat_policy",
|
||||||
|
srcs: [":34.0_plat_policy.cil"],
|
||||||
|
installable: false,
|
||||||
|
}
|
||||||
|
|
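Review bot: `34.0_plat_policy.cil` is consumed only by the `34.0_plat_policy` se_policy_binary below it, yet unlike the `base_*_sepolicy.cil` modules this commit deletes from Android.bp (which carried `secilc_check: false, // done by se_policy_binary`) it leaves secilc checking enabled, so the same policy appears to be compiled and checked twice. Add `secilc_check: false, // done by se_policy_binary` to the se_policy_cil module; the binary step is still where compile and neverallow errors surface. The five sibling version files in this commit have the same shape.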
|
@ -1,3 +0,0 @@
|
||||||
LOCAL_PATH:= $(call my-dir)
|
|
||||||
|
|
||||||
include $(call all-makefiles-under,$(LOCAL_PATH))
|
|
|
@ -1,6 +1,6 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]')
|
MK=$(awk -F= '/PolicyVers/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')
|
||||||
BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
|
BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
|
||||||
|
|
||||||
if [ "$MK" != "$BP" ]; then
|
if [ "$MK" != "$BP" ]; then
|
||||||
|
|
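Review bot: The rewritten `MK=` line matches `PolicyVers` anywhere in build/soong/policy.go with an unanchored awk pattern and then strips all whitespace, so any later line that mentions the constant and also contains `=` (a `:=` assignment using it, for example) would be concatenated into `$MK` and make the hook fail spuriously. Anchor it to the definition: `MK=$(awk -F= '/^[[:space:]]*PolicyVers[[:space:]]*=/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')`. The variable name `MK` and, presumably, the mismatch message in the `if` body (which lies outside this hunk) still refer to policy_version.mk, which this commit deletes; renaming the variable to `GO` and updating that message would keep the hook's output truthful.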
|
@ -11,15 +11,9 @@ LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
|
||||||
LOCAL_MODULE_CLASS := FAKE
|
LOCAL_MODULE_CLASS := FAKE
|
||||||
LOCAL_MODULE_TAGS := optional
|
LOCAL_MODULE_TAGS := optional
|
||||||
|
|
||||||
# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
|
|
||||||
# make file of the system_ext partition.
|
|
||||||
SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
|
|
||||||
# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
|
|
||||||
# make file of the product partition.
|
|
||||||
PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
|
|
||||||
IS_TREBLE_TEST_ENABLED_PARTNER := false
|
IS_TREBLE_TEST_ENABLED_PARTNER := false
|
||||||
ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
|
ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
|
||||||
ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
|
ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
|
||||||
IS_TREBLE_TEST_ENABLED_PARTNER := true
|
IS_TREBLE_TEST_ENABLED_PARTNER := true
|
||||||
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
|
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
|
||||||
endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
|
endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
|
||||||
|
@ -30,60 +24,11 @@ include $(BUILD_SYSTEM)/base_rules.mk
|
||||||
# built to enable us to determine the diff between the current policy and the
|
# built to enable us to determine the diff between the current policy and the
|
||||||
# $(version) policy, which will be used in tests to make sure that compatibility has
|
# $(version) policy, which will be used in tests to make sure that compatibility has
|
||||||
# been maintained by our mapping files.
|
# been maintained by our mapping files.
|
||||||
$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
|
built_$(version)_plat_sepolicy := $(call intermediates-dir-for,ETC,$(version)_plat_policy)/$(version)_plat_policy
|
||||||
$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
|
|
||||||
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
|
|
||||||
ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
|
|
||||||
$(version)_PLAT_PUBLIC_POLICY += \
|
|
||||||
$(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
|
|
||||||
$(version)_PLAT_PRIVATE_POLICY += \
|
|
||||||
$(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
|
|
||||||
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
|
|
||||||
ifneq (,$(PRODUCT_PREBUILT_POLICY))
|
|
||||||
$(version)_PLAT_PUBLIC_POLICY += \
|
|
||||||
$(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
|
|
||||||
$(version)_PLAT_PRIVATE_POLICY += \
|
|
||||||
$(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
|
|
||||||
endif # (,$(PRODUCT_PREBUILT_POLICY))
|
|
||||||
endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
|
|
||||||
policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
|
|
||||||
$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
|
|
||||||
$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
|
|
||||||
$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
|
|
||||||
$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
|
|
||||||
$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
|
|
||||||
$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
|
||||||
$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
|
||||||
$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
|
||||||
$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
|
|
||||||
$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
|
||||||
$($(version)_plat_policy.conf): $(policy_files) $(M4)
|
|
||||||
$(transform-policy-to-conf)
|
|
||||||
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
|
|
||||||
|
|
||||||
policy_files :=
|
|
||||||
|
|
||||||
built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
|
|
||||||
$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
|
|
||||||
$(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
|
|
||||||
$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
|
|
||||||
$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
|
|
||||||
$(HOST_OUT_EXECUTABLES)/secilc \
|
|
||||||
$(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
|
|
||||||
$(built_sepolicy_neverallows)
|
|
||||||
@mkdir -p $(dir $@)
|
|
||||||
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
|
|
||||||
$(POLICYVERS) -o $@ $<
|
|
||||||
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
|
|
||||||
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
|
|
||||||
|
|
||||||
$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
|
|
||||||
|
|
||||||
# TODO(b/214336258): move to Soong
|
# TODO(b/214336258): move to Soong
|
||||||
$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
|
$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
|
||||||
|
|
||||||
$(version)_plat_policy.conf :=
|
|
||||||
|
|
||||||
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
|
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
|
||||||
$(version)_mapping.ignore.cil := \
|
$(version)_mapping.ignore.cil := \
|
||||||
$(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
|
$(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
|
||||||
|
@ -106,6 +51,7 @@ endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
|
||||||
# combining the current platform policy with nonplatform policy based on the
|
# combining the current platform policy with nonplatform policy based on the
|
||||||
# $(version) policy release and also a special ignored file that exists purely for
|
# $(version) policy release and also a special ignored file that exists purely for
|
||||||
# these tests.
|
# these tests.
|
||||||
|
intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
|
||||||
$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
|
$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
|
||||||
$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
|
$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
|
||||||
mkdir -p $(dir $@)
|
mkdir -p $(dir $@)
|
||||||
|
@ -135,15 +81,8 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
|
||||||
-u $(PRIVATE_PLAT_PUB_SEPOLICY)
|
-u $(PRIVATE_PLAT_PUB_SEPOLICY)
|
||||||
$(hide) touch $@
|
$(hide) touch $@
|
||||||
|
|
||||||
$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
|
|
||||||
$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
|
|
||||||
$(version)_PRODUCT_PUBLIC_POLICY :=
|
|
||||||
$(version)_PRODUCT_PRIVATE_POLICY :=
|
|
||||||
$(version)_PLAT_PUBLIC_POLICY :=
|
|
||||||
$(version)_PLAT_PRIVATE_POLICY :=
|
|
||||||
built_sepolicy_files :=
|
built_sepolicy_files :=
|
||||||
public_cil_files :=
|
public_cil_files :=
|
||||||
cil_files :=
|
|
||||||
$(version)_mapping.cil :=
|
$(version)_mapping.cil :=
|
||||||
$(version)_mapping.combined.cil :=
|
$(version)_mapping.combined.cil :=
|
||||||
$(version)_mapping.ignore.cil :=
|
$(version)_mapping.ignore.cil :=
|
||||||
|
|
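Review bot: The `endif` comment closing the partner-prebuilt check is now stale: the condition was changed to `ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))` but its closing line still reads `endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))`, naming two variables this commit removes. Change it to `endif # (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))`. A one-line comment above `built_$(version)_plat_sepolicy := $(call intermediates-dir-for,ETC,$(version)_plat_policy)/$(version)_plat_policy` saying that this path is the output of the Soong se_policy_binary module of the same name would also help, since nothing in this file now shows where that file is produced.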