Build platform side policy with Soong
This replaces the following policy files with Android.bp modules: - reqd_policy_mask.cil - plat_sepolicy.cil - system_ext_sepolicy.cil - product_sepolicy.cil - plat_pub_policy.cil - system_ext_pub_policy.cil - pub_policy.cil - general_sepolicy.conf (for CTS) Microdroid's system policy now also uses the modules above. Bug: 33691272 Bug: 178993690 Test: policy files stay same Test: boot normal device and microdroid, see sepolicy works Test: build CtsSecurityHostTestCases Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
This commit is contained in:
parent
df1a0dee63
commit
7629e86053
2 changed files with 225 additions and 524 deletions
380
Android.bp
380
Android.bp
|
@ -493,137 +493,190 @@ filegroup {
|
|||
],
|
||||
}
|
||||
|
||||
// This is a minimized cil modules to test microdroid.
|
||||
// TODO(b/178993690): migrate cil files to Android.bp and remove below
|
||||
filegroup {
|
||||
name: "microdroid_sepolicy_build_files",
|
||||
se_build_files {
|
||||
name: "se_build_files",
|
||||
srcs: [
|
||||
// This order is important. Should be identical to sepolicy_build_files in Android.mk
|
||||
"private/security_classes",
|
||||
"private/initial_sids",
|
||||
"private/access_vectors",
|
||||
"public/global_macros",
|
||||
"public/neverallow_macros",
|
||||
"private/mls_macros",
|
||||
"private/mls_decl",
|
||||
"private/mls",
|
||||
"private/policy_capabilities",
|
||||
"public/te_macros",
|
||||
"public/attributes",
|
||||
"private/attributes",
|
||||
"public/ioctl_defines",
|
||||
"public/ioctl_macros",
|
||||
"public/*.te",
|
||||
"private/*.te",
|
||||
"private/roles_decl",
|
||||
"public/roles",
|
||||
"private/users",
|
||||
"private/initial_sid_contexts",
|
||||
"private/fs_use",
|
||||
"private/genfs_contexts",
|
||||
"private/port_contexts",
|
||||
"security_classes",
|
||||
"initial_sids",
|
||||
"access_vectors",
|
||||
"global_macros",
|
||||
"neverallow_macros",
|
||||
"mls_macros",
|
||||
"mls_decl",
|
||||
"mls",
|
||||
"policy_capabilities",
|
||||
"te_macros",
|
||||
"attributes",
|
||||
"ioctl_defines",
|
||||
"ioctl_macros",
|
||||
"*.te",
|
||||
"roles_decl",
|
||||
"roles",
|
||||
"users",
|
||||
"initial_sid_contexts",
|
||||
"fs_use",
|
||||
"genfs_contexts",
|
||||
"port_contexts",
|
||||
],
|
||||
}
|
||||
|
||||
filegroup {
|
||||
name: "microdroid_sepolicy_public_and_reqd_mask_build_files",
|
||||
srcs: [
|
||||
// This order is important. Should be identical to sepolicy_build_files in Android.mk
|
||||
"reqd_mask/security_classes",
|
||||
"reqd_mask/initial_sids",
|
||||
"reqd_mask/access_vectors",
|
||||
"public/global_macros",
|
||||
"public/neverallow_macros",
|
||||
"reqd_mask/mls_macros",
|
||||
"reqd_mask/mls_decl",
|
||||
"reqd_mask/mls",
|
||||
"public/te_macros",
|
||||
"public/attributes",
|
||||
"public/ioctl_defines",
|
||||
"public/ioctl_macros",
|
||||
"public/*.te",
|
||||
"reqd_mask/*.te",
|
||||
"reqd_mask/roles_decl",
|
||||
"public/roles",
|
||||
"reqd_mask/roles",
|
||||
"reqd_mask/users",
|
||||
"reqd_mask/initial_sid_contexts",
|
||||
],
|
||||
}
|
||||
|
||||
filegroup {
|
||||
name: "microdroid_sepolicy_reqd_mask_build_files",
|
||||
srcs: [
|
||||
// This order is important. Should be identical to sepolicy_build_files in Android.mk
|
||||
"reqd_mask/security_classes",
|
||||
"reqd_mask/initial_sids",
|
||||
"reqd_mask/access_vectors",
|
||||
"reqd_mask/mls_macros",
|
||||
"reqd_mask/mls_decl",
|
||||
"reqd_mask/mls",
|
||||
"reqd_mask/*.te",
|
||||
"reqd_mask/roles_decl",
|
||||
"reqd_mask/roles",
|
||||
"reqd_mask/users",
|
||||
"reqd_mask/initial_sid_contexts",
|
||||
],
|
||||
}
|
||||
|
||||
// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch,
|
||||
// these configurations should be fine to test microdroid on normal devices with full treble.
|
||||
// The exception is target_arch. But as target_arch is meaningful only on mips, and as we are not
|
||||
// running microdroid on mips for now, we skip assigning target_arch here. After cil files are fully
|
||||
// migrated into Soong, these will have correct values.
|
||||
policy_to_conf_flags = "$(location m4) --fatal-warnings " +
|
||||
"-D mls_num_sens=1 -D mls_num_cats=1024 " +
|
||||
"-D target_build_variant=userdebug " +
|
||||
"-D target_with_asan=false " +
|
||||
"-D target_with_native_coverage=false " +
|
||||
"-D target_full_treble=true " +
|
||||
"-D target_compatible_property=true " +
|
||||
"-D target_treble_sysprop_neverallow=true " +
|
||||
"-D target_enforce_sysprop_owner=true "
|
||||
|
||||
genrule {
|
||||
name: "microdroid_plat_sepolicy.cil_gen",
|
||||
srcs: [":microdroid_sepolicy_build_files"],
|
||||
tools: ["m4", "checkpolicy"],
|
||||
out: ["plat_sepolicy.cil"],
|
||||
cmd: policy_to_conf_flags +
|
||||
"-s $(locations :microdroid_sepolicy_build_files) > $(out).conf" +
|
||||
"&& $(location checkpolicy) -M -C -c 30 -o $(out) $(out).conf",
|
||||
visibility: ["//visibility:private"],
|
||||
}
|
||||
|
||||
prebuilt_etc {
|
||||
name: "microdroid_plat_sepolicy.cil",
|
||||
src: ":microdroid_plat_sepolicy.cil_gen",
|
||||
filename: "plat_sepolicy.cil",
|
||||
relative_install_path: "selinux",
|
||||
// reqd_policy_mask - a policy.conf file which contains only the bare minimum
|
||||
// policy necessary to use checkpolicy.
|
||||
//
|
||||
// This bare-minimum policy needs to be present in all policy.conf files, but
|
||||
// should not necessarily be exported as part of the public policy.
|
||||
//
|
||||
// The rules generated by reqd_policy_mask will allow the compilation of public
|
||||
// policy and subsequent removal of CIL policy that should not be exported.
|
||||
se_policy_conf {
|
||||
name: "reqd_policy_mask.conf",
|
||||
srcs: [":se_build_files{.reqd_mask}"],
|
||||
installable: false,
|
||||
}
|
||||
|
||||
genrule {
|
||||
name: "microdroid_reqd_policy_mask.cil_gen",
|
||||
srcs: [":microdroid_sepolicy_reqd_mask_build_files"],
|
||||
tools: ["m4", "checkpolicy"],
|
||||
out: ["reqd_policy_mask.cil"],
|
||||
cmd: policy_to_conf_flags +
|
||||
"-s $(in) > $(out).conf" +
|
||||
"&& $(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf",
|
||||
visibility: ["//visibility:private"],
|
||||
se_policy_cil {
|
||||
name: "reqd_policy_mask.cil",
|
||||
src: ":reqd_policy_mask.conf",
|
||||
secilc_check: false,
|
||||
installable: false,
|
||||
}
|
||||
|
||||
// pub_policy - policy that will be exported to be a part of non-platform
|
||||
// policy corresponding to this platform version.
|
||||
//
|
||||
// This is a limited subset of policy that would not compile in checkpolicy on
|
||||
// its own.
|
||||
//
|
||||
// To get around this limitation, add only the required files from private
|
||||
// policy, which will generate CIL policy that will then be filtered out by the
|
||||
// reqd_policy_mask.
|
||||
//
|
||||
// There are three pub_policy.cil files below:
|
||||
// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
|
||||
// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
|
||||
// - plat_pub_policy.cil: exported 'system' policy.
|
||||
//
|
||||
// Those above files will in turn be used to generate the following versioned cil files:
|
||||
// - product_mapping_file: the versioned, exported 'product' policy in product partition.
|
||||
// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
|
||||
// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
|
||||
// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
|
||||
// in vendor partition.
|
||||
//
|
||||
se_policy_conf {
|
||||
name: "pub_policy.conf",
|
||||
srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
|
||||
installable: false,
|
||||
}
|
||||
|
||||
se_policy_cil {
|
||||
name: "pub_policy.cil",
|
||||
src: ":pub_policy.conf",
|
||||
filter_out: [":reqd_policy_mask.cil"],
|
||||
secilc_check: false,
|
||||
installable: false,
|
||||
}
|
||||
|
||||
se_policy_conf {
|
||||
name: "system_ext_pub_policy.conf",
|
||||
srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
|
||||
installable: false,
|
||||
}
|
||||
|
||||
se_policy_cil {
|
||||
name: "system_ext_pub_policy.cil",
|
||||
src: ":system_ext_pub_policy.conf",
|
||||
filter_out: [":reqd_policy_mask.cil"],
|
||||
secilc_check: false,
|
||||
installable: false,
|
||||
}
|
||||
|
||||
se_policy_conf {
|
||||
name: "plat_pub_policy.conf",
|
||||
srcs: [":se_build_files{.plat_public}"],
|
||||
installable: false,
|
||||
}
|
||||
|
||||
se_policy_cil {
|
||||
name: "plat_pub_policy.cil",
|
||||
src: ":plat_pub_policy.conf",
|
||||
filter_out: [":reqd_policy_mask.cil"],
|
||||
secilc_check: false,
|
||||
installable: false,
|
||||
}
|
||||
|
||||
// plat_policy.conf - A combination of the private and public platform policy
|
||||
// which will ship with the device.
|
||||
//
|
||||
// The platform will always reflect the most recent platform version and is not
|
||||
// currently being attributized.
|
||||
se_policy_conf {
|
||||
name: "plat_sepolicy.conf",
|
||||
srcs: [":se_build_files{.plat}"],
|
||||
installable: false,
|
||||
}
|
||||
|
||||
se_policy_cil {
|
||||
name: "plat_sepolicy.cil",
|
||||
src: ":plat_sepolicy.conf",
|
||||
additional_cil_files: ["private/technical_debt.cil"],
|
||||
}
|
||||
|
||||
// system_ext_policy.conf - A combination of the private and public system_ext
|
||||
// policy which will ship with the device. System_ext policy is not attributized
|
||||
se_policy_conf {
|
||||
name: "system_ext_sepolicy.conf",
|
||||
srcs: [":se_build_files{.system_ext}"],
|
||||
installable: false,
|
||||
}
|
||||
|
||||
se_policy_cil {
|
||||
name: "system_ext_sepolicy.cil",
|
||||
src: ":system_ext_sepolicy.conf",
|
||||
system_ext_specific: true,
|
||||
filter_out: [":plat_sepolicy.cil"],
|
||||
remove_line_marker: true,
|
||||
}
|
||||
|
||||
// product_policy.conf - A combination of the private and public product policy
|
||||
// which will ship with the device. Product policy is not attributized
|
||||
se_policy_conf {
|
||||
name: "product_sepolicy.conf",
|
||||
srcs: [":se_build_files{.product}"],
|
||||
installable: false,
|
||||
}
|
||||
|
||||
se_policy_cil {
|
||||
name: "product_sepolicy.cil",
|
||||
src: ":product_sepolicy.conf",
|
||||
product_specific: true,
|
||||
filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
|
||||
remove_line_marker: true,
|
||||
}
|
||||
|
||||
//////////////////////////////////
|
||||
// SELinux policy embedded into CTS.
|
||||
// CTS checks neverallow rules of this policy against the policy of the device under test.
|
||||
//////////////////////////////////
|
||||
se_policy_conf {
|
||||
name: "general_sepolicy.conf",
|
||||
srcs: [":se_build_files{.plat}"],
|
||||
build_variant: "user",
|
||||
cts: true,
|
||||
exclude_build_test: true,
|
||||
}
|
||||
|
||||
//////////////////////////////////
|
||||
// modules for microdroid
|
||||
// TODO(b/178993690): migrate Android.mk to Android.bp and remove below
|
||||
//////////////////////////////////
|
||||
genrule {
|
||||
name: "microdroid_plat_mapping_file_gen",
|
||||
srcs: [":microdroid_sepolicy_public_and_reqd_mask_build_files", ":microdroid_reqd_policy_mask.cil_gen"],
|
||||
tools: ["m4", "checkpolicy", "build_sepolicy", "version_policy"],
|
||||
srcs: [":plat_pub_policy.cil", ":reqd_policy_mask.cil"],
|
||||
tools: ["build_sepolicy", "version_policy"],
|
||||
out: ["10000.0.cil"],
|
||||
cmd: policy_to_conf_flags +
|
||||
"-s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf" +
|
||||
"&& $(location checkpolicy) -M -C -c 30 -o $(out).pub $(out).conf" +
|
||||
"&& $(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out).pub" +
|
||||
"&& $(location version_policy) -b $(out).pub -m -n 10000.0 -o $(out)",
|
||||
cmd: "$(location build_sepolicy) filter_out -f $(location :reqd_policy_mask.cil) -t $(location :plat_pub_policy.cil)" +
|
||||
"&& $(location version_policy) -b $(location :plat_pub_policy.cil) -m -n 10000.0 -o $(out)",
|
||||
visibility: ["//visibility:private"],
|
||||
}
|
||||
|
||||
|
@ -635,34 +688,29 @@ prebuilt_etc {
|
|||
installable: false,
|
||||
}
|
||||
|
||||
///////////////////////////////////////////////////////////////////
|
||||
genrule {
|
||||
name: "microdroid_pub_policy.cil_gen",
|
||||
srcs: [
|
||||
":microdroid_sepolicy_public_and_reqd_mask_build_files",
|
||||
":microdroid_reqd_policy_mask.cil_gen",
|
||||
],
|
||||
tools: ["m4", "checkpolicy", "build_sepolicy"],
|
||||
out: ["pub_policy.cil"],
|
||||
cmd: policy_to_conf_flags + " -s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf && " +
|
||||
"$(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf && " +
|
||||
"$(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out)",
|
||||
visibility: ["//visibility:private"],
|
||||
}
|
||||
|
||||
// Normally plat_pub_versioned.cil is built from pub_policy.cil (including system_ext and product).
|
||||
// But microdroid only has system, so its plat_pub_versioned.cil uses plat_pub_policy.cil.
|
||||
genrule {
|
||||
name: "microdroid_plat_pub_versioned.cil_gen",
|
||||
srcs: [":microdroid_pub_policy.cil_gen"],
|
||||
srcs: [":plat_pub_policy.cil"],
|
||||
tools: ["version_policy"],
|
||||
out: ["plat_pub_versioned.cil"],
|
||||
cmd: "$(location version_policy) " +
|
||||
"-b $(location :microdroid_pub_policy.cil_gen) " +
|
||||
"-t $(location :microdroid_pub_policy.cil_gen) " +
|
||||
"-b $(location :plat_pub_policy.cil) " +
|
||||
"-t $(location :plat_pub_policy.cil) " +
|
||||
"-n 10000.0 " +
|
||||
"-o $(out)",
|
||||
visibility: ["//visibility:private"],
|
||||
}
|
||||
|
||||
prebuilt_etc {
|
||||
name: "microdroid_plat_pub_versioned.cil",
|
||||
src: ":microdroid_plat_pub_versioned.cil_gen",
|
||||
filename: "plat_pub_versioned.cil",
|
||||
relative_install_path: "selinux",
|
||||
installable: false,
|
||||
}
|
||||
|
||||
filegroup {
|
||||
name: "microdroid_vendor_sepolicy_build_files",
|
||||
srcs: [
|
||||
|
@ -689,13 +737,28 @@ filegroup {
|
|||
],
|
||||
}
|
||||
|
||||
// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch,
|
||||
// these configurations should be fine to test microdroid on normal devices with full treble.
|
||||
// The exception is target_arch. But as target_arch is meaningful only on mips, and as we are not
|
||||
// running microdroid on mips for now, we skip assigning target_arch here. After cil files are fully
|
||||
// migrated into Soong, these will have correct values.
|
||||
policy_to_conf_flags = "$(location m4) --fatal-warnings " +
|
||||
"-D mls_num_sens=1 -D mls_num_cats=1024 " +
|
||||
"-D target_build_variant=userdebug " +
|
||||
"-D target_with_asan=false " +
|
||||
"-D target_with_native_coverage=false " +
|
||||
"-D target_full_treble=true " +
|
||||
"-D target_compatible_property=true " +
|
||||
"-D target_treble_sysprop_neverallow=true " +
|
||||
"-D target_enforce_sysprop_owner=true "
|
||||
|
||||
genrule {
|
||||
name: "microdroid_vendor_sepolicy.cil_gen",
|
||||
srcs: [
|
||||
":microdroid_vendor_sepolicy_build_files",
|
||||
":microdroid_plat_pub_versioned.cil_gen",
|
||||
":microdroid_pub_policy.cil_gen",
|
||||
":microdroid_reqd_policy_mask.cil_gen",
|
||||
":pub_policy.cil",
|
||||
":reqd_policy_mask.cil",
|
||||
],
|
||||
tools: [
|
||||
"m4",
|
||||
|
@ -711,9 +774,9 @@ genrule {
|
|||
"build_cil " +
|
||||
"--input_policy_conf $(out).conf " +
|
||||
"--checkpolicy_env ASAN_OPTIONS=detect_leaks=0 " +
|
||||
"--base_policy $(location :microdroid_pub_policy.cil_gen) " +
|
||||
"--base_policy $(location :pub_policy.cil) " +
|
||||
"--filter_out_files $(location :microdroid_plat_pub_versioned.cil_gen) " +
|
||||
"--reqd_mask $(location :microdroid_reqd_policy_mask.cil_gen) " +
|
||||
"--reqd_mask $(location :reqd_policy_mask.cil) " +
|
||||
"--treble_sepolicy_vers 10000.0 " +
|
||||
"--policy_vers 30 " +
|
||||
"--output_cil $(out)",
|
||||
|
@ -727,38 +790,3 @@ prebuilt_etc {
|
|||
relative_install_path: "selinux",
|
||||
installable: false,
|
||||
}
|
||||
|
||||
prebuilt_etc {
|
||||
name: "microdroid_plat_pub_versioned.cil",
|
||||
src: ":microdroid_plat_pub_versioned.cil_gen",
|
||||
filename: "plat_pub_versioned.cil",
|
||||
relative_install_path: "selinux",
|
||||
installable: false,
|
||||
}
|
||||
|
||||
se_build_files {
|
||||
name: "se_build_files",
|
||||
srcs: [
|
||||
"security_classes",
|
||||
"initial_sids",
|
||||
"access_vectors",
|
||||
"global_macros",
|
||||
"neverallow_macros",
|
||||
"mls_macros",
|
||||
"mls_decl",
|
||||
"mls",
|
||||
"policy_capabilities",
|
||||
"te_macros",
|
||||
"attributes",
|
||||
"ioctl_defines",
|
||||
"ioctl_macros",
|
||||
"*.te",
|
||||
"roles_decl",
|
||||
"roles",
|
||||
"users",
|
||||
"initial_sid_contexts",
|
||||
"fs_use",
|
||||
"genfs_contexts",
|
||||
"port_contexts",
|
||||
],
|
||||
}
|
||||
|
|
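Review bot: In `microdroid_plat_mapping_file_gen` the new cmd runs `build_sepolicy filter_out -f $(location :reqd_policy_mask.cil) -t $(location :plat_pub_policy.cil)`, and if filter_out rewrites its `-t` file in place (which the old `-t $(out).pub` form and the Android.mk `-t $@` recipes suggest), this genrule is modifying another module's output instead of its own `$(out)`. The step also looks redundant, because `plat_pub_policy.cil` is already declared with `filter_out: [":reqd_policy_mask.cil"]`; dropping it leaves `cmd: "$(location version_policy) -b $(location :plat_pub_policy.cil) -m -n 10000.0 -o $(out)",` with `srcs: [":plat_pub_policy.cil"],` and `tools: ["version_policy"],`. Separately, `microdroid_vendor_sepolicy.cil_gen` now passes `--base_policy $(location :pub_policy.cil)` while its `--filter_out_files` is `microdroid_plat_pub_versioned.cil_gen`, which the comment above it says is built from `plat_pub_policy.cil` because microdroid carries only system policy; if build_cil versions the vendor policy against the base, `:plat_pub_policy.cil` would be the consistent choice there too (that genrule spans the third and fourth hunks).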
369
Android.mk
369
Android.mk
|
@ -741,209 +741,36 @@ built_sepolicy_neverallows += $(LOCAL_BUILT_MODULE)
|
|||
endif # ifeq ($(mixed_sepolicy_build),true)
|
||||
|
||||
##################################
|
||||
# reqd_policy_mask - a policy.conf file which contains only the bare minimum
|
||||
# policy necessary to use checkpolicy. This bare-minimum policy needs to be
|
||||
# present in all policy.conf files, but should not necessarily be exported as
|
||||
# part of the public policy. The rules generated by reqd_policy_mask will allow
|
||||
# the compilation of public policy and subsequent removal of CIL policy that
|
||||
# should not be exported.
|
||||
|
||||
policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
|
||||
reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
|
||||
$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
|
||||
$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
|
||||
$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
|
||||
$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
|
||||
$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
||||
$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
|
||||
$(reqd_policy_mask.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
|
||||
$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(reqd_policy_mask.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
# b/37755687
|
||||
CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
|
||||
|
||||
reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
|
||||
$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
|
||||
@mkdir -p $(dir $@)
|
||||
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
|
||||
$(POLICYVERS) -o $@ $<
|
||||
|
||||
reqd_policy_mask.conf :=
|
||||
# plat policy files are now built with Android.bp. Grab them from intermediate.
|
||||
# See Android.bp for details of plat policy files.
|
||||
#
|
||||
reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
|
||||
reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
|
||||
|
||||
##################################
|
||||
# pub_policy - policy that will be exported to be a part of non-platform
|
||||
# policy corresponding to this platform version. This is a limited subset of
|
||||
# policy that would not compile in checkpolicy on its own. To get around this
|
||||
# limitation, add only the required files from private policy, which will
|
||||
# generate CIL policy that will then be filtered out by the reqd_policy_mask.
|
||||
#
|
||||
# There are three pub_policy.cil files below:
|
||||
# - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
|
||||
# - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
|
||||
# - plat_pub_policy.cil: exported 'system' policy.
|
||||
#
|
||||
# Those above files will in turn be used to generate the following versioned cil files:
|
||||
# - product_mapping_file: the versioned, exported 'product' policy in product partition.
|
||||
# - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
|
||||
# - plat_mapping_file: the versioned, exported 'system' policy in system partition.
|
||||
# - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system'
|
||||
# policy in vendor partition.
|
||||
#
|
||||
policy_files := $(call build_policy, $(sepolicy_build_files), \
|
||||
$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
|
||||
pub_policy.conf := $(intermediates)/pub_policy.conf
|
||||
$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
|
||||
$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
|
||||
$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
|
||||
$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
|
||||
$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
||||
$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
|
||||
$(pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
|
||||
$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(pub_policy.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
pub_policy.cil := $(intermediates)/pub_policy.cil
|
||||
$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf)
|
||||
$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
|
||||
$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
|
||||
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil)
|
||||
@mkdir -p $(dir $@)
|
||||
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
|
||||
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
|
||||
-f $(PRIVATE_REQD_MASK) -t $@
|
||||
|
||||
pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
|
||||
pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
|
||||
|
||||
pub_policy.conf :=
|
||||
|
||||
##################################
|
||||
policy_files := $(call build_policy, $(sepolicy_build_files), \
|
||||
$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
|
||||
system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf
|
||||
$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
|
||||
$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
|
||||
$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
|
||||
$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
|
||||
$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
||||
$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
|
||||
$(system_ext_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
|
||||
$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(system_ext_pub_policy.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
|
||||
system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil
|
||||
$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf)
|
||||
$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
|
||||
$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
|
||||
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
|
||||
@mkdir -p $(dir $@)
|
||||
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
|
||||
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
|
||||
-f $(PRIVATE_REQD_MASK) -t $@
|
||||
|
||||
system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
|
||||
system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
|
||||
|
||||
system_ext_pub_policy.conf :=
|
||||
|
||||
##################################
|
||||
policy_files := $(call build_policy, $(sepolicy_build_files), \
|
||||
$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
|
||||
plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
|
||||
$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
|
||||
$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
|
||||
$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
|
||||
$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
|
||||
$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
||||
$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
|
||||
$(plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
|
||||
$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(plat_pub_policy.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
|
||||
plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
|
||||
$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
|
||||
$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
|
||||
$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
|
||||
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
|
||||
@mkdir -p $(dir $@)
|
||||
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
|
||||
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
|
||||
-f $(PRIVATE_REQD_MASK) -t $@
|
||||
|
||||
plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
|
||||
plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
|
||||
|
||||
plat_pub_policy.conf :=
|
||||
|
||||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := plat_sepolicy.cil
|
||||
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
|
||||
LOCAL_LICENSE_CONDITIONS := notice unencumbered
|
||||
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
# plat_policy.conf - A combination of the private and public platform policy
|
||||
# which will ship with the device. The platform will always reflect the most
|
||||
# recent platform version and is not currently being attributized.
|
||||
policy_files := $(call build_policy, $(sepolicy_build_files), \
|
||||
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
|
||||
plat_policy.conf := $(intermediates)/plat_policy.conf
|
||||
$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
|
||||
$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
|
||||
$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
|
||||
$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
|
||||
$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
||||
$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
|
||||
$(plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
|
||||
$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(plat_policy.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
|
||||
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
|
||||
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
|
||||
$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
|
||||
$(HOST_OUT_EXECUTABLES)/secilc \
|
||||
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
|
||||
$(built_sepolicy_neverallows)
|
||||
@mkdir -p $(dir $@)
|
||||
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
|
||||
$(POLICYVERS) -o $@.tmp $<
|
||||
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
|
||||
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
|
||||
$(hide) mv $@.tmp $@
|
||||
|
||||
built_plat_cil := $(LOCAL_BUILT_MODULE)
|
||||
built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
|
||||
built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
|
||||
plat_policy.conf :=
|
||||
|
||||
ifdef HAS_SYSTEM_EXT_SEPOLICY
|
||||
built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
|
||||
built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
|
||||
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
|
||||
|
||||
ifdef HAS_PRODUCT_SEPOLICY
|
||||
built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
|
||||
built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
|
||||
endif # ifdef HAS_PRODUCT_SEPOLICY
|
||||
|
||||
# b/37755687
|
||||
CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
|
||||
|
||||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
|
@ -997,128 +824,6 @@ userdebug_plat_policy.conf :=
|
|||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
ifdef HAS_SYSTEM_EXT_SEPOLICY
|
||||
LOCAL_MODULE := system_ext_sepolicy.cil
|
||||
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
|
||||
LOCAL_LICENSE_CONDITIONS := notice unencumbered
|
||||
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
# system_ext_policy.conf - A combination of the private and public system_ext policy
|
||||
# which will ship with the device. System_ext policy is not attributized.
|
||||
policy_files := $(call build_policy, $(sepolicy_build_files), \
|
||||
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
|
||||
$(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
|
||||
system_ext_policy.conf := $(intermediates)/system_ext_policy.conf
|
||||
$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
|
||||
$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
|
||||
$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
|
||||
$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
|
||||
$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
||||
$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
|
||||
$(system_ext_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
|
||||
$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(system_ext_policy.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
|
||||
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil)
|
||||
$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
|
||||
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil)
|
||||
@mkdir -p $(dir $@)
|
||||
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
|
||||
$(POLICYVERS) -o $@ $<
|
||||
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
|
||||
-f $(PRIVATE_PLAT_CIL) -t $@
|
||||
# Line markers (denoted by ;;) are malformed after above cmd. They are only
|
||||
# used for debugging, so we remove them.
|
||||
$(hide) grep -v ';;' $@ > $@.tmp
|
||||
$(hide) mv $@.tmp $@
|
||||
# Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
|
||||
# latter doesn't accidentally depend on vendor/odm policies.
|
||||
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
|
||||
$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
|
||||
|
||||
|
||||
built_system_ext_cil := $(LOCAL_BUILT_MODULE)
|
||||
built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
|
||||
system_ext_policy.conf :=
|
||||
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
|
||||
|
||||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
ifdef HAS_PRODUCT_SEPOLICY
|
||||
LOCAL_MODULE := product_sepolicy.cil
|
||||
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
|
||||
LOCAL_LICENSE_CONDITIONS := notice unencumbered
|
||||
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
# product_policy.conf - A combination of the private and public product policy
|
||||
# which will ship with the device. Product policy is not attributized.
|
||||
policy_files := $(call build_policy, $(sepolicy_build_files), \
|
||||
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
|
||||
$(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
|
||||
$(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
|
||||
product_policy.conf := $(intermediates)/product_policy.conf
|
||||
$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
|
||||
$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
|
||||
$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
|
||||
$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
|
||||
$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
|
||||
$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
|
||||
$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
|
||||
$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
|
||||
$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
|
||||
$(product_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
|
||||
$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(product_policy.conf): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
|
||||
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil)
|
||||
$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
|
||||
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
|
||||
$(built_plat_cil) $(built_system_ext_cil)
|
||||
@mkdir -p $(dir $@)
|
||||
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
|
||||
$(POLICYVERS) -o $@ $<
|
||||
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
|
||||
-f $(PRIVATE_PLAT_CIL_FILES) -t $@
|
||||
# Line markers (denoted by ;;) are malformed after above cmd. They are only
|
||||
# used for debugging, so we remove them.
|
||||
$(hide) grep -v ';;' $@ > $@.tmp
|
||||
$(hide) mv $@.tmp $@
|
||||
# Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
|
||||
# make sure that the latter doesn't accidentally depend on vendor/odm policies.
|
||||
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
|
||||
$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
|
||||
|
||||
|
||||
built_product_cil := $(LOCAL_BUILT_MODULE)
|
||||
built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
|
||||
product_policy.conf :=
|
||||
endif # ifdef HAS_PRODUCT_SEPOLICY
|
||||
|
||||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := plat_sepolicy_vers.txt
|
||||
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
|
||||
LOCAL_LICENSE_CONDITIONS := notice unencumbered
|
||||
|
@ -1687,38 +1392,6 @@ $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpo
|
|||
|
||||
sepolicy.recovery.conf :=
|
||||
|
||||
##################################
|
||||
# SELinux policy embedded into CTS.
|
||||
# CTS checks neverallow rules of this policy against the policy of the device under test.
|
||||
##################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := general_sepolicy.conf
|
||||
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
|
||||
LOCAL_LICENSE_CONDITIONS := notice unencumbered
|
||||
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := tests
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
policy_files := $(call build_policy, $(sepolicy_build_files), \
|
||||
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_ENFORCE_SYSPROP_OWNER := cts
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
|
||||
$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
|
||||
$(transform-policy-to-conf)
|
||||
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
|
||||
|
||||
##################################
|
||||
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
|
||||
#
|
||||
|
|