Adding sepolicy testcase for system_ext and product.

Types defined in system_ext/public or product/public can be referenced by vendor side so it is important to make sure functionality is not broken across version bumps. So we are adding the treble sepolicy test cases for system_ext and product sepolicy. Bug: 173571515 Change-Id: Ia45979497029f83b1ae6712d2d26ffab263a7f91 Merged-In: Ia45979497029f83b1ae6712d2d26ffab263a7f91
2021-03-22 15:55:09 +05:30 · 2021-03-22 15:55:09 +05:30 · cd05d74494
commit cd05d74494
parent 3ca8160351
3 changed files with 224 additions and 14 deletions
--- a/Android.bp
+++ b/Android.bp
@ -294,6 +294,20 @@ se_cil_compat_map {
    // top_half: "31.0.ignore.cil",
 }

+se_cil_compat_map {
+    name: "system_ext_30.0.ignore.cil",
+    bottom_half: [":30.0.board.ignore.map"],
+    // top_half: "system_ext_31.0.ignore.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_30.0.ignore.cil",
+    bottom_half: [":30.0.board.ignore.map"],
+    // top_half: "product_31.0.ignore.cil",
+    product_specific: true,
+}
+
 se_compat_cil {
    name: "26.0.compat.cil",
    srcs: [":26.0.board.compat.cil"],
--- a/Android.mk
+++ b/Android.mk
@ -1487,6 +1487,130 @@ $(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_polic
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
 		-f $(PRIVATE_REQD_MASK) -t $@

+
+#####################################################
+intermediates := $(call intermediates-dir-for,ETC,built_system_ext_sepolicy,,,,)
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
+base_system_ext_policy.conf := $(intermediates)/base_system_ext_policy.conf
+$(base_system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_system_ext_policy.conf): $(policy_files) $(M4)
+	$(transform-policy-to-conf)
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+built_system_ext_sepolicy := $(intermediates)/built_system_ext_sepolicy
+$(built_system_ext_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(built_system_ext_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(built_system_ext_sepolicy): $(base_system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/secilc \
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+$(built_sepolicy_neverallows)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+                $(POLICYVERS) -o $@ $<
+	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+base_system_ext_pub_policy.conf := $(intermediates)/base_system_ext_pub_policy.conf
+$(base_system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_system_ext_pub_policy.conf): $(policy_files) $(M4)
+	$(transform-policy-to-conf)
+
+base_system_ext_pub_policy.cil := $(intermediates)/base_system_ext_pub_policy.cil
+$(base_system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(base_system_ext_pub_policy.conf)
+$(base_system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(base_system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+		-f $(PRIVATE_REQD_MASK) -t $@
+
+
+################################################################################
+intermediates := $(call intermediates-dir-for,ETC,built_product_sepolicy,,,,)
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+base_product_policy.conf := $(intermediates)/base_product_policy.conf
+$(base_product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_product_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_product_policy.conf): $(policy_files) $(M4)
+	$(transform-policy-to-conf)
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+built_product_sepolicy := $(intermediates)/built_product_sepolicy
+$(built_product_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(built_product_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(built_product_sepolicy): $(base_product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/secilc \
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+$(built_sepolicy_neverallows)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+                $(POLICYVERS) -o $@ $<
+	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+base_product_pub_policy.conf := $(intermediates)/base_product_pub_policy.conf
+$(base_product_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_product_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_product_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_product_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_product_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_product_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_product_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_product_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_product_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_product_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_product_pub_policy.conf): $(policy_files) $(M4)
+	$(transform-policy-to-conf)
+
+base_product_pub_policy.cil := $(intermediates)/base_product_pub_policy.cil
+$(base_product_pub_policy.cil): PRIVATE_POL_CONF := $(base_product_pub_policy.conf)
+$(base_product_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(base_product_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_product_pub_policy.conf) $(reqd_policy_mask.cil)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+                -f $(PRIVATE_REQD_MASK) -t $@
+
 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 # Tests for Treble compatibility of current platform policy and vendor policy of
 # given release version.
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@ -11,6 +11,27 @@ LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
 LOCAL_MODULE_CLASS := FAKE
 LOCAL_MODULE_TAGS := optional

+# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
+# make file of the system_ext partition.
+SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
+# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
+# make file of the product partition.
+PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
+# BOARD_PLAT_PUB_VERSIONED_POLICY - path_to_plat_pub_versioned_of_vendor
+# plat_pub_versioned.cil should be in
+# $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version) dir.
+# plat_pub_versioned.cil should have platform, system_ext and product sepolicies
+# similar to system/sepolicy/prebuilts/api/$(version/plat_pub_verioned.cil file.
+# In order to enable treble sepolicy tests for platform, system_ext and product
+# sepolicies SYSTEM_EXT_PREBUILT_POLICY , PRODUCT_PREBUILT_POLICY and
+# BOARD_PLAT_PUB_VERSIONED_POLICY should be set.
+IS_TREBLE_TEST_ENABLED_PARTNER := false
+ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
+ifneq (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
+IS_TREBLE_TEST_ENABLED_PARTNER := true
+endif # (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
+endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
+
 include $(BUILD_SYSTEM)/base_rules.mk

 # $(version)_plat - the platform policy shipped as part of the $(version) release.  This is
@ -19,6 +40,20 @@ include $(BUILD_SYSTEM)/base_rules.mk
 # been maintained by our mapping files.
 $(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
 $(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
+$(version)_PLAT_PUBLIC_POLICY += \
+    $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
+$(version)_PLAT_PRIVATE_POLICY += \
+    $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
+endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
+ifneq (,$(PRODUCT_PREBUILT_POLICY))
+$(version)_PLAT_PUBLIC_POLICY += \
+    $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
+$(version)_PLAT_PRIVATE_POLICY += \
+    $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
+endif # (,$(PRODUCT_PREBUILT_POLICY))
+endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
 $(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
 $($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
@ -52,7 +87,6 @@ $(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXE

 $(version)_plat_policy.conf :=

-
 # $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
 # targeting the $(version) SELinux release.  This ensures that our policy will build
 # when used on a device that has non-platform policy targetting the $(version) release.
@ -61,6 +95,21 @@ $(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/
 $(version)_mapping.ignore.cil := \
    $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
 $(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
+$(version)_mapping.cil += \
+    $(call intermediates-dir-for,ETC,system_ext_$(version).cil)/system_ext_$(version).cil
+$(version)_mapping.ignore.cil += \
+    $(call intermediates-dir-for,ETC,system_ext_$(version).ignore.cil)/system_ext_$(version).ignore.cil
+endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
+ifneq (,$(PRODUCT_PREBUILT_POLICY))
+$(version)_mapping.cil += \
+    $(call intermediates-dir-for,ETC,product_$(version).cil)/product_$(version).cil
+$(version)_mapping.ignore.cil += \
+    $(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
+endif # (,$(PRODUCT_PREBUILT_POLICY))
+$(version)_prebuilts_dir := $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version)
+endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)

 # vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
 # nonplat_sepolicy.cil.
@ -70,10 +119,18 @@ ifeq (,$(wildcard $($(version)_nonplat)))
 $(version)_nonplat := $($(version)_prebuilts_dir)/nonplat_sepolicy.cil
 endif

-$($(version)_compat): PRIVATE_CIL_FILES := \
-$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
-$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
+cil_files := $(built_plat_cil)
+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)
+cil_files += $(built_system_ext_cil)
+endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)
+ifneq (,$(PRODUCT_PREBUILT_POLICY)
+cil_files += $(built_product_cil)
+endif # (,$(PRODUCT_PREBUILT_POLICY)
+endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+cil_files += $($(version)_mapping.cil) $($(version)_nonplat)
+$($(version)_compat): PRIVATE_CIL_FILES := $(cil_files)
+$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc $(cil_files)
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
 		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null

@ -86,32 +143,47 @@ $($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mappi
 	mkdir -p $(dir $@)
 	cat $^ > $@

+ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
+built_sepolicy_files := $(built_product_sepolicy)
+public_cil_files := $(base_product_pub_policy.cil)
+else
+built_sepolicy_files := $(built_plat_sepolicy)
+public_cil_files := $(base_plat_pub_policy.cil)
+endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 $(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(base_plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
 $(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
 ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
 # TODO(b/113124961): remove fake-treble
 $(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
 endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-  $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
-  $(base_plat_pub_policy.cil) \
+  $(all_fc_files) $(built_sepolicy) \
+  $(built_sepolicy_files) \
+  $(public_cil_files) \
  $(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
-		$(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
-		-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-		-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
-		-u $(PRIVATE_PLAT_PUB_SEPOLICY) \
-		$(PRIVATE_FAKE_TREBLE)
+                $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
+                -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+                -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
+                -u $(PRIVATE_PLAT_PUB_SEPOLICY) \
+                $(PRIVATE_FAKE_TREBLE)
 	$(hide) touch $@

+$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
+$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
+$(version)_PRODUCT_PUBLIC_POLICY :=
+$(version)_PRODUCT_PRIVATE_POLICY :=
 $(version)_PLAT_PUBLIC_POLICY :=
 $(version)_PLAT_PRIVATE_POLICY :=
+built_sepolicy_files :=
+public_cil_files :=
+cil_files :=
 $(version)_compat :=
 $(version)_mapping.cil :=
 $(version)_mapping.combined.cil :=