# Copyright (C) 2020 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# prebuilt_policy.mk generates policy files from the prebuilts for the release
# named by BOARD_SEPOLICY_VERS. The generated policy files are only used to
# compile vendor and odm policies.
#
# Specifically, the following prebuilts are used...
# - system/sepolicy/prebuilts/api/{BOARD_SEPOLICY_VERS}
# - BOARD_PLAT_VENDOR_POLICY (copy of system/sepolicy/vendor from a previous release)
# - BOARD_REQD_MASK_POLICY (copy of reqd_mask from a previous release)
# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (copy of system_ext public from a previous release)
# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (copy of system_ext private from a previous release)
# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (copy of product public from a previous release)
# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (copy of product private from a previous release)
#
# ... to generate the following policy files.
#
# - reqd policy mask
# - plat, system_ext, product public policy
# - plat, system_ext, product policy
# - plat, system_ext, product versioned policy
#
# These generated policy files are used only when building vendor policies.
# They are not installed to the system, system_ext, or product partition.
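ver := $(BOARD_SEPOLICY_VERS)
prebuilt_dir := $(LOCAL_PATH)/prebuilts/api/$(ver)

# Policy source directories for release $(ver). plat comes from the in-tree
# prebuilt snapshot; system_ext and product come from the board configuration
# (and may be empty when a board has no such partition policy).
plat_public_policy_$(ver) := $(prebuilt_dir)/public
plat_private_policy_$(ver) := $(prebuilt_dir)/private
system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)

# build_policy, sepolicy_build_files, sepolicy_build_cil_workaround_files,
# intermediates, M4, POLICYVERS, NEVERALLOW_ARG, hide and
# transform-policy-to-conf are not defined in this file; they are expected to
# come from the Android.mk that includes it.

##################################
# policy-to-conf-rule: a helper macro to transform policy files to conf file.
#
# This expands to a set of rules which assign variables for transform-policy-to-conf and then call
# transform-policy-to-conf. Before calling this, policy_files must be set with build_policy macro.
#
# The $$(...) references are expanded when the generated rules are parsed by
# $(eval), i.e. with the values in effect at the call site.
#
# $(1): output path (.conf file)
define policy-to-conf-rule
$(1): PRIVATE_MLS_SENS := $$(MLS_SENS)
$(1): PRIVATE_MLS_CATS := $$(MLS_CATS)
$(1): PRIVATE_TARGET_BUILD_VARIANT := $$(TARGET_BUILD_VARIANT)
$(1): PRIVATE_TGT_ARCH := $$(my_target_arch)
$(1): PRIVATE_TGT_WITH_ASAN := $$(with_asan)
$(1): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $$(with_native_coverage)
$(1): PRIVATE_ADDITIONAL_M4DEFS := $$(LOCAL_ADDITIONAL_M4DEFS)
$(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
$(1): PRIVATE_POLICY_FILES := $$(policy_files)
$(1): $$(policy_files) $$(M4)
	$$(transform-policy-to-conf)
endef

##################################
# reqd_policy_mask_$(ver).cil
#
# Compiled from BOARD_REQD_MASK_POLICY. It is subtracted (build_sepolicy
# filter_out) from each of the public policies built below.
policy_files := $(call build_policy, $(sepolicy_build_files), $(BOARD_REQD_MASK_POLICY))
reqd_policy_mask_$(ver).conf := $(intermediates)/reqd_policy_mask_$(ver).conf
$(eval $(call policy-to-conf-rule,$(reqd_policy_mask_$(ver).conf)))

# b/37755687
CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0

reqd_policy_mask_$(ver).cil := $(intermediates)/reqd_policy_mask_$(ver).cil
$(reqd_policy_mask_$(ver).cil): $(reqd_policy_mask_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
		$(POLICYVERS) -o $@ $<

reqd_policy_mask_$(ver).conf :=

reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)

##################################
# plat_pub_policy_$(ver).cil: exported plat policies
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(reqd_policy_$(ver)))
plat_pub_policy_$(ver).conf := $(intermediates)/plat_pub_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(plat_pub_policy_$(ver).conf)))

plat_pub_policy_$(ver).cil := $(intermediates)/plat_pub_policy_$(ver).cil
$(plat_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(plat_pub_policy_$(ver).conf)
$(plat_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
# checkpolicy is deliberately the first prerequisite: the recipe runs it via $<.
$(plat_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_REQD_MASK) -t $@

plat_pub_policy_$(ver).conf :=

##################################
# plat_mapping_cil_$(ver).cil: versioned exported system policy
#
plat_mapping_cil_$(ver) := $(intermediates)/plat_mapping_$(ver).cil
$(plat_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
# The base policy is the first prerequisite; the recipe reads it via $<.
$(plat_mapping_cil_$(ver)) : $(plat_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@

built_plat_mapping_cil_$(ver) := $(plat_mapping_cil_$(ver))

##################################
# plat_policy_$(ver).cil: system policy
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) )
plat_policy_$(ver).conf := $(intermediates)/plat_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(plat_policy_$(ver).conf)))

plat_policy_$(ver).cil := $(intermediates)/plat_policy_$(ver).cil
$(plat_policy_$(ver).cil): PRIVATE_ADDITIONAL_CIL_FILES := \
  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
$(plat_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(plat_policy_$(ver).cil): $(plat_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/secilc \
  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
		$(POLICYVERS) -o $@.tmp $<
	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
	# Compile-check the result (output discarded). Neverallow handling is
	# controlled by NEVERALLOW_ARG, so violations in the prebuilt fail here
	# instead of surfacing later when vendor policy is compiled.
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
	# Only publish $@ once the check has passed.
	$(hide) mv $@.tmp $@

plat_policy_$(ver).conf :=
built_plat_cil_$(ver) := $(plat_policy_$(ver).cil)

ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
##################################
# system_ext_pub_policy_$(ver).cil: exported system and system_ext policy
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) $(reqd_policy_$(ver)))
system_ext_pub_policy_$(ver).conf := $(intermediates)/system_ext_pub_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(system_ext_pub_policy_$(ver).conf)))

system_ext_pub_policy_$(ver).cil := $(intermediates)/system_ext_pub_policy_$(ver).cil
$(system_ext_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(system_ext_pub_policy_$(ver).conf)
$(system_ext_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
# checkpolicy is deliberately the first prerequisite: the recipe runs it via $<.
$(system_ext_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_REQD_MASK) -t $@

system_ext_pub_policy_$(ver).conf :=

##################################
# system_ext_policy_$(ver).cil: system_ext policy
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
  $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) )
system_ext_policy_$(ver).conf := $(intermediates)/system_ext_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(system_ext_policy_$(ver).conf)))

system_ext_policy_$(ver).cil := $(intermediates)/system_ext_policy_$(ver).cil
$(system_ext_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(system_ext_policy_$(ver).cil): PRIVATE_PLAT_CIL := $(built_plat_cil_$(ver))
$(system_ext_policy_$(ver).cil): $(system_ext_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver))
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
		$(POLICYVERS) -o $@ $<
	# Strip everything already provided by the plat cil so $@ holds only
	# system_ext-specific statements.
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_PLAT_CIL) -t $@
	# Line markers (denoted by ;;) are malformed after above cmd. They are only
	# used for debugging, so we remove them.
	$(hide) grep -v ';;' $@ > $@.tmp
	$(hide) mv $@.tmp $@
	# Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
	# latter doesn't accidentally depend on vendor/odm policies.
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null

system_ext_policy_$(ver).conf :=
built_system_ext_cil_$(ver) := $(system_ext_policy_$(ver).cil)

##################################
# system_ext_mapping_cil_$(ver).cil: versioned exported system_ext policy
#
system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
# All prerequisites are declared on the rule that carries the recipe, with the
# base policy first, so that $< names the base policy regardless of how make
# orders prerequisites contributed by separate rule lines for the same target.
$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil) \
  $(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/build_sepolicy \
  $(built_plat_mapping_cil_$(ver))
	@mkdir -p $(dir $@)
	# Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
	# sepolicy minus plat_mapping_file.
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@

built_system_ext_mapping_cil_$(ver) := $(system_ext_mapping_cil_$(ver))
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR

ifdef HAS_PRODUCT_SEPOLICY_DIR
##################################
# product_policy_$(ver).cil: product policy
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
  $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) \
  $(product_public_policy_$(ver)) $(product_private_policy_$(ver)) )
product_policy_$(ver).conf := $(intermediates)/product_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(product_policy_$(ver).conf)))

product_policy_$(ver).cil := $(intermediates)/product_policy_$(ver).cil
$(product_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(product_policy_$(ver).cil): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
$(product_policy_$(ver).cil): $(product_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
  $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
		$(POLICYVERS) -o $@ $<
	# Strip everything already provided by the plat and system_ext cils so $@
	# holds only product-specific statements. PRIVATE_PLAT_CIL_FILES is the
	# variable assigned to this target above; PRIVATE_PLAT_CIL is never set for
	# this target and would expand to nothing, leaving -f without a file list.
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_PLAT_CIL_FILES) -t $@
	# Line markers (denoted by ;;) are malformed after above cmd. They are only
	# used for debugging, so we remove them.
	$(hide) grep -v ';;' $@ > $@.tmp
	$(hide) mv $@.tmp $@
	# Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
	# make sure that the latter doesn't accidentally depend on vendor/odm policies.
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null

product_policy_$(ver).conf :=
built_product_cil_$(ver) := $(product_policy_$(ver).cil)
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR

##################################
# pub_policy_$(ver).cil: exported plat, system_ext, and product policies
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) \
  $(product_public_policy_$(ver)) $(reqd_policy_$(ver)) )
pub_policy_$(ver).conf := $(intermediates)/pub_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(pub_policy_$(ver).conf)))

pub_policy_$(ver).cil := $(intermediates)/pub_policy_$(ver).cil
$(pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(pub_policy_$(ver).conf)
$(pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
# checkpolicy is deliberately the first prerequisite: the recipe runs it via $<.
$(pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_REQD_MASK) -t $@

pub_policy_$(ver).conf :=

ifdef HAS_PRODUCT_SEPOLICY_DIR
##################################
# product_mapping_cil_$(ver).cil: versioned exported product policy
#
product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
# As for system_ext_mapping: every prerequisite is on the recipe-carrying rule
# and the base policy (all public sepolicy) comes first, because the recipe
# passes $< to version_policy -b. Splitting the prerequisites over several
# rule lines would make $< depend on which of those lines carries the recipe.
$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil) \
  $(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/build_sepolicy \
  $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
	@mkdir -p $(dir $@)
	# Generate product mapping file as mapping file of all public sepolicy minus
	# plat_mapping_file and system_ext_mapping_file.
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_FILTER_CIL_FILES) -t $@

built_product_mapping_cil_$(ver) := $(product_mapping_cil_$(ver))
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR

##################################
# plat_pub_versioned_$(ver).cil - the exported platform policy
#
plat_pub_versioned_$(ver).cil := $(intermediates)/plat_pub_versioned_$(ver).cil
$(plat_pub_versioned_$(ver).cil) : PRIVATE_VERS := $(ver)
$(plat_pub_versioned_$(ver).cil) : PRIVATE_TGT_POL := $(pub_policy_$(ver).cil)
# Partition cils and mapping files of the partitions actually built above;
# the system_ext/product entries are empty when those partitions are absent.
$(plat_pub_versioned_$(ver).cil) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) \
  $(built_product_cil_$(ver)) $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) \
  $(built_product_mapping_cil_$(ver))
$(plat_pub_versioned_$(ver).cil) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
  $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) $(built_product_cil_$(ver)) \
  $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) $(built_product_mapping_cil_$(ver))
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
	# Compile-check $@ together with the partition cils and mapping files
	# (output discarded). Unlike the per-partition checks above this run passes
	# -N, so neverallow enforcement relies on those earlier secilc invocations.
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null

built_pub_vers_cil_$(ver) := $(plat_pub_versioned_$(ver).cil)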