platform_system_sepolicy/prebuilt_policy.mk
Hridya Valsaraju a885dd84c7 Revert "Revert "Add a neverallow for debugfs mounting""
This reverts commit f9dbb72654.
Issues with GSI testing fixed with
https://android-review.googlesource.com/c/platform/build/+/1686425/

Bug: 184381659
Test: manual
Change-Id: Icd07430c606e294dfaad2fc9b37d34e3dae8cbfc
2021-05-02 21:41:53 -07:00


# Copyright (C) 2020 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# prebuilt_policy.mk generates policy files from prebuilts of BOARD_SEPOLICY_VERS.
# The policy files will only be used to compile vendor and odm policies.
#
# Specifically, the following prebuilts are used...
# - system/sepolicy/prebuilts/api/{BOARD_SEPOLICY_VERS}
# - BOARD_PLAT_VENDOR_POLICY (copy of system/sepolicy/vendor from a previous release)
# - BOARD_REQD_MASK_POLICY (copy of reqd_mask from a previous release)
# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (copy of system_ext public from a previous release)
# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (copy of system_ext private from a previous release)
# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (copy of product public from a previous release)
# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (copy of product private from a previous release)
#
# ... to generate the following policy files.
#
# - reqd policy mask
# - plat, system_ext, product public policy
# - plat, system_ext, product policy
# - plat, system_ext, product versioned policy
#
# These generated policy files will be used only when building vendor policies.
# They are not installed to system, system_ext, or product partition.
# Policy version (BOARD_SEPOLICY_VERS) whose prebuilts are compiled by this file.
# Every variable and output below is suffixed with it.
ver := $(BOARD_SEPOLICY_VERS)
# In-tree prebuilt platform policy for that version.
prebuilt_dir := $(LOCAL_PATH)/prebuilts/api/$(ver)
plat_public_policy_$(ver) := $(prebuilt_dir)/public
plat_private_policy_$(ver) := $(prebuilt_dir)/private
# system_ext and product prebuilt directories are taken from board configuration.
# A variable the board does not set expands to nothing, so the corresponding
# policy directories are then simply absent from the build_policy calls below.
system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
##################################
# policy-to-conf-rule: a helper macro to transform policy files to conf file.
#
# This expands to a set of rules which assign variables for transform-policy-to-conf and then call
# transform-policy-to-conf. Before calling this, policy_files must be set with build_policy macro.
#
# The expansion is meant to be passed to $(eval ...). Each $$(...) below turns into
# $(...) once $(call ...) has run, and because the target-specific assignments use
# ":=", eval expands them immediately. Every generated rule therefore snapshots the
# globals (policy_files in particular) as they are at the point of the call; later
# reassignments of policy_files do not affect rules that were already generated.
#
# NOTE(review): PRIVATE_TREBLE_SYSPROP_NEVERALLOW, PRIVATE_ENFORCE_SYSPROP_OWNER and
# PRIVATE_ENFORCE_DEBUGFS_RESTRICTION are presumably read by transform-policy-to-conf
# (defined outside this file) to switch neverallow enforcement on or off -- confirm
# there. A global that is unset at call time yields an empty value here without any
# diagnostic, so a misspelled or late-assigned switch would go unnoticed.
#
# $(1): output path (.conf file)
define policy-to-conf-rule
$(1): PRIVATE_MLS_SENS := $$(MLS_SENS)
$(1): PRIVATE_MLS_CATS := $$(MLS_CATS)
$(1): PRIVATE_TARGET_BUILD_VARIANT := $$(TARGET_BUILD_VARIANT)
$(1): PRIVATE_TGT_ARCH := $$(my_target_arch)
$(1): PRIVATE_TGT_WITH_ASAN := $$(with_asan)
$(1): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $$(with_native_coverage)
$(1): PRIVATE_ADDITIONAL_M4DEFS := $$(LOCAL_ADDITIONAL_M4DEFS)
$(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
$(1): PRIVATE_POLICY_FILES := $$(policy_files)
$(1): $$(policy_files) $$(M4)
	$$(transform-policy-to-conf)
endef
##################################
# reqd_policy_mask_$(ver).cil
#
# Compiles the prebuilt reqd mask policy (BOARD_REQD_MASK_POLICY) on its own.
# The public-policy rules further down pass the resulting CIL to
# "build_sepolicy filter_out" to strip the mask from their own output.

# b/37755687
CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0

reqd_policy_mask_$(ver).conf := $(intermediates)/reqd_policy_mask_$(ver).conf
reqd_policy_mask_$(ver).cil := $(intermediates)/reqd_policy_mask_$(ver).cil

# policy_files has to be assigned before the eval: the generated .conf rule
# captures its value at that moment.
policy_files := $(call build_policy, $(sepolicy_build_files), $(BOARD_REQD_MASK_POLICY))
$(eval $(call policy-to-conf-rule,$(reqd_policy_mask_$(ver).conf)))

# The .conf is the first prerequisite, so the recipe reads it as $<.
$(reqd_policy_mask_$(ver).cil): $(reqd_policy_mask_$(ver).conf) \
  $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c $(POLICYVERS) -o $@ $<

# The .conf path is scratch state; clear it so it cannot leak into later sections.
reqd_policy_mask_$(ver).conf :=
reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
##################################
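# plat_pub_policy_$(ver).cil: exported plat policies
#
# Compiles the prebuilt platform public policy together with the reqd mask and
# then filters the mask statements back out of the result.
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(reqd_policy_$(ver)))
plat_pub_policy_$(ver).conf := $(intermediates)/plat_pub_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(plat_pub_policy_$(ver).conf)))
plat_pub_policy_$(ver).cil := $(intermediates)/plat_pub_policy_$(ver).cil
$(plat_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(plat_pub_policy_$(ver).conf)
$(plat_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
# checkpolicy is the first prerequisite, so the recipe invokes it as $<.
$(plat_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
	@mkdir -p $(dir $@)
	# Work on $@.tmp and rename last: if filter_out fails, no unfiltered file is
	# left behind under the target name looking up to date.
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_REQD_MASK) -t $@.tmp
	$(hide) mv $@.tmp $@
plat_pub_policy_$(ver).conf :=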
##################################
# plat_mapping_cil_$(ver).cil: versioned exported system policy
#
# Runs version_policy in mapping mode (-m) over the exported platform policy,
# tagging the result with version $(ver).
plat_mapping_cil_$(ver) := $(intermediates)/plat_mapping_$(ver).cil
# Alias used by the system_ext/product sections and the final versioned policy.
built_plat_mapping_cil_$(ver) := $(plat_mapping_cil_$(ver))

$(plat_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
# The exported policy is the first prerequisite, so it is the -b argument ($<).
$(plat_mapping_cil_$(ver)) : $(plat_pub_policy_$(ver).cil) \
  $(HOST_OUT_EXECUTABLES)/version_policy
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
##################################
# plat_policy_$(ver).cil: system policy
#
# Compiles prebuilt platform public + private policy to CIL, appends the CIL
# workaround files, and runs secilc over the result as a check (its outputs go
# to /dev/null). The target is only renamed into place after that check passes.
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) )
plat_policy_$(ver).conf := $(intermediates)/plat_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(plat_policy_$(ver).conf)))

plat_policy_$(ver).cil := $(intermediates)/plat_policy_$(ver).cil
built_plat_cil_$(ver) := $(plat_policy_$(ver).cil)

$(plat_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(plat_policy_$(ver).cil): PRIVATE_ADDITIONAL_CIL_FILES := \
  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
# The .conf comes first so that checkpolicy can take it as $<. The workaround
# CIL files are prerequisites too, so editing one of them triggers a rebuild.
$(plat_policy_$(ver).cil): $(plat_policy_$(ver).conf) \
  $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/secilc \
  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@.tmp $<
	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
		$(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
	$(hide) mv $@.tmp $@

plat_policy_$(ver).conf :=
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
##################################
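# system_ext_pub_policy_$(ver).cil: exported system and system_ext policy
#
# Compiles prebuilt platform + system_ext public policy together with the reqd
# mask and then filters the mask statements back out of the result.
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) $(reqd_policy_$(ver)))
system_ext_pub_policy_$(ver).conf := $(intermediates)/system_ext_pub_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(system_ext_pub_policy_$(ver).conf)))
system_ext_pub_policy_$(ver).cil := $(intermediates)/system_ext_pub_policy_$(ver).cil
$(system_ext_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(system_ext_pub_policy_$(ver).conf)
$(system_ext_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
# checkpolicy is the first prerequisite, so the recipe invokes it as $<.
$(system_ext_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
	@mkdir -p $(dir $@)
	# Work on $@.tmp and rename last: if filter_out fails, no unfiltered file is
	# left behind under the target name looking up to date.
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_REQD_MASK) -t $@.tmp
	$(hide) mv $@.tmp $@
system_ext_pub_policy_$(ver).conf :=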
##################################
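# system_ext_policy_$(ver).cil: system_ext policy
#
# Compiles prebuilt platform + system_ext policy, filters out everything that
# the platform CIL already provides, and checks the remainder with secilc
# together with the platform CIL. As in the plat_policy rule, all work happens
# on temporary files and the target is renamed into place only after the
# secilc check has passed, so a failed check cannot leave a finished-looking
# policy file behind.
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
  $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) )
system_ext_policy_$(ver).conf := $(intermediates)/system_ext_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(system_ext_policy_$(ver).conf)))
system_ext_policy_$(ver).cil := $(intermediates)/system_ext_policy_$(ver).cil
$(system_ext_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(system_ext_policy_$(ver).cil): PRIVATE_PLAT_CIL := $(built_plat_cil_$(ver))
# The .conf is the first prerequisite, so checkpolicy reads it as $<.
$(system_ext_policy_$(ver).cil): $(system_ext_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver))
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
		$(POLICYVERS) -o $@.tmp $<
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_PLAT_CIL) -t $@.tmp
	# Line markers (denoted by ;;) are malformed after above cmd. They are only
	# used for debugging, so we remove them.
	$(hide) grep -v ';;' $@.tmp > $@.tmp2
	# Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
	# latter doesn't accidentally depend on vendor/odm policies.
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@.tmp2 -o /dev/null -f /dev/null
	$(hide) mv $@.tmp2 $@
	$(hide) rm -f $@.tmp
system_ext_policy_$(ver).conf :=
built_system_ext_cil_$(ver) := $(system_ext_policy_$(ver).cil)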
##################################
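# system_ext_mapping_cil_$(ver).cil: versioned exported system_ext policy
#
system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
# The base policy is named explicitly rather than taken from $<, so that
# reordering or splitting the prerequisite list cannot silently change which
# file gets versioned.
$(system_ext_mapping_cil_$(ver)) : PRIVATE_BASE_CIL := $(system_ext_pub_policy_$(ver).cil)
$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil) \
  $(HOST_OUT_EXECUTABLES)/version_policy \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy \
  $(built_plat_mapping_cil_$(ver))
	@mkdir -p $(dir $@)
	# Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
	# sepolicy minus plat_mapping_file. Built in $@.tmp and renamed last so that a
	# failed filter_out does not leave an unfiltered mapping under the target name.
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $(PRIVATE_BASE_CIL) -m -n $(PRIVATE_VERS) -o $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@.tmp
	$(hide) mv $@.tmp $@
built_system_ext_mapping_cil_$(ver) := $(system_ext_mapping_cil_$(ver))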
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
ifdef HAS_PRODUCT_SEPOLICY_DIR
##################################
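# product_policy_$(ver).cil: product policy
#
# Compiles prebuilt platform + system_ext + product policy, filters out
# everything the platform and system_ext CILs already provide, and checks the
# remainder with secilc together with those CILs. All work happens on
# temporary files; the target is renamed into place only after the secilc
# check has passed.
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
  $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) \
  $(product_public_policy_$(ver)) $(product_private_policy_$(ver)) )
product_policy_$(ver).conf := $(intermediates)/product_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(product_policy_$(ver).conf)))
product_policy_$(ver).cil := $(intermediates)/product_policy_$(ver).cil
$(product_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
# One list serves both as the filter_out input and as the secilc companion files.
$(product_policy_$(ver).cil): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
# The .conf is the first prerequisite, so checkpolicy reads it as $<.
$(product_policy_$(ver).cil): $(product_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
  $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
		$(POLICYVERS) -o $@.tmp $<
	# The filter list must be PRIVATE_PLAT_CIL_FILES: it is the only CIL list set
	# for this target, and an unset name would expand to an empty -f argument.
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_PLAT_CIL_FILES) -t $@.tmp
	# Line markers (denoted by ;;) are malformed after above cmd. They are only
	# used for debugging, so we remove them.
	$(hide) grep -v ';;' $@.tmp > $@.tmp2
	# Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
	# make sure that the latter doesn't accidentally depend on vendor/odm policies.
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@.tmp2 -o /dev/null -f /dev/null
	$(hide) mv $@.tmp2 $@
	$(hide) rm -f $@.tmp
product_policy_$(ver).conf :=
built_product_cil_$(ver) := $(product_policy_$(ver).cil)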
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
##################################
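# pub_policy_$(ver).cil: exported plat, system_ext, and product policies
#
# Compiles all prebuilt public policy together with the reqd mask and then
# filters the mask statements back out of the result.
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) \
  $(product_public_policy_$(ver)) $(reqd_policy_$(ver)) )
pub_policy_$(ver).conf := $(intermediates)/pub_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(pub_policy_$(ver).conf)))
pub_policy_$(ver).cil := $(intermediates)/pub_policy_$(ver).cil
$(pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(pub_policy_$(ver).conf)
$(pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
# checkpolicy is the first prerequisite, so the recipe invokes it as $<.
$(pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
	@mkdir -p $(dir $@)
	# Work on $@.tmp and rename last: if filter_out fails, no unfiltered file is
	# left behind under the target name looking up to date.
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_REQD_MASK) -t $@.tmp
	$(hide) mv $@.tmp $@
pub_policy_$(ver).conf :=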
ifdef HAS_PRODUCT_SEPOLICY_DIR
##################################
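# product_mapping_cil_$(ver).cil: versioned exported product policy
#
product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
# The base policy is the combined public policy. It is named explicitly rather
# than taken from $<: with prerequisites spread over several dependency lines,
# which file $< refers to depends on how the build tool orders the merged
# list, and the wrong base would yield a mapping that does not describe the
# exported policy.
$(product_mapping_cil_$(ver)) : PRIVATE_BASE_CIL := $(pub_policy_$(ver).cil)
$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil) \
  $(HOST_OUT_EXECUTABLES)/build_sepolicy \
  $(HOST_OUT_EXECUTABLES)/version_policy \
  $(built_plat_mapping_cil_$(ver)) \
  $(built_system_ext_mapping_cil_$(ver))
	@mkdir -p $(dir $@)
	# Generate product mapping file as mapping file of all public sepolicy minus
	# plat_mapping_file and system_ext_mapping_file. Built in $@.tmp and renamed
	# last so that a failed filter_out does not leave an unfiltered mapping under
	# the target name.
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $(PRIVATE_BASE_CIL) -m -n $(PRIVATE_VERS) -o $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_FILTER_CIL_FILES) -t $@.tmp
	$(hide) mv $@.tmp $@
built_product_mapping_cil_$(ver) := $(product_mapping_cil_$(ver))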
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
##################################
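# plat_pub_versioned_$(ver).cil - the exported platform policy
#
# Versions the combined public policy and then runs secilc over it together
# with every plat/system_ext/product CIL and mapping file built above. secilc
# is invoked with -N here, i.e. this step does not evaluate neverallow rules;
# its outputs go to /dev/null, so it only checks that the set compiles.
plat_pub_versioned_$(ver).cil := $(intermediates)/plat_pub_versioned_$(ver).cil
$(plat_pub_versioned_$(ver).cil) : PRIVATE_VERS := $(ver)
$(plat_pub_versioned_$(ver).cil) : PRIVATE_TGT_POL := $(pub_policy_$(ver).cil)
# CIL lists for partitions that are not built expand to nothing.
$(plat_pub_versioned_$(ver).cil) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) \
  $(built_product_cil_$(ver)) $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) \
  $(built_product_mapping_cil_$(ver))
# pub_policy_$(ver).cil is the first prerequisite, so it is also the -b base ($<).
$(plat_pub_versioned_$(ver).cil) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
  $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) $(built_product_cil_$(ver)) \
  $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) $(built_product_mapping_cil_$(ver))
	@mkdir -p $(dir $@)
	# Write to $@.tmp and rename only after secilc accepts the result, so a failed
	# check does not leave a finished-looking file under the target name.
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
		$(PRIVATE_DEP_CIL_FILES) $@.tmp -o /dev/null -f /dev/null
	$(hide) mv $@.tmp $@
built_pub_vers_cil_$(ver) := $(plat_pub_versioned_$(ver).cil)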