cc9a09953b
build_sepolicy internally uses other tools like checkpolicy and version_policy. The dependencies used to be found under out/host/linux-x86/bin. But that assumption doesn't hold when soong tries to sandbox command invocations. This change fixes the problem by setting --android_host_path to the directory where build_sepolicy is sandboxed and also by adding the internal dependencies to the `tools` property so that they are copied to the sandbox directory. Bug: N/A Test: choosecombo into aosp_x86_64 and run m out/soong/.intermediates/system/sepolicy/microdroid_vendor_sepolicy.cil_gen/gen/vendor_sepolicy.cil Change-Id: I28ae1f9013439f3ca1196b3816e0388ced5246e1
// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Every module in this package inherits the license declared below unless it
// overrides it with its own `licenses: [...]` property.
package {
    default_applicable_licenses: ["system_sepolicy_license"],
}

// Added automatically by a large-scale change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'filegroup' with "//visibility:private"
// to attach the license to, and including a comment on whether the files may be
// used in the current project.
// http://go/android-license-faq
// License metadata for system/sepolicy, visible to this package and its
// subpackages only. Both license kinds are listed because the large-scale
// change described above applied every license found in the tree.
license {
    name: "system_sepolicy_license",
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: ["NOTICE"],
    visibility: [":__subpackages__"],
}

// Shared cflag for native code that needs the policy version at compile time.
// The same number also appears literally in the microdroid genrules below as
// `checkpolicy -c 30` and `--policy_vers 30`; presumably these must stay in
// step when the policy version is bumped.
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }

// Board-side (bottom) halves of the compatibility maps, one per supported
// vendor policy version. The se_cil_compat_map modules further down stack
// these under their platform halves via bottom_half.
se_filegroup { name: "26.0.board.compat.map", srcs: ["compat/26.0/26.0.cil"], }

se_filegroup { name: "27.0.board.compat.map", srcs: ["compat/27.0/27.0.cil"], }

se_filegroup { name: "28.0.board.compat.map", srcs: ["compat/28.0/28.0.cil"], }

se_filegroup { name: "29.0.board.compat.map", srcs: ["compat/29.0/29.0.cil"], }

se_filegroup { name: "30.0.board.compat.map", srcs: ["compat/30.0/30.0.cil"], }

// Board-side halves of the per-version ignore maps; consumed as bottom_half by
// the "*.ignore.cil" se_cil_compat_map modules below.
se_filegroup { name: "26.0.board.ignore.map", srcs: ["compat/26.0/26.0.ignore.cil"], }

se_filegroup { name: "27.0.board.ignore.map", srcs: ["compat/27.0/27.0.ignore.cil"], }

se_filegroup { name: "28.0.board.ignore.map", srcs: ["compat/28.0/28.0.ignore.cil"], }

se_filegroup { name: "29.0.board.ignore.map", srcs: ["compat/29.0/29.0.ignore.cil"], }

se_filegroup { name: "30.0.board.ignore.map", srcs: ["compat/30.0/30.0.ignore.cil"], }

// Platform compatibility maps. They form a chain: each map's top_half is the
// map of the next version, and the newest version (30.0) has no top_half yet
// (the 31.0 line is left commented out until that version exists).
se_cil_compat_map {
    name: "plat_26.0.cil",
    stem: "26.0.cil",
    top_half: "plat_27.0.cil",
    bottom_half: [":26.0.board.compat.map"],
}

se_cil_compat_map {
    name: "plat_27.0.cil",
    stem: "27.0.cil",
    top_half: "plat_28.0.cil",
    bottom_half: [":27.0.board.compat.map"],
}

se_cil_compat_map {
    name: "plat_28.0.cil",
    stem: "28.0.cil",
    top_half: "plat_29.0.cil",
    bottom_half: [":28.0.board.compat.map"],
}

se_cil_compat_map {
    name: "plat_29.0.cil",
    stem: "29.0.cil",
    top_half: "plat_30.0.cil",
    bottom_half: [":29.0.board.compat.map"],
}

se_cil_compat_map {
    name: "plat_30.0.cil",
    stem: "30.0.cil",
    // top_half: "plat_31.0.cil",
    bottom_half: [":30.0.board.compat.map"],
}

// system_ext variants of the compatibility maps. Same chain shape as the
// platform maps above, same board halves, but installed to system_ext.
se_cil_compat_map {
    name: "system_ext_26.0.cil",
    system_ext_specific: true,
    stem: "26.0.cil",
    top_half: "system_ext_27.0.cil",
    bottom_half: [":26.0.board.compat.map"],
}

se_cil_compat_map {
    name: "system_ext_27.0.cil",
    system_ext_specific: true,
    stem: "27.0.cil",
    top_half: "system_ext_28.0.cil",
    bottom_half: [":27.0.board.compat.map"],
}

se_cil_compat_map {
    name: "system_ext_28.0.cil",
    system_ext_specific: true,
    stem: "28.0.cil",
    top_half: "system_ext_29.0.cil",
    bottom_half: [":28.0.board.compat.map"],
}

se_cil_compat_map {
    name: "system_ext_29.0.cil",
    system_ext_specific: true,
    stem: "29.0.cil",
    top_half: "system_ext_30.0.cil",
    bottom_half: [":29.0.board.compat.map"],
}

se_cil_compat_map {
    name: "system_ext_30.0.cil",
    system_ext_specific: true,
    stem: "30.0.cil",
    // top_half: "system_ext_31.0.cil",
    bottom_half: [":30.0.board.compat.map"],
}

// product variants of the compatibility maps, chained like the platform and
// system_ext ones above and sharing the same board halves.
se_cil_compat_map {
    name: "product_26.0.cil",
    product_specific: true,
    stem: "26.0.cil",
    top_half: "product_27.0.cil",
    bottom_half: [":26.0.board.compat.map"],
}

se_cil_compat_map {
    name: "product_27.0.cil",
    product_specific: true,
    stem: "27.0.cil",
    top_half: "product_28.0.cil",
    bottom_half: [":27.0.board.compat.map"],
}

se_cil_compat_map {
    name: "product_28.0.cil",
    product_specific: true,
    stem: "28.0.cil",
    top_half: "product_29.0.cil",
    bottom_half: [":28.0.board.compat.map"],
}

se_cil_compat_map {
    name: "product_29.0.cil",
    product_specific: true,
    stem: "29.0.cil",
    top_half: "product_30.0.cil",
    bottom_half: [":29.0.board.compat.map"],
}

se_cil_compat_map {
    name: "product_30.0.cil",
    product_specific: true,
    stem: "30.0.cil",
    // top_half: "product_31.0.cil",
    bottom_half: [":30.0.board.compat.map"],
}

// Per-version ignore maps, chained the same way as the compat maps; unlike
// those, they carry no stem and no partition flag.
se_cil_compat_map {
    name: "26.0.ignore.cil",
    top_half: "27.0.ignore.cil",
    bottom_half: [":26.0.board.ignore.map"],
}

se_cil_compat_map {
    name: "27.0.ignore.cil",
    top_half: "28.0.ignore.cil",
    bottom_half: [":27.0.board.ignore.map"],
}

se_cil_compat_map {
    name: "28.0.ignore.cil",
    top_half: "29.0.ignore.cil",
    bottom_half: [":28.0.board.ignore.map"],
}

se_cil_compat_map {
    name: "29.0.ignore.cil",
    top_half: "30.0.ignore.cil",
    bottom_half: [":29.0.board.ignore.map"],
}

se_cil_compat_map {
    name: "30.0.ignore.cil",
    // top_half: "31.0.ignore.cil",
    bottom_half: [":30.0.board.ignore.map"],
}

// Prebuilt per-version compat .cil files, installed with sub_dir
// "selinux/mapping" (i.e. alongside the generated mapping files).
prebuilt_etc { name: "26.0.compat.cil", sub_dir: "selinux/mapping", src: "private/compat/26.0/26.0.compat.cil", }

prebuilt_etc { name: "27.0.compat.cil", sub_dir: "selinux/mapping", src: "private/compat/27.0/27.0.compat.cil", }

prebuilt_etc { name: "28.0.compat.cil", sub_dir: "selinux/mapping", src: "private/compat/28.0/28.0.compat.cil", }

prebuilt_etc { name: "29.0.compat.cil", sub_dir: "selinux/mapping", src: "private/compat/29.0/29.0.compat.cil", }

prebuilt_etc { name: "30.0.compat.cil", sub_dir: "selinux/mapping", src: "private/compat/30.0/30.0.compat.cil", }

// Source filegroups for the *_contexts modules below. One group per contexts
// type so the platform/system_ext/product/vendor/odm variants can all point
// at the same input files.
se_filegroup { name: "file_contexts_files", srcs: ["file_contexts"], }

se_filegroup { name: "file_contexts_asan_files", srcs: ["file_contexts_asan"], }

se_filegroup { name: "file_contexts_overlayfs_files", srcs: ["file_contexts_overlayfs"], }

se_filegroup { name: "hwservice_contexts_files", srcs: ["hwservice_contexts"], }

se_filegroup { name: "property_contexts_files", srcs: ["property_contexts"], }

se_filegroup { name: "service_contexts_files", srcs: ["service_contexts"], }

se_filegroup { name: "keystore2_key_contexts_files", srcs: ["keystore2_key_contexts"], }

// Platform file_contexts. The base sources are the same filegroup the
// partition variants below use; ASan builds and debuggable builds add their
// own extra file_contexts, and flattened APEXes contribute apex/*-file_contexts.
file_contexts {
    name: "plat_file_contexts",
    recovery_available: true,
    srcs: [":file_contexts_files"],
    product_variables: {
        address_sanitize: {
            srcs: [":file_contexts_asan_files"],
        },
        debuggable: {
            srcs: [":file_contexts_overlayfs_files"],
        },
    },
    flatten_apex: {
        srcs: ["apex/*-file_contexts"],
    },
}

// Partition variants of file_contexts. All four read the same sources as the
// platform module; only the partition flag differs, and all are available to
// recovery.
file_contexts {
    name: "vendor_file_contexts",
    soc_specific: true,
    recovery_available: true,
    srcs: [":file_contexts_files"],
}

file_contexts {
    name: "system_ext_file_contexts",
    system_ext_specific: true,
    recovery_available: true,
    srcs: [":file_contexts_files"],
}

file_contexts {
    name: "product_file_contexts",
    product_specific: true,
    recovery_available: true,
    srcs: [":file_contexts_files"],
}

file_contexts {
    name: "odm_file_contexts",
    device_specific: true,
    recovery_available: true,
    srcs: [":file_contexts_files"],
}

// hwservice_contexts per partition. Every variant reads the shared filegroup;
// the vendor variant is the only one that also sets reqd_mask.
hwservice_contexts {
    name: "plat_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
}

hwservice_contexts {
    name: "system_ext_hwservice_contexts",
    system_ext_specific: true,
    srcs: [":hwservice_contexts_files"],
}

hwservice_contexts {
    name: "product_hwservice_contexts",
    product_specific: true,
    srcs: [":hwservice_contexts_files"],
}

hwservice_contexts {
    name: "vendor_hwservice_contexts",
    soc_specific: true,
    reqd_mask: true,
    srcs: [":hwservice_contexts_files"],
}

hwservice_contexts {
    name: "odm_hwservice_contexts",
    device_specific: true,
    srcs: [":hwservice_contexts_files"],
}

// property_contexts per partition, all recovery-available and all built from
// the shared filegroup; the vendor variant additionally sets reqd_mask.
property_contexts {
    name: "plat_property_contexts",
    recovery_available: true,
    srcs: [":property_contexts_files"],
}

property_contexts {
    name: "system_ext_property_contexts",
    system_ext_specific: true,
    recovery_available: true,
    srcs: [":property_contexts_files"],
}

property_contexts {
    name: "product_property_contexts",
    product_specific: true,
    recovery_available: true,
    srcs: [":property_contexts_files"],
}

property_contexts {
    name: "vendor_property_contexts",
    soc_specific: true,
    reqd_mask: true,
    recovery_available: true,
    srcs: [":property_contexts_files"],
}

property_contexts {
    name: "odm_property_contexts",
    device_specific: true,
    recovery_available: true,
    srcs: [":property_contexts_files"],
}

// service_contexts per partition (no odm variant here). Shared sources; the
// vendor variant also sets reqd_mask.
service_contexts {
    name: "plat_service_contexts",
    srcs: [":service_contexts_files"],
}

service_contexts {
    name: "system_ext_service_contexts",
    system_ext_specific: true,
    srcs: [":service_contexts_files"],
}

service_contexts {
    name: "product_service_contexts",
    product_specific: true,
    srcs: [":service_contexts_files"],
}

service_contexts {
    name: "vendor_service_contexts",
    soc_specific: true,
    reqd_mask: true,
    srcs: [":service_contexts_files"],
}

// keystore2_key_contexts per partition. Note the system_ext variant is named
// "system_keystore2_key_contexts" rather than "system_ext_…" like its
// siblings; the vendor variant also sets reqd_mask.
keystore2_key_contexts {
    name: "plat_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
}

keystore2_key_contexts {
    name: "system_keystore2_key_contexts",
    system_ext_specific: true,
    srcs: [":keystore2_key_contexts_files"],
}

keystore2_key_contexts {
    name: "product_keystore2_key_contexts",
    product_specific: true,
    srcs: [":keystore2_key_contexts_files"],
}

keystore2_key_contexts {
    name: "vendor_keystore2_key_contexts",
    soc_specific: true,
    reqd_mask: true,
    srcs: [":keystore2_key_contexts_files"],
}

// Exposes the private property_contexts source to vts_treble_sys_prop_test;
// visibility is restricted to that one test package.
filegroup {
    name: "private_property_contexts",
    visibility: ["//test/vts-testcase/security/system_property"],
    srcs: ["private/property_contexts"],
}

// This is a minimized set of cil modules to test microdroid.
// TODO(b/178993690): migrate cil files to Android.bp and remove below
//
// Full platform policy sources (public + private) for microdroid, in the
// order the m4 preprocessor must see them. Consumed by
// microdroid_plat_sepolicy.cil_gen below.
filegroup {
    name: "microdroid_sepolicy_build_files",
    srcs: [
        // This order is important. Should be identical to sepolicy_build_files in Android.mk
        "private/security_classes",
        "private/initial_sids",
        "private/access_vectors",
        "public/global_macros",
        "public/neverallow_macros",
        "private/mls_macros",
        "private/mls_decl",
        "private/mls",
        "private/policy_capabilities",
        "public/te_macros",
        "public/attributes",
        "private/attributes",
        "public/ioctl_defines",
        "public/ioctl_macros",
        "public/*.te",
        "private/*.te",
        "private/roles_decl",
        "public/roles",
        "private/users",
        "private/initial_sid_contexts",
        "private/fs_use",
        "private/genfs_contexts",
        "private/port_contexts",
    ],
}

// Public policy sources plus the reqd_mask sources, in m4 order. The private/
// files of the list above are replaced by their reqd_mask/ counterparts here.
// Consumed by microdroid_plat_mapping_file_gen and microdroid_pub_policy.cil_gen.
filegroup {
    name: "microdroid_sepolicy_public_and_reqd_mask_build_files",
    srcs: [
        // This order is important. Should be identical to sepolicy_build_files in Android.mk
        "reqd_mask/security_classes",
        "reqd_mask/initial_sids",
        "reqd_mask/access_vectors",
        "public/global_macros",
        "public/neverallow_macros",
        "reqd_mask/mls_macros",
        "reqd_mask/mls_decl",
        "reqd_mask/mls",
        "public/te_macros",
        "public/attributes",
        "public/ioctl_defines",
        "public/ioctl_macros",
        "public/*.te",
        "reqd_mask/*.te",
        "reqd_mask/roles_decl",
        "public/roles",
        "reqd_mask/roles",
        "reqd_mask/users",
        "reqd_mask/initial_sid_contexts",
    ],
}

// reqd_mask-only sources (no public/ files at all), in m4 order. Consumed by
// microdroid_reqd_policy_mask.cil_gen, whose output is later filtered out of
// the public policy by the other genrules.
filegroup {
    name: "microdroid_sepolicy_reqd_mask_build_files",
    srcs: [
        // This order is important. Should be identical to sepolicy_build_files in Android.mk
        "reqd_mask/security_classes",
        "reqd_mask/initial_sids",
        "reqd_mask/access_vectors",
        "reqd_mask/mls_macros",
        "reqd_mask/mls_decl",
        "reqd_mask/mls",
        "reqd_mask/*.te",
        "reqd_mask/roles_decl",
        "reqd_mask/roles",
        "reqd_mask/users",
        "reqd_mask/initial_sid_contexts",
    ],
}

// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch,
// these configurations should be fine to test microdroid on normal devices with full treble.
// The exception is target_arch. But as target_arch is meaningful only on mips, and as we are not
// running microdroid on mips for now, we skip assigning target_arch here. After cil files are fully
// migrated into Soong, these will have correct values.
//
// m4 invocation prefix shared by every microdroid genrule below. It ends in a
// trailing space on purpose: several genrules append their "-s <inputs>"
// fragment to it directly, without a leading space of their own.
// --fatal-warnings makes m4 stop on the first warning rather than emitting a
// partially expanded policy.conf.
policy_to_conf_flags = "$(location m4) --fatal-warnings " +
    "-D mls_num_sens=1 -D mls_num_cats=1024 " +
    "-D target_build_variant=userdebug " +
    "-D target_with_asan=false " +
    "-D target_with_native_coverage=false " +
    "-D target_full_treble=true " +
    "-D target_compatible_property=true " +
    "-D target_treble_sysprop_neverallow=true " +
    "-D target_enforce_sysprop_owner=true "

// Compiles microdroid's platform policy: m4 expands the policy sources into
// $(out).conf, then checkpolicy turns that into CIL.
// The two shell commands are joined with no space before "&&"; the shell
// still tokenizes "$(out).conf&&" as two words, so the pipeline is unchanged.
genrule {
    name: "microdroid_plat_sepolicy.cil_gen",
    visibility: ["//visibility:private"],
    srcs: [":microdroid_sepolicy_build_files"],
    out: ["plat_sepolicy.cil"],
    tools: ["m4", "checkpolicy"],
    cmd: policy_to_conf_flags + "-s $(locations :microdroid_sepolicy_build_files) > $(out).conf" +
        "&& $(location checkpolicy) -M -C -c 30 -o $(out) $(out).conf",
}

// Packaged copy of the generated plat_sepolicy.cil under etc/selinux. Marked
// installable: false, so nothing lands on a device image unless another module
// (presumably the microdroid image definition, not visible here) pulls it in.
prebuilt_etc {
    name: "microdroid_plat_sepolicy.cil",
    installable: false,
    relative_install_path: "selinux",
    filename: "plat_sepolicy.cil",
    src: ":microdroid_plat_sepolicy.cil_gen",
}

// Compiles the reqd_mask-only sources into reqd_policy_mask.cil. This is the
// only genrule here that passes its inputs as $(in) rather than by filegroup
// name; both spell out the same (ordered) list.
genrule {
    name: "microdroid_reqd_policy_mask.cil_gen",
    visibility: ["//visibility:private"],
    srcs: [":microdroid_sepolicy_reqd_mask_build_files"],
    out: ["reqd_policy_mask.cil"],
    tools: ["m4", "checkpolicy"],
    cmd: policy_to_conf_flags + "-s $(in) > $(out).conf" +
        "&& $(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf",
}

// Produces the 10000.0 mapping file for microdroid: compile the public +
// reqd_mask policy to $(out).pub, run build_sepolicy filter_out against the
// reqd_mask policy, then have version_policy emit the versioned mapping.
// NOTE(review): filter_out is invoked without --android_host_path, unlike the
// build_cil invocation in microdroid_vendor_sepolicy.cil_gen; presumably that
// subcommand does not shell out to the other host tools — confirm against
// build_sepolicy.py before relying on it under sandboxing.
genrule {
    name: "microdroid_plat_mapping_file_gen",
    visibility: ["//visibility:private"],
    srcs: [
        ":microdroid_sepolicy_public_and_reqd_mask_build_files",
        ":microdroid_reqd_policy_mask.cil_gen",
    ],
    out: ["10000.0.cil"],
    tools: ["m4", "checkpolicy", "build_sepolicy", "version_policy"],
    cmd: policy_to_conf_flags + "-s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf" +
        "&& $(location checkpolicy) -M -C -c 30 -o $(out).pub $(out).conf" +
        "&& $(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out).pub" +
        "&& $(location version_policy) -b $(out).pub -m -n 10000.0 -o $(out)",
}

// Packaged copy of the generated mapping file under etc/selinux/mapping; not
// installed on its own (installable: false).
prebuilt_etc {
    name: "microdroid_plat_mapping_file",
    installable: false,
    relative_install_path: "selinux/mapping",
    filename: "10000.0.cil",
    src: ":microdroid_plat_mapping_file_gen",
}

///////////////////////////////////////////////////////////////////
// Public policy for microdroid: the public + reqd_mask sources compiled to
// CIL, with the reqd_mask policy filtered back out by build_sepolicy.
genrule {
    name: "microdroid_pub_policy.cil_gen",
    visibility: ["//visibility:private"],
    srcs: [
        ":microdroid_sepolicy_public_and_reqd_mask_build_files",
        ":microdroid_reqd_policy_mask.cil_gen",
    ],
    out: ["pub_policy.cil"],
    tools: ["m4", "checkpolicy", "build_sepolicy"],
    cmd: policy_to_conf_flags + " -s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf && " +
        "$(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf && " + "$(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out)",
}

// Versions the public policy as 10000.0. Both -b (base) and -t (target) point
// at the same pub_policy.cil, so the result is the public policy versioned
// against itself.
genrule {
    name: "microdroid_plat_pub_versioned.cil_gen",
    visibility: ["//visibility:private"],
    srcs: [":microdroid_pub_policy.cil_gen"],
    out: ["plat_pub_versioned.cil"],
    tools: ["version_policy"],
    cmd: "$(location version_policy) " + "-b $(location :microdroid_pub_policy.cil_gen) " +
        "-t $(location :microdroid_pub_policy.cil_gen) " + "-n 10000.0 " + "-o $(out)",
}

// Vendor policy sources for microdroid: the same list as
// microdroid_sepolicy_public_and_reqd_mask_build_files plus "vendor/*.te".
// Consumed by microdroid_vendor_sepolicy.cil_gen. No "order is important"
// note here, but the list mirrors the ordered ones above, so presumably the
// same constraint applies.
filegroup {
    name: "microdroid_vendor_sepolicy_build_files",
    srcs: [
        "reqd_mask/security_classes",
        "reqd_mask/initial_sids",
        "reqd_mask/access_vectors",
        "public/global_macros",
        "public/neverallow_macros",
        "reqd_mask/mls_macros",
        "reqd_mask/mls_decl",
        "reqd_mask/mls",
        "public/te_macros",
        "public/attributes",
        "public/ioctl_defines",
        "public/ioctl_macros",
        "public/*.te",
        "reqd_mask/*.te",
        "vendor/*.te",
        "reqd_mask/roles_decl",
        "public/roles",
        "reqd_mask/roles",
        "reqd_mask/users",
        "reqd_mask/initial_sid_contexts",
    ],
}

// Builds microdroid's vendor_sepolicy.cil via build_sepolicy's build_cil
// subcommand. build_sepolicy runs other host tools itself (checkpolicy and
// version_policy per the commit message), so those are listed in `tools`
// too: that is what makes the genrule sandbox copy them next to
// build_sepolicy, and --android_host_path then points build_sepolicy at that
// sandbox directory instead of its out/host/linux-x86/bin default.
//
// "$$" is Soong's escape for a literal "$", so "$$(dirname ...)" is evaluated
// by the shell at build time, after Soong has expanded "$(location ...)".
//
// --checkpolicy_env passes ASAN_OPTIONS=detect_leaks=0 into checkpolicy's
// environment; presumably so an ASan-instrumented host checkpolicy is not
// failed by LeakSanitizer reports during the build — confirm against
// build_sepolicy.py. This only affects the build-time tool, not the policy.
genrule {
    name: "microdroid_vendor_sepolicy.cil_gen",
    srcs: [
        ":microdroid_vendor_sepolicy_build_files",
        ":microdroid_plat_pub_versioned.cil_gen",
        ":microdroid_pub_policy.cil_gen",
        ":microdroid_reqd_policy_mask.cil_gen",
    ],
    tools: [
        "m4",
        "build_sepolicy",
        "checkpolicy",
        "secilc",
        "version_policy",
    ],
    out: ["vendor_sepolicy.cil"],
    cmd: policy_to_conf_flags + " -s $(locations :microdroid_vendor_sepolicy_build_files) > $(out).conf && " +
        "$(location build_sepolicy) " +
        "--android_host_path $$(dirname $(location build_sepolicy)) " +
        "build_cil " +
        "--input_policy_conf $(out).conf " +
        "--checkpolicy_env ASAN_OPTIONS=detect_leaks=0 " +
        "--base_policy $(location :microdroid_pub_policy.cil_gen) " +
        "--filter_out_files $(location :microdroid_plat_pub_versioned.cil_gen) " +
        "--reqd_mask $(location :microdroid_reqd_policy_mask.cil_gen) " +
        "--treble_sepolicy_vers 10000.0 " +
        "--policy_vers 30 " +
        "--output_cil $(out)",
    visibility: ["//visibility:private"],
}

// Packaged copy of the generated vendor_sepolicy.cil under etc/selinux; not
// installed on its own (installable: false).
prebuilt_etc {
    name: "microdroid_vendor_sepolicy.cil",
    installable: false,
    relative_install_path: "selinux",
    filename: "vendor_sepolicy.cil",
    src: ":microdroid_vendor_sepolicy.cil_gen",
}

// Packaged copy of the versioned public policy under etc/selinux; not
// installed on its own (installable: false).
prebuilt_etc {
    name: "microdroid_plat_pub_versioned.cil",
    installable: false,
    relative_install_path: "selinux",
    filename: "plat_pub_versioned.cil",
    src: ":microdroid_plat_pub_versioned.cil_gen",
}