Add microdroid specific sepolicy

Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.

Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/Android.bp b/microdroid/sepolicy/Android.bp
new file mode 100644
index 0000000..9bb6408
--- /dev/null
+++ b/microdroid/sepolicy/Android.bp
@@ -0,0 +1,286 @@
+system_policy_files = [
+    "system/private/security_classes",
+    "system/private/initial_sids",
+    "system/private/access_vectors",
+    "system/public/global_macros",
+    "system/public/neverallow_macros",
+    "system/private/mls_macros",
+    "system/private/mls_decl",
+    "system/private/mls",
+    "system/private/policy_capabilities",
+    "system/public/te_macros",
+    "system/public/attributes",
+    "system/private/attributes",
+    "system/public/ioctl_defines",
+    "system/public/ioctl_macros",
+    "system/public/*.te",
+    "system/private/*.te",
+    "system/private/roles_decl",
+    "system/public/roles",
+    "system/private/users",
+    "system/private/initial_sid_contexts",
+    "system/private/fs_use",
+    "system/private/genfs_contexts",
+    "system/private/port_contexts",
+]
+
+reqd_mask_files = [
+    "reqd_mask/security_classes",
+    "reqd_mask/initial_sids",
+    "reqd_mask/access_vectors",
+    "reqd_mask/mls_macros",
+    "reqd_mask/mls_decl",
+    "reqd_mask/mls",
+    "reqd_mask/reqd_mask.te",
+    "reqd_mask/roles_decl",
+    "reqd_mask/roles",
+    "reqd_mask/users",
+    "reqd_mask/initial_sid_contexts",
+]
+
+system_public_policy_files = [
+    "reqd_mask/security_classes",
+    "reqd_mask/initial_sids",
+    "reqd_mask/access_vectors",
+    "system/public/global_macros",
+    "system/public/neverallow_macros",
+    "reqd_mask/mls_macros",
+    "reqd_mask/mls_decl",
+    "reqd_mask/mls",
+    "system/public/te_macros",
+    "system/public/attributes",
+    "system/public/ioctl_defines",
+    "system/public/ioctl_macros",
+    "system/public/*.te",
+    "reqd_mask/reqd_mask.te",
+    "reqd_mask/roles_decl",
+    "reqd_mask/roles",
+    "system/public/roles",
+    "reqd_mask/users",
+    "reqd_mask/initial_sid_contexts",
+]
+
+vendor_policy_files = [
+    "reqd_mask/security_classes",
+    "reqd_mask/initial_sids",
+    "reqd_mask/access_vectors",
+    "system/public/global_macros",
+    "system/public/neverallow_macros",
+    "reqd_mask/mls_macros",
+    "reqd_mask/mls_decl",
+    "reqd_mask/mls",
+    "system/public/te_macros",
+    "system/public/attributes",
+    "system/public/ioctl_defines",
+    "system/public/ioctl_macros",
+    "system/public/*.te",
+    "reqd_mask/reqd_mask.te",
+    "vendor/*.te",
+    "reqd_mask/roles_decl",
+    "reqd_mask/roles",
+    "system/public/roles",
+    "reqd_mask/users",
+    "reqd_mask/initial_sid_contexts",
+]
+
+se_policy_conf {
+    name: "microdroid_reqd_policy_mask.conf",
+    srcs: reqd_mask_files,
+    installable: false,
+}
+
+se_policy_cil {
+    name: "microdroid_reqd_policy_mask.cil",
+    src: ":microdroid_reqd_policy_mask.conf",
+    secilc_check: false,
+    installable: false,
+}
+
+se_policy_conf {
+    name: "microdroid_plat_sepolicy.conf",
+    srcs: system_policy_files,
+    installable: false,
+}
+
+se_policy_cil {
+    name: "microdroid_plat_sepolicy.cil",
+    stem: "plat_sepolicy.cil",
+    src: ":microdroid_plat_sepolicy.conf",
+    additional_cil_files: ["system/private/technical_debt.cil"],
+    installable: false,
+}
+
+se_policy_conf {
+    name: "microdroid_plat_pub_policy.conf",
+    srcs: system_public_policy_files,
+    installable: false,
+}
+
+se_policy_cil {
+    name: "microdroid_plat_pub_policy.cil",
+    src: ":microdroid_plat_pub_policy.conf",
+    filter_out: [":microdroid_reqd_policy_mask.cil"],
+    secilc_check: false,
+    installable: false,
+}
+
+se_versioned_policy {
+    name: "microdroid_plat_mapping_file",
+    base: ":microdroid_plat_pub_policy.cil",
+    mapping: true,
+    version: "current",
+    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
+    installable: false,
+}
+
+se_versioned_policy {
+    name: "microdroid_plat_pub_versioned.cil",
+    stem: "plat_pub_versioned.cil",
+    base: ":microdroid_plat_pub_policy.cil",
+    target_policy: ":microdroid_plat_pub_policy.cil",
+    version: "current",
+    dependent_cils: [
+        ":microdroid_plat_sepolicy.cil",
+        ":microdroid_plat_mapping_file",
+    ],
+    installable: false,
+}
+
+se_policy_conf {
+    name: "microdroid_vendor_sepolicy.conf",
+    srcs: vendor_policy_files,
+    installable: false,
+}
+
+se_policy_cil {
+    name: "microdroid_vendor_sepolicy.cil.raw",
+    src: ":microdroid_vendor_sepolicy.conf",
+    filter_out: [":microdroid_reqd_policy_mask.cil"],
+    secilc_check: false, // will be done in se_versioned_policy module
+    installable: false,
+}
+
+se_versioned_policy {
+    name: "microdroid_vendor_sepolicy.cil",
+    stem: "vendor_sepolicy.cil",
+    base: ":microdroid_plat_pub_policy.cil",
+    target_policy: ":microdroid_vendor_sepolicy.cil.raw",
+    version: "current", // microdroid is bundled to system
+    dependent_cils: [
+        ":microdroid_plat_sepolicy.cil",
+        ":microdroid_plat_pub_versioned.cil",
+        ":microdroid_plat_mapping_file",
+    ],
+    filter_out: [":microdroid_plat_pub_versioned.cil"],
+    installable: false,
+}
+
+sepolicy_vers {
+    name: "microdroid_plat_sepolicy_vers.txt",
+    version: "platform",
+    stem: "plat_sepolicy_vers.txt",
+    installable: false,
+}
+
+// sepolicy sha256 for vendor
+genrule {
+    name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
+    srcs: [":microdroid_plat_sepolicy.cil", ":microdroid_plat_mapping_file"],
+    out: ["microdroid_plat_sepolicy_and_mapping.sha256"],
+    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+    name: "microdroid_plat_sepolicy_and_mapping.sha256",
+    src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
+    filename: "plat_sepolicy_and_mapping.sha256",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+    src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
+    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+genrule {
+    name: "microdroid_precompiled_sepolicy_gen",
+    tools: ["secilc"],
+    srcs: [
+        ":microdroid_plat_sepolicy.cil",
+        ":microdroid_plat_mapping_file",
+        ":microdroid_plat_pub_versioned.cil",
+        ":microdroid_vendor_sepolicy.cil",
+    ],
+    out: ["precompiled_sepolicy"],
+    cmd: "$(location secilc) -m -M true -G -c 30 $(in) -o $(out) -f /dev/null",
+}
+
+prebuilt_etc {
+    name: "microdroid_precompiled_sepolicy",
+    src: ":microdroid_precompiled_sepolicy_gen",
+    filename: "precompiled_sepolicy",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+genrule {
+    name: "microdroid_file_contexts.gen",
+    srcs: ["system/private/file_contexts"],
+    tools: ["fc_sort"],
+    out: ["file_contexts"],
+    cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+         "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
+
+prebuilt_etc {
+    name: "microdroid_file_contexts",
+    filename: "plat_file_contexts",
+    src: ":microdroid_file_contexts.gen",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+genrule {
+    name: "microdroid_vendor_file_contexts.gen",
+    srcs: ["vendor/file_contexts"],
+    tools: ["fc_sort"],
+    out: ["file_contexts"],
+    cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+         "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
+
+prebuilt_etc {
+    name: "microdroid_hwservice_contexts",
+    filename: "plat_hwservice_contexts",
+    src: "system/private/hwservice_contexts",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "microdroid_property_contexts",
+    filename: "plat_property_contexts",
+    src: "system/private/property_contexts",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "microdroid_service_contexts",
+    filename: "plat_service_contexts",
+    src: "system/private/service_contexts",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "microdroid_keystore2_key_contexts",
+    filename: "plat_keystore2_key_contexts",
+    src: "system/private/keystore2_key_contexts",
+    relative_install_path: "selinux",
+    installable: false,
+}