// Source files for the microdroid platform policy; used as `srcs` of
// microdroid_plat_sepolicy.conf.
// Order matters for review: class/permission declarations and macro files are
// listed before the .te rules, and the *_contexts/fs_use files come last.
// NOTE(review): presumably se_policy_conf processes srcs in list order, so
// confirm before reordering.
// NOTE(review): the two *.te globs pull in every type-enforcement file under
// system/public and system/private, so a file added to those directories
// changes the platform policy without any edit to this list.
system_policy_files = [
    "system/private/security_classes",
    "system/private/initial_sids",
    "system/private/access_vectors",
    "system/public/global_macros",
    "system/public/neverallow_macros",
    "system/private/mls_macros",
    "system/private/mls_decl",
    "system/private/mls",
    "system/private/policy_capabilities",
    "system/public/te_macros",
    "system/public/attributes",
    "system/private/attributes",
    "system/public/ioctl_defines",
    "system/public/ioctl_macros",
    "system/public/*.te",
    "system/private/*.te",
    "system/private/roles_decl",
    "system/public/roles",
    "system/private/users",
    "system/private/initial_sid_contexts",
    "system/private/fs_use",
    "system/private/genfs_contexts",
    "system/private/port_contexts",
]

// Source files for the "required mask" policy; used as `srcs` of
// microdroid_reqd_policy_mask.conf. The resulting CIL is passed as filter_out
// to the public and vendor se_policy_cil modules in this file.
// NOTE(review): presumably this is the minimum a policy needs in order to
// compile at all, so that it can be subtracted again afterwards. Confirm.
reqd_mask_files = [
    "reqd_mask/security_classes",
    "reqd_mask/initial_sids",
    "reqd_mask/access_vectors",
    "reqd_mask/mls_macros",
    "reqd_mask/mls_decl",
    "reqd_mask/mls",
    "reqd_mask/reqd_mask.te",
    "reqd_mask/roles_decl",
    "reqd_mask/roles",
    "reqd_mask/users",
    "reqd_mask/initial_sid_contexts",
]

// Source files for the public platform policy; used as `srcs` of
// microdroid_plat_pub_policy.conf. It combines the reqd_mask base files with
// system/public only: no system/private file appears in this list, so
// private types and rules stay out of the policy that vendor code is
// versioned against.
system_public_policy_files = [
    "reqd_mask/security_classes",
    "reqd_mask/initial_sids",
    "reqd_mask/access_vectors",
    "system/public/global_macros",
    "system/public/neverallow_macros",
    "reqd_mask/mls_macros",
    "reqd_mask/mls_decl",
    "reqd_mask/mls",
    "system/public/te_macros",
    "system/public/attributes",
    "system/public/ioctl_defines",
    "system/public/ioctl_macros",
    "system/public/*.te",
    "reqd_mask/reqd_mask.te",
    "reqd_mask/roles_decl",
    "reqd_mask/roles",
    "system/public/roles",
    "reqd_mask/users",
    "reqd_mask/initial_sid_contexts",
]

// Source files for the vendor policy; used as `srcs` of
// microdroid_vendor_sepolicy.conf. Identical to system_public_policy_files
// except for the added "vendor/*.te" glob, i.e. vendor rules are compiled
// against the public platform policy and never see system/private.
vendor_policy_files = [
    "reqd_mask/security_classes",
    "reqd_mask/initial_sids",
    "reqd_mask/access_vectors",
    "system/public/global_macros",
    "system/public/neverallow_macros",
    "reqd_mask/mls_macros",
    "reqd_mask/mls_decl",
    "reqd_mask/mls",
    "system/public/te_macros",
    "system/public/attributes",
    "system/public/ioctl_defines",
    "system/public/ioctl_macros",
    "system/public/*.te",
    "reqd_mask/reqd_mask.te",
    "vendor/*.te",
    "reqd_mask/roles_decl",
    "reqd_mask/roles",
    "system/public/roles",
    "reqd_mask/users",
    "reqd_mask/initial_sid_contexts",
]

// policy.conf for the required mask, built from reqd_mask_files.
// Build-time intermediate only (installable: false).
se_policy_conf {
    name: "microdroid_reqd_policy_mask.conf",
    srcs: reqd_mask_files,
    installable: false,
}

// CIL form of the required mask. Referenced as filter_out by
// microdroid_plat_pub_policy.cil and microdroid_vendor_sepolicy.cil.raw.
// secilc_check is turned off for this module.
// NOTE(review): presumably because the mask alone is not a complete policy.
// Confirm that nothing consumes this output unchecked.
se_policy_cil {
    name: "microdroid_reqd_policy_mask.cil",
    src: ":microdroid_reqd_policy_mask.conf",
    secilc_check: false,
    installable: false,
}

// policy.conf for the full platform policy (public + private), built from
// system_policy_files. Build-time intermediate only (installable: false).
se_policy_conf {
    name: "microdroid_plat_sepolicy.conf",
    srcs: system_policy_files,
    installable: false,
}

// Platform policy in CIL, emitted under the stem plat_sepolicy.cil, with
// system/private/technical_debt.cil added as an extra CIL file.
// secilc_check is not set here, so the module type's default applies; the
// other se_policy_cil modules in this file disable it explicitly.
se_policy_cil {
    name: "microdroid_plat_sepolicy.cil",
    stem: "plat_sepolicy.cil",
    src: ":microdroid_plat_sepolicy.conf",
    additional_cil_files: ["system/private/technical_debt.cil"],
    installable: false,
}

// policy.conf for the public platform policy, built from
// system_public_policy_files. Build-time intermediate only.
se_policy_conf {
    name: "microdroid_plat_pub_policy.conf",
    srcs: system_public_policy_files,
    installable: false,
}

// Public platform policy in CIL with the required-mask content filtered out.
// Used as `base` for every se_versioned_policy module in this file.
// secilc_check is turned off for this intermediate.
// NOTE(review): presumably the versioned outputs derived from it are what
// get checked. Confirm.
se_policy_cil {
    name: "microdroid_plat_pub_policy.cil",
    src: ":microdroid_plat_pub_policy.conf",
    filter_out: [":microdroid_reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

// Mapping file (mapping: true) generated from the public policy for version
// "current". It is an input to both the policy hash and the precompiled
// policy below.
se_versioned_policy {
    name: "microdroid_plat_mapping_file",
    base: ":microdroid_plat_pub_policy.cil",
    mapping: true,
    version: "current",
    // Intended location is /system/etc/selinux/mapping. With installable: false
    // this module does not install the file there by itself.
    relative_install_path: "mapping",
    installable: false,
}

// Versioned form of the public platform policy, emitted under the stem
// plat_pub_versioned.cil. base and target_policy are both the public policy.
// NOTE(review): dependent_cils are presumably the files this output is
// compiled together with when it is validated. Confirm against the
// se_versioned_policy module documentation.
se_versioned_policy {
    name: "microdroid_plat_pub_versioned.cil",
    stem: "plat_pub_versioned.cil",
    base: ":microdroid_plat_pub_policy.cil",
    target_policy: ":microdroid_plat_pub_policy.cil",
    version: "current",
    dependent_cils: [
        ":microdroid_plat_sepolicy.cil",
        ":microdroid_plat_mapping_file",
    ],
    installable: false,
}

// policy.conf for the vendor policy, built from vendor_policy_files.
// Build-time intermediate only.
se_policy_conf {
    name: "microdroid_vendor_sepolicy.conf",
    srcs: vendor_policy_files,
    installable: false,
}

// Unversioned vendor policy in CIL with the required-mask content filtered
// out. Consumed only as target_policy of microdroid_vendor_sepolicy.cil.
se_policy_cil {
    name: "microdroid_vendor_sepolicy.cil.raw",
    src: ":microdroid_vendor_sepolicy.conf",
    filter_out: [":microdroid_reqd_policy_mask.cil"],
    // Not checked here; the check runs in the se_versioned_policy module that
    // consumes this output, so do not use this raw file anywhere else.
    secilc_check: false,
    installable: false,
}

// Versioned vendor policy, emitted under the stem vendor_sepolicy.cil. It
// versions the raw vendor CIL against the public platform policy and filters
// out what plat_pub_versioned.cil already provides.
// Per the comment on microdroid_vendor_sepolicy.cil.raw, this is where the
// vendor policy gets its secilc check.
se_versioned_policy {
    name: "microdroid_vendor_sepolicy.cil",
    stem: "vendor_sepolicy.cil",
    base: ":microdroid_plat_pub_policy.cil",
    target_policy: ":microdroid_vendor_sepolicy.cil.raw",
    // microdroid is bundled with the system, so the vendor policy always
    // targets the "current" platform version rather than a frozen one.
    version: "current",
    dependent_cils: [
        ":microdroid_plat_sepolicy.cil",
        ":microdroid_plat_pub_versioned.cil",
        ":microdroid_plat_mapping_file",
    ],
    filter_out: [":microdroid_plat_pub_versioned.cil"],
    installable: false,
}

// Policy version file, emitted under the stem plat_sepolicy_vers.txt.
// NOTE(review): version "platform" presumably resolves to the platform's
// sepolicy version at build time. Confirm in the sepolicy_vers module.
sepolicy_vers {
    name: "microdroid_plat_sepolicy_vers.txt",
    version: "platform",
    stem: "plat_sepolicy_vers.txt",
    installable: false,
}

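// SHA-256 fingerprint of the platform policy: the digest of plat_sepolicy.cil
// followed by the mapping file, concatenated in the order listed in srcs.
// The output is the bare hex digest and a newline.
//
// Two prebuilt_etc modules consume this one output, so the files they emit
// (plat_sepolicy_and_mapping.sha256 and
// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256) are identical by
// construction.
//
// The steps are chained with && through temporary files rather than a
// `cat | sha256sum | cut` pipeline. A pipeline reports only the status of its
// last command unless the shell has pipefail enabled, so a failed read of an
// input would still yield a well-formed digest of truncated data and a
// successful build.
genrule {
    name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
    srcs: [":microdroid_plat_sepolicy.cil", ":microdroid_plat_mapping_file"],
    out: ["microdroid_plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) > $(out).tmp && " +
        "sha256sum $(out).tmp > $(out).sum && " +
        "cut -d' ' -f1 $(out).sum > $(out)",
}
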
// Platform-side copy of the policy fingerprint, named
// plat_sepolicy_and_mapping.sha256 under the selinux/ install path.
prebuilt_etc {
    name: "microdroid_plat_sepolicy_and_mapping.sha256",
    src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
    filename: "plat_sepolicy_and_mapping.sha256",
    relative_install_path: "selinux",
    installable: false,
}

// Copy of the same fingerprint that accompanies precompiled_sepolicy. It
// records which platform policy the precompiled binary was built against.
// NOTE(review): src is the same genrule as the platform-side hash file, so the
// two always match within one build. A mismatch can only arise from files
// taken from different builds; confirm that is the case the loader needs to
// detect.
prebuilt_etc {
    name: "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    relative_install_path: "selinux",
    installable: false,
}

// Compiles the platform, mapping, versioned-public and vendor CIL files into
// one binary policy with secilc.
// Flags: -m allows multiple declarations, -M true builds an MLS policy,
// -G expands generated attributes, -c 30 selects policy version 30, and
// -f /dev/null discards the file_contexts output secilc would otherwise write.
// Neverallow checking stays enabled because -N is not passed; keep it that way,
// since this is the last point where neverallow violations fail the build.
// NOTE(review): policy version 30 is hard-coded and must be one the microdroid
// kernel accepts. Confirm whenever the kernel changes.
genrule {
    name: "microdroid_precompiled_sepolicy_gen",
    tools: ["secilc"],
    srcs: [
        ":microdroid_plat_sepolicy.cil",
        ":microdroid_plat_mapping_file",
        ":microdroid_plat_pub_versioned.cil",
        ":microdroid_vendor_sepolicy.cil",
    ],
    out: ["precompiled_sepolicy"],
    cmd: "$(location secilc) -m -M true -G -c 30 $(in) -o $(out) -f /dev/null",
}

// Packages the compiled binary policy as selinux/precompiled_sepolicy.
prebuilt_etc {
    name: "microdroid_precompiled_sepolicy",
    src: ":microdroid_precompiled_sepolicy_gen",
    filename: "precompiled_sepolicy",
    relative_install_path: "selinux",
    installable: false,
}

// Prepares the platform file_contexts: sed strips `#` comments and deletes
// empty lines, then fc_sort orders the entries. `$$` is the genrule escape for
// a literal `$` in the sed expressions.
// NOTE(review): the first sed expression removes everything from the first `#`
// on a line, so a `#` inside a path regex would silently truncate that entry.
// No check of the labels against the compiled policy is visible in this rule.
genrule {
    name: "microdroid_file_contexts.gen",
    srcs: ["system/private/file_contexts"],
    tools: ["fc_sort"],
    out: ["file_contexts"],
    cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
        "$(location fc_sort) -i $(out).tmp -o $(out)",
}

// Packages the sorted platform file_contexts as selinux/plat_file_contexts.
prebuilt_etc {
    name: "microdroid_file_contexts",
    filename: "plat_file_contexts",
    src: ":microdroid_file_contexts.gen",
    relative_install_path: "selinux",
    installable: false,
}

// Prepares the vendor file_contexts with the same sed + fc_sort steps as
// microdroid_file_contexts.gen: strip `#` comments, drop empty lines, sort.
// NOTE(review): no prebuilt_etc that consumes this output is visible in this
// part of the file. Confirm where it is packaged.
genrule {
    name: "microdroid_vendor_file_contexts.gen",
    srcs: ["vendor/file_contexts"],
    tools: ["fc_sort"],
    out: ["file_contexts"],
    cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
        "$(location fc_sort) -i $(out).tmp -o $(out)",
}

// Packages system/private/hwservice_contexts as selinux/plat_hwservice_contexts.
// The source file is copied as-is: this module shows no comment stripping,
// sorting or validation step.
// NOTE(review): confirm that the labels are checked against the compiled
// policy elsewhere in the build.
prebuilt_etc {
    name: "microdroid_hwservice_contexts",
    filename: "plat_hwservice_contexts",
    src: "system/private/hwservice_contexts",
    relative_install_path: "selinux",
    installable: false,
}

// Packages system/private/property_contexts as selinux/plat_property_contexts.
// The source file is copied as-is: this module shows no validation step.
// NOTE(review): a malformed or mislabeled property entry would only surface at
// runtime unless it is checked elsewhere in the build. Confirm.
prebuilt_etc {
    name: "microdroid_property_contexts",
    filename: "plat_property_contexts",
    src: "system/private/property_contexts",
    relative_install_path: "selinux",
    installable: false,
}

// Packages system/private/service_contexts as selinux/plat_service_contexts.
// The source file is copied as-is: this module shows no validation step.
// NOTE(review): confirm that the labels are checked against the compiled
// policy elsewhere in the build.
prebuilt_etc {
    name: "microdroid_service_contexts",
    filename: "plat_service_contexts",
    src: "system/private/service_contexts",
    relative_install_path: "selinux",
    installable: false,
}

// Packages system/private/keystore2_key_contexts as
// selinux/plat_keystore2_key_contexts.
// The source file is copied as-is: this module shows no validation step.
// NOTE(review): these entries label keystore2 key namespaces, so confirm that
// they are checked against the compiled policy elsewhere in the build.
prebuilt_etc {
    name: "microdroid_keystore2_key_contexts",
    filename: "plat_keystore2_key_contexts",
    src: "system/private/keystore2_key_contexts",
    relative_install_path: "selinux",
    installable: false,
}