Migrate mapping files to Android.bp
Bug: 33691272
Test: boot cf && boot microdroid && see precompiled sepolicy works
Change-Id: I92c9cb873506d24b335cc0fd489269df216280be
diff --git a/Android.bp b/Android.bp
index 0e9693a..56d9066 100644
--- a/Android.bp
+++ b/Android.bp
@@ -654,6 +654,111 @@
remove_line_marker: true,
}
+// policy mapping files
+// auto-generate the mapping file for current platform policy, since it needs to
+// track platform policy development
+se_versioned_policy {
+ name: "plat_mapping_file",
+ base: ":plat_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ relative_install_path: "mapping", // install to /system/etc/selinux/mapping
+}
+
+se_versioned_policy {
+ name: "system_ext_mapping_file",
+ base: ":system_ext_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ filter_out: [":plat_mapping_file"],
+ relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
+ system_ext_specific: true,
+}
+
+se_versioned_policy {
+ name: "product_mapping_file",
+ base: ":pub_policy.cil",
+ mapping: true,
+ version: "current",
+ filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
+ relative_install_path: "mapping", // install to /product/etc/selinux/mapping
+ product_specific: true,
+}
+
+// plat_pub_versioned.cil - the exported platform policy associated with the version
+// that non-platform policy targets.
+se_versioned_policy {
+ name: "plat_pub_versioned.cil",
+ base: ":pub_policy.cil",
+ target_policy: ":pub_policy.cil",
+ version: "current",
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ vendor: true,
+}
+
+//////////////////////////////////
+// Precompiled sepolicy is loaded if and only if:
+// - plat_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+// AND
+// - system_ext_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+// AND
+// - product_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+// See system/core/init/selinux.cpp for details.
+//////////////////////////////////
+genrule {
+ name: "plat_sepolicy_and_mapping.sha256_gen",
+ srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
+ out: ["plat_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "plat_sepolicy_and_mapping.sha256",
+ filename: "plat_sepolicy_and_mapping.sha256",
+ src: ":plat_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+genrule {
+ name: "system_ext_sepolicy_and_mapping.sha256_gen",
+ srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
+ out: ["system_ext_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "system_ext_sepolicy_and_mapping.sha256",
+ filename: "system_ext_sepolicy_and_mapping.sha256",
+ src: ":system_ext_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+ system_ext_specific: true,
+}
+
+genrule {
+ name: "product_sepolicy_and_mapping.sha256_gen",
+ srcs: [":product_sepolicy.cil", ":product_mapping_file"],
+ out: ["product_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "product_sepolicy_and_mapping.sha256",
+ filename: "product_sepolicy_and_mapping.sha256",
+ src: ":product_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+ product_specific: true,
+}
+
//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
diff --git a/Android.mk b/Android.mk
index 7c4ddbe..767a864 100644
--- a/Android.mk
+++ b/Android.mk
@@ -758,17 +758,26 @@
built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
+built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
+built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
+built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
+built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
ifdef HAS_PRODUCT_SEPOLICY
built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
+built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
+built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
endif # ifdef HAS_PRODUCT_SEPOLICY
+built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
+built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
+
# b/37755687
CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
@@ -843,122 +852,6 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := plat_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# auto-generate the mapping file for current platform policy, since it needs to
-# track platform policy development
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-
-built_plat_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_MODULE := system_ext_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(system_ext_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil)
- @mkdir -p $(dir $@)
- # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
- # sepolicy minus plat_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
-
-built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
-endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_MODULE := product_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
- @mkdir -p $(dir $@)
- # Generate product mapping file as mapping file of all public sepolicy minus
- # plat_mapping_file and system_ext_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_FILTER_CIL_FILES) -t $@
-
-built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
-endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-# plat_pub_versioned.cil - the exported platform policy associated with the version
-# that non-platform policy targets.
-LOCAL_MODULE := plat_pub_versioned.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
-$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
-$(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
- $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
- $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil)
- @mkdir -p $(dir $@)
- $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-built_pub_vers_cil := $(LOCAL_BUILT_MODULE)
-built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
-
-#################################
-include $(CLEAR_VARS)
-
# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
@@ -1154,52 +1047,6 @@
# precompiled_sepolicy.product_sepolicy_and_mapping.sha256
# See system/core/init/selinux.cpp for details.
#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_system_ext_cil) $(built_system_ext_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
#################################
# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against