Merge "Remove code about mixed sepolicy build" into main
diff --git a/Android.bp b/Android.bp
index cac0748..b0544cf 100644
--- a/Android.bp
+++ b/Android.bp
@@ -359,116 +359,16 @@
product_specific: true,
}
+//////////////////////////////////
// vendor/odm sepolicy
-//
-// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
-// policy files of platform (system, system_ext, product) can't be mixed with
-// policy files of vendor (vendor, odm). If it's the case, platform policies and
-// vendor policies are separately built. More specifically,
-//
-// - Platform policy files needed to build vendor policies, such as plat_policy,
-// plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
-// prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
-//
-// - sepolicy_neverallows only checks platform policies, and a new module
-// sepolicy_neverallows_vendor checks vendor policies.
-//
-// - neverallow checks are turned off while compiling precompiled_sepolicy
-// module and sepolicy module.
-//
-// - Vendor policies are not checked on the compat test (compat.mk).
-//
-// In such scenario, we can grab platform policy files from the prebuilts/api
-// directory. But we need more than that: prebuilts of system_ext, product,
-// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
-// variables are introduced to specify such prebuilts.
-//
-// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
-// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
-// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
-// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
-// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
-// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
-//
-// Vendors are responsible for copying policy files from the old version of the
-// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
-// can be used to build vendor policies.
-//
-// To support both mixed build and normal build, platform policy files are
-// indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
-// to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
-// Otherwise, they will be equal to the Makefile variables above.
-
-plat_public_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.reqd_mask_for_vendor}",
-]
-
-plat_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.plat_private_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.system_ext_private_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.product_private_for_vendor}",
-]
-
-se_policy_conf {
- name: "plat_policy_for_vendor.conf",
- srcs: plat_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "plat_policy_for_vendor.cil",
- src: ":plat_policy_for_vendor.conf",
- additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
- installable: false,
-}
-
-se_policy_conf {
- name: "reqd_policy_mask_for_vendor.conf",
- srcs: [":se_build_files{.reqd_mask_for_vendor}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "reqd_policy_mask_for_vendor.cil",
- src: ":reqd_policy_mask_for_vendor.conf",
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "pub_policy_for_vendor.conf",
- srcs: plat_public_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "pub_policy_for_vendor.cil",
- src: ":pub_policy_for_vendor.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_versioned_policy {
- name: "plat_mapping_file_for_vendor",
- base: ":pub_policy_for_vendor.cil",
- mapping: true,
- version: "vendor",
- installable: false,
-}
+//////////////////////////////////
// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
name: "plat_pub_versioned.cil",
- base: ":pub_policy_for_vendor.cil",
- target_policy: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
+ target_policy: ":pub_policy.cil",
version: "vendor",
vendor: true,
}
@@ -478,8 +378,11 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
],
vendor: true,
@@ -489,7 +392,7 @@
se_policy_cil {
name: "vendor_sepolicy.cil.raw",
src: ":vendor_sepolicy.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
+ filter_out: [":reqd_policy_mask.cil"],
secilc_check: false, // will be done in se_versioned_policy module
vendor: true,
installable: false,
@@ -497,13 +400,15 @@
se_versioned_policy {
name: "vendor_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
target_policy: ":vendor_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
- ":plat_policy_for_vendor.cil",
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
+ ":plat_mapping_file",
],
filter_out: [":plat_pub_versioned.cil"],
vendor: true,
@@ -514,8 +419,11 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
@@ -527,7 +435,7 @@
name: "odm_sepolicy.cil.raw",
src: ":odm_sepolicy.conf",
filter_out: [
- ":reqd_policy_mask_for_vendor.cil",
+ ":reqd_policy_mask.cil",
":vendor_sepolicy.cil",
],
secilc_check: false, // will be done in se_versioned_policy module
@@ -537,13 +445,15 @@
se_versioned_policy {
name: "odm_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
target_policy: ":odm_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
- ":plat_policy_for_vendor.cil",
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
+ ":plat_mapping_file",
":vendor_sepolicy.cil",
],
filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
@@ -701,9 +611,8 @@
name: "precompiled_se_policy_binary",
module_type: "se_policy_binary",
config_namespace: "ANDROID",
- bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
- value_variables: ["MIXED_SEPOLICY_VERSION"],
- properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
+ bool_variables: ["BOARD_USES_ODMIMAGE"],
+ properties: ["vendor", "device_specific"],
}
precompiled_se_policy_binary {
@@ -716,6 +625,9 @@
":product_sepolicy.cil",
":vendor_sepolicy.cil",
":odm_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
@@ -724,27 +636,9 @@
vendor: true,
},
},
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
},
required: [
"sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
],
dist: {
targets: ["base-sepolicy-files-for-mapping"],
@@ -760,6 +654,9 @@
":product_sepolicy.cil",
":vendor_sepolicy.cil",
":odm_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
@@ -768,27 +665,9 @@
vendor: true,
},
},
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
},
required: [
"sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
],
dist: {
targets: ["base-sepolicy-files-for-mapping"],
@@ -798,8 +677,13 @@
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy +
+ product_public_policy +
+ product_private_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
@@ -1003,7 +887,7 @@
se_bug_map {
name: "vendor_bug_map",
- srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor_for_vendor}"],
+ srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor}"],
// Legacy file name of the vendor partition bug_map.
stem: "selinux_denial_metadata",
vendor: true,
@@ -1016,17 +900,11 @@
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
- product_private_policy,
-}
-
-se_neverallow_test {
- name: "sepolicy_neverallows_vendor",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ product_private_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
- vendor: true,
}
//////////////////////////////////
diff --git a/Android.mk b/Android.mk
index d496f1d..b39ee44 100644
--- a/Android.mk
+++ b/Android.mk
@@ -73,12 +73,6 @@
HAS_PRODUCT_SEPOLICY_DIR := true
endif
-ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
-mixed_sepolicy_build := true
-else
-mixed_sepolicy_build :=
-endif
-
NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
@@ -98,21 +92,6 @@
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
-# Set default values for these prebuilt directories
-ifeq (,$(BOARD_REQD_MASK_POLICY))
-BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY)
-endif
-
-ifeq (,$(BOARD_PLAT_VENDOR_POLICY))
-BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY)
-endif
-
-$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \
- $(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\
- BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \
- ) \
-)))
-
###########################################################
# Compute policy files to be used in policy build.
# $(1): files to include
@@ -125,7 +104,7 @@
# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
# $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
@@ -513,7 +492,6 @@
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
-built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index ed92f1a..db028e6 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -103,28 +103,6 @@
b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
- if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
- // vendor uses the same source with plat policy
- b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]
- b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]
- b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]
- b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]
- b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]
- b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]
- b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]
- b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]
- } else {
- // use vendor-supplied plat prebuilts
- b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
- b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
- b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
- b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
- b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
- b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
- b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
- b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
- }
-
// directories used for compat tests and Treble tests
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "public"))
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 5982ae6..f2bb9c0 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -99,7 +99,7 @@
file_contexts {
name: "vendor_file_contexts",
srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
soc_specific: true,
@@ -108,7 +108,7 @@
file_contexts {
name: "vendor_file_contexts.recovery",
srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
stem: "vendor_file_contexts",
@@ -174,9 +174,9 @@
hwservice_contexts {
name: "vendor_hwservice_contexts",
srcs: [
- ":hwservice_contexts_files{.plat_vendor_for_vendor}",
+ ":hwservice_contexts_files{.plat_vendor}",
":hwservice_contexts_files{.vendor}",
- ":hwservice_contexts_files{.reqd_mask_for_vendor}",
+ ":hwservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@@ -216,9 +216,9 @@
property_contexts {
name: "vendor_property_contexts",
srcs: [
- ":property_contexts_files{.plat_vendor_for_vendor}",
+ ":property_contexts_files{.plat_vendor}",
":property_contexts_files{.vendor}",
- ":property_contexts_files{.reqd_mask_for_vendor}",
+ ":property_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@@ -260,9 +260,9 @@
service_contexts {
name: "vendor_service_contexts",
srcs: [
- ":service_contexts_files{.plat_vendor_for_vendor}",
+ ":service_contexts_files{.plat_vendor}",
":service_contexts_files{.vendor}",
- ":service_contexts_files{.reqd_mask_for_vendor}",
+ ":service_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@@ -297,9 +297,9 @@
keystore2_key_contexts {
name: "vendor_keystore2_key_contexts",
srcs: [
- ":keystore2_key_contexts_files{.plat_vendor_for_vendor}",
+ ":keystore2_key_contexts_files{.plat_vendor}",
":keystore2_key_contexts_files{.vendor}",
- ":keystore2_key_contexts_files{.reqd_mask_for_vendor}",
+ ":keystore2_key_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@@ -332,14 +332,14 @@
seapp_contexts {
name: "vendor_seapp_contexts",
srcs: [
- ":seapp_contexts_files{.plat_vendor_for_vendor}",
+ ":seapp_contexts_files{.plat_vendor}",
":seapp_contexts_files{.vendor}",
- ":seapp_contexts_files{.reqd_mask_for_vendor}",
+ ":seapp_contexts_files{.reqd_mask}",
],
neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
],
soc_specific: true,
sepolicy: ":precompiled_sepolicy",
@@ -351,9 +351,9 @@
":seapp_contexts_files{.odm}",
],
neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
],
device_specific: true,
sepolicy: ":precompiled_sepolicy",
@@ -362,9 +362,9 @@
vndservice_contexts {
name: "vndservice_contexts",
srcs: [
- ":vndservice_contexts_files{.plat_vendor_for_vendor}",
+ ":vndservice_contexts_files{.plat_vendor}",
":vndservice_contexts_files{.vendor}",
- ":vndservice_contexts_files{.reqd_mask_for_vendor}",
+ ":vndservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
diff --git a/mac_permissions/Android.bp b/mac_permissions/Android.bp
index 401f78c..16132c6 100644
--- a/mac_permissions/Android.bp
+++ b/mac_permissions/Android.bp
@@ -72,14 +72,14 @@
mac_permissions {
name: "vendor_mac_permissions.xml",
keys: [
- ":keys.conf{.plat_vendor_for_vendor}",
+ ":keys.conf{.plat_vendor}",
":keys.conf{.vendor}",
- ":keys.conf{.reqd_mask_for_vendor}",
+ ":keys.conf{.reqd_mask}",
],
srcs: [
- ":mac_permissions.xml{.plat_vendor_for_vendor}",
+ ":mac_permissions.xml{.plat_vendor}",
":mac_permissions.xml{.vendor}",
- ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ":mac_permissions.xml{.reqd_mask}",
],
vendor: true,
}
@@ -88,11 +88,11 @@
name: "odm_mac_permissions.xml",
keys: [
":keys.conf{.odm}",
- ":keys.conf{.reqd_mask_for_vendor}",
+ ":keys.conf{.reqd_mask}",
],
srcs: [
":mac_permissions.xml{.odm}",
- ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ":mac_permissions.xml{.reqd_mask}",
],
device_specific: true,
}