Reland "Build platform side policy with Soong"
This reverts commit d869d02758a3d711f0092fc48cc506b3d0117f4a.
Reason for revert: fixed breakage
The breakage was due to the difference between plat_sepolicy.conf and
microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with
se_policy_conf module, so it is synced with plat_sepolicy.conf
Test: boot microdroid with and without SANITIZE_TARGET=address
Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
diff --git a/Android.mk b/Android.mk
index 77513a0..7c4ddbe 100644
--- a/Android.mk
+++ b/Android.mk
@@ -741,209 +741,36 @@
endif # ifeq ($(mixed_sepolicy_build),true)
##################################
-# reqd_policy_mask - a policy.conf file which contains only the bare minimum
-# policy necessary to use checkpolicy. This bare-minimum policy needs to be
-# present in all policy.conf files, but should not necessarily be exported as
-# part of the public policy. The rules generated by reqd_policy_mask will allow
-# the compilation of public policy and subsequent removal of CIL policy that
-# should not be exported.
-
-policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
-reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
-$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(reqd_policy_mask.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(reqd_policy_mask.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
-
-reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
-$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
- $(POLICYVERS) -o $@ $<
-
-reqd_policy_mask.conf :=
+# plat policy files are now built with Android.bp. Grab them from intermediate.
+# See Android.bp for details of plat policy files.
+#
+reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
-##################################
-# pub_policy - policy that will be exported to be a part of non-platform
-# policy corresponding to this platform version. This is a limited subset of
-# policy that would not compile in checkpolicy on its own. To get around this
-# limitation, add only the required files from private policy, which will
-# generate CIL policy that will then be filtered out by the reqd_policy_mask.
-#
-# There are three pub_policy.cil files below:
-# - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
-# - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
-# - plat_pub_policy.cil: exported 'system' policy.
-#
-# Those above files will in turn be used to generate the following versioned cil files:
-# - product_mapping_file: the versioned, exported 'product' policy in product partition.
-# - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
-# - plat_mapping_file: the versioned, exported 'system' policy in system partition.
-# - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system'
-# policy in vendor partition.
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-pub_policy.conf := $(intermediates)/pub_policy.conf
-$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-pub_policy.cil := $(intermediates)/pub_policy.cil
-$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf)
-$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
+pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
-pub_policy.conf :=
-
-##################################
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf
-$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(system_ext_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(system_ext_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil
-$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf)
-$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
+system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
-system_ext_pub_policy.conf :=
-
-##################################
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
-$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(plat_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
-$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
-$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
+plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
-plat_pub_policy.conf :=
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# plat_policy.conf - A combination of the private and public platform policy
-# which will ship with the device. The platform will always reflect the most
-# recent platform version and is not currently being attributized.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-plat_policy.conf := $(intermediates)/plat_policy.conf
-$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
- $(hide) mv $@.tmp $@
-
-built_plat_cil := $(LOCAL_BUILT_MODULE)
+built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
-plat_policy.conf :=
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
+built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
+
+ifdef HAS_PRODUCT_SEPOLICY
+built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
+built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
+endif # ifdef HAS_PRODUCT_SEPOLICY
+
+# b/37755687
+CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
#################################
include $(CLEAR_VARS)
@@ -997,128 +824,6 @@
#################################
include $(CLEAR_VARS)
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_MODULE := system_ext_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# system_ext_policy.conf - A combination of the private and public system_ext policy
-# which will ship with the device. System_ext policy is not attributized.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
-system_ext_policy.conf := $(intermediates)/system_ext_policy.conf
-$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(system_ext_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(system_ext_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil)
-$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
- # latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
-
-
-built_system_ext_cil := $(LOCAL_BUILT_MODULE)
-built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
-system_ext_policy.conf :=
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_MODULE := product_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# product_policy.conf - A combination of the private and public product policy
-# which will ship with the device. Product policy is not attributized.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
-product_policy.conf := $(intermediates)/product_policy.conf
-$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(product_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(product_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil)
-$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(built_system_ext_cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL_FILES) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
- # make sure that the latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-
-built_product_cil := $(LOCAL_BUILT_MODULE)
-built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
-product_policy.conf :=
-endif # ifdef HAS_PRODUCT_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
LOCAL_MODULE := plat_sepolicy_vers.txt
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
@@ -1688,38 +1393,6 @@
sepolicy.recovery.conf :=
##################################
-# SELinux policy embedded into CTS.
-# CTS checks neverallow rules of this policy against the policy of the device under test.
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := general_sepolicy.conf
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
-$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_ENFORCE_SYSPROP_OWNER := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
-$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
#
include $(CLEAR_VARS)