Revert "Build platform side policy with Soong"
This reverts commit 7629e86053aed5d5d898bff8c94e60b8fbcb6eda.
Reason for revert: broke build
Change-Id: I97dc1ea78901cab62404780e7ee096ad45c0b21b
diff --git a/Android.bp b/Android.bp
index 80da56b..aca6e40 100644
--- a/Android.bp
+++ b/Android.bp
@@ -493,190 +493,137 @@
],
}
-se_build_files {
- name: "se_build_files",
+// This is a minimized cil modules to test microdroid.
+// TODO(b/178993690): migrate cil files to Android.bp and remove below
+filegroup {
+ name: "microdroid_sepolicy_build_files",
srcs: [
- "security_classes",
- "initial_sids",
- "access_vectors",
- "global_macros",
- "neverallow_macros",
- "mls_macros",
- "mls_decl",
- "mls",
- "policy_capabilities",
- "te_macros",
- "attributes",
- "ioctl_defines",
- "ioctl_macros",
- "*.te",
- "roles_decl",
- "roles",
- "users",
- "initial_sid_contexts",
- "fs_use",
- "genfs_contexts",
- "port_contexts",
+ // This order is important. Should be identical to sepolicy_build_files in Android.mk
+ "private/security_classes",
+ "private/initial_sids",
+ "private/access_vectors",
+ "public/global_macros",
+ "public/neverallow_macros",
+ "private/mls_macros",
+ "private/mls_decl",
+ "private/mls",
+ "private/policy_capabilities",
+ "public/te_macros",
+ "public/attributes",
+ "private/attributes",
+ "public/ioctl_defines",
+ "public/ioctl_macros",
+ "public/*.te",
+ "private/*.te",
+ "private/roles_decl",
+ "public/roles",
+ "private/users",
+ "private/initial_sid_contexts",
+ "private/fs_use",
+ "private/genfs_contexts",
+ "private/port_contexts",
],
}
-// reqd_policy_mask - a policy.conf file which contains only the bare minimum
-// policy necessary to use checkpolicy.
-//
-// This bare-minimum policy needs to be present in all policy.conf files, but
-// should not necessarily be exported as part of the public policy.
-//
-// The rules generated by reqd_policy_mask will allow the compilation of public
-// policy and subsequent removal of CIL policy that should not be exported.
-se_policy_conf {
- name: "reqd_policy_mask.conf",
- srcs: [":se_build_files{.reqd_mask}"],
+filegroup {
+ name: "microdroid_sepolicy_public_and_reqd_mask_build_files",
+ srcs: [
+ // This order is important. Should be identical to sepolicy_build_files in Android.mk
+ "reqd_mask/security_classes",
+ "reqd_mask/initial_sids",
+ "reqd_mask/access_vectors",
+ "public/global_macros",
+ "public/neverallow_macros",
+ "reqd_mask/mls_macros",
+ "reqd_mask/mls_decl",
+ "reqd_mask/mls",
+ "public/te_macros",
+ "public/attributes",
+ "public/ioctl_defines",
+ "public/ioctl_macros",
+ "public/*.te",
+ "reqd_mask/*.te",
+ "reqd_mask/roles_decl",
+ "public/roles",
+ "reqd_mask/roles",
+ "reqd_mask/users",
+ "reqd_mask/initial_sid_contexts",
+ ],
+}
+
+filegroup {
+ name: "microdroid_sepolicy_reqd_mask_build_files",
+ srcs: [
+ // This order is important. Should be identical to sepolicy_build_files in Android.mk
+ "reqd_mask/security_classes",
+ "reqd_mask/initial_sids",
+ "reqd_mask/access_vectors",
+ "reqd_mask/mls_macros",
+ "reqd_mask/mls_decl",
+ "reqd_mask/mls",
+ "reqd_mask/*.te",
+ "reqd_mask/roles_decl",
+ "reqd_mask/roles",
+ "reqd_mask/users",
+ "reqd_mask/initial_sid_contexts",
+ ],
+}
+
+// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch,
+// these configurations should be fine to test microdroid on normal devices with full treble.
+// The exception is target_arch. But as target_arch is meaningful only on mips, and as we are not
+// running microdroid on mips for now, we skip assigning target_arch here. After cil files are fully
+// migrated into Soong, these will have correct values.
+policy_to_conf_flags = "$(location m4) --fatal-warnings " +
+"-D mls_num_sens=1 -D mls_num_cats=1024 " +
+"-D target_build_variant=userdebug " +
+"-D target_with_asan=false " +
+"-D target_with_native_coverage=false " +
+"-D target_full_treble=true " +
+"-D target_compatible_property=true " +
+"-D target_treble_sysprop_neverallow=true " +
+"-D target_enforce_sysprop_owner=true "
+
+genrule {
+ name: "microdroid_plat_sepolicy.cil_gen",
+ srcs: [":microdroid_sepolicy_build_files"],
+ tools: ["m4", "checkpolicy"],
+ out: ["plat_sepolicy.cil"],
+ cmd: policy_to_conf_flags +
+ "-s $(locations :microdroid_sepolicy_build_files) > $(out).conf" +
+ "&& $(location checkpolicy) -M -C -c 30 -o $(out) $(out).conf",
+ visibility: ["//visibility:private"],
+}
+
+prebuilt_etc {
+ name: "microdroid_plat_sepolicy.cil",
+ src: ":microdroid_plat_sepolicy.cil_gen",
+ filename: "plat_sepolicy.cil",
+ relative_install_path: "selinux",
installable: false,
}
-se_policy_cil {
- name: "reqd_policy_mask.cil",
- src: ":reqd_policy_mask.conf",
- secilc_check: false,
- installable: false,
+genrule {
+ name: "microdroid_reqd_policy_mask.cil_gen",
+ srcs: [":microdroid_sepolicy_reqd_mask_build_files"],
+ tools: ["m4", "checkpolicy"],
+ out: ["reqd_policy_mask.cil"],
+ cmd: policy_to_conf_flags +
+ "-s $(in) > $(out).conf" +
+ "&& $(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf",
+ visibility: ["//visibility:private"],
}
-// pub_policy - policy that will be exported to be a part of non-platform
-// policy corresponding to this platform version.
-//
-// This is a limited subset of policy that would not compile in checkpolicy on
-// its own.
-//
-// To get around this limitation, add only the required files from private
-// policy, which will generate CIL policy that will then be filtered out by the
-// reqd_policy_mask.
-//
-// There are three pub_policy.cil files below:
-// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
-// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
-// - plat_pub_policy.cil: exported 'system' policy.
-//
-// Those above files will in turn be used to generate the following versioned cil files:
-// - product_mapping_file: the versioned, exported 'product' policy in product partition.
-// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
-// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
-// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
-// in vendor partition.
-//
-se_policy_conf {
- name: "pub_policy.conf",
- srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
- installable: false,
-}
-
-se_policy_cil {
- name: "pub_policy.cil",
- src: ":pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "system_ext_pub_policy.conf",
- srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
- installable: false,
-}
-
-se_policy_cil {
- name: "system_ext_pub_policy.cil",
- src: ":system_ext_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "plat_pub_policy.conf",
- srcs: [":se_build_files{.plat_public}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "plat_pub_policy.cil",
- src: ":plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
-}
-
-// plat_policy.conf - A combination of the private and public platform policy
-// which will ship with the device.
-//
-// The platform will always reflect the most recent platform version and is not
-// currently being attributized.
-se_policy_conf {
- name: "plat_sepolicy.conf",
- srcs: [":se_build_files{.plat}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "plat_sepolicy.cil",
- src: ":plat_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
-}
-
-// system_ext_policy.conf - A combination of the private and public system_ext
-// policy which will ship with the device. System_ext policy is not attributized
-se_policy_conf {
- name: "system_ext_sepolicy.conf",
- srcs: [":se_build_files{.system_ext}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "system_ext_sepolicy.cil",
- src: ":system_ext_sepolicy.conf",
- system_ext_specific: true,
- filter_out: [":plat_sepolicy.cil"],
- remove_line_marker: true,
-}
-
-// product_policy.conf - A combination of the private and public product policy
-// which will ship with the device. Product policy is not attributized
-se_policy_conf {
- name: "product_sepolicy.conf",
- srcs: [":se_build_files{.product}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "product_sepolicy.cil",
- src: ":product_sepolicy.conf",
- product_specific: true,
- filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
- remove_line_marker: true,
-}
-
-//////////////////////////////////
-// SELinux policy embedded into CTS.
-// CTS checks neverallow rules of this policy against the policy of the device under test.
-//////////////////////////////////
-se_policy_conf {
- name: "general_sepolicy.conf",
- srcs: [":se_build_files{.plat}"],
- build_variant: "user",
- cts: true,
- exclude_build_test: true,
-}
-
-//////////////////////////////////
-// modules for microdroid
-// TODO(b/178993690): migrate Android.mk to Android.bp and remove below
-//////////////////////////////////
genrule {
name: "microdroid_plat_mapping_file_gen",
- srcs: [":plat_pub_policy.cil", ":reqd_policy_mask.cil"],
- tools: ["build_sepolicy", "version_policy"],
+ srcs: [":microdroid_sepolicy_public_and_reqd_mask_build_files", ":microdroid_reqd_policy_mask.cil_gen"],
+ tools: ["m4", "checkpolicy", "build_sepolicy", "version_policy"],
out: ["10000.0.cil"],
- cmd: "$(location build_sepolicy) filter_out -f $(location :reqd_policy_mask.cil) -t $(location :plat_pub_policy.cil)" +
- "&& $(location version_policy) -b $(location :plat_pub_policy.cil) -m -n 10000.0 -o $(out)",
+ cmd: policy_to_conf_flags +
+ "-s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf" +
+ "&& $(location checkpolicy) -M -C -c 30 -o $(out).pub $(out).conf" +
+ "&& $(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out).pub" +
+ "&& $(location version_policy) -b $(out).pub -m -n 10000.0 -o $(out)",
visibility: ["//visibility:private"],
}
@@ -688,27 +635,32 @@
installable: false,
}
-// Normally plat_pub_versioned.cil is built from pub_policy.cil (including system_ext and product).
-// But microdroid only has system, so its plat_pub_versioned.cil uses plat_pub_policy.cil.
+///////////////////////////////////////////////////////////////////
genrule {
- name: "microdroid_plat_pub_versioned.cil_gen",
- srcs: [":plat_pub_policy.cil"],
- tools: ["version_policy"],
- out: ["plat_pub_versioned.cil"],
- cmd: "$(location version_policy) " +
- "-b $(location :plat_pub_policy.cil) " +
- "-t $(location :plat_pub_policy.cil) " +
- "-n 10000.0 " +
- "-o $(out)",
+ name: "microdroid_pub_policy.cil_gen",
+ srcs: [
+ ":microdroid_sepolicy_public_and_reqd_mask_build_files",
+ ":microdroid_reqd_policy_mask.cil_gen",
+ ],
+ tools: ["m4", "checkpolicy", "build_sepolicy"],
+ out: ["pub_policy.cil"],
+ cmd: policy_to_conf_flags + " -s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf && " +
+ "$(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf && " +
+ "$(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out)",
visibility: ["//visibility:private"],
}
-prebuilt_etc {
- name: "microdroid_plat_pub_versioned.cil",
- src: ":microdroid_plat_pub_versioned.cil_gen",
- filename: "plat_pub_versioned.cil",
- relative_install_path: "selinux",
- installable: false,
+genrule {
+ name: "microdroid_plat_pub_versioned.cil_gen",
+ srcs: [":microdroid_pub_policy.cil_gen"],
+ tools: ["version_policy"],
+ out: ["plat_pub_versioned.cil"],
+ cmd: "$(location version_policy) " +
+ "-b $(location :microdroid_pub_policy.cil_gen) " +
+ "-t $(location :microdroid_pub_policy.cil_gen) " +
+ "-n 10000.0 " +
+ "-o $(out)",
+ visibility: ["//visibility:private"],
}
filegroup {
@@ -737,28 +689,13 @@
],
}
-// These variables are based on aosp_cf_x86_64_only_phone-userdebug. Other than target_arch,
-// these configurations should be fine to test microdroid on normal devices with full treble.
-// The exception is target_arch. But as target_arch is meaningful only on mips, and as we are not
-// running microdroid on mips for now, we skip assigning target_arch here. After cil files are fully
-// migrated into Soong, these will have correct values.
-policy_to_conf_flags = "$(location m4) --fatal-warnings " +
-"-D mls_num_sens=1 -D mls_num_cats=1024 " +
-"-D target_build_variant=userdebug " +
-"-D target_with_asan=false " +
-"-D target_with_native_coverage=false " +
-"-D target_full_treble=true " +
-"-D target_compatible_property=true " +
-"-D target_treble_sysprop_neverallow=true " +
-"-D target_enforce_sysprop_owner=true "
-
genrule {
name: "microdroid_vendor_sepolicy.cil_gen",
srcs: [
":microdroid_vendor_sepolicy_build_files",
":microdroid_plat_pub_versioned.cil_gen",
- ":pub_policy.cil",
- ":reqd_policy_mask.cil",
+ ":microdroid_pub_policy.cil_gen",
+ ":microdroid_reqd_policy_mask.cil_gen",
],
tools: [
"m4",
@@ -774,9 +711,9 @@
"build_cil " +
"--input_policy_conf $(out).conf " +
"--checkpolicy_env ASAN_OPTIONS=detect_leaks=0 " +
- "--base_policy $(location :pub_policy.cil) " +
+ "--base_policy $(location :microdroid_pub_policy.cil_gen) " +
"--filter_out_files $(location :microdroid_plat_pub_versioned.cil_gen) " +
- "--reqd_mask $(location :reqd_policy_mask.cil) " +
+ "--reqd_mask $(location :microdroid_reqd_policy_mask.cil_gen) " +
"--treble_sepolicy_vers 10000.0 " +
"--policy_vers 30 " +
"--output_cil $(out)",
@@ -790,3 +727,38 @@
relative_install_path: "selinux",
installable: false,
}
+
+prebuilt_etc {
+ name: "microdroid_plat_pub_versioned.cil",
+ src: ":microdroid_plat_pub_versioned.cil_gen",
+ filename: "plat_pub_versioned.cil",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+se_build_files {
+ name: "se_build_files",
+ srcs: [
+ "security_classes",
+ "initial_sids",
+ "access_vectors",
+ "global_macros",
+ "neverallow_macros",
+ "mls_macros",
+ "mls_decl",
+ "mls",
+ "policy_capabilities",
+ "te_macros",
+ "attributes",
+ "ioctl_defines",
+ "ioctl_macros",
+ "*.te",
+ "roles_decl",
+ "roles",
+ "users",
+ "initial_sid_contexts",
+ "fs_use",
+ "genfs_contexts",
+ "port_contexts",
+ ],
+}
diff --git a/Android.mk b/Android.mk
index 7c4ddbe..77513a0 100644
--- a/Android.mk
+++ b/Android.mk
@@ -741,37 +741,210 @@
endif # ifeq ($(mixed_sepolicy_build),true)
##################################
-# plat policy files are now built with Android.bp. Grab them from intermediate.
-# See Android.bp for details of plat policy files.
-#
-reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
-reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
+# reqd_policy_mask - a policy.conf file which contains only the bare minimum
+# policy necessary to use checkpolicy. This bare-minimum policy needs to be
+# present in all policy.conf files, but should not necessarily be exported as
+# part of the public policy. The rules generated by reqd_policy_mask will allow
+# the compilation of public policy and subsequent removal of CIL policy that
+# should not be exported.
-pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
-pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
-
-system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
-system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
-
-plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
-plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
-
-built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
-
-ifdef HAS_PRODUCT_SEPOLICY
-built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
-endif # ifdef HAS_PRODUCT_SEPOLICY
-
+policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
+reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
+$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(reqd_policy_mask.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(reqd_policy_mask.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
# b/37755687
CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
+reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
+$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
+ $(POLICYVERS) -o $@ $<
+
+reqd_policy_mask.conf :=
+reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
+
+##################################
+# pub_policy - policy that will be exported to be a part of non-platform
+# policy corresponding to this platform version. This is a limited subset of
+# policy that would not compile in checkpolicy on its own. To get around this
+# limitation, add only the required files from private policy, which will
+# generate CIL policy that will then be filtered out by the reqd_policy_mask.
+#
+# There are three pub_policy.cil files below:
+# - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
+# - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
+# - plat_pub_policy.cil: exported 'system' policy.
+#
+# Those above files will in turn be used to generate the following versioned cil files:
+# - product_mapping_file: the versioned, exported 'product' policy in product partition.
+# - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
+# - plat_mapping_file: the versioned, exported 'system' policy in system partition.
+# - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system'
+# policy in vendor partition.
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+pub_policy.conf := $(intermediates)/pub_policy.conf
+$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(pub_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+pub_policy.cil := $(intermediates)/pub_policy.cil
+$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf)
+$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
+
+pub_policy.conf :=
+
+##################################
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf
+$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(system_ext_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(system_ext_pub_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+
+system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil
+$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf)
+$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
+
+system_ext_pub_policy.conf :=
+
+##################################
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
+$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(plat_pub_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+
+plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
+$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
+$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
+
+plat_pub_policy.conf :=
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# plat_policy.conf - A combination of the private and public platform policy
+# which will ship with the device. The platform will always reflect the most
+# recent platform version and is not currently being attributized.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+plat_policy.conf := $(intermediates)/plat_policy.conf
+$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(plat_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+ $(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@.tmp $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+ $(hide) mv $@.tmp $@
+
+built_plat_cil := $(LOCAL_BUILT_MODULE)
+built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
+plat_policy.conf :=
+
#################################
include $(CLEAR_VARS)
@@ -824,6 +997,128 @@
#################################
include $(CLEAR_VARS)
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_MODULE := system_ext_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# system_ext_policy.conf - A combination of the private and public system_ext policy
+# which will ship with the device. System_ext policy is not attributized.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+ $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
+system_ext_policy.conf := $(intermediates)/system_ext_policy.conf
+$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(system_ext_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(system_ext_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil)
+$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_CIL) -t $@
+ # Line markers (denoted by ;;) are malformed after above cmd. They are only
+ # used for debugging, so we remove them.
+ $(hide) grep -v ';;' $@ > $@.tmp
+ $(hide) mv $@.tmp $@
+ # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
+ # latter doesn't accidentally depend on vendor/odm policies.
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+ $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
+
+
+built_system_ext_cil := $(LOCAL_BUILT_MODULE)
+built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
+system_ext_policy.conf :=
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
+
+#################################
+include $(CLEAR_VARS)
+
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_MODULE := product_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# product_policy.conf - A combination of the private and public product policy
+# which will ship with the device. Product policy is not attributized.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+ $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+product_policy.conf := $(intermediates)/product_policy.conf
+$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(product_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(product_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil)
+$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(built_system_ext_cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_CIL_FILES) -t $@
+ # Line markers (denoted by ;;) are malformed after above cmd. They are only
+ # used for debugging, so we remove them.
+ $(hide) grep -v ';;' $@ > $@.tmp
+ $(hide) mv $@.tmp $@
+ # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
+ # make sure that the latter doesn't accidentally depend on vendor/odm policies.
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+ $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
+
+
+built_product_cil := $(LOCAL_BUILT_MODULE)
+built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
+product_policy.conf :=
+endif # ifdef HAS_PRODUCT_SEPOLICY
+
+#################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := plat_sepolicy_vers.txt
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
@@ -1393,6 +1688,38 @@
sepolicy.recovery.conf :=
##################################
+# SELinux policy embedded into CTS.
+# CTS checks neverallow rules of this policy against the policy of the device under test.
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := general_sepolicy.conf
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
+$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_ENFORCE_SYSPROP_OWNER := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
+$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
+$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
#
include $(CLEAR_VARS)