// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
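// Every module in this package uses the license declared below unless it
// overrides it with its own 'licenses' property.
package {
    default_applicable_licenses: ["system_sepolicy_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'filegroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// http://go/android-license-faq
license {
    name: "system_sepolicy_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}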
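// Shared cflags that define SEPOLICY_VERSION=30 for C/C++ modules that list
// these defaults.
// NOTE(review): presumably this is the binary policy format version and is
// unrelated to the "30.0" platform compat version used by the mapping modules
// in this file -- confirm against the consumers of the macro before bumping
// either value.
cc_defaults {
    name: "selinux_policy_version",
    cflags: ["-DSEPOLICY_VERSION=30"],
}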
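// Source file groups for the per-release compatibility policy, one set per
// supported release (26.0 through 30.0).
//
// <ver>.board.compat.map -> compat/<ver>/<ver>.cil
//     Used as bottom_half by the plat_/system_ext_/product_ <ver>.cil
//     se_cil_compat_map modules in this file.
se_filegroup {
    name: "26.0.board.compat.map",
    srcs: [
        "compat/26.0/26.0.cil",
    ],
}

se_filegroup {
    name: "27.0.board.compat.map",
    srcs: [
        "compat/27.0/27.0.cil",
    ],
}

se_filegroup {
    name: "28.0.board.compat.map",
    srcs: [
        "compat/28.0/28.0.cil",
    ],
}

se_filegroup {
    name: "29.0.board.compat.map",
    srcs: [
        "compat/29.0/29.0.cil",
    ],
}

se_filegroup {
    name: "30.0.board.compat.map",
    srcs: [
        "compat/30.0/30.0.cil",
    ],
}

// <ver>.board.compat.cil -> compat/<ver>/<ver>.compat.cil
//     Used as srcs by the <ver>.compat.cil se_compat_cil modules in this file.
se_filegroup {
    name: "26.0.board.compat.cil",
    srcs: [
        "compat/26.0/26.0.compat.cil",
    ],
}

se_filegroup {
    name: "27.0.board.compat.cil",
    srcs: [
        "compat/27.0/27.0.compat.cil",
    ],
}

se_filegroup {
    name: "28.0.board.compat.cil",
    srcs: [
        "compat/28.0/28.0.compat.cil",
    ],
}

se_filegroup {
    name: "29.0.board.compat.cil",
    srcs: [
        "compat/29.0/29.0.compat.cil",
    ],
}

se_filegroup {
    name: "30.0.board.compat.cil",
    srcs: [
        "compat/30.0/30.0.compat.cil",
    ],
}

// <ver>.board.ignore.map -> compat/<ver>/<ver>.ignore.cil
//     Used as bottom_half by the <ver>.ignore.cil se_cil_compat_map modules in
//     this file.
se_filegroup {
    name: "26.0.board.ignore.map",
    srcs: [
        "compat/26.0/26.0.ignore.cil",
    ],
}

se_filegroup {
    name: "27.0.board.ignore.map",
    srcs: [
        "compat/27.0/27.0.ignore.cil",
    ],
}

se_filegroup {
    name: "28.0.board.ignore.map",
    srcs: [
        "compat/28.0/28.0.ignore.cil",
    ],
}

se_filegroup {
    name: "29.0.board.ignore.map",
    srcs: [
        "compat/29.0/29.0.ignore.cil",
    ],
}

se_filegroup {
    name: "30.0.board.ignore.map",
    srcs: [
        "compat/30.0/30.0.ignore.cil",
    ],
}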
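// Versioned mapping files, built once per partition (system, system_ext,
// product).
//
// Each module takes the release's own mapping source as bottom_half and names
// the next release's module as top_half, so the modules form a chain
// 26.0 -> 27.0 -> 28.0 -> 29.0 -> 30.0. The 30.0 entries are the end of the
// chain: their top_half is commented out until a 31.0 module exists.
//
// NOTE(review): these files decide which current platform types an older
// vendor policy is mapped onto, so a change to a bottom_half source presumably
// changes what vendor domains may access -- review mapping changes as policy
// changes, not as build plumbing.

// System partition variants.
se_cil_compat_map {
    name: "plat_26.0.cil",
    stem: "26.0.cil",
    bottom_half: [":26.0.board.compat.map"],
    top_half: "plat_27.0.cil",
}

se_cil_compat_map {
    name: "plat_27.0.cil",
    stem: "27.0.cil",
    bottom_half: [":27.0.board.compat.map"],
    top_half: "plat_28.0.cil",
}

se_cil_compat_map {
    name: "plat_28.0.cil",
    stem: "28.0.cil",
    bottom_half: [":28.0.board.compat.map"],
    top_half: "plat_29.0.cil",
}

se_cil_compat_map {
    name: "plat_29.0.cil",
    stem: "29.0.cil",
    bottom_half: [":29.0.board.compat.map"],
    top_half: "plat_30.0.cil",
}

se_cil_compat_map {
    name: "plat_30.0.cil",
    stem: "30.0.cil",
    bottom_half: [":30.0.board.compat.map"],
    // top_half: "plat_31.0.cil",
}

// system_ext partition variants. They reuse the same bottom_half sources as
// the plat_ modules and differ only in name, top_half and
// system_ext_specific.
se_cil_compat_map {
    name: "system_ext_26.0.cil",
    stem: "26.0.cil",
    bottom_half: [":26.0.board.compat.map"],
    top_half: "system_ext_27.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_27.0.cil",
    stem: "27.0.cil",
    bottom_half: [":27.0.board.compat.map"],
    top_half: "system_ext_28.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_28.0.cil",
    stem: "28.0.cil",
    bottom_half: [":28.0.board.compat.map"],
    top_half: "system_ext_29.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_29.0.cil",
    stem: "29.0.cil",
    bottom_half: [":29.0.board.compat.map"],
    top_half: "system_ext_30.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_30.0.cil",
    stem: "30.0.cil",
    bottom_half: [":30.0.board.compat.map"],
    // top_half: "system_ext_31.0.cil",
    system_ext_specific: true,
}

// product partition variants, same layout with product_specific.
se_cil_compat_map {
    name: "product_26.0.cil",
    stem: "26.0.cil",
    bottom_half: [":26.0.board.compat.map"],
    top_half: "product_27.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_27.0.cil",
    stem: "27.0.cil",
    bottom_half: [":27.0.board.compat.map"],
    top_half: "product_28.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_28.0.cil",
    stem: "28.0.cil",
    bottom_half: [":28.0.board.compat.map"],
    top_half: "product_29.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_29.0.cil",
    stem: "29.0.cil",
    bottom_half: [":29.0.board.compat.map"],
    top_half: "product_30.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_30.0.cil",
    stem: "30.0.cil",
    bottom_half: [":30.0.board.compat.map"],
    // top_half: "product_31.0.cil",
    product_specific: true,
}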
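// Ignore maps, chained by top_half in the same way as the mapping files:
// 26.0 -> 27.0 -> 28.0 -> 29.0 -> 30.0, with the 30.0 top_half commented out.
// These modules set no stem.
se_cil_compat_map {
    name: "26.0.ignore.cil",
    bottom_half: [":26.0.board.ignore.map"],
    top_half: "27.0.ignore.cil",
}

se_cil_compat_map {
    name: "27.0.ignore.cil",
    bottom_half: [":27.0.board.ignore.map"],
    top_half: "28.0.ignore.cil",
}

se_cil_compat_map {
    name: "28.0.ignore.cil",
    bottom_half: [":28.0.board.ignore.map"],
    top_half: "29.0.ignore.cil",
}

se_cil_compat_map {
    name: "29.0.ignore.cil",
    bottom_half: [":29.0.board.ignore.map"],
    top_half: "30.0.ignore.cil",
}

se_cil_compat_map {
    name: "30.0.ignore.cil",
    bottom_half: [":30.0.board.ignore.map"],
    // top_half: "31.0.ignore.cil",
}

// system_ext and product ignore maps exist only for 30.0 in this file; both
// take the same bottom_half as 30.0.ignore.cil.
se_cil_compat_map {
    name: "system_ext_30.0.ignore.cil",
    bottom_half: [":30.0.board.ignore.map"],
    // top_half: "system_ext_31.0.ignore.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "product_30.0.ignore.cil",
    bottom_half: [":30.0.board.ignore.map"],
    // top_half: "product_31.0.ignore.cil",
    product_specific: true,
}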
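// Per-release compat CIL, built from the <ver>.board.compat.cil file groups.
// The first five modules carry no partition flag and no stem.
se_compat_cil {
    name: "26.0.compat.cil",
    srcs: [":26.0.board.compat.cil"],
}

se_compat_cil {
    name: "27.0.compat.cil",
    srcs: [":27.0.board.compat.cil"],
}

se_compat_cil {
    name: "28.0.compat.cil",
    srcs: [":28.0.board.compat.cil"],
}

se_compat_cil {
    name: "29.0.compat.cil",
    srcs: [":29.0.board.compat.cil"],
}

se_compat_cil {
    name: "30.0.compat.cil",
    srcs: [":30.0.board.compat.cil"],
}

// system_ext variants: same srcs, marked system_ext_specific. The stem keeps
// the output file name identical to the un-prefixed module's name even though
// the module name carries the system_ext_ prefix.
se_compat_cil {
    name: "system_ext_26.0.compat.cil",
    srcs: [":26.0.board.compat.cil"],
    stem: "26.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_27.0.compat.cil",
    srcs: [":27.0.board.compat.cil"],
    stem: "27.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_28.0.compat.cil",
    srcs: [":28.0.board.compat.cil"],
    stem: "28.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_29.0.compat.cil",
    srcs: [":29.0.board.compat.cil"],
    stem: "29.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_30.0.compat.cil",
    srcs: [":30.0.board.compat.cil"],
    stem: "30.0.compat.cil",
    system_ext_specific: true,
}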
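// File groups naming the labeling-database sources. Each group is consumed by
// the *_contexts modules of the matching kind in this file; the asan and
// overlayfs groups are only added to plat_file_contexts under the
// corresponding product variables.
se_filegroup {
    name: "file_contexts_files",
    srcs: ["file_contexts"],
}

se_filegroup {
    name: "file_contexts_asan_files",
    srcs: ["file_contexts_asan"],
}

se_filegroup {
    name: "file_contexts_overlayfs_files",
    srcs: ["file_contexts_overlayfs"],
}

se_filegroup {
    name: "hwservice_contexts_files",
    srcs: ["hwservice_contexts"],
}

se_filegroup {
    name: "property_contexts_files",
    srcs: ["property_contexts"],
}

se_filegroup {
    name: "service_contexts_files",
    srcs: ["service_contexts"],
}

se_filegroup {
    name: "keystore2_key_contexts_files",
    srcs: ["keystore2_key_contexts"],
}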
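// file_contexts for each partition. Every variant lists the same
// :file_contexts_files group and is told apart by its partition flag.
// NOTE(review): presumably se_filegroup resolves that one name to a different
// set of files per partition -- confirm in the sepolicy Soong plugin.

// System partition. Extra sources are added only under specific build
// settings:
//   - address_sanitize: the asan file contexts,
//   - debuggable: the overlayfs file contexts, so these labels are not part of
//     non-debuggable builds,
//   - flatten_apex: the per-APEX file contexts matched by the glob.
file_contexts {
    name: "plat_file_contexts",
    srcs: [":file_contexts_files"],
    product_variables: {
        address_sanitize: {
            srcs: [":file_contexts_asan_files"],
        },
        debuggable: {
            srcs: [":file_contexts_overlayfs_files"],
        },
    },

    flatten_apex: {
        srcs: ["apex/*-file_contexts"],
    },

    recovery_available: true,
}

file_contexts {
    name: "vendor_file_contexts",
    srcs: [":file_contexts_files"],
    soc_specific: true,
    recovery_available: true,
}

file_contexts {
    name: "system_ext_file_contexts",
    srcs: [":file_contexts_files"],
    system_ext_specific: true,
    recovery_available: true,
}

file_contexts {
    name: "product_file_contexts",
    srcs: [":file_contexts_files"],
    product_specific: true,
    recovery_available: true,
}

file_contexts {
    name: "odm_file_contexts",
    srcs: [":file_contexts_files"],
    device_specific: true,
    recovery_available: true,
}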
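// hwservice_contexts for each partition. Only the vendor variant sets
// reqd_mask.
// NOTE(review): reqd_mask presumably adds the minimal required-mask entries to
// the vendor build -- confirm in the sepolicy Soong plugin.
hwservice_contexts {
    name: "plat_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
}

hwservice_contexts {
    name: "system_ext_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    system_ext_specific: true,
}

hwservice_contexts {
    name: "product_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    product_specific: true,
}

hwservice_contexts {
    name: "vendor_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
}

hwservice_contexts {
    name: "odm_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    device_specific: true,
}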
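// property_contexts for each partition. All variants are also available to
// recovery; only the vendor variant sets reqd_mask.
property_contexts {
    name: "plat_property_contexts",
    srcs: [":property_contexts_files"],
    recovery_available: true,
}

property_contexts {
    name: "system_ext_property_contexts",
    srcs: [":property_contexts_files"],
    system_ext_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "product_property_contexts",
    srcs: [":property_contexts_files"],
    product_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "vendor_property_contexts",
    srcs: [":property_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "odm_property_contexts",
    srcs: [":property_contexts_files"],
    device_specific: true,
    recovery_available: true,
}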
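// service_contexts for the system, system_ext, product and vendor partitions.
// No odm variant is declared here. Only the vendor variant sets reqd_mask.
service_contexts {
    name: "plat_service_contexts",
    srcs: [":service_contexts_files"],
}

service_contexts {
    name: "system_ext_service_contexts",
    srcs: [":service_contexts_files"],
    system_ext_specific: true,
}

service_contexts {
    name: "product_service_contexts",
    srcs: [":service_contexts_files"],
    product_specific: true,
}

service_contexts {
    name: "vendor_service_contexts",
    srcs: [":service_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
}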
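// keystore2_key_contexts for the system, system_ext, product and vendor
// partitions.
keystore2_key_contexts {
    name: "plat_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
}

// NOTE(review): this module is system_ext_specific but is named "system_..."
// rather than "system_ext_..." like the other system_ext variants in this
// file. The name is kept because other modules may reference it; take care not
// to mistake it for the system-partition variant, which is
// plat_keystore2_key_contexts.
keystore2_key_contexts {
    name: "system_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
    system_ext_specific: true,
}

keystore2_key_contexts {
    name: "product_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
    product_specific: true,
}

keystore2_key_contexts {
    name: "vendor_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
}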
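// For vts_treble_sys_prop_test.
// Exposes the private property_contexts source; visibility restricts its use
// to the one test package listed below.
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}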
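// The policy source files that feed every se_policy_conf module in this file.
// Consumers select a subset with a tag such as {.plat}, {.plat_public},
// {.system_ext}, {.product} or {.reqd_mask}.
// NOTE(review): the order of this list presumably is the order in which the
// files are assembled into policy.conf (declarations before the *.te rules
// that use them) -- confirm before reordering.
se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}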
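// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
// This bare-minimum policy needs to be present in all policy.conf files, but
// should not necessarily be exported as part of the public policy.
//
// The rules generated by reqd_policy_mask will allow the compilation of public
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    srcs: [":se_build_files{.reqd_mask}"],
    installable: false,
}

// Build-only intermediate (installable: false), used as filter_out by the
// *pub_policy.cil modules in this file.
// NOTE(review): secilc_check: false presumably skips the build-time secilc
// check because this fragment is not a complete policy -- confirm.
se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    secilc_check: false,
    installable: false,
}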
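// pub_policy - policy that will be exported to be a part of non-platform
// policy corresponding to this platform version.
//
// This is a limited subset of policy that would not compile in checkpolicy on
// its own.
//
// To get around this limitation, add only the required files from private
// policy, which will generate CIL policy that will then be filtered out by the
// reqd_policy_mask.
//
// There are three pub_policy.cil files below:
//   - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
//   - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
//   - plat_pub_policy.cil: exported 'system' policy.
//
// Those above files will in turn be used to generate the following versioned cil files:
//   - product_mapping_file: the versioned, exported 'product' policy in product partition.
//   - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
//   - plat_mapping_file: the versioned, exported 'system' policy in system partition.
//   - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
//     in vendor partition.
//
// All six modules below are build-only intermediates (installable: false).
// Each .cil module removes the reqd_policy_mask rules through filter_out and
// sets secilc_check: false.
// NOTE(review): presumably the secilc check is off because the filtered public
// policy is not expected to compile on its own -- confirm that the installed
// artifacts derived from these files are still checked.
se_policy_conf {
    name: "pub_policy.conf",
    srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
    installable: false,
}

se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
    installable: false,
}

se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

se_policy_conf {
    name: "plat_pub_policy.conf",
    srcs: [":se_build_files{.plat_public}"],
    installable: false,
}

se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}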
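// plat_sepolicy.conf - A combination of the private and public platform policy
// which will ship with the device.
//
// The platform will always reflect the most recent platform version and is not
// currently being attributized.
se_policy_conf {
    name: "plat_sepolicy.conf",
    srcs: [":se_build_files{.plat}"],
    installable: false,
}

// The installed platform policy. private/technical_debt.cil is hand-written
// CIL added next to the CIL generated from the .conf file.
// NOTE(review): rules in that file do not go through the .te sources, so
// review changes to it with the same care as changes to the .te files.
se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
}

// userdebug_plat_sepolicy.conf - the userdebug version of plat_sepolicy.conf.
// Built from the same {.plat} sources with build_variant forced to
// "userdebug", whatever the variant of the build itself.
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    srcs: [":se_build_files{.plat}"],
    build_variant: "userdebug",
    installable: false,
}

// NOTE(review): a userdebug policy is presumably more permissive than the user
// policy. debug_ramdisk: true targets the debug ramdisk rather than a regular
// partition; confirm that this file cannot end up in the images of a user
// build and that it is only loaded when the debug ramdisk is in use.
se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    debug_ramdisk: true,
}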
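// system_ext_sepolicy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    srcs: [":se_build_files{.system_ext}"],
    installable: false,
}

// filter_out removes what plat_sepolicy.cil already contains, so this file
// holds only the system_ext additions.
se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    filter_out: [":plat_sepolicy.cil"],
    remove_line_marker: true,
}

// product_sepolicy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized
se_policy_conf {
    name: "product_sepolicy.conf",
    srcs: [":se_build_files{.product}"],
    installable: false,
}

// filter_out removes what the platform and system_ext policies already
// contain, so this file holds only the product additions.
se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
    remove_line_marker: true,
}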
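// policy mapping files
// auto-generate the mapping file for current platform policy, since it needs to
// track platform policy development
//
// Each partition's mapping file is generated from that partition's exported
// policy; system_ext and product filter out what the lower partitions already
// provide.
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
}

se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}

se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}

// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
// Installed on the vendor side (vendor: true). dependent_cils lists the
// platform, system_ext and product policies and mapping files it is built
// against.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy.cil",
    target_policy: ":pub_policy.cil",
    version: "current",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    vendor: true,
}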
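//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
// AND
// - system_ext_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
// AND
// - product_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
//
// NOTE(review): as far as this file shows, the digests are a consistency check
// (does the precompiled policy match the split policy on the device?), not an
// authenticity check: nothing here signs them. Their integrity presumably
// rests on the verification of the partitions that hold them -- confirm
// against system/core/init/selinux.cpp.
//
// Each genrule hashes the concatenation of its srcs, in srcs order and with no
// separator between the files, and keeps only the hex digest. The order of
// srcs is therefore part of the hashed value.
// NOTE(review): the cmd is a pipeline, whose exit status is that of its last
// command unless the shell running it enables pipefail; confirm how Soong runs
// genrule commands so that a failing `cat` cannot yield the digest of partial
// input.
genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
    out: ["plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}

genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [":product_sepolicy.cil", ":product_mapping_file"],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}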
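// Version file installed on the vendor side (vendor: true).
// NOTE(review): version: "vendor" presumably selects the sepolicy version the
// vendor image targets rather than a literal string -- confirm in the
// sepolicy_vers module implementation.
sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}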
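// Declares a prebuilt_defaults-based module type whose "vendor" and
// "device_specific" properties can depend on the BOARD_USES_ODMIMAGE soong
// config variable in the ANDROID namespace.
soong_config_module_type {
    name: "precompiled_sepolicy_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: ["vendor", "device_specific"],
}

// Defaults shared by the precompiled_sepolicy.* digest modules in this file:
// device_specific when BOARD_USES_ODMIMAGE is set, vendor otherwise.
precompiled_sepolicy_defaults {
    name: "precompiled_sepolicy",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}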
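// The three modules below install, next to the precompiled policy, the digests
// of the split policies it was built from. Each one uses the same *_gen
// genrule as the matching <partition>_sepolicy_and_mapping.sha256 module, so
// within a single build the two copies are identical; they can only differ
// when the partitions holding them come from different builds.
// The install partition comes from the precompiled_sepolicy defaults.

//////////////////////////////////
// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}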
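//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
//////////////////////////////////
// build_variant is pinned to "user", so the neverallow rules CTS takes from
// this policy are those of a user build whatever the variant of the build that
// produces it.
se_policy_conf {
    name: "general_sepolicy.conf",
    srcs: [":se_build_files{.plat}"],
    build_variant: "user",
    cts: true,
    exclude_build_test: true,
}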
929}