// Copyright (C) 2021 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package {
    // Package-wide default: modules in this file that do not name a license
    // themselves pick up "system_sepolicy_license".
    // http://go/android-license-faq
    // A large-scale-change added 'default_applicable_licenses' to import
    // the below license kinds from "system_sepolicy_license":
    //   SPDX-license-identifier-Apache-2.0
    default_applicable_licenses: ["system_sepolicy_license"],
}
// Inputs for the complete Microdroid platform policy: both system/public and
// system/private. Used as srcs by microdroid_plat_sepolicy.conf and by
// microdroid_general_sepolicy.conf.
// The list runs from declarations (classes, initial SIDs, access vectors, MLS,
// macros, attributes) through the *.te rules to roles, users and contexts.
// NOTE(review): the order is presumably significant to the policy compiler
// because the files are combined in list order - confirm before reordering.
system_policy_files = [
    "system/private/security_classes",
    "system/private/initial_sids",
    "system/private/access_vectors",
    "system/public/global_macros",
    "system/public/neverallow_macros",
    "system/private/mls_macros",
    "system/private/mls_decl",
    "system/private/mls",
    "system/private/policy_capabilities",
    "system/public/te_macros",
    "system/public/attributes",
    "system/private/attributes",
    "system/public/ioctl_defines",
    "system/public/ioctl_macros",
    "system/public/*.te",
    "system/private/*.te",
    "system/private/roles_decl",
    "system/public/roles",
    "system/private/users",
    "system/private/initial_sid_contexts",
    "system/private/fs_use",
    "system/private/genfs_contexts",
    "system/private/port_contexts",
]
// Policy skeleton taken only from reqd_mask/. It is compiled into
// microdroid_reqd_policy_mask.cil, which the public and vendor CIL modules in
// this file pass as filter_out.
// NOTE(review): as with the other lists, the order is presumably significant -
// confirm before reordering.
reqd_mask_files = [
    "reqd_mask/security_classes",
    "reqd_mask/initial_sids",
    "reqd_mask/access_vectors",
    "reqd_mask/mls_macros",
    "reqd_mask/mls_decl",
    "reqd_mask/mls",
    "reqd_mask/reqd_mask.te",
    "reqd_mask/roles_decl",
    "reqd_mask/roles",
    "reqd_mask/users",
    "reqd_mask/initial_sid_contexts",
]
// Inputs for the public platform policy: the reqd_mask/ skeleton plus
// system/public/ only. No system/private/ file is listed, so private types and
// rules are not part of what gets versioned and exported from this list.
// Keep it that way when adding entries: anything placed here becomes part of
// the public policy that vendor policy is built against.
system_public_policy_files = [
    "reqd_mask/security_classes",
    "reqd_mask/initial_sids",
    "reqd_mask/access_vectors",
    "system/public/global_macros",
    "system/public/neverallow_macros",
    "reqd_mask/mls_macros",
    "reqd_mask/mls_decl",
    "reqd_mask/mls",
    "system/public/te_macros",
    "system/public/attributes",
    "system/public/ioctl_defines",
    "system/public/ioctl_macros",
    "system/public/*.te",
    "reqd_mask/reqd_mask.te",
    "reqd_mask/roles_decl",
    "reqd_mask/roles",
    "system/public/roles",
    "reqd_mask/users",
    "reqd_mask/initial_sid_contexts",
]
// Inputs for the vendor policy. Identical to system_public_policy_files except
// for the extra "vendor/*.te" entry, so vendor rules are compiled against the
// public platform policy and the reqd_mask skeleton only; no system/private/
// file is listed here.
// The two lists are maintained by hand: a change to the public list has to be
// mirrored here.
vendor_policy_files = [
    "reqd_mask/security_classes",
    "reqd_mask/initial_sids",
    "reqd_mask/access_vectors",
    "system/public/global_macros",
    "system/public/neverallow_macros",
    "reqd_mask/mls_macros",
    "reqd_mask/mls_decl",
    "reqd_mask/mls",
    "system/public/te_macros",
    "system/public/attributes",
    "system/public/ioctl_defines",
    "system/public/ioctl_macros",
    "system/public/*.te",
    "reqd_mask/reqd_mask.te",
    "vendor/*.te",
    "reqd_mask/roles_decl",
    "reqd_mask/roles",
    "system/public/roles",
    "reqd_mask/users",
    "reqd_mask/initial_sid_contexts",
]
// policy.conf for the reqd_mask skeleton (reqd_mask_files).
// Build-time intermediate: installable is false, and its only consumer in this
// file is microdroid_reqd_policy_mask.cil.
se_policy_conf {
    name: "microdroid_reqd_policy_mask.conf",
    srcs: reqd_mask_files,
    defaults: ["se_policy_conf_flags_defaults"],
    // Same MLS category count as every other se_policy_conf in this file.
    mls_cats: 1,
    installable: false,
}
// CIL form of the reqd_mask skeleton. Other modules in this file reference it
// through filter_out (microdroid_plat_pub_policy.cil and
// microdroid_vendor_sepolicy.cil.raw).
se_policy_cil {
    name: "microdroid_reqd_policy_mask.cil",
    src: ":microdroid_reqd_policy_mask.conf",
    installable: false,
    // The secilc check is switched off for this fragment.
    // NOTE(review): no reason is given here; presumably the mask is not meant
    // to compile as a standalone policy - confirm.
    secilc_check: false,
}
// policy.conf for the full platform policy (system_policy_files, i.e. public
// and private sources). Intermediate for microdroid_plat_sepolicy.cil.
se_policy_conf {
    name: "microdroid_plat_sepolicy.conf",
    srcs: system_policy_files,
    defaults: ["se_policy_conf_flags_defaults"],
    mls_cats: 1,
    installable: false,
}
// Platform policy in CIL, emitted under the file name plat_sepolicy.cil.
// Unlike the mask, public and raw vendor CIL modules in this file, this one
// does not set secilc_check: false, so whatever the module type's default
// check is applies to it.
se_policy_cil {
    name: "microdroid_plat_sepolicy.cil",
    src: ":microdroid_plat_sepolicy.conf",
    stem: "plat_sepolicy.cil",
    installable: false,
}
// policy.conf for the public platform policy (system_public_policy_files).
// Intermediate for microdroid_plat_pub_policy.cil.
se_policy_conf {
    name: "microdroid_plat_pub_policy.conf",
    srcs: system_public_policy_files,
    defaults: ["se_policy_conf_flags_defaults"],
    mls_cats: 1,
    installable: false,
}
// Public platform policy in CIL with the reqd_mask content filtered back out.
// This is the base that the mapping file, the versioned public policy and the
// vendor policy in this file are all derived from.
se_policy_cil {
    name: "microdroid_plat_pub_policy.cil",
    src: ":microdroid_plat_pub_policy.conf",
    filter_out: [":microdroid_reqd_policy_mask.cil"],
    installable: false,
    // Not secilc-checked at this stage.
    // NOTE(review): no reason is stated; the se_versioned_policy modules that
    // consume this file list dependent_cils, which is presumably where the
    // check happens - confirm.
    secilc_check: false,
}
// Mapping file generated from the public platform policy for version
// "current". It is an input to the versioned public/vendor policies, to the
// sha256 genrule and to the precompiled policy in this file.
se_versioned_policy {
    name: "microdroid_plat_mapping_file",
    base: ":microdroid_plat_pub_policy.cil",
    version: "current",
    mapping: true,
    installable: false,
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
}
// Versioned copy of the public platform policy: base and target_policy are the
// same CIL file, versioned as "current" and emitted as plat_pub_versioned.cil.
se_versioned_policy {
    name: "microdroid_plat_pub_versioned.cil",
    stem: "plat_pub_versioned.cil",
    version: "current",
    base: ":microdroid_plat_pub_policy.cil",
    target_policy: ":microdroid_plat_pub_policy.cil",
    // CIL files the output is expected to combine with.
    // NOTE(review): presumably these are what the output is checked against at
    // build time - confirm in the module type's implementation.
    dependent_cils: [
        ":microdroid_plat_sepolicy.cil",
        ":microdroid_plat_mapping_file",
    ],
    installable: false,
}
// policy.conf for the vendor policy (vendor_policy_files: public platform
// policy, reqd_mask skeleton and vendor/*.te).
// Intermediate for microdroid_vendor_sepolicy.cil.raw.
se_policy_conf {
    name: "microdroid_vendor_sepolicy.conf",
    srcs: vendor_policy_files,
    defaults: ["se_policy_conf_flags_defaults"],
    mls_cats: 1,
    installable: false,
}
// Unversioned vendor CIL with the reqd_mask content filtered out. It still
// contains the public platform policy it was compiled with; that part is
// removed later by microdroid_vendor_sepolicy.cil.
se_policy_cil {
    name: "microdroid_vendor_sepolicy.cil.raw",
    src: ":microdroid_vendor_sepolicy.conf",
    filter_out: [":microdroid_reqd_policy_mask.cil"],
    installable: false,
    secilc_check: false, // will be done in se_versioned_policy module
}
// Final vendor policy: the raw vendor CIL versioned against the public
// platform policy, with the versioned public policy filtered out so that only
// the vendor part remains. Emitted as vendor_sepolicy.cil.
se_versioned_policy {
    name: "microdroid_vendor_sepolicy.cil",
    stem: "vendor_sepolicy.cil",
    version: "current", // microdroid is bundled to system
    base: ":microdroid_plat_pub_policy.cil",
    target_policy: ":microdroid_vendor_sepolicy.cil.raw",
    filter_out: [":microdroid_plat_pub_versioned.cil"],
    // The raw module defers its secilc check to this module (see its own
    // comment); these are the CIL files the vendor policy must combine with.
    dependent_cils: [
        ":microdroid_plat_sepolicy.cil",
        ":microdroid_plat_pub_versioned.cil",
        ":microdroid_plat_mapping_file",
    ],
    installable: false,
}
// Version stamp for the platform policy, emitted as plat_sepolicy_vers.txt.
// NOTE(review): version "platform" presumably resolves to the platform sepolicy
// version at build time - confirm in the sepolicy_vers module type.
sepolicy_vers {
    name: "microdroid_plat_sepolicy_vers.txt",
    stem: "plat_sepolicy_vers.txt",
    version: "platform",
    installable: false,
}
// sepolicy sha256 for vendor.
// Concatenates the platform CIL and the mapping file in srcs order, hashes the
// stream with sha256sum and keeps only the hex digest. Both
// plat_sepolicy_and_mapping.sha256 prebuilts in this file take their content
// from this one output.
// NOTE(review): the digest depends on the order of srcs, so reordering them
// changes the value. Separately, a shell pipeline reports only the status of
// its last command unless pipefail is in effect; confirm how genrule runs cmd,
// otherwise a failing `cat` could still leave a digest in $(out).
genrule {
    name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
    out: ["microdroid_plat_sepolicy_and_mapping.sha256"],
    srcs: [
        ":microdroid_plat_sepolicy.cil",
        ":microdroid_plat_mapping_file",
    ],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
// Digest of platform policy + mapping file, packaged as
// selinux/plat_sepolicy_and_mapping.sha256.
// NOTE(review): presumably compared at runtime with the
// precompiled_sepolicy.* copy of the same digest to decide whether the
// precompiled policy still matches - the consumer is not visible in this file.
prebuilt_etc {
    name: "microdroid_plat_sepolicy_and_mapping.sha256",
    src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    filename: "plat_sepolicy_and_mapping.sha256",
    installable: false,
}
// Second copy of the same digest, packaged next to the precompiled policy as
// selinux/precompiled_sepolicy.plat_sepolicy_and_mapping.sha256.
// Both copies come from one genrule output, so within a single build they are
// identical by construction; a mismatch can only arise when the two files end
// up in an image from different builds.
prebuilt_etc {
    name: "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    installable: false,
}
// Precompiled binary policy for Microdroid, built from the platform CIL, the
// mapping file, the versioned public policy and the vendor policy.
se_policy_binary {
    name: "microdroid_precompiled_sepolicy",
    stem: "microdroid_precompiled_sepolicy",
    // NOTE(review): presumably keeps this artifact out of the regular partition
    // install so that it is only packaged for the VM image - confirm.
    no_full_install: true,
    srcs: [
        ":microdroid_plat_sepolicy.cil",
        ":microdroid_plat_mapping_file",
        ":microdroid_plat_pub_versioned.cil",
        ":microdroid_vendor_sepolicy.cil",
    ],

    // b/259729287. In Microdroid, su is allowed to be in permissive mode, even
    // on user builds, to support fully debuggable VMs there. The stated safety
    // argument is that adbd is not started at all on non-debuggable VMs.
    // NOTE(review): a permissive domain has its denials logged, not enforced,
    // so SELinux gives no containment for su in this policy. The protection
    // rests on the adbd gating, which lives outside this file; verify that
    // gating, and that no other domain can transition into su, whenever this
    // list or the su policy changes. Keep the list limited to su.
    permissive_domains_on_user_builds: ["su"],
}
// Normalizes system/private/file_contexts: sed removes everything from the
// first '#' to the end of each line and then drops empty lines, and fc_sort
// sorts the result into $(out). "$$" is the genrule escape for a literal "$".
// NOTE(review): the comment strip is purely textual, so a '#' inside a path
// pattern would truncate that entry - confirm no entry relies on one.
genrule {
    name: "microdroid_file_contexts.gen",
    tools: ["fc_sort"],
    srcs: ["system/private/file_contexts"],
    out: ["file_contexts"],
    cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
        "$(location fc_sort) -i $(out).tmp -o $(out)",
}
// Packages the sorted platform file_contexts as selinux/plat_file_contexts.
prebuilt_etc {
    name: "microdroid_file_contexts",
    src: ":microdroid_file_contexts.gen",
    relative_install_path: "selinux",
    filename: "plat_file_contexts",
    // NOTE(review): presumably keeps the file out of the regular partition
    // install so that it is only packaged for the VM image - confirm.
    no_full_install: true,
}
// Same normalization as microdroid_file_contexts.gen, applied to
// vendor/file_contexts: strip '#' comments, drop empty lines, then fc_sort.
// NOTE(review): no module in the visible part of this file consumes this
// output; confirm where the vendor file_contexts is packaged.
genrule {
    name: "microdroid_vendor_file_contexts.gen",
    tools: ["fc_sort"],
    srcs: ["vendor/file_contexts"],
    out: ["file_contexts"],
    cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
        "$(location fc_sort) -i $(out).tmp -o $(out)",
}
// Packages system/private/property_contexts unchanged as
// selinux/plat_property_contexts. Unlike file_contexts, the source is used
// directly, with no comment stripping or sorting step in this file.
prebuilt_etc {
    name: "microdroid_property_contexts",
    src: "system/private/property_contexts",
    relative_install_path: "selinux",
    filename: "plat_property_contexts",
    no_full_install: true,
}
// For CTS.
// policy.conf built from the same sources as microdroid_plat_sepolicy.conf
// (system_policy_files), with exclude_build_test set.
// NOTE(review): this is the only se_policy_conf in the file that does not set
// defaults: ["se_policy_conf_flags_defaults"]. If those defaults carry build
// flags that affect the generated policy, the copy tested by CTS could differ
// from the policy that ships - confirm the omission is intended.
se_policy_conf {
    name: "microdroid_general_sepolicy.conf",
    srcs: system_policy_files,
    mls_cats: 1,
    exclude_build_test: true,
    installable: false,
}