Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 262edc382ae4da130b211203bf05c03179794616 / . / Android.mk
blob: 2ef72fc7081612e7b8b276f68f5e236af411345b [file] [log] [blame]
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]1LOCAL_PATH:= $(call my-dir)
William Robertsf0e0a942012-08-27 15:41:15 -0700[diff] [blame]2
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]3include $(CLEAR_VARS)
4
5# SELinux policy version.
Stephen Smalleyb4f17062015-03-13 10:03:52 -0400[diff] [blame]6# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]7# Must be within the compatibility range reported by checkpolicy -V.
Jeff Vander Stoep3a0ce492015-12-07 08:30:43 -0800[diff] [blame]8POLICYVERS ?= 30
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]9
10MLS_SENS=1
11MLS_CATS=1024
12
Stephen Smalleyb4f17062015-03-13 10:03:52 -0400[diff] [blame]13ifdef BOARD_SEPOLICY_REPLACE
14$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
15endif
16
17ifdef BOARD_SEPOLICY_IGNORE
18$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
19endif
Stephen Smalley5b340be2012-03-06 11:12:41 -0500[diff] [blame]20
Stephen Smalley8e0ca882015-04-01 10:14:56 -0400[diff] [blame]21ifdef BOARD_SEPOLICY_UNION
22$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
23endif
Robert Craig6b0ff472014-01-29 13:10:58 -0500[diff] [blame]24
William Robertsd2185582015-07-16 11:28:02 -0700[diff] [blame]25ifdef BOARD_SEPOLICY_M4DEFS
26LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
27endif
28
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]29# sepolicy is now divided into multiple portions:
30# public - policy exported on which non-platform policy developers may write
31# additional policy. types and attributes are versioned and included in
32# delivered non-platform policy, which is to be combined with platform policy.
33# private - platform-only policy required for platform functionality but which
34# is not exported to vendor policy developers and as such may not be assumed
35# to exist.
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]36# mapping - This contains policy statements which map the attributes
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]37# exposed in the public policy of previous versions to the concrete types used
38# in this policy to ensure that policy targeting attributes from public
39# policy from an older platform version continues to work.
40
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]41# build process for device:
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]42# 1) convert policies to CIL:
43# - private + public platform policy to CIL
44# - mapping file to CIL (should already be in CIL form)
45# - non-platform public policy to CIL
46# - non-platform public + private policy to CIL
47# 2) attributize policy
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]48# - run script which takes non-platform public and non-platform combined
49# private + public policy and produces attributized and versioned
50# non-platform policy
51# 3) combine policy files
52# - combine mapping, platform and non-platform policy.
53# - compile output binary policy file
54
55PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
56PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]57REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
58
59# TODO: move to README when doing the README update and finalizing versioning.
60# BOARD_SEPOLICY_VERS should contain the platform version identifier
61# corresponding to the platform on which the non-platform policy is to be
62# based. If unspecified, this will build against the current public platform
63# policy in tree.
64# BOARD_SEPOLICY_VERS_DIR should contain the public platform policy which
65# is associated with the given BOARD_SEPOLICY_VERS. The policy therein will be
66# versioned according to the BOARD_SEPOLICY_VERS identifier and included as
67# part of the non-platform policy to ensure removal of access in future
68# platform policy does not break non-platform policy.
69ifndef BOARD_SEPOLICY_VERS
70$(warning BOARD_SEPOLICY_VERS not specified, assuming current platform version)
71BOARD_SEPOLICY_VERS := current
72BOARD_SEPOLICY_VERS_DIR := $(PLAT_PUBLIC_POLICY)
73else
74ifndef BOARD_SEPOLICY_VERS_DIR
75$(error BOARD_SEPOLICY_VERS_DIR not specified for versioned sepolicy.)
76endif
77endif
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]78
79###########################################################
80# Compute policy files to be used in policy build.
81# $(1): files to include
82# $(2): directories in which to find files
83###########################################################
84
85define build_policy
86$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
87endef
William Roberts29d14682016-01-04 12:20:57 -0800[diff] [blame]88
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]89# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
90# $(1): the set of policy name paths to build
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]91build_device_policy = $(call build_policy, $(1), $(BOARD_SEPOLICY_DIRS))
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]92
Richard Hainesc8801fe2015-12-11 10:39:19 +0000[diff] [blame]93# Add a file containing only a newline in-between each policy configuration
94# 'contexts' file. This will allow OEM policy configuration files without a
95# final newline (0x0A) to be built correctly by the m4(1) macro processor.
96# $(1): the set of contexts file names.
97# $(2): the file containing only 0x0A.
98add_nl = $(foreach entry, $(1), $(subst $(entry), $(entry) $(2), $(entry)))
99
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]100sepolicy_build_files := security_classes \
101 initial_sids \
102 access_vectors \
103 global_macros \
Nick Kralevicha17a2662014-11-05 15:30:41 -0800[diff] [blame]104 neverallow_macros \
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]105 mls_macros \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]106 mls_decl \
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]107 mls \
108 policy_capabilities \
109 te_macros \
110 attributes \
Jeff Vander Stoepcbaa2b72015-12-22 10:39:34 -0800[diff] [blame]111 ioctl_defines \
Jeff Vander Stoepde9b5302015-06-05 15:28:55 -0700[diff] [blame]112 ioctl_macros \
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]113 *.te \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]114 roles_decl \
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]115 roles \
116 users \
117 initial_sid_contexts \
118 fs_use \
119 genfs_contexts \
120 port_contexts
121
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]122my_target_arch := $(TARGET_ARCH)
123ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
124 my_target_arch := mips
125endif
126
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]127##################################
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]128# reqd_policy_mask - a policy.conf file which contains only the bare minimum
129# policy necessary to use checkpolicy. This bare-minimum policy needs to be
130# present in all policy.conf files, but should not necessarily be exported as
131# part of the public policy. The rules generated by reqd_policy_mask will allow
132# the compilation of public policy and subsequent removal of CIL policy that
133# should not be exported.
134
135reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
136$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
137$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]138$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]139$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
140$(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
141 @mkdir -p $(dir $@)
142 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
143 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
144 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]145 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]146 -D target_arch=$(PRIVATE_TGT_ARCH) \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]147 -s $^ > $@
148
149reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
150$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
151 @mkdir -p $(dir $@)
152 $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c $(POLICYVERS) -o $@ $<
153
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]154reqd_policy_mask.conf :=
155
156##################################
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]157# plat_pub_policy - policy that will be exported to be a part of non-platform
158# policy corresponding to this platform version. This is a limited subset of
159# policy that would not compile in checkpolicy on its own. To get around this
160# limitation, add only the required files from private policy, which will
161# generate CIL policy that will then be filtered out by the reqd_policy_mask.
162plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
163$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
164$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]165$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]166$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
167$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
168$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
169 @mkdir -p $(dir $@)
170 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
171 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
172 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]173 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]174 -D target_arch=$(PRIVATE_TGT_ARCH) \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]175 -s $^ > $@
176
177plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]178$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
179$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
180$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]181 @mkdir -p $(dir $@)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]182 $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
183 $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]184
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]185plat_pub_policy.conf :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]186
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]187##################################
188include $(CLEAR_VARS)
189
190LOCAL_MODULE := sectxfile_nl
191LOCAL_MODULE_CLASS := ETC
192LOCAL_MODULE_TAGS := optional
193
194# Create a file containing newline only to add between context config files
195include $(BUILD_SYSTEM)/base_rules.mk
196$(LOCAL_BUILT_MODULE):
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]197 @mkdir -p $(dir $@)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]198 $(hide) echo > $@
199
200built_nl := $(LOCAL_BUILT_MODULE)
201
202#################################
203include $(CLEAR_VARS)
204
205LOCAL_MODULE := plat_sepolicy.cil
206LOCAL_MODULE_CLASS := ETC
207LOCAL_MODULE_TAGS := optional
208LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]209
210include $(BUILD_SYSTEM)/base_rules.mk
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]211
212# plat_policy.conf - A combination of the private and public platform policy
213# which will ship with the device. The platform will always reflect the most
214# recent platform version and is not currently being attributized.
215plat_policy.conf := $(intermediates)/plat_policy.conf
216$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
217$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]218$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]219$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
220$(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]221$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
222 @mkdir -p $(dir $@)
223 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
224 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
225 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Jorge Lucangeli Obes84db84e2016-11-18 08:42:35 -0500[diff] [blame]226 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]227 -D target_arch=$(PRIVATE_TGT_ARCH) \
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]228 -s $^ > $@
229 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
230
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]231plat_policy_nvr := $(intermediates)/plat_policy_nvr.cil
232$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]233 @mkdir -p $(dir $@)
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]234 $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]235
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]236$(LOCAL_BUILT_MODULE): $(plat_policy_nvr)
237 @mkdir -p $(dir $@)
238 grep -v neverallow $< > $@
239
240plat_policy.conf :=
241
242#################################
243include $(CLEAR_VARS)
244
245LOCAL_MODULE := mapping_sepolicy.cil
246LOCAL_MODULE_CLASS := ETC
247LOCAL_MODULE_TAGS := optional
248LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]249
250include $(BUILD_SYSTEM)/base_rules.mk
251
252# auto-generate the mapping file for current platform policy, since it needs to
253# track platform policy development
254current_mapping.cil := $(intermediates)/mapping/current.cil
255$(current_mapping.cil) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
256$(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
257 @mkdir -p $(dir $@)
258 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
259
260ifeq ($(BOARD_SEPOLICY_VERS), current)
261mapping_policy_nvr := $(current_mapping.cil)
262else
263mapping_policy_nvr := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
264endif
265
266$(LOCAL_BUILT_MODULE): $(mapping_policy_nvr)
267 grep -v neverallow $< > $@
268
269current_mapping.cil :=
270
271#################################
272include $(CLEAR_VARS)
273
274LOCAL_MODULE := nonplat_sepolicy.cil
275LOCAL_MODULE_CLASS := ETC
276LOCAL_MODULE_TAGS := optional
277LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]278
279include $(BUILD_SYSTEM)/base_rules.mk
280
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]281# nonplat_policy.conf - A combination of the non-platform private and the
282# exported platform policy associated with the version the non-platform policy
283# targets. This needs attributization and to be combined with the
284# platform-provided policy. Like plat_pub_policy.conf, this needs to make use
285# of the reqd_policy_mask files from private policy in order to use checkpolicy.
286nonplat_policy.conf := $(intermediates)/nonplat_policy.conf
287$(nonplat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
288$(nonplat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]289$(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]290$(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
291$(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
292$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(BOARD_SEPOLICY_DIRS))
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]293 @mkdir -p $(dir $@)
William Robertsd2185582015-07-16 11:28:02 -0700[diff] [blame]294 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
295 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
Nick Kralevich623975f2014-01-11 01:31:03 -0800[diff] [blame]296 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Jorge Lucangeli Obes84db84e2016-11-18 08:42:35 -0500[diff] [blame]297 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]298 -D target_arch=$(PRIVATE_TGT_ARCH) \
Nick Kralevich623975f2014-01-11 01:31:03 -0800[diff] [blame]299 -s $^ > $@
Robert Craig65d4f442013-03-27 06:30:25 -0400[diff] [blame]300 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]301
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]302nonplat_policy_raw := $(intermediates)/nonplat_policy_raw.cil
303$(nonplat_policy_raw): PRIVATE_POL_CONF := $(nonplat_policy.conf)
304$(nonplat_policy_raw): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
305$(nonplat_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.conf) \
306$(reqd_policy_mask.cil)
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]307 @mkdir -p $(dir $@)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]308 $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
309 $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]310
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]311nonplat_policy_nvr := $(intermediates)/nonplat_policy_nvr.cil
312$(nonplat_policy_nvr) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
313$(nonplat_policy_nvr) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
314$(nonplat_policy_nvr) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]315$(HOST_OUT_EXECUTABLES)/version_policy
316 @mkdir -p $(dir $@)
317 $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
318
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]319$(LOCAL_BUILT_MODULE): $(nonplat_policy_nvr)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]320 @mkdir -p $(dir $@)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]321 grep -v neverallow $< > $@
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]322
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]323nonplat_policy.conf :=
324nonplat_policy_raw :=
325
326#################################
327include $(CLEAR_VARS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]328# build this target so that we can still perform neverallow checks
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]329
330LOCAL_MODULE := sepolicy
331LOCAL_MODULE_CLASS := ETC
332LOCAL_MODULE_TAGS := optional
Daniel Cashman65d01342016-12-17 00:53:26 +0000[diff] [blame]333LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]334
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]335include $(BUILD_SYSTEM)/base_rules.mk
336
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]337all_cil_files := \
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]338 $(plat_policy_nvr) \
339 $(mapping_policy_nvr) \
340 $(nonplat_policy_nvr) \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]341
342$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
343$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
344 @mkdir -p $(dir $@)
345 $(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp
Nick Kralevichbca98ef2016-02-26 20:06:52 -0800[diff] [blame]346 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
347 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
348 echo "==========" 1>&2; \
349 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
350 echo "List of invalid domains:" 1>&2; \
351 cat $@.permissivedomains 1>&2; \
352 exit 1; \
353 fi
354 $(hide) mv $@.tmp $@
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]355
Ying Wangd8b122c2012-10-25 19:01:31 -0700[diff] [blame]356built_sepolicy := $(LOCAL_BUILT_MODULE)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]357all_cil_files :=
Stephen Smalley01a58af2012-10-02 12:46:37 -0400[diff] [blame]358
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]359##################################
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]360plat_pub_policy.recovery.conf := $(intermediates)/plat_pub_policy.recovery.conf
361$(plat_pub_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
362$(plat_pub_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
363$(plat_pub_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
364$(plat_pub_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
365$(plat_pub_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
366$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]367 @mkdir -p $(dir $@)
William Robertsd2185582015-07-16 11:28:02 -0700[diff] [blame]368 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
369 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]370 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Jorge Lucangeli Obes84db84e2016-11-18 08:42:35 -0500[diff] [blame]371 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]372 -D target_arch=$(PRIVATE_TGT_ARCH) \
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]373 -D target_recovery=true \
374 -s $^ > $@
375
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]376plat_pub_policy.recovery.cil := $(intermediates)/plat_pub_policy.recovery.cil
377$(plat_pub_policy.recovery.cil): PRIVATE_POL_CONF := $(plat_pub_policy.recovery.conf)
378$(plat_pub_policy.recovery.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
379$(plat_pub_policy.recovery.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
380$(plat_pub_policy.recovery.conf) $(reqd_policy_mask.cil)
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]381 @mkdir -p $(dir $@)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]382 $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
383 $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
384
385plat_pub_policy.recovery.conf :=
386
387#################################
388include $(CLEAR_VARS)
389
390LOCAL_MODULE := plat_sepolicy.recovery.cil
391LOCAL_MODULE_CLASS := ETC
392LOCAL_MODULE_TAGS := optional
393LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
394
395include $(BUILD_SYSTEM)/base_rules.mk
396
397plat_policy.recovery.conf := $(intermediates)/plat_policy.recovery.conf
398$(plat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
399$(plat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
400$(plat_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
401$(plat_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
402$(plat_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
403$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
404 @mkdir -p $(dir $@)
405 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
406 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
407 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]408 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]409 -D target_arch=$(PRIVATE_TGT_ARCH) \
410 -D target_recovery=true \
411 -s $^ > $@
412 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
413
414plat_policy_nvr.recovery := $(intermediates)/plat_policy_nvr.recovery.cil
415$(plat_policy_nvr.recovery): $(plat_policy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
416 @mkdir -p $(dir $@)
417 $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
418
419$(LOCAL_BUILT_MODULE): $(plat_policy_nvr.recovery)
420 @mkdir -p $(dir $@)
421 grep -v neverallow $< > $@
422
423plat_policy.recovery.conf :=
424
425#################################
426include $(CLEAR_VARS)
427
428LOCAL_MODULE := mapping_sepolicy.recovery.cil
429LOCAL_MODULE_CLASS := ETC
430LOCAL_MODULE_TAGS := optional
431LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
432
433include $(BUILD_SYSTEM)/base_rules.mk
434
435# auto-generate the mapping file for current platform policy, since it needs to
436# track platform policy development
437current_mapping.recovery.cil := $(intermediates)/mapping/current.recovery.cil
438$(current_mapping.recovery.cil) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
439$(current_mapping.recovery.cil) : $(plat_pub_policy.recovery.cil) $(HOST_OUT_EXECUTABLES)/version_policy
440 @mkdir -p $(dir $@)
441 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
442
443ifeq ($(BOARD_SEPOLICY_VERS), current)
444mapping_policy_nvr.recovery := $(current_mapping.recovery.cil)
445else
446mapping_policy_nvr.recovery := $(addsuffix /$(BOARD_SEPOLICY_VERS).recovery.cil, \
447$(PLAT_PRIVATE_POLICY)/mapping)
448endif
449
450$(LOCAL_BUILT_MODULE): $(mapping_policy_nvr.recovery)
451 grep -v neverallow $< > $@
452
453current_mapping.recovery.cil :=
454
455#################################
456include $(CLEAR_VARS)
457
458LOCAL_MODULE := nonplat_sepolicy.recovery.cil
459LOCAL_MODULE_CLASS := ETC
460LOCAL_MODULE_TAGS := optional
461LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
462
463include $(BUILD_SYSTEM)/base_rules.mk
464
465nonplat_policy.recovery.conf := $(intermediates)/nonplat_policy.recovery.conf
466$(nonplat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
467$(nonplat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
468$(nonplat_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
469$(nonplat_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
470$(nonplat_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
471$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(BOARD_SEPOLICY_DIRS))
472 @mkdir -p $(dir $@)
473 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
474 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
475 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]476 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]477 -D target_arch=$(PRIVATE_TGT_ARCH) \
478 -D target_recovery=true \
479 -s $^ > $@
480 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
481
482nonplat_policy_raw.recovery := $(intermediates)/nonplat_policy_raw.recovery.cil
483$(nonplat_policy_raw.recovery): PRIVATE_POL_CONF := $(nonplat_policy.recovery.conf)
484$(nonplat_policy_raw.recovery): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
485$(nonplat_policy_raw.recovery): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.recovery.conf) \
486$(reqd_policy_mask.cil)
487 @mkdir -p $(dir $@)
488 $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
489 $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
490
491nonplat_policy_nvr.recovery := $(intermediates)/nonplat_policy_nvr.recovery.cil
492$(nonplat_policy_nvr.recovery) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
493$(nonplat_policy_nvr.recovery) : PRIVATE_TGT_POL := $(nonplat_policy_raw.recovery)
494$(nonplat_policy_nvr.recovery) : $(plat_pub_policy.recovery.cil) $(nonplat_policy_raw.recovery) \
495$(HOST_OUT_EXECUTABLES)/version_policy
496 @mkdir -p $(dir $@)
497 $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
498
499$(LOCAL_BUILT_MODULE): $(nonplat_policy_nvr.recovery)
500 @mkdir -p $(dir $@)
501 grep -v neverallow $< > $@
502
503nonplat_policy.recovery.conf :=
504nonplat_policy_raw.recovery :=
505
506##################################
507include $(CLEAR_VARS)
508
509# keep concrete sepolicy for neverallow checks
510
511LOCAL_MODULE := sepolicy.recovery
512LOCAL_MODULE_CLASS := ETC
513LOCAL_MODULE_TAGS := optional
Daniel Cashman65d01342016-12-17 00:53:26 +0000[diff] [blame]514LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]515
516include $(BUILD_SYSTEM)/base_rules.mk
517
518all_cil_files.recovery := \
519 $(plat_policy_nvr.recovery) \
520 $(mapping_policy_nvr.recovery) \
521 $(nonplat_policy_nvr.recovery) \
522
523$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files.recovery)
524$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files.recovery)
525 @mkdir -p $(dir $@)
526 $(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp
Nick Kralevichbca98ef2016-02-26 20:06:52 -0800[diff] [blame]527 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
528 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
529 echo "==========" 1>&2; \
530 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
531 echo "List of invalid domains:" 1>&2; \
532 cat $@.permissivedomains 1>&2; \
533 exit 1; \
534 fi
535 $(hide) mv $@.tmp $@
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]536
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]537all_cil_files.recovery :=
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]538
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]539##################################
540include $(CLEAR_VARS)
541
542LOCAL_MODULE := general_sepolicy.conf
543LOCAL_MODULE_CLASS := ETC
544LOCAL_MODULE_TAGS := tests
545
546include $(BUILD_SYSTEM)/base_rules.mk
547
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]548$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
549$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]550$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]551$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
552$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]553 mkdir -p $(dir $@)
554 $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
555 -D target_build_variant=user \
Jorge Lucangeli Obes84db84e2016-11-18 08:42:35 -0500[diff] [blame]556 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]557 -D target_arch=$(PRIVATE_TGT_ARCH) \
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]558 -s $^ > $@
559 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
560
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]561built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE)
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]562exp_sepolicy_build_files :=
563
564##################################
Stephen Smalley01a58af2012-10-02 12:46:37 -0400[diff] [blame]565include $(CLEAR_VARS)
566
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]567LOCAL_MODULE := sepolicy.general
568LOCAL_MODULE_CLASS := ETC
569LOCAL_MODULE_TAGS := tests
570
571include $(BUILD_SYSTEM)/base_rules.mk
572
573$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
574$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
575 @mkdir -p $(dir $@)
Nick Kralevich6ef10bd2016-02-29 16:59:33 -0800[diff] [blame]576 $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]577
578built_general_sepolicy := $(LOCAL_BUILT_MODULE)
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]579
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]580##################################
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]581# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
582#
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]583include $(CLEAR_VARS)
584
Richard Hainesc2d01912015-08-06 17:43:52 +0100[diff] [blame]585LOCAL_MODULE := file_contexts.bin
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]586LOCAL_MODULE_CLASS := ETC
587LOCAL_MODULE_TAGS := optional
588LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
589
Stephen Smalley5b340be2012-03-06 11:12:41 -0500[diff] [blame]590include $(BUILD_SYSTEM)/base_rules.mk
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]591
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]592# The file_contexts.bin is built in the following way:
593# 1. Collect all file_contexts files in THIS repository and process them with
594# m4 into a tmp file called file_contexts.local.tmp.
595# 2. Collect all device specific file_contexts files and process them with m4
596# into a tmp file called file_contexts.device.tmp.
597# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
598# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
599# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into
600# file_contexts.concat.tmp.
601# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
602# file_contexts.bin.
603#
604# Note: That a newline file is placed between each file_context file found to
605# ensure a proper build when an fc file is missing an ending newline.
William Roberts29d14682016-01-04 12:20:57 -0800[diff] [blame]606
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]607local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]608ifneq ($(filter address,$(SANITIZE_TARGET)),)
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]609 local_fc_files := $(local_fc_files) $(PLAT_PRIVATE_POLICY)/file_contexts_asan
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]610endif
611local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
612
613file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
614$(file_contexts.local.tmp): $(local_fcfiles_with_nl)
Stephen Smalley5b340be2012-03-06 11:12:41 -0500[diff] [blame]615 @mkdir -p $(dir $@)
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]616 $(hide) m4 -s $^ > $@
617
618device_fc_files := $(call build_device_policy, file_contexts)
619device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl))
620
621file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
622$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
623$(file_contexts.device.tmp): $(device_fcfiles_with_nl)
624 @mkdir -p $(dir $@)
625 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
626
627file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
628$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
629$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
630 @mkdir -p $(dir $@)
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]631 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]632 $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@
633
634file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
635$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
636 @mkdir -p $(dir $@)
637 $(hide) m4 -s $^ > $@
Stephen Smalley5b340be2012-03-06 11:12:41 -0500[diff] [blame]638
William Roberts3746a0a2015-09-25 10:18:44 -0700[diff] [blame]639$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]640$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
Richard Hainesc2d01912015-08-06 17:43:52 +0100[diff] [blame]641 @mkdir -p $(dir $@)
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]642 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
Richard Hainesc2d01912015-08-06 17:43:52 +0100[diff] [blame]643 $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
644
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]645built_fc := $(LOCAL_BUILT_MODULE)
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]646local_fc_files :=
647local_fcfiles_with_nl :=
648device_fc_files :=
649device_fcfiles_with_nl :=
650file_contexts.concat.tmp :=
651file_contexts.device.sorted.tmp :=
652file_contexts.device.tmp :=
653file_contexts.local.tmp :=
William Roberts171a0622012-08-16 10:55:05 -0700[diff] [blame]654
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]655##################################
656include $(CLEAR_VARS)
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]657
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]658LOCAL_MODULE := plat_file_contexts
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]659LOCAL_MODULE_CLASS := ETC
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]660LOCAL_MODULE_TAGS := optional
661LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]662
663include $(BUILD_SYSTEM)/base_rules.mk
664
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]665local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
666ifneq ($(filter address,$(SANITIZE_TARGET)),)
667 local_fc_files += $(PLAT_PRIVATE_POLICY)/file_contexts_asan
668endif
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]669
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]670$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles)
671$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
672$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(local_fcfiles) $(built_sepolicy)
Richard Hainesc2d01912015-08-06 17:43:52 +0100[diff] [blame]673 @mkdir -p $(dir $@)
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]674 $(hide) m4 -s $(PRIVATE_FC_FILES) > $@
675 $(hide) $< $(PRIVATE_SEPOLICY) $@
Richard Hainesc2d01912015-08-06 17:43:52 +0100[diff] [blame]676
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]677built_plat_fc := $(LOCAL_BUILT_MODULE)
678local_fc_files :=
679
680##################################
681include $(CLEAR_VARS)
682
683LOCAL_MODULE := nonplat_file_contexts
684LOCAL_MODULE_CLASS := ETC
685LOCAL_MODULE_TAGS := optional
686LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
687
688include $(BUILD_SYSTEM)/base_rules.mk
689
690nonplat_fc_files := $(call build_device_policy, file_contexts)
691nonplat_fcfiles_with_nl := $(call add_nl, $(nonplat_fc_files), $(built_nl))
692
693$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(nonplat_fcfiles_with_nl)
694$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
695$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
696$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
697$(device_fcfiles_with_nl) $(built_sepolicy)
698 @mkdir -p $(dir $@)
699 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
700 $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
701 $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
702
703built_nonplat_fc := $(LOCAL_BUILT_MODULE)
704nonplat_fc_files :=
705nonplat_fcfiles_with_nl :=
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]706
707##################################
708include $(CLEAR_VARS)
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]709LOCAL_MODULE := plat_seapp_contexts
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]710LOCAL_MODULE_CLASS := ETC
711LOCAL_MODULE_TAGS := optional
712LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
713
William Roberts171a0622012-08-16 10:55:05 -0700[diff] [blame]714include $(BUILD_SYSTEM)/base_rules.mk
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]715
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]716plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
William Roberts171a0622012-08-16 10:55:05 -0700[diff] [blame]717
Ying Wangd8b122c2012-10-25 19:01:31 -0700[diff] [blame]718$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]719$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
720$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
William Robertsf0e0a942012-08-27 15:41:15 -0700[diff] [blame]721 @mkdir -p $(dir $@)
William Roberts99fe8df2015-06-30 13:53:51 -0700[diff] [blame]722 $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]723
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]724built_plat_sc := $(LOCAL_BUILT_MODULE)
725plat_sc_files :=
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]726
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]727##################################
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]728include $(CLEAR_VARS)
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]729LOCAL_MODULE := nonplat_seapp_contexts
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]730LOCAL_MODULE_CLASS := ETC
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]731LOCAL_MODULE_TAGS := optional
732LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]733
734include $(BUILD_SYSTEM)/base_rules.mk
735
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]736nonplat_sc_files := $(call build_policy, seapp_contexts, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]737
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]738$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
739$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)
740$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(nonplat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]741 @mkdir -p $(dir $@)
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]742 $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]743
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]744built_nonplat_sc := $(LOCAL_BUILT_MODULE)
745nonplat_sc_files :=
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]746
747##################################
748include $(CLEAR_VARS)
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]749LOCAL_MODULE := plat_seapp_neverallows
William Roberts4ee71312015-06-25 11:59:30 -0700[diff] [blame]750LOCAL_MODULE_CLASS := ETC
751LOCAL_MODULE_TAGS := tests
752
753include $(BUILD_SYSTEM)/base_rules.mk
754
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]755$(LOCAL_BUILT_MODULE): $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
William Roberts4ee71312015-06-25 11:59:30 -0700[diff] [blame]756 @mkdir -p $(dir $@)
757 - $(hide) grep -ie '^neverallow' $< > $@
758
William Roberts4ee71312015-06-25 11:59:30 -0700[diff] [blame]759
760##################################
761include $(CLEAR_VARS)
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]762
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]763LOCAL_MODULE := plat_property_contexts
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]764LOCAL_MODULE_CLASS := ETC
765LOCAL_MODULE_TAGS := optional
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]766# TODO: Change module path to TARGET_SYSTEM_OUT after b/27805372
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]767LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
768
769include $(BUILD_SYSTEM)/base_rules.mk
770
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]771plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY))
William Roberts6aabc1c2015-07-30 11:44:26 -0700[diff] [blame]772
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]773plat_property_contexts.tmp := $(intermediates)/plat_property_contexts.tmp
774$(plat_property_contexts.tmp): PRIVATE_PC_FILES := $(plat_pcfiles)
775$(plat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
776$(plat_property_contexts.tmp): $(plat_pcfiles)
William Roberts7f81b332015-09-29 13:52:37 -0700[diff] [blame]777 @mkdir -p $(dir $@)
Colin Cross9eb6c872015-10-01 21:25:09 +0000[diff] [blame]778 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
William Robertsdcffd2b2015-09-29 13:52:37 -0700[diff] [blame]779
780
781$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]782$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
William Robertsdcffd2b2015-09-29 13:52:37 -0700[diff] [blame]783 @mkdir -p $(dir $@)
William Roberts371918c2016-04-06 11:40:08 -0700[diff] [blame]784 $(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]785 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]786
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]787built_plat_pc := $(LOCAL_BUILT_MODULE)
788plat_pc_files :=
789plat_property_contexts.tmp :=
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]790
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]791##################################
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]792include $(CLEAR_VARS)
793
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]794LOCAL_MODULE := nonplat_property_contexts
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]795LOCAL_MODULE_CLASS := ETC
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]796LOCAL_MODULE_TAGS := optional
797# TODO: Change module path to TARGET_SYSTEM_OUT after b/27805372
798LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]799
Stephen Smalleyc9361732015-03-13 09:36:57 -0400[diff] [blame]800include $(BUILD_SYSTEM)/base_rules.mk
801
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]802nonplat_pcfiles := $(call build_policy, property_contexts, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]803
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]804nonplat_property_contexts.tmp := $(intermediates)/nonplat_property_contexts.tmp
805$(nonplat_property_contexts.tmp): PRIVATE_PC_FILES := $(nonplat_pcfiles)
806$(nonplat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
807$(nonplat_property_contexts.tmp): $(nonplat_pcfiles)
808 @mkdir -p $(dir $@)
809 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
810
811
812$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
813$(LOCAL_BUILT_MODULE): $(nonplat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
William Robertsdcffd2b2015-09-29 13:52:37 -0700[diff] [blame]814 @mkdir -p $(dir $@)
William Roberts371918c2016-04-06 11:40:08 -0700[diff] [blame]815 $(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]816 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
William Robertsdcffd2b2015-09-29 13:52:37 -0700[diff] [blame]817
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]818built_nonplat_pc := $(LOCAL_BUILT_MODULE)
819nonplat_pc_files :=
820nonplat_property_contexts.tmp :=
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]821
822##################################
823include $(CLEAR_VARS)
824
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]825LOCAL_MODULE := plat_service_contexts
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]826LOCAL_MODULE_CLASS := ETC
827LOCAL_MODULE_TAGS := optional
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]828# TODO: Change module path to TARGET_SYSTEM_OUT after b/27805372
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]829LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
830
831include $(BUILD_SYSTEM)/base_rules.mk
832
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]833plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY))
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]834
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]835plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp
836$(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
837$(plat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
838$(plat_service_contexts.tmp): $(plat_svcfiles)
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]839 @mkdir -p $(dir $@)
William Roberts6aabc1c2015-07-30 11:44:26 -0700[diff] [blame]840 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
William Roberts7fc865a2015-09-29 14:17:38 -0700[diff] [blame]841
842$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]843$(LOCAL_BUILT_MODULE): $(plat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
William Roberts7fc865a2015-09-29 14:17:38 -0700[diff] [blame]844 @mkdir -p $(dir $@)
William Robertsc9fce3f2016-04-06 11:53:04 -0700[diff] [blame]845 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]846 $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]847
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]848built_plat_svc := $(LOCAL_BUILT_MODULE)
849plat_svcfiles :=
850plat_service_contexts.tmp :=
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]851
852##################################
rpcraigb19665c2012-07-30 09:33:03 -0400[diff] [blame]853include $(CLEAR_VARS)
854
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]855LOCAL_MODULE := nonplat_service_contexts
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]856LOCAL_MODULE_CLASS := ETC
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]857LOCAL_MODULE_TAGS := optional
858# TODO: Change module path to TARGET_VENDOR_OUT after b/27805372
859LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]860
861include $(BUILD_SYSTEM)/base_rules.mk
862
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]863nonplat_svcfiles := $(call build_policy, service_contexts, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]864
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]865nonplat_service_contexts.tmp := $(intermediates)/nonplat_service_contexts.tmp
866$(nonplat_service_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_svcfiles)
867$(nonplat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
868$(nonplat_service_contexts.tmp): $(nonplat_svcfiles)
869 @mkdir -p $(dir $@)
870 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
871
872$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
873$(LOCAL_BUILT_MODULE): $(nonplat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
William Roberts7fc865a2015-09-29 14:17:38 -0700[diff] [blame]874 @mkdir -p $(dir $@)
William Robertsc9fce3f2016-04-06 11:53:04 -0700[diff] [blame]875 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]876 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
William Roberts7fc865a2015-09-29 14:17:38 -0700[diff] [blame]877
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]878built_nonplat_svc := $(LOCAL_BUILT_MODULE)
879nonplat_svcfiles :=
880nonplat_service_contexts.tmp :=
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]881
882##################################
883include $(CLEAR_VARS)
884
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]885LOCAL_MODULE := plat_mac_permissions.xml
rpcraigb19665c2012-07-30 09:33:03 -0400[diff] [blame]886LOCAL_MODULE_CLASS := ETC
887LOCAL_MODULE_TAGS := optional
888LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
889
William Roberts2c8a55d2012-11-30 14:59:09 -0800[diff] [blame]890include $(BUILD_SYSTEM)/base_rules.mk
rpcraigb19665c2012-07-30 09:33:03 -0400[diff] [blame]891
Geremy Condracd4104e2013-03-26 18:19:12 +0000[diff] [blame]892# Build keys.conf
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]893plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
894$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
895$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY))
Geremy Condracd4104e2013-03-26 18:19:12 +0000[diff] [blame]896 @mkdir -p $(dir $@)
William Robertsd2185582015-07-16 11:28:02 -0700[diff] [blame]897 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
Geremy Condracd4104e2013-03-26 18:19:12 +0000[diff] [blame]898
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]899all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
rpcraigb19665c2012-07-30 09:33:03 -0400[diff] [blame]900
Shinichiro Hamajief0c14d2016-05-13 16:04:58 +0900[diff] [blame]901# Should be synced with keys.conf.
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]902all_plat_keys := platform media shared testkey
903all_plat_keys := $(all_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
Shinichiro Hamajief0c14d2016-05-13 16:04:58 +0900[diff] [blame]904
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]905$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
906$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
907$(all_plat_mac_perms_files) $(all_plat_keys)
Geremy Condracd4104e2013-03-26 18:19:12 +0000[diff] [blame]908 @mkdir -p $(dir $@)
Nick Kralevichc3c90522013-10-25 12:25:36 -0700[diff] [blame]909 $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
William Roberts6aabc1c2015-07-30 11:44:26 -0700[diff] [blame]910 $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
Geremy Condracd4104e2013-03-26 18:19:12 +0000[diff] [blame]911
William Roberts6aabc1c2015-07-30 11:44:26 -0700[diff] [blame]912all_mac_perms_files :=
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]913all_plat_keys :=
914plat_mac_perms_keys.tmp :=
915
916##################################
917include $(CLEAR_VARS)
918
919LOCAL_MODULE := nonplat_mac_permissions.xml
920LOCAL_MODULE_CLASS := ETC
921LOCAL_MODULE_TAGS := optional
922LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
923
924include $(BUILD_SYSTEM)/base_rules.mk
925
926# Build keys.conf
927nonplat_mac_perms_keys.tmp := $(intermediates)/nonplat_keys.tmp
928$(nonplat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
929$(nonplat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
930 @mkdir -p $(dir $@)
931 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
932
933all_nonplat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
934
935$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_nonplat_mac_perms_files)
936$(LOCAL_BUILT_MODULE): $(nonplat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
937$(all_nonplat_mac_perms_files)
938 @mkdir -p $(dir $@)
939 $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
940
941nonplat_mac_perms_keys.tmp :=
942all_nonplat_mac_perms_files :=
William Roberts6aabc1c2015-07-30 11:44:26 -0700[diff] [blame]943
rpcraigb19665c2012-07-30 09:33:03 -0400[diff] [blame]944##################################
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]945include $(CLEAR_VARS)
946
947LOCAL_MODULE := selinux_version
948LOCAL_MODULE_CLASS := ETC
949LOCAL_MODULE_TAGS := optional
950LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
951
952include $(BUILD_SYSTEM)/base_rules.mk
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]953$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_plat_pc) $(built_nonplat_pc) $(built_plat_fc) \
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]954$(buit_nonplat_fc) $(built_plat_sc) $(built_nonplat_sc) $(built_plat_svc) $(built_nonplat_svc)
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]955 @mkdir -p $(dir $@)
Colin Cross29a463d2015-07-17 13:08:41 -0700[diff] [blame]956 $(hide) echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]957
958##################################
rpcraig47cd3962012-10-17 21:09:52 -0400[diff] [blame]959
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]960add_nl :=
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]961build_device_policy :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]962build_policy :=
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]963built_plat_fc :=
964built_nonplat_fc :=
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]965built_general_sepolicy :=
966built_general_sepolicy.conf :=
Richard Hainesc8801fe2015-12-11 10:39:19 +0000[diff] [blame]967built_nl :=
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame^]968built_plat_pc :=
969built_nonplat_pc :=
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]970built_nonplat_sc :=
971built_plat_sc :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]972built_sepolicy :=
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]973built_plat_svc :=
974built_nonplat_svc :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]975mapping_policy_nvr :=
976mapping_policy_nvr.recovery :=
977my_target_arch :=
978nonplat_policy_nvr :=
979nonplat_policy_nvr.recovery :=
980plat_policy_nvr :=
981plat_policy_nvr.recovery :=
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]982plat_pub_policy.cil :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]983plat_pub_policy.recovery.cil :=
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]984reqd_policy_mask.cil :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]985sepolicy_build_files :=
Alice Chucdfb06f2012-11-01 11:33:04 -0700[diff] [blame]986
987include $(call all-makefiles-under,$(LOCAL_PATH))