Tri Voa5cfd3e2018-03-22 11:35:02 -07001// Copyright (C) 2018 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
// Package-level default: every module in this directory that does not set its
// own `licenses` property is covered by system_sepolicy_license (declared below).
package {
    default_applicable_licenses: ["system_sepolicy_license"],
}
18
19// Added automatically by a large-scale-change that took the approach of
20// 'apply every license found to every target'. While this makes sure we respect
21// every license restriction, it may not be entirely correct.
22//
23// e.g. GPL in an MIT project might only apply to the contrib/ directory.
24//
25// Please consider splitting the single license below into multiple licenses,
26// taking care not to lose any license_kind information, and overriding the
27// default license using the 'licenses: [...]' property on targets as needed.
28//
29// For unused files, consider creating a 'filegroup' with "//visibility:private"
30// to attach the license to, and including a comment whether the files may be
31// used in the current project.
32// http://go/android-license-faq
// License metadata for this package and its subpackages. Both license kinds are
// attached to every target here (see the note above); NOTICE is the license text.
license {
    name: "system_sepolicy_license",
    // Only this package and packages below it may reference the license module.
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}
44
// Shared cc_defaults so native code can compile against the policy version this
// tree ships: consumers opt in with `defaults: ["selinux_policy_version"]` and get
// SEPOLICY_VERSION defined to 30.
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
46
yangbill3e345372020-04-15 13:55:47 +080047// For vts_treble_sys_prop_test
// Exposes the private property_contexts file to exactly one consumer: the VTS
// system_property test (see the comment above). Keep the visibility list minimal
// so private policy sources are not referenced from unrelated packages.
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}
Inseob Kime35b49b2021-02-18 19:15:41 +090055
// Catalogue of policy source file names. The `{.reqd_mask}`, `{.plat_public}`,
// `{.plat_private}`, `{.system_ext_*}`, `{.product_*}`, `{.plat_vendor}`,
// `{.vendor}` and `{.odm}` output tags used below select a partition/visibility
// subset of these files (presumably by source directory; the resolution lives in
// the se_build_files module type, outside this file).
// NOTE(review): the entry order looks like the section order a policy.conf needs
// (classes/sids/access vectors before macros and rules) — keep it when adding files.
se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}
82
// Hand-written CIL appended to the platform policy via additional_cil_files
// (referenced below as ":sepolicy_technical_debt{.plat_private}").
se_build_files {
    name: "sepolicy_technical_debt",
    srcs: ["technical_debt.cil"],
}
87
// Source lists for one partition's public or private policy each, expressed as
// se_build_files output tags. The se_policy_conf modules below concatenate these
// with `+` to build a policy.conf; the order of concatenation is the order in which
// the sources are fed to the policy compiler.
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
plat_public_policy = [":se_build_files{.plat_public}"]
plat_private_policy = [":se_build_files{.plat_private}"]
system_ext_public_policy = [":se_build_files{.system_ext_public}"]
system_ext_private_policy = [":se_build_files{.system_ext_private}"]
product_public_policy = [":se_build_files{.product_public}"]
product_private_policy = [":se_build_files{.product_private}"]
95
Inseob Kima49e7242021-03-22 10:26:13 +090096// reqd_policy_mask - a policy.conf file which contains only the bare minimum
97// policy necessary to use checkpolicy.
98//
99// This bare-minimum policy needs to be present in all policy.conf files, but
100// should not necessarily be exported as part of the public policy.
101//
102// The rules generated by reqd_policy_mask will allow the compilation of public
103// policy and subsequent removal of CIL policy that should not be exported.
// policy.conf holding only the reqd_mask sources. Not installed; it exists so that
// reqd_policy_mask.cil can be produced and subtracted from the exported CILs.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    // se_policy_conf_flags_defaults is defined outside this file.
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: reqd_mask_policy,
    installable: false,
}
110
// CIL form of the bare-minimum policy; used only as a filter_out input by the
// pub_policy CIL modules below.
se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    // Not a loadable policy on its own and never installed, so no secilc check.
    secilc_check: false,
    installable: false,
}
117
Inseob Kima49e7242021-03-22 10:26:13 +0900118// pub_policy - policy that will be exported to be a part of non-platform
119// policy corresponding to this platform version.
120//
121// This is a limited subset of policy that would not compile in checkpolicy on
122// its own.
123//
124// To get around this limitation, add only the required files from private
125// policy, which will generate CIL policy that will then be filtered out by the
126// reqd_policy_mask.
127//
128// There are three pub_policy.cil files below:
129// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
130// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
131// - plat_pub_policy.cil: exported 'system' policy.
132//
// The files above will in turn be used to generate the following versioned cil files:
134// - product_mapping_file: the versioned, exported 'product' policy in product partition.
135// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
136// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
137// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
138// in vendor partition.
139//
// Public policy of system, system_ext and product plus the reqd_mask sources
// (needed so checkpolicy can compile the public subset, see above). Built as a
// vendor-partition module; not installed.
se_policy_conf {
    name: "pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    vendor: true,
    installable: false,
}
150
// Exported public policy (system + system_ext + product) with the reqd_mask rules
// filtered back out. Consumed by product_mapping_file and by the vendor/odm
// versioning modules below.
se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    // Not self-contained after filtering, so it cannot pass a secilc check here.
    secilc_check: false,
    vendor: true,
    installable: false,
}
159
// Public policy of system and system_ext plus the reqd_mask sources; not installed.
se_policy_conf {
    name: "system_ext_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    system_ext_specific: true,
    installable: false,
}
169
// Exported system + system_ext public policy with the reqd_mask rules removed;
// base of system_ext_mapping_file below.
se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    // Not self-contained after filtering, so no secilc check.
    secilc_check: false,
    system_ext_specific: true,
    installable: false,
}
178
// Public policy of system only, plus the reqd_mask sources; not installed.
se_policy_conf {
    name: "plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    installable: false,
}
186
// Exported system public policy with the reqd_mask rules removed; base of
// plat_mapping_file below.
se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    // Not self-contained after filtering, so no secilc check.
    secilc_check: false,
    installable: false,
}
194
195// plat_policy.conf - A combination of the private and public platform policy
196// which will ship with the device.
197//
198// The platform will always reflect the most recent platform version and is not
199// currently being attributized.
// Full platform policy.conf (system public + private); the conf itself is not
// installed, only the CIL built from it below.
se_policy_conf {
    name: "plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    installable: false,
}
207
// The shipped platform policy CIL. Unlike the intermediate CILs above it keeps the
// default secilc check and is installable. Its digest (together with
// plat_mapping_file) is what decides whether precompiled_sepolicy is loaded at boot;
// see the sha256 genrules further down.
se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    // Hand-written CIL from private/technical_debt.cil is appended to the policy.
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    dist: {
        targets: ["sepolicy_finalize"],
    },
}
216
Lokesh Gidra1269a172022-08-01 17:20:38 +0000217
// userdebug_plat_policy.conf - the userdebug version of plat_sepolicy.cil
// Same sources as plat_sepolicy.conf but generated for the userdebug build variant;
// not installed directly.
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "userdebug",
    installable: false,
}
227
// userdebug variant of the platform policy CIL, placed in the debug ramdisk and
// distributed with droidcore. Because it is built for the userdebug variant it must
// not be installed on the regular system partition of user builds.
se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    debug_ramdisk: true,
    dist: {
        targets: ["droidcore"],
    },
}
237
Yi-Yo Chiang857ffc42021-09-23 14:14:16 +0000238// A copy of the userdebug_plat_policy in GSI.
// Defines gsi_se_policy_cil: an se_policy_cil whose `enabled` and `installable`
// properties can be switched by the ANDROID.PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
// board variable.
soong_config_module_type {
    name: "gsi_se_policy_cil",
    module_type: "se_policy_cil",
    config_namespace: "ANDROID",
    bool_variables: [
        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
    ],
    properties: [
        "enabled",
        "installable",
    ],
}
251
// Copy of the userdebug platform policy installed to system_ext (as
// userdebug_plat_sepolicy.cil) only when PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
// is set; otherwise the module is disabled. Enable this only for products that
// intend to ship the userdebug variant of the policy in that partition.
gsi_se_policy_cil {
    name: "system_ext_userdebug_plat_sepolicy.cil",
    stem: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    system_ext_specific: true,
    // Off by default; flipped on below by the board variable.
    enabled: false,
    installable: false,
    soong_config_variables: {
        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
            enabled: true,
            installable: true,
        },
    },
}
267
// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized.
// policy.conf for the system_ext partition: system public + private together with
// system_ext public + private. Not installed; see system_ext_sepolicy.cil.
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    system_ext_specific: true,
    installable: false,
}
280
// Shipped system_ext policy CIL. The rules already present in plat_sepolicy.cil
// are filtered out so the file holds only the system_ext delta; the platform CIL
// is loaded alongside it on the device.
se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    filter_out: [":plat_sepolicy.cil"],
    remove_line_marker: true,
}
288
// product_policy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized.
// policy.conf for the product partition: public + private policy of system,
// system_ext and product. Not installed; see product_sepolicy.cil.
se_policy_conf {
    name: "product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    product_specific: true,
    installable: false,
}
303
// Shipped product policy CIL, reduced to the delta over plat_sepolicy.cil and
// system_ext_sepolicy.cil, which are loaded together with it.
se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
    remove_line_marker: true,
}
311
Inseob Kim039175b2021-03-25 15:37:34 +0900312// policy mapping files
313// auto-generate the mapping file for current platform policy, since it needs to
314// track platform policy development
// Mapping file for the current platform public policy, generated from
// plat_pub_policy.cil. Together with plat_sepolicy.cil it feeds the
// plat_sepolicy_and_mapping.sha256 digest below.
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
    dist: {
        targets: ["sepolicy_finalize"],
    },
}
325
// Mapping file for the system_ext public policy; the entries already provided by
// plat_mapping_file are filtered out so only the system_ext delta is installed.
se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}
335
// Mapping file for the product public policy, built from the full pub_policy.cil
// and reduced to the delta over the system and system_ext mapping files.
se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}
345
Inseob Kime41e95e2024-02-13 02:19:24 +0000346// HACK to support vendor blobs using 1000000.0
347// TODO(b/314010177): remove after new ToT (202404) fully propagates
// Temporary compatibility mapping (see the HACK/TODO above): identical to
// plat_mapping_file except that it is pinned to the literal version "1000000.0"
// and is not part of the sha256 digest below.
se_versioned_policy {
    name: "plat_mapping_file_1000000.0",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "1000000.0",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
}
355
// Temporary "1000000.0" counterpart of system_ext_mapping_file (see the HACK/TODO
// above); remove together with the other *_1000000.0 modules.
se_versioned_policy {
    name: "system_ext_mapping_file_1000000.0",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "1000000.0",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}
365
// Temporary "1000000.0" counterpart of product_mapping_file (see the HACK/TODO
// above); remove together with the other *_1000000.0 modules.
se_versioned_policy {
    name: "product_mapping_file_1000000.0",
    base: ":pub_policy.cil",
    mapping: true,
    version: "1000000.0",
    filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}
375
Inseob Kim6c6aa012023-08-31 16:47:38 +0900376//////////////////////////////////
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900377// vendor/odm sepolicy
Inseob Kim6c6aa012023-08-31 16:47:38 +0900378//////////////////////////////////
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900379
Inseob Kim039175b2021-03-25 15:37:34 +0900380// plat_pub_versioned.cil - the exported platform policy associated with the version
381// that non-platform policy targets.
// Exported platform public policy versioned for the vendor partition. Both base and
// target_policy are pub_policy.cil, i.e. the public policy is versioned against
// itself; the result is filtered out of vendor_sepolicy.cil and odm_sepolicy.cil
// below and is part of precompiled_sepolicy_srcs.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy.cil",
    target_policy: ":pub_policy.cil",
    version: "vendor",
    vendor: true,
}
389
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900390// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
391// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
392// policy and the platform public policy files in order to use checkpolicy.
// policy.conf for the vendor partition: all platform public policy, the reqd_mask
// sources (so checkpolicy accepts it, see above) and the plat_vendor + vendor
// sources. Not installed.
se_policy_conf {
    name: "vendor_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
        ],
    vendor: true,
    installable: false,
}
406
// Unversioned vendor CIL with the reqd_mask rules removed. Intermediate only: the
// secilc validation is deferred to vendor_sepolicy.cil below.
se_policy_cil {
    name: "vendor_sepolicy.cil.raw",
    src: ":vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    vendor: true,
    installable: false,
}
415
// Shipped vendor policy CIL: vendor_sepolicy.cil.raw versioned (attributized)
// against the exported platform public policy. dependent_cils lists the other
// partitions' CILs presumably so the deferred secilc check runs against the full
// policy set; the rules duplicated from plat_pub_versioned.cil are filtered out.
se_versioned_policy {
    name: "vendor_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":vendor_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
    ],
    filter_out: [":plat_pub_versioned.cil"],
    vendor: true,
}
431
// odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
// policy.conf for the odm partition: same inputs as vendor_sepolicy.conf plus the
// odm sources. Not installed.
se_policy_conf {
    name: "odm_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    device_specific: true,
    installable: false,
}
449
// Unversioned odm CIL reduced to the delta over the reqd_mask rules and the
// vendor policy. Intermediate only; secilc validation happens in odm_sepolicy.cil.
se_policy_cil {
    name: "odm_sepolicy.cil.raw",
    src: ":odm_sepolicy.conf",
    filter_out: [
        ":reqd_policy_mask.cil",
        ":vendor_sepolicy.cil",
    ],
    secilc_check: false, // will be done in se_versioned_policy module
    device_specific: true,
    installable: false,
}
461
// Shipped odm policy CIL, versioned against the exported platform public policy in
// the same way as vendor_sepolicy.cil. vendor_sepolicy.cil is both a dependent CIL
// and a filter_out entry, so only the odm-specific delta remains.
se_versioned_policy {
    name: "odm_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":odm_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
        ":vendor_sepolicy.cil",
    ],
    filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
    device_specific: true,
}
478
Inseob Kim039175b2021-03-25 15:37:34 +0900479//////////////////////////////////
480// Precompiled sepolicy is loaded if and only if:
481// - plat_sepolicy_and_mapping.sha256 equals
482// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
483// AND
484// - system_ext_sepolicy_and_mapping.sha256 equals
485// precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
486// AND
487// - product_sepolicy_and_mapping.sha256 equals
488// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
489// See system/core/init/selinux.cpp for details.
490//////////////////////////////////
// SHA-256 of plat_sepolicy.cil and plat_mapping_file concatenated in srcs order.
// init compares the system copy of this digest with the copy shipped next to
// precompiled_sepolicy (see the comment above); any change to the order or the
// contents of srcs changes the digest and therefore disables the precompiled path.
genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
    out: ["plat_sepolicy_and_mapping.sha256"],
    // `cut -d' ' -f1` keeps only the hex digest, dropping the file name column.
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
497
// System-side copy of the platform policy digest, installed under etc/selinux.
prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
504
// SHA-256 of system_ext_sepolicy.cil and system_ext_mapping_file (concatenated in
// srcs order); second of the three digests init checks before loading
// precompiled_sepolicy.
genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
511
// system_ext-side copy of the system_ext policy digest, installed under etc/selinux.
prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}
519
// SHA-256 of product_sepolicy.cil and product_mapping_file (concatenated in srcs
// order); third of the three digests init checks before loading precompiled_sepolicy.
genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [":product_sepolicy.cil", ":product_mapping_file"],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
526
// product-side copy of the product policy digest, installed under etc/selinux.
prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}
534
// Vendor-partition file recording the platform policy version the vendor policy
// was built against (version "vendor", the same value used by the se_versioned_policy
// modules above).
sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}
540
// Defines precompiled_sepolicy_prebuilts_defaults: a prebuilt_defaults whose
// `vendor`/`device_specific` properties are selected by ANDROID.BOARD_USES_ODMIMAGE.
soong_config_module_type {
    name: "precompiled_sepolicy_prebuilts_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: ["vendor", "device_specific"],
}
548
// Shared defaults for the precompiled_sepolicy.*.sha256 prebuilts: install to odm
// when BOARD_USES_ODMIMAGE is set, otherwise to vendor. This must match where
// precompiled_sepolicy itself is installed (same selection below) so init finds the
// digests next to the binary policy.
precompiled_sepolicy_prebuilts_defaults {
    name: "precompiled_sepolicy_prebuilts",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}
560
561//////////////////////////////////
562// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
563// which precompiled_policy was built.
564//////////////////////////////////
// Vendor/odm-side copy of the platform policy digest. It is generated from the same
// genrule as the system copy, so the two agree whenever system and vendor are built
// from the same tree; a mismatch at boot means the precompiled policy is stale.
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
572
573//////////////////////////////////
574// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
575// which precompiled_policy was built.
576//////////////////////////////////
// Vendor/odm-side copy of the system_ext policy digest (same genrule as the
// system_ext copy; see precompiled_sepolicy.plat_sepolicy_and_mapping.sha256).
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
584
585//////////////////////////////////
586// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
587// which precompiled_policy was built.
588//////////////////////////////////
// Vendor/odm-side copy of the product policy digest (same genrule as the product
// copy; see precompiled_sepolicy.plat_sepolicy_and_mapping.sha256).
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
596
// Defines precompiled_se_policy_binary: an se_policy_binary whose
// `vendor`/`device_specific` install location follows ANDROID.BOARD_USES_ODMIMAGE,
// mirroring precompiled_sepolicy_prebuilts_defaults above.
soong_config_module_type {
    name: "precompiled_se_policy_binary",
    module_type: "se_policy_binary",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: ["vendor", "device_specific"],
}
604
// Every CIL and mapping file that goes into precompiled_sepolicy: the three platform
// partition policies, the versioned public policy, vendor and odm policies, and the
// three mapping files. Keep this list in sync with what init loads at boot.
filegroup {
    name: "precompiled_sepolicy_srcs",
    srcs: [
        ":plat_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":vendor_sepolicy.cil",
        ":odm_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
    // Useful when some partitions need to be bind mounted across VM boundaries.
    visibility: ["//visibility:public"],
}
622
// The precompiled binary policy loaded by init when all three digests match (see
// the comment above the sha256 genrules). Installed to odm when BOARD_USES_ODMIMAGE
// is set, else to vendor — the same selection as the digest prebuilts.
precompiled_se_policy_binary {
    name: "precompiled_sepolicy",
    srcs: [
        ":precompiled_sepolicy_srcs",
    ],
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
    // Pulls the neverallow test module into any build that produces this binary,
    // so the combined policy cannot ship without that check being built.
    required: [
        "sepolicy_neverallows",
    ],
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}
643
Inseob Kim5bbcd682021-12-28 14:57:03 +0900644// policy for recovery
// policy.conf for recovery: public + private policy of every partition plus the
// plat_vendor, vendor and odm sources, generated with target_recovery. Not installed
// as a conf; see sepolicy.recovery below.
se_policy_conf {
    name: "recovery_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    target_recovery: true,
    installable: false,
    recovery: true,
}
662
// Intermediate recovery CIL; validated when compiled into sepolicy.recovery.
se_policy_cil {
    name: "recovery_sepolicy.cil",
    src: ":recovery_sepolicy.conf",
    secilc_check: false, // will be done in se_policy_binary module
    installable: false,
    recovery: true,
}
670
// Binary policy for the recovery image, installed under the file name "sepolicy".
se_policy_binary {
    name: "sepolicy.recovery",
    srcs: [":recovery_sepolicy.cil"],
    stem: "sepolicy",
    recovery: true,
}
677
Inseob Kima49e7242021-03-22 10:26:13 +0900678//////////////////////////////////
679// SELinux policy embedded into CTS.
680// CTS checks neverallow rules of this policy against the policy of the device under test.
681//////////////////////////////////
// Platform policy.conf embedded into CTS (user build variant, cts: true). CTS uses
// its neverallow rules as the reference to check the device under test against, so
// it is deliberately built from the unextended system public + private sources only.
se_policy_conf {
    name: "general_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    cts: true,
    exclude_build_test: true,
    dist: {
        targets: ["sepolicy_finalize"],
    },
}
Inseob Kimd5816612021-09-15 03:01:05 +0000694
695//////////////////////////////////
// Base system policy for treble sepolicy tests.
// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
// from system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
// See treble_sepolicy_tests_for_release.mk for more details.
701//////////////////////////////////
// Base (unextended) platform policy.conf for the treble sepolicy tests, user build
// variant; not installed.
se_policy_conf {
    name: "base_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    installable: false,
}
710
// Base platform CIL for the treble tests.
// NOTE(review): technical_debt.cil is referenced here by path, whereas
// plat_sepolicy.cil uses ":sepolicy_technical_debt{.plat_private}"; confirm whether
// the direct path is deliberate (base policy must not pick up extra directories)
// before unifying the two.
se_policy_cil {
    name: "base_plat_sepolicy.cil",
    src: ":base_plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    installable: false,
    secilc_check: false, // done by se_policy_binary
}
718
// Binary form of the base platform policy; built (and secilc-checked) for the
// treble tests and distributed, never installed on a device.
se_policy_binary {
    name: "base_plat_sepolicy",
    srcs: [":base_plat_sepolicy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}
727
// Base policy.conf covering system, system_ext and product (public + private) for
// the treble tests, user build variant; not installed.
se_policy_conf {
    name: "base_product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}
741
// Base product CIL for the treble tests; secilc validation is done by the
// base_product_sepolicy binary module below. (technical_debt.cil is referenced by
// path here, as in base_plat_sepolicy.cil.)
se_policy_cil {
    name: "base_product_sepolicy.cil",
    src: ":base_product_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    product_specific: true,
    installable: false,
    secilc_check: false, // done by se_policy_binary
}
750
// Binary form of the base product policy for the treble tests; not installed.
se_policy_binary {
    name: "base_product_sepolicy",
    srcs: [":base_product_sepolicy.cil"],
    product_specific: true,
    installable: false,
}
757
// Base platform public policy plus reqd_mask for the treble tests (user variant);
// the test-side counterpart of plat_pub_policy.conf.
se_policy_conf {
    name: "base_plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
}
766
// Base platform public CIL with the reqd_mask rules removed; distributed for
// mapping-file generation, never installed.
se_policy_cil {
    name: "base_plat_pub_policy.cil",
    src: ":base_plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    // Not self-contained after filtering, so no secilc check.
    secilc_check: false,
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}
777
// Base public policy of system, system_ext and product plus reqd_mask for the
// treble tests (user variant); the test-side counterpart of pub_policy.conf.
se_policy_conf {
    name: "base_product_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}
789
// Base product public CIL with the reqd_mask rules removed; not installed.
se_policy_cil {
    name: "base_product_pub_policy.cil",
    src: ":base_product_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    // Not self-contained after filtering, so no secilc check.
    secilc_check: false,
    installable: false,
    product_specific: true,
}
798
Yi-Yo Chiang2c189652021-11-08 19:30:04 +0800799// bug_map - Bug tracking information for selinux denials loaded by auditd.
// Catalogue of bug_map sources; the partition-specific se_bug_map modules below
// pick their copy via the {.plat_private}, {.system_ext_private}, {.vendor} and
// {.plat_vendor} output tags.
se_build_files {
    name: "bug_map_files",
    srcs: ["bug_map"],
}
804
// System partition bug_map, installed as "bug_map".
se_bug_map {
    name: "plat_bug_map",
    srcs: [":bug_map_files{.plat_private}"],
    stem: "bug_map",
}
810
// system_ext partition bug_map, installed as "bug_map".
se_bug_map {
    name: "system_ext_bug_map",
    srcs: [":bug_map_files{.system_ext_private}"],
    stem: "bug_map",
    system_ext_specific: true,
}
817
// Vendor partition bug_map, combining the vendor and plat_vendor entries. Note the
// installed file name differs from the other partitions (see stem).
se_bug_map {
    name: "vendor_bug_map",
    srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor}"],
    // Legacy file name of the vendor partition bug_map.
    stem: "selinux_denial_metadata",
    vendor: true,
}
825
// Neverallow check over the complete device policy: public + private policy of
// every platform partition plus the plat_vendor, vendor and odm sources. Pulled in
// via `required` by precompiled_sepolicy, so the check is part of every build that
// produces the shipped binary policy.
se_neverallow_test {
    name: "sepolicy_neverallows",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
}
840
Inseob Kim4d90b7e2021-09-27 13:43:01 +0000841//////////////////////////////////
Inseob Kimd5816612021-09-15 03:01:05 +0000842// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
843// Additional directories can be specified via Makefile variables:
844// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
845//////////////////////////////////
// Freeze test module (see the comment above); all configuration comes from the
// se_freeze_test module type and the Makefile variables it reads.
se_freeze_test {
    name: "se_freeze_test",
}
Inseob Kim61257ca2022-02-25 11:26:16 +0900849
850//////////////////////////////////
// sepolicy_test checks various types of violations, which can't be easily done
// by CIL itself. Refer to tests/sepolicy_tests.py for more detail.
853//////////////////////////////////
// Runs sepolicy_tests over the file_contexts of all five partitions together with
// precompiled_sepolicy. The output is only a stamp file: `touch $(out)` runs after
// `&&`, so the genrule fails whenever sepolicy_tests exits non-zero.
genrule {
    name: "sepolicy_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_test"],
    cmd: "$(location sepolicy_tests) " +
        "-f $(location :plat_file_contexts) " +
        "-f $(location :vendor_file_contexts) " +
        "-f $(location :system_ext_file_contexts) " +
        "-f $(location :product_file_contexts) " +
        "-f $(location :odm_file_contexts) " +
        "-p $(location :precompiled_sepolicy) && " +
        "touch $(out)",
}
Inseob Kim3a9d91c2023-09-27 17:39:07 +0900875
876//////////////////////////////////
877// TestDevTypeViolations can't run on old devices (V or before)
878//////////////////////////////////
879
// Defines dev_type_test_genrule: a genrule whose `cmd` is selected by the
// ANDROID.CHECK_DEV_TYPE_VIOLATIONS board variable.
soong_config_module_type {
    name: "dev_type_test_genrule",
    module_type: "genrule",
    config_namespace: "ANDROID",
    bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
    properties: ["cmd"],
}
887
// Same inputs as sepolicy_test, but runs only the TestDevTypeViolations test and
// only when CHECK_DEV_TYPE_VIOLATIONS is set; otherwise the rule merely touches the
// stamp file, i.e. the check is silently skipped (see the comment above for why).
dev_type_test_genrule {
    name: "sepolicy_dev_type_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_dev_type_test"],
    soong_config_variables: {
        CHECK_DEV_TYPE_VIOLATIONS: {
            cmd: "$(location sepolicy_tests) " +
                "-f $(location :plat_file_contexts) " +
                "-f $(location :vendor_file_contexts) " +
                "-f $(location :system_ext_file_contexts) " +
                "-f $(location :product_file_contexts) " +
                "-f $(location :odm_file_contexts) " +
                "-p $(location :precompiled_sepolicy) " +
                "-t TestDevTypeViolations && " +
                "touch $(out)",
            // No-op when the check is disabled; the stamp is still produced.
            conditions_default: {
                cmd: "touch $(out)",
            },
        },
    },
}