Tri Voa5cfd3e2018-03-22 11:35:02 -07001// Copyright (C) 2018 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
// Every module in this directory inherits the license declared below unless it
// overrides 'licenses: [...]' explicitly.
package {
    default_applicable_licenses: ["system_sepolicy_license"],
}
18
19// Added automatically by a large-scale-change that took the approach of
20// 'apply every license found to every target'. While this makes sure we respect
21// every license restriction, it may not be entirely correct.
22//
23// e.g. GPL in an MIT project might only apply to the contrib/ directory.
24//
25// Please consider splitting the single license below into multiple licenses,
26// taking care not to lose any license_kind information, and overriding the
27// default license using the 'licenses: [...]' property on targets as needed.
28//
29// For unused files, consider creating a 'filegroup' with "//visibility:private"
30// to attach the license to, and including a comment whether the files may be
31// used in the current project.
32// http://go/android-license-faq
// License module referenced by the package default above. Visibility is limited
// to subpackages of this directory, so other projects cannot attach it.
license {
    name: "system_sepolicy_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}
44
// Exposes the SELinux policy version to native code as a preprocessor define.
// NOTE(review): nothing in this file ties the literal 30 to the version the
// policy tooling actually emits; keep the two in sync by hand when bumping.
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
46
// For vts_treble_sys_prop_test
//
// Exposes the private property_contexts to exactly one test package. The
// visibility list is the access control for this private source; widen it only
// with a concrete consumer in mind.
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}
Inseob Kime35b49b2021-02-18 19:15:41 +090055
// The policy source files, by name. Consumers do not use this module directly;
// they select a partition/visibility slice with a tag such as
// ":se_build_files{.plat_private}" (see the *_policy variables below).
se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te", // every type-enforcement file in the selected slice
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}
82
// technical_debt.cil holds policy written in raw CIL rather than .te. The
// platform .cil modules below append it through
// ":sepolicy_technical_debt{.plat_private}".
se_build_files {
    name: "sepolicy_technical_debt",
    srcs: ["technical_debt.cil"],
}
87
// Named slices of se_build_files. "public" slices are the part of a partition's
// policy that is exported to the partitions below it (see pub_policy below);
// "private" slices stay within that partition's own policy.
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
plat_public_policy = [":se_build_files{.plat_public}"]
plat_private_policy = [":se_build_files{.plat_private}"]
system_ext_public_policy = [":se_build_files{.system_ext_public}"]
system_ext_private_policy = [":se_build_files{.system_ext_private}"]
product_public_policy = [":se_build_files{.product_public}"]
product_private_policy = [":se_build_files{.product_private}"]
95
// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
// This bare-minimum policy needs to be present in all policy.conf files, but
// should not necessarily be exported as part of the public policy.
//
// The rules generated by reqd_policy_mask will allow the compilation of public
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    srcs: reqd_mask_policy,
    installable: false, // build-time intermediate; never shipped on a device
}
109
// CIL form of the mask. It is only ever subtracted from other .cil outputs via
// filter_out, so it is neither secilc-checked nor installed.
se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    secilc_check: false,
    installable: false,
}
116
// pub_policy - policy that will be exported to be a part of non-platform
// policy corresponding to this platform version.
//
// This is a limited subset of policy that would not compile in checkpolicy on
// its own.
//
// To get around this limitation, add only the required files from private
// policy (reqd_mask_policy), which will generate CIL policy that will then be
// filtered out by the reqd_policy_mask.
//
// There are three pub_policy.cil files below:
// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
// - plat_pub_policy.cil: exported 'system' policy.
//
// Those files will in turn be used to generate the following versioned cil files:
// - product_mapping_file: the versioned, exported 'product' policy in product partition.
// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
//   in vendor partition.
//
se_policy_conf {
    name: "pub_policy.conf",
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    vendor: true, // consumed by the vendor-side versioned policy modules below
    installable: false,
}
148
// Exported public policy (system + system_ext + product) in CIL, with the
// reqd_policy_mask rules removed so only the genuinely public rules remain.
// Not loadable on its own (see the comment above), hence no secilc check.
se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    vendor: true,
    installable: false,
}
157
// Public policy visible to system_ext: platform public + system_ext public,
// plus the reqd mask so checkpolicy accepts the partial policy.
se_policy_conf {
    name: "system_ext_pub_policy.conf",
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    system_ext_specific: true,
    installable: false,
}
166
// CIL of the system_ext public policy with the reqd mask subtracted. Partial
// policy, so not secilc-checked; it feeds system_ext_mapping_file.
se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    system_ext_specific: true,
    installable: false,
}
175
// Platform-only public policy, plus the reqd mask so checkpolicy accepts it.
se_policy_conf {
    name: "plat_pub_policy.conf",
    srcs: plat_public_policy +
        reqd_mask_policy,
    installable: false,
}
182
// CIL of the platform public policy with the reqd mask subtracted. Partial
// policy, so not secilc-checked; it is the base of plat_mapping_file.
se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}
190
// plat_sepolicy.conf - A combination of the private and public platform policy
// which will ship with the device.
//
// The platform will always reflect the most recent platform version and is not
// currently being attributized.
se_policy_conf {
    name: "plat_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy,
    installable: false,
}
202
// Platform policy in CIL (public + private + technical_debt.cil). This is an
// input to precompiled_sepolicy and to the plat_sepolicy_and_mapping digest
// below, so any change here invalidates the precompiled policy by design.
se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
}
208
Lokesh Gidra1269a172022-08-01 17:20:38 +0000209
// apex_sepolicy-33.conf - the full platform policy plus the .te files shipped
// by the com.android.sepolicy APEX at version 33. The platform sources are
// present only so the APEX rules compile; they are subtracted again below.
se_policy_conf {
    name: "apex_sepolicy-33.conf",
    srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
    installable: false,
}
215
// Only the APEX's own delta survives: everything already in plat_sepolicy.cil
// is filtered out. The stem drops the version from the output file name.
// NOTE(review): the "33" is repeated in the .conf above, here, and in the
// decompiled variant below; a version bump must touch all of them.
se_policy_cil {
    name: "apex_sepolicy-33.cil",
    src: ":apex_sepolicy-33.conf",
    filter_out: [":plat_sepolicy.cil"],
    installable: false,
    stem: "apex_sepolicy.cil",
}
223
// Decompiles the precompiled binary that was built WITHOUT the APEX policy.
// Used only as the subtrahend for the decompiled APEX delta below.
se_policy_cil {
    name: "decompiled_sepolicy-without_apex.cil",
    src: ":precompiled_sepolicy-without_apex",
    decompile_binary: true,
}
229
// apex_sepolicy.decompiled.cil - the APEX policy as recovered from the binary:
// decompile precompiled_sepolicy, subtract the decompiled no-APEX binary, and
// re-add the APEX's CIL definitions. secilc_check is off, presumably because
// the result is a delta rather than a standalone policy — confirm before
// relying on it for anything other than comparison.
se_policy_cil {
    name: "apex_sepolicy-33.decompiled.cil",
    src: ":precompiled_sepolicy",
    decompile_binary: true,
    filter_out: [":decompiled_sepolicy-without_apex.cil"],
    additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
    secilc_check: false,
    stem: "apex_sepolicy.decompiled.cil",
}
239
// userdebug_plat_sepolicy.conf - the userdebug variant of plat_sepolicy.conf.
// Same sources as plat_sepolicy.conf; only build_variant differs.
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "userdebug",
    installable: false,
}
248
// userdebug_plat_sepolicy.cil - the userdebug platform policy, placed in the
// debug ramdisk (debug_ramdisk: true) rather than on the system image.
// NOTE(review): this policy is expected to be more permissive than the user
// variant; it should only reach a device through the debug ramdisk path (or
// the explicitly opted-in system_ext copy below), never a user build.
se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    debug_ramdisk: true,
    dist: {
        targets: ["droidcore"],
    },
}
258
// A copy of the userdebug_plat_policy in GSI.
//
// se_policy_cil wrapper whose 'enabled' and 'installable' properties can be
// flipped by the ANDROID.PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT variable.
soong_config_module_type {
    name: "gsi_se_policy_cil",
    module_type: "se_policy_cil",
    config_namespace: "ANDROID",
    bool_variables: [
        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
    ],
    properties: [
        "enabled",
        "installable",
    ],
}
272
// Disabled and not installed unless PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
// is set, in which case the userdebug platform policy is installed to
// system_ext under the stem userdebug_plat_sepolicy.cil.
// NOTE(review): enabling that variable places debug policy on a shipping
// partition; confirm it is never set for user builds of a product.
gsi_se_policy_cil {
    name: "system_ext_userdebug_plat_sepolicy.cil",
    stem: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    system_ext_specific: true,
    enabled: false,
    installable: false,
    soong_config_variables: {
        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
            enabled: true,
            installable: true,
        },
    },
}
288
// system_ext_sepolicy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized.
// The platform sources are included so the combined policy compiles; the
// platform portion is subtracted again in system_ext_sepolicy.cil.
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    system_ext_specific: true,
    installable: false,
}
300
// The system_ext delta: everything already in plat_sepolicy.cil is filtered
// out. Ships on system_ext and is hashed into the system_ext digest below.
se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    filter_out: [":plat_sepolicy.cil"],
    remove_line_marker: true, // strip source line markers from the output CIL
}
308
// product_sepolicy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized.
// Platform and system_ext sources are included so the combined policy compiles;
// they are subtracted again in product_sepolicy.cil.
se_policy_conf {
    name: "product_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    product_specific: true,
    installable: false,
}
322
// The product delta: rules already present in plat_sepolicy.cil or
// system_ext_sepolicy.cil are filtered out. Ships on product and is hashed
// into the product digest below.
se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
    remove_line_marker: true, // strip source line markers from the output CIL
}
330
// policy mapping files
// auto-generate the mapping file for current platform policy, since it needs to
// track platform policy development. version: "current" means the mapping
// follows the in-tree platform public policy rather than a frozen release.
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
}
341
// Mapping for the system_ext public policy. The platform mapping is filtered
// out so only the system_ext-specific part ships on system_ext.
se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}
351
// Mapping for the product public policy. Platform and system_ext mappings are
// filtered out so only the product-specific part ships on product.
se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}
361
Inseob Kim6c6aa012023-08-31 16:47:38 +0900362//////////////////////////////////
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900363// vendor/odm sepolicy
Inseob Kim6c6aa012023-08-31 16:47:38 +0900364//////////////////////////////////
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900365
// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
//
// base and target_policy are both pub_policy.cil, so the output is the exported
// public policy attributized for the "vendor" version. It ships on vendor and is
// filtered out of vendor_sepolicy.cil and odm_sepolicy.cil to avoid duplication.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy.cil",
    target_policy: ":pub_policy.cil",
    version: "vendor",
    vendor: true,
}
375
// vendor_sepolicy.cil - the vendor sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
//
// Only the public slices of system/system_ext/product are visible here: vendor
// policy must not reference private platform types.
se_policy_conf {
    name: "vendor_sepolicy.conf",
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
        ":se_build_files{.plat_vendor}",
        ":se_build_files{.vendor}",
    ],
    vendor: true,
    installable: false,
}
391
// Un-versioned vendor CIL with the reqd mask subtracted. Still contains the
// public platform rules it was compiled against; those are removed in the
// versioned module below, which is also where secilc validates the result.
se_policy_cil {
    name: "vendor_sepolicy.cil.raw",
    src: ":vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    vendor: true,
    installable: false,
}
400
// vendor_sepolicy.cil - the attributized vendor policy that ships on vendor.
// dependent_cils lists the policy files that are loaded together with this one
// so that the (previously skipped) secilc check runs against the full set.
// plat_pub_versioned.cil is filtered out because it already ships separately.
se_versioned_policy {
    name: "vendor_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":vendor_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
    ],
    filter_out: [":plat_pub_versioned.cil"],
    vendor: true,
}
416
// odm_sepolicy.cil - the odm sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
//
// Same inputs as vendor_sepolicy.conf plus the odm slice, so the odm delta can
// be computed against vendor_sepolicy.cil below.
se_policy_conf {
    name: "odm_sepolicy.conf",
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
        ":se_build_files{.plat_vendor}",
        ":se_build_files{.vendor}",
        ":se_build_files{.odm}",
    ],
    device_specific: true,
    installable: false,
}
433
// Un-versioned odm CIL: reqd mask and the rules already in vendor_sepolicy.cil
// are subtracted. Validated by secilc in the versioned module below.
se_policy_cil {
    name: "odm_sepolicy.cil.raw",
    src: ":odm_sepolicy.conf",
    filter_out: [
        ":reqd_policy_mask.cil",
        ":vendor_sepolicy.cil",
    ],
    secilc_check: false, // will be done in se_versioned_policy module
    device_specific: true,
    installable: false,
}
445
// odm_sepolicy.cil - the attributized odm policy that ships on odm
// (device_specific). Checked by secilc together with dependent_cils, which here
// also include vendor_sepolicy.cil; both it and plat_pub_versioned.cil are
// filtered out because they ship on their own.
se_versioned_policy {
    name: "odm_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":odm_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
        ":vendor_sepolicy.cil",
    ],
    filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
    device_specific: true,
}
462
//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
// AND
// - system_ext_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
// AND
// - product_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
// AND
// - apex_sepolicy.sha256 equals
//   precompiled_sepolicy.apex_sepolicy.sha256
// See system/core/init/selinux.cpp for details.
//
// Each digest is SHA-256 over the byte concatenation of its srcs, in the listed
// order ("cat $(in) | sha256sum"), keeping only the hex digest. The two copies
// compared on-device (the *_sepolicy_and_mapping.sha256 on system/system_ext/
// product and the precompiled_sepolicy.* copy on vendor/odm) are both taken
// from the same genrule output, so they only differ when the partitions were
// produced by different builds — that mismatch is what forces init to fall
// back to compiling policy from the CIL sources.
// NOTE(review): this is a consistency check between the precompiled binary
// and the sources it was built from, not an authenticity check; integrity of
// the policy files themselves rests on whatever protects the partitions.
//////////////////////////////////
genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
    out: ["plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
484
// System-side copy of the platform digest, installed to /system/etc/selinux.
prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
491
// SHA-256 of the APEX policy delta (apex_sepolicy-33.cil), same recipe as the
// partition digests above.
genrule {
    name: "apex_sepolicy.sha256_gen",
    srcs: [":apex_sepolicy-33.cil"],
    out: ["apex_sepolicy.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
498
// The APEX-side copy of the APEX policy digest. Not installed by this module
// (installable: false); presumably packaged by the com.android.sepolicy APEX.
prebuilt_etc {
    name: "apex_sepolicy.sha256",
    filename: "apex_sepolicy.sha256",
    src: ":apex_sepolicy.sha256_gen",
    installable: false,
}
505
// SHA-256 over system_ext_sepolicy.cil followed by system_ext_mapping_file.
genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
512
// system_ext-side copy of the system_ext digest, at /system_ext/etc/selinux.
prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}
520
// SHA-256 over product_sepolicy.cil followed by product_mapping_file.
genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [":product_sepolicy.cil", ":product_mapping_file"],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
527
// product-side copy of the product digest, at /product/etc/selinux.
prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}
535
// plat_sepolicy_vers.txt - records the platform policy version that the vendor
// policy on this image was built against. Ships on vendor.
sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}
541
// prebuilt_defaults whose 'vendor'/'device_specific' can be chosen by the
// ANDROID.BOARD_USES_ODMIMAGE board variable.
soong_config_module_type {
    name: "precompiled_sepolicy_prebuilts_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: ["vendor", "device_specific"],
}
549
// Install location for the vendor-side digest copies: odm when the board has an
// odm image, otherwise vendor. This must match where precompiled_sepolicy itself
// is installed (same variable, same choice, below).
precompiled_sepolicy_prebuilts_defaults {
    name: "precompiled_sepolicy_prebuilts",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}
561
//////////////////////////////////
// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
// which precompiled_policy was built. Same genrule output as the system-side
// copy; installed next to precompiled_sepolicy (vendor or odm).
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
573
//////////////////////////////////
// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
// was built. Installed next to precompiled_sepolicy (vendor or odm).
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.apex_sepolicy.sha256",
    filename: "precompiled_sepolicy.apex_sepolicy.sha256",
    src: ":apex_sepolicy.sha256_gen",
    relative_install_path: "selinux",
}
585
//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built. Installed next to precompiled_sepolicy.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
597
//////////////////////////////////
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
// which precompiled_policy was built. Installed next to precompiled_sepolicy.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
609
// se_policy_binary whose install partition (vendor vs odm) follows
// ANDROID.BOARD_USES_ODMIMAGE, like the digest prebuilts above.
soong_config_module_type {
    name: "precompiled_se_policy_binary",
    module_type: "se_policy_binary",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: ["vendor", "device_specific"],
}
617
// precompiled_sepolicy - the binary policy init loads when every digest above
// matches. Built from all partitions' CIL deltas, the APEX delta and the mapping
// files; installed to odm when BOARD_USES_ODMIMAGE, else vendor.
// 'required' pulls sepolicy_neverallows (defined elsewhere) into the build so
// the neverallow checks are built alongside the shipped policy.
precompiled_se_policy_binary {
    name: "precompiled_sepolicy",
    srcs: [
        ":plat_sepolicy.cil",
        ":apex_sepolicy-33.cil",
        ":plat_pub_versioned.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":vendor_sepolicy.cil",
        ":odm_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
    required: [
        "sepolicy_neverallows",
    ],
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}
Inseob Kim731182a2021-05-06 11:44:37 +0000647
// Same as precompiled_sepolicy but without apex_sepolicy-33.cil. It exists to
// be decompiled (decompiled_sepolicy-without_apex.cil) so the APEX delta can be
// recovered from the real binary by subtraction. NOTE(review): keep its srcs in
// lock-step with precompiled_sepolicy, otherwise the recovered delta is wrong.
precompiled_se_policy_binary {
    name: "precompiled_sepolicy-without_apex",
    srcs: [
        ":plat_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":vendor_sepolicy.cil",
        ":odm_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
    required: [
        "sepolicy_neverallows",
    ],
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}
676
// policy for recovery
//
// Recovery runs a single monolithic policy: every partition's public and private
// sources plus the vendor and odm slices, compiled with target_recovery.
se_policy_conf {
    name: "recovery_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
        ":se_build_files{.plat_vendor}",
        ":se_build_files{.vendor}",
        ":se_build_files{.odm}",
    ],
    target_recovery: true,
    installable: false,
    recovery: true,
}
694
// CIL for the recovery policy; secilc validation happens when the binary below
// is produced.
se_policy_cil {
    name: "recovery_sepolicy.cil",
    src: ":recovery_sepolicy.conf",
    secilc_check: false, // will be done in se_policy_binary module
    installable: false,
    recovery: true,
}
702
// The compiled recovery policy, installed into the recovery image as "sepolicy".
se_policy_binary {
    name: "sepolicy.recovery",
    srcs: [":recovery_sepolicy.cil"],
    stem: "sepolicy",
    recovery: true,
}
709
//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
// Built as the "user" variant so the neverallows enforced on devices are the
// ones shipped to users, not the relaxed userdebug set.
//////////////////////////////////
se_policy_conf {
    name: "general_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    cts: true,
    exclude_build_test: true,
}
Inseob Kimd5816612021-09-15 03:01:05 +0000722
//////////////////////////////////
// Base system policy for treble sepolicy tests.
// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
// with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
// See treble_sepolicy_tests_for_release.mk for more details.
//////////////////////////////////
// Test-only, non-installable "user" build of the platform policy.
se_policy_conf {
    name: "base_plat_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    installable: false,
}
737
// Test-only CIL of the platform policy. Note this references technical_debt.cil
// by path, whereas the shipped plat_sepolicy.cil goes through the
// sepolicy_technical_debt module; both resolve to the same private file.
se_policy_cil {
    name: "base_plat_sepolicy.cil",
    src: ":base_plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    installable: false,
    secilc_check: false, // done by se_policy_binary
}
745
// Test-only binary of the platform policy; secilc validates the CIL here.
se_policy_binary {
    name: "base_plat_sepolicy",
    srcs: [":base_plat_sepolicy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}
754
// Test-only "user" build of platform + system_ext policy.
se_policy_conf {
    name: "base_system_ext_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    build_variant: "user",
    installable: false,
    system_ext_specific: true,
}
765
// Test-only CIL of platform + system_ext policy; validated by the binary below.
se_policy_cil {
    name: "base_system_ext_sepolicy.cil",
    src: ":base_system_ext_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    system_ext_specific: true,
    installable: false,
    secilc_check: false, // done by se_policy_binary
}
774
// Test-only binary of platform + system_ext policy.
se_policy_binary {
    name: "base_system_ext_sepolicy",
    srcs: [":base_system_ext_sepolicy.cil"],
    system_ext_specific: true,
    installable: false,
}
781
// Test-only "user" build of platform + system_ext + product policy.
se_policy_conf {
    name: "base_product_sepolicy.conf",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}
794
// Test-only CIL of platform + system_ext + product policy; validated below.
se_policy_cil {
    name: "base_product_sepolicy.cil",
    src: ":base_product_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    product_specific: true,
    installable: false,
    secilc_check: false, // done by se_policy_binary
}
803
// Test-only binary of platform + system_ext + product policy.
se_policy_binary {
    name: "base_product_sepolicy",
    srcs: [":base_product_sepolicy.cil"],
    product_specific: true,
    installable: false,
}
810
// Test-only "user" variant of plat_pub_policy.conf.
se_policy_conf {
    name: "base_plat_pub_policy.conf",
    srcs: plat_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
}
818
// Test-only "user" variant of plat_pub_policy.cil (reqd mask subtracted,
// partial policy so no secilc check). Also distributed for mapping work.
se_policy_cil {
    name: "base_plat_pub_policy.cil",
    src: ":base_plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}
829
// Test-only "user" variant of system_ext_pub_policy.conf.
se_policy_conf {
    name: "base_system_ext_pub_policy.conf",
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
    system_ext_specific: true,
}
839
// CIL form of the platform + system_ext public policy with
// reqd_policy_mask.cil filtered out.
// Not secilc-checked (secilc_check: false) and not installed; unlike
// base_plat_pub_policy.cil it carries no dist entry.
se_policy_cil {
    name: "base_system_ext_pub_policy.cil",
    src: ":base_system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    system_ext_specific: true,
}
848
// Public policy of the platform, system_ext and product partitions plus the
// required-mask policy; the mask is filtered out again in
// base_product_pub_policy.cil. Built as the user variant, not installed.
se_policy_conf {
    name: "base_product_pub_policy.conf",
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}
859
// CIL form of the platform + system_ext + product public policy with
// reqd_policy_mask.cil filtered out.
// Not secilc-checked (secilc_check: false) and not installed.
se_policy_cil {
    name: "base_product_pub_policy.cil",
    src: ":base_product_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    product_specific: true,
}
868
// bug_map - Bug tracking information for selinux denials loaded by auditd.
// The bug_map source is exposed through se_build_files so the per-partition
// se_bug_map modules below can pick the partition-specific slice via tags
// such as {.plat_private}, {.system_ext_private}, {.vendor} and {.plat_vendor}.
se_build_files {
    name: "bug_map_files",
    srcs: ["bug_map"],
}
874
// System-partition bug_map: built from the plat_private slice of
// bug_map_files and installed under the file name "bug_map".
se_bug_map {
    name: "plat_bug_map",
    srcs: [":bug_map_files{.plat_private}"],
    stem: "bug_map",
}
880
// system_ext bug_map: the system_ext_private slice of bug_map_files, installed
// to the system_ext partition under the same "bug_map" file name as the
// platform one.
se_bug_map {
    name: "system_ext_bug_map",
    srcs: [":bug_map_files{.system_ext_private}"],
    stem: "bug_map",
    system_ext_specific: true,
}
887
// Vendor bug_map: merges the vendor and plat_vendor slices of bug_map_files
// and installs them to the vendor partition.
// stem is the legacy name rather than "bug_map"; do not rename it without
// checking what auditd expects to find on the vendor partition.
se_bug_map {
    name: "vendor_bug_map",
    srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor}"],
    // Legacy file name of the vendor partition bug_map.
    stem: "selinux_denial_metadata",
    vendor: true,
}
895
// Build-time enforcement of neverallow rules. The test is run over the policy
// of every partition at once — system, system_ext and product (public and
// private) plus the plat_vendor, vendor and odm build files — so a vendor or
// odm rule that violates a platform neverallow fails the build rather than
// being caught only at device policy compile time.
se_neverallow_test {
    name: "sepolicy_neverallows",
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
}
909
//////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy, so
// that policy changes after a release has been frozen are flagged at build
// time rather than silently diverging from the prebuilt.
// Additional directories can be specified via Makefile variables:
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
// The module takes no properties here; which directories are compared is
// decided by the se_freeze_test module type and those variables.
//////////////////////////////////
se_freeze_test {
    name: "sepolicy_freeze_test",
}
Inseob Kim61257ca2022-02-25 11:26:16 +0900918
//////////////////////////////////
// sepolicy_test checks various types of violations, which can't be easily done
// by CIL itself. Refer to tests/sepolicy_tests.py for more detail.
//
// The genrule passes every partition's file_contexts (-f) together with the
// precompiled policy (-p) to the sepolicy_tests tool. The output file is only
// created by the trailing `touch $(out)`, which runs after `&&`, so a failing
// check leaves no output and fails the build.
//////////////////////////////////
genrule {
    name: "sepolicy_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_test"],
    cmd: "$(location sepolicy_tests) " +
        "-f $(location :plat_file_contexts) " +
        "-f $(location :vendor_file_contexts) " +
        "-f $(location :system_ext_file_contexts) " +
        "-f $(location :product_file_contexts) " +
        "-f $(location :odm_file_contexts) " +
        "-p $(location :precompiled_sepolicy) && " +
        "touch $(out)",
}
943}