Tri Voa5cfd3e2018-03-22 11:35:02 -07001// Copyright (C) 2018 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
// Package-wide default license. A module may override it with its own
// `licenses: [...]` property (see the note on the license module below).
package {
    default_applicable_licenses: ["system_sepolicy_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'filegroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// http://go/android-license-faq
//
// The license module itself is only visible to this package and its
// subpackages; the license text is taken from the NOTICE file next to it.
license {
    name: "system_sepolicy_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

// cc_defaults that pins the SEPOLICY_VERSION preprocessor define for C/C++
// modules that opt in via `defaults: ["selinux_policy_version"]`. Bumping the
// policy version means changing this single value.
cc_defaults {
    name: "selinux_policy_version",
    cflags: ["-DSEPOLICY_VERSION=30"],
}

// For vts_treble_sys_prop_test
//
// Exposes the private property_contexts to exactly one consumer: the VTS
// system_property test package. Keep the visibility list this narrow so the
// private contexts do not become a general build dependency.
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}

// Collects the policy source files. Other modules in this file select a
// per-partition subset with the output-tag syntax, e.g.
// `:se_build_files{.plat_private}` or `:se_build_files{.vendor}`.
//
// The list order appears to follow the section order of a checkpolicy
// policy.conf (classes, initial SIDs, access vectors, macros, MLS, the *.te
// rules, then roles/users and the *_contexts files) -- confirm against the
// se_build_files implementation before reordering anything here.
se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}

// technical_debt.cil, selected per partition with an output tag and appended
// via `additional_cil_files` to plat_sepolicy.cil and its userdebug/GSI
// variants below.
se_build_files {
    name: "sepolicy_technical_debt",
    srcs: ["technical_debt.cil"],
}

// Per-partition source selections, each an output tag of se_build_files.
// The se_policy_conf modules below concatenate these lists with `+` to form a
// policy.conf, so the order in which they are combined presumably matters.
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
plat_public_policy = [":se_build_files{.plat_public}"]
plat_private_policy = [":se_build_files{.plat_private}"]
system_ext_public_policy = [":se_build_files{.system_ext_public}"]
system_ext_private_policy = [":se_build_files{.system_ext_private}"]
product_public_policy = [":se_build_files{.product_public}"]
product_private_policy = [":se_build_files{.product_private}"]

// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
// This bare-minimum policy needs to be present in all policy.conf files, but
// should not necessarily be exported as part of the public policy.
//
// The rules generated by reqd_policy_mask will allow the compilation of public
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: reqd_mask_policy,
    installable: false,
}

// Not installed and never a loadable policy on its own; it is used solely as
// the `filter_out` mask for the pub_policy and vendor/odm CIL modules below,
// which is why the secilc check is skipped here.
se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    secilc_check: false,
    installable: false,
}

// pub_policy - policy that will be exported to be a part of non-platform
// policy corresponding to this platform version.
//
// This is a limited subset of policy that would not compile in checkpolicy on
// its own.
//
// To get around this limitation, add only the required files from private
// policy, which will generate CIL policy that will then be filtered out by the
// reqd_policy_mask.
//
// There are three pub_policy.cil files below:
// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
// - plat_pub_policy.cil: exported 'system' policy.
//
// Those above files will in turn be used to generate the following versioned cil files:
// - product_mapping_file: the versioned, exported 'product' policy in product partition.
// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
//   in vendor partition.
//
// Each .conf/.cil pair follows the same pattern: the conf is the public policy
// of the partitions it covers plus reqd_mask_policy (so checkpolicy accepts
// it), and the cil then strips the mask rules again with
// `filter_out: [":reqd_policy_mask.cil"]` so only public policy is exported.
// None of these modules is installed; secilc_check is skipped because the
// exported subset is not a complete, loadable policy.
se_policy_conf {
    name: "pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    vendor: true,
    installable: false,
}

se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    vendor: true,
    installable: false,
}

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    system_ext_specific: true,
    installable: false,
}

se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    system_ext_specific: true,
    installable: false,
}

se_policy_conf {
    name: "plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    installable: false,
}

se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

// plat_sepolicy.conf - A combination of the private and public platform policy
// which will ship with the device.
//
// The platform will always reflect the most recent platform version and is not
// currently being attributized.
se_policy_conf {
    name: "plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    installable: false,
}

// The shipped platform CIL. Unlike the .conf it carries no `installable:
// false`, so it is presumably installed on the system partition; the
// technical-debt CIL is appended, and the result is also dist'ed for the
// sepolicy_finalize target.
se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

// userdebug_plat_sepolicy.conf - the userdebug version of plat_sepolicy.cil.
// Same sources as plat_sepolicy.conf, built with `build_variant: "userdebug"`.
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "userdebug",
    installable: false,
}

// The userdebug platform CIL goes to the debug ramdisk (`debug_ramdisk: true`)
// rather than the system partition, and is dist'ed with droidcore.
se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    debug_ramdisk: true,
    dist: {
        targets: ["droidcore"],
    },
}

// A copy of the userdebug_plat_policy in GSI.
//
// gsi_se_policy_cil is an se_policy_cil whose `enabled` and `installable`
// properties can be switched by the ANDROID.PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
// soong config variable.
soong_config_module_type {
    name: "gsi_se_policy_cil",
    module_type: "se_policy_cil",
    config_namespace: "ANDROID",
    bool_variables: [
        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
    ],
    properties: [
        "enabled",
        "installable",
    ],
}

// Off by default (`enabled: false`, `installable: false`): the userdebug
// policy is only built and installed into system_ext for products that
// explicitly set PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT. The installed
// file name is the plain userdebug_plat_sepolicy.cil (`stem`).
gsi_se_policy_cil {
    name: "system_ext_userdebug_plat_sepolicy.cil",
    stem: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    system_ext_specific: true,
    enabled: false,
    installable: false,
    soong_config_variables: {
        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
            enabled: true,
            installable: true,
        },
    },
}

// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized.
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    system_ext_specific: true,
    installable: false,
}

// The conf above is compiled together with the full platform policy so that it
// checks; the platform rules are then removed again via
// `filter_out: [":plat_sepolicy.cil"]`, leaving only the system_ext delta in
// the installed CIL.
se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    filter_out: [":plat_sepolicy.cil"],
    remove_line_marker: true,
}

// product_policy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized.
se_policy_conf {
    name: "product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    product_specific: true,
    installable: false,
}

// Same pattern as system_ext_sepolicy.cil: both the platform and the
// system_ext CIL are filtered out, so the installed product CIL holds only the
// product delta.
se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    filter_out: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
    ],
    remove_line_marker: true,
}

// policy mapping files
// auto-generate the mapping file for current platform policy, since it needs to
// track platform policy development
//
// Each mapping file is versioned against "current" and derived from the
// matching pub_policy.cil. The system_ext and product mapping files filter out
// the mapping files of the partitions below them, mirroring the delta pattern
// used for the *_sepolicy.cil modules.
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}

se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [
        ":plat_mapping_file",
        ":system_ext_mapping_file",
    ],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}

// HACK to support vendor blobs using 1000000.0
// TODO(b/314010177): remove after new ToT (202404) fully propagates
//
// These duplicate the three "current" mapping files above with
// `version: "1000000.0"`. NOTE(review): the filter_out lists still reference
// the "current" plat/system_ext mapping files rather than their 1000000.0
// counterparts -- confirm that is intended before this hack is removed.
se_versioned_policy {
    name: "plat_mapping_file_1000000.0",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "1000000.0",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
}

se_versioned_policy {
    name: "system_ext_mapping_file_1000000.0",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "1000000.0",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}

se_versioned_policy {
    name: "product_mapping_file_1000000.0",
    base: ":pub_policy.cil",
    mapping: true,
    version: "1000000.0",
    filter_out: [
        ":plat_mapping_file",
        ":system_ext_mapping_file",
    ],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}

//////////////////////////////////
// vendor/odm sepolicy
//////////////////////////////////

// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
//
// Both `base` and `target_policy` are the full pub_policy.cil (system,
// system_ext and product public policy), versioned as "vendor" and installed
// on the vendor partition.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy.cil",
    target_policy: ":pub_policy.cil",
    version: "vendor",
    vendor: true,
}

// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
    name: "vendor_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
        ],
    vendor: true,
    installable: false,
}

// Intermediate (".raw") CIL: the reqd_policy_mask rules are stripped, but the
// public platform policy is still present and gets removed in the versioned
// module below.
se_policy_cil {
    name: "vendor_sepolicy.cil.raw",
    src: ":vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    vendor: true,
    installable: false,
}

// Final vendor CIL: attributized against pub_policy.cil at version "vendor".
// `dependent_cils` lists the other CIL files the secilc check is run with, so
// the check here covers the combined platform + vendor policy (the raw module
// above skips it). plat_pub_versioned.cil is filtered out of the output since
// it ships as its own file on vendor.
se_versioned_policy {
    name: "vendor_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":vendor_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
    ],
    filter_out: [":plat_pub_versioned.cil"],
    vendor: true,
}

// odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
//
// Same three-stage pipeline as vendor_sepolicy above (conf -> .raw cil ->
// versioned cil), with the vendor policy added as an input and then filtered
// out again, so the odm CIL only carries the odm delta on top of vendor.
se_policy_conf {
    name: "odm_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    device_specific: true,
    installable: false,
}

se_policy_cil {
    name: "odm_sepolicy.cil.raw",
    src: ":odm_sepolicy.conf",
    filter_out: [
        ":reqd_policy_mask.cil",
        ":vendor_sepolicy.cil",
    ],
    secilc_check: false, // will be done in se_versioned_policy module
    device_specific: true,
    installable: false,
}

// The secilc check runs against every other shipped CIL plus vendor's, so an
// odm rule that conflicts with vendor or platform policy fails here at build
// time rather than at boot.
se_versioned_policy {
    name: "odm_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":odm_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
        ":vendor_sepolicy.cil",
    ],
    filter_out: [
        ":plat_pub_versioned.cil",
        ":vendor_sepolicy.cil",
    ],
    device_specific: true,
}

//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
// AND
// - system_ext_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
// AND
// - product_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
// See system/core/init/selinux.cpp for details.
//
// Each genrule hashes the *concatenation* of its srcs in the order listed
// (`cat $(in)`), keeping only the hex digest (`cut -d' ' -f1`). The srcs order
// therefore has to match what init hashes at boot; reordering it silently
// breaks the comparison and falls back to compiling policy on device. This is
// a build-consistency check between the shipped CILs and the precompiled
// binary -- a bare digest, not a signature -- so it does not by itself
// authenticate the policy.
//////////////////////////////////
genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":plat_sepolicy.cil",
        ":plat_mapping_file",
    ],
    out: ["plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

// System-side copy of the platform digest, installed under etc/selinux.
prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":system_ext_sepolicy.cil",
        ":system_ext_mapping_file",
    ],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}

genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":product_sepolicy.cil",
        ":product_mapping_file",
    ],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}

// Records, on the vendor partition, the platform policy version ("vendor")
// the vendor/odm policy above was built against.
sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}

// prebuilt_defaults whose `vendor`/`device_specific` properties are driven by
// the ANDROID.BOARD_USES_ODMIMAGE soong config variable.
soong_config_module_type {
    name: "precompiled_sepolicy_prebuilts_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}

// Shared defaults for the precompiled_sepolicy.* digest prebuilts below: they
// land on odm when BOARD_USES_ODMIMAGE is set, otherwise on vendor
// (`conditions_default`).
precompiled_sepolicy_prebuilts_defaults {
    name: "precompiled_sepolicy_prebuilts",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}

//////////////////////////////////
// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
// which precompiled_policy was built.
//
// The three prebuilts below reuse the *same* genrule outputs as the
// system/system_ext/product-side copies above, but install them on the
// vendor (or odm) partition next to precompiled_sepolicy via the
// precompiled_sepolicy_prebuilts defaults. init compares the two copies at
// boot (see the comment above the genrules).
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

// se_policy_binary variant whose `vendor`/`device_specific` placement is
// selected by ANDROID.BOARD_USES_ODMIMAGE, like the digest prebuilts above.
soong_config_module_type {
    name: "precompiled_se_policy_binary",
    module_type: "se_policy_binary",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}

// The complete set of CIL inputs for the precompiled policy: every partition's
// sepolicy CIL, the versioned public platform policy and the three mapping
// files.
filegroup {
    name: "precompiled_sepolicy_srcs",
    srcs: [
        ":plat_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":vendor_sepolicy.cil",
        ":odm_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
    // Useful when some partitions need to be bind mounted across VM boundaries.
    visibility: ["//visibility:public"],
}

// The precompiled binary policy, installed on odm when BOARD_USES_ODMIMAGE is
// set and on vendor otherwise. `required` pulls in the sepolicy_neverallows
// test module (defined at the end of this file), so the neverallow check is
// part of building the precompiled policy.
precompiled_se_policy_binary {
    name: "precompiled_sepolicy",
    srcs: [
        ":precompiled_sepolicy_srcs",
    ],
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
    required: [
        "sepolicy_neverallows",
    ],
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

// policy for recovery
//
// Recovery gets a single monolithic policy: every partition's public and
// private policy plus the plat_vendor/vendor/odm sources, built with
// `target_recovery: true`. The conf and cil are not installed; only the
// binary `sepolicy` below ships in the recovery image.
se_policy_conf {
    name: "recovery_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    target_recovery: true,
    installable: false,
    recovery: true,
}

se_policy_cil {
    name: "recovery_sepolicy.cil",
    src: ":recovery_sepolicy.conf",
    secilc_check: false, // will be done in se_policy_binary module
    installable: false,
    recovery: true,
}

// Installed as "sepolicy" (`stem`) in recovery.
se_policy_binary {
    name: "sepolicy.recovery",
    srcs: [":recovery_sepolicy.cil"],
    stem: "sepolicy",
    recovery: true,
}

//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
//
// Built from platform policy only, as a "user" variant, with `cts: true`;
// `exclude_build_test: true` keeps it out of the regular build-time policy
// tests. It is also dist'ed for sepolicy_finalize.
//////////////////////////////////
se_policy_conf {
    name: "general_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    cts: true,
    exclude_build_test: true,
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

724//////////////////////////////////
Inseob Kim4d90b7e2021-09-27 13:43:01 +0000725// Base system policy for treble sepolicy tests.
726// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
727// with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
728// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
729// See treble_sepolicy_tests_for_release.mk for more details.
730//////////////////////////////////
731se_policy_conf {
732 name: "base_plat_sepolicy.conf",
Inseob Kim085f22f2023-11-09 11:13:01 +0900733 defaults: ["se_policy_conf_flags_defaults"],
Inseob Kim0a707fa2021-12-09 23:35:11 +0900734 srcs: plat_public_policy +
735 plat_private_policy,
Inseob Kim4d90b7e2021-09-27 13:43:01 +0000736 build_variant: "user",
737 installable: false,
738}
739
740se_policy_cil {
741 name: "base_plat_sepolicy.cil",
742 src: ":base_plat_sepolicy.conf",
743 additional_cil_files: ["private/technical_debt.cil"],
744 installable: false,
745 secilc_check: false, // done by se_policy_binary
746}
747
748se_policy_binary {
749 name: "base_plat_sepolicy",
750 srcs: [":base_plat_sepolicy.cil"],
751 installable: false,
Inseob Kimeec39192022-01-21 11:47:54 +0900752 dist: {
753 targets: ["base-sepolicy-files-for-mapping"],
754 },
Inseob Kim4d90b7e2021-09-27 13:43:01 +0000755}
756
757se_policy_conf {
Inseob Kim4d90b7e2021-09-27 13:43:01 +0000758 name: "base_product_sepolicy.conf",
Inseob Kim085f22f2023-11-09 11:13:01 +0900759 defaults: ["se_policy_conf_flags_defaults"],
Inseob Kim0a707fa2021-12-09 23:35:11 +0900760 srcs: plat_public_policy +
761 plat_private_policy +
762 system_ext_public_policy +
763 system_ext_private_policy +
764 product_public_policy +
765 product_private_policy,
Inseob Kim4d90b7e2021-09-27 13:43:01 +0000766 build_variant: "user",
767 installable: false,
Inseob Kim6c6f53b2023-04-26 11:03:35 +0900768 product_specific: true,
Inseob Kim4d90b7e2021-09-27 13:43:01 +0000769}
770
771se_policy_cil {
772 name: "base_product_sepolicy.cil",
773 src: ":base_product_sepolicy.conf",
774 additional_cil_files: ["private/technical_debt.cil"],
775 product_specific: true,
776 installable: false,
777 secilc_check: false, // done by se_policy_binary
778}
779
780se_policy_binary {
781 name: "base_product_sepolicy",
782 srcs: [":base_product_sepolicy.cil"],
783 product_specific: true,
784 installable: false,
785}
786
787se_policy_conf {
788 name: "base_plat_pub_policy.conf",
Inseob Kim085f22f2023-11-09 11:13:01 +0900789 defaults: ["se_policy_conf_flags_defaults"],
Inseob Kim0a707fa2021-12-09 23:35:11 +0900790 srcs: plat_public_policy +
791 reqd_mask_policy,
Inseob Kim4d90b7e2021-09-27 13:43:01 +0000792 build_variant: "user",
793 installable: false,
794}
795
796se_policy_cil {
797 name: "base_plat_pub_policy.cil",
798 src: ":base_plat_pub_policy.conf",
799 filter_out: [":reqd_policy_mask.cil"],
800 secilc_check: false,
801 installable: false,
Inseob Kimeec39192022-01-21 11:47:54 +0900802 dist: {
803 targets: ["base-sepolicy-files-for-mapping"],
804 },
Inseob Kim4d90b7e2021-09-27 13:43:01 +0000805}
806
// Public policy of the platform, system_ext and product partitions plus the
// required-mask policy, built as the "user" (shipping) variant. Feeds
// base_product_pub_policy.cil below; never installed.
se_policy_conf {
    name: "base_product_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    // Same pattern as base_plat_pub_policy.conf: reqd_mask_policy is added so
    // the public-only policy compiles, and is filtered out of the CIL again.
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}
818
// CIL form of the combined platform/system_ext/product public policy with the
// required-mask rules removed. Build-time artifact only: not installed, not
// compiled into a binary here, so no standalone secilc check.
se_policy_cil {
    name: "base_product_pub_policy.cil",
    src: ":base_product_pub_policy.conf",
    // Remove the mask rules that were only present to make the .conf compile.
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    product_specific: true,
}
827
// bug_map - Bug tracking information for selinux denials, loaded by auditd to
// annotate denial logs. It is consumed by auditd rather than by the policy
// compiler, so an entry here annotates a denial; it does not permit or suppress it.
// Exposes the "bug_map" source files so the per-partition se_bug_map modules
// below can select their own partition's copy via the {.<partition>} tag.
se_build_files {
    name: "bug_map_files",
    srcs: ["bug_map"],
}
833
// bug_map for the system partition, built from the plat_private copy.
se_bug_map {
    name: "plat_bug_map",
    srcs: [":bug_map_files{.plat_private}"],
    stem: "bug_map",
}
839
// bug_map for the system_ext partition, built from the system_ext_private copy.
se_bug_map {
    name: "system_ext_bug_map",
    srcs: [":bug_map_files{.system_ext_private}"],
    stem: "bug_map",
    system_ext_specific: true,
}
846
// bug_map for the vendor partition. Unlike the system/system_ext variants it is
// assembled from two sources (the vendor copy and the plat_vendor copy) and is
// installed under the legacy name so existing consumers keep finding it.
se_bug_map {
    name: "vendor_bug_map",
    srcs: [
        ":bug_map_files{.vendor}",
        ":bug_map_files{.plat_vendor}",
    ],
    // Legacy file name of the vendor partition bug_map.
    stem: "selinux_denial_metadata",
    vendor: true,
}
857
// Build-time neverallow check across the whole policy: the platform,
// system_ext and product sources together with the plat_vendor, vendor and odm
// build files. Including the vendor-side inputs is what makes a vendor/odm rule
// that violates a platform neverallow fail the build instead of slipping
// through; do not drop them from srcs when editing this module.
se_neverallow_test {
    name: "sepolicy_neverallows",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
        ":se_build_files{.plat_vendor}",
        ":se_build_files{.vendor}",
        ":se_build_files{.odm}",
    ],
}
872
Inseob Kim4d90b7e2021-09-27 13:43:01 +0000873//////////////////////////////////
// se_freeze_test compares the platform (plat) sepolicy with the frozen prebuilt sepolicy
875// Additional directories can be specified via Makefile variables:
876// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
877//////////////////////////////////
// Instantiates the freeze check described above. All inputs come from the
// module type's defaults and the SEPOLICY_FREEZE_TEST_EXTRA_* make variables;
// nothing is configured here.
se_freeze_test {
    name: "se_freeze_test",
}
Inseob Kim61257ca2022-02-25 11:26:16 +0900881
882//////////////////////////////////
// sepolicy_test checks for several classes of policy violations that cannot easily
// be expressed in CIL itself. It runs against the compiled precompiled_sepolicy and
// the file_contexts of every partition. Refer to tests/sepolicy_tests.py for details.
885//////////////////////////////////
// Runs sepolicy_tests (tests/sepolicy_tests.py) over the compiled policy and
// every partition's file_contexts. With no -t filter the tool runs its full
// default test set. The only output is an empty marker file, produced only if
// the tool exits 0, so a failing check fails the build.
genrule {
    name: "sepolicy_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_test"],
    // Each -f is one partition's file_contexts; -p is the compiled policy.
    // The "&& touch" makes the marker depend on the tool's exit status.
    cmd: "$(location sepolicy_tests) " +
        "-f $(location :plat_file_contexts) " +
        "-f $(location :vendor_file_contexts) " +
        "-f $(location :system_ext_file_contexts) " +
        "-f $(location :product_file_contexts) " +
        "-f $(location :odm_file_contexts) " +
        "-p $(location :precompiled_sepolicy) && " +
        "touch $(out)",
}
Inseob Kim3a9d91c2023-09-27 17:39:07 +0900907
908//////////////////////////////////
// TestDevTypeViolations can't run on old devices (V or before), so it is gated
// behind the ANDROID_CHECK_DEV_TYPE_VIOLATIONS soong config variable. When that
// variable is unset the genrule below only touches its output and the check is
// silently skipped — a green build does not imply the test ran.
910//////////////////////////////////
911
// A genrule variant whose "cmd" property can be switched on the boolean soong
// config variable ANDROID_CHECK_DEV_TYPE_VIOLATIONS.
soong_config_module_type {
    name: "dev_type_test_genrule",
    module_type: "genrule",
    config_namespace: "ANDROID",
    bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
    properties: ["cmd"],
}
919
// Runs only the TestDevTypeViolations check of sepolicy_tests, and only when
// ANDROID_CHECK_DEV_TYPE_VIOLATIONS is set. Same inputs as sepolicy_test above.
// Caveat: in the default configuration the command is just "touch $(out)", so
// this module succeeds without inspecting the policy at all; treat a passing
// build as evidence of the check only on products that set the variable.
dev_type_test_genrule {
    name: "sepolicy_dev_type_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_dev_type_test"],
    soong_config_variables: {
        CHECK_DEV_TYPE_VIOLATIONS: {
            // Variable set: run the single test; the marker is only created
            // if the tool exits 0.
            cmd: "$(location sepolicy_tests) " +
                "-f $(location :plat_file_contexts) " +
                "-f $(location :vendor_file_contexts) " +
                "-f $(location :system_ext_file_contexts) " +
                "-f $(location :product_file_contexts) " +
                "-f $(location :odm_file_contexts) " +
                "-p $(location :precompiled_sepolicy) " +
                "-t TestDevTypeViolations && " +
                "touch $(out)",
            // Variable unset: no-op success (check skipped, see caveat above).
            conditions_default: {
                cmd: "touch $(out)",
            },
        },
    },
}