Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / a86316e85215de0e8bcd9920035af1a2d1f5a4cc / . / Android.mk
blob: ea967e96a39bac8ab443e39655c89340b124b437 [file] [log] [blame]
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]1LOCAL_PATH:= $(call my-dir)
William Robertsf0e0a942012-08-27 15:41:15 -0700[diff] [blame]2
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]3include $(CLEAR_VARS)
4
5# SELinux policy version.
Stephen Smalleyb4f17062015-03-13 10:03:52 -0400[diff] [blame]6# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]7# Must be within the compatibility range reported by checkpolicy -V.
Jeff Vander Stoep3a0ce492015-12-07 08:30:43 -0800[diff] [blame]8POLICYVERS ?= 30
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]9
10MLS_SENS=1
11MLS_CATS=1024
12
Stephen Smalleyb4f17062015-03-13 10:03:52 -0400[diff] [blame]13ifdef BOARD_SEPOLICY_REPLACE
14$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
15endif
16
17ifdef BOARD_SEPOLICY_IGNORE
18$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
19endif
Stephen Smalley5b340be2012-03-06 11:12:41 -0500[diff] [blame]20
Stephen Smalley8e0ca882015-04-01 10:14:56 -0400[diff] [blame]21ifdef BOARD_SEPOLICY_UNION
22$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
23endif
Robert Craig6b0ff472014-01-29 13:10:58 -0500[diff] [blame]24
William Robertsd2185582015-07-16 11:28:02 -0700[diff] [blame]25ifdef BOARD_SEPOLICY_M4DEFS
26LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
27endif
28
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]29# sepolicy is now divided into multiple portions:
30# public - policy exported on which non-platform policy developers may write
31# additional policy. types and attributes are versioned and included in
32# delivered non-platform policy, which is to be combined with platform policy.
33# private - platform-only policy required for platform functionality but which
34# is not exported to vendor policy developers and as such may not be assumed
35# to exist.
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]36# mapping - This contains policy statements which map the attributes
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]37# exposed in the public policy of previous versions to the concrete types used
38# in this policy to ensure that policy targeting attributes from public
39# policy from an older platform version continues to work.
40
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]41# build process for device:
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]42# 1) convert policies to CIL:
43# - private + public platform policy to CIL
44# - mapping file to CIL (should already be in CIL form)
45# - non-platform public policy to CIL
46# - non-platform public + private policy to CIL
47# 2) attributize policy
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]48# - run script which takes non-platform public and non-platform combined
49# private + public policy and produces attributized and versioned
50# non-platform policy
51# 3) combine policy files
52# - combine mapping, platform and non-platform policy.
53# - compile output binary policy file
54
55PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
56PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]57REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
58
59# TODO: move to README when doing the README update and finalizing versioning.
60# BOARD_SEPOLICY_VERS should contain the platform version identifier
61# corresponding to the platform on which the non-platform policy is to be
62# based. If unspecified, this will build against the current public platform
63# policy in tree.
64# BOARD_SEPOLICY_VERS_DIR should contain the public platform policy which
65# is associated with the given BOARD_SEPOLICY_VERS. The policy therein will be
66# versioned according to the BOARD_SEPOLICY_VERS identifier and included as
67# part of the non-platform policy to ensure removal of access in future
68# platform policy does not break non-platform policy.
69ifndef BOARD_SEPOLICY_VERS
70$(warning BOARD_SEPOLICY_VERS not specified, assuming current platform version)
71BOARD_SEPOLICY_VERS := current
72BOARD_SEPOLICY_VERS_DIR := $(PLAT_PUBLIC_POLICY)
73else
74ifndef BOARD_SEPOLICY_VERS_DIR
75$(error BOARD_SEPOLICY_VERS_DIR not specified for versioned sepolicy.)
76endif
77endif
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]78
79###########################################################
80# Compute policy files to be used in policy build.
81# $(1): files to include
82# $(2): directories in which to find files
83###########################################################
84
85define build_policy
86$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
87endef
William Roberts29d14682016-01-04 12:20:57 -0800[diff] [blame]88
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]89# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
90# $(1): the set of policy name paths to build
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]91build_device_policy = $(call build_policy, $(1), $(BOARD_SEPOLICY_DIRS))
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]92
Richard Hainesc8801fe2015-12-11 10:39:19 +0000[diff] [blame]93# Add a file containing only a newline in-between each policy configuration
94# 'contexts' file. This will allow OEM policy configuration files without a
95# final newline (0x0A) to be built correctly by the m4(1) macro processor.
96# $(1): the set of contexts file names.
97# $(2): the file containing only 0x0A.
98add_nl = $(foreach entry, $(1), $(subst $(entry), $(entry) $(2), $(entry)))
99
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]100sepolicy_build_files := security_classes \
101 initial_sids \
102 access_vectors \
103 global_macros \
Nick Kralevicha17a2662014-11-05 15:30:41 -0800[diff] [blame]104 neverallow_macros \
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]105 mls_macros \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]106 mls_decl \
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]107 mls \
108 policy_capabilities \
109 te_macros \
110 attributes \
Jeff Vander Stoepcbaa2b72015-12-22 10:39:34 -0800[diff] [blame]111 ioctl_defines \
Jeff Vander Stoepde9b5302015-06-05 15:28:55 -0700[diff] [blame]112 ioctl_macros \
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]113 *.te \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]114 roles_decl \
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]115 roles \
116 users \
117 initial_sid_contexts \
118 fs_use \
119 genfs_contexts \
120 port_contexts
121
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]122my_target_arch := $(TARGET_ARCH)
123ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
124 my_target_arch := mips
125endif
126
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]127##################################
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]128# reqd_policy_mask - a policy.conf file which contains only the bare minimum
129# policy necessary to use checkpolicy. This bare-minimum policy needs to be
130# present in all policy.conf files, but should not necessarily be exported as
131# part of the public policy. The rules generated by reqd_policy_mask will allow
132# the compilation of public policy and subsequent removal of CIL policy that
133# should not be exported.
134
135reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
136$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
137$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]138$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]139$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
140$(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
141 @mkdir -p $(dir $@)
142 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
143 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
144 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]145 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]146 -D target_arch=$(PRIVATE_TGT_ARCH) \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]147 -s $^ > $@
148
149reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
150$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
151 @mkdir -p $(dir $@)
152 $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c $(POLICYVERS) -o $@ $<
153
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]154reqd_policy_mask.conf :=
155
156##################################
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]157# plat_pub_policy - policy that will be exported to be a part of non-platform
158# policy corresponding to this platform version. This is a limited subset of
159# policy that would not compile in checkpolicy on its own. To get around this
160# limitation, add only the required files from private policy, which will
161# generate CIL policy that will then be filtered out by the reqd_policy_mask.
162plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
163$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
164$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]165$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]166$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
167$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
168$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
169 @mkdir -p $(dir $@)
170 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
171 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
172 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]173 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]174 -D target_arch=$(PRIVATE_TGT_ARCH) \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]175 -s $^ > $@
176
177plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]178$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
179$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
180$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]181 @mkdir -p $(dir $@)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]182 $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
183 $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]184
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]185plat_pub_policy.conf :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]186
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]187##################################
188include $(CLEAR_VARS)
189
190LOCAL_MODULE := sectxfile_nl
191LOCAL_MODULE_CLASS := ETC
192LOCAL_MODULE_TAGS := optional
193
194# Create a file containing newline only to add between context config files
195include $(BUILD_SYSTEM)/base_rules.mk
196$(LOCAL_BUILT_MODULE):
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]197 @mkdir -p $(dir $@)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]198 $(hide) echo > $@
199
200built_nl := $(LOCAL_BUILT_MODULE)
201
202#################################
203include $(CLEAR_VARS)
204
205LOCAL_MODULE := plat_sepolicy.cil
206LOCAL_MODULE_CLASS := ETC
207LOCAL_MODULE_TAGS := optional
208LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]209
210include $(BUILD_SYSTEM)/base_rules.mk
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]211
212# plat_policy.conf - A combination of the private and public platform policy
213# which will ship with the device. The platform will always reflect the most
214# recent platform version and is not currently being attributized.
215plat_policy.conf := $(intermediates)/plat_policy.conf
216$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
217$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]218$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]219$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
220$(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]221$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
222 @mkdir -p $(dir $@)
223 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
224 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
225 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Jorge Lucangeli Obes84db84e2016-11-18 08:42:35 -0500[diff] [blame]226 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]227 -D target_arch=$(PRIVATE_TGT_ARCH) \
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]228 -s $^ > $@
229 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
230
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]231plat_policy_nvr := $(intermediates)/plat_policy_nvr.cil
232$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]233 @mkdir -p $(dir $@)
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]234 $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]235
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]236$(LOCAL_BUILT_MODULE): $(plat_policy_nvr)
237 @mkdir -p $(dir $@)
238 grep -v neverallow $< > $@
239
240plat_policy.conf :=
241
242#################################
243include $(CLEAR_VARS)
244
245LOCAL_MODULE := mapping_sepolicy.cil
246LOCAL_MODULE_CLASS := ETC
247LOCAL_MODULE_TAGS := optional
248LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]249
250include $(BUILD_SYSTEM)/base_rules.mk
251
252# auto-generate the mapping file for current platform policy, since it needs to
253# track platform policy development
254current_mapping.cil := $(intermediates)/mapping/current.cil
255$(current_mapping.cil) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
256$(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
257 @mkdir -p $(dir $@)
258 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
259
260ifeq ($(BOARD_SEPOLICY_VERS), current)
261mapping_policy_nvr := $(current_mapping.cil)
262else
263mapping_policy_nvr := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
264endif
265
266$(LOCAL_BUILT_MODULE): $(mapping_policy_nvr)
267 grep -v neverallow $< > $@
268
269current_mapping.cil :=
270
271#################################
272include $(CLEAR_VARS)
273
274LOCAL_MODULE := nonplat_sepolicy.cil
275LOCAL_MODULE_CLASS := ETC
276LOCAL_MODULE_TAGS := optional
277LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]278
279include $(BUILD_SYSTEM)/base_rules.mk
280
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]281# nonplat_policy.conf - A combination of the non-platform private and the
282# exported platform policy associated with the version the non-platform policy
283# targets. This needs attributization and to be combined with the
284# platform-provided policy. Like plat_pub_policy.conf, this needs to make use
285# of the reqd_policy_mask files from private policy in order to use checkpolicy.
286nonplat_policy.conf := $(intermediates)/nonplat_policy.conf
287$(nonplat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
288$(nonplat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]289$(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]290$(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
291$(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
292$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(BOARD_SEPOLICY_DIRS))
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]293 @mkdir -p $(dir $@)
William Robertsd2185582015-07-16 11:28:02 -0700[diff] [blame]294 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
295 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
Nick Kralevich623975f2014-01-11 01:31:03 -0800[diff] [blame]296 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Jorge Lucangeli Obes84db84e2016-11-18 08:42:35 -0500[diff] [blame]297 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]298 -D target_arch=$(PRIVATE_TGT_ARCH) \
Nick Kralevich623975f2014-01-11 01:31:03 -0800[diff] [blame]299 -s $^ > $@
Robert Craig65d4f442013-03-27 06:30:25 -0400[diff] [blame]300 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]301
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]302nonplat_policy_raw := $(intermediates)/nonplat_policy_raw.cil
303$(nonplat_policy_raw): PRIVATE_POL_CONF := $(nonplat_policy.conf)
304$(nonplat_policy_raw): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
305$(nonplat_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.conf) \
306$(reqd_policy_mask.cil)
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]307 @mkdir -p $(dir $@)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]308 $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
309 $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]310
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]311nonplat_policy_nvr := $(intermediates)/nonplat_policy_nvr.cil
312$(nonplat_policy_nvr) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
313$(nonplat_policy_nvr) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
314$(nonplat_policy_nvr) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]315$(HOST_OUT_EXECUTABLES)/version_policy
316 @mkdir -p $(dir $@)
317 $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
318
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]319$(LOCAL_BUILT_MODULE): $(nonplat_policy_nvr)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]320 @mkdir -p $(dir $@)
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]321 grep -v neverallow $< > $@
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]322
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]323nonplat_policy.conf :=
324nonplat_policy_raw :=
325
326#################################
327include $(CLEAR_VARS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]328# build this target so that we can still perform neverallow checks
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]329
330LOCAL_MODULE := sepolicy
331LOCAL_MODULE_CLASS := ETC
332LOCAL_MODULE_TAGS := optional
Daniel Cashman65d01342016-12-17 00:53:26 +0000[diff] [blame]333LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]334
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]335include $(BUILD_SYSTEM)/base_rules.mk
336
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]337all_cil_files := \
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]338 $(plat_policy_nvr) \
339 $(mapping_policy_nvr) \
340 $(nonplat_policy_nvr) \
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]341
342$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
343$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
344 @mkdir -p $(dir $@)
345 $(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp
Nick Kralevichbca98ef2016-02-26 20:06:52 -0800[diff] [blame]346 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
347 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
348 echo "==========" 1>&2; \
349 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
350 echo "List of invalid domains:" 1>&2; \
351 cat $@.permissivedomains 1>&2; \
352 exit 1; \
353 fi
354 $(hide) mv $@.tmp $@
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]355
Ying Wangd8b122c2012-10-25 19:01:31 -0700[diff] [blame]356built_sepolicy := $(LOCAL_BUILT_MODULE)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]357all_cil_files :=
Stephen Smalley01a58af2012-10-02 12:46:37 -0400[diff] [blame]358
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]359##################################
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]360plat_pub_policy.recovery.conf := $(intermediates)/plat_pub_policy.recovery.conf
361$(plat_pub_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
362$(plat_pub_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
363$(plat_pub_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
364$(plat_pub_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
365$(plat_pub_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
366$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]367 @mkdir -p $(dir $@)
William Robertsd2185582015-07-16 11:28:02 -0700[diff] [blame]368 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
369 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]370 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Jorge Lucangeli Obes84db84e2016-11-18 08:42:35 -0500[diff] [blame]371 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]372 -D target_arch=$(PRIVATE_TGT_ARCH) \
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]373 -D target_recovery=true \
374 -s $^ > $@
375
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]376plat_pub_policy.recovery.cil := $(intermediates)/plat_pub_policy.recovery.cil
377$(plat_pub_policy.recovery.cil): PRIVATE_POL_CONF := $(plat_pub_policy.recovery.conf)
378$(plat_pub_policy.recovery.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
379$(plat_pub_policy.recovery.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
380$(plat_pub_policy.recovery.conf) $(reqd_policy_mask.cil)
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]381 @mkdir -p $(dir $@)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]382 $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
383 $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
384
385plat_pub_policy.recovery.conf :=
386
387#################################
388include $(CLEAR_VARS)
389
390LOCAL_MODULE := plat_sepolicy.recovery.cil
391LOCAL_MODULE_CLASS := ETC
392LOCAL_MODULE_TAGS := optional
393LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
394
395include $(BUILD_SYSTEM)/base_rules.mk
396
397plat_policy.recovery.conf := $(intermediates)/plat_policy.recovery.conf
398$(plat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
399$(plat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
400$(plat_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
401$(plat_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
402$(plat_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
403$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
404 @mkdir -p $(dir $@)
405 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
406 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
407 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]408 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]409 -D target_arch=$(PRIVATE_TGT_ARCH) \
410 -D target_recovery=true \
411 -s $^ > $@
412 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
413
414plat_policy_nvr.recovery := $(intermediates)/plat_policy_nvr.recovery.cil
415$(plat_policy_nvr.recovery): $(plat_policy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
416 @mkdir -p $(dir $@)
417 $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
418
419$(LOCAL_BUILT_MODULE): $(plat_policy_nvr.recovery)
420 @mkdir -p $(dir $@)
421 grep -v neverallow $< > $@
422
423plat_policy.recovery.conf :=
424
425#################################
426include $(CLEAR_VARS)
427
428LOCAL_MODULE := mapping_sepolicy.recovery.cil
429LOCAL_MODULE_CLASS := ETC
430LOCAL_MODULE_TAGS := optional
431LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
432
433include $(BUILD_SYSTEM)/base_rules.mk
434
435# auto-generate the mapping file for current platform policy, since it needs to
436# track platform policy development
437current_mapping.recovery.cil := $(intermediates)/mapping/current.recovery.cil
438$(current_mapping.recovery.cil) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
439$(current_mapping.recovery.cil) : $(plat_pub_policy.recovery.cil) $(HOST_OUT_EXECUTABLES)/version_policy
440 @mkdir -p $(dir $@)
441 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
442
443ifeq ($(BOARD_SEPOLICY_VERS), current)
444mapping_policy_nvr.recovery := $(current_mapping.recovery.cil)
445else
446mapping_policy_nvr.recovery := $(addsuffix /$(BOARD_SEPOLICY_VERS).recovery.cil, \
447$(PLAT_PRIVATE_POLICY)/mapping)
448endif
449
450$(LOCAL_BUILT_MODULE): $(mapping_policy_nvr.recovery)
451 grep -v neverallow $< > $@
452
453current_mapping.recovery.cil :=
454
455#################################
456include $(CLEAR_VARS)
457
458LOCAL_MODULE := nonplat_sepolicy.recovery.cil
459LOCAL_MODULE_CLASS := ETC
460LOCAL_MODULE_TAGS := optional
461LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
462
463include $(BUILD_SYSTEM)/base_rules.mk
464
465nonplat_policy.recovery.conf := $(intermediates)/nonplat_policy.recovery.conf
466$(nonplat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
467$(nonplat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
468$(nonplat_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
469$(nonplat_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
470$(nonplat_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
471$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(BOARD_SEPOLICY_DIRS))
472 @mkdir -p $(dir $@)
473 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
474 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
475 -D target_build_variant=$(TARGET_BUILD_VARIANT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]476 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]477 -D target_arch=$(PRIVATE_TGT_ARCH) \
478 -D target_recovery=true \
479 -s $^ > $@
480 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
481
482nonplat_policy_raw.recovery := $(intermediates)/nonplat_policy_raw.recovery.cil
483$(nonplat_policy_raw.recovery): PRIVATE_POL_CONF := $(nonplat_policy.recovery.conf)
484$(nonplat_policy_raw.recovery): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
485$(nonplat_policy_raw.recovery): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.recovery.conf) \
486$(reqd_policy_mask.cil)
487 @mkdir -p $(dir $@)
488 $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
489 $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
490
491nonplat_policy_nvr.recovery := $(intermediates)/nonplat_policy_nvr.recovery.cil
492$(nonplat_policy_nvr.recovery) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
493$(nonplat_policy_nvr.recovery) : PRIVATE_TGT_POL := $(nonplat_policy_raw.recovery)
494$(nonplat_policy_nvr.recovery) : $(plat_pub_policy.recovery.cil) $(nonplat_policy_raw.recovery) \
495$(HOST_OUT_EXECUTABLES)/version_policy
496 @mkdir -p $(dir $@)
497 $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
498
499$(LOCAL_BUILT_MODULE): $(nonplat_policy_nvr.recovery)
500 @mkdir -p $(dir $@)
501 grep -v neverallow $< > $@
502
503nonplat_policy.recovery.conf :=
504nonplat_policy_raw.recovery :=
505
506##################################
507include $(CLEAR_VARS)
508
509# keep concrete sepolicy for neverallow checks
510
511LOCAL_MODULE := sepolicy.recovery
512LOCAL_MODULE_CLASS := ETC
513LOCAL_MODULE_TAGS := optional
Daniel Cashman65d01342016-12-17 00:53:26 +0000[diff] [blame]514LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]515
516include $(BUILD_SYSTEM)/base_rules.mk
517
518all_cil_files.recovery := \
519 $(plat_policy_nvr.recovery) \
520 $(mapping_policy_nvr.recovery) \
521 $(nonplat_policy_nvr.recovery) \
522
523$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files.recovery)
524$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files.recovery)
525 @mkdir -p $(dir $@)
526 $(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp
Nick Kralevichbca98ef2016-02-26 20:06:52 -0800[diff] [blame]527 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
528 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
529 echo "==========" 1>&2; \
530 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
531 echo "List of invalid domains:" 1>&2; \
532 cat $@.permissivedomains 1>&2; \
533 exit 1; \
534 fi
535 $(hide) mv $@.tmp $@
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]536
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]537all_cil_files.recovery :=
Stephen Smalleye60723a2014-05-29 16:40:15 -0400[diff] [blame]538
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]539##################################
540include $(CLEAR_VARS)
541
542LOCAL_MODULE := general_sepolicy.conf
543LOCAL_MODULE_CLASS := ETC
544LOCAL_MODULE_TAGS := tests
545
546include $(BUILD_SYSTEM)/base_rules.mk
547
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]548$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
549$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]550$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]551$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
552$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]553 mkdir -p $(dir $@)
554 $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
555 -D target_build_variant=user \
Jorge Lucangeli Obes84db84e2016-11-18 08:42:35 -0500[diff] [blame]556 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]557 -D target_arch=$(PRIVATE_TGT_ARCH) \
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]558 -s $^ > $@
559 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
560
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]561built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE)
dcashman704741a2014-07-25 19:11:52 -0700[diff] [blame]562exp_sepolicy_build_files :=
563
564##################################
Stephen Smalley01a58af2012-10-02 12:46:37 -0400[diff] [blame]565include $(CLEAR_VARS)
566
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]567LOCAL_MODULE := sepolicy.general
568LOCAL_MODULE_CLASS := ETC
569LOCAL_MODULE_TAGS := tests
570
571include $(BUILD_SYSTEM)/base_rules.mk
572
573$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
574$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
575 @mkdir -p $(dir $@)
Nick Kralevich6ef10bd2016-02-29 16:59:33 -0800[diff] [blame]576 $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]577
578built_general_sepolicy := $(LOCAL_BUILT_MODULE)
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]579
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]580##################################
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]581# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
582#
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]583include $(CLEAR_VARS)
584
Richard Hainesc2d01912015-08-06 17:43:52 +0100[diff] [blame]585LOCAL_MODULE := file_contexts.bin
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]586LOCAL_MODULE_CLASS := ETC
587LOCAL_MODULE_TAGS := optional
588LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
589
Stephen Smalley5b340be2012-03-06 11:12:41 -0500[diff] [blame]590include $(BUILD_SYSTEM)/base_rules.mk
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]591
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]592# The file_contexts.bin is built in the following way:
593# 1. Collect all file_contexts files in THIS repository and process them with
594# m4 into a tmp file called file_contexts.local.tmp.
595# 2. Collect all device specific file_contexts files and process them with m4
596# into a tmp file called file_contexts.device.tmp.
597# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
598# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
599# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into
600# file_contexts.concat.tmp.
601# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
602# file_contexts.bin.
603#
604# Note: That a newline file is placed between each file_context file found to
605# ensure a proper build when an fc file is missing an ending newline.
William Roberts29d14682016-01-04 12:20:57 -0800[diff] [blame]606
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]607local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]608ifneq ($(filter address,$(SANITIZE_TARGET)),)
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]609 local_fc_files := $(local_fc_files) $(PLAT_PRIVATE_POLICY)/file_contexts_asan
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]610endif
611local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
612
613file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
614$(file_contexts.local.tmp): $(local_fcfiles_with_nl)
Stephen Smalley5b340be2012-03-06 11:12:41 -0500[diff] [blame]615 @mkdir -p $(dir $@)
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]616 $(hide) m4 -s $^ > $@
617
618device_fc_files := $(call build_device_policy, file_contexts)
619device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl))
620
621file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
622$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
623$(file_contexts.device.tmp): $(device_fcfiles_with_nl)
624 @mkdir -p $(dir $@)
625 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
626
627file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
628$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
629$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
630 @mkdir -p $(dir $@)
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]631 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]632 $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@
633
634file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
635$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
636 @mkdir -p $(dir $@)
637 $(hide) m4 -s $^ > $@
Stephen Smalley5b340be2012-03-06 11:12:41 -0500[diff] [blame]638
William Roberts3746a0a2015-09-25 10:18:44 -0700[diff] [blame]639$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]640$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
Richard Hainesc2d01912015-08-06 17:43:52 +0100[diff] [blame]641 @mkdir -p $(dir $@)
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]642 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
Richard Hainesc2d01912015-08-06 17:43:52 +0100[diff] [blame]643 $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
644
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]645built_fc := $(LOCAL_BUILT_MODULE)
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]646local_fc_files :=
647local_fcfiles_with_nl :=
648device_fc_files :=
649device_fcfiles_with_nl :=
650file_contexts.concat.tmp :=
651file_contexts.device.sorted.tmp :=
652file_contexts.device.tmp :=
653file_contexts.local.tmp :=
William Roberts171a0622012-08-16 10:55:05 -0700[diff] [blame]654
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]655##################################
656include $(CLEAR_VARS)
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]657
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]658LOCAL_MODULE := plat_file_contexts
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]659LOCAL_MODULE_CLASS := ETC
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]660LOCAL_MODULE_TAGS := optional
661LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]662
663include $(BUILD_SYSTEM)/base_rules.mk
664
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]665local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
666ifneq ($(filter address,$(SANITIZE_TARGET)),)
667 local_fc_files += $(PLAT_PRIVATE_POLICY)/file_contexts_asan
668endif
Alex Klyubine4665d72017-01-19 19:58:34 -0800[diff] [blame]669local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]670
Alex Klyubine4665d72017-01-19 19:58:34 -0800[diff] [blame]671$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl)
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]672$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
Alex Klyubine4665d72017-01-19 19:58:34 -0800[diff] [blame]673$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
674$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
675$(local_fcfiles_with_nl) $(built_sepolicy)
Richard Hainesc2d01912015-08-06 17:43:52 +0100[diff] [blame]676 @mkdir -p $(dir $@)
Alex Klyubine4665d72017-01-19 19:58:34 -0800[diff] [blame]677 $(hide) m4 -s $(PRIVATE_FC_FILES) > $@.tmp
678 $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
679 $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
Richard Hainesc2d01912015-08-06 17:43:52 +0100[diff] [blame]680
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]681built_plat_fc := $(LOCAL_BUILT_MODULE)
682local_fc_files :=
Alex Klyubine4665d72017-01-19 19:58:34 -0800[diff] [blame]683local_fcfiles_with_nl :=
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]684
685##################################
686include $(CLEAR_VARS)
687
688LOCAL_MODULE := nonplat_file_contexts
689LOCAL_MODULE_CLASS := ETC
690LOCAL_MODULE_TAGS := optional
691LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
692
693include $(BUILD_SYSTEM)/base_rules.mk
694
695nonplat_fc_files := $(call build_device_policy, file_contexts)
696nonplat_fcfiles_with_nl := $(call add_nl, $(nonplat_fc_files), $(built_nl))
697
698$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(nonplat_fcfiles_with_nl)
699$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
700$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
701$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
Alex Klyubine4665d72017-01-19 19:58:34 -0800[diff] [blame]702$(nonplat_fcfiles_with_nl) $(built_sepolicy)
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]703 @mkdir -p $(dir $@)
704 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
705 $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
706 $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
707
708built_nonplat_fc := $(LOCAL_BUILT_MODULE)
709nonplat_fc_files :=
710nonplat_fcfiles_with_nl :=
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]711
712##################################
713include $(CLEAR_VARS)
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]714LOCAL_MODULE := plat_seapp_contexts
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]715LOCAL_MODULE_CLASS := ETC
716LOCAL_MODULE_TAGS := optional
717LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
718
William Roberts171a0622012-08-16 10:55:05 -0700[diff] [blame]719include $(BUILD_SYSTEM)/base_rules.mk
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]720
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]721plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
William Roberts171a0622012-08-16 10:55:05 -0700[diff] [blame]722
Ying Wangd8b122c2012-10-25 19:01:31 -0700[diff] [blame]723$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]724$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
725$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
William Robertsf0e0a942012-08-27 15:41:15 -0700[diff] [blame]726 @mkdir -p $(dir $@)
William Roberts99fe8df2015-06-30 13:53:51 -0700[diff] [blame]727 $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]728
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]729built_plat_sc := $(LOCAL_BUILT_MODULE)
730plat_sc_files :=
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]731
Ying Wang02fb5f32012-01-17 17:51:09 -0800[diff] [blame]732##################################
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]733include $(CLEAR_VARS)
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]734LOCAL_MODULE := nonplat_seapp_contexts
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]735LOCAL_MODULE_CLASS := ETC
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]736LOCAL_MODULE_TAGS := optional
737LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]738
739include $(BUILD_SYSTEM)/base_rules.mk
740
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]741nonplat_sc_files := $(call build_policy, seapp_contexts, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]742
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]743$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
744$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)
745$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(nonplat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]746 @mkdir -p $(dir $@)
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]747 $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]748
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]749built_nonplat_sc := $(LOCAL_BUILT_MODULE)
750nonplat_sc_files :=
Stephen Smalley37712872015-03-12 15:46:36 -0400[diff] [blame]751
752##################################
753include $(CLEAR_VARS)
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]754LOCAL_MODULE := plat_seapp_neverallows
William Roberts4ee71312015-06-25 11:59:30 -0700[diff] [blame]755LOCAL_MODULE_CLASS := ETC
756LOCAL_MODULE_TAGS := tests
757
758include $(BUILD_SYSTEM)/base_rules.mk
759
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]760$(LOCAL_BUILT_MODULE): $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
William Roberts4ee71312015-06-25 11:59:30 -0700[diff] [blame]761 @mkdir -p $(dir $@)
762 - $(hide) grep -ie '^neverallow' $< > $@
763
William Roberts4ee71312015-06-25 11:59:30 -0700[diff] [blame]764
765##################################
766include $(CLEAR_VARS)
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]767
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]768LOCAL_MODULE := plat_property_contexts
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]769LOCAL_MODULE_CLASS := ETC
770LOCAL_MODULE_TAGS := optional
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]771# TODO: Change module path to TARGET_SYSTEM_OUT after b/27805372
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]772LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
773
774include $(BUILD_SYSTEM)/base_rules.mk
775
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]776plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY))
William Roberts6aabc1c2015-07-30 11:44:26 -0700[diff] [blame]777
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]778plat_property_contexts.tmp := $(intermediates)/plat_property_contexts.tmp
779$(plat_property_contexts.tmp): PRIVATE_PC_FILES := $(plat_pcfiles)
780$(plat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
781$(plat_property_contexts.tmp): $(plat_pcfiles)
William Roberts7f81b332015-09-29 13:52:37 -0700[diff] [blame]782 @mkdir -p $(dir $@)
Colin Cross9eb6c872015-10-01 21:25:09 +0000[diff] [blame]783 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
William Robertsdcffd2b2015-09-29 13:52:37 -0700[diff] [blame]784
785
786$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]787$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
William Robertsdcffd2b2015-09-29 13:52:37 -0700[diff] [blame]788 @mkdir -p $(dir $@)
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]789 $(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< | sort -u -o $@
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]790 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]791
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]792built_plat_pc := $(LOCAL_BUILT_MODULE)
793plat_pcfiles :=
794plat_property_contexts.tmp :=
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]795
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]796##################################
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]797include $(CLEAR_VARS)
798
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]799LOCAL_MODULE := nonplat_property_contexts
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]800LOCAL_MODULE_CLASS := ETC
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]801LOCAL_MODULE_TAGS := optional
802# TODO: Change module path to TARGET_SYSTEM_OUT after b/27805372
803LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]804
Stephen Smalleyc9361732015-03-13 09:36:57 -0400[diff] [blame]805include $(BUILD_SYSTEM)/base_rules.mk
806
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]807nonplat_pcfiles := $(call build_policy, property_contexts, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
Sandeep Patil262edc32016-12-27 16:08:44 -0800[diff] [blame]808
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]809nonplat_property_contexts.tmp := $(intermediates)/nonplat_property_contexts.tmp
810$(nonplat_property_contexts.tmp): PRIVATE_PC_FILES := $(nonplat_pcfiles)
811$(nonplat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
812$(nonplat_property_contexts.tmp): $(nonplat_pcfiles)
William Robertsdcffd2b2015-09-29 13:52:37 -0700[diff] [blame]813 @mkdir -p $(dir $@)
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]814 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
815
816
817$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
818$(LOCAL_BUILT_MODULE): $(nonplat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
819 @mkdir -p $(dir $@)
820 $(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< | sort -u -o $@
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]821 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
William Robertsdcffd2b2015-09-29 13:52:37 -0700[diff] [blame]822
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]823built_nonplat_pc := $(LOCAL_BUILT_MODULE)
824nonplat_pcfiles :=
825nonplat_property_contexts.tmp :=
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]826
827##################################
828include $(CLEAR_VARS)
829
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]830LOCAL_MODULE := plat_service_contexts
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]831LOCAL_MODULE_CLASS := ETC
832LOCAL_MODULE_TAGS := optional
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]833# TODO: Change module path to TARGET_SYSTEM_OUT after b/27805372
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]834LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
835
836include $(BUILD_SYSTEM)/base_rules.mk
837
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]838plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY))
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]839
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]840plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp
841$(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
842$(plat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
843$(plat_service_contexts.tmp): $(plat_svcfiles)
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]844 @mkdir -p $(dir $@)
William Roberts6aabc1c2015-07-30 11:44:26 -0700[diff] [blame]845 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
William Roberts7fc865a2015-09-29 14:17:38 -0700[diff] [blame]846
847$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]848$(LOCAL_BUILT_MODULE): $(plat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
William Roberts7fc865a2015-09-29 14:17:38 -0700[diff] [blame]849 @mkdir -p $(dir $@)
William Robertsc9fce3f2016-04-06 11:53:04 -0700[diff] [blame]850 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]851 $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]852
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]853built_plat_svc := $(LOCAL_BUILT_MODULE)
854plat_svcfiles :=
855plat_service_contexts.tmp :=
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]856
857##################################
rpcraigb19665c2012-07-30 09:33:03 -0400[diff] [blame]858include $(CLEAR_VARS)
859
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]860LOCAL_MODULE := nonplat_service_contexts
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]861LOCAL_MODULE_CLASS := ETC
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]862LOCAL_MODULE_TAGS := optional
863# TODO: Change module path to TARGET_VENDOR_OUT after b/27805372
864LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]865
866include $(BUILD_SYSTEM)/base_rules.mk
867
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]868nonplat_svcfiles := $(call build_policy, service_contexts, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]869
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]870nonplat_service_contexts.tmp := $(intermediates)/nonplat_service_contexts.tmp
871$(nonplat_service_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_svcfiles)
872$(nonplat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
873$(nonplat_service_contexts.tmp): $(nonplat_svcfiles)
874 @mkdir -p $(dir $@)
875 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
876
877$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
878$(LOCAL_BUILT_MODULE): $(nonplat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
William Roberts7fc865a2015-09-29 14:17:38 -0700[diff] [blame]879 @mkdir -p $(dir $@)
William Robertsc9fce3f2016-04-06 11:53:04 -0700[diff] [blame]880 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
dcashman07791552016-12-07 11:27:47 -0800[diff] [blame]881 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
William Roberts7fc865a2015-09-29 14:17:38 -0700[diff] [blame]882
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]883built_nonplat_svc := $(LOCAL_BUILT_MODULE)
884nonplat_svcfiles :=
885nonplat_service_contexts.tmp :=
Stephen Smalley2e0cd5a2015-03-12 17:45:03 -0400[diff] [blame]886
887##################################
888include $(CLEAR_VARS)
889
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]890LOCAL_MODULE := plat_mac_permissions.xml
rpcraigb19665c2012-07-30 09:33:03 -0400[diff] [blame]891LOCAL_MODULE_CLASS := ETC
892LOCAL_MODULE_TAGS := optional
893LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
894
William Roberts2c8a55d2012-11-30 14:59:09 -0800[diff] [blame]895include $(BUILD_SYSTEM)/base_rules.mk
rpcraigb19665c2012-07-30 09:33:03 -0400[diff] [blame]896
Geremy Condracd4104e2013-03-26 18:19:12 +0000[diff] [blame]897# Build keys.conf
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]898plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
899$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
900$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY))
Geremy Condracd4104e2013-03-26 18:19:12 +0000[diff] [blame]901 @mkdir -p $(dir $@)
William Robertsd2185582015-07-16 11:28:02 -0700[diff] [blame]902 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
Geremy Condracd4104e2013-03-26 18:19:12 +0000[diff] [blame]903
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]904all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
rpcraigb19665c2012-07-30 09:33:03 -0400[diff] [blame]905
Shinichiro Hamajief0c14d2016-05-13 16:04:58 +0900[diff] [blame]906# Should be synced with keys.conf.
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]907all_plat_keys := platform media shared testkey
908all_plat_keys := $(all_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
Shinichiro Hamajief0c14d2016-05-13 16:04:58 +0900[diff] [blame]909
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]910$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
911$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
912$(all_plat_mac_perms_files) $(all_plat_keys)
Geremy Condracd4104e2013-03-26 18:19:12 +0000[diff] [blame]913 @mkdir -p $(dir $@)
Nick Kralevichc3c90522013-10-25 12:25:36 -0700[diff] [blame]914 $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
William Roberts6aabc1c2015-07-30 11:44:26 -0700[diff] [blame]915 $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
Geremy Condracd4104e2013-03-26 18:19:12 +0000[diff] [blame]916
William Roberts6aabc1c2015-07-30 11:44:26 -0700[diff] [blame]917all_mac_perms_files :=
dcashman90b3b942016-12-14 13:47:55 -0800[diff] [blame]918all_plat_keys :=
919plat_mac_perms_keys.tmp :=
920
921##################################
922include $(CLEAR_VARS)
923
924LOCAL_MODULE := nonplat_mac_permissions.xml
925LOCAL_MODULE_CLASS := ETC
926LOCAL_MODULE_TAGS := optional
927LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
928
929include $(BUILD_SYSTEM)/base_rules.mk
930
931# Build keys.conf
932nonplat_mac_perms_keys.tmp := $(intermediates)/nonplat_keys.tmp
933$(nonplat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
934$(nonplat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
935 @mkdir -p $(dir $@)
936 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
937
938all_nonplat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
939
940$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_nonplat_mac_perms_files)
941$(LOCAL_BUILT_MODULE): $(nonplat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
942$(all_nonplat_mac_perms_files)
943 @mkdir -p $(dir $@)
944 $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
945
946nonplat_mac_perms_keys.tmp :=
947all_nonplat_mac_perms_files :=
William Roberts6aabc1c2015-07-30 11:44:26 -0700[diff] [blame]948
rpcraigb19665c2012-07-30 09:33:03 -0400[diff] [blame]949##################################
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]950include $(CLEAR_VARS)
951
952LOCAL_MODULE := selinux_version
953LOCAL_MODULE_CLASS := ETC
954LOCAL_MODULE_TAGS := optional
955LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
956
957include $(BUILD_SYSTEM)/base_rules.mk
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]958$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_plat_pc) $(built_nonplat_pc) $(built_plat_fc) \
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]959$(buit_nonplat_fc) $(built_plat_sc) $(built_nonplat_sc) $(built_plat_svc) $(built_nonplat_svc)
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]960 @mkdir -p $(dir $@)
Colin Cross29a463d2015-07-17 13:08:41 -0700[diff] [blame]961 $(hide) echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@
Robert Craig8b7545b2014-03-20 09:35:08 -0400[diff] [blame]962
963##################################
rpcraig47cd3962012-10-17 21:09:52 -0400[diff] [blame]964
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]965add_nl :=
William Roberts49693f12016-01-04 12:20:57 -0800[diff] [blame]966build_device_policy :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]967build_policy :=
dcashmand225b692016-12-12 09:29:04 -0800[diff] [blame]968built_plat_fc :=
969built_nonplat_fc :=
William Robertsb8769932015-06-29 16:31:23 -0700[diff] [blame]970built_general_sepolicy :=
971built_general_sepolicy.conf :=
Richard Hainesc8801fe2015-12-11 10:39:19 +0000[diff] [blame]972built_nl :=
Sandeep Patila86316e2016-12-27 16:08:44 -0800[diff] [blame^]973built_plat_pc :=
974built_nonplat_pc :=
Dan Cashman9c038072016-12-22 07:15:18 -0800[diff] [blame]975built_nonplat_sc :=
976built_plat_sc :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]977built_sepolicy :=
Sandeep Patila058b562016-12-27 15:10:48 -0800[diff] [blame]978built_plat_svc :=
979built_nonplat_svc :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]980mapping_policy_nvr :=
981mapping_policy_nvr.recovery :=
982my_target_arch :=
983nonplat_policy_nvr :=
984nonplat_policy_nvr.recovery :=
985plat_policy_nvr :=
986plat_policy_nvr.recovery :=
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]987plat_pub_policy.cil :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]988plat_pub_policy.recovery.cil :=
dcashman1faa6442016-11-28 07:20:28 -0800[diff] [blame]989reqd_policy_mask.cil :=
Dan Cashman1c040272016-12-15 15:28:44 -0800[diff] [blame]990sepolicy_build_files :=
Alice Chucdfb06f2012-11-01 11:33:04 -0700[diff] [blame]991
992include $(call all-makefiles-under,$(LOCAL_PATH))