Tri Voa5cfd3e2018-03-22 11:35:02 -07001// Copyright (C) 2018 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
Bob Badour601ebb42021-02-03 23:07:40 -080015package {
16 default_applicable_licenses: ["system_sepolicy_license"],
17}
18
19// Added automatically by a large-scale-change that took the approach of
20// 'apply every license found to every target'. While this makes sure we respect
21// every license restriction, it may not be entirely correct.
22//
23// e.g. GPL in an MIT project might only apply to the contrib/ directory.
24//
25// Please consider splitting the single license below into multiple licenses,
26// taking care not to lose any license_kind information, and overriding the
27// default license using the 'licenses: [...]' property on targets as needed.
28//
29// For unused files, consider creating a 'filegroup' with "//visibility:private"
30// to attach the license to, and including a comment whether the files may be
31// used in the current project.
32// http://go/android-license-faq
33license {
34 name: "system_sepolicy_license",
35 visibility: [":__subpackages__"],
36 license_kinds: [
37 "SPDX-license-identifier-Apache-2.0",
38 "legacy_unencumbered",
39 ],
40 license_text: [
41 "NOTICE",
42 ],
43}
44
Jeff Vander Stoepecd288f2019-02-15 12:18:15 -080045cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
46
Tri Vo84e247a2018-03-25 20:03:58 -070047se_filegroup {
Jae Shin1fa96342018-07-11 18:30:44 +090048 name: "28.0.board.compat.map",
49 srcs: [
50 "compat/28.0/28.0.cil",
51 ],
52}
53
Jinguang Donge0125692019-03-05 17:20:54 +080054se_filegroup {
Tri Vo50aa0292019-06-01 17:04:13 -070055 name: "29.0.board.compat.map",
56 srcs: [
57 "compat/29.0/29.0.cil",
58 ],
59}
60
61se_filegroup {
Inseob Kimace36ab2020-05-07 20:19:05 +090062 name: "30.0.board.compat.map",
63 srcs: [
64 "compat/30.0/30.0.cil",
65 ],
66}
67
68se_filegroup {
Inseob Kim4f20ff72021-06-15 21:05:39 +090069 name: "31.0.board.compat.map",
70 srcs: [
71 "compat/31.0/31.0.cil",
72 ],
73}
74
75se_filegroup {
Inseob Kimbee558e2021-11-30 14:58:10 +090076 name: "32.0.board.compat.map",
77 srcs: [
78 "compat/32.0/32.0.cil",
79 ],
80}
81
82se_filegroup {
Yi-Yo Chiang8be93c02021-04-13 02:49:29 +080083 name: "28.0.board.compat.cil",
84 srcs: [
85 "compat/28.0/28.0.compat.cil",
86 ],
87}
88
89se_filegroup {
90 name: "29.0.board.compat.cil",
91 srcs: [
92 "compat/29.0/29.0.compat.cil",
93 ],
94}
95
96se_filegroup {
97 name: "30.0.board.compat.cil",
98 srcs: [
99 "compat/30.0/30.0.compat.cil",
100 ],
101}
102
103se_filegroup {
Inseob Kim4f20ff72021-06-15 21:05:39 +0900104 name: "31.0.board.compat.cil",
105 srcs: [
106 "compat/31.0/31.0.compat.cil",
107 ],
108}
109
110se_filegroup {
Inseob Kimbee558e2021-11-30 14:58:10 +0900111 name: "32.0.board.compat.cil",
112 srcs: [
113 "compat/32.0/32.0.compat.cil",
114 ],
115}
116
117se_filegroup {
Jinguang Donge0125692019-03-05 17:20:54 +0800118 name: "28.0.board.ignore.map",
119 srcs: [
120 "compat/28.0/28.0.ignore.cil",
121 ],
122}
123
Tri Vo50aa0292019-06-01 17:04:13 -0700124se_filegroup {
125 name: "29.0.board.ignore.map",
126 srcs: [
127 "compat/29.0/29.0.ignore.cil",
128 ],
129}
130
Inseob Kimace36ab2020-05-07 20:19:05 +0900131se_filegroup {
132 name: "30.0.board.ignore.map",
133 srcs: [
134 "compat/30.0/30.0.ignore.cil",
135 ],
136}
137
Inseob Kim4f20ff72021-06-15 21:05:39 +0900138se_filegroup {
139 name: "31.0.board.ignore.map",
140 srcs: [
141 "compat/31.0/31.0.ignore.cil",
142 ],
143}
144
Inseob Kimbee558e2021-11-30 14:58:10 +0900145se_filegroup {
146 name: "32.0.board.ignore.map",
147 srcs: [
148 "compat/32.0/32.0.ignore.cil",
149 ],
150}
151
Inseob Kim6d3d5a62021-12-21 20:55:32 +0900152se_build_files {
Inseob Kimb554e592019-04-15 20:10:46 +0900153 name: "file_contexts_files",
154 srcs: ["file_contexts"],
155}
156
Inseob Kim6d3d5a62021-12-21 20:55:32 +0900157se_build_files {
Inseob Kimb554e592019-04-15 20:10:46 +0900158 name: "file_contexts_asan_files",
159 srcs: ["file_contexts_asan"],
160}
161
Inseob Kim6d3d5a62021-12-21 20:55:32 +0900162se_build_files {
Inseob Kimb554e592019-04-15 20:10:46 +0900163 name: "file_contexts_overlayfs_files",
164 srcs: ["file_contexts_overlayfs"],
165}
166
Inseob Kim6d3d5a62021-12-21 20:55:32 +0900167se_build_files {
Inseob Kimb554e592019-04-15 20:10:46 +0900168 name: "hwservice_contexts_files",
169 srcs: ["hwservice_contexts"],
170}
171
Inseob Kim6d3d5a62021-12-21 20:55:32 +0900172se_build_files {
Inseob Kimb554e592019-04-15 20:10:46 +0900173 name: "property_contexts_files",
174 srcs: ["property_contexts"],
175}
176
Inseob Kim6d3d5a62021-12-21 20:55:32 +0900177se_build_files {
Inseob Kimb554e592019-04-15 20:10:46 +0900178 name: "service_contexts_files",
179 srcs: ["service_contexts"],
180}
181
Inseob Kim6d3d5a62021-12-21 20:55:32 +0900182se_build_files {
Janis Danisevskisc40681f2020-07-25 13:02:29 -0700183 name: "keystore2_key_contexts_files",
184 srcs: ["keystore2_key_contexts"],
185}
186
yangbill3e345372020-04-15 13:55:47 +0800187// For vts_treble_sys_prop_test
188filegroup {
189 name: "private_property_contexts",
190 srcs: ["private/property_contexts"],
191 visibility: [
192 "//test/vts-testcase/security/system_property",
193 ],
194}
Inseob Kime35b49b2021-02-18 19:15:41 +0900195
Inseob Kima49e7242021-03-22 10:26:13 +0900196se_build_files {
197 name: "se_build_files",
Inseob Kime35b49b2021-02-18 19:15:41 +0900198 srcs: [
Inseob Kima49e7242021-03-22 10:26:13 +0900199 "security_classes",
200 "initial_sids",
201 "access_vectors",
202 "global_macros",
203 "neverallow_macros",
204 "mls_macros",
205 "mls_decl",
206 "mls",
207 "policy_capabilities",
208 "te_macros",
209 "attributes",
210 "ioctl_defines",
211 "ioctl_macros",
212 "*.te",
213 "roles_decl",
214 "roles",
215 "users",
216 "initial_sid_contexts",
217 "fs_use",
218 "genfs_contexts",
219 "port_contexts",
Inseob Kime35b49b2021-02-18 19:15:41 +0900220 ],
221}
222
Inseob Kim7cb20812021-12-16 16:52:14 +0900223se_build_files {
224 name: "sepolicy_technical_debt",
225 srcs: ["technical_debt.cil"],
226}
227
Inseob Kim0a707fa2021-12-09 23:35:11 +0900228reqd_mask_policy = [":se_build_files{.reqd_mask}"]
229plat_public_policy = [":se_build_files{.plat_public}"]
230plat_private_policy = [":se_build_files{.plat_private}"]
231system_ext_public_policy = [":se_build_files{.system_ext_public}"]
232system_ext_private_policy = [":se_build_files{.system_ext_private}"]
233product_public_policy = [":se_build_files{.product_public}"]
234product_private_policy = [":se_build_files{.product_private}"]
235
Inseob Kima49e7242021-03-22 10:26:13 +0900236// reqd_policy_mask - a policy.conf file which contains only the bare minimum
237// policy necessary to use checkpolicy.
238//
239// This bare-minimum policy needs to be present in all policy.conf files, but
240// should not necessarily be exported as part of the public policy.
241//
242// The rules generated by reqd_policy_mask will allow the compilation of public
243// policy and subsequent removal of CIL policy that should not be exported.
244se_policy_conf {
245 name: "reqd_policy_mask.conf",
Inseob Kim0a707fa2021-12-09 23:35:11 +0900246 srcs: reqd_mask_policy,
Inseob Kime35b49b2021-02-18 19:15:41 +0900247 installable: false,
248}
249
Inseob Kima49e7242021-03-22 10:26:13 +0900250se_policy_cil {
251 name: "reqd_policy_mask.cil",
252 src: ":reqd_policy_mask.conf",
253 secilc_check: false,
254 installable: false,
Inseob Kime35b49b2021-02-18 19:15:41 +0900255}
256
Inseob Kima49e7242021-03-22 10:26:13 +0900257// pub_policy - policy that will be exported to be a part of non-platform
258// policy corresponding to this platform version.
259//
260// This is a limited subset of policy that would not compile in checkpolicy on
261// its own.
262//
263// To get around this limitation, add only the required files from private
264// policy, which will generate CIL policy that will then be filtered out by the
265// reqd_policy_mask.
266//
267// There are three pub_policy.cil files below:
268// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
269// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
270// - plat_pub_policy.cil: exported 'system' policy.
271//
// The files above will in turn be used to generate the following versioned cil files:
273// - product_mapping_file: the versioned, exported 'product' policy in product partition.
274// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
275// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
276// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
277// in vendor partition.
278//
279se_policy_conf {
280 name: "pub_policy.conf",
Inseob Kim0a707fa2021-12-09 23:35:11 +0900281 srcs: plat_public_policy +
282 system_ext_public_policy +
283 product_public_policy +
284 reqd_mask_policy,
Inseob Kima49e7242021-03-22 10:26:13 +0900285 installable: false,
286}
287
288se_policy_cil {
289 name: "pub_policy.cil",
290 src: ":pub_policy.conf",
291 filter_out: [":reqd_policy_mask.cil"],
292 secilc_check: false,
293 installable: false,
294}
295
296se_policy_conf {
297 name: "system_ext_pub_policy.conf",
Inseob Kim0a707fa2021-12-09 23:35:11 +0900298 srcs: plat_public_policy +
299 system_ext_public_policy +
300 reqd_mask_policy,
Inseob Kima49e7242021-03-22 10:26:13 +0900301 installable: false,
302}
303
304se_policy_cil {
305 name: "system_ext_pub_policy.cil",
306 src: ":system_ext_pub_policy.conf",
307 filter_out: [":reqd_policy_mask.cil"],
308 secilc_check: false,
309 installable: false,
310}
311
312se_policy_conf {
313 name: "plat_pub_policy.conf",
Inseob Kim0a707fa2021-12-09 23:35:11 +0900314 srcs: plat_public_policy +
315 reqd_mask_policy,
Inseob Kima49e7242021-03-22 10:26:13 +0900316 installable: false,
317}
318
319se_policy_cil {
320 name: "plat_pub_policy.cil",
321 src: ":plat_pub_policy.conf",
322 filter_out: [":reqd_policy_mask.cil"],
323 secilc_check: false,
324 installable: false,
325}
326
327// plat_policy.conf - A combination of the private and public platform policy
328// which will ship with the device.
329//
330// The platform will always reflect the most recent platform version and is not
331// currently being attributized.
332se_policy_conf {
333 name: "plat_sepolicy.conf",
Inseob Kim0a707fa2021-12-09 23:35:11 +0900334 srcs: plat_public_policy +
335 plat_private_policy,
Inseob Kima49e7242021-03-22 10:26:13 +0900336 installable: false,
337}
338
339se_policy_cil {
340 name: "plat_sepolicy.cil",
341 src: ":plat_sepolicy.conf",
Inseob Kim7cb20812021-12-16 16:52:14 +0900342 additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
Inseob Kima49e7242021-03-22 10:26:13 +0900343}
344
Jeff Vander Stoepf9348b52021-12-14 13:32:12 +0100345
346se_policy_conf {
347 name: "apex_sepolicy-33.conf",
348 srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
349 installable: false,
350}
351
352se_policy_cil {
353 name: "apex_sepolicy-33.cil",
354 src: ":apex_sepolicy-33.conf",
355 filter_out: [":plat_sepolicy.cil"],
356 installable: false,
357 stem: "apex_sepolicy.cil",
358}
359
// userdebug_plat_policy.conf - the userdebug version of plat_sepolicy.cil
361se_policy_conf {
362 name: "userdebug_plat_sepolicy.conf",
Inseob Kim0a707fa2021-12-09 23:35:11 +0900363 srcs: plat_public_policy +
364 plat_private_policy,
Inseob Kim6cc75f42021-04-29 13:53:20 +0000365 build_variant: "userdebug",
366 installable: false,
367}
368
369se_policy_cil {
370 name: "userdebug_plat_sepolicy.cil",
371 src: ":userdebug_plat_sepolicy.conf",
Inseob Kim7cb20812021-12-16 16:52:14 +0900372 additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
Inseob Kim6cc75f42021-04-29 13:53:20 +0000373 debug_ramdisk: true,
Yi-Yo Chiang68478b12021-10-16 03:23:05 +0800374 dist: {
375 targets: ["droidcore"],
376 },
Inseob Kim6cc75f42021-04-29 13:53:20 +0000377}
378
Yi-Yo Chiang857ffc42021-09-23 14:14:16 +0000379// A copy of the userdebug_plat_policy in GSI.
380soong_config_module_type {
381 name: "gsi_se_policy_cil",
382 module_type: "se_policy_cil",
383 config_namespace: "ANDROID",
384 bool_variables: [
385 "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
386 ],
387 properties: [
388 "enabled",
389 "installable",
390 ],
391}
392
393gsi_se_policy_cil {
394 name: "system_ext_userdebug_plat_sepolicy.cil",
395 stem: "userdebug_plat_sepolicy.cil",
396 src: ":userdebug_plat_sepolicy.conf",
Inseob Kim7cb20812021-12-16 16:52:14 +0900397 additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
Yi-Yo Chiang857ffc42021-09-23 14:14:16 +0000398 system_ext_specific: true,
399 enabled: false,
400 installable: false,
401 soong_config_variables: {
402 PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
403 enabled: true,
404 installable: true,
405 },
406 },
407}
408
Inseob Kima49e7242021-03-22 10:26:13 +0900409// system_ext_policy.conf - A combination of the private and public system_ext
410// policy which will ship with the device. System_ext policy is not attributized
411se_policy_conf {
412 name: "system_ext_sepolicy.conf",
Inseob Kim0a707fa2021-12-09 23:35:11 +0900413 srcs: plat_public_policy +
414 plat_private_policy +
415 system_ext_public_policy +
416 system_ext_private_policy,
Inseob Kima49e7242021-03-22 10:26:13 +0900417 installable: false,
418}
419
420se_policy_cil {
421 name: "system_ext_sepolicy.cil",
422 src: ":system_ext_sepolicy.conf",
423 system_ext_specific: true,
424 filter_out: [":plat_sepolicy.cil"],
425 remove_line_marker: true,
426}
427
428// product_policy.conf - A combination of the private and public product policy
429// which will ship with the device. Product policy is not attributized
430se_policy_conf {
431 name: "product_sepolicy.conf",
Inseob Kim0a707fa2021-12-09 23:35:11 +0900432 srcs: plat_public_policy +
433 plat_private_policy +
434 system_ext_public_policy +
435 system_ext_private_policy +
436 product_public_policy +
437 product_private_policy,
Inseob Kima49e7242021-03-22 10:26:13 +0900438 installable: false,
439}
440
441se_policy_cil {
442 name: "product_sepolicy.cil",
443 src: ":product_sepolicy.conf",
444 product_specific: true,
445 filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
446 remove_line_marker: true,
447}
448
Inseob Kim039175b2021-03-25 15:37:34 +0900449// policy mapping files
450// auto-generate the mapping file for current platform policy, since it needs to
451// track platform policy development
452se_versioned_policy {
453 name: "plat_mapping_file",
454 base: ":plat_pub_policy.cil",
455 mapping: true,
456 version: "current",
457 relative_install_path: "mapping", // install to /system/etc/selinux/mapping
458}
459
460se_versioned_policy {
461 name: "system_ext_mapping_file",
462 base: ":system_ext_pub_policy.cil",
463 mapping: true,
464 version: "current",
465 filter_out: [":plat_mapping_file"],
466 relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
467 system_ext_specific: true,
468}
469
470se_versioned_policy {
471 name: "product_mapping_file",
472 base: ":pub_policy.cil",
473 mapping: true,
474 version: "current",
475 filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
476 relative_install_path: "mapping", // install to /product/etc/selinux/mapping
477 product_specific: true,
478}
479
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900480// vendor/odm sepolicy
481//
482// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
483// policy files of platform (system, system_ext, product) can't be mixed with
// policy files of vendor (vendor, odm). If that is the case, platform policies and
// vendor policies are built separately. More specifically,
486//
487// - Platform policy files needed to build vendor policies, such as plat_policy,
488// plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
489// prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
490//
491// - sepolicy_neverallows only checks platform policies, and a new module
492// sepolicy_neverallows_vendor checks vendor policies.
493//
494// - neverallow checks are turned off while compiling precompiled_sepolicy
495// module and sepolicy module.
496//
497// - Vendor policies are not checked on the compat test (compat.mk).
498//
// In such a scenario, we can grab platform policy files from the prebuilts/api
500// directory. But we need more than that: prebuilts of system_ext, product,
501// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
502// variables are introduced to specify such prebuilts.
503//
504// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
505// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
506// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
507// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
508// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
509// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
510//
511// Vendors are responsible for copying policy files from the old version of the
512// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
513// can be used to build vendor policies.
514//
// To support both mixed builds and normal builds, platform policy files are
// indirectly referred to as {.(partition)_(scope)_for_vendor}. They will be equal
// to {.(partition)_(scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
// Otherwise, they will be equal to the Makefile variables above.
519
520plat_public_policies_for_vendor = [
521 ":se_build_files{.plat_public_for_vendor}",
522 ":se_build_files{.system_ext_public_for_vendor}",
523 ":se_build_files{.product_public_for_vendor}",
524 ":se_build_files{.reqd_mask_for_vendor}",
525]
526
527plat_policies_for_vendor = [
528 ":se_build_files{.plat_public_for_vendor}",
529 ":se_build_files{.plat_private_for_vendor}",
530 ":se_build_files{.system_ext_public_for_vendor}",
531 ":se_build_files{.system_ext_private_for_vendor}",
532 ":se_build_files{.product_public_for_vendor}",
533 ":se_build_files{.product_private_for_vendor}",
534]
535
536se_policy_conf {
537 name: "plat_policy_for_vendor.conf",
538 srcs: plat_policies_for_vendor,
539 installable: false,
540}
541
542se_policy_cil {
543 name: "plat_policy_for_vendor.cil",
544 src: ":plat_policy_for_vendor.conf",
545 additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
546 installable: false,
547}
548
549se_policy_conf {
550 name: "reqd_policy_mask_for_vendor.conf",
551 srcs: [":se_build_files{.reqd_mask_for_vendor}"],
552 installable: false,
553}
554
555se_policy_cil {
556 name: "reqd_policy_mask_for_vendor.cil",
557 src: ":reqd_policy_mask_for_vendor.conf",
558 secilc_check: false,
559 installable: false,
560}
561
562se_policy_conf {
563 name: "pub_policy_for_vendor.conf",
564 srcs: plat_public_policies_for_vendor,
565 installable: false,
566}
567
568se_policy_cil {
569 name: "pub_policy_for_vendor.cil",
570 src: ":pub_policy_for_vendor.conf",
571 filter_out: [":reqd_policy_mask_for_vendor.cil"],
572 secilc_check: false,
573 installable: false,
574}
575
576se_versioned_policy {
577 name: "plat_mapping_file_for_vendor",
578 base: ":pub_policy_for_vendor.cil",
579 mapping: true,
580 version: "vendor",
581 installable: false,
582}
583
Inseob Kim039175b2021-03-25 15:37:34 +0900584// plat_pub_versioned.cil - the exported platform policy associated with the version
585// that non-platform policy targets.
586se_versioned_policy {
587 name: "plat_pub_versioned.cil",
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900588 base: ":pub_policy_for_vendor.cil",
589 target_policy: ":pub_policy_for_vendor.cil",
590 version: "vendor",
Inseob Kim039175b2021-03-25 15:37:34 +0900591 vendor: true,
592}
593
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900594// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
595// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
596// policy and the platform public policy files in order to use checkpolicy.
597se_policy_conf {
598 name: "vendor_sepolicy.conf",
599 srcs: plat_public_policies_for_vendor + [
600 ":se_build_files{.plat_vendor_for_vendor}",
601 ":se_build_files{.vendor}",
602 ],
603 installable: false,
604}
605
606se_policy_cil {
607 name: "vendor_sepolicy.cil.raw",
608 src: ":vendor_sepolicy.conf",
609 filter_out: [":reqd_policy_mask_for_vendor.cil"],
610 secilc_check: false, // will be done in se_versioned_policy module
611 installable: false,
612}
613
614se_versioned_policy {
615 name: "vendor_sepolicy.cil",
616 base: ":pub_policy_for_vendor.cil",
617 target_policy: ":vendor_sepolicy.cil.raw",
618 version: "vendor",
619 dependent_cils: [
620 ":plat_policy_for_vendor.cil",
621 ":plat_pub_versioned.cil",
622 ":plat_mapping_file_for_vendor",
623 ],
624 filter_out: [":plat_pub_versioned.cil"],
625 vendor: true,
626}
627
// odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
629// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
630// policy and the platform public policy files in order to use checkpolicy.
631se_policy_conf {
632 name: "odm_sepolicy.conf",
633 srcs: plat_public_policies_for_vendor + [
634 ":se_build_files{.plat_vendor_for_vendor}",
635 ":se_build_files{.vendor}",
636 ":se_build_files{.odm}",
637 ],
638 installable: false,
639}
640
641se_policy_cil {
642 name: "odm_sepolicy.cil.raw",
643 src: ":odm_sepolicy.conf",
644 filter_out: [
645 ":reqd_policy_mask_for_vendor.cil",
646 ":vendor_sepolicy.cil",
647 ],
648 secilc_check: false, // will be done in se_versioned_policy module
649 installable: false,
650}
651
652se_versioned_policy {
653 name: "odm_sepolicy.cil",
654 base: ":pub_policy_for_vendor.cil",
655 target_policy: ":odm_sepolicy.cil.raw",
656 version: "vendor",
657 dependent_cils: [
658 ":plat_policy_for_vendor.cil",
659 ":plat_pub_versioned.cil",
660 ":plat_mapping_file_for_vendor",
661 ":vendor_sepolicy.cil",
662 ],
663 filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
664 device_specific: true,
665}
666
Inseob Kim039175b2021-03-25 15:37:34 +0900667//////////////////////////////////
668// Precompiled sepolicy is loaded if and only if:
669// - plat_sepolicy_and_mapping.sha256 equals
670// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
671// AND
672// - system_ext_sepolicy_and_mapping.sha256 equals
673// precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
674// AND
675// - product_sepolicy_and_mapping.sha256 equals
676// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
Jeff Vander Stoepf9348b52021-12-14 13:32:12 +0100677// AND
678// - apex_sepolicy.sha256 equals
679// precompiled_sepolicy.apex_sepolicy.sha256
Inseob Kim039175b2021-03-25 15:37:34 +0900680// See system/core/init/selinux.cpp for details.
681//////////////////////////////////
682genrule {
683 name: "plat_sepolicy_and_mapping.sha256_gen",
684 srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
685 out: ["plat_sepolicy_and_mapping.sha256"],
686 cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
687}
688
689prebuilt_etc {
690 name: "plat_sepolicy_and_mapping.sha256",
691 filename: "plat_sepolicy_and_mapping.sha256",
692 src: ":plat_sepolicy_and_mapping.sha256_gen",
693 relative_install_path: "selinux",
694}
695
696genrule {
Jeff Vander Stoepf9348b52021-12-14 13:32:12 +0100697 name: "apex_sepolicy.sha256_gen",
698 srcs: [":apex_sepolicy-33.cil"],
699 out: ["apex_sepolicy.sha256"],
700 cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
701}
702
703prebuilt_etc {
704 name: "apex_sepolicy.sha256",
705 filename: "apex_sepolicy.sha256",
706 src: ":apex_sepolicy.sha256_gen",
707 installable: false,
708}
709
710genrule {
Inseob Kim039175b2021-03-25 15:37:34 +0900711 name: "system_ext_sepolicy_and_mapping.sha256_gen",
712 srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
713 out: ["system_ext_sepolicy_and_mapping.sha256"],
714 cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
715}
716
717prebuilt_etc {
718 name: "system_ext_sepolicy_and_mapping.sha256",
719 filename: "system_ext_sepolicy_and_mapping.sha256",
720 src: ":system_ext_sepolicy_and_mapping.sha256_gen",
721 relative_install_path: "selinux",
722 system_ext_specific: true,
723}
724
725genrule {
726 name: "product_sepolicy_and_mapping.sha256_gen",
727 srcs: [":product_sepolicy.cil", ":product_mapping_file"],
728 out: ["product_sepolicy_and_mapping.sha256"],
729 cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
730}
731
732prebuilt_etc {
733 name: "product_sepolicy_and_mapping.sha256",
734 filename: "product_sepolicy_and_mapping.sha256",
735 src: ":product_sepolicy_and_mapping.sha256_gen",
736 relative_install_path: "selinux",
737 product_specific: true,
738}
739
Inseob Kim1c056b12021-04-30 00:11:43 +0900740sepolicy_vers {
741 name: "plat_sepolicy_vers.txt",
742 version: "vendor",
743 vendor: true,
744}
745
Inseob Kim731182a2021-05-06 11:44:37 +0000746soong_config_module_type {
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900747 name: "precompiled_sepolicy_prebuilts_defaults",
Inseob Kim731182a2021-05-06 11:44:37 +0000748 module_type: "prebuilt_defaults",
749 config_namespace: "ANDROID",
750 bool_variables: ["BOARD_USES_ODMIMAGE"],
751 properties: ["vendor", "device_specific"],
752}
753
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900754precompiled_sepolicy_prebuilts_defaults {
755 name: "precompiled_sepolicy_prebuilts",
Inseob Kim731182a2021-05-06 11:44:37 +0000756 soong_config_variables: {
757 BOARD_USES_ODMIMAGE: {
758 device_specific: true,
759 conditions_default: {
760 vendor: true,
761 },
762 },
763 },
764}
765
766//////////////////////////////////
767// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
768// which precompiled_policy was built.
769//////////////////////////////////
770prebuilt_etc {
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900771 defaults: ["precompiled_sepolicy_prebuilts"],
Inseob Kim731182a2021-05-06 11:44:37 +0000772 name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
773 filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
774 src: ":plat_sepolicy_and_mapping.sha256_gen",
775 relative_install_path: "selinux",
776}
777
778//////////////////////////////////
Jeff Vander Stoepf9348b52021-12-14 13:32:12 +0100779// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
780// was built.
781//////////////////////////////////
782prebuilt_etc {
783 defaults: ["precompiled_sepolicy_prebuilts"],
784 name: "precompiled_sepolicy.apex_sepolicy.sha256",
785 filename: "precompiled_sepolicy.apex_sepolicy.sha256",
786 src: ":apex_sepolicy.sha256_gen",
787 relative_install_path: "selinux",
788}
789
790//////////////////////////////////
Inseob Kim731182a2021-05-06 11:44:37 +0000791// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
792// which precompiled_policy was built.
793//////////////////////////////////
794prebuilt_etc {
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900795 defaults: ["precompiled_sepolicy_prebuilts"],
Inseob Kim731182a2021-05-06 11:44:37 +0000796 name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
797 filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
798 src: ":system_ext_sepolicy_and_mapping.sha256_gen",
799 relative_install_path: "selinux",
800}
801
802//////////////////////////////////
803// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
804// which precompiled_policy was built.
805//////////////////////////////////
806prebuilt_etc {
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900807 defaults: ["precompiled_sepolicy_prebuilts"],
Inseob Kim731182a2021-05-06 11:44:37 +0000808 name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
809 filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
810 src: ":product_sepolicy_and_mapping.sha256_gen",
811 relative_install_path: "selinux",
812}
813
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900814soong_config_module_type {
815 name: "precompiled_se_policy_binary",
816 module_type: "se_policy_binary",
817 config_namespace: "ANDROID",
818 bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
819 value_variables: ["MIXED_SEPOLICY_VERSION"],
820 properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
821}
822
823precompiled_se_policy_binary {
824 name: "precompiled_sepolicy",
825 srcs: [
826 ":plat_sepolicy.cil",
Jeff Vander Stoepf9348b52021-12-14 13:32:12 +0100827 ":apex_sepolicy-33.cil",
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900828 ":plat_pub_versioned.cil",
829 ":system_ext_sepolicy.cil",
830 ":product_sepolicy.cil",
831 ":vendor_sepolicy.cil",
832 ":odm_sepolicy.cil",
833 ],
834 soong_config_variables: {
835 BOARD_USES_ODMIMAGE: {
836 device_specific: true,
837 conditions_default: {
838 vendor: true,
839 },
840 },
841 IS_TARGET_MIXED_SEPOLICY: {
842 ignore_neverallow: true,
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900843 },
844 MIXED_SEPOLICY_VERSION: {
845 srcs: [
846 ":plat_%s.cil",
847 ":system_ext_%s.cil",
848 ":product_%s.cil",
849 ],
850 conditions_default: {
851 srcs: [
852 ":plat_mapping_file",
853 ":system_ext_mapping_file",
854 ":product_mapping_file",
855 ],
856 },
857 },
858 },
Inseob Kim0de7fcc2021-12-22 23:06:53 +0900859 required: [
860 "sepolicy_neverallows",
861 "sepolicy_neverallows_vendor",
862 ],
Inseob Kim3ac62fe2021-12-16 19:00:03 +0900863}
Inseob Kim731182a2021-05-06 11:44:37 +0000864
Inseob Kim5bbcd682021-12-28 14:57:03 +0900865// policy for recovery
866se_policy_conf {
867 name: "recovery_sepolicy.conf",
868 srcs: plat_policies_for_vendor + [
869 ":se_build_files{.plat_vendor_for_vendor}",
870 ":se_build_files{.vendor}",
871 ":se_build_files{.odm}",
872 ],
873 target_recovery: true,
874 installable: false,
875}
876
877se_policy_cil {
878 name: "recovery_sepolicy.cil",
879 src: ":recovery_sepolicy.conf",
880 secilc_check: false, // will be done in se_policy_binary module
881 installable: false,
882}
883
884se_policy_binary {
885 name: "sepolicy.recovery",
886 srcs: [":recovery_sepolicy.cil"],
887 stem: "sepolicy",
888 recovery: true,
889}
890
Inseob Kima49e7242021-03-22 10:26:13 +0900891//////////////////////////////////
892// SELinux policy embedded into CTS.
893// CTS checks neverallow rules of this policy against the policy of the device under test.
894//////////////////////////////////
895se_policy_conf {
896 name: "general_sepolicy.conf",
Inseob Kim0a707fa2021-12-09 23:35:11 +0900897 srcs: plat_public_policy +
898 plat_private_policy,
Inseob Kima49e7242021-03-22 10:26:13 +0900899 build_variant: "user",
900 cts: true,
901 exclude_build_test: true,
902}
Inseob Kimd5816612021-09-15 03:01:05 +0000903
904//////////////////////////////////
Inseob Kim4d90b7e2021-09-27 13:43:01 +0000905// Base system policy for treble sepolicy tests.
// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
// from system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify the extended plat_pub_versioned.cil.
909// See treble_sepolicy_tests_for_release.mk for more details.
910//////////////////////////////////
se_policy_conf {
    name: "base_plat_sepolicy.conf",
    // Platform-only (public + private) policy, "user" variant, not installed;
    // consumed by base_plat_sepolicy.cil.
    build_variant: "user",
    installable: false,
    srcs: plat_public_policy + plat_private_policy,
}
918
se_policy_cil {
    name: "base_plat_sepolicy.cil",
    // technical_debt.cil is appended to the compiled policy. secilc is not
    // run here; the base_plat_sepolicy binary module does that.
    additional_cil_files: ["private/technical_debt.cil"],
    secilc_check: false,
    installable: false,
    src: ":base_plat_sepolicy.conf",
}
926
se_policy_binary {
    name: "base_plat_sepolicy",
    // Test-only binary (not installed) built from base_plat_sepolicy.cil.
    installable: false,
    srcs: [":base_plat_sepolicy.cil"],
}
932
se_policy_conf {
    name: "base_system_ext_sepolicy.conf",
    // Platform plus system_ext policy (public + private of each), "user"
    // variant, not installed; consumed by base_system_ext_sepolicy.cil.
    build_variant: "user",
    installable: false,
    srcs: plat_public_policy + plat_private_policy +
        system_ext_public_policy + system_ext_private_policy,
}
942
se_policy_cil {
    name: "base_system_ext_sepolicy.cil",
    // system_ext-specific; technical_debt.cil is appended. secilc is left to
    // the base_system_ext_sepolicy binary module.
    system_ext_specific: true,
    additional_cil_files: ["private/technical_debt.cil"],
    secilc_check: false,
    installable: false,
    src: ":base_system_ext_sepolicy.conf",
}
951
se_policy_binary {
    name: "base_system_ext_sepolicy",
    // Test-only binary (not installed), system_ext-specific.
    system_ext_specific: true,
    installable: false,
    srcs: [":base_system_ext_sepolicy.cil"],
}
958
se_policy_conf {
    name: "base_product_sepolicy.conf",
    // Platform, system_ext and product policy (public + private of each),
    // "user" variant, not installed; consumed by base_product_sepolicy.cil.
    build_variant: "user",
    installable: false,
    srcs: plat_public_policy + plat_private_policy +
        system_ext_public_policy + system_ext_private_policy +
        product_public_policy + product_private_policy,
}
970
se_policy_cil {
    name: "base_product_sepolicy.cil",
    // product-specific; technical_debt.cil is appended. secilc is left to
    // the base_product_sepolicy binary module.
    product_specific: true,
    additional_cil_files: ["private/technical_debt.cil"],
    secilc_check: false,
    installable: false,
    src: ":base_product_sepolicy.conf",
}
979
se_policy_binary {
    name: "base_product_sepolicy",
    // Test-only binary (not installed), product-specific.
    product_specific: true,
    installable: false,
    srcs: [":base_product_sepolicy.cil"],
}
986
se_policy_conf {
    name: "base_plat_pub_policy.conf",
    // Platform public policy with reqd_mask_policy appended so the conf
    // compiles; base_plat_pub_policy.cil filters the mask back out.
    build_variant: "user",
    installable: false,
    srcs: plat_public_policy + reqd_mask_policy,
}
994
se_policy_cil {
    name: "base_plat_pub_policy.cil",
    // Removes the reqd_policy_mask rules again, leaving only the public
    // platform policy. No secilc check: no se_policy_binary consumes this
    // .cil in this file, so it is not validated as a standalone policy here.
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    src: ":base_plat_pub_policy.conf",
}
1002
se_policy_conf {
    name: "base_system_ext_pub_policy.conf",
    // Platform + system_ext public policy with reqd_mask_policy appended;
    // base_system_ext_pub_policy.cil filters the mask back out.
    build_variant: "user",
    installable: false,
    srcs: plat_public_policy + system_ext_public_policy + reqd_mask_policy,
}
1011
se_policy_cil {
    name: "base_system_ext_pub_policy.cil",
    // Removes the reqd_policy_mask rules again. Not secilc-checked: no
    // se_policy_binary in this file consumes it.
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    src: ":base_system_ext_pub_policy.conf",
}
1019
se_policy_conf {
    name: "base_product_pub_policy.conf",
    // Platform + system_ext + product public policy with reqd_mask_policy
    // appended; base_product_pub_policy.cil filters the mask back out.
    build_variant: "user",
    installable: false,
    srcs: plat_public_policy + system_ext_public_policy +
        product_public_policy + reqd_mask_policy,
}
1029
se_policy_cil {
    name: "base_product_pub_policy.cil",
    // Removes the reqd_policy_mask rules again. Not secilc-checked: no
    // se_policy_binary in this file consumes it.
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    src: ":base_product_pub_policy.conf",
}
1037
Yi-Yo Chiang2c189652021-11-08 19:30:04 +08001038// bug_map - Bug tracking information for selinux denials loaded by auditd.
// Single source shared by every se_bug_map module below.
se_filegroup {
    srcs: ["bug_map"],
    name: "bug_map_files",
}
1043
// Platform (system) copy of bug_map.
se_bug_map {
    stem: "bug_map",
    srcs: [":bug_map_files"],
    name: "plat_bug_map",
}
1049
// system_ext copy of bug_map, built from the same filegroup.
se_bug_map {
    system_ext_specific: true,
    stem: "bug_map",
    srcs: [":bug_map_files"],
    name: "system_ext_bug_map",
}
1056
// Vendor copy of bug_map. The installed file keeps the legacy vendor
// partition name "selinux_denial_metadata" rather than "bug_map".
se_bug_map {
    vendor: true,
    stem: "selinux_denial_metadata",
    srcs: [":bug_map_files"],
    name: "vendor_bug_map",
}
1064
// neverallow check over the platform, system_ext and product policy
// (public + private of each). Listed as `required` by the module above,
// together with sepolicy_neverallows_vendor.
se_neverallow_test {
    srcs: plat_public_policy + plat_private_policy +
        system_ext_public_policy + system_ext_private_policy +
        product_public_policy + product_private_policy,
    name: "sepolicy_neverallows",
}
1074
// neverallow check over the vendor-facing policy: the same source set as
// recovery_sepolicy.conf (platform-for-vendor + plat_vendor_for_vendor,
// vendor and odm build files). Source order is kept as-is.
se_neverallow_test {
    srcs: plat_policies_for_vendor + [
        ":se_build_files{.plat_vendor_for_vendor}",
        ":se_build_files{.vendor}",
        ":se_build_files{.odm}",
    ],
    name: "sepolicy_neverallows_vendor",
}
1083
Inseob Kim4d90b7e2021-09-27 13:43:01 +00001084//////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy.
1086// Additional directories can be specified via Makefile variables:
1087// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
1088//////////////////////////////////
// No explicit properties: the directories to compare come from the
// Makefile variables named in the banner above.
se_freeze_test { name: "sepolicy_freeze_test" }
Yuntao Xu42e732c2021-11-18 22:33:02 +00001092
1093//////////////////////////////////
// Makefile rules temporarily imported into Soong
1095// TODO(b/33691272): remove these after migrating seapp to Soong
1096//////////////////////////////////
// Exposes the Make-built plat_seapp_contexts intermediate to Soong.
makefile_goal {
    product_out_path: "obj/ETC/plat_seapp_contexts_intermediates/plat_seapp_contexts",
    name: "plat_seapp_contexts_rule",
}
1101
// Exposes the Make-built plat_seapp_neverallows intermediate to Soong.
makefile_goal {
    product_out_path: "obj/ETC/plat_seapp_neverallows_intermediates/plat_seapp_neverallows",
    name: "plat_seapp_neverallows_rule",
}