Tri Vo | a5cfd3e | 2018-03-22 11:35:02 -0700 | [diff] [blame] | 1 | // Copyright (C) 2018 The Android Open Source Project |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | |
Bob Badour | 601ebb4 | 2021-02-03 23:07:40 -0800 | [diff] [blame] | 15 | package { |
| 16 | default_applicable_licenses: ["system_sepolicy_license"], |
| 17 | } |
| 18 | |
| 19 | // Added automatically by a large-scale-change that took the approach of |
| 20 | // 'apply every license found to every target'. While this makes sure we respect |
| 21 | // every license restriction, it may not be entirely correct. |
| 22 | // |
| 23 | // e.g. GPL in an MIT project might only apply to the contrib/ directory. |
| 24 | // |
| 25 | // Please consider splitting the single license below into multiple licenses, |
| 26 | // taking care not to lose any license_kind information, and overriding the |
| 27 | // default license using the 'licenses: [...]' property on targets as needed. |
| 28 | // |
| 29 | // For unused files, consider creating a 'filegroup' with "//visibility:private" |
| 30 | // to attach the license to, and including a comment whether the files may be |
| 31 | // used in the current project. |
| 32 | // http://go/android-license-faq |
| 33 | license { |
| 34 | name: "system_sepolicy_license", |
| 35 | visibility: [":__subpackages__"], |
| 36 | license_kinds: [ |
| 37 | "SPDX-license-identifier-Apache-2.0", |
| 38 | "legacy_unencumbered", |
| 39 | ], |
| 40 | license_text: [ |
| 41 | "NOTICE", |
| 42 | ], |
| 43 | } |
| 44 | |
Jeff Vander Stoep | ecd288f | 2019-02-15 12:18:15 -0800 | [diff] [blame] | 45 | cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], } |
| 46 | |
Tri Vo | 84e247a | 2018-03-25 20:03:58 -0700 | [diff] [blame] | 47 | se_filegroup { |
Jae Shin | 1fa9634 | 2018-07-11 18:30:44 +0900 | [diff] [blame] | 48 | name: "28.0.board.compat.map", |
| 49 | srcs: [ |
| 50 | "compat/28.0/28.0.cil", |
| 51 | ], |
| 52 | } |
| 53 | |
Jinguang Dong | e012569 | 2019-03-05 17:20:54 +0800 | [diff] [blame] | 54 | se_filegroup { |
Tri Vo | 50aa029 | 2019-06-01 17:04:13 -0700 | [diff] [blame] | 55 | name: "29.0.board.compat.map", |
| 56 | srcs: [ |
| 57 | "compat/29.0/29.0.cil", |
| 58 | ], |
| 59 | } |
| 60 | |
| 61 | se_filegroup { |
Inseob Kim | ace36ab | 2020-05-07 20:19:05 +0900 | [diff] [blame] | 62 | name: "30.0.board.compat.map", |
| 63 | srcs: [ |
| 64 | "compat/30.0/30.0.cil", |
| 65 | ], |
| 66 | } |
| 67 | |
| 68 | se_filegroup { |
Inseob Kim | 4f20ff7 | 2021-06-15 21:05:39 +0900 | [diff] [blame] | 69 | name: "31.0.board.compat.map", |
| 70 | srcs: [ |
| 71 | "compat/31.0/31.0.cil", |
| 72 | ], |
| 73 | } |
| 74 | |
| 75 | se_filegroup { |
Inseob Kim | bee558e | 2021-11-30 14:58:10 +0900 | [diff] [blame] | 76 | name: "32.0.board.compat.map", |
| 77 | srcs: [ |
| 78 | "compat/32.0/32.0.cil", |
| 79 | ], |
| 80 | } |
| 81 | |
| 82 | se_filegroup { |
Yi-Yo Chiang | 8be93c0 | 2021-04-13 02:49:29 +0800 | [diff] [blame] | 83 | name: "28.0.board.compat.cil", |
| 84 | srcs: [ |
| 85 | "compat/28.0/28.0.compat.cil", |
| 86 | ], |
| 87 | } |
| 88 | |
| 89 | se_filegroup { |
| 90 | name: "29.0.board.compat.cil", |
| 91 | srcs: [ |
| 92 | "compat/29.0/29.0.compat.cil", |
| 93 | ], |
| 94 | } |
| 95 | |
| 96 | se_filegroup { |
| 97 | name: "30.0.board.compat.cil", |
| 98 | srcs: [ |
| 99 | "compat/30.0/30.0.compat.cil", |
| 100 | ], |
| 101 | } |
| 102 | |
| 103 | se_filegroup { |
Inseob Kim | 4f20ff7 | 2021-06-15 21:05:39 +0900 | [diff] [blame] | 104 | name: "31.0.board.compat.cil", |
| 105 | srcs: [ |
| 106 | "compat/31.0/31.0.compat.cil", |
| 107 | ], |
| 108 | } |
| 109 | |
| 110 | se_filegroup { |
Inseob Kim | bee558e | 2021-11-30 14:58:10 +0900 | [diff] [blame] | 111 | name: "32.0.board.compat.cil", |
| 112 | srcs: [ |
| 113 | "compat/32.0/32.0.compat.cil", |
| 114 | ], |
| 115 | } |
| 116 | |
| 117 | se_filegroup { |
Jinguang Dong | e012569 | 2019-03-05 17:20:54 +0800 | [diff] [blame] | 118 | name: "28.0.board.ignore.map", |
| 119 | srcs: [ |
| 120 | "compat/28.0/28.0.ignore.cil", |
| 121 | ], |
| 122 | } |
| 123 | |
Tri Vo | 50aa029 | 2019-06-01 17:04:13 -0700 | [diff] [blame] | 124 | se_filegroup { |
| 125 | name: "29.0.board.ignore.map", |
| 126 | srcs: [ |
| 127 | "compat/29.0/29.0.ignore.cil", |
| 128 | ], |
| 129 | } |
| 130 | |
Inseob Kim | ace36ab | 2020-05-07 20:19:05 +0900 | [diff] [blame] | 131 | se_filegroup { |
| 132 | name: "30.0.board.ignore.map", |
| 133 | srcs: [ |
| 134 | "compat/30.0/30.0.ignore.cil", |
| 135 | ], |
| 136 | } |
| 137 | |
Inseob Kim | 4f20ff7 | 2021-06-15 21:05:39 +0900 | [diff] [blame] | 138 | se_filegroup { |
| 139 | name: "31.0.board.ignore.map", |
| 140 | srcs: [ |
| 141 | "compat/31.0/31.0.ignore.cil", |
| 142 | ], |
| 143 | } |
| 144 | |
Inseob Kim | bee558e | 2021-11-30 14:58:10 +0900 | [diff] [blame] | 145 | se_filegroup { |
| 146 | name: "32.0.board.ignore.map", |
| 147 | srcs: [ |
| 148 | "compat/32.0/32.0.ignore.cil", |
| 149 | ], |
| 150 | } |
| 151 | |
Inseob Kim | 6d3d5a6 | 2021-12-21 20:55:32 +0900 | [diff] [blame] | 152 | se_build_files { |
Inseob Kim | b554e59 | 2019-04-15 20:10:46 +0900 | [diff] [blame] | 153 | name: "file_contexts_files", |
| 154 | srcs: ["file_contexts"], |
| 155 | } |
| 156 | |
Inseob Kim | 6d3d5a6 | 2021-12-21 20:55:32 +0900 | [diff] [blame] | 157 | se_build_files { |
Inseob Kim | b554e59 | 2019-04-15 20:10:46 +0900 | [diff] [blame] | 158 | name: "file_contexts_asan_files", |
| 159 | srcs: ["file_contexts_asan"], |
| 160 | } |
| 161 | |
Inseob Kim | 6d3d5a6 | 2021-12-21 20:55:32 +0900 | [diff] [blame] | 162 | se_build_files { |
Inseob Kim | b554e59 | 2019-04-15 20:10:46 +0900 | [diff] [blame] | 163 | name: "file_contexts_overlayfs_files", |
| 164 | srcs: ["file_contexts_overlayfs"], |
| 165 | } |
| 166 | |
Inseob Kim | 6d3d5a6 | 2021-12-21 20:55:32 +0900 | [diff] [blame] | 167 | se_build_files { |
Inseob Kim | b554e59 | 2019-04-15 20:10:46 +0900 | [diff] [blame] | 168 | name: "hwservice_contexts_files", |
| 169 | srcs: ["hwservice_contexts"], |
| 170 | } |
| 171 | |
Inseob Kim | 6d3d5a6 | 2021-12-21 20:55:32 +0900 | [diff] [blame] | 172 | se_build_files { |
Inseob Kim | b554e59 | 2019-04-15 20:10:46 +0900 | [diff] [blame] | 173 | name: "property_contexts_files", |
| 174 | srcs: ["property_contexts"], |
| 175 | } |
| 176 | |
Inseob Kim | 6d3d5a6 | 2021-12-21 20:55:32 +0900 | [diff] [blame] | 177 | se_build_files { |
Inseob Kim | b554e59 | 2019-04-15 20:10:46 +0900 | [diff] [blame] | 178 | name: "service_contexts_files", |
| 179 | srcs: ["service_contexts"], |
| 180 | } |
| 181 | |
Inseob Kim | 6d3d5a6 | 2021-12-21 20:55:32 +0900 | [diff] [blame] | 182 | se_build_files { |
Janis Danisevskis | c40681f | 2020-07-25 13:02:29 -0700 | [diff] [blame] | 183 | name: "keystore2_key_contexts_files", |
| 184 | srcs: ["keystore2_key_contexts"], |
| 185 | } |
| 186 | |
yangbill | 3e34537 | 2020-04-15 13:55:47 +0800 | [diff] [blame] | 187 | // For vts_treble_sys_prop_test |
| 188 | filegroup { |
| 189 | name: "private_property_contexts", |
| 190 | srcs: ["private/property_contexts"], |
| 191 | visibility: [ |
| 192 | "//test/vts-testcase/security/system_property", |
| 193 | ], |
| 194 | } |
Inseob Kim | e35b49b | 2021-02-18 19:15:41 +0900 | [diff] [blame] | 195 | |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 196 | se_build_files { |
| 197 | name: "se_build_files", |
Inseob Kim | e35b49b | 2021-02-18 19:15:41 +0900 | [diff] [blame] | 198 | srcs: [ |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 199 | "security_classes", |
| 200 | "initial_sids", |
| 201 | "access_vectors", |
| 202 | "global_macros", |
| 203 | "neverallow_macros", |
| 204 | "mls_macros", |
| 205 | "mls_decl", |
| 206 | "mls", |
| 207 | "policy_capabilities", |
| 208 | "te_macros", |
| 209 | "attributes", |
| 210 | "ioctl_defines", |
| 211 | "ioctl_macros", |
| 212 | "*.te", |
| 213 | "roles_decl", |
| 214 | "roles", |
| 215 | "users", |
| 216 | "initial_sid_contexts", |
| 217 | "fs_use", |
| 218 | "genfs_contexts", |
| 219 | "port_contexts", |
Inseob Kim | e35b49b | 2021-02-18 19:15:41 +0900 | [diff] [blame] | 220 | ], |
| 221 | } |
| 222 | |
Inseob Kim | 7cb2081 | 2021-12-16 16:52:14 +0900 | [diff] [blame] | 223 | se_build_files { |
| 224 | name: "sepolicy_technical_debt", |
| 225 | srcs: ["technical_debt.cil"], |
| 226 | } |
| 227 | |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 228 | reqd_mask_policy = [":se_build_files{.reqd_mask}"] |
| 229 | plat_public_policy = [":se_build_files{.plat_public}"] |
| 230 | plat_private_policy = [":se_build_files{.plat_private}"] |
| 231 | system_ext_public_policy = [":se_build_files{.system_ext_public}"] |
| 232 | system_ext_private_policy = [":se_build_files{.system_ext_private}"] |
| 233 | product_public_policy = [":se_build_files{.product_public}"] |
| 234 | product_private_policy = [":se_build_files{.product_private}"] |
| 235 | |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 236 | // reqd_policy_mask - a policy.conf file which contains only the bare minimum |
| 237 | // policy necessary to use checkpolicy. |
| 238 | // |
| 239 | // This bare-minimum policy needs to be present in all policy.conf files, but |
| 240 | // should not necessarily be exported as part of the public policy. |
| 241 | // |
| 242 | // The rules generated by reqd_policy_mask will allow the compilation of public |
| 243 | // policy and subsequent removal of CIL policy that should not be exported. |
| 244 | se_policy_conf { |
| 245 | name: "reqd_policy_mask.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 246 | srcs: reqd_mask_policy, |
Inseob Kim | e35b49b | 2021-02-18 19:15:41 +0900 | [diff] [blame] | 247 | installable: false, |
| 248 | } |
| 249 | |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 250 | se_policy_cil { |
| 251 | name: "reqd_policy_mask.cil", |
| 252 | src: ":reqd_policy_mask.conf", |
| 253 | secilc_check: false, |
| 254 | installable: false, |
Inseob Kim | e35b49b | 2021-02-18 19:15:41 +0900 | [diff] [blame] | 255 | } |
| 256 | |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 257 | // pub_policy - policy that will be exported to be a part of non-platform |
| 258 | // policy corresponding to this platform version. |
| 259 | // |
| 260 | // This is a limited subset of policy that would not compile in checkpolicy on |
| 261 | // its own. |
| 262 | // |
| 263 | // To get around this limitation, add only the required files from private |
| 264 | // policy, which will generate CIL policy that will then be filtered out by the |
| 265 | // reqd_policy_mask. |
| 266 | // |
| 267 | // There are three pub_policy.cil files below: |
| 268 | // - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy. |
| 269 | // - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy. |
| 270 | // - plat_pub_policy.cil: exported 'system' policy. |
| 271 | // |
| 272 | // Those above files will in turn be used to generate the following versioned cil files: |
| 273 | // - product_mapping_file: the versioned, exported 'product' policy in product partition. |
| 274 | // - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition. |
| 275 | // - plat_mapping_file: the versioned, exported 'system' policy in system partition. |
| 276 | // - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy |
| 277 | // in vendor partition. |
| 278 | // |
| 279 | se_policy_conf { |
| 280 | name: "pub_policy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 281 | srcs: plat_public_policy + |
| 282 | system_ext_public_policy + |
| 283 | product_public_policy + |
| 284 | reqd_mask_policy, |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 285 | installable: false, |
| 286 | } |
| 287 | |
| 288 | se_policy_cil { |
| 289 | name: "pub_policy.cil", |
| 290 | src: ":pub_policy.conf", |
| 291 | filter_out: [":reqd_policy_mask.cil"], |
| 292 | secilc_check: false, |
| 293 | installable: false, |
| 294 | } |
| 295 | |
| 296 | se_policy_conf { |
| 297 | name: "system_ext_pub_policy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 298 | srcs: plat_public_policy + |
| 299 | system_ext_public_policy + |
| 300 | reqd_mask_policy, |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 301 | installable: false, |
| 302 | } |
| 303 | |
| 304 | se_policy_cil { |
| 305 | name: "system_ext_pub_policy.cil", |
| 306 | src: ":system_ext_pub_policy.conf", |
| 307 | filter_out: [":reqd_policy_mask.cil"], |
| 308 | secilc_check: false, |
| 309 | installable: false, |
| 310 | } |
| 311 | |
| 312 | se_policy_conf { |
| 313 | name: "plat_pub_policy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 314 | srcs: plat_public_policy + |
| 315 | reqd_mask_policy, |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 316 | installable: false, |
| 317 | } |
| 318 | |
| 319 | se_policy_cil { |
| 320 | name: "plat_pub_policy.cil", |
| 321 | src: ":plat_pub_policy.conf", |
| 322 | filter_out: [":reqd_policy_mask.cil"], |
| 323 | secilc_check: false, |
| 324 | installable: false, |
| 325 | } |
| 326 | |
| 327 | // plat_policy.conf - A combination of the private and public platform policy |
| 328 | // which will ship with the device. |
| 329 | // |
| 330 | // The platform will always reflect the most recent platform version and is not |
| 331 | // currently being attributized. |
| 332 | se_policy_conf { |
| 333 | name: "plat_sepolicy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 334 | srcs: plat_public_policy + |
| 335 | plat_private_policy, |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 336 | installable: false, |
| 337 | } |
| 338 | |
| 339 | se_policy_cil { |
| 340 | name: "plat_sepolicy.cil", |
| 341 | src: ":plat_sepolicy.conf", |
Inseob Kim | 7cb2081 | 2021-12-16 16:52:14 +0900 | [diff] [blame] | 342 | additional_cil_files: [":sepolicy_technical_debt{.plat_private}"], |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 343 | } |
| 344 | |
Jeff Vander Stoep | f9348b5 | 2021-12-14 13:32:12 +0100 | [diff] [blame^] | 345 | |
| 346 | se_policy_conf { |
| 347 | name: "apex_sepolicy-33.conf", |
| 348 | srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"], |
| 349 | installable: false, |
| 350 | } |
| 351 | |
| 352 | se_policy_cil { |
| 353 | name: "apex_sepolicy-33.cil", |
| 354 | src: ":apex_sepolicy-33.conf", |
| 355 | filter_out: [":plat_sepolicy.cil"], |
| 356 | installable: false, |
| 357 | stem: "apex_sepolicy.cil", |
| 358 | } |
| 359 | |
Inseob Kim | 6cc75f4 | 2021-04-29 13:53:20 +0000 | [diff] [blame] | 360 | // userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil |
| 361 | se_policy_conf { |
| 362 | name: "userdebug_plat_sepolicy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 363 | srcs: plat_public_policy + |
| 364 | plat_private_policy, |
Inseob Kim | 6cc75f4 | 2021-04-29 13:53:20 +0000 | [diff] [blame] | 365 | build_variant: "userdebug", |
| 366 | installable: false, |
| 367 | } |
| 368 | |
| 369 | se_policy_cil { |
| 370 | name: "userdebug_plat_sepolicy.cil", |
| 371 | src: ":userdebug_plat_sepolicy.conf", |
Inseob Kim | 7cb2081 | 2021-12-16 16:52:14 +0900 | [diff] [blame] | 372 | additional_cil_files: [":sepolicy_technical_debt{.plat_private}"], |
Inseob Kim | 6cc75f4 | 2021-04-29 13:53:20 +0000 | [diff] [blame] | 373 | debug_ramdisk: true, |
Yi-Yo Chiang | 68478b1 | 2021-10-16 03:23:05 +0800 | [diff] [blame] | 374 | dist: { |
| 375 | targets: ["droidcore"], |
| 376 | }, |
Inseob Kim | 6cc75f4 | 2021-04-29 13:53:20 +0000 | [diff] [blame] | 377 | } |
| 378 | |
Yi-Yo Chiang | 857ffc4 | 2021-09-23 14:14:16 +0000 | [diff] [blame] | 379 | // A copy of the userdebug_plat_policy in GSI. |
| 380 | soong_config_module_type { |
| 381 | name: "gsi_se_policy_cil", |
| 382 | module_type: "se_policy_cil", |
| 383 | config_namespace: "ANDROID", |
| 384 | bool_variables: [ |
| 385 | "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT", |
| 386 | ], |
| 387 | properties: [ |
| 388 | "enabled", |
| 389 | "installable", |
| 390 | ], |
| 391 | } |
| 392 | |
| 393 | gsi_se_policy_cil { |
| 394 | name: "system_ext_userdebug_plat_sepolicy.cil", |
| 395 | stem: "userdebug_plat_sepolicy.cil", |
| 396 | src: ":userdebug_plat_sepolicy.conf", |
Inseob Kim | 7cb2081 | 2021-12-16 16:52:14 +0900 | [diff] [blame] | 397 | additional_cil_files: [":sepolicy_technical_debt{.plat_private}"], |
Yi-Yo Chiang | 857ffc4 | 2021-09-23 14:14:16 +0000 | [diff] [blame] | 398 | system_ext_specific: true, |
| 399 | enabled: false, |
| 400 | installable: false, |
| 401 | soong_config_variables: { |
| 402 | PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: { |
| 403 | enabled: true, |
| 404 | installable: true, |
| 405 | }, |
| 406 | }, |
| 407 | } |
| 408 | |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 409 | // system_ext_policy.conf - A combination of the private and public system_ext |
| 410 | // policy which will ship with the device. System_ext policy is not attributized |
| 411 | se_policy_conf { |
| 412 | name: "system_ext_sepolicy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 413 | srcs: plat_public_policy + |
| 414 | plat_private_policy + |
| 415 | system_ext_public_policy + |
| 416 | system_ext_private_policy, |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 417 | installable: false, |
| 418 | } |
| 419 | |
| 420 | se_policy_cil { |
| 421 | name: "system_ext_sepolicy.cil", |
| 422 | src: ":system_ext_sepolicy.conf", |
| 423 | system_ext_specific: true, |
| 424 | filter_out: [":plat_sepolicy.cil"], |
| 425 | remove_line_marker: true, |
| 426 | } |
| 427 | |
| 428 | // product_policy.conf - A combination of the private and public product policy |
| 429 | // which will ship with the device. Product policy is not attributized |
| 430 | se_policy_conf { |
| 431 | name: "product_sepolicy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 432 | srcs: plat_public_policy + |
| 433 | plat_private_policy + |
| 434 | system_ext_public_policy + |
| 435 | system_ext_private_policy + |
| 436 | product_public_policy + |
| 437 | product_private_policy, |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 438 | installable: false, |
| 439 | } |
| 440 | |
| 441 | se_policy_cil { |
| 442 | name: "product_sepolicy.cil", |
| 443 | src: ":product_sepolicy.conf", |
| 444 | product_specific: true, |
| 445 | filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"], |
| 446 | remove_line_marker: true, |
| 447 | } |
| 448 | |
Inseob Kim | 039175b | 2021-03-25 15:37:34 +0900 | [diff] [blame] | 449 | // policy mapping files |
| 450 | // auto-generate the mapping file for current platform policy, since it needs to |
| 451 | // track platform policy development |
| 452 | se_versioned_policy { |
| 453 | name: "plat_mapping_file", |
| 454 | base: ":plat_pub_policy.cil", |
| 455 | mapping: true, |
| 456 | version: "current", |
| 457 | relative_install_path: "mapping", // install to /system/etc/selinux/mapping |
| 458 | } |
| 459 | |
| 460 | se_versioned_policy { |
| 461 | name: "system_ext_mapping_file", |
| 462 | base: ":system_ext_pub_policy.cil", |
| 463 | mapping: true, |
| 464 | version: "current", |
| 465 | filter_out: [":plat_mapping_file"], |
| 466 | relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping |
| 467 | system_ext_specific: true, |
| 468 | } |
| 469 | |
| 470 | se_versioned_policy { |
| 471 | name: "product_mapping_file", |
| 472 | base: ":pub_policy.cil", |
| 473 | mapping: true, |
| 474 | version: "current", |
| 475 | filter_out: [":plat_mapping_file", ":system_ext_mapping_file"], |
| 476 | relative_install_path: "mapping", // install to /product/etc/selinux/mapping |
| 477 | product_specific: true, |
| 478 | } |
| 479 | |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 480 | // vendor/odm sepolicy |
| 481 | // |
| 482 | // If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION, |
| 483 | // policy files of platform (system, system_ext, product) can't be mixed with |
| 484 | // policy files of vendor (vendor, odm). If it's the case, platform policies and |
| 485 | // vendor policies are separately built. More specifically, |
| 486 | // |
| 487 | // - Platform policy files needed to build vendor policies, such as plat_policy, |
| 488 | // plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the |
| 489 | // prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS). |
| 490 | // |
| 491 | // - sepolicy_neverallows only checks platform policies, and a new module |
| 492 | // sepolicy_neverallows_vendor checks vendor policies. |
| 493 | // |
| 494 | // - neverallow checks are turned off while compiling precompiled_sepolicy |
| 495 | // module and sepolicy module. |
| 496 | // |
| 497 | // - Vendor policies are not checked on the compat test (compat.mk). |
| 498 | // |
| 499 | // In such scenario, we can grab platform policy files from the prebuilts/api |
| 500 | // directory. But we need more than that: prebuilts of system_ext, product, |
| 501 | // system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following |
| 502 | // variables are introduced to specify such prebuilts. |
| 503 | // |
| 504 | // - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask) |
| 505 | // - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor) |
| 506 | // - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public) |
| 507 | // - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private) |
| 508 | // - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public) |
| 509 | // - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private) |
| 510 | // |
| 511 | // Vendors are responsible for copying policy files from the old version of the |
| 512 | // source tree as prebuilts, and for setting BOARD_*_POLICY variables so they |
| 513 | // can be used to build vendor policies. |
| 514 | // |
| 515 | // To support both mixed build and normal build, platform policy files are |
| 516 | // indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal |
| 517 | // to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION. |
| 518 | // Otherwise, they will be equal to the Makefile variables above. |
| 519 | |
| 520 | plat_public_policies_for_vendor = [ |
| 521 | ":se_build_files{.plat_public_for_vendor}", |
| 522 | ":se_build_files{.system_ext_public_for_vendor}", |
| 523 | ":se_build_files{.product_public_for_vendor}", |
| 524 | ":se_build_files{.reqd_mask_for_vendor}", |
| 525 | ] |
| 526 | |
| 527 | plat_policies_for_vendor = [ |
| 528 | ":se_build_files{.plat_public_for_vendor}", |
| 529 | ":se_build_files{.plat_private_for_vendor}", |
| 530 | ":se_build_files{.system_ext_public_for_vendor}", |
| 531 | ":se_build_files{.system_ext_private_for_vendor}", |
| 532 | ":se_build_files{.product_public_for_vendor}", |
| 533 | ":se_build_files{.product_private_for_vendor}", |
| 534 | ] |
| 535 | |
| 536 | se_policy_conf { |
| 537 | name: "plat_policy_for_vendor.conf", |
| 538 | srcs: plat_policies_for_vendor, |
| 539 | installable: false, |
| 540 | } |
| 541 | |
| 542 | se_policy_cil { |
| 543 | name: "plat_policy_for_vendor.cil", |
| 544 | src: ":plat_policy_for_vendor.conf", |
| 545 | additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"], |
| 546 | installable: false, |
| 547 | } |
| 548 | |
| 549 | se_policy_conf { |
| 550 | name: "reqd_policy_mask_for_vendor.conf", |
| 551 | srcs: [":se_build_files{.reqd_mask_for_vendor}"], |
| 552 | installable: false, |
| 553 | } |
| 554 | |
| 555 | se_policy_cil { |
| 556 | name: "reqd_policy_mask_for_vendor.cil", |
| 557 | src: ":reqd_policy_mask_for_vendor.conf", |
| 558 | secilc_check: false, |
| 559 | installable: false, |
| 560 | } |
| 561 | |
| 562 | se_policy_conf { |
| 563 | name: "pub_policy_for_vendor.conf", |
| 564 | srcs: plat_public_policies_for_vendor, |
| 565 | installable: false, |
| 566 | } |
| 567 | |
| 568 | se_policy_cil { |
| 569 | name: "pub_policy_for_vendor.cil", |
| 570 | src: ":pub_policy_for_vendor.conf", |
| 571 | filter_out: [":reqd_policy_mask_for_vendor.cil"], |
| 572 | secilc_check: false, |
| 573 | installable: false, |
| 574 | } |
| 575 | |
| 576 | se_versioned_policy { |
| 577 | name: "plat_mapping_file_for_vendor", |
| 578 | base: ":pub_policy_for_vendor.cil", |
| 579 | mapping: true, |
| 580 | version: "vendor", |
| 581 | installable: false, |
| 582 | } |
| 583 | |
Inseob Kim | 039175b | 2021-03-25 15:37:34 +0900 | [diff] [blame] | 584 | // plat_pub_versioned.cil - the exported platform policy associated with the version |
| 585 | // that non-platform policy targets. |
| 586 | se_versioned_policy { |
| 587 | name: "plat_pub_versioned.cil", |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 588 | base: ":pub_policy_for_vendor.cil", |
| 589 | target_policy: ":pub_policy_for_vendor.cil", |
| 590 | version: "vendor", |
Inseob Kim | 039175b | 2021-03-25 15:37:34 +0900 | [diff] [blame] | 591 | vendor: true, |
| 592 | } |
| 593 | |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 594 | // vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined |
| 595 | // with the platform-provided policy. It makes use of the reqd_policy_mask files from private |
| 596 | // policy and the platform public policy files in order to use checkpolicy. |
| 597 | se_policy_conf { |
| 598 | name: "vendor_sepolicy.conf", |
| 599 | srcs: plat_public_policies_for_vendor + [ |
| 600 | ":se_build_files{.plat_vendor_for_vendor}", |
| 601 | ":se_build_files{.vendor}", |
| 602 | ], |
| 603 | installable: false, |
| 604 | } |
| 605 | |
| 606 | se_policy_cil { |
| 607 | name: "vendor_sepolicy.cil.raw", |
| 608 | src: ":vendor_sepolicy.conf", |
| 609 | filter_out: [":reqd_policy_mask_for_vendor.cil"], |
| 610 | secilc_check: false, // will be done in se_versioned_policy module |
| 611 | installable: false, |
| 612 | } |
| 613 | |
| 614 | se_versioned_policy { |
| 615 | name: "vendor_sepolicy.cil", |
| 616 | base: ":pub_policy_for_vendor.cil", |
| 617 | target_policy: ":vendor_sepolicy.cil.raw", |
| 618 | version: "vendor", |
| 619 | dependent_cils: [ |
| 620 | ":plat_policy_for_vendor.cil", |
| 621 | ":plat_pub_versioned.cil", |
| 622 | ":plat_mapping_file_for_vendor", |
| 623 | ], |
| 624 | filter_out: [":plat_pub_versioned.cil"], |
| 625 | vendor: true, |
| 626 | } |
| 627 | |
| 628 | // odm_policy.cil - the odl sepolicy. This needs attributization and to be combined |
| 629 | // with the platform-provided policy. It makes use of the reqd_policy_mask files from private |
| 630 | // policy and the platform public policy files in order to use checkpolicy. |
| 631 | se_policy_conf { |
| 632 | name: "odm_sepolicy.conf", |
| 633 | srcs: plat_public_policies_for_vendor + [ |
| 634 | ":se_build_files{.plat_vendor_for_vendor}", |
| 635 | ":se_build_files{.vendor}", |
| 636 | ":se_build_files{.odm}", |
| 637 | ], |
| 638 | installable: false, |
| 639 | } |
| 640 | |
| 641 | se_policy_cil { |
| 642 | name: "odm_sepolicy.cil.raw", |
| 643 | src: ":odm_sepolicy.conf", |
| 644 | filter_out: [ |
| 645 | ":reqd_policy_mask_for_vendor.cil", |
| 646 | ":vendor_sepolicy.cil", |
| 647 | ], |
| 648 | secilc_check: false, // will be done in se_versioned_policy module |
| 649 | installable: false, |
| 650 | } |
| 651 | |
| 652 | se_versioned_policy { |
| 653 | name: "odm_sepolicy.cil", |
| 654 | base: ":pub_policy_for_vendor.cil", |
| 655 | target_policy: ":odm_sepolicy.cil.raw", |
| 656 | version: "vendor", |
| 657 | dependent_cils: [ |
| 658 | ":plat_policy_for_vendor.cil", |
| 659 | ":plat_pub_versioned.cil", |
| 660 | ":plat_mapping_file_for_vendor", |
| 661 | ":vendor_sepolicy.cil", |
| 662 | ], |
| 663 | filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"], |
| 664 | device_specific: true, |
| 665 | } |
| 666 | |
Inseob Kim | 039175b | 2021-03-25 15:37:34 +0900 | [diff] [blame] | 667 | ////////////////////////////////// |
| 668 | // Precompiled sepolicy is loaded if and only if: |
| 669 | // - plat_sepolicy_and_mapping.sha256 equals |
| 670 | // precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 |
| 671 | // AND |
| 672 | // - system_ext_sepolicy_and_mapping.sha256 equals |
| 673 | // precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 |
| 674 | // AND |
| 675 | // - product_sepolicy_and_mapping.sha256 equals |
| 676 | // precompiled_sepolicy.product_sepolicy_and_mapping.sha256 |
Jeff Vander Stoep | f9348b5 | 2021-12-14 13:32:12 +0100 | [diff] [blame^] | 677 | // AND |
| 678 | // - apex_sepolicy.sha256 equals |
| 679 | // precompiled_sepolicy.apex_sepolicy.sha256 |
Inseob Kim | 039175b | 2021-03-25 15:37:34 +0900 | [diff] [blame] | 680 | // See system/core/init/selinux.cpp for details. |
| 681 | ////////////////////////////////// |
| 682 | genrule { |
| 683 | name: "plat_sepolicy_and_mapping.sha256_gen", |
| 684 | srcs: [":plat_sepolicy.cil", ":plat_mapping_file"], |
| 685 | out: ["plat_sepolicy_and_mapping.sha256"], |
| 686 | cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)", |
| 687 | } |
| 688 | |
| 689 | prebuilt_etc { |
| 690 | name: "plat_sepolicy_and_mapping.sha256", |
| 691 | filename: "plat_sepolicy_and_mapping.sha256", |
| 692 | src: ":plat_sepolicy_and_mapping.sha256_gen", |
| 693 | relative_install_path: "selinux", |
| 694 | } |
| 695 | |
| 696 | genrule { |
Jeff Vander Stoep | f9348b5 | 2021-12-14 13:32:12 +0100 | [diff] [blame^] | 697 | name: "apex_sepolicy.sha256_gen", |
| 698 | srcs: [":apex_sepolicy-33.cil"], |
| 699 | out: ["apex_sepolicy.sha256"], |
| 700 | cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)", |
| 701 | } |
| 702 | |
| 703 | prebuilt_etc { |
| 704 | name: "apex_sepolicy.sha256", |
| 705 | filename: "apex_sepolicy.sha256", |
| 706 | src: ":apex_sepolicy.sha256_gen", |
| 707 | installable: false, |
| 708 | } |
| 709 | |
| 710 | genrule { |
Inseob Kim | 039175b | 2021-03-25 15:37:34 +0900 | [diff] [blame] | 711 | name: "system_ext_sepolicy_and_mapping.sha256_gen", |
| 712 | srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"], |
| 713 | out: ["system_ext_sepolicy_and_mapping.sha256"], |
| 714 | cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)", |
| 715 | } |
| 716 | |
| 717 | prebuilt_etc { |
| 718 | name: "system_ext_sepolicy_and_mapping.sha256", |
| 719 | filename: "system_ext_sepolicy_and_mapping.sha256", |
| 720 | src: ":system_ext_sepolicy_and_mapping.sha256_gen", |
| 721 | relative_install_path: "selinux", |
| 722 | system_ext_specific: true, |
| 723 | } |
| 724 | |
| 725 | genrule { |
| 726 | name: "product_sepolicy_and_mapping.sha256_gen", |
| 727 | srcs: [":product_sepolicy.cil", ":product_mapping_file"], |
| 728 | out: ["product_sepolicy_and_mapping.sha256"], |
| 729 | cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)", |
| 730 | } |
| 731 | |
| 732 | prebuilt_etc { |
| 733 | name: "product_sepolicy_and_mapping.sha256", |
| 734 | filename: "product_sepolicy_and_mapping.sha256", |
| 735 | src: ":product_sepolicy_and_mapping.sha256_gen", |
| 736 | relative_install_path: "selinux", |
| 737 | product_specific: true, |
| 738 | } |
| 739 | |
Inseob Kim | 1c056b1 | 2021-04-30 00:11:43 +0900 | [diff] [blame] | 740 | sepolicy_vers { |
| 741 | name: "plat_sepolicy_vers.txt", |
| 742 | version: "vendor", |
| 743 | vendor: true, |
| 744 | } |
| 745 | |
Inseob Kim | 731182a | 2021-05-06 11:44:37 +0000 | [diff] [blame] | 746 | soong_config_module_type { |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 747 | name: "precompiled_sepolicy_prebuilts_defaults", |
Inseob Kim | 731182a | 2021-05-06 11:44:37 +0000 | [diff] [blame] | 748 | module_type: "prebuilt_defaults", |
| 749 | config_namespace: "ANDROID", |
| 750 | bool_variables: ["BOARD_USES_ODMIMAGE"], |
| 751 | properties: ["vendor", "device_specific"], |
| 752 | } |
| 753 | |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 754 | precompiled_sepolicy_prebuilts_defaults { |
| 755 | name: "precompiled_sepolicy_prebuilts", |
Inseob Kim | 731182a | 2021-05-06 11:44:37 +0000 | [diff] [blame] | 756 | soong_config_variables: { |
| 757 | BOARD_USES_ODMIMAGE: { |
| 758 | device_specific: true, |
| 759 | conditions_default: { |
| 760 | vendor: true, |
| 761 | }, |
| 762 | }, |
| 763 | }, |
| 764 | } |
| 765 | |
| 766 | ////////////////////////////////// |
| 767 | // SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against |
| 768 | // which precompiled_policy was built. |
| 769 | ////////////////////////////////// |
| 770 | prebuilt_etc { |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 771 | defaults: ["precompiled_sepolicy_prebuilts"], |
Inseob Kim | 731182a | 2021-05-06 11:44:37 +0000 | [diff] [blame] | 772 | name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256", |
| 773 | filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256", |
| 774 | src: ":plat_sepolicy_and_mapping.sha256_gen", |
| 775 | relative_install_path: "selinux", |
| 776 | } |
| 777 | |
| 778 | ////////////////////////////////// |
Jeff Vander Stoep | f9348b5 | 2021-12-14 13:32:12 +0100 | [diff] [blame^] | 779 | // SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy |
| 780 | // was built. |
| 781 | ////////////////////////////////// |
| 782 | prebuilt_etc { |
| 783 | defaults: ["precompiled_sepolicy_prebuilts"], |
| 784 | name: "precompiled_sepolicy.apex_sepolicy.sha256", |
| 785 | filename: "precompiled_sepolicy.apex_sepolicy.sha256", |
| 786 | src: ":apex_sepolicy.sha256_gen", |
| 787 | relative_install_path: "selinux", |
| 788 | } |
| 789 | |
| 790 | ////////////////////////////////// |
Inseob Kim | 731182a | 2021-05-06 11:44:37 +0000 | [diff] [blame] | 791 | // SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against |
| 792 | // which precompiled_policy was built. |
| 793 | ////////////////////////////////// |
| 794 | prebuilt_etc { |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 795 | defaults: ["precompiled_sepolicy_prebuilts"], |
Inseob Kim | 731182a | 2021-05-06 11:44:37 +0000 | [diff] [blame] | 796 | name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256", |
| 797 | filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256", |
| 798 | src: ":system_ext_sepolicy_and_mapping.sha256_gen", |
| 799 | relative_install_path: "selinux", |
| 800 | } |
| 801 | |
| 802 | ////////////////////////////////// |
| 803 | // SHA-256 digest of the product_sepolicy.cil and product_mapping_file against |
| 804 | // which precompiled_policy was built. |
| 805 | ////////////////////////////////// |
| 806 | prebuilt_etc { |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 807 | defaults: ["precompiled_sepolicy_prebuilts"], |
Inseob Kim | 731182a | 2021-05-06 11:44:37 +0000 | [diff] [blame] | 808 | name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256", |
| 809 | filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256", |
| 810 | src: ":product_sepolicy_and_mapping.sha256_gen", |
| 811 | relative_install_path: "selinux", |
| 812 | } |
| 813 | |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 814 | soong_config_module_type { |
| 815 | name: "precompiled_se_policy_binary", |
| 816 | module_type: "se_policy_binary", |
| 817 | config_namespace: "ANDROID", |
| 818 | bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"], |
| 819 | value_variables: ["MIXED_SEPOLICY_VERSION"], |
| 820 | properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"], |
| 821 | } |
| 822 | |
| 823 | precompiled_se_policy_binary { |
| 824 | name: "precompiled_sepolicy", |
| 825 | srcs: [ |
| 826 | ":plat_sepolicy.cil", |
Jeff Vander Stoep | f9348b5 | 2021-12-14 13:32:12 +0100 | [diff] [blame^] | 827 | ":apex_sepolicy-33.cil", |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 828 | ":plat_pub_versioned.cil", |
| 829 | ":system_ext_sepolicy.cil", |
| 830 | ":product_sepolicy.cil", |
| 831 | ":vendor_sepolicy.cil", |
| 832 | ":odm_sepolicy.cil", |
| 833 | ], |
| 834 | soong_config_variables: { |
| 835 | BOARD_USES_ODMIMAGE: { |
| 836 | device_specific: true, |
| 837 | conditions_default: { |
| 838 | vendor: true, |
| 839 | }, |
| 840 | }, |
| 841 | IS_TARGET_MIXED_SEPOLICY: { |
| 842 | ignore_neverallow: true, |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 843 | }, |
| 844 | MIXED_SEPOLICY_VERSION: { |
| 845 | srcs: [ |
| 846 | ":plat_%s.cil", |
| 847 | ":system_ext_%s.cil", |
| 848 | ":product_%s.cil", |
| 849 | ], |
| 850 | conditions_default: { |
| 851 | srcs: [ |
| 852 | ":plat_mapping_file", |
| 853 | ":system_ext_mapping_file", |
| 854 | ":product_mapping_file", |
| 855 | ], |
| 856 | }, |
| 857 | }, |
| 858 | }, |
Inseob Kim | 0de7fcc | 2021-12-22 23:06:53 +0900 | [diff] [blame] | 859 | required: [ |
| 860 | "sepolicy_neverallows", |
| 861 | "sepolicy_neverallows_vendor", |
| 862 | ], |
Inseob Kim | 3ac62fe | 2021-12-16 19:00:03 +0900 | [diff] [blame] | 863 | } |
Inseob Kim | 731182a | 2021-05-06 11:44:37 +0000 | [diff] [blame] | 864 | |
Inseob Kim | 5bbcd68 | 2021-12-28 14:57:03 +0900 | [diff] [blame] | 865 | // policy for recovery |
| 866 | se_policy_conf { |
| 867 | name: "recovery_sepolicy.conf", |
| 868 | srcs: plat_policies_for_vendor + [ |
| 869 | ":se_build_files{.plat_vendor_for_vendor}", |
| 870 | ":se_build_files{.vendor}", |
| 871 | ":se_build_files{.odm}", |
| 872 | ], |
| 873 | target_recovery: true, |
| 874 | installable: false, |
| 875 | } |
| 876 | |
| 877 | se_policy_cil { |
| 878 | name: "recovery_sepolicy.cil", |
| 879 | src: ":recovery_sepolicy.conf", |
| 880 | secilc_check: false, // will be done in se_policy_binary module |
| 881 | installable: false, |
| 882 | } |
| 883 | |
| 884 | se_policy_binary { |
| 885 | name: "sepolicy.recovery", |
| 886 | srcs: [":recovery_sepolicy.cil"], |
| 887 | stem: "sepolicy", |
| 888 | recovery: true, |
| 889 | } |
| 890 | |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 891 | ////////////////////////////////// |
| 892 | // SELinux policy embedded into CTS. |
| 893 | // CTS checks neverallow rules of this policy against the policy of the device under test. |
| 894 | ////////////////////////////////// |
| 895 | se_policy_conf { |
| 896 | name: "general_sepolicy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 897 | srcs: plat_public_policy + |
| 898 | plat_private_policy, |
Inseob Kim | a49e724 | 2021-03-22 10:26:13 +0900 | [diff] [blame] | 899 | build_variant: "user", |
| 900 | cts: true, |
| 901 | exclude_build_test: true, |
| 902 | } |
Inseob Kim | d581661 | 2021-09-15 03:01:05 +0000 | [diff] [blame] | 903 | |
| 904 | ////////////////////////////////// |
Inseob Kim | 4d90b7e | 2021-09-27 13:43:01 +0000 | [diff] [blame] | 905 | // Base system policy for treble sepolicy tests. |
| 906 | // If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ |
| 907 | // with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case, |
| 908 | // BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil. |
| 909 | // See treble_sepolicy_tests_for_release.mk for more details. |
| 910 | ////////////////////////////////// |
| 911 | se_policy_conf { |
| 912 | name: "base_plat_sepolicy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 913 | srcs: plat_public_policy + |
| 914 | plat_private_policy, |
Inseob Kim | 4d90b7e | 2021-09-27 13:43:01 +0000 | [diff] [blame] | 915 | build_variant: "user", |
| 916 | installable: false, |
| 917 | } |
| 918 | |
| 919 | se_policy_cil { |
| 920 | name: "base_plat_sepolicy.cil", |
| 921 | src: ":base_plat_sepolicy.conf", |
| 922 | additional_cil_files: ["private/technical_debt.cil"], |
| 923 | installable: false, |
| 924 | secilc_check: false, // done by se_policy_binary |
| 925 | } |
| 926 | |
| 927 | se_policy_binary { |
| 928 | name: "base_plat_sepolicy", |
| 929 | srcs: [":base_plat_sepolicy.cil"], |
| 930 | installable: false, |
| 931 | } |
| 932 | |
| 933 | se_policy_conf { |
| 934 | name: "base_system_ext_sepolicy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 935 | srcs: plat_public_policy + |
| 936 | plat_private_policy + |
| 937 | system_ext_public_policy + |
| 938 | system_ext_private_policy, |
Inseob Kim | 4d90b7e | 2021-09-27 13:43:01 +0000 | [diff] [blame] | 939 | build_variant: "user", |
| 940 | installable: false, |
| 941 | } |
| 942 | |
| 943 | se_policy_cil { |
| 944 | name: "base_system_ext_sepolicy.cil", |
| 945 | src: ":base_system_ext_sepolicy.conf", |
| 946 | additional_cil_files: ["private/technical_debt.cil"], |
| 947 | system_ext_specific: true, |
| 948 | installable: false, |
| 949 | secilc_check: false, // done by se_policy_binary |
| 950 | } |
| 951 | |
| 952 | se_policy_binary { |
| 953 | name: "base_system_ext_sepolicy", |
| 954 | srcs: [":base_system_ext_sepolicy.cil"], |
| 955 | system_ext_specific: true, |
| 956 | installable: false, |
| 957 | } |
| 958 | |
| 959 | se_policy_conf { |
| 960 | name: "base_product_sepolicy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 961 | srcs: plat_public_policy + |
| 962 | plat_private_policy + |
| 963 | system_ext_public_policy + |
| 964 | system_ext_private_policy + |
| 965 | product_public_policy + |
| 966 | product_private_policy, |
Inseob Kim | 4d90b7e | 2021-09-27 13:43:01 +0000 | [diff] [blame] | 967 | build_variant: "user", |
| 968 | installable: false, |
| 969 | } |
| 970 | |
| 971 | se_policy_cil { |
| 972 | name: "base_product_sepolicy.cil", |
| 973 | src: ":base_product_sepolicy.conf", |
| 974 | additional_cil_files: ["private/technical_debt.cil"], |
| 975 | product_specific: true, |
| 976 | installable: false, |
| 977 | secilc_check: false, // done by se_policy_binary |
| 978 | } |
| 979 | |
| 980 | se_policy_binary { |
| 981 | name: "base_product_sepolicy", |
| 982 | srcs: [":base_product_sepolicy.cil"], |
| 983 | product_specific: true, |
| 984 | installable: false, |
| 985 | } |
| 986 | |
| 987 | se_policy_conf { |
| 988 | name: "base_plat_pub_policy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 989 | srcs: plat_public_policy + |
| 990 | reqd_mask_policy, |
Inseob Kim | 4d90b7e | 2021-09-27 13:43:01 +0000 | [diff] [blame] | 991 | build_variant: "user", |
| 992 | installable: false, |
| 993 | } |
| 994 | |
| 995 | se_policy_cil { |
| 996 | name: "base_plat_pub_policy.cil", |
| 997 | src: ":base_plat_pub_policy.conf", |
| 998 | filter_out: [":reqd_policy_mask.cil"], |
| 999 | secilc_check: false, |
| 1000 | installable: false, |
| 1001 | } |
| 1002 | |
| 1003 | se_policy_conf { |
| 1004 | name: "base_system_ext_pub_policy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 1005 | srcs: plat_public_policy + |
| 1006 | system_ext_public_policy + |
| 1007 | reqd_mask_policy, |
Inseob Kim | 4d90b7e | 2021-09-27 13:43:01 +0000 | [diff] [blame] | 1008 | build_variant: "user", |
| 1009 | installable: false, |
| 1010 | } |
| 1011 | |
| 1012 | se_policy_cil { |
| 1013 | name: "base_system_ext_pub_policy.cil", |
| 1014 | src: ":base_system_ext_pub_policy.conf", |
| 1015 | filter_out: [":reqd_policy_mask.cil"], |
| 1016 | secilc_check: false, |
| 1017 | installable: false, |
| 1018 | } |
| 1019 | |
| 1020 | se_policy_conf { |
| 1021 | name: "base_product_pub_policy.conf", |
Inseob Kim | 0a707fa | 2021-12-09 23:35:11 +0900 | [diff] [blame] | 1022 | srcs: plat_public_policy + |
| 1023 | system_ext_public_policy + |
| 1024 | product_public_policy + |
| 1025 | reqd_mask_policy, |
Inseob Kim | 4d90b7e | 2021-09-27 13:43:01 +0000 | [diff] [blame] | 1026 | build_variant: "user", |
| 1027 | installable: false, |
| 1028 | } |
| 1029 | |
| 1030 | se_policy_cil { |
| 1031 | name: "base_product_pub_policy.cil", |
| 1032 | src: ":base_product_pub_policy.conf", |
| 1033 | filter_out: [":reqd_policy_mask.cil"], |
| 1034 | secilc_check: false, |
| 1035 | installable: false, |
| 1036 | } |
| 1037 | |
Yi-Yo Chiang | 2c18965 | 2021-11-08 19:30:04 +0800 | [diff] [blame] | 1038 | // bug_map - Bug tracking information for selinux denials loaded by auditd. |
| 1039 | se_filegroup { |
| 1040 | name: "bug_map_files", |
| 1041 | srcs: ["bug_map"], |
| 1042 | } |
| 1043 | |
| 1044 | se_bug_map { |
| 1045 | name: "plat_bug_map", |
| 1046 | srcs: [":bug_map_files"], |
| 1047 | stem: "bug_map", |
| 1048 | } |
| 1049 | |
| 1050 | se_bug_map { |
| 1051 | name: "system_ext_bug_map", |
| 1052 | srcs: [":bug_map_files"], |
| 1053 | stem: "bug_map", |
| 1054 | system_ext_specific: true, |
| 1055 | } |
| 1056 | |
| 1057 | se_bug_map { |
| 1058 | name: "vendor_bug_map", |
| 1059 | srcs: [":bug_map_files"], |
| 1060 | // Legacy file name of the vendor partition bug_map. |
| 1061 | stem: "selinux_denial_metadata", |
| 1062 | vendor: true, |
| 1063 | } |
| 1064 | |
Inseob Kim | 0de7fcc | 2021-12-22 23:06:53 +0900 | [diff] [blame] | 1065 | se_neverallow_test { |
| 1066 | name: "sepolicy_neverallows", |
| 1067 | srcs: plat_public_policy + |
| 1068 | plat_private_policy + |
| 1069 | system_ext_public_policy + |
| 1070 | system_ext_private_policy + |
| 1071 | product_public_policy + |
| 1072 | product_private_policy, |
| 1073 | } |
| 1074 | |
| 1075 | se_neverallow_test { |
| 1076 | name: "sepolicy_neverallows_vendor", |
| 1077 | srcs: plat_policies_for_vendor + [ |
| 1078 | ":se_build_files{.plat_vendor_for_vendor}", |
| 1079 | ":se_build_files{.vendor}", |
| 1080 | ":se_build_files{.odm}", |
| 1081 | ], |
| 1082 | } |
| 1083 | |
Inseob Kim | 4d90b7e | 2021-09-27 13:43:01 +0000 | [diff] [blame] | 1084 | ////////////////////////////////// |
Inseob Kim | d581661 | 2021-09-15 03:01:05 +0000 | [diff] [blame] | 1085 | // se_freeze_test compares the plat sepolicy with the prebuilt sepolicy |
| 1086 | // Additional directories can be specified via Makefile variables: |
| 1087 | // SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS. |
| 1088 | ////////////////////////////////// |
| 1089 | se_freeze_test { |
| 1090 | name: "sepolicy_freeze_test", |
| 1091 | } |
Yuntao Xu | 42e732c | 2021-11-18 22:33:02 +0000 | [diff] [blame] | 1092 | |
| 1093 | ////////////////////////////////// |
| 1094 | // Makefile rules temporary imported to Soong |
| 1095 | // TODO(b/33691272): remove these after migrating seapp to Soong |
| 1096 | ////////////////////////////////// |
| 1097 | makefile_goal { |
| 1098 | name: "plat_seapp_contexts_rule", |
| 1099 | product_out_path: "obj/ETC/plat_seapp_contexts_intermediates/plat_seapp_contexts", |
| 1100 | } |
| 1101 | |
| 1102 | makefile_goal { |
| 1103 | name: "plat_seapp_neverallows_rule", |
| 1104 | product_out_path: "obj/ETC/plat_seapp_neverallows_intermediates/plat_seapp_neverallows", |
| 1105 | } |