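# Android.mk for the platform SELinux policy: compiles the policy sources
# (optionally replaced/unioned by BOARD_SEPOLICY_* product variables) into
# the binary sepolicy plus the *_contexts, mac_permissions.xml and
# selinux_version artifacts that ship in the root filesystem.
LOCAL_PATH:= $(call my-dir)

include $(CLEAR_VARS)

# Force permissive domains to be unconfined+enforcing?
#
# During development, this should be set to false.
# Permissive means permissive.
#
# When we're close to a release and SELinux new policy development
# is frozen, we should flip this to true. This forces any currently
# permissive domains into unconfined+enforcing.
#
# The value is handed to m4 as force_permissive_to_unconfined when
# policy.conf is generated below.
FORCE_PERMISSIVE_TO_UNCONFINED:=true

ifeq ($(TARGET_BUILD_VARIANT),user)
  # User builds are always forced unconfined+enforcing, regardless of the
  # development default above.
  FORCE_PERMISSIVE_TO_UNCONFINED:=true
endif

# SELinux policy version.
# Must be <= /selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
# ?= so it can be overridden from the environment / command line.
POLICYVERS ?= 26

# MLS sensitivity and category counts, passed to m4 as mls_num_sens /
# mls_num_cats for every policy.conf flavour built here.
MLS_SENS:=1
MLS_CATS:=1024

# Quick edge case error detection for BOARD_SEPOLICY_REPLACE.
# Builds the singular path for each replace file.
# Each replace file must: not also be listed in BOARD_SEPOLICY_UNION,
# exist exactly once across BOARD_SEPOLICY_DIRS (after BOARD_SEPOLICY_IGNORE
# is applied), and have a counterpart in this directory to replace.
sepolicy_replace_paths :=
$(foreach pf, $(BOARD_SEPOLICY_REPLACE), \
  $(if $(filter $(pf), $(BOARD_SEPOLICY_UNION)), \
    $(error Ambiguous request for sepolicy $(pf). Appears in both \
      BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION), \
  ) \
  $(eval _paths := $(filter-out $(BOARD_SEPOLICY_IGNORE), \
    $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))))) \
  $(eval _occurrences := $(words $(_paths))) \
  $(if $(filter 0,$(_occurrences)), \
    $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)), \
  ) \
  $(if $(filter 1, $(_occurrences)), \
    $(eval sepolicy_replace_paths += $(_paths)), \
    $(error Multiple occurrences of replace file $(pf) in $(_paths)) \
  ) \
  $(if $(filter 0, $(words $(wildcard $(addsuffix /$(pf), $(LOCAL_PATH))))), \
    $(error Specified the sepolicy file $(pf) in BOARD_SEPOLICY_REPLACE, \
      but none found in $(LOCAL_PATH)), \
  ) \
)

# Quick edge case error detection for BOARD_SEPOLICY_UNION.
# This ensures that a requested union file exists somewhere
# in one of the listed BOARD_SEPOLICY_DIRS.
$(foreach pf, $(BOARD_SEPOLICY_UNION), \
  $(if $(filter 0, $(words $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))))), \
    $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)), \
  ) \
)

# Builds paths for all requested policy files w.r.t
# both BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
# product variables.
# $(1): the set of policy name paths to build (globs such as *.te allowed;
#       they are expanded against LOCAL_PATH and BOARD_SEPOLICY_DIRS)
# Result: for each name found in LOCAL_PATH, the board copy when the name is
# in BOARD_SEPOLICY_REPLACE, else the platform copy; followed by every
# BOARD_SEPOLICY_DIRS match whose name is in BOARD_SEPOLICY_UNION.
# BOARD_SEPOLICY_IGNORE entries are dropped from the final list.
# Recursive (=) on purpose: it is a function evaluated via $(call).
build_policy = $(foreach type, $(1), \
  $(filter-out $(BOARD_SEPOLICY_IGNORE), \
    $(foreach expanded_type, $(notdir $(wildcard $(addsuffix /$(type), $(LOCAL_PATH)))), \
      $(if $(filter $(expanded_type), $(BOARD_SEPOLICY_REPLACE)), \
        $(wildcard $(addsuffix $(expanded_type), $(sort $(dir $(sepolicy_replace_paths))))), \
        $(LOCAL_PATH)/$(expanded_type) \
      ) \
    ) \
    $(foreach union_policy, $(wildcard $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS))), \
      $(if $(filter $(notdir $(union_policy)), $(BOARD_SEPOLICY_UNION)), \
        $(union_policy), \
      ) \
    ) \
  ) \
)

# Policy source files, in the order checkpolicy expects them to be
# concatenated. The *.te glob is expanded by build_policy.
sepolicy_build_files := security_classes \
                        initial_sids \
                        access_vectors \
                        global_macros \
                        mls_macros \
                        mls \
                        policy_capabilities \
                        te_macros \
                        attributes \
                        *.te \
                        roles \
                        users \
                        initial_sid_contexts \
                        fs_use \
                        genfs_contexts \
                        port_contexts

##################################
# sepolicy: the binary policy loaded by init on the device.
include $(CLEAR_VARS)

LOCAL_MODULE := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

sepolicy_policy.conf := $(intermediates)/policy.conf
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
	@mkdir -p $(dir $@)
	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
		-s $^ > $@
	# Side output (not a declared target): a copy of the policy with every
	# line containing "dontaudit" deleted, compiled below into
	# sepolicy.dontaudit. It is only refreshed when policy.conf is rebuilt.
	# NOTE(review): this is a whole-line filter; a dontaudit statement split
	# across lines would only be partially removed — verify against the .te sources.
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# -M: build an MLS policy; -c: emit the kernel policy version from POLICYVERS.
$(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
	# $(dir $<) already carries its trailing slash.
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)$(notdir $@).dontaudit $<.dontaudit

built_sepolicy := $(LOCAL_BUILT_MODULE)
sepolicy_policy.conf :=

##################################
# sepolicy.recovery: same sources, built with target_recovery=true for the
# recovery image (eng tag only).
include $(CLEAR_VARS)

LOCAL_MODULE := sepolicy.recovery
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := eng

include $(BUILD_SYSTEM)/base_rules.mk

sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf
$(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy_policy_recovery.conf) : $(call build_policy, $(sepolicy_build_files))
	@mkdir -p $(dir $@)
	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
		-D target_recovery=true \
		-s $^ > $@

$(LOCAL_BUILT_MODULE) : $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<

built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
sepolicy_policy_recovery.conf :=

##################################
# general_sepolicy.conf: the platform-only policy (no BOARD_SEPOLICY_*
# customisation), generated as a user build with permissive domains forced
# unconfined. Tagged "tests"; presumably consumed by policy checks outside
# this file via GENERAL_SEPOLICY_POLICY.CONF.
include $(CLEAR_VARS)

LOCAL_MODULE := general_sepolicy.conf
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

# Only files from LOCAL_PATH: build_policy is deliberately not used here.
exp_sepolicy_build_files :=\
  $(wildcard $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)))

$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
	@mkdir -p $(dir $@)
	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=user \
		-D force_permissive_to_unconfined=true \
		-s $^ > $@
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# Simple assignment (:=) is required: LOCAL_BUILT_MODULE is reset by the next
# include $(CLEAR_VARS), so a recursive (=) definition would expand to
# whatever module happened to be current when the variable is used later.
GENERAL_SEPOLICY_POLICY.CONF := $(LOCAL_BUILT_MODULE)

exp_sepolicy_build_files :=

##################################
# file_contexts: concatenated with m4 and validated against the compiled
# policy by checkfc, so an undefined label fails the build.
include $(CLEAR_VARS)

LOCAL_MODULE := file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

ALL_FC_FILES := $(call build_policy, file_contexts)

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(ALL_FC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(ALL_FC_FILES) > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@

built_fc := $(LOCAL_BUILT_MODULE)

##################################
# seapp_contexts: m4-merged into a temp file, then checked and rewritten by
# checkseapp against the compiled policy.
include $(CLEAR_VARS)
LOCAL_MODULE := seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

seapp_contexts.tmp := $(intermediates)/seapp_contexts.tmp
$(seapp_contexts.tmp): $(call build_policy, seapp_contexts)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $^ > $@

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE) : $(seapp_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkseapp
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<

built_sc := $(LOCAL_BUILT_MODULE)
seapp_contexts.tmp :=

##################################
# property_contexts: validated with checkfc -p against the compiled policy.
include $(CLEAR_VARS)

LOCAL_MODULE := property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

ALL_PC_FILES := $(call build_policy, property_contexts)

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(ALL_PC_FILES) > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@

built_pc := $(LOCAL_BUILT_MODULE)

##################################
# service_contexts: validated with checkfc -p against the compiled policy.
include $(CLEAR_VARS)

LOCAL_MODULE := service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

ALL_SVC_FILES := $(call build_policy, service_contexts)

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(ALL_SVC_FILES) > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@

built_svc := $(LOCAL_BUILT_MODULE)

##################################
# selinux-network.sh: prebuilt script installed as-is.
include $(CLEAR_VARS)

LOCAL_MODULE := selinux-network.sh
LOCAL_SRC_FILES := $(LOCAL_MODULE)
LOCAL_MODULE_CLASS := EXECUTABLES
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)

include $(BUILD_PREBUILT)

##################################
# mac_permissions.xml: keys.conf maps the key tags used in the XML to
# certificates; insertkeys.py substitutes them for the current build variant.
include $(CLEAR_VARS)

LOCAL_MODULE := mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security

include $(BUILD_SYSTEM)/base_rules.mk

# Build keys.conf
mac_perms_keys.tmp := $(intermediates)/keys.tmp
$(mac_perms_keys.tmp) : $(call build_policy, keys.conf)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $^ > $@

ALL_MAC_PERMS_FILES := $(call build_policy, $(LOCAL_MODULE))

# DEFAULT_SYSTEM_DEV_CERTIFICATE is exported as the directory holding the
# platform signing keys so keys.conf entries can refer to it.
$(LOCAL_BUILT_MODULE) : $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(ALL_MAC_PERMS_FILES)
	@mkdir -p $(dir $@)
	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(ALL_MAC_PERMS_FILES)

mac_perms_keys.tmp :=

##################################
# selinux_version: the build fingerprint, regenerated whenever any of the
# policy artifacts above changes.
include $(CLEAR_VARS)

LOCAL_MODULE := selinux_version
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
	@mkdir -p $(dir $@)
	$(hide) echo -n $(BUILD_FINGERPRINT) > $@

##################################

# Clear file-scoped helpers so they do not leak into later Android.mk files.
build_policy :=
sepolicy_build_files :=
sepolicy_replace_paths :=
built_sepolicy :=
built_sc :=
built_fc :=
built_pc :=
built_svc :=

include $(call all-makefiles-under,$(LOCAL_PATH))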