Home | History | Annotate | Download | only in sepolicy 
      1 LOCAL_PATH:= $(call my-dir)
      2 
      3 include $(CLEAR_VARS)
      4 
      5 # Force permissive domains to be unconfined+enforcing?
      6 #
      7 # During development, this should be set to false.
      8 # Permissive means permissive.
      9 #
     10 # When we're close to a release and SELinux new policy development
     11 # is frozen, we should flip this to true. This forces any currently
     12 # permissive domains into unconfined+enforcing.
     13 #
     14 FORCE_PERMISSIVE_TO_UNCONFINED:=true
     15 
     16 ifeq ($(TARGET_BUILD_VARIANT),user)
     17   # User builds are always forced unconfined+enforcing
     18   FORCE_PERMISSIVE_TO_UNCONFINED:=true
     19 endif
     20 
     21 # SELinux policy version.
     22 # Must be <= /selinux/policyvers reported by the Android kernel.
     23 # Must be within the compatibility range reported by checkpolicy -V.
     24 POLICYVERS ?= 26
     25 
     26 MLS_SENS=1
     27 MLS_CATS=1024
     28 
     29 # Quick edge case error detection for BOARD_SEPOLICY_REPLACE.
     30 # Builds the singular path for each replace file.
     31 sepolicy_replace_paths :=
     32 $(foreach pf, $(BOARD_SEPOLICY_REPLACE), \
     33   $(if $(filter $(pf), $(BOARD_SEPOLICY_UNION)), \
     34     $(error Ambiguous request for sepolicy $(pf). Appears in both \
     35       BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION), \
     36   ) \
     37   $(eval _paths := $(filter-out $(BOARD_SEPOLICY_IGNORE), \
     38   $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))))) \
     39   $(eval _occurrences := $(words $(_paths))) \
     40   $(if $(filter 0,$(_occurrences)), \
     41     $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)), \
     42   ) \
     43   $(if $(filter 1, $(_occurrences)), \
     44     $(eval sepolicy_replace_paths += $(_paths)), \
     45     $(error Multiple occurrences of replace file $(pf) in $(_paths)) \
     46   ) \
     47   $(if $(filter 0, $(words $(wildcard $(addsuffix /$(pf), $(LOCAL_PATH))))), \
     48     $(error Specified the sepolicy file $(pf) in BOARD_SEPOLICY_REPLACE, \
     49       but none found in $(LOCAL_PATH)), \
     50   ) \
     51 )
     52 
     53 # Quick edge case error detection for BOARD_SEPOLICY_UNION.
     54 # This ensures that a requested union file exists somewhere
     55 # in one of the listed BOARD_SEPOLICY_DIRS.
     56 $(foreach pf, $(BOARD_SEPOLICY_UNION), \
     57   $(if $(filter 0, $(words $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))))), \
     58     $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)), \
     59   ) \
     60 )
     61 
     62 # Builds paths for all requested policy files w.r.t
     63 # both BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
     64 # product variables.
     65 # $(1): the set of policy name paths to build
     66 build_policy = $(foreach type, $(1), \
     67   $(filter-out $(BOARD_SEPOLICY_IGNORE), \
     68     $(foreach expanded_type, $(notdir $(wildcard $(addsuffix /$(type), $(LOCAL_PATH)))), \
     69       $(if $(filter $(expanded_type), $(BOARD_SEPOLICY_REPLACE)), \
     70         $(wildcard $(addsuffix $(expanded_type), $(sort $(dir $(sepolicy_replace_paths))))), \
     71         $(LOCAL_PATH)/$(expanded_type) \
     72       ) \
     73     ) \
     74     $(foreach union_policy, $(wildcard $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS))), \
     75       $(if $(filter $(notdir $(union_policy)), $(BOARD_SEPOLICY_UNION)), \
     76         $(union_policy), \
     77       ) \
     78     ) \
     79   ) \
     80 )
     81 
     82 sepolicy_build_files := security_classes \
     83                         initial_sids \
     84                         access_vectors \
     85                         global_macros \
     86                         mls_macros \
     87                         mls \
     88                         policy_capabilities \
     89                         te_macros \
     90                         attributes \
     91                         *.te \
     92                         roles \
     93                         users \
     94                         initial_sid_contexts \
     95                         fs_use \
     96                         genfs_contexts \
     97                         port_contexts
     98 
     99 ##################################
    100 include $(CLEAR_VARS)
    101 
    102 LOCAL_MODULE := sepolicy
    103 LOCAL_MODULE_CLASS := ETC
    104 LOCAL_MODULE_TAGS := optional
    105 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
    106 
    107 include $(BUILD_SYSTEM)/base_rules.mk
    108 
    109 sepolicy_policy.conf := $(intermediates)/policy.conf
    110 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
    111 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
    112 $(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
    113 	@mkdir -p $(dir $@)
    114 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
    115 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
    116 		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
    117 		-s $^ > $@
    118 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
    119 
    120 $(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
    121 	@mkdir -p $(dir $@)
    122 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
    123 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit
    124 
    125 built_sepolicy := $(LOCAL_BUILT_MODULE)
    126 sepolicy_policy.conf :=
    127 
    128 ##################################
    129 include $(CLEAR_VARS)
    130 
    131 LOCAL_MODULE := sepolicy.recovery
    132 LOCAL_MODULE_CLASS := ETC
    133 LOCAL_MODULE_TAGS := eng
    134 
    135 include $(BUILD_SYSTEM)/base_rules.mk
    136 
    137 sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf
    138 $(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
    139 $(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
    140 $(sepolicy_policy_recovery.conf) : $(call build_policy, $(sepolicy_build_files))
    141 	@mkdir -p $(dir $@)
    142 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
    143 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
    144 		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
    145 		-D target_recovery=true \
    146 		-s $^ > $@
    147 
    148 $(LOCAL_BUILT_MODULE) : $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
    149 	@mkdir -p $(dir $@)
    150 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
    151 
    152 built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
    153 sepolicy_policy_recovery.conf :=
    154 
    155 ##################################
    156 include $(CLEAR_VARS)
    157 
    158 LOCAL_MODULE := general_sepolicy.conf
    159 LOCAL_MODULE_CLASS := ETC
    160 LOCAL_MODULE_TAGS := tests
    161 
    162 include $(BUILD_SYSTEM)/base_rules.mk
    163 
    164 exp_sepolicy_build_files :=\
    165   $(wildcard $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)))
    166 
    167 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
    168 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
    169 $(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
    170 	mkdir -p $(dir $@)
    171 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
    172 		-D target_build_variant=user \
    173 		-D force_permissive_to_unconfined=true \
    174 		-s $^ > $@
    175 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
    176 
    177 GENERAL_SEPOLICY_POLICY.CONF = $(LOCAL_BUILT_MODULE)
    178 
    179 exp_sepolicy_build_files :=
    180 
    181 ##################################
    182 include $(CLEAR_VARS)
    183 
    184 LOCAL_MODULE := file_contexts
    185 LOCAL_MODULE_CLASS := ETC
    186 LOCAL_MODULE_TAGS := optional
    187 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
    188 
    189 include $(BUILD_SYSTEM)/base_rules.mk
    190 
    191 ALL_FC_FILES := $(call build_policy, file_contexts)
    192 
    193 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
    194 $(LOCAL_BUILT_MODULE):  $(ALL_FC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
    195 	@mkdir -p $(dir $@)
    196 	$(hide) m4 -s $(ALL_FC_FILES) > $@
    197 	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@
    198 
    199 built_fc := $(LOCAL_BUILT_MODULE)
    200 
    201 ##################################
    202 include $(CLEAR_VARS)
    203 LOCAL_MODULE := seapp_contexts
    204 LOCAL_MODULE_CLASS := ETC
    205 LOCAL_MODULE_TAGS := optional
    206 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
    207 
    208 include $(BUILD_SYSTEM)/base_rules.mk
    209 
    210 seapp_contexts.tmp := $(intermediates)/seapp_contexts.tmp
    211 $(seapp_contexts.tmp): $(call build_policy, seapp_contexts)
    212 	@mkdir -p $(dir $@)
    213 	$(hide) m4 -s $^ > $@
    214 
    215 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
    216 $(LOCAL_BUILT_MODULE) : $(seapp_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkseapp
    217 	@mkdir -p $(dir $@)
    218 	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<
    219 
    220 built_sc := $(LOCAL_BUILT_MODULE)
    221 seapp_contexts.tmp :=
    222 
    223 ##################################
    224 include $(CLEAR_VARS)
    225 
    226 LOCAL_MODULE := property_contexts
    227 LOCAL_MODULE_CLASS := ETC
    228 LOCAL_MODULE_TAGS := optional
    229 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
    230 
    231 include $(BUILD_SYSTEM)/base_rules.mk
    232 
    233 ALL_PC_FILES := $(call build_policy, property_contexts)
    234 
    235 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
    236 $(LOCAL_BUILT_MODULE):  $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
    237 	@mkdir -p $(dir $@)
    238 	$(hide) m4 -s $(ALL_PC_FILES) > $@
    239 	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
    240 
    241 built_pc := $(LOCAL_BUILT_MODULE)
    242 
    243 ##################################
    244 include $(CLEAR_VARS)
    245 
    246 LOCAL_MODULE := service_contexts
    247 LOCAL_MODULE_CLASS := ETC
    248 LOCAL_MODULE_TAGS := optional
    249 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
    250 
    251 include $(BUILD_SYSTEM)/base_rules.mk
    252 
    253 ALL_SVC_FILES := $(call build_policy, service_contexts)
    254 
    255 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
    256 $(LOCAL_BUILT_MODULE):  $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
    257 	@mkdir -p $(dir $@)
    258 	$(hide) m4 -s $(ALL_SVC_FILES) > $@
    259 	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
    260 
    261 built_svc := $(LOCAL_BUILT_MODULE)
    262 
    263 ##################################
    264 
    265 ##################################
    266 include $(CLEAR_VARS)
    267 
    268 LOCAL_MODULE := selinux-network.sh
    269 LOCAL_SRC_FILES := $(LOCAL_MODULE)
    270 LOCAL_MODULE_CLASS := EXECUTABLES
    271 LOCAL_MODULE_TAGS := optional
    272 LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)
    273 
    274 include $(BUILD_PREBUILT)
    275 
    276 ##################################
    277 include $(CLEAR_VARS)
    278 
    279 LOCAL_MODULE := mac_permissions.xml
    280 LOCAL_MODULE_CLASS := ETC
    281 LOCAL_MODULE_TAGS := optional
    282 LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
    283 
    284 include $(BUILD_SYSTEM)/base_rules.mk
    285 
    286 # Build keys.conf
    287 mac_perms_keys.tmp := $(intermediates)/keys.tmp
    288 $(mac_perms_keys.tmp) : $(call build_policy, keys.conf)
    289 	@mkdir -p $(dir $@)
    290 	$(hide) m4 -s $^ > $@
    291 
    292 ALL_MAC_PERMS_FILES := $(call build_policy, $(LOCAL_MODULE))
    293 
    294 $(LOCAL_BUILT_MODULE) : $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(ALL_MAC_PERMS_FILES)
    295 	@mkdir -p $(dir $@)
    296 	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
    297 		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(ALL_MAC_PERMS_FILES)
    298 
    299 mac_perms_keys.tmp :=
    300 ##################################
    301 include $(CLEAR_VARS)
    302 
    303 LOCAL_MODULE := selinux_version
    304 LOCAL_MODULE_CLASS := ETC
    305 LOCAL_MODULE_TAGS := optional
    306 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
    307 
    308 include $(BUILD_SYSTEM)/base_rules.mk
    309 $(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
    310 	@mkdir -p $(dir $@)
    311 	$(hide) echo -n $(BUILD_FINGERPRINT) > $@
    312 
    313 ##################################
    314 
    315 build_policy :=
    316 sepolicy_build_files :=
    317 sepolicy_replace_paths :=
    318 built_sepolicy :=
    319 built_sc :=
    320 built_fc :=
    321 built_pc :=
    322 built_svc :=
    323 
    324 include $(call all-makefiles-under,$(LOCAL_PATH))
    325