1 LOCAL_PATH:= $(call my-dir) 2 3 include $(LOCAL_PATH)/definitions.mk 4 5 include $(CLEAR_VARS) 6 # SELinux policy version. 7 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel. 8 # Must be within the compatibility range reported by checkpolicy -V. 9 POLICYVERS ?= 30 10 11 MLS_SENS=1 12 MLS_CATS=1024 13 14 ifdef BOARD_SEPOLICY_REPLACE 15 $(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.) 16 endif 17 18 ifdef BOARD_SEPOLICY_IGNORE 19 $(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.) 20 endif 21 22 ifdef BOARD_SEPOLICY_UNION 23 $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.) 24 endif 25 26 ifdef BOARD_SEPOLICY_M4DEFS 27 LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS)) 28 else 29 LOCAL_ADDITIONAL_M4DEFS := 30 endif 31 32 # sepolicy is now divided into multiple portions: 33 # public - policy exported on which non-platform policy developers may write 34 # additional policy. types and attributes are versioned and included in 35 # delivered non-platform policy, which is to be combined with platform policy. 36 # private - platform-only policy required for platform functionality but which 37 # is not exported to vendor policy developers and as such may not be assumed 38 # to exist. 39 # vendor - vendor-only policy required for vendor functionality. This policy can 40 # reference the public policy but cannot reference the private policy. This 41 # policy is for components which are produced from the core/non-vendor tree and 42 # placed into a vendor partition. 43 # mapping - This contains policy statements which map the attributes 44 # exposed in the public policy of previous versions to the concrete types used 45 # in this policy to ensure that policy targeting attributes from public 46 # policy from an older platform version continues to work. 47 48 # build process for device: 49 # 1) convert policies to CIL: 50 # - private + public platform policy to CIL 51 # - mapping file to CIL (should already be in CIL form) 52 # - non-platform public policy to CIL 53 # - non-platform public + private policy to CIL 54 # 2) attributize policy 55 # - run script which takes non-platform public and non-platform combined 56 # private + public policy and produces attributized and versioned 57 # non-platform policy 58 # 3) combine policy files 59 # - combine mapping, platform and non-platform policy. 60 # - compile output binary policy file 61 62 PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public 63 ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)) 64 PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) 65 endif 66 PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private 67 ifneq ( ,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)) 68 PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) 69 endif 70 PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor 71 REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask 72 73 # TODO: move to README when doing the README update and finalizing versioning. 74 # BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy 75 # version identifier corresponding to the sepolicy on which the non-platform 76 # policy is to be based. If unspecified, this will build against the current 77 # public platform policy in tree 78 ifndef BOARD_SEPOLICY_VERS 79 $(warning BOARD_SEPOLICY_VERS not specified, assuming current platform version) 80 # The default platform policy version. 81 BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION) 82 endif 83 84 NEVERALLOW_ARG := 85 ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) 86 ifeq ($(TARGET_BUILD_VARIANT),user) 87 $(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds) 88 endif 89 $(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \ 90 It does not work in user builds and using it will \ 91 not stop you from failing CTS.) 92 NEVERALLOW_ARG := -N 93 endif 94 95 # BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before. 96 # It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and 97 # BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for 98 # backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS. 99 ifdef BOARD_SEPOLICY_DIRS 100 BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS) 101 endif 102 103 ifdef BOARD_ODM_SEPOLICY_DIRS 104 ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) 105 $(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS) 106 endif 107 endif 108 109 platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil 110 111 ########################################################### 112 # Compute policy files to be used in policy build. 113 # $(1): files to include 114 # $(2): directories in which to find files 115 ########################################################### 116 117 define build_policy 118 $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))) 119 endef 120 121 # Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS. 122 # $(1): the set of policy name paths to build 123 build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS)) 124 125 # Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS. 126 build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS)) 127 128 # Add a file containing only a newline in-between each policy configuration 129 # 'contexts' file. This will allow OEM policy configuration files without a 130 # final newline (0x0A) to be built correctly by the m4(1) macro processor. 131 # $(1): the set of contexts file names. 132 # $(2): the file containing only 0x0A. 133 add_nl = $(foreach entry, $(1), $(subst $(entry), $(entry) $(2), $(entry))) 134 135 sepolicy_build_files := security_classes \ 136 initial_sids \ 137 access_vectors \ 138 global_macros \ 139 neverallow_macros \ 140 mls_macros \ 141 mls_decl \ 142 mls \ 143 policy_capabilities \ 144 te_macros \ 145 attributes \ 146 ioctl_defines \ 147 ioctl_macros \ 148 *.te \ 149 roles_decl \ 150 roles \ 151 users \ 152 initial_sid_contexts \ 153 fs_use \ 154 genfs_contexts \ 155 port_contexts 156 157 # CIL files which contain workarounds for current limitation of human-readable 158 # module policy language. These files are appended to the CIL files produced 159 # from module language files. 160 sepolicy_build_cil_workaround_files := technical_debt.cil 161 162 my_target_arch := $(TARGET_ARCH) 163 ifneq (,$(filter mips mips64,$(TARGET_ARCH))) 164 my_target_arch := mips 165 endif 166 167 intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates 168 169 with_asan := false 170 ifneq (,$(filter address,$(SANITIZE_TARGET))) 171 with_asan := true 172 endif 173 174 # Library extension for host-side tests 175 ifeq ($(HOST_OS),darwin) 176 SHAREDLIB_EXT=dylib 177 else 178 SHAREDLIB_EXT=so 179 endif 180 181 include $(CLEAR_VARS) 182 LOCAL_MODULE := selinux_policy 183 LOCAL_MODULE_TAGS := optional 184 # Include SELinux policy. We do this here because different modules 185 # need to be included based on the value of PRODUCT_SEPOLICY_SPLIT. This 186 # type of conditional inclusion cannot be done in top-level files such 187 # as build/target/product/embedded.mk. 188 # This conditional inclusion closely mimics the conditional logic 189 # inside init/init.cpp for loading SELinux policy from files. 190 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 191 192 # Use split SELinux policy 193 LOCAL_REQUIRED_MODULES += \ 194 $(platform_mapping_file) \ 195 $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ 196 plat_pub_versioned.cil \ 197 vendor_sepolicy.cil \ 198 plat_sepolicy.cil \ 199 plat_and_mapping_sepolicy.cil.sha256 \ 200 secilc \ 201 plat_sepolicy_vers.txt \ 202 203 # Include precompiled policy, unless told otherwise 204 ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 205 LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256 206 endif 207 else 208 # The following files are only allowed for non-Treble devices. 209 LOCAL_REQUIRED_MODULES += \ 210 sepolicy \ 211 vendor_service_contexts 212 endif 213 214 LOCAL_REQUIRED_MODULES += \ 215 build_sepolicy \ 216 vendor_file_contexts \ 217 vendor_mac_permissions.xml \ 218 vendor_property_contexts \ 219 vendor_seapp_contexts \ 220 vendor_hwservice_contexts \ 221 plat_file_contexts \ 222 plat_mac_permissions.xml \ 223 plat_property_contexts \ 224 plat_seapp_contexts \ 225 plat_service_contexts \ 226 plat_hwservice_contexts \ 227 searchpolicy \ 228 vndservice_contexts \ 229 230 ifneq ($(TARGET_BUILD_VARIANT), user) 231 LOCAL_REQUIRED_MODULES += \ 232 selinux_denial_metadata \ 233 234 endif 235 236 ifneq ($(with_asan),true) 237 ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) 238 LOCAL_REQUIRED_MODULES += \ 239 sepolicy_tests \ 240 treble_sepolicy_tests_26.0 \ 241 treble_sepolicy_tests_27.0 \ 242 243 endif 244 endif 245 246 ifdef BOARD_ODM_SEPOLICY_DIRS 247 LOCAL_REQUIRED_MODULES += \ 248 odm_sepolicy.cil \ 249 odm_file_contexts \ 250 odm_seapp_contexts \ 251 odm_property_contexts \ 252 odm_hwservice_contexts \ 253 odm_mac_permissions.xml 254 endif 255 256 ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 257 LOCAL_REQUIRED_MODULES += \ 258 sepolicy_freeze_test \ 259 260 endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 261 262 include $(BUILD_PHONY_PACKAGE) 263 264 ################################# 265 include $(CLEAR_VARS) 266 267 LOCAL_MODULE := sepolicy_neverallows 268 LOCAL_MODULE_CLASS := ETC 269 LOCAL_MODULE_TAGS := optional 270 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 271 272 include $(BUILD_SYSTEM)/base_rules.mk 273 274 # sepolicy_policy.conf - All of the policy for the device. This is only used to 275 # check neverallow rules. 276 sepolicy_policy.conf := $(intermediates)/policy.conf 277 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 278 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 279 $(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user 280 $(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 281 $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 282 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 283 $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 284 $(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 285 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS)) 286 $(transform-policy-to-conf) 287 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 288 289 $(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy 290 rm -f $@ 291 ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) 292 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \ 293 $(POLICYVERS) -o $@ $< 294 else # ($(SELINUX_IGNORE_NEVERALLOWS),true) 295 $(hide) touch $@ 296 endif # ($(SELINUX_IGNORE_NEVERALLOWS),true) 297 298 sepolicy_policy.conf := 299 built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE) 300 301 ################################## 302 # reqd_policy_mask - a policy.conf file which contains only the bare minimum 303 # policy necessary to use checkpolicy. This bare-minimum policy needs to be 304 # present in all policy.conf files, but should not necessarily be exported as 305 # part of the public policy. The rules generated by reqd_policy_mask will allow 306 # the compilation of public policy and subsequent removal of CIL policy that 307 # should not be exported. 308 309 reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf 310 $(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 311 $(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 312 $(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 313 $(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 314 $(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 315 $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 316 $(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 317 $(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 318 $(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY)) 319 $(transform-policy-to-conf) 320 # b/37755687 321 CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0 322 323 reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil 324 $(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy 325 @mkdir -p $(dir $@) 326 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \ 327 $(POLICYVERS) -o $@ $< 328 329 reqd_policy_mask.conf := 330 331 ################################## 332 # plat_pub_policy - policy that will be exported to be a part of non-platform 333 # policy corresponding to this platform version. This is a limited subset of 334 # policy that would not compile in checkpolicy on its own. To get around this 335 # limitation, add only the required files from private policy, which will 336 # generate CIL policy that will then be filtered out by the reqd_policy_mask. 337 plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf 338 $(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 339 $(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 340 $(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 341 $(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 342 $(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 343 $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 344 $(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 345 $(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 346 $(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 347 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) 348 $(transform-policy-to-conf) 349 plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil 350 $(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf) 351 $(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 352 $(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil) 353 @mkdir -p $(dir $@) 354 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF) 355 $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@ 356 357 plat_pub_policy.conf := 358 359 ################################## 360 include $(CLEAR_VARS) 361 362 LOCAL_MODULE := sectxfile_nl 363 LOCAL_MODULE_CLASS := ETC 364 LOCAL_MODULE_TAGS := optional 365 366 # Create a file containing newline only to add between context config files 367 include $(BUILD_SYSTEM)/base_rules.mk 368 $(LOCAL_BUILT_MODULE): 369 @mkdir -p $(dir $@) 370 $(hide) echo > $@ 371 372 built_nl := $(LOCAL_BUILT_MODULE) 373 374 ################################# 375 include $(CLEAR_VARS) 376 377 LOCAL_MODULE := plat_sepolicy.cil 378 LOCAL_MODULE_CLASS := ETC 379 LOCAL_MODULE_TAGS := optional 380 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 381 382 include $(BUILD_SYSTEM)/base_rules.mk 383 384 # plat_policy.conf - A combination of the private and public platform policy 385 # which will ship with the device. The platform will always reflect the most 386 # recent platform version and is not currently being attributized. 387 plat_policy.conf := $(intermediates)/plat_policy.conf 388 $(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 389 $(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 390 $(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 391 $(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 392 $(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 393 $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 394 $(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 395 $(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 396 $(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 397 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 398 $(transform-policy-to-conf) 399 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 400 401 $(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \ 402 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) 403 $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 404 $(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 405 $(HOST_OUT_EXECUTABLES)/secilc \ 406 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ 407 $(built_sepolicy_neverallows) 408 @mkdir -p $(dir $@) 409 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 410 $(POLICYVERS) -o $@ $< 411 $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@ 412 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o /dev/null -f /dev/null 413 414 built_plat_cil := $(LOCAL_BUILT_MODULE) 415 plat_policy.conf := 416 417 ################################# 418 include $(CLEAR_VARS) 419 420 LOCAL_MODULE := plat_sepolicy_vers.txt 421 LOCAL_MODULE_CLASS := ETC 422 LOCAL_MODULE_TAGS := optional 423 LOCAL_PROPRIETARY_MODULE := true 424 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 425 426 include $(BUILD_SYSTEM)/base_rules.mk 427 428 $(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS) 429 $(LOCAL_BUILT_MODULE) : 430 mkdir -p $(dir $@) 431 echo $(PRIVATE_PLAT_SEPOL_VERS) > $@ 432 433 ################################# 434 include $(CLEAR_VARS) 435 436 LOCAL_MODULE := $(platform_mapping_file) 437 LOCAL_MODULE_CLASS := ETC 438 LOCAL_MODULE_TAGS := optional 439 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping 440 441 include $(BUILD_SYSTEM)/base_rules.mk 442 443 current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil 444 ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION)) 445 # auto-generate the mapping file for current platform policy, since it needs to 446 # track platform policy development 447 $(current_mapping.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) 448 $(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy 449 @mkdir -p $(dir $@) 450 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ 451 452 else # ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION)) 453 prebuilt_mapping_files := $(wildcard $(addsuffix /mapping/$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY))) 454 $(current_mapping.cil) : $(prebuilt_mapping_files) 455 @mkdir -p $(dir $@) 456 cat $^ > $@ 457 458 prebuilt_mapping_files := 459 endif 460 461 $(LOCAL_BUILT_MODULE): $(current_mapping.cil) $(ACP) 462 $(hide) $(ACP) $< $@ 463 464 built_mapping_cil := $(LOCAL_BUILT_MODULE) 465 current_mapping.cil := 466 467 ################################# 468 include $(CLEAR_VARS) 469 470 LOCAL_MODULE := 27.0.cil 471 LOCAL_SRC_FILES := private/compat/27.0/27.0.cil 472 LOCAL_MODULE_CLASS := ETC 473 LOCAL_MODULE_TAGS := optional 474 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping 475 476 include $(BUILD_PREBUILT) 477 ################################# 478 include $(CLEAR_VARS) 479 480 LOCAL_MODULE := 26.0.cil 481 LOCAL_SRC_FILES := private/compat/26.0/26.0.cil 482 LOCAL_MODULE_CLASS := ETC 483 LOCAL_MODULE_TAGS := optional 484 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping 485 486 include $(BUILD_PREBUILT) 487 ################################# 488 include $(CLEAR_VARS) 489 490 LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256 491 LOCAL_MODULE_CLASS := ETC 492 LOCAL_MODULE_TAGS := optional 493 LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux 494 495 include $(BUILD_SYSTEM)/base_rules.mk 496 497 $(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil) 498 cat $^ | sha256sum | cut -d' ' -f1 > $@ 499 500 ################################# 501 include $(CLEAR_VARS) 502 503 # plat_pub_versioned.cil - the exported platform policy associated with the version 504 # that non-platform policy targets. 505 LOCAL_MODULE := plat_pub_versioned.cil 506 LOCAL_MODULE_CLASS := ETC 507 LOCAL_MODULE_TAGS := optional 508 LOCAL_PROPRIETARY_MODULE := true 509 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 510 511 include $(BUILD_SYSTEM)/base_rules.mk 512 513 $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 514 $(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(plat_pub_policy.cil) 515 $(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil) 516 $(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ 517 $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_mapping_cil) 518 @mkdir -p $(dir $@) 519 $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@ 520 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \ 521 $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null 522 523 built_plat_pub_vers_cil := $(LOCAL_BUILT_MODULE) 524 525 ################################# 526 include $(CLEAR_VARS) 527 528 # vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined 529 # with the platform-provided policy. It makes use of the reqd_policy_mask files from private 530 # policy and the platform public policy files in order to use checkpolicy. 531 LOCAL_MODULE := vendor_sepolicy.cil 532 LOCAL_MODULE_CLASS := ETC 533 LOCAL_MODULE_TAGS := optional 534 LOCAL_PROPRIETARY_MODULE := true 535 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 536 537 include $(BUILD_SYSTEM)/base_rules.mk 538 539 vendor_policy.conf := $(intermediates)/vendor_policy.conf 540 $(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 541 $(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 542 $(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 543 $(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 544 $(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 545 $(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 546 $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 547 $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 548 $(vendor_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 549 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS)) 550 $(transform-policy-to-conf) 551 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 552 553 $(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf) 554 $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 555 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil) 556 $(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 557 $(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) 558 $(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_plat_pub_vers_cil) 559 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ 560 $(vendor_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \ 561 $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) 562 @mkdir -p $(dir $@) 563 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ 564 -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ 565 -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \ 566 -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ 567 568 built_vendor_cil := $(LOCAL_BUILT_MODULE) 569 vendor_policy.conf := 570 571 ################################# 572 include $(CLEAR_VARS) 573 574 # odm_policy.cil - the odm sepolicy. This needs attributization and to be combined 575 # with the platform-provided policy. It makes use of the reqd_policy_mask files from private 576 # policy and the platform public policy files in order to use checkpolicy. 577 LOCAL_MODULE := odm_sepolicy.cil 578 LOCAL_MODULE_CLASS := ETC 579 LOCAL_MODULE_TAGS := optional 580 LOCAL_PROPRIETARY_MODULE := true 581 LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 582 583 include $(BUILD_SYSTEM)/base_rules.mk 584 585 odm_policy.conf := $(intermediates)/odm_policy.conf 586 $(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 587 $(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 588 $(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 589 $(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 590 $(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 591 $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 592 $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 593 $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 594 $(odm_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 595 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \ 596 $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) 597 $(transform-policy-to-conf) 598 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 599 600 $(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf) 601 $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 602 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil) 603 $(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 604 $(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) \ 605 $(built_mapping_cil) $(built_vendor_cil) 606 $(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_pub_vers_cil) $(built_vendor_cil) 607 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ 608 $(odm_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \ 609 $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) $(built_vendor_cil) 610 @mkdir -p $(dir $@) 611 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ 612 -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ 613 -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \ 614 -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ 615 616 built_odm_cil := $(LOCAL_BUILT_MODULE) 617 odm_policy.conf := 618 odm_policy_raw := 619 620 ################################# 621 include $(CLEAR_VARS) 622 623 LOCAL_MODULE := precompiled_sepolicy 624 LOCAL_MODULE_CLASS := ETC 625 LOCAL_MODULE_TAGS := optional 626 LOCAL_PROPRIETARY_MODULE := true 627 628 ifeq ($(BOARD_USES_ODMIMAGE),true) 629 LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 630 else 631 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 632 endif 633 634 include $(BUILD_SYSTEM)/base_rules.mk 635 636 all_cil_files := \ 637 $(built_plat_cil) \ 638 $(built_mapping_cil) \ 639 $(built_plat_pub_vers_cil) \ 640 $(built_vendor_cil) 641 642 ifdef BOARD_ODM_SEPOLICY_DIRS 643 all_cil_files += $(built_odm_cil) 644 endif 645 646 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files) 647 $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 648 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows) 649 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \ 650 $(PRIVATE_CIL_FILES) -o $@ -f /dev/null 651 652 built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE) 653 all_cil_files := 654 655 ################################# 656 # SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against 657 # which precompiled_policy was built. 658 ################################# 659 include $(CLEAR_VARS) 660 LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256 661 LOCAL_MODULE_CLASS := ETC 662 LOCAL_MODULE_TAGS := optional 663 LOCAL_PROPRIETARY_MODULE := true 664 665 ifeq ($(BOARD_USES_ODMIMAGE),true) 666 LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 667 else 668 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 669 endif 670 671 include $(BUILD_SYSTEM)/base_rules.mk 672 673 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil) 674 $(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil) 675 cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ 676 677 ################################# 678 include $(CLEAR_VARS) 679 # build this target so that we can still perform neverallow checks 680 681 LOCAL_MODULE := sepolicy 682 LOCAL_MODULE_CLASS := ETC 683 LOCAL_MODULE_TAGS := optional 684 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 685 686 include $(BUILD_SYSTEM)/base_rules.mk 687 688 all_cil_files := \ 689 $(built_plat_cil) \ 690 $(built_mapping_cil) \ 691 $(built_plat_pub_vers_cil) \ 692 $(built_vendor_cil) 693 694 ifdef BOARD_ODM_SEPOLICY_DIRS 695 all_cil_files += $(built_odm_cil) 696 endif 697 698 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files) 699 $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 700 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \ 701 $(built_sepolicy_neverallows) 702 @mkdir -p $(dir $@) 703 $(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null 704 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains 705 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ 706 echo "==========" 1>&2; \ 707 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ 708 echo "List of invalid domains:" 1>&2; \ 709 cat $@.permissivedomains 1>&2; \ 710 exit 1; \ 711 fi 712 $(hide) mv $@.tmp $@ 713 714 built_sepolicy := $(LOCAL_BUILT_MODULE) 715 all_cil_files := 716 717 ################################# 718 include $(CLEAR_VARS) 719 720 # keep concrete sepolicy for neverallow checks 721 # If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling. 722 723 LOCAL_MODULE := sepolicy.recovery 724 LOCAL_MODULE_STEM := sepolicy 725 LOCAL_MODULE_CLASS := ETC 726 LOCAL_MODULE_TAGS := optional 727 LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 728 729 include $(BUILD_SYSTEM)/base_rules.mk 730 731 sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf 732 $(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 733 $(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 734 $(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 735 $(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 736 $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 737 $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 738 $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true 739 $(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \ 740 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ 741 $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \ 742 $(BOARD_ODM_SEPOLICY_DIRS)) 743 $(transform-policy-to-conf) 744 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 745 ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) 746 $(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow 747 $(hide) mv $@.neverallow $@ 748 endif 749 750 $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 751 $(HOST_OUT_EXECUTABLES)/sepolicy-analyze 752 @mkdir -p $(dir $@) 753 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \ 754 $(POLICYVERS) -o $@.tmp $< 755 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains 756 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ 757 echo "==========" 1>&2; \ 758 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ 759 echo "List of invalid domains:" 1>&2; \ 760 cat $@.permissivedomains 1>&2; \ 761 exit 1; \ 762 fi 763 $(hide) mv $@.tmp $@ 764 765 sepolicy.recovery.conf := 766 767 ################################## 768 # SELinux policy embedded into CTS. 769 # CTS checks neverallow rules of this policy against the policy of the device under test. 770 ################################## 771 include $(CLEAR_VARS) 772 773 LOCAL_MODULE := general_sepolicy.conf 774 LOCAL_MODULE_CLASS := ETC 775 LOCAL_MODULE_TAGS := tests 776 777 include $(BUILD_SYSTEM)/base_rules.mk 778 779 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS) 780 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS) 781 $(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user 782 $(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch) 783 $(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false 784 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts 785 $(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts 786 $(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \ 787 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 788 $(transform-policy-to-conf) 789 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 790 791 ################################## 792 # TODO - remove this. Keep around until we get the filesystem creation stuff taken care of. 793 # 794 include $(CLEAR_VARS) 795 796 LOCAL_MODULE := file_contexts.bin 797 LOCAL_MODULE_CLASS := ETC 798 LOCAL_MODULE_TAGS := optional 799 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 800 801 include $(BUILD_SYSTEM)/base_rules.mk 802 803 # The file_contexts.bin is built in the following way: 804 # 1. Collect all file_contexts files in THIS repository and process them with 805 # m4 into a tmp file called file_contexts.local.tmp. 806 # 2. Collect all device specific file_contexts files and process them with m4 807 # into a tmp file called file_contexts.device.tmp. 808 # 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on 809 # file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. 810 # 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into 811 # file_contexts.concat.tmp. 812 # 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce 813 # file_contexts.bin. 814 # 815 # Note: That a newline file is placed between each file_context file found to 816 # ensure a proper build when an fc file is missing an ending newline. 817 818 local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY)) 819 820 ifneq ($(filter address,$(SANITIZE_TARGET)),) 821 local_fc_files := $(local_fc_files) $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY))) 822 endif 823 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl)) 824 825 file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp 826 $(file_contexts.local.tmp): $(local_fcfiles_with_nl) 827 @mkdir -p $(dir $@) 828 $(hide) m4 -s $^ > $@ 829 830 device_fc_files := $(call build_vendor_policy, file_contexts) 831 832 ifdef BOARD_ODM_SEPOLICY_DIRS 833 device_fc_files += $(call build_odm_policy, file_contexts) 834 endif 835 836 device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl)) 837 838 file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp 839 $(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 840 $(file_contexts.device.tmp): $(device_fcfiles_with_nl) 841 @mkdir -p $(dir $@) 842 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ 843 844 file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp 845 $(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy) 846 $(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \ 847 $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc 848 @mkdir -p $(dir $@) 849 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $< 850 $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@ 851 852 file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp 853 $(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) 854 @mkdir -p $(dir $@) 855 $(hide) m4 -s $^ > $@ 856 857 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 858 $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc 859 @mkdir -p $(dir $@) 860 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< 861 $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< 862 863 built_fc := $(LOCAL_BUILT_MODULE) 864 local_fc_files := 865 local_fcfiles_with_nl := 866 device_fc_files := 867 device_fcfiles_with_nl := 868 file_contexts.concat.tmp := 869 file_contexts.device.sorted.tmp := 870 file_contexts.device.tmp := 871 file_contexts.local.tmp := 872 873 ################################## 874 ifneq ($(TARGET_BUILD_VARIANT), user) 875 include $(CLEAR_VARS) 876 877 LOCAL_MODULE := selinux_denial_metadata 878 LOCAL_MODULE_CLASS := ETC 879 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 880 881 include $(BUILD_SYSTEM)/base_rules.mk 882 883 bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY)) 884 885 $(LOCAL_BUILT_MODULE) : $(bug_files) 886 @mkdir -p $(dir $@) 887 cat $^ > $@ 888 889 bug_files := 890 endif 891 ################################## 892 include $(CLEAR_VARS) 893 894 LOCAL_MODULE := plat_file_contexts 895 LOCAL_MODULE_CLASS := ETC 896 LOCAL_MODULE_TAGS := optional 897 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 898 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 899 else 900 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 901 endif 902 903 include $(BUILD_SYSTEM)/base_rules.mk 904 905 local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY)) 906 ifneq ($(filter address,$(SANITIZE_TARGET)),) 907 local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY))) 908 endif 909 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl)) 910 911 $(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl) 912 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 913 $(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort 914 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \ 915 $(local_fcfiles_with_nl) $(built_sepolicy) 916 @mkdir -p $(dir $@) 917 $(hide) m4 -s $(PRIVATE_FC_FILES) > $@.tmp 918 $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp 919 $(hide) $(PRIVATE_FC_SORT) $@.tmp $@ 920 921 built_plat_fc := $(LOCAL_BUILT_MODULE) 922 local_fc_files := 923 local_fcfiles_with_nl := 924 925 ################################## 926 include $(CLEAR_VARS) 927 928 LOCAL_MODULE := vendor_file_contexts 929 LOCAL_MODULE_CLASS := ETC 930 LOCAL_MODULE_TAGS := optional 931 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 932 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 933 else 934 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 935 endif 936 937 include $(BUILD_SYSTEM)/base_rules.mk 938 939 vendor_fc_files := $(call build_vendor_policy, file_contexts) 940 vendor_fcfiles_with_nl := $(call add_nl, $(vendor_fc_files), $(built_nl)) 941 942 $(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(vendor_fcfiles_with_nl) 943 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 944 $(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort 945 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \ 946 $(vendor_fcfiles_with_nl) $(built_sepolicy) 947 @mkdir -p $(dir $@) 948 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp 949 $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp 950 $(hide) $(PRIVATE_FC_SORT) $@.tmp $@ 951 952 built_vendor_fc := $(LOCAL_BUILT_MODULE) 953 vendor_fc_files := 954 vendor_fcfiles_with_nl := 955 956 ################################## 957 include $(CLEAR_VARS) 958 959 LOCAL_MODULE := odm_file_contexts 960 LOCAL_MODULE_CLASS := ETC 961 LOCAL_MODULE_TAGS := optional 962 LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 963 964 include $(BUILD_SYSTEM)/base_rules.mk 965 966 odm_fc_files := $(call build_odm_policy, file_contexts) 967 odm_fcfiles_with_nl := $(call add_nl, $(odm_fc_files), $(built_nl)) 968 969 $(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(odm_fcfiles_with_nl) 970 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 971 $(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort 972 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \ 973 $(odm_fcfiles_with_nl) $(built_sepolicy) 974 @mkdir -p $(dir $@) 975 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp 976 $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp 977 $(hide) $(PRIVATE_FC_SORT) $@.tmp $@ 978 979 built_odm_fc := $(LOCAL_BUILT_MODULE) 980 odm_fc_files := 981 odm_fcfiles_with_nl := 982 983 ################################## 984 include $(CLEAR_VARS) 985 986 LOCAL_MODULE := plat_file_contexts.recovery 987 LOCAL_MODULE_STEM := plat_file_contexts 988 LOCAL_MODULE_CLASS := ETC 989 LOCAL_MODULE_TAGS := optional 990 LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 991 992 include $(BUILD_SYSTEM)/base_rules.mk 993 994 $(LOCAL_BUILT_MODULE): $(built_plat_fc) 995 $(hide) cp -f $< $@ 996 997 ################################## 998 include $(CLEAR_VARS) 999 LOCAL_MODULE := vendor_file_contexts.recovery 1000 LOCAL_MODULE_STEM := vendor_file_contexts 1001 LOCAL_MODULE_CLASS := ETC 1002 LOCAL_MODULE_TAGS := optional 1003 LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1004 1005 include $(BUILD_SYSTEM)/base_rules.mk 1006 1007 $(LOCAL_BUILT_MODULE): $(built_vendor_fc) 1008 $(hide) cp -f $< $@ 1009 1010 ################################## 1011 include $(CLEAR_VARS) 1012 LOCAL_MODULE := odm_file_contexts.recovery 1013 LOCAL_MODULE_STEM := odm_file_contexts 1014 LOCAL_MODULE_CLASS := ETC 1015 LOCAL_MODULE_TAGS := optional 1016 LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1017 1018 include $(BUILD_SYSTEM)/base_rules.mk 1019 1020 $(LOCAL_BUILT_MODULE): $(built_odm_fc) 1021 $(hide) cp -f $< $@ 1022 1023 ################################## 1024 include $(CLEAR_VARS) 1025 LOCAL_MODULE := plat_seapp_contexts 1026 LOCAL_MODULE_CLASS := ETC 1027 LOCAL_MODULE_TAGS := optional 1028 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1029 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 1030 else 1031 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1032 endif 1033 1034 include $(BUILD_SYSTEM)/base_rules.mk 1035 1036 plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY)) 1037 1038 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1039 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files) 1040 $(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp 1041 @mkdir -p $(dir $@) 1042 $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) 1043 1044 built_plat_sc := $(LOCAL_BUILT_MODULE) 1045 plat_sc_files := 1046 1047 ################################## 1048 include $(CLEAR_VARS) 1049 LOCAL_MODULE := vendor_seapp_contexts 1050 LOCAL_MODULE_CLASS := ETC 1051 LOCAL_MODULE_TAGS := optional 1052 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1053 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1054 else 1055 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1056 endif 1057 1058 include $(BUILD_SYSTEM)/base_rules.mk 1059 1060 vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1061 plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY)) 1062 1063 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1064 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files) 1065 $(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files) 1066 $(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files) 1067 @mkdir -p $(dir $@) 1068 $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp 1069 $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp 1070 1071 built_vendor_sc := $(LOCAL_BUILT_MODULE) 1072 vendor_sc_files := 1073 1074 ################################## 1075 include $(CLEAR_VARS) 1076 LOCAL_MODULE := odm_seapp_contexts 1077 LOCAL_MODULE_CLASS := ETC 1078 LOCAL_MODULE_TAGS := optional 1079 LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1080 1081 include $(BUILD_SYSTEM)/base_rules.mk 1082 1083 odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS)) 1084 plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY)) 1085 1086 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1087 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files) 1088 $(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files) 1089 $(LOCAL_BUILT_MODULE): $(built_sepolicy) $(odm_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files) 1090 @mkdir -p $(dir $@) 1091 $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp 1092 $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp 1093 1094 built_odm_sc := $(LOCAL_BUILT_MODULE) 1095 odm_sc_files := 1096 1097 ################################## 1098 include $(CLEAR_VARS) 1099 LOCAL_MODULE := plat_seapp_neverallows 1100 LOCAL_MODULE_CLASS := ETC 1101 LOCAL_MODULE_TAGS := tests 1102 1103 include $(BUILD_SYSTEM)/base_rules.mk 1104 1105 $(LOCAL_BUILT_MODULE): $(plat_sc_neverallow_files) 1106 @mkdir -p $(dir $@) 1107 - $(hide) grep -ihe '^neverallow' $< > $@ 1108 1109 plat_sc_neverallow_files := 1110 1111 ################################## 1112 include $(CLEAR_VARS) 1113 1114 LOCAL_MODULE := plat_property_contexts 1115 LOCAL_MODULE_CLASS := ETC 1116 LOCAL_MODULE_TAGS := optional 1117 1118 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1119 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 1120 else 1121 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1122 endif 1123 1124 include $(BUILD_SYSTEM)/base_rules.mk 1125 1126 plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY)) 1127 ifeq ($(PRODUCT_COMPATIBLE_PROPERTY),true) 1128 plat_pcfiles += $(LOCAL_PATH)/public/property_contexts 1129 endif 1130 1131 plat_property_contexts.tmp := $(intermediates)/plat_property_contexts.tmp 1132 $(plat_property_contexts.tmp): PRIVATE_PC_FILES := $(plat_pcfiles) 1133 $(plat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1134 $(plat_property_contexts.tmp): $(plat_pcfiles) 1135 @mkdir -p $(dir $@) 1136 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@ 1137 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1138 $(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker 1139 @mkdir -p $(dir $@) 1140 $(hide) cp -f $< $@ 1141 $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $@ 1142 1143 built_plat_pc := $(LOCAL_BUILT_MODULE) 1144 plat_pcfiles := 1145 plat_property_contexts.tmp := 1146 1147 ################################## 1148 include $(CLEAR_VARS) 1149 LOCAL_MODULE := vendor_property_contexts 1150 LOCAL_MODULE_CLASS := ETC 1151 LOCAL_MODULE_TAGS := optional 1152 1153 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1154 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1155 else 1156 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1157 endif 1158 1159 include $(BUILD_SYSTEM)/base_rules.mk 1160 1161 vendor_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1162 1163 vendor_property_contexts.tmp := $(intermediates)/vendor_property_contexts.tmp 1164 $(vendor_property_contexts.tmp): PRIVATE_PC_FILES := $(vendor_pcfiles) 1165 $(vendor_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1166 $(vendor_property_contexts.tmp): $(vendor_pcfiles) 1167 @mkdir -p $(dir $@) 1168 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@ 1169 1170 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1171 $(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc) 1172 $(LOCAL_BUILT_MODULE): $(vendor_property_contexts.tmp) $(built_sepolicy) $(built_plat_pc) $(HOST_OUT_EXECUTABLES)/property_info_checker 1173 @mkdir -p $(dir $@) 1174 $(hide) cp -f $< $@ 1175 $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $(PRIVATE_BUILT_PLAT_PC) $@ 1176 1177 built_vendor_pc := $(LOCAL_BUILT_MODULE) 1178 vendor_pcfiles := 1179 vendor_property_contexts.tmp := 1180 1181 ################################## 1182 include $(CLEAR_VARS) 1183 LOCAL_MODULE := odm_property_contexts 1184 LOCAL_MODULE_CLASS := ETC 1185 LOCAL_MODULE_TAGS := optional 1186 LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1187 1188 include $(BUILD_SYSTEM)/base_rules.mk 1189 1190 odm_pcfiles := $(call build_policy, property_contexts, $(BOARD_ODM_SEPOLICY_DIRS)) 1191 1192 odm_property_contexts.tmp := $(intermediates)/odm_property_contexts.tmp 1193 $(odm_property_contexts.tmp): PRIVATE_PC_FILES := $(odm_pcfiles) 1194 $(odm_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1195 $(odm_property_contexts.tmp): $(odm_pcfiles) 1196 @mkdir -p $(dir $@) 1197 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@ 1198 1199 1200 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1201 $(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc) 1202 $(LOCAL_BUILT_MODULE): PRIVATE_BUILT_VENDOR_PC := $(built_vendor_pc) 1203 $(LOCAL_BUILT_MODULE): $(odm_property_contexts.tmp) $(built_sepolicy) $(built_plat_pc) $(built_vendor_pc) $(HOST_OUT_EXECUTABLES)/property_info_checker 1204 @mkdir -p $(dir $@) 1205 $(hide) cp -f $< $@ 1206 $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $(PRIVATE_BUILT_PLAT_PC) $(PRIVATE_BUILT_VENDOR_PC) $@ 1207 1208 built_odm_pc := $(LOCAL_BUILT_MODULE) 1209 odm_pcfiles := 1210 odm_property_contexts.tmp := 1211 1212 ################################## 1213 include $(CLEAR_VARS) 1214 1215 LOCAL_MODULE := plat_property_contexts.recovery 1216 LOCAL_MODULE_STEM := plat_property_contexts 1217 LOCAL_MODULE_CLASS := ETC 1218 LOCAL_MODULE_TAGS := optional 1219 LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1220 1221 include $(BUILD_SYSTEM)/base_rules.mk 1222 1223 $(LOCAL_BUILT_MODULE): $(built_plat_pc) 1224 $(hide) cp -f $< $@ 1225 1226 ################################## 1227 include $(CLEAR_VARS) 1228 LOCAL_MODULE := vendor_property_contexts.recovery 1229 LOCAL_MODULE_STEM := vendor_property_contexts 1230 LOCAL_MODULE_CLASS := ETC 1231 LOCAL_MODULE_TAGS := optional 1232 LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1233 1234 include $(BUILD_SYSTEM)/base_rules.mk 1235 1236 $(LOCAL_BUILT_MODULE): $(built_vendor_pc) 1237 $(hide) cp -f $< $@ 1238 1239 ################################## 1240 include $(CLEAR_VARS) 1241 LOCAL_MODULE := odm_property_contexts.recovery 1242 LOCAL_MODULE_STEM := odm_property_contexts 1243 LOCAL_MODULE_CLASS := ETC 1244 LOCAL_MODULE_TAGS := optional 1245 LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1246 1247 include $(BUILD_SYSTEM)/base_rules.mk 1248 1249 $(LOCAL_BUILT_MODULE): $(built_odm_pc) 1250 $(hide) cp -f $< $@ 1251 1252 ################################## 1253 include $(CLEAR_VARS) 1254 1255 LOCAL_MODULE := plat_service_contexts 1256 LOCAL_MODULE_CLASS := ETC 1257 LOCAL_MODULE_TAGS := optional 1258 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1259 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 1260 else 1261 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1262 endif 1263 1264 include $(BUILD_SYSTEM)/base_rules.mk 1265 1266 plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY)) 1267 1268 plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp 1269 $(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles) 1270 $(plat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1271 $(plat_service_contexts.tmp): $(plat_svcfiles) 1272 @mkdir -p $(dir $@) 1273 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1274 1275 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1276 $(LOCAL_BUILT_MODULE): $(plat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1277 @mkdir -p $(dir $@) 1278 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1279 $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@ 1280 1281 built_plat_svc := $(LOCAL_BUILT_MODULE) 1282 plat_svcfiles := 1283 plat_service_contexts.tmp := 1284 1285 ################################## 1286 # nonplat_service_contexts is only allowed on non-full-treble devices 1287 ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) 1288 1289 include $(CLEAR_VARS) 1290 1291 LOCAL_MODULE := vendor_service_contexts 1292 LOCAL_MODULE_CLASS := ETC 1293 LOCAL_MODULE_TAGS := optional 1294 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1295 1296 include $(BUILD_SYSTEM)/base_rules.mk 1297 1298 vendor_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1299 1300 vendor_service_contexts.tmp := $(intermediates)/vendor_service_contexts.tmp 1301 $(vendor_service_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_svcfiles) 1302 $(vendor_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1303 $(vendor_service_contexts.tmp): $(vendor_svcfiles) 1304 @mkdir -p $(dir $@) 1305 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1306 1307 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1308 $(LOCAL_BUILT_MODULE): $(vendor_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1309 @mkdir -p $(dir $@) 1310 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1311 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@ 1312 1313 built_vendor_svc := $(LOCAL_BUILT_MODULE) 1314 vendor_svcfiles := 1315 vendor_service_contexts.tmp := 1316 1317 endif 1318 1319 ################################## 1320 include $(CLEAR_VARS) 1321 1322 LOCAL_MODULE := plat_hwservice_contexts 1323 LOCAL_MODULE_CLASS := ETC 1324 LOCAL_MODULE_TAGS := optional 1325 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1326 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 1327 else 1328 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1329 endif 1330 1331 include $(BUILD_SYSTEM)/base_rules.mk 1332 1333 plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY)) 1334 1335 plat_hwservice_contexts.tmp := $(intermediates)/plat_hwservice_contexts.tmp 1336 $(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles) 1337 $(plat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1338 $(plat_hwservice_contexts.tmp): $(plat_hwsvcfiles) 1339 @mkdir -p $(dir $@) 1340 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1341 1342 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1343 $(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1344 @mkdir -p $(dir $@) 1345 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1346 $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@ 1347 1348 plat_hwsvcfiles := 1349 plat_hwservice_contexts.tmp := 1350 1351 ################################## 1352 include $(CLEAR_VARS) 1353 1354 LOCAL_MODULE := vendor_hwservice_contexts 1355 LOCAL_MODULE_CLASS := ETC 1356 LOCAL_MODULE_TAGS := optional 1357 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1358 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1359 else 1360 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1361 endif 1362 1363 include $(BUILD_SYSTEM)/base_rules.mk 1364 1365 vendor_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1366 1367 vendor_hwservice_contexts.tmp := $(intermediates)/vendor_hwservice_contexts.tmp 1368 $(vendor_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_hwsvcfiles) 1369 $(vendor_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1370 $(vendor_hwservice_contexts.tmp): $(vendor_hwsvcfiles) 1371 @mkdir -p $(dir $@) 1372 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1373 1374 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1375 $(LOCAL_BUILT_MODULE): $(vendor_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1376 @mkdir -p $(dir $@) 1377 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1378 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@ 1379 1380 vendor_hwsvcfiles := 1381 vendor_hwservice_contexts.tmp := 1382 1383 ################################## 1384 include $(CLEAR_VARS) 1385 1386 LOCAL_MODULE := odm_hwservice_contexts 1387 LOCAL_MODULE_CLASS := ETC 1388 LOCAL_MODULE_TAGS := optional 1389 LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1390 1391 include $(BUILD_SYSTEM)/base_rules.mk 1392 1393 odm_hwsvcfiles := $(call build_policy, hwservice_contexts, $(BOARD_ODM_SEPOLICY_DIRS)) 1394 1395 odm_hwservice_contexts.tmp := $(intermediates)/odm_hwservice_contexts.tmp 1396 $(odm_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(odm_hwsvcfiles) 1397 $(odm_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1398 $(odm_hwservice_contexts.tmp): $(odm_hwsvcfiles) 1399 @mkdir -p $(dir $@) 1400 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1401 1402 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1403 $(LOCAL_BUILT_MODULE): $(odm_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1404 @mkdir -p $(dir $@) 1405 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1406 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@ 1407 1408 odm_hwsvcfiles := 1409 odm_hwservice_contexts.tmp := 1410 1411 ################################## 1412 include $(CLEAR_VARS) 1413 1414 LOCAL_MODULE := vndservice_contexts 1415 LOCAL_MODULE_CLASS := ETC 1416 LOCAL_MODULE_TAGS := optional 1417 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1418 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1419 else 1420 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1421 endif 1422 1423 include $(BUILD_SYSTEM)/base_rules.mk 1424 1425 vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1426 1427 vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp 1428 $(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles) 1429 $(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1430 $(vndservice_contexts.tmp): $(vnd_svcfiles) 1431 @mkdir -p $(dir $@) 1432 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1433 1434 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1435 $(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1436 @mkdir -p $(dir $@) 1437 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1438 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@ 1439 1440 vnd_svcfiles := 1441 vndservice_contexts.tmp := 1442 ################################## 1443 include $(CLEAR_VARS) 1444 1445 LOCAL_MODULE := plat_mac_permissions.xml 1446 LOCAL_MODULE_CLASS := ETC 1447 LOCAL_MODULE_TAGS := optional 1448 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 1449 1450 include $(BUILD_SYSTEM)/base_rules.mk 1451 1452 # Build keys.conf 1453 plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp 1454 $(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1455 $(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY)) 1456 @mkdir -p $(dir $@) 1457 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ 1458 1459 all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY)) 1460 1461 # Should be synced with keys.conf. 1462 all_plat_keys := platform media shared testkey 1463 all_plat_keys := $(all_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem) 1464 1465 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files) 1466 $(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \ 1467 $(all_plat_mac_perms_files) $(all_plat_keys) 1468 @mkdir -p $(dir $@) 1469 $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \ 1470 $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES) 1471 1472 all_mac_perms_files := 1473 all_plat_keys := 1474 plat_mac_perms_keys.tmp := 1475 1476 ################################## 1477 include $(CLEAR_VARS) 1478 1479 LOCAL_MODULE := vendor_mac_permissions.xml 1480 LOCAL_MODULE_CLASS := ETC 1481 LOCAL_MODULE_TAGS := optional 1482 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1483 1484 include $(BUILD_SYSTEM)/base_rules.mk 1485 1486 # Build keys.conf 1487 vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp 1488 $(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1489 $(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1490 @mkdir -p $(dir $@) 1491 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ 1492 1493 all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1494 1495 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files) 1496 $(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \ 1497 $(all_vendor_mac_perms_files) 1498 @mkdir -p $(dir $@) 1499 $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES) 1500 1501 vendor_mac_perms_keys.tmp := 1502 all_vendor_mac_perms_files := 1503 1504 ################################## 1505 include $(CLEAR_VARS) 1506 1507 LOCAL_MODULE := odm_mac_permissions.xml 1508 LOCAL_MODULE_CLASS := ETC 1509 LOCAL_MODULE_TAGS := optional 1510 LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1511 1512 include $(BUILD_SYSTEM)/base_rules.mk 1513 1514 # Build keys.conf 1515 odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp 1516 $(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1517 $(odm_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1518 @mkdir -p $(dir $@) 1519 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ 1520 1521 all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1522 1523 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files) 1524 $(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \ 1525 $(all_odm_mac_perms_files) 1526 @mkdir -p $(dir $@) 1527 $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES) 1528 1529 odm_mac_perms_keys.tmp := 1530 all_odm_mac_perms_files := 1531 1532 ################################# 1533 include $(CLEAR_VARS) 1534 LOCAL_MODULE := sepolicy_tests 1535 LOCAL_MODULE_CLASS := ETC 1536 LOCAL_MODULE_TAGS := tests 1537 1538 include $(BUILD_SYSTEM)/base_rules.mk 1539 1540 all_fc_files := $(built_plat_fc) $(built_vendor_fc) 1541 ifdef BOARD_ODM_SEPOLICY_DIRS 1542 all_fc_files += $(built_odm_fc) 1543 endif 1544 all_fc_args := $(foreach file, $(all_fc_files), -f $(file)) 1545 1546 sepolicy_tests := $(intermediates)/sepolicy_tests 1547 $(sepolicy_tests): ALL_FC_ARGS := $(all_fc_args) 1548 $(sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy) 1549 $(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy) 1550 @mkdir -p $(dir $@) 1551 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \ 1552 $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY) 1553 $(hide) touch $@ 1554 1555 ################################## 1556 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1557 1558 intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,) 1559 1560 # plat_sepolicy - the current platform policy only, built into a policy binary. 1561 # TODO - this currently excludes partner extensions, but support should be added 1562 # to enable partners to add their own compatibility mapping 1563 BASE_PLAT_PUBLIC_POLICY := $(filter-out $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR), $(PLAT_PUBLIC_POLICY)) 1564 BASE_PLAT_PRIVATE_POLICY := $(filter-out $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR), $(PLAT_PRIVATE_POLICY)) 1565 base_plat_policy.conf := $(intermediates)/base_plat_policy.conf 1566 $(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 1567 $(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 1568 $(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user 1569 $(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 1570 $(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 1571 $(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1572 $(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true 1573 $(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 1574 $(base_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 1575 $(BASE_PLAT_PUBLIC_POLICY) $(BASE_PLAT_PRIVATE_POLICY)) 1576 $(transform-policy-to-conf) 1577 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 1578 1579 built_plat_sepolicy := $(intermediates)/built_plat_sepolicy 1580 $(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \ 1581 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY)) 1582 $(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 1583 $(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 1584 $(HOST_OUT_EXECUTABLES)/secilc \ 1585 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY)) \ 1586 $(built_sepolicy_neverallows) 1587 @mkdir -p $(dir $@) 1588 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 1589 $(POLICYVERS) -o $@ $< 1590 $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@ 1591 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null 1592 1593 all_fc_files := $(built_plat_fc) $(built_vendor_fc) 1594 ifdef BOARD_ODM_SEPOLICY_DIRS 1595 all_fc_files += $(built_odm_fc) 1596 endif 1597 all_fc_args := $(foreach file, $(all_fc_files), -f $(file)) 1598 1599 # Tests for Treble compatibility of current platform policy and vendor policy of 1600 # given release version. 1601 version_under_treble_tests := 26.0 1602 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1603 1604 version_under_treble_tests := 27.0 1605 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1606 1607 BASE_PLAT_PUBLIC_POLICY := 1608 BASE_PLAT_PRIVATE_POLICY := 1609 base_plat_policy.conf := 1610 plat_sepolicy := 1611 1612 endif # ($(PRODUCT_SEPOLICY_SPLIT),true) 1613 1614 ################################# 1615 include $(CLEAR_VARS) 1616 LOCAL_MODULE := sepolicy_freeze_test 1617 LOCAL_MODULE_CLASS := ETC 1618 LOCAL_MODULE_TAGS := tests 1619 1620 include $(BUILD_SYSTEM)/base_rules.mk 1621 1622 base_plat_public := $(LOCAL_PATH)/public 1623 base_plat_private := $(LOCAL_PATH)/private 1624 base_plat_public_prebuilt := \ 1625 $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public 1626 base_plat_private_prebuilt := \ 1627 $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private 1628 1629 all_frozen_files := $(call build_policy,$(sepolicy_build_files), \ 1630 $(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt)) 1631 1632 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public) 1633 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private) 1634 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt) 1635 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt) 1636 $(LOCAL_BUILT_MODULE): $(all_frozen_files) 1637 ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 1638 @diff -rq $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC) 1639 @diff -rq $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE) 1640 endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 1641 $(hide) touch $@ 1642 1643 base_plat_public := 1644 base_plat_private := 1645 base_plat_public_prebuilt := 1646 base_plat_private_prebuilt := 1647 all_frozen_files := 1648 1649 ################################# 1650 1651 1652 add_nl := 1653 build_vendor_policy := 1654 build_odm_policy := 1655 build_policy := 1656 built_plat_fc := 1657 built_vendor_fc := 1658 built_odm_fc := 1659 built_nl := 1660 built_plat_cil := 1661 built_plat_pub_vers_cil := 1662 built_mapping_cil := 1663 built_plat_pc := 1664 built_vendor_cil := 1665 built_vendor_pc := 1666 built_vendor_sc := 1667 built_odm_cil := 1668 built_odm_pc := 1669 built_odm_sc := 1670 built_plat_sc := 1671 built_precompiled_sepolicy := 1672 built_sepolicy := 1673 built_sepolicy_neverallows := 1674 built_plat_svc := 1675 built_vendor_svc := 1676 built_plat_sepolicy := 1677 mapping_policy := 1678 my_target_arch := 1679 plat_pub_policy.cil := 1680 reqd_policy_mask.cil := 1681 sepolicy_build_files := 1682 sepolicy_build_cil_workaround_files := 1683 with_asan := 1684 1685 include $(call all-makefiles-under,$(LOCAL_PATH)) 1686
