1// Copyright (C) 2018 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15package {
16    default_applicable_licenses: ["system_sepolicy_license"],
17}
18
19// Added automatically by a large-scale-change that took the approach of
20// 'apply every license found to every target'. While this makes sure we respect
21// every license restriction, it may not be entirely correct.
22//
23// e.g. GPL in an MIT project might only apply to the contrib/ directory.
24//
25// Please consider splitting the single license below into multiple licenses,
26// taking care not to lose any license_kind information, and overriding the
27// default license using the 'licenses: [...]' property on targets as needed.
28//
29// For unused files, consider creating a 'filegroup' with "//visibility:private"
30// to attach the license to, and including a comment whether the files may be
31// used in the current project.
32// http://go/android-license-faq
33license {
34    name: "system_sepolicy_license",
35    visibility: [":__subpackages__"],
36    license_kinds: [
37        "SPDX-license-identifier-Apache-2.0",
38        "legacy_unencumbered",
39    ],
40    license_text: [
41        "NOTICE",
42    ],
43}
44
// Shared cflags for the policy tools: SEPOLICY_VERSION is the policy database
// version they emit/accept. NOTE(review): presumably the SELinux policy DB
// version (libsepol/kernel), not an Android release number — confirm with the
// consumers of this define before bumping it, since a newer DB version may
// not load on older kernels.
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
46
// Board-side compatibility mapping sources, one se_filegroup per platform
// release (compat/<ver>/<ver>.cil). Each is spliced in as the bottom_half of
// the matching se_cil_compat_map module further down.
//
// NOTE(review): these mappings are what let vendor policy built against an
// older platform release resolve against current platform types, so an edit
// here reaches every device still shipping that vendor policy — check the
// compat/ documentation before changing an existing release's map.
se_filegroup {
    name: "26.0.board.compat.map",
    srcs: [
        "compat/26.0/26.0.cil",
    ],
}

se_filegroup {
    name: "27.0.board.compat.map",
    srcs: [
        "compat/27.0/27.0.cil",
    ],
}

se_filegroup {
    name: "28.0.board.compat.map",
    srcs: [
        "compat/28.0/28.0.cil",
    ],
}

se_filegroup {
    name: "29.0.board.compat.map",
    srcs: [
        "compat/29.0/29.0.cil",
    ],
}

se_filegroup {
    name: "30.0.board.compat.map",
    srcs: [
        "compat/30.0/30.0.cil",
    ],
}
81
// Per-release compat CIL sources (compat/<ver>/<ver>.compat.cil). These feed
// the se_compat_cil modules below, which ship the file both on system and,
// with a stem, on system_ext.
se_filegroup {
    name: "26.0.board.compat.cil",
    srcs: [
        "compat/26.0/26.0.compat.cil",
    ],
}

se_filegroup {
    name: "27.0.board.compat.cil",
    srcs: [
        "compat/27.0/27.0.compat.cil",
    ],
}

se_filegroup {
    name: "28.0.board.compat.cil",
    srcs: [
        "compat/28.0/28.0.compat.cil",
    ],
}

se_filegroup {
    name: "29.0.board.compat.cil",
    srcs: [
        "compat/29.0/29.0.compat.cil",
    ],
}

se_filegroup {
    name: "30.0.board.compat.cil",
    srcs: [
        "compat/30.0/30.0.compat.cil",
    ],
}
116
// Per-release ignore map sources (compat/<ver>/<ver>.ignore.cil), consumed as
// the bottom_half of the <ver>.ignore.cil se_cil_compat_map modules below.
// NOTE(review): presumably the list of platform types that no longer exist
// and must be ignored when loading that release's vendor policy — confirm
// against the compat/ documentation; adding a type here silently drops every
// vendor rule that references it.
se_filegroup {
    name: "26.0.board.ignore.map",
    srcs: [
        "compat/26.0/26.0.ignore.cil",
    ],
}

se_filegroup {
    name: "27.0.board.ignore.map",
    srcs: [
        "compat/27.0/27.0.ignore.cil",
    ],
}

se_filegroup {
    name: "28.0.board.ignore.map",
    srcs: [
        "compat/28.0/28.0.ignore.cil",
    ],
}

se_filegroup {
    name: "29.0.board.ignore.map",
    srcs: [
        "compat/29.0/29.0.ignore.cil",
    ],
}

se_filegroup {
    name: "30.0.board.ignore.map",
    srcs: [
        "compat/30.0/30.0.ignore.cil",
    ],
}
151
// System-partition compatibility maps. Each release's map is chained to the
// next newer one through top_half, so the oldest map (26.0) transitively
// pulls in every later release's mapping. The newest release (30.0) has no
// successor yet; the commented-out top_half is the slot to enable when the
// 31.0 map is added. The installed filename is taken from stem.
se_cil_compat_map {
    name: "plat_26.0.cil",
    stem: "26.0.cil",
    bottom_half: [":26.0.board.compat.map"],
    top_half: "plat_27.0.cil",
}

se_cil_compat_map {
    name: "plat_27.0.cil",
    stem: "27.0.cil",
    bottom_half: [":27.0.board.compat.map"],
    top_half: "plat_28.0.cil",
}

se_cil_compat_map {
    name: "plat_28.0.cil",
    stem: "28.0.cil",
    bottom_half: [":28.0.board.compat.map"],
    top_half: "plat_29.0.cil",
}

se_cil_compat_map {
    name: "plat_29.0.cil",
    stem: "29.0.cil",
    bottom_half: [":29.0.board.compat.map"],
    top_half: "plat_30.0.cil",
}

se_cil_compat_map {
    name: "plat_30.0.cil",
    stem: "30.0.cil",
    bottom_half: [":30.0.board.compat.map"],
    // top_half: "plat_31.0.cil",
}
186
// system_ext copies of the compatibility maps: same board-side sources and
// the same top_half chaining as the plat_* maps above, but installed to the
// system_ext partition (system_ext_specific). Keep the chain in lock-step
// with plat_* when a new release is added.
se_cil_compat_map {
    name: "system_ext_26.0.cil",
    stem: "26.0.cil",
    bottom_half: [":26.0.board.compat.map"],
    top_half: "system_ext_27.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_27.0.cil",
    stem: "27.0.cil",
    bottom_half: [":27.0.board.compat.map"],
    top_half: "system_ext_28.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_28.0.cil",
    stem: "28.0.cil",
    bottom_half: [":28.0.board.compat.map"],
    top_half: "system_ext_29.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_29.0.cil",
    stem: "29.0.cil",
    bottom_half: [":29.0.board.compat.map"],
    top_half: "system_ext_30.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_30.0.cil",
    stem: "30.0.cil",
    bottom_half: [":30.0.board.compat.map"],
    // top_half: "system_ext_31.0.cil",
    system_ext_specific: true,
}
226
// Product-partition copies of the compatibility maps (product_specific),
// chained through top_half exactly like the plat_* and system_ext_* sets.
se_cil_compat_map {
    name: "product_26.0.cil",
    stem: "26.0.cil",
    bottom_half: [":26.0.board.compat.map"],
    top_half: "product_27.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_27.0.cil",
    stem: "27.0.cil",
    bottom_half: [":27.0.board.compat.map"],
    top_half: "product_28.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_28.0.cil",
    stem: "28.0.cil",
    bottom_half: [":28.0.board.compat.map"],
    top_half: "product_29.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_29.0.cil",
    stem: "29.0.cil",
    bottom_half: [":29.0.board.compat.map"],
    top_half: "product_30.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_30.0.cil",
    stem: "30.0.cil",
    bottom_half: [":30.0.board.compat.map"],
    // top_half: "product_31.0.cil",
    product_specific: true,
}
266
// Ignore maps, chained through top_half like the compat maps. Only the
// system-partition chain covers every release; the system_ext and product
// variants exist for 30.0 only (no earlier release and no top_half chain), so
// a new release needs entries in all three places.
se_cil_compat_map {
    name: "26.0.ignore.cil",
    bottom_half: [":26.0.board.ignore.map"],
    top_half: "27.0.ignore.cil",
}

se_cil_compat_map {
    name: "27.0.ignore.cil",
    bottom_half: [":27.0.board.ignore.map"],
    top_half: "28.0.ignore.cil",
}

se_cil_compat_map {
    name: "28.0.ignore.cil",
    bottom_half: [":28.0.board.ignore.map"],
    top_half: "29.0.ignore.cil",
}

se_cil_compat_map {
    name: "29.0.ignore.cil",
    bottom_half: [":29.0.board.ignore.map"],
    top_half: "30.0.ignore.cil",
}

se_cil_compat_map {
    name: "30.0.ignore.cil",
    bottom_half: [":30.0.board.ignore.map"],
    // top_half: "31.0.ignore.cil",
}

se_cil_compat_map {
    name: "system_ext_30.0.ignore.cil",
    bottom_half: [":30.0.board.ignore.map"],
    // top_half: "system_ext_31.0.ignore.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "product_30.0.ignore.cil",
    bottom_half: [":30.0.board.ignore.map"],
    // top_half: "product_31.0.ignore.cil",
    product_specific: true,
}
310
// Per-release compat CIL installed on the system partition, straight from the
// board-side source filegroup.
se_compat_cil {
    name: "26.0.compat.cil",
    srcs: [":26.0.board.compat.cil"],
}

se_compat_cil {
    name: "27.0.compat.cil",
    srcs: [":27.0.board.compat.cil"],
}

se_compat_cil {
    name: "28.0.compat.cil",
    srcs: [":28.0.board.compat.cil"],
}

se_compat_cil {
    name: "29.0.compat.cil",
    srcs: [":29.0.board.compat.cil"],
}

se_compat_cil {
    name: "30.0.compat.cil",
    srcs: [":30.0.board.compat.cil"],
}
335
// system_ext copies of the compat CILs. The module names carry a system_ext_
// prefix to stay unique, and stem restores the on-device filename
// (<ver>.compat.cil) so the layout matches the system partition.
se_compat_cil {
    name: "system_ext_26.0.compat.cil",
    srcs: [":26.0.board.compat.cil"],
    stem: "26.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_27.0.compat.cil",
    srcs: [":27.0.board.compat.cil"],
    stem: "27.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_28.0.compat.cil",
    srcs: [":28.0.board.compat.cil"],
    stem: "28.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_29.0.compat.cil",
    srcs: [":29.0.board.compat.cil"],
    stem: "29.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_30.0.compat.cil",
    srcs: [":30.0.board.compat.cil"],
    stem: "30.0.compat.cil",
    system_ext_specific: true,
}
370
// Source filegroups for the *_contexts label databases. Each is referenced by
// several partition-specific modules below, so one source file fans out to
// system, system_ext, product, vendor and odm variants.
se_filegroup {
    name: "file_contexts_files",
    srcs: ["file_contexts"],
}

// Extra file labels only pulled in for address-sanitizer builds.
se_filegroup {
    name: "file_contexts_asan_files",
    srcs: ["file_contexts_asan"],
}

// Extra file labels only pulled in for debuggable builds (see
// plat_file_contexts below).
se_filegroup {
    name: "file_contexts_overlayfs_files",
    srcs: ["file_contexts_overlayfs"],
}

se_filegroup {
    name: "hwservice_contexts_files",
    srcs: ["hwservice_contexts"],
}

se_filegroup {
    name: "property_contexts_files",
    srcs: ["property_contexts"],
}

se_filegroup {
    name: "service_contexts_files",
    srcs: ["service_contexts"],
}

se_filegroup {
    name: "keystore2_key_contexts_files",
    srcs: ["keystore2_key_contexts"],
}
405
// Platform (system partition) file_contexts.
//
// The asan and overlayfs label sets are conditional on product variables, so
// they never reach a user build; anything that must be labelled on user
// builds belongs in file_contexts_files. With flatten_apex, each APEX's
// own *-file_contexts under apex/ is merged in, since flattened APEX
// contents live on the filesystem instead of in a mounted image.
// recovery_available makes the same database available to the recovery
// image.
file_contexts {
    name: "plat_file_contexts",
    srcs: [":file_contexts_files"],
    product_variables: {
        address_sanitize: {
            srcs: [":file_contexts_asan_files"],
        },
        debuggable: {
            srcs: [":file_contexts_overlayfs_files"],
        },
    },

    flatten_apex: {
        srcs: ["apex/*-file_contexts"],
    },

    recovery_available: true,
}
424
// Partition-specific file_contexts. All share the platform source file; the
// partition flag (soc_specific / system_ext_specific / product_specific /
// device_specific) selects where the module is installed. The build-time
// conditional label sets (asan, overlayfs, flattened APEX) are deliberately
// only attached to plat_file_contexts above.
file_contexts {
    name: "vendor_file_contexts",
    srcs: [":file_contexts_files"],
    soc_specific: true,
    recovery_available: true,
}

file_contexts {
    name: "system_ext_file_contexts",
    srcs: [":file_contexts_files"],
    system_ext_specific: true,
    recovery_available: true,
}

file_contexts {
    name: "product_file_contexts",
    srcs: [":file_contexts_files"],
    product_specific: true,
    recovery_available: true,
}

file_contexts {
    name: "odm_file_contexts",
    srcs: [":file_contexts_files"],
    device_specific: true,
    recovery_available: true,
}
452
// hwservice_contexts (HIDL service → label) per partition, from one source.
// The vendor variant is built with reqd_mask: true; NOTE(review): presumably
// so it is checked against reqd_policy_mask.cil rather than the full platform
// policy — confirm in the hwservice_contexts module implementation.
hwservice_contexts {
    name: "plat_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
}

hwservice_contexts {
    name: "system_ext_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    system_ext_specific: true,
}

hwservice_contexts {
    name: "product_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    product_specific: true,
}

hwservice_contexts {
    name: "vendor_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
}

hwservice_contexts {
    name: "odm_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    device_specific: true,
}
482
// property_contexts (system property → label) per partition, all
// recovery_available so recovery gets the same property labelling. As with
// the other context databases, the vendor variant is built with reqd_mask.
property_contexts {
    name: "plat_property_contexts",
    srcs: [":property_contexts_files"],
    recovery_available: true,
}

property_contexts {
    name: "system_ext_property_contexts",
    srcs: [":property_contexts_files"],
    system_ext_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "product_property_contexts",
    srcs: [":property_contexts_files"],
    product_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "vendor_property_contexts",
    srcs: [":property_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "odm_property_contexts",
    srcs: [":property_contexts_files"],
    device_specific: true,
    recovery_available: true,
}
517
// service_contexts (binder service → label) per partition. Unlike the other
// context databases there is no odm variant here and none are
// recovery_available.
service_contexts {
    name: "plat_service_contexts",
    srcs: [":service_contexts_files"],
}

service_contexts {
    name: "system_ext_service_contexts",
    srcs: [":service_contexts_files"],
    system_ext_specific: true,
}

service_contexts {
    name: "product_service_contexts",
    srcs: [":service_contexts_files"],
    product_specific: true,
}

service_contexts {
    name: "vendor_service_contexts",
    srcs: [":service_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
}
541
// keystore2_key_contexts (keystore namespace → label) per partition.
//
// NOTE(review): the system_ext variant is named "system_keystore2_key_contexts"
// rather than "system_ext_keystore2_key_contexts", unlike every sibling set
// in this file. It is installed to system_ext (system_ext_specific: true), so
// the behaviour is right; the name is left as-is because renaming a module
// breaks any PRODUCT_PACKAGES list that references it.
keystore2_key_contexts {
    name: "plat_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
}

keystore2_key_contexts {
    name: "system_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
    system_ext_specific: true,
}

keystore2_key_contexts {
    name: "product_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
    product_specific: true,
}

keystore2_key_contexts {
    name: "vendor_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
}
565
566// For vts_treble_sys_prop_test
// Raw private/property_contexts source, exposed only to the VTS system
// property test. This is a plain filegroup, not a built context database, so
// it carries no reqd_mask/partition processing; keep the visibility list
// narrow so nothing else starts depending on the unprocessed file.
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}
574
// Master list of policy source files. Every se_policy_conf below selects a
// subset of these via an output tag (e.g. {.plat}, {.reqd_mask}).
//
// The list is ordered: class/sid/access-vector declarations come first,
// then macros, attributes, ioctl definitions, all *.te files, and finally
// roles, users and the context/labelling files. NOTE(review): presumably
// this mirrors the order checkpolicy requires in policy.conf — add new
// files in the matching slot rather than at the end. "*.te" is a glob, so
// any .te file dropped into a policy directory is picked up automatically.
se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}
601
602// reqd_policy_mask - a policy.conf file which contains only the bare minimum
603// policy necessary to use checkpolicy.
604//
605// This bare-minimum policy needs to be present in all policy.conf files, but
606// should not necessarily be exported as part of the public policy.
607//
608// The rules generated by reqd_policy_mask will allow the compilation of public
609// policy and subsequent removal of CIL policy that should not be exported.
// Bare-minimum policy.conf (only the {.reqd_mask} subset of se_build_files).
// Not installed; exists purely so the public-policy CILs below can subtract
// it with filter_out.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    srcs: [":se_build_files{.reqd_mask}"],
    installable: false,
}

// CIL form of the mask. secilc_check is off because this is not a complete,
// loadable policy on its own — it is only ever used as a filter input.
se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    secilc_check: false,
    installable: false,
}
622
623// pub_policy - policy that will be exported to be a part of non-platform
624// policy corresponding to this platform version.
625//
626// This is a limited subset of policy that would not compile in checkpolicy on
627// its own.
628//
629// To get around this limitation, add only the required files from private
630// policy, which will generate CIL policy that will then be filtered out by the
631// reqd_policy_mask.
632//
633// There are three pub_policy.cil files below:
634//   - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
635//   - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
636//   - plat_pub_policy.cil: exported 'system' policy.
637//
// The files above are in turn used to generate the following versioned CIL files:
639//   - product_mapping_file: the versioned, exported 'product' policy in product partition.
640//   - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
641//   - plat_mapping_file: the versioned, exported 'system' policy in system partition.
642//   - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
643//                             in vendor partition.
644//
// Exported (public) policy, widest scope: product + system_ext + system.
se_policy_conf {
    name: "pub_policy.conf",
    srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
    installable: false,
}

// The reqd_policy_mask rules were only added so checkpolicy would accept
// the public subset; filter_out strips them again so they are not exported.
// secilc_check is off for the same reason as reqd_policy_mask.cil: this is
// a fragment, not a loadable policy. Neither module is installed.
se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

// Exported policy, system_ext + system scope.
se_policy_conf {
    name: "system_ext_pub_policy.conf",
    srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
    installable: false,
}

se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

// Exported policy, system-only scope.
se_policy_conf {
    name: "plat_pub_policy.conf",
    srcs: [":se_build_files{.plat_public}"],
    installable: false,
}

se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}
686
// plat_sepolicy.conf - A combination of the private and public platform policy
// which will ship with the device (as plat_sepolicy.cil).
689//
690// The platform will always reflect the most recent platform version and is not
691// currently being attributized.
// Full platform policy.conf ({.plat} subset: private + public platform
// policy). Only the CIL built from it is installed.
se_policy_conf {
    name: "plat_sepolicy.conf",
    srcs: [":se_build_files{.plat}"],
    installable: false,
}

// plat_sepolicy.cil is the platform policy actually shipped on /system.
// private/technical_debt.cil is appended verbatim as extra CIL after the
// .te-derived policy; NOTE(review): anything in that file bypasses the
// checkpolicy stage, so review additions there with the same rigour as a
// .te rule.
se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
}
703
// userdebug_plat_sepolicy.conf - the userdebug variant of plat_sepolicy.conf, from which
// userdebug_plat_sepolicy.cil is built.
// Same {.plat} sources as plat_sepolicy.conf, but built as the userdebug
// variant, i.e. with the userdebug-gated rules enabled.
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    srcs: [":se_build_files{.plat}"],
    build_variant: "userdebug",
    installable: false,
}

// The userdebug platform CIL. debug_ramdisk: true installs it into the
// debug ramdisk rather than next to the regular plat_sepolicy.cil.
// NOTE(review): this variant is more permissive than the user policy; it
// must only be reachable through the debug-ramdisk boot path and never be
// installed alongside plat_sepolicy.cil on a user build.
se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    debug_ramdisk: true,
}
718
// system_ext_sepolicy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized.
// system_ext policy.conf ({.system_ext} subset).
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    srcs: [":se_build_files{.system_ext}"],
    installable: false,
}

// system_ext CIL, installed to the system_ext partition. Everything already
// present in plat_sepolicy.cil is filtered out so this file carries only the
// system_ext delta; remove_line_marker drops the ;;* lm comments so the
// filter compares policy lines rather than source-location markers.
se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    filter_out: [":plat_sepolicy.cil"],
    remove_line_marker: true,
}
734
// product_sepolicy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized.
// product policy.conf ({.product} subset).
se_policy_conf {
    name: "product_sepolicy.conf",
    srcs: [":se_build_files{.product}"],
    installable: false,
}

// product CIL, installed to the product partition. Filters out both the
// platform and system_ext CILs so only the product-specific delta ships.
se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
    remove_line_marker: true,
}
750
751// policy mapping files
752// auto-generate the mapping file for current platform policy, since it needs to
753// track platform policy development
// Mapping file for the current platform policy version, generated from the
// system-only public policy and installed under /system/etc/selinux/mapping.
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
}

// system_ext mapping: built from the system_ext+system public policy, with
// the system mapping filtered out so only the system_ext delta is installed.
se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}

// product mapping: built from the full public policy, minus both the system
// and system_ext mappings.
se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}
781
782// plat_pub_versioned.cil - the exported platform policy associated with the version
783// that non-platform policy targets.
// Versioned public policy installed on the vendor partition (vendor: true).
// base and target_policy are both pub_policy.cil here because the vendor
// image built from this tree targets the current platform version.
// dependent_cils lists the platform/system_ext/product CILs and mapping files
// the result is checked against; NOTE(review): presumably so the build fails
// if the versioned output no longer compiles together with them — confirm in
// the se_versioned_policy module.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy.cil",
    target_policy: ":pub_policy.cil",
    version: "current",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    vendor: true,
}
799
800//////////////////////////////////
801// Precompiled sepolicy is loaded if and only if:
802// - plat_sepolicy_and_mapping.sha256 equals
803//   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
804// AND
805// - system_ext_sepolicy_and_mapping.sha256 equals
806//   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
807// AND
808// - product_sepolicy_and_mapping.sha256 equals
809//   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
810// See system/core/init/selinux.cpp for details.
811//////////////////////////////////
// Framework-side digests for the precompiled-policy check.
//
// Each digest is SHA-256 over the concatenation of a partition's policy CIL
// and its mapping file, in srcs order (the order therefore matters — the
// vendor-side copies below are produced from the same genrule, so they stay
// consistent automatically). Any byte change to either input changes the
// digest and, per the comparison described above, disables the precompiled
// policy on the vendor/odm side.
//
// NOTE(review): this is a build-consistency check between partitions, not
// tamper detection. The digest, the policy it covers, and the vendor-side
// copy are all build outputs; none of them is a secret and a modified
// partition could carry a matching digest. Integrity of any of these files
// is a verified-boot concern, not something this comparison provides.
//
// NOTE(review): the pipeline's exit status is that of `cut`, so a failing
// `cat` would still write a digest of whatever was read. The inputs are
// declared build dependencies, so this should not happen in practice;
// `set -o pipefail` would make it fail loudly if the genrule shell supports
// it.
genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
    out: ["plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

// Installed to /system/etc/selinux.
prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

// Same scheme for system_ext_sepolicy.cil + system_ext_mapping_file.
genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

// Installed to /system_ext/etc/selinux.
prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}

// Same scheme for product_sepolicy.cil + product_mapping_file.
genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [":product_sepolicy.cil", ":product_mapping_file"],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

// Installed to /product/etc/selinux.
prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}
855
// Records, on the vendor partition, which platform policy version the vendor
// policy was built against ("vendor" selects that version rather than the
// current platform one).
sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}
861
// Board-configurable prebuilt_defaults: lets BOARD_USES_ODMIMAGE choose the
// partition for the precompiled-policy digests below.
soong_config_module_type {
    name: "precompiled_sepolicy_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: ["vendor", "device_specific"],
}

// With an odm image the digests go to odm (device_specific); otherwise they
// go to vendor. Exactly one of the two partition flags is set either way, so
// the files always land next to the precompiled policy they describe.
precompiled_sepolicy_defaults {
    name: "precompiled_sepolicy",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}
881
882//////////////////////////////////
883// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
884// which precompiled_policy was built.
885//////////////////////////////////
// Vendor/odm-side copy of the plat digest. src is the very same genrule
// output as the system-side file, so in a single-tree build the two always
// match; they can only differ when the vendor/odm image was built from a
// different framework tree than the one now mounted.
prebuilt_etc {
    defaults: ["precompiled_sepolicy"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
917
918
919//////////////////////////////////
920// SELinux policy embedded into CTS.
921// CTS checks neverallow rules of this policy against the policy of the device under test.
922//////////////////////////////////
// Reference platform policy for CTS (cts: true), built from the {.plat}
// sources as the "user" variant. NOTE(review): because it is the user
// variant, neverallow rules that only exist under userdebug/eng gating are
// presumably not part of what CTS checks — keep that in mind when relying on
// CTS to enforce a new neverallow. exclude_build_test skips the build-time
// policy test for this module.
se_policy_conf {
    name: "general_sepolicy.conf",
    srcs: [":se_build_files{.plat}"],
    build_variant: "user",
    cts: true,
    exclude_build_test: true,
}
930
931//////////////////////////////////
932// modules for microdroid
933//////////////////////////////////
934
935// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
936// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
937// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
938// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
939// host's files.
// Microdroid's plat_pub_versioned.cil (stem restores the on-device name).
// Differs from the host version only in scope: base/target are the
// system-only plat_pub_policy.cil, and dependent_cils omit the system_ext and
// product files that microdroid does not have. Not installed directly; it is
// consumed by microdroid_vendor_sepolicy.cil below and packaged elsewhere.
se_versioned_policy {
    name: "microdroid_plat_pub_versioned.cil",
    stem: "plat_pub_versioned.cil",
    base: ":plat_pub_policy.cil",
    target_policy: ":plat_pub_policy.cil",
    version: "current",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":plat_mapping_file",
    ],
    installable: false,
}
952
// microdroid's vendor sepolicy is the minimal policy needed for microdroid to boot. It only
// contains system/sepolicy/public and system/sepolicy/vendor.
// Microdroid vendor policy.conf: the {.plat_vendor} subset of se_build_files.
se_policy_conf {
    name: "microdroid_vendor_sepolicy.conf",
    srcs: [":se_build_files{.plat_vendor}"],
    installable: false,
}

// Unversioned CIL, with the reqd_policy_mask rules stripped. secilc_check is
// deferred to the se_versioned_policy step below, where the full set of
// dependent CILs is available.
se_policy_cil {
    name: "microdroid_vendor_sepolicy.cil.raw",
    src: ":microdroid_vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    installable: false,
}

// Versioned microdroid vendor_sepolicy.cil. version is "current" because
// microdroid ships with the system image, so there is never a version skew
// to bridge. The versioned public policy is both a dependency for the
// secilc check and filtered out of the result, so the installed file holds
// only the vendor-specific rules.
se_versioned_policy {
    name: "microdroid_vendor_sepolicy.cil",
    stem: "vendor_sepolicy.cil",
    base: ":plat_pub_policy.cil",
    target_policy: ":microdroid_vendor_sepolicy.cil.raw",
    version: "current", // microdroid is bundled to system
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":microdroid_plat_pub_versioned.cil",
        ":plat_mapping_file",
    ],
    filter_out: [":microdroid_plat_pub_versioned.cil"],
    installable: false,
}
983
// Microdroid's plat_sepolicy_vers.txt. Uses the "platform" version (not
// "vendor" as the host file does) because microdroid's vendor policy is
// built from the same tree as its platform policy. Not installed here.
sepolicy_vers {
    name: "microdroid_plat_sepolicy_vers.txt",
    version: "platform",
    stem: "plat_sepolicy_vers.txt",
    installable: false,
}
990