# Copyright (C) 2020 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# prebuilt_policy.mk generates policy files from prebuilts of BOARD_SEPOLICY_VERS.
# The policy files are only used to compile vendor and odm policies.
#
# Specifically, the following prebuilts are used...
# - system/sepolicy/prebuilts/api/{BOARD_SEPOLICY_VERS}
# - BOARD_PLAT_VENDOR_POLICY (copy of system/sepolicy/vendor from a previous release)
# - BOARD_REQD_MASK_POLICY (copy of reqd_mask from a previous release)
# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (copy of system_ext public from a previous release)
# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (copy of system_ext private from a previous release)
# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (copy of product public from a previous release)
# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (copy of product private from a previous release)
#
# ... to generate the following policy files.
#
# - reqd policy mask
# - plat, system_ext, product public policy
# - plat, system_ext, product policy
# - plat, system_ext, product versioned policy
#
# These generated policy files are used only when building vendor policies.
# They are not installed to the system, system_ext, or product partition.
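# Every variable and target below carries a _$(ver) suffix so that this fragment
# can coexist with the current-release rules in Android.mk (which define the
# unsuffixed names) without clobbering them.
ver := $(BOARD_SEPOLICY_VERS)
prebuilt_dir := $(LOCAL_PATH)/prebuilts/api/$(ver)
plat_public_policy_$(ver) := $(prebuilt_dir)/public
plat_private_policy_$(ver) := $(prebuilt_dir)/private
system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)

##################################
# policy-to-conf-rule: a helper macro to transform policy files to conf file.
#
# This expands to a set of rules which assign variables for transform-policy-to-conf and then call
# transform-policy-to-conf. Before calling this, policy_files must be set with build_policy macro.
#
# The body is written with $$ so that $(call ...) leaves the references intact and
# $(eval ...) is what expands them. Because the target-specific assignments use
# ':=', the values (notably policy_files, which this file reassigns per section)
# are snapshotted at the $(eval ...) site rather than at build time.
#
# $(1): output path (.conf file)
define policy-to-conf-rule
$(1): PRIVATE_MLS_SENS := $$(MLS_SENS)
$(1): PRIVATE_MLS_CATS := $$(MLS_CATS)
$(1): PRIVATE_TARGET_BUILD_VARIANT := $$(TARGET_BUILD_VARIANT)
$(1): PRIVATE_TGT_ARCH := $$(my_target_arch)
$(1): PRIVATE_TGT_WITH_ASAN := $$(with_asan)
$(1): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $$(with_native_coverage)
$(1): PRIVATE_ADDITIONAL_M4DEFS := $$(LOCAL_ADDITIONAL_M4DEFS)
$(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
$(1): PRIVATE_POLICY_FILES := $$(policy_files)
$(1): $$(policy_files) $$(M4)
	$$(transform-policy-to-conf)
endef

##################################
# reqd_policy_mask_$(ver).cil
#
# The "required" mask: the minimal policy that every partition's public policy
# is filtered against (see the filter_out steps below) so that only genuinely
# exported rules survive.
policy_files := $(call build_policy, $(sepolicy_build_files), $(BOARD_REQD_MASK_POLICY))
reqd_policy_mask_$(ver).conf := $(intermediates)/reqd_policy_mask_$(ver).conf
$(eval $(call policy-to-conf-rule,$(reqd_policy_mask_$(ver).conf)))

# b/37755687: run checkpolicy with LeakSanitizer disabled (detect_leaks=0) so an
# ASAN host build does not fail on leaks reported inside checkpolicy.
CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0

reqd_policy_mask_$(ver).cil := $(intermediates)/reqd_policy_mask_$(ver).cil
# $< is the .conf (first prerequisite); -C emits CIL, -M enables MLS.
$(reqd_policy_mask_$(ver).cil): $(reqd_policy_mask_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
		$(POLICYVERS) -o $@ $<

# Cleared once consumed so a later section cannot pick it up by mistake; the
# same pattern is applied to every *.conf variable below.
reqd_policy_mask_$(ver).conf :=

reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)

##################################
# plat_pub_policy_$(ver).cil: exported plat policies
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(reqd_policy_$(ver)))
plat_pub_policy_$(ver).conf := $(intermediates)/plat_pub_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(plat_pub_policy_$(ver).conf)))

plat_pub_policy_$(ver).cil := $(intermediates)/plat_pub_policy_$(ver).cil
$(plat_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(plat_pub_policy_$(ver).conf)
$(plat_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
# Here $< is the checkpolicy binary, so the .conf is passed via PRIVATE_POL_CONF.
# filter_out then strips the reqd mask rules from $@ in place.
$(plat_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_REQD_MASK) -t $@

plat_pub_policy_$(ver).conf :=

##################################
# plat_mapping_cil_$(ver).cil: versioned exported system policy
#
plat_mapping_cil_$(ver) := $(intermediates)/plat_mapping_$(ver).cil
$(plat_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
# $< is the exported plat .cil; -m asks version_policy for a mapping file.
$(plat_mapping_cil_$(ver)) : $(plat_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
built_plat_mapping_cil_$(ver) := $(plat_mapping_cil_$(ver))

##################################
# plat_policy_$(ver).cil: system policy
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) )
plat_policy_$(ver).conf := $(intermediates)/plat_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(plat_policy_$(ver).conf)))

plat_policy_$(ver).cil := $(intermediates)/plat_policy_$(ver).cil
# Extra CIL appended verbatim after checkpolicy output.
# NOTE(review): if this list were ever empty, `cat` would read stdin; it is
# assumed to be non-empty for the prebuilt private policy — confirm.
$(plat_policy_$(ver).cil): PRIVATE_ADDITIONAL_CIL_FILES := \
  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
$(plat_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
# Built into $@.tmp and only renamed to $@ after the secilc sanity compile
# succeeds, so a failed check never leaves a plausible-looking $@ behind.
# secilc's output is discarded (-o/-f /dev/null): it only validates the CIL.
$(plat_policy_$(ver).cil): $(plat_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
  $(HOST_OUT_EXECUTABLES)/secilc \
  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
		$(POLICYVERS) -o $@.tmp $<
	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
	$(hide) mv $@.tmp $@

plat_policy_$(ver).conf :=

built_plat_cil_$(ver) := $(plat_policy_$(ver).cil)

# HAS_SYSTEM_EXT_SEPOLICY_DIR / HAS_PRODUCT_SEPOLICY_DIR are presumably set by the
# including Android.mk; when unset, the corresponding *_$(ver) variables stay
# empty and the dependent rules below simply see fewer inputs.
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR

##################################
# system_ext_pub_policy_$(ver).cil: exported system and system_ext policy
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) $(reqd_policy_$(ver)))
system_ext_pub_policy_$(ver).conf := $(intermediates)/system_ext_pub_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(system_ext_pub_policy_$(ver).conf)))

system_ext_pub_policy_$(ver).cil := $(intermediates)/system_ext_pub_policy_$(ver).cil
$(system_ext_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(system_ext_pub_policy_$(ver).conf)
$(system_ext_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
# Same shape as plat_pub_policy: $< is checkpolicy, the .conf comes from PRIVATE_POL_CONF.
$(system_ext_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_REQD_MASK) -t $@

system_ext_pub_policy_$(ver).conf :=

##################################
# system_ext_policy_$(ver).cil: system_ext policy
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
  $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) )
system_ext_policy_$(ver).conf := $(intermediates)/system_ext_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(system_ext_policy_$(ver).conf)))

system_ext_policy_$(ver).cil := $(intermediates)/system_ext_policy_$(ver).cil
$(system_ext_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(system_ext_policy_$(ver).cil): PRIVATE_PLAT_CIL := $(built_plat_cil_$(ver))
# Compile the combined conf, subtract everything already in the plat .cil, drop
# the ';;' line markers, then compile plat + system_ext together as a check that
# system_ext does not silently rely on vendor/odm policy. Unlike plat_policy,
# the intermediate steps here operate on $@ directly; a failed final check
# relies on the build system's delete-on-error behaviour to discard $@.
$(system_ext_policy_$(ver).cil): $(system_ext_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver))
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
		$(POLICYVERS) -o $@ $<
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_PLAT_CIL) -t $@
	# Line markers (denoted by ;;) are malformed after above cmd. They are only
	# used for debugging, so we remove them.
	$(hide) grep -v ';;' $@ > $@.tmp
	$(hide) mv $@.tmp $@
	# Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
	# latter doesn't accidentally depend on vendor/odm policies.
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null

system_ext_policy_$(ver).conf :=

built_system_ext_cil_$(ver) := $(system_ext_policy_$(ver).cil)

##################################
# system_ext_mapping_cil_$(ver).cil: versioned exported system_ext policy
#
system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
# Prerequisites given on separate lines are merged in order of appearance and
# $< is the first of the merged list, so the exported .cil is listed first:
# the recipe passes it to version_policy via `-b $<` (matching the
# product_mapping rule below). The tool binaries follow.
$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil)
$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
$(system_ext_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
	@mkdir -p $(dir $@)
	# Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
	# sepolicy minus plat_mapping_file.
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@

built_system_ext_mapping_cil_$(ver) := $(system_ext_mapping_cil_$(ver))

endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR

ifdef HAS_PRODUCT_SEPOLICY_DIR

##################################
# product_policy_$(ver).cil: product policy
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
  $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) \
  $(product_public_policy_$(ver)) $(product_private_policy_$(ver)) )
product_policy_$(ver).conf := $(intermediates)/product_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(product_policy_$(ver).conf)))

product_policy_$(ver).cil := $(intermediates)/product_policy_$(ver).cil
$(product_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
# built_system_ext_cil_$(ver) is empty when system_ext is not configured.
$(product_policy_$(ver).cil): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
# Same pipeline as system_ext_policy, filtering against plat and system_ext.
$(product_policy_$(ver).cil): $(product_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
$(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
		$(POLICYVERS) -o $@ $<
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_PLAT_CIL_FILES) -t $@
	# Line markers (denoted by ;;) are malformed after above cmd. They are only
	# used for debugging, so we remove them.
	$(hide) grep -v ';;' $@ > $@.tmp
	$(hide) mv $@.tmp $@
	# Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
	# make sure that the latter doesn't accidentally depend on vendor/odm policies.
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null

product_policy_$(ver).conf :=

built_product_cil_$(ver) := $(product_policy_$(ver).cil)

endif # ifdef HAS_PRODUCT_SEPOLICY_DIR

##################################
# pub_policy_$(ver).cil: exported plat, system_ext, and product policies
#
policy_files := $(call build_policy, $(sepolicy_build_files), \
  $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) \
  $(product_public_policy_$(ver)) $(reqd_policy_$(ver)) )
pub_policy_$(ver).conf := $(intermediates)/pub_policy_$(ver).conf
$(eval $(call policy-to-conf-rule,$(pub_policy_$(ver).conf)))

pub_policy_$(ver).cil := $(intermediates)/pub_policy_$(ver).cil
$(pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(pub_policy_$(ver).conf)
$(pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
# $< is checkpolicy; the reqd mask is subtracted from the result in place.
$(pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_REQD_MASK) -t $@

pub_policy_$(ver).conf :=

ifdef HAS_PRODUCT_SEPOLICY_DIR

##################################
# product_mapping_cil_$(ver).cil: versioned exported product policy
#
product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
# The pub .cil is listed first so that $< names it in the recipe.
$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil)
$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
$(product_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
$(product_mapping_cil_$(ver)) : $(built_system_ext_mapping_cil_$(ver))
	@mkdir -p $(dir $@)
	# Generate product mapping file as mapping file of all public sepolicy minus
	# plat_mapping_file and system_ext_mapping_file.
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
		-f $(PRIVATE_FILTER_CIL_FILES) -t $@

built_product_mapping_cil_$(ver) := $(product_mapping_cil_$(ver))

endif # ifdef HAS_PRODUCT_SEPOLICY_DIR

##################################
# plat_pub_versioned_$(ver).cil - the exported platform policy
#
plat_pub_versioned_$(ver).cil := $(intermediates)/plat_pub_versioned_$(ver).cil
$(plat_pub_versioned_$(ver).cil) : PRIVATE_VERS := $(ver)
$(plat_pub_versioned_$(ver).cil) : PRIVATE_TGT_POL := $(pub_policy_$(ver).cil)
# All partition .cil and mapping .cil files built above; those for partitions
# that are not configured expand to nothing.
$(plat_pub_versioned_$(ver).cil) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) \
$(built_product_cil_$(ver)) $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) \
$(built_product_mapping_cil_$(ver))
# version_policy is run with -t (target policy) rather than -m here, producing
# the versioned public policy instead of a mapping file. The secilc pass then
# compiles it together with every dependency as a consistency check only
# (output discarded); note it passes -N unconditionally rather than
# $(NEVERALLOW_ARG) — presumably to skip neverallow checking for this
# combined compile, confirm. $(hide) is applied to version_policy for
# consistency with every other tool invocation in this file.
$(plat_pub_versioned_$(ver).cil) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
  $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) $(built_product_cil_$(ver)) \
  $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) $(built_product_mapping_cil_$(ver))
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null

built_pub_vers_cil_$(ver) := $(plat_pub_versioned_$(ver).cil)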