// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Build definitions for system/sepolicy: the platform SELinux policy sources,
// the per-version vendor compatibility maps, the *_contexts files, the
// versioned/exported public policy, the precompiled-policy digests and the
// microdroid policy variants. Everything here is consumed by the se_* Soong
// module types; this file only wires inputs to modules.

package {
    default_applicable_licenses: ["system_sepolicy_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'filegroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// http://go/android-license-faq
license {
    name: "system_sepolicy_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

// Shared cflags for C/C++ code that needs to know the policy version this
// tree is built for. Keep SEPOLICY_VERSION in sync with the newest
// compat/<ver>/ directory and the "current" version used by the
// se_versioned_policy modules below when a new platform version is cut.
cc_defaults {
    name: "selinux_policy_version",
    cflags: ["-DSEPOLICY_VERSION=30"],
}

//////////////////////////////////
// Vendor-compatibility inputs.
//
// For every vendor policy version V that the platform still supports (26.0
// through 31.0 here) there are three files under compat/V/:
//   - V.cil         -> wrapped as "V.board.compat.map"
//   - V.compat.cil  -> wrapped as "V.board.compat.cil"
//   - V.ignore.cil  -> wrapped as "V.board.ignore.map"
// The se_filegroups give these files labels so the se_cil_compat_map and
// se_compat_cil modules further down can reference them. Adding support for a
// new version means adding one of each filegroup plus the matching map
// modules, and uncommenting the `top_half` of the previous version.
//////////////////////////////////

se_filegroup {
    name: "26.0.board.compat.map",
    srcs: [
        "compat/26.0/26.0.cil",
    ],
}

se_filegroup {
    name: "27.0.board.compat.map",
    srcs: [
        "compat/27.0/27.0.cil",
    ],
}

se_filegroup {
    name: "28.0.board.compat.map",
    srcs: [
        "compat/28.0/28.0.cil",
    ],
}

se_filegroup {
    name: "29.0.board.compat.map",
    srcs: [
        "compat/29.0/29.0.cil",
    ],
}

se_filegroup {
    name: "30.0.board.compat.map",
    srcs: [
        "compat/30.0/30.0.cil",
    ],
}

se_filegroup {
    name: "31.0.board.compat.map",
    srcs: [
        "compat/31.0/31.0.cil",
    ],
}

se_filegroup {
    name: "26.0.board.compat.cil",
    srcs: [
        "compat/26.0/26.0.compat.cil",
    ],
}

se_filegroup {
    name: "27.0.board.compat.cil",
    srcs: [
        "compat/27.0/27.0.compat.cil",
    ],
}

se_filegroup {
    name: "28.0.board.compat.cil",
    srcs: [
        "compat/28.0/28.0.compat.cil",
    ],
}

se_filegroup {
    name: "29.0.board.compat.cil",
    srcs: [
        "compat/29.0/29.0.compat.cil",
    ],
}

se_filegroup {
    name: "30.0.board.compat.cil",
    srcs: [
        "compat/30.0/30.0.compat.cil",
    ],
}

se_filegroup {
    name: "31.0.board.compat.cil",
    srcs: [
        "compat/31.0/31.0.compat.cil",
    ],
}

se_filegroup {
    name: "26.0.board.ignore.map",
    srcs: [
        "compat/26.0/26.0.ignore.cil",
    ],
}

se_filegroup {
    name: "27.0.board.ignore.map",
    srcs: [
        "compat/27.0/27.0.ignore.cil",
    ],
}

se_filegroup {
    name: "28.0.board.ignore.map",
    srcs: [
        "compat/28.0/28.0.ignore.cil",
    ],
}

se_filegroup {
    name: "29.0.board.ignore.map",
    srcs: [
        "compat/29.0/29.0.ignore.cil",
    ],
}

se_filegroup {
    name: "30.0.board.ignore.map",
    srcs: [
        "compat/30.0/30.0.ignore.cil",
    ],
}

se_filegroup {
    name: "31.0.board.ignore.map",
    srcs: [
        "compat/31.0/31.0.ignore.cil",
    ],
}

//////////////////////////////////
// Platform mapping files, one chain per partition.
//
// Each se_cil_compat_map takes the board map for its version as `bottom_half`
// and the next version's module as `top_half`, so the 26.0 map is layered on
// 27.0, which is layered on 28.0, ... up to 31.0. The newest version has its
// `top_half` commented out: it is the end of the chain until a 32.0 map
// exists. `stem` fixes the installed file name to "<ver>.cil" regardless of
// the module name, so the plat_/system_ext_/product_ variants of the same
// version install under the same name on their respective partitions.
//////////////////////////////////

se_cil_compat_map {
    name: "plat_26.0.cil",
    stem: "26.0.cil",
    bottom_half: [":26.0.board.compat.map"],
    top_half: "plat_27.0.cil",
}

se_cil_compat_map {
    name: "plat_27.0.cil",
    stem: "27.0.cil",
    bottom_half: [":27.0.board.compat.map"],
    top_half: "plat_28.0.cil",
}

se_cil_compat_map {
    name: "plat_28.0.cil",
    stem: "28.0.cil",
    bottom_half: [":28.0.board.compat.map"],
    top_half: "plat_29.0.cil",
}

se_cil_compat_map {
    name: "plat_29.0.cil",
    stem: "29.0.cil",
    bottom_half: [":29.0.board.compat.map"],
    top_half: "plat_30.0.cil",
}

se_cil_compat_map {
    name: "plat_30.0.cil",
    stem: "30.0.cil",
    bottom_half: [":30.0.board.compat.map"],
    top_half: "plat_31.0.cil",
}

se_cil_compat_map {
    name: "plat_31.0.cil",
    stem: "31.0.cil",
    bottom_half: [":31.0.board.compat.map"],
    // End of the chain until a 32.0 map is added.
    // top_half: "plat_32.0.cil",
}

// system_ext mapping chain (installed to the system_ext partition).
se_cil_compat_map {
    name: "system_ext_26.0.cil",
    stem: "26.0.cil",
    bottom_half: [":26.0.board.compat.map"],
    top_half: "system_ext_27.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_27.0.cil",
    stem: "27.0.cil",
    bottom_half: [":27.0.board.compat.map"],
    top_half: "system_ext_28.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_28.0.cil",
    stem: "28.0.cil",
    bottom_half: [":28.0.board.compat.map"],
    top_half: "system_ext_29.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_29.0.cil",
    stem: "29.0.cil",
    bottom_half: [":29.0.board.compat.map"],
    top_half: "system_ext_30.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_30.0.cil",
    stem: "30.0.cil",
    bottom_half: [":30.0.board.compat.map"],
    top_half: "system_ext_31.0.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_31.0.cil",
    stem: "31.0.cil",
    bottom_half: [":31.0.board.compat.map"],
    // End of the chain until a 32.0 map is added.
    // top_half: "system_ext_32.0.cil",
    system_ext_specific: true,
}

// product mapping chain (installed to the product partition).
se_cil_compat_map {
    name: "product_26.0.cil",
    stem: "26.0.cil",
    bottom_half: [":26.0.board.compat.map"],
    top_half: "product_27.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_27.0.cil",
    stem: "27.0.cil",
    bottom_half: [":27.0.board.compat.map"],
    top_half: "product_28.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_28.0.cil",
    stem: "28.0.cil",
    bottom_half: [":28.0.board.compat.map"],
    top_half: "product_29.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_29.0.cil",
    stem: "29.0.cil",
    bottom_half: [":29.0.board.compat.map"],
    top_half: "product_30.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_30.0.cil",
    stem: "30.0.cil",
    bottom_half: [":30.0.board.compat.map"],
    top_half: "product_31.0.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_31.0.cil",
    stem: "31.0.cil",
    bottom_half: [":31.0.board.compat.map"],
    // End of the chain until a 32.0 map is added.
    // top_half: "product_32.0.cil",
    product_specific: true,
}

//////////////////////////////////
// Ignore maps, chained the same way as the mapping files above but built from
// the *.ignore.cil inputs and installed under their module name (no `stem`).
// Note that system_ext_ and product_ ignore maps only exist from 30.0 on; the
// plat chain goes back to 26.0.
//////////////////////////////////

se_cil_compat_map {
    name: "26.0.ignore.cil",
    bottom_half: [":26.0.board.ignore.map"],
    top_half: "27.0.ignore.cil",
}

se_cil_compat_map {
    name: "27.0.ignore.cil",
    bottom_half: [":27.0.board.ignore.map"],
    top_half: "28.0.ignore.cil",
}

se_cil_compat_map {
    name: "28.0.ignore.cil",
    bottom_half: [":28.0.board.ignore.map"],
    top_half: "29.0.ignore.cil",
}

se_cil_compat_map {
    name: "29.0.ignore.cil",
    bottom_half: [":29.0.board.ignore.map"],
    top_half: "30.0.ignore.cil",
}

se_cil_compat_map {
    name: "30.0.ignore.cil",
    bottom_half: [":30.0.board.ignore.map"],
    top_half: "31.0.ignore.cil",
}

se_cil_compat_map {
    name: "31.0.ignore.cil",
    bottom_half: [":31.0.board.ignore.map"],
    // End of the chain until a 32.0 map is added.
    // top_half: "32.0.ignore.cil",
}

se_cil_compat_map {
    name: "system_ext_30.0.ignore.cil",
    bottom_half: [":30.0.board.ignore.map"],
    top_half: "system_ext_31.0.ignore.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "system_ext_31.0.ignore.cil",
    bottom_half: [":31.0.board.ignore.map"],
    // End of the chain until a 32.0 map is added.
    // top_half: "system_ext_32.0.ignore.cil",
    system_ext_specific: true,
}

se_cil_compat_map {
    name: "product_30.0.ignore.cil",
    bottom_half: [":30.0.board.ignore.map"],
    top_half: "product_31.0.ignore.cil",
    product_specific: true,
}

se_cil_compat_map {
    name: "product_31.0.ignore.cil",
    bottom_half: [":31.0.board.ignore.map"],
    // End of the chain until a 32.0 map is added.
    // top_half: "product_32.0.ignore.cil",
    product_specific: true,
}

//////////////////////////////////
// Compat CIL, one module per version from the V.compat.cil input. Unlike the
// maps above these are not chained; each version stands on its own. The
// system_ext_ variants (below) reuse the same board input and `stem` it to
// "<ver>.compat.cil" so the file name on the system_ext partition matches the
// system one.
//////////////////////////////////

se_compat_cil {
    name: "26.0.compat.cil",
    srcs: [":26.0.board.compat.cil"],
}

se_compat_cil {
    name: "27.0.compat.cil",
    srcs: [":27.0.board.compat.cil"],
}

se_compat_cil {
    name: "28.0.compat.cil",
    srcs: [":28.0.board.compat.cil"],
}

se_compat_cil {
    name: "29.0.compat.cil",
    srcs: [":29.0.board.compat.cil"],
}

se_compat_cil {
    name: "30.0.compat.cil",
    srcs: [":30.0.board.compat.cil"],
}

se_compat_cil {
    name: "31.0.compat.cil",
    srcs: [":31.0.board.compat.cil"],
}

se_compat_cil {
    name: "system_ext_26.0.compat.cil",
    srcs: [":26.0.board.compat.cil"],
    stem: "26.0.compat.cil",
    system_ext_specific: true,
}
se_compat_cil {
    name: "system_ext_27.0.compat.cil",
    srcs: [":27.0.board.compat.cil"],
    stem: "27.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_28.0.compat.cil",
    srcs: [":28.0.board.compat.cil"],
    stem: "28.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_29.0.compat.cil",
    srcs: [":29.0.board.compat.cil"],
    stem: "29.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_30.0.compat.cil",
    srcs: [":30.0.board.compat.cil"],
    stem: "30.0.compat.cil",
    system_ext_specific: true,
}

se_compat_cil {
    name: "system_ext_31.0.compat.cil",
    srcs: [":31.0.board.compat.cil"],
    stem: "31.0.compat.cil",
    system_ext_specific: true,
}

//////////////////////////////////
// *_contexts inputs.
//
// The labelling tables (file, hwservice, property, service and keystore2 key
// contexts) share one set of source filegroups; each partition then gets its
// own module over the same sources, distinguished only by the partition
// property (soc_specific = vendor, system_ext_specific, product_specific,
// device_specific = odm). Which entries end up in which partition's file is
// decided by the module type, not by this file.
//////////////////////////////////

se_filegroup {
    name: "file_contexts_files",
    srcs: ["file_contexts"],
}

// Extra file_contexts entries only pulled in for address-sanitized builds
// (see the product_variables block on plat_file_contexts).
se_filegroup {
    name: "file_contexts_asan_files",
    srcs: ["file_contexts_asan"],
}

// Extra file_contexts entries only pulled in for debuggable builds.
se_filegroup {
    name: "file_contexts_overlayfs_files",
    srcs: ["file_contexts_overlayfs"],
}

se_filegroup {
    name: "hwservice_contexts_files",
    srcs: ["hwservice_contexts"],
}

se_filegroup {
    name: "property_contexts_files",
    srcs: ["property_contexts"],
}

se_filegroup {
    name: "service_contexts_files",
    srcs: ["service_contexts"],
}

se_filegroup {
    name: "keystore2_key_contexts_files",
    srcs: ["keystore2_key_contexts"],
}

// Platform (system) file_contexts. This is the only file_contexts module that
// varies by build configuration: the asan and overlayfs entries are added
// under address_sanitize / debuggable respectively, and the per-APEX
// apex/*-file_contexts files are folded in when APEXes are flattened.
// NOTE(review): the debuggable/asan additions do not reach user builds, so
// any label introduced only there must not be relied on by production policy.
file_contexts {
    name: "plat_file_contexts",
    srcs: [":file_contexts_files"],
    product_variables: {
        address_sanitize: {
            srcs: [":file_contexts_asan_files"],
        },
        debuggable: {
            srcs: [":file_contexts_overlayfs_files"],
        },
    },

    flatten_apex: {
        srcs: ["apex/*-file_contexts"],
    },

    recovery_available: true,
}

file_contexts {
    name: "vendor_file_contexts",
    srcs: [":file_contexts_files"],
    soc_specific: true,
    recovery_available: true,
}

file_contexts {
    name: "system_ext_file_contexts",
    srcs: [":file_contexts_files"],
    system_ext_specific: true,
    recovery_available: true,
}

file_contexts {
    name: "product_file_contexts",
    srcs: [":file_contexts_files"],
    product_specific: true,
    recovery_available: true,
}

file_contexts {
    name: "odm_file_contexts",
    srcs: [":file_contexts_files"],
    device_specific: true,
    recovery_available: true,
}

hwservice_contexts {
    name: "plat_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
}

hwservice_contexts {
    name: "system_ext_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    system_ext_specific: true,
}

hwservice_contexts {
    name: "product_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    product_specific: true,
}

// `reqd_mask: true` appears only on the vendor variants of the contexts
// modules below; it presumably relates these to the reqd_policy_mask built
// further down — confirm against the *_contexts module type definition.
hwservice_contexts {
    name: "vendor_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
}

hwservice_contexts {
    name: "odm_hwservice_contexts",
    srcs: [":hwservice_contexts_files"],
    device_specific: true,
}

property_contexts {
    name: "plat_property_contexts",
    srcs: [":property_contexts_files"],
    recovery_available: true,
}

property_contexts {
    name: "system_ext_property_contexts",
    srcs: [":property_contexts_files"],
    system_ext_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "product_property_contexts",
    srcs: [":property_contexts_files"],
    product_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "vendor_property_contexts",
    srcs: [":property_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
    recovery_available: true,
}

property_contexts {
    name: "odm_property_contexts",
    srcs: [":property_contexts_files"],
    device_specific: true,
    recovery_available: true,
}

// service_contexts: note there is no odm variant, unlike file/hwservice/
// property contexts.
service_contexts {
    name: "plat_service_contexts",
    srcs: [":service_contexts_files"],
}

service_contexts {
    name: "system_ext_service_contexts",
    srcs: [":service_contexts_files"],
    system_ext_specific: true,
}

service_contexts {
    name: "product_service_contexts",
    srcs: [":service_contexts_files"],
    product_specific: true,
}

service_contexts {
    name: "vendor_service_contexts",
    srcs: [":service_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
}

keystore2_key_contexts {
    name: "plat_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
}

// NOTE(review): this module is system_ext_specific but is named
// "system_keystore2_key_contexts" rather than "system_ext_..." like every
// other system_ext contexts module. Left as is because device makefiles may
// reference the module by name; a rename would need those callers updated.
keystore2_key_contexts {
    name: "system_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
    system_ext_specific: true,
}

keystore2_key_contexts {
    name: "product_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
    product_specific: true,
}

keystore2_key_contexts {
    name: "vendor_keystore2_key_contexts",
    srcs: [":keystore2_key_contexts_files"],
    reqd_mask: true,
    soc_specific: true,
}

// For vts_treble_sys_prop_test. Visibility is deliberately limited to that
// one test directory; do not widen it so other packages can depend on the
// private policy sources.
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}

// The raw policy sources, in the order checkpolicy expects them to be
// concatenated. The se_policy_conf modules below select subsets of these via
// output tags such as {.reqd_mask}, {.plat_public}, {.plat} — the tag names
// come from the se_build_files module type, not from this list.
se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}

// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
// This bare-minimum policy needs to be present in all policy.conf files, but
// should not necessarily be exported as part of the public policy.
//
// The rules generated by reqd_policy_mask will allow the compilation of public
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    srcs: [":se_build_files{.reqd_mask}"],
    installable: false,
}

// Intermediate only: it is used as a `filter_out` input below, never
// installed, and `secilc_check` is off because on its own it is not a
// complete policy.
se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    secilc_check: false,
    installable: false,
}

// pub_policy - policy that will be exported to be a part of non-platform
// policy corresponding to this platform version.
//
// This is a limited subset of policy that would not compile in checkpolicy on
// its own.
//
// To get around this limitation, add only the required files from private
// policy, which will generate CIL policy that will then be filtered out by the
// reqd_policy_mask.
//
// There are three pub_policy.cil files below:
// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
// - plat_pub_policy.cil: exported 'system' policy.
//
// Those above files will in turn be used to generate the following versioned cil files:
// - product_mapping_file: the versioned, exported 'product' policy in product partition.
// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
//   in vendor partition.
//
// All three *.pub_policy.cil modules are built the same way: the selected
// public sources are compiled with the reqd_mask rules present, then those
// rules are stripped again via `filter_out`. Because the result is not a
// standalone policy, `secilc_check` is disabled and nothing is installed.
se_policy_conf {
    name: "pub_policy.conf",
    srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
    installable: false,
}

se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
    installable: false,
}

se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

se_policy_conf {
    name: "plat_pub_policy.conf",
    srcs: [":se_build_files{.plat_public}"],
    installable: false,
}

se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

// plat_policy.conf - A combination of the private and public platform policy
// which will ship with the device.
//
// The platform will always reflect the most recent platform version and is not
// currently being attributized.
se_policy_conf {
    name: "plat_sepolicy.conf",
    srcs: [":se_build_files{.plat}"],
    installable: false,
}

// The shipped system policy. Unlike the pub_policy intermediates this one is
// installable and keeps the default secilc check. private/technical_debt.cil
// is appended as raw CIL on top of the generated policy.
se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
}

// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
//
// Same sources as plat_sepolicy.conf but built with build_variant "userdebug",
// so it carries whatever the policy sources enable for that variant. It is
// placed in the debug ramdisk and distributed with the droidcore dist
// artifacts; it is not part of the system image.
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    srcs: [":se_build_files{.plat}"],
    build_variant: "userdebug",
    installable: false,
}

se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    debug_ramdisk: true,
    dist: {
        targets: ["droidcore"],
    },
}

// A copy of the userdebug_plat_policy in GSI.
//
// This is a se_policy_cil whose `enabled` and `installable` properties are
// driven by the ANDROID.PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT soong
// config bool. Both default to false, so the userdebug-variant policy only
// lands on system_ext when a product explicitly opts in.
// NOTE(review): that opt-in puts a policy built with build_variant "userdebug"
// onto a shipped partition. Products setting it should confirm it is not
// enabled for user builds; nothing in this file enforces that.
soong_config_module_type {
    name: "gsi_se_policy_cil",
    module_type: "se_policy_cil",
    config_namespace: "ANDROID",
    bool_variables: [
        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
    ],
    properties: [
        "enabled",
        "installable",
    ],
}

gsi_se_policy_cil {
    name: "system_ext_userdebug_plat_sepolicy.cil",
    stem: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    system_ext_specific: true,
    enabled: false,
    installable: false,
    soong_config_variables: {
        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
            enabled: true,
            installable: true,
        },
    },
}

// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    srcs: [":se_build_files{.system_ext}"],
    installable: false,
}

// The system_ext sources include the system policy, so everything already
// present in plat_sepolicy.cil is filtered out and only the system_ext delta
// is installed.
se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    filter_out: [":plat_sepolicy.cil"],
    remove_line_marker: true,
}

// product_policy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized
se_policy_conf {
    name: "product_sepolicy.conf",
    srcs: [":se_build_files{.product}"],
    installable: false,
}

// As above: the product sources include system and system_ext, so both are
// filtered out and only the product delta is installed.
se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
    remove_line_marker: true,
}

// policy mapping files
// auto-generate the mapping file for current platform policy, since it needs to
// track platform policy development
//
// Each mapping file is derived from the matching pub_policy.cil with
// version "current". The system_ext and product mapping files filter out the
// mapping(s) of the partitions beneath them, mirroring the filter_out on the
// *_sepolicy.cil modules above, so each partition installs only its own delta
// under etc/selinux/mapping.
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
}

se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}

se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}

// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
//
// Built from pub_policy.cil (system + system_ext + product public policy) and
// installed to the vendor partition. `dependent_cils` lists the policy and
// mapping files this one is checked together with; the microdroid variant
// below notes that the secilc check for its inputs happens in this module
// type.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy.cil",
    target_policy: ":pub_policy.cil",
    version: "current",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    vendor: true,
}

//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
// AND
// - system_ext_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
// AND
// - product_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
// See system/core/init/selinux.cpp for details.
//
// Each pair is generated from one genrule: the digest of the concatenated
// <partition>_sepolicy.cil and <partition>_mapping_file, installed once next to
// the policy it describes (system/system_ext/product) and once next to the
// precompiled policy (vendor or odm, see precompiled_sepolicy_defaults). Both
// copies come from the same build output, so they only differ on a device
// where the two sides were built separately, e.g. a system image updated
// independently of vendor.
//
// NOTE(review): these digests are a staleness check, not an integrity check.
// A mismatch only tells init that the precompiled policy no longer matches
// the system-side policy; protection of the policy files themselves comes
// from whatever verification the partitions carrying them have. The shell
// pipeline takes the digest of the concatenation (so input order matters) and
// `cut -d' ' -f1` drops the " -" file-name suffix sha256sum prints for stdin.
//////////////////////////////////
genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
    out: ["plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}

genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [":product_sepolicy.cil", ":product_mapping_file"],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}

// Version file installed to vendor; presumably records the platform policy
// version the vendor policy was built against — confirm in the sepolicy_vers
// module type.
sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}

// Defaults shared by the precompiled_sepolicy.* digest copies below: they go
// to the odm partition when BOARD_USES_ODMIMAGE is set, otherwise to vendor,
// i.e. wherever the precompiled policy itself lives.
soong_config_module_type {
    name: "precompiled_sepolicy_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: ["vendor", "device_specific"],
}

precompiled_sepolicy_defaults {
    name: "precompiled_sepolicy",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}

//////////////////////////////////
// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
//
// Built from the same plat sources as plat_sepolicy.conf but forced to the
// "user" build variant, so the neverallow set CTS enforces is the one that
// applies to shipping builds, not a debug variant. `exclude_build_test`
// keeps it out of the regular policy build tests.
//////////////////////////////////
se_policy_conf {
    name: "general_sepolicy.conf",
    srcs: [":se_build_files{.plat}"],
    build_variant: "user",
    cts: true,
    exclude_build_test: true,
}

//////////////////////////////////
// modules for microdroid
//////////////////////////////////

// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
// host's files.
se_versioned_policy {
    name: "microdroid_plat_pub_versioned.cil",
    stem: "plat_pub_versioned.cil",
    base: ":plat_pub_policy.cil",
    target_policy: ":plat_pub_policy.cil",
    version: "current",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":plat_mapping_file",
    ],
    installable: false,
}

// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
// contains system/sepolicy/public and system/sepolicy/vendor.
se_policy_conf {
    name: "microdroid_vendor_sepolicy.conf",
    srcs: [":se_build_files{.plat_vendor}"],
    installable: false,
}

// Raw (unversioned) CIL; the reqd_mask rules are filtered out exactly as for
// the pub_policy intermediates.
se_policy_cil {
    name: "microdroid_vendor_sepolicy.cil.raw",
    src: ":microdroid_vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    installable: false,
}

// Versions the raw microdroid vendor policy against the exported system
// policy and checks it together with the plat policy, the microdroid
// plat_pub_versioned.cil and the plat mapping; the plat_pub_versioned content
// is then filtered out so it is not duplicated in vendor_sepolicy.cil.
se_versioned_policy {
    name: "microdroid_vendor_sepolicy.cil",
    stem: "vendor_sepolicy.cil",
    base: ":plat_pub_policy.cil",
    target_policy: ":microdroid_vendor_sepolicy.cil.raw",
    version: "current", // microdroid is bundled to system
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":microdroid_plat_pub_versioned.cil",
        ":plat_mapping_file",
    ],
    filter_out: [":microdroid_plat_pub_versioned.cil"],
    installable: false,
}

sepolicy_vers {
    name: "microdroid_plat_sepolicy_vers.txt",
    version: "platform",
    stem: "plat_sepolicy_vers.txt",
    installable: false,
}