1version := $(version_under_treble_tests) 2 3include $(CLEAR_VARS) 4# For Treble builds run tests verifying that processes are properly labeled and 5# permissions granted do not violate the treble model. Also ensure that treble 6# compatibility guarantees are upheld between SELinux version bumps. 7LOCAL_MODULE := treble_sepolicy_tests_$(version) 8LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered 9LOCAL_LICENSE_CONDITIONS := notice unencumbered 10LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE 11LOCAL_MODULE_CLASS := FAKE 12LOCAL_MODULE_TAGS := optional 13 14# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy 15# make file of the system_ext partition. 16SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR) 17# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy 18# make file of the product partition. 19PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR) 20# BOARD_PLAT_PUB_VERSIONED_POLICY - path_to_plat_pub_versioned_of_vendor 21# plat_pub_versioned.cil should be in 22# $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version) dir. 23# plat_pub_versioned.cil should have platform, system_ext and product sepolicies 24# similar to system/sepolicy/prebuilts/api/$(version/plat_pub_verioned.cil file. 25# In order to enable treble sepolicy tests for platform, system_ext and product 26# sepolicies SYSTEM_EXT_PREBUILT_POLICY , PRODUCT_PREBUILT_POLICY and 27# BOARD_PLAT_PUB_VERSIONED_POLICY should be set. 28IS_TREBLE_TEST_ENABLED_PARTNER := false 29ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),) 30ifneq (,$(BOARD_PLAT_PUB_VERSIONED_POLICY)) 31IS_TREBLE_TEST_ENABLED_PARTNER := true 32endif # (,$(BOARD_PLAT_PUB_VERSIONED_POLICY)) 33endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),) 34 35include $(BUILD_SYSTEM)/base_rules.mk 36 37# $(version)_plat - the platform policy shipped as part of the $(version) release. This is 38# built to enable us to determine the diff between the current policy and the 39# $(version) policy, which will be used in tests to make sure that compatibility has 40# been maintained by our mapping files. 41$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public 42$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private 43ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) 44ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)) 45$(version)_PLAT_PUBLIC_POLICY += \ 46 $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public 47$(version)_PLAT_PRIVATE_POLICY += \ 48 $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private 49endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)) 50ifneq (,$(PRODUCT_PREBUILT_POLICY)) 51$(version)_PLAT_PUBLIC_POLICY += \ 52 $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public 53$(version)_PLAT_PRIVATE_POLICY += \ 54 $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private 55endif # (,$(PRODUCT_PREBUILT_POLICY)) 56endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) 57policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY)) 58$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf 59$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 60$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 61$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user 62$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 63$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 64$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) 65$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 66$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true 67$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) 68$($(version)_plat_policy.conf): $(policy_files) $(M4) 69 $(transform-policy-to-conf) 70 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 71 72policy_files := 73 74built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy 75$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \ 76 $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY)) 77$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 78$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 79 $(HOST_OUT_EXECUTABLES)/secilc \ 80 $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \ 81 $(built_sepolicy_neverallows) 82 @mkdir -p $(dir $@) 83 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 84 $(POLICYVERS) -o $@ $< 85 $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@ 86 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null 87 88$(version)_plat_policy.conf := 89 90# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file 91# targeting the $(version) SELinux release. This ensures that our policy will build 92# when used on a device that has non-platform policy targetting the $(version) release. 93$(version)_compat := $(intermediates)/$(version)_compat 94$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil 95$(version)_mapping.ignore.cil := \ 96 $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil 97$(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version) 98ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) 99ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)) 100$(version)_mapping.cil += \ 101 $(call intermediates-dir-for,ETC,system_ext_$(version).cil)/system_ext_$(version).cil 102$(version)_mapping.ignore.cil += \ 103 $(call intermediates-dir-for,ETC,system_ext_$(version).ignore.cil)/system_ext_$(version).ignore.cil 104endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)) 105ifneq (,$(PRODUCT_PREBUILT_POLICY)) 106$(version)_mapping.cil += \ 107 $(call intermediates-dir-for,ETC,product_$(version).cil)/product_$(version).cil 108$(version)_mapping.ignore.cil += \ 109 $(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil 110endif # (,$(PRODUCT_PREBUILT_POLICY)) 111$(version)_prebuilts_dir := $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version) 112endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true) 113 114# vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace 115# nonplat_sepolicy.cil. 116$(version)_nonplat := $($(version)_prebuilts_dir)/vendor_sepolicy.cil \ 117$($(version)_prebuilts_dir)/plat_pub_versioned.cil 118ifeq (,$(wildcard $($(version)_nonplat))) 119$(version)_nonplat := $($(version)_prebuilts_dir)/nonplat_sepolicy.cil 120endif 121 122cil_files := $(built_plat_cil) 123ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) 124ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY) 125cil_files += $(built_system_ext_cil) 126endif # (,$(SYSTEM_EXT_PREBUILT_POLICY) 127ifneq (,$(PRODUCT_PREBUILT_POLICY) 128cil_files += $(built_product_cil) 129endif # (,$(PRODUCT_PREBUILT_POLICY) 130endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) 131cil_files += $($(version)_mapping.cil) $($(version)_nonplat) 132$($(version)_compat): PRIVATE_CIL_FILES := $(cil_files) 133$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc $(cil_files) 134 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \ 135 $(PRIVATE_CIL_FILES) -o $@ -f /dev/null 136 137# $(version)_mapping.combined.cil - a combination of the mapping file used when 138# combining the current platform policy with nonplatform policy based on the 139# $(version) policy release and also a special ignored file that exists purely for 140# these tests. 141$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil 142$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil) 143 mkdir -p $(dir $@) 144 cat $^ > $@ 145 146ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) 147built_sepolicy_files := $(built_product_sepolicy) 148public_cil_files := $(base_product_pub_policy.cil) 149else 150built_sepolicy_files := $(built_plat_sepolicy) 151public_cil_files := $(base_plat_pub_policy.cil) 152endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true) 153$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args) 154$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 155$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy) 156$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil) 157$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files) 158$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files) 159$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := 160ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true) 161# TODO(b/113124961): remove fake-treble 162$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble 163endif # PRODUCT_FULL_TREBLE_OVERRIDE = true 164$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \ 165 $(all_fc_files) $(built_sepolicy) \ 166 $(built_sepolicy_files) \ 167 $(public_cil_files) \ 168 $(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil) 169 @mkdir -p $(dir $@) 170 $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \ 171 $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \ 172 -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \ 173 -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \ 174 -u $(PRIVATE_PLAT_PUB_SEPOLICY) \ 175 $(PRIVATE_FAKE_TREBLE) 176 $(hide) touch $@ 177 178$(version)_SYSTEM_EXT_PUBLIC_POLICY := 179$(version)_SYSTEM_EXT_PRIVATE_POLICY := 180$(version)_PRODUCT_PUBLIC_POLICY := 181$(version)_PRODUCT_PRIVATE_POLICY := 182$(version)_PLAT_PUBLIC_POLICY := 183$(version)_PLAT_PRIVATE_POLICY := 184built_sepolicy_files := 185public_cil_files := 186cil_files := 187$(version)_compat := 188$(version)_mapping.cil := 189$(version)_mapping.combined.cil := 190$(version)_mapping.ignore.cil := 191$(version)_nonplat := 192$(version)_prebuilts_dir := 193built_$(version)_plat_sepolicy := 194version := 195version_under_treble_tests := 196