LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

# Passed to m4 as force_permissive_to_unconfined.
#
# While policy is under active development this should stay false, so
# that a domain declared permissive really is permissive.  Once policy
# development is frozen for a release it is flipped to true, which builds
# every permissive domain as unconfined+enforcing instead.  It is
# currently set to true.
FORCE_PERMISSIVE_TO_UNCONFINED := true

# User builds are always built with permissive domains forced to
# unconfined+enforcing, whatever the value above.
ifeq ($(TARGET_BUILD_VARIANT),user)
  FORCE_PERMISSIVE_TO_UNCONFINED := true
endif

# Kernel policy version handed to checkpolicy -c.
# Must be <= /selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
# ?= so the environment or command line can override it.
POLICYVERS ?= 26

# MLS dimensions, passed to m4 as mls_num_sens / mls_num_cats.
MLS_SENS := 1
MLS_CATS := 1024
28
# Quick edge case error detection for BOARD_SEPOLICY_REPLACE.
# Builds the singular path for each replace file.
#
# For every file name in BOARD_SEPOLICY_REPLACE the build is aborted if:
#   - the same name also appears in BOARD_SEPOLICY_UNION (ambiguous);
#   - after removing BOARD_SEPOLICY_IGNORE entries, no copy exists under
#     BOARD_SEPOLICY_DIRS, or more than one copy does;
#   - there is no file of that name in this directory to be replaced.
# Otherwise the single device-side path is appended to
# sepolicy_replace_paths, which build_policy uses below to locate
# replacement files.
#
# _paths and _occurrences are ordinary global variables rewritten by
# $(eval) on every iteration; they are scratch values, not outputs.
sepolicy_replace_paths :=
$(foreach pf, $(BOARD_SEPOLICY_REPLACE), \
  $(if $(filter $(pf), $(BOARD_SEPOLICY_UNION)), \
    $(error Ambiguous request for sepolicy $(pf). Appears in both \
      BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION), \
  ) \
  $(eval _paths := $(filter-out $(BOARD_SEPOLICY_IGNORE), \
  $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))))) \
  $(eval _occurrences := $(words $(_paths))) \
  $(if $(filter 0,$(_occurrences)), \
    $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)), \
  ) \
  $(if $(filter 1, $(_occurrences)), \
    $(eval sepolicy_replace_paths += $(_paths)), \
    $(error Multiple occurrences of replace file $(pf) in $(_paths)) \
  ) \
  $(if $(filter 0, $(words $(wildcard $(addsuffix /$(pf), $(LOCAL_PATH))))), \
    $(error Specified the sepolicy file $(pf) in BOARD_SEPOLICY_REPLACE, \
      but none found in $(LOCAL_PATH)), \
  ) \
)
52
# Quick edge case error detection for BOARD_SEPOLICY_UNION.
# Every requested union file must exist in at least one of the
# BOARD_SEPOLICY_DIRS.  Note that, unlike the replace check,
# BOARD_SEPOLICY_IGNORE is not consulted here: a union file that exists
# only at an ignored path passes this check and is then dropped silently
# by build_policy.
$(foreach pf, $(BOARD_SEPOLICY_UNION), \
  $(if $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))),, \
    $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS))))
61
# Resolves a list of policy file names to the concrete source paths that
# make up the policy, honouring the BOARD_SEPOLICY_REPLACE,
# BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_IGNORE product variables.
# $(1): the policy names to resolve; globs such as *.te are allowed.
#
# For each name:
#   - every file matching it in this directory contributes either its
#     BOARD_SEPOLICY_REPLACE copy (looked up in the directories recorded
#     in sepolicy_replace_paths) or the file from this directory itself;
#   - then every file matching it under BOARD_SEPOLICY_DIRS whose base
#     name is listed in BOARD_SEPOLICY_UNION is appended, in directory
#     order;
#   - anything listed in BOARD_SEPOLICY_IGNORE is removed from the result.
# The output order is the order in which the m4 recipes below concatenate
# the files.  Defined with = because it is a $(call)-style function.
build_policy = $(foreach pattern, $(1), \
  $(filter-out $(BOARD_SEPOLICY_IGNORE), \
    $(foreach base, $(notdir $(wildcard $(addsuffix /$(pattern), $(LOCAL_PATH)))), \
      $(if $(filter $(base), $(BOARD_SEPOLICY_REPLACE)), \
        $(wildcard $(addsuffix $(base), $(sort $(dir $(sepolicy_replace_paths))))), \
        $(LOCAL_PATH)/$(base))) \
    $(foreach candidate, $(wildcard $(addsuffix /$(pattern), $(BOARD_SEPOLICY_DIRS))), \
      $(if $(filter $(notdir $(candidate)), $(BOARD_SEPOLICY_UNION)), $(candidate)))))
81
# The policy source fragments, in the order they are concatenated by m4
# into policy.conf (build_policy preserves this order and the recipes
# pass $^ to m4).  Keep the order: presumably checkpolicy needs the
# declarations near the top before the rules that use them.  *.te is left
# as a literal glob here and expanded by $(wildcard) at resolution time.
sepolicy_build_files := \
    security_classes \
    initial_sids \
    access_vectors \
    global_macros \
    mls_macros \
    mls \
    policy_capabilities \
    te_macros \
    attributes \
    *.te \
    roles \
    users \
    initial_sid_contexts \
    fs_use \
    genfs_contexts \
    port_contexts
98
99##################################
100include $(CLEAR_VARS)
101
102LOCAL_MODULE := sepolicy
103LOCAL_MODULE_CLASS := ETC
104LOCAL_MODULE_TAGS := optional
105LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
106
107include $(BUILD_SYSTEM)/base_rules.mk
108
109sepolicy_policy.conf := $(intermediates)/policy.conf
110$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
111$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
112$(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
113	@mkdir -p $(dir $@)
114	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
115		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
116		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
117		-s $^ > $@
118	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
119
120$(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
121	@mkdir -p $(dir $@)
122	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
123	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit
124
125built_sepolicy := $(LOCAL_BUILT_MODULE)
126sepolicy_policy.conf :=
127
128##################################
129include $(CLEAR_VARS)
130
131LOCAL_MODULE := sepolicy.recovery
132LOCAL_MODULE_CLASS := ETC
133LOCAL_MODULE_TAGS := eng
134
135include $(BUILD_SYSTEM)/base_rules.mk
136
137sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf
138$(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
139$(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
140$(sepolicy_policy_recovery.conf) : $(call build_policy, $(sepolicy_build_files))
141	@mkdir -p $(dir $@)
142	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
143		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
144		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
145		-D target_recovery=true \
146		-s $^ > $@
147
148$(LOCAL_BUILT_MODULE) : $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
149	@mkdir -p $(dir $@)
150	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
151
152built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
153sepolicy_policy_recovery.conf :=
154
155##################################
156include $(CLEAR_VARS)
157
158LOCAL_MODULE := general_sepolicy.conf
159LOCAL_MODULE_CLASS := ETC
160LOCAL_MODULE_TAGS := tests
161
162include $(BUILD_SYSTEM)/base_rules.mk
163
164exp_sepolicy_build_files :=\
165  $(wildcard $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)))
166
167$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
168$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
169$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
170	mkdir -p $(dir $@)
171	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
172		-D target_build_variant=user \
173		-D force_permissive_to_unconfined=true \
174		-s $^ > $@
175	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
176
177GENERAL_SEPOLICY_POLICY.CONF = $(LOCAL_BUILT_MODULE)
178
179exp_sepolicy_build_files :=
180
181##################################
182include $(CLEAR_VARS)
183
184LOCAL_MODULE := file_contexts
185LOCAL_MODULE_CLASS := ETC
186LOCAL_MODULE_TAGS := optional
187LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
188
189include $(BUILD_SYSTEM)/base_rules.mk
190
191ALL_FC_FILES := $(call build_policy, file_contexts)
192
193$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
194$(LOCAL_BUILT_MODULE):  $(ALL_FC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
195	@mkdir -p $(dir $@)
196	$(hide) m4 -s $(ALL_FC_FILES) > $@
197	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@
198
199built_fc := $(LOCAL_BUILT_MODULE)
200
201##################################
202include $(CLEAR_VARS)
203LOCAL_MODULE := seapp_contexts
204LOCAL_MODULE_CLASS := ETC
205LOCAL_MODULE_TAGS := optional
206LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
207
208include $(BUILD_SYSTEM)/base_rules.mk
209
210seapp_contexts.tmp := $(intermediates)/seapp_contexts.tmp
211$(seapp_contexts.tmp): $(call build_policy, seapp_contexts)
212	@mkdir -p $(dir $@)
213	$(hide) m4 -s $^ > $@
214
215$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
216$(LOCAL_BUILT_MODULE) : $(seapp_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkseapp
217	@mkdir -p $(dir $@)
218	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<
219
220built_sc := $(LOCAL_BUILT_MODULE)
221seapp_contexts.tmp :=
222
223##################################
224include $(CLEAR_VARS)
225
226LOCAL_MODULE := property_contexts
227LOCAL_MODULE_CLASS := ETC
228LOCAL_MODULE_TAGS := optional
229LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
230
231include $(BUILD_SYSTEM)/base_rules.mk
232
233ALL_PC_FILES := $(call build_policy, property_contexts)
234
235$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
236$(LOCAL_BUILT_MODULE):  $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
237	@mkdir -p $(dir $@)
238	$(hide) m4 -s $(ALL_PC_FILES) > $@
239	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
240
241built_pc := $(LOCAL_BUILT_MODULE)
242
243##################################
244include $(CLEAR_VARS)
245
246LOCAL_MODULE := service_contexts
247LOCAL_MODULE_CLASS := ETC
248LOCAL_MODULE_TAGS := optional
249LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
250
251include $(BUILD_SYSTEM)/base_rules.mk
252
253ALL_SVC_FILES := $(call build_policy, service_contexts)
254
255$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
256$(LOCAL_BUILT_MODULE):  $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
257	@mkdir -p $(dir $@)
258	$(hide) m4 -s $(ALL_SVC_FILES) > $@
259	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
260
261built_svc := $(LOCAL_BUILT_MODULE)
262
263##################################
264
265##################################
266include $(CLEAR_VARS)
267
268LOCAL_MODULE := selinux-network.sh
269LOCAL_SRC_FILES := $(LOCAL_MODULE)
270LOCAL_MODULE_CLASS := EXECUTABLES
271LOCAL_MODULE_TAGS := optional
272LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)
273
274include $(BUILD_PREBUILT)
275
276##################################
277include $(CLEAR_VARS)
278
279LOCAL_MODULE := mac_permissions.xml
280LOCAL_MODULE_CLASS := ETC
281LOCAL_MODULE_TAGS := optional
282LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
283
284include $(BUILD_SYSTEM)/base_rules.mk
285
286# Build keys.conf
287mac_perms_keys.tmp := $(intermediates)/keys.tmp
288$(mac_perms_keys.tmp) : $(call build_policy, keys.conf)
289	@mkdir -p $(dir $@)
290	$(hide) m4 -s $^ > $@
291
292ALL_MAC_PERMS_FILES := $(call build_policy, $(LOCAL_MODULE))
293
294$(LOCAL_BUILT_MODULE) : $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(ALL_MAC_PERMS_FILES)
295	@mkdir -p $(dir $@)
296	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
297		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(ALL_MAC_PERMS_FILES)
298
299mac_perms_keys.tmp :=
300##################################
301include $(CLEAR_VARS)
302
303LOCAL_MODULE := selinux_version
304LOCAL_MODULE_CLASS := ETC
305LOCAL_MODULE_TAGS := optional
306LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
307
308include $(BUILD_SYSTEM)/base_rules.mk
309$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
310	@mkdir -p $(dir $@)
311	$(hide) echo -n $(BUILD_FINGERPRINT) > $@
312
313##################################
314
315build_policy :=
316sepolicy_build_files :=
317sepolicy_replace_paths :=
318built_sepolicy :=
319built_sc :=
320built_fc :=
321built_pc :=
322built_svc :=
323
324include $(call all-makefiles-under,$(LOCAL_PATH))
325