# Directory of this makefile. build_policy looks here first for every policy file.
LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

# SELinux policy version, handed to checkpolicy through -c.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
# Assigned with ?= so a value that is already set when this file is read wins.
POLICYVERS ?= 30

# MLS sensitivity and category counts. The policy.conf rules pass them to m4
# as mls_num_sens and mls_num_cats.
MLS_SENS = 1
MLS_CATS = 1024

# Retired BoardConfig variables. BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_IGNORE
# abort the build with $(error); BOARD_SEPOLICY_UNION only warns, because every
# file found in BOARD_SEPOLICY_DIRS is now unioned implicitly.
ifdef BOARD_SEPOLICY_REPLACE
  $(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
endif

ifdef BOARD_SEPOLICY_IGNORE
  $(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
endif

ifdef BOARD_SEPOLICY_UNION
  $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif

# build_policy: turn policy file names into the paths that actually exist.
# $(1): the set of policy file names to look up (globs such as *.te are allowed)
# Each name is looked up in $(LOCAL_PATH) first and then in every directory of
# BOARD_SEPOLICY_DIRS, in that order. $(wildcard) keeps only paths that exist,
# so a name that is missing everywhere expands to nothing rather than failing
# the build.
# Stays a recursive (=) variable because $(1) is bound only when $(call) expands it.
build_policy = $(foreach policy_name,$(1),$(wildcard $(addsuffix /$(policy_name),$(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS))))

# Source files that make up policy.conf. The order is significant: the
# policy.conf rules feed them to m4 as $^, which keeps this order, so the files
# are concatenated exactly as listed here.
sepolicy_build_files := \
    security_classes \
    initial_sids \
    access_vectors \
    global_macros \
    neverallow_macros \
    mls_macros \
    mls \
    policy_capabilities \
    te_macros \
    attributes \
    ioctl_macros \
    *.te \
    roles \
    users \
    initial_sid_contexts \
    fs_use \
    genfs_contexts \
    port_contexts

##################################
# sepolicy: the compiled policy, installed into $(TARGET_ROOT_OUT).
include $(CLEAR_VARS)

LOCAL_MODULE := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

sepolicy_policy.conf := $(intermediates)/policy.conf

# Target-specific copies: the recipe expands them when it runs, so they are
# fixed here with := rather than read from the globals at that point.
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)

# policy.conf is the m4 expansion of every policy source found in $(LOCAL_PATH)
# and BOARD_SEPOLICY_DIRS; -s makes m4 emit line markers for the source files.
# The sed step writes a second file, policy.conf.dontaudit, with every line that
# contains the text "dontaudit" deleted. The match is purely textual: a comment
# mentioning the word is dropped too, and a rule spread over several lines loses
# only the line carrying the keyword.
# NOTE(review): presumably the .dontaudit variant exists so that denials the
# normal policy silences can be logged while debugging - confirm.
$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
	@mkdir -p $(@D)
	$(hide) m4 \
		-D mls_num_sens=$(PRIVATE_MLS_SENS) \
		-D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-s $^ > $@
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# Compile policy.conf with the host checkpolicy (-M: MLS policy, -c: policy
# version). The second invocation compiles the .dontaudit variant into the
# directory of policy.conf, as <module file name>.dontaudit. Neither .dontaudit
# file is a declared target, so make does not track them.
$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(@D)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit

# The context-file modules further down validate against this compiled policy.
built_sepolicy := $(LOCAL_BUILT_MODULE)
sepolicy_policy.conf :=

##################################
# sepolicy.recovery: the same policy sources as sepolicy, expanded with
# target_recovery=true. Tagged "eng"; no LOCAL_MODULE_PATH is set in this
# section. No .dontaudit variant is produced here.
include $(CLEAR_VARS)

LOCAL_MODULE := sepolicy.recovery
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := eng

include $(BUILD_SYSTEM)/base_rules.mk

sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf

$(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)

# policy_recovery.conf differs from policy.conf only by the extra m4 definition
# target_recovery=true; what that changes is decided by the policy sources.
$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
	@mkdir -p $(@D)
	$(hide) m4 \
		-D mls_num_sens=$(PRIVATE_MLS_SENS) \
		-D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-D target_recovery=true \
		-s $^ > $@

# Compile with the host checkpolicy, same flags as the sepolicy module.
$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(@D)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<

# Unlike the other built_* variables, this one is not cleared at the end of the file.
built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
sepolicy_policy_recovery.conf :=

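##################################
# general_sepolicy.conf: a policy.conf built from the files in $(LOCAL_PATH)
# only (BOARD_SEPOLICY_DIRS is not consulted) and with target_build_variant
# fixed to "user", whatever variant is being built. Tagged "tests".
include $(CLEAR_VARS)

LOCAL_MODULE := general_sepolicy.conf
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

# $(wildcard) expands the *.te glob and drops names that do not exist.
exp_sepolicy_build_files := \
  $(wildcard $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)))

$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)

# Same m4 expansion as policy.conf, plus the same textual "dontaudit" strip
# into $@.dontaudit (not a declared target).
$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
	@mkdir -p $(dir $@)
	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=user \
		-s $^ > $@
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# Simple (:=) assignment on purpose. LOCAL_BUILT_MODULE is reassigned by every
# later module, so a recursive (=) assignment would make this name resolve to
# whichever module was defined last before it is read, not to this file.
GENERAL_SEPOLICY_POLICY.CONF := $(LOCAL_BUILT_MODULE)

exp_sepolicy_build_files :=
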
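##################################
# file_contexts: every file_contexts found in $(LOCAL_PATH) and
# BOARD_SEPOLICY_DIRS, concatenated through m4, checked by the host checkfc
# against the compiled sepolicy, installed into $(TARGET_ROOT_OUT).
include $(CLEAR_VARS)

LOCAL_MODULE := file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

ALL_FC_FILES := $(call build_policy, file_contexts)

# Recipes are expanded when they run, after every makefile has been read, so
# the file list is pinned per target instead of reading the global at that
# point. $^ cannot be used: it would also name the policy and checkfc.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(ALL_FC_FILES)

# The merged file is written to $@.tmp and moved to $@ only after checkfc
# accepts it. If checkfc fails, no fresh-looking $@ is left behind, so a rerun
# of the build repeats the check instead of treating the target as up to date.
$(LOCAL_BUILT_MODULE): $(ALL_FC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_FC_FILES) > $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@.tmp
	$(hide) mv -f $@.tmp $@

built_fc := $(LOCAL_BUILT_MODULE)
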
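##################################
# general_file_contexts: the file_contexts from $(LOCAL_PATH) alone, without
# any BOARD_SEPOLICY_DIRS additions. Tagged "tests".
# It is checked against $(built_sepolicy), the policy that includes the board
# directories, not against general_sepolicy.conf.
include $(CLEAR_VARS)

LOCAL_MODULE := general_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)

# $< is $(LOCAL_PATH)/file_contexts. The m4 output goes to $@.tmp and becomes
# $@ only after checkfc accepts it, so a failed check cannot leave a target
# that looks up to date on the next build.
$(LOCAL_BUILT_MODULE): $(addprefix $(LOCAL_PATH)/, file_contexts) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $< > $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@.tmp
	$(hide) mv -f $@.tmp $@

GENERAL_FILE_CONTEXTS := $(LOCAL_BUILT_MODULE)
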
##################################
# seapp_contexts: every seapp_contexts found in $(LOCAL_PATH) and
# BOARD_SEPOLICY_DIRS, merged through m4 into an intermediate file and then
# processed by the host checkseapp, which writes the installed file.
include $(CLEAR_VARS)
LOCAL_MODULE := seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

seapp_contexts.tmp := $(intermediates)/seapp_contexts.tmp

# Merge step: the target only ever comes out of checkseapp, never straight
# from m4.
$(seapp_contexts.tmp): $(call build_policy, seapp_contexts)
	@mkdir -p $(@D)
	$(hide) m4 -s $^ > $@

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)

# checkseapp gets the compiled policy through -p, the merged file as input and
# $@ as its output. This line carries no $(hide) prefix, unlike the other tool
# invocations in this file.
$(LOCAL_BUILT_MODULE): $(seapp_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkseapp
	@mkdir -p $(@D)
	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<

built_sc := $(LOCAL_BUILT_MODULE)
seapp_contexts.tmp :=

##################################
# general_seapp_contexts: the seapp_contexts from $(LOCAL_PATH) alone, without
# any BOARD_SEPOLICY_DIRS additions. Tagged "tests".
# checkseapp still receives $(built_sepolicy), the policy that includes the
# board directories.
include $(CLEAR_VARS)
LOCAL_MODULE := general_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

general_seapp_contexts.tmp := $(intermediates)/general_seapp_contexts.tmp

# Single input, still passed through m4 like the device variant.
$(general_seapp_contexts.tmp): $(LOCAL_PATH)/seapp_contexts
	@mkdir -p $(@D)
	$(hide) m4 -s $^ > $@

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)

# Same checkseapp invocation as the seapp_contexts module; no $(hide) prefix here either.
$(LOCAL_BUILT_MODULE): $(general_seapp_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkseapp
	@mkdir -p $(@D)
	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<

GENERAL_SEAPP_CONTEXTS := $(LOCAL_BUILT_MODULE)
general_seapp_contexts.tmp :=

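##################################
# property_contexts: every property_contexts found in $(LOCAL_PATH) and
# BOARD_SEPOLICY_DIRS, concatenated through m4, checked by the host checkfc
# (-p) against the compiled sepolicy, installed into $(TARGET_ROOT_OUT).
include $(CLEAR_VARS)

LOCAL_MODULE := property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

ALL_PC_FILES := $(call build_policy, property_contexts)

# Recipes are expanded when they run, after every makefile has been read, so
# the file list is pinned per target instead of reading the global at that
# point. $^ cannot be used: it would also name the policy and checkfc.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_PC_FILES := $(ALL_PC_FILES)

# The merged file is written to $@.tmp and moved to $@ only after checkfc
# accepts it. If checkfc fails, no fresh-looking $@ is left behind, so a rerun
# of the build repeats the check instead of treating the target as up to date.
$(LOCAL_BUILT_MODULE): $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_PC_FILES) > $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@.tmp
	$(hide) mv -f $@.tmp $@

built_pc := $(LOCAL_BUILT_MODULE)
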
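##################################
# general_property_contexts: the property_contexts from $(LOCAL_PATH) alone,
# without any BOARD_SEPOLICY_DIRS additions. Tagged "tests".
# It is checked against $(built_sepolicy), the policy that includes the board
# directories, not against general_sepolicy.conf.
include $(CLEAR_VARS)

LOCAL_MODULE := general_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)

# $< is $(LOCAL_PATH)/property_contexts. The m4 output goes to $@.tmp and
# becomes $@ only after checkfc accepts it, so a failed check cannot leave a
# target that looks up to date on the next build.
$(LOCAL_BUILT_MODULE): $(addprefix $(LOCAL_PATH)/, property_contexts) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $< > $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@.tmp
	$(hide) mv -f $@.tmp $@

GENERAL_PROPERTY_CONTEXTS := $(LOCAL_BUILT_MODULE)
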
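##################################
# service_contexts: every service_contexts found in $(LOCAL_PATH) and
# BOARD_SEPOLICY_DIRS, concatenated through m4, checked by the host checkfc
# (-p, as for property_contexts) against the compiled sepolicy, installed into
# $(TARGET_ROOT_OUT).
include $(CLEAR_VARS)

LOCAL_MODULE := service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

ALL_SVC_FILES := $(call build_policy, service_contexts)

# Recipes are expanded when they run, after every makefile has been read, so
# the file list is pinned per target instead of reading the global at that
# point. $^ cannot be used: it would also name the policy and checkfc.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_SVC_FILES := $(ALL_SVC_FILES)

# The merged file is written to $@.tmp and moved to $@ only after checkfc
# accepts it. If checkfc fails, no fresh-looking $@ is left behind, so a rerun
# of the build repeats the check instead of treating the target as up to date.
$(LOCAL_BUILT_MODULE): $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $(PRIVATE_SVC_FILES) > $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@.tmp
	$(hide) mv -f $@.tmp $@

built_svc := $(LOCAL_BUILT_MODULE)
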
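##################################
# general_service_contexts: the service_contexts from $(LOCAL_PATH) alone,
# without any BOARD_SEPOLICY_DIRS additions. Tagged "tests".
# It is checked against $(built_sepolicy), the policy that includes the board
# directories, not against general_sepolicy.conf.
include $(CLEAR_VARS)

LOCAL_MODULE := general_service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)

# $< is $(LOCAL_PATH)/service_contexts. The m4 output goes to $@.tmp and
# becomes $@ only after checkfc accepts it, so a failed check cannot leave a
# target that looks up to date on the next build.
$(LOCAL_BUILT_MODULE): $(addprefix $(LOCAL_PATH)/, service_contexts) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $< > $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@.tmp
	$(hide) mv -f $@.tmp $@

GENERAL_SERVICE_CONTEXTS := $(LOCAL_BUILT_MODULE)
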
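##################################
# mac_permissions.xml: produced by the host insertkeys.py from the merged
# keys.conf and every mac_permissions.xml found in $(LOCAL_PATH) and
# BOARD_SEPOLICY_DIRS. Installed into $(TARGET_OUT_ETC)/security.
include $(CLEAR_VARS)

LOCAL_MODULE := mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security

include $(BUILD_SYSTEM)/base_rules.mk

# Build keys.conf
mac_perms_keys.tmp := $(intermediates)/keys.tmp
$(mac_perms_keys.tmp): $(call build_policy, keys.conf)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $^ > $@

# LOCAL_MODULE doubles as the file name that build_policy searches for.
ALL_MAC_PERMS_FILES := $(call build_policy, $(LOCAL_MODULE))

# Recipes are expanded when they run, after every makefile has been read, so
# the XML file list is pinned per target instead of reading the global then.
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(ALL_MAC_PERMS_FILES)

# insertkeys.py gets the merged keys.conf as $<, the build variant through -t,
# $(TOP) through -c and the XML inputs last. The environment variable
# DEFAULT_SYSTEM_DEV_CERTIFICATE is set to the directory part of the make
# variable of that name, not to the certificate file itself.
# NOTE(review): which certificates land in the output depends on keys.conf, the
# build variant and that directory - confirm for release builds that these do
# not resolve to publicly available development keys.
$(LOCAL_BUILT_MODULE): $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(ALL_MAC_PERMS_FILES)
	@mkdir -p $(dir $@)
	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)

mac_perms_keys.tmp :=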
##################################
# selinux_version: a file in $(TARGET_ROOT_OUT) that holds $(BUILD_FINGERPRINT)
# with no trailing newline (echo -n).
include $(CLEAR_VARS)

LOCAL_MODULE := selinux_version
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# Depends on the compiled policy and the four context files, so the file is
# rewritten whenever any of them is rebuilt.
# NOTE(review): BUILD_FINGERPRINT reaches the shell unquoted; this relies on the
# value holding no whitespace or shell metacharacters - confirm where it is set.
$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
	@mkdir -p $(@D)
	$(hide) echo -n $(BUILD_FINGERPRINT) > $@

##################################

# Clear the helper variables of this file before the makefiles below
# $(LOCAL_PATH) are read. Prerequisite lists and := assignments were expanded
# while this file was parsed, so the rules above keep the values they captured.
# The ALL_*_FILES variables and built_sepolicy_recovery are left set.
build_policy :=
sepolicy_build_files :=

built_sepolicy :=
built_sc :=
built_fc :=
built_pc :=
built_svc :=

include $(call all-makefiles-under,$(LOCAL_PATH))
329