// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Build rules for the platform (system/sepolicy) SELinux policy: per-partition
// policy.conf / CIL files, the versioned mapping files, the precompiled policy
// with its SHA-256 gating digests, and the policy test targets.
package {
    default_applicable_licenses: ["system_sepolicy_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'filegroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// http://go/android-license-faq
license {
    name: "system_sepolicy_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

// Compile-time policy version for C/C++ modules that opt into these defaults.
cc_defaults {
    name: "selinux_policy_version",
    cflags: ["-DSEPOLICY_VERSION=30"],
}

// For vts_treble_sys_prop_test
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}

// Policy source patterns. Other modules select a partition-specific subset via
// output tags such as ":se_build_files{.plat_private}".
se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "nlmsg_defines",
        "nlmsg_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}

se_build_files {
    name: "sepolicy_technical_debt",
    srcs: ["technical_debt.cil"],
}

phony {
    // Currently used only for aosp_cf_system_x86_64
    // TODO(b/329208946): migrate selinux_policy_system to Soong
    name: "selinux_policy_system_soong",
    required: [
        "plat_bug_map",
        "plat_file_contexts",
        "plat_hwservice_contexts",
        "plat_keystore2_key_contexts",
        "plat_mac_permissions.xml",
        "plat_mapping_file",
        "plat_property_contexts",
        "plat_seapp_contexts",
        "plat_sepolicy.cil",
        "plat_sepolicy_genfs_202504.cil",
        "plat_service_contexts",
        "secilc",
        "plat_29.0.cil",
        "29.0.compat.cil",
        "plat_30.0.cil",
        "30.0.compat.cil",
        "plat_31.0.cil",
        "31.0.compat.cil",
        "plat_32.0.cil",
        "32.0.compat.cil",
        "plat_33.0.cil",
        "33.0.compat.cil",
        "plat_34.0.cil",
        "34.0.compat.cil",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        // When the platform itself is at 202404 there is no separate
        // 202404 mapping/compat pair to ship.
        "202404": [],
        default: [
            "plat_202404.cil",
            "202404.compat.cil",
        ],
    }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        // The digest init compares against the precompiled policy's copy.
        true: ["plat_sepolicy_and_mapping.sha256"],
        default: [],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["plat_tee_service_contexts"],
        default: [],
    }),
}

// Per-partition source lists, expressed as se_build_files output tags.
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
plat_public_policy = [":se_build_files{.plat_public}"]
plat_private_policy = [":se_build_files{.plat_private}"]
system_ext_public_policy = [":se_build_files{.system_ext_public}"]
system_ext_private_policy = [":se_build_files{.system_ext_private}"]
product_public_policy = [":se_build_files{.product_public}"]
product_private_policy = [":se_build_files{.product_private}"]

// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
// This bare-minimum policy needs to be present in all policy.conf files, but
// should not necessarily be exported as part of the public policy.
//
// The rules generated by reqd_policy_mask will allow the compilation of public
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: reqd_mask_policy,
    installable: false,
}

se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    // Only ever used as a filter_out input, never loaded on its own.
    secilc_check: false,
    installable: false,
}

// pub_policy - policy that will be exported to be a part of non-platform
// policy corresponding to this platform version.
//
// This is a limited subset of policy that would not compile in checkpolicy on
// its own.
//
// To get around this limitation, add only the required files from private
// policy, which will generate CIL policy that will then be filtered out by the
// reqd_policy_mask.
//
// There are three pub_policy.cil files below:
// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
// - plat_pub_policy.cil: exported 'system' policy.
//
// Those above files will in turn be used to generate the following versioned cil files:
// - product_mapping_file: the versioned, exported 'product' policy in product partition.
// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
//                           in vendor partition.
//
se_policy_conf {
    name: "pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    vendor: true,
    installable: false,
}

se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    // Drop the reqd_policy_mask rules that were only needed for checkpolicy.
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    vendor: true,
    installable: false,
}

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    system_ext_specific: true,
    installable: false,
}

se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    system_ext_specific: true,
    installable: false,
}

se_policy_conf {
    name: "plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy + reqd_mask_policy,
    installable: false,
}

se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

// plat_policy.conf - A combination of the private and public platform policy
// which will ship with the device.
//
// The platform will always reflect the most recent platform version and is not
// currently being attributized.
se_policy_conf {
    name: "plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy + plat_private_policy,
    installable: false,
}

se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

// userdebug_plat_policy.conf - the userdebug version of plat_sepolicy.cil.
// Built from the same sources as plat_sepolicy.cil but with the userdebug
// build variant, and installed into the debug ramdisk rather than /system.
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy + plat_private_policy,
    build_variant: "userdebug",
    installable: false,
}

se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    debug_ramdisk: true,
    dist: {
        targets: ["droidcore"],
    },
}

// A copy of the userdebug_plat_policy in GSI.
// Disabled unless PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT is set, so the
// debug policy is not installed to system_ext by default.
soong_config_module_type {
    name: "gsi_se_policy_cil",
    module_type: "se_policy_cil",
    config_namespace: "ANDROID",
    bool_variables: [
        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
    ],
    properties: [
        "enabled",
        "installable",
    ],
}

gsi_se_policy_cil {
    name: "system_ext_userdebug_plat_sepolicy.cil",
    stem: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    system_ext_specific: true,
    enabled: false,
    installable: false,
    soong_config_variables: {
        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
            enabled: true,
            installable: true,
        },
    },
}

// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device.
// System_ext policy is not attributized.
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    system_ext_specific: true,
    installable: false,
}

se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    // Rules already carried by plat_sepolicy.cil are filtered out so the
    // system_ext CIL holds only its own additions.
    filter_out: [":plat_sepolicy.cil"],
    remove_line_marker: true,
}

// product_policy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized.
se_policy_conf {
    name: "product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    product_specific: true,
    installable: false,
}

se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    filter_out: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
    ],
    remove_line_marker: true,
}

// policy mapping files
// auto-generate the mapping file for current platform policy, since it needs to
// track platform policy development
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}

se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [
        ":plat_mapping_file",
        ":system_ext_mapping_file",
    ],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}

//////////////////////////////////
// vendor/odm sepolicy
//////////////////////////////////

// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy.cil",
    target_policy: ":pub_policy.cil",
    version: "vendor",
    vendor: true,
}

// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
    name: "vendor_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy +
        [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
        ],
    vendor: true,
    installable: false,
}

se_policy_cil {
    name: "vendor_sepolicy.cil.raw",
    src: ":vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    vendor: true,
    installable: false,
}

se_versioned_policy {
    name: "vendor_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":vendor_sepolicy.cil.raw",
    version: "vendor",
    // The platform CILs the versioned vendor policy is checked together with;
    // the raw CIL above skipped secilc so this is where it gets validated.
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
    ],
    filter_out: [":plat_pub_versioned.cil"],
    vendor: true,
}

// odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
    name: "odm_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy +
        [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    device_specific: true,
    installable: false,
}

se_policy_cil {
    name: "odm_sepolicy.cil.raw",
    src: ":odm_sepolicy.conf",
    // Built on top of vendor policy, so vendor rules are stripped as well.
    filter_out: [
        ":reqd_policy_mask.cil",
        ":vendor_sepolicy.cil",
    ],
    secilc_check: false, // will be done in se_versioned_policy module
    device_specific: true,
    installable: false,
}

se_versioned_policy {
    name: "odm_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":odm_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
        ":vendor_sepolicy.cil",
    ],
    filter_out: [
        ":plat_pub_versioned.cil",
        ":vendor_sepolicy.cil",
    ],
    device_specific: true,
}

//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
//   AND
// - system_ext_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
//   AND
// - product_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
// See system/core/init/selinux.cpp for details.
// If any digest differs, init falls back to compiling the policy from the
// installed CIL files, so a vendor-side precompiled policy built against a
// different system policy is never loaded.
//////////////////////////////////

// Digest over plat_sepolicy.cil followed by plat_mapping_file, in srcs order.
// The same generated file is installed twice: once to /system (below) and once
// next to precompiled_sepolicy (precompiled_sepolicy.*.sha256), and init only
// loads the precompiled policy when the two copies match.
java_genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":plat_sepolicy.cil",
        ":plat_mapping_file",
    ],
    out: ["plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

java_genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":system_ext_sepolicy.cil",
        ":system_ext_mapping_file",
    ],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}

java_genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":product_sepolicy.cil",
        ":product_mapping_file",
    ],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}

// Records the platform policy version the vendor policy was built against.
sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}

// Empty file when BOARD_GENFS_LABELS_VERSION is unset.
genrule {
    name: "genfs_labels_version.txt.gen",
    out: ["genfs_labels_version.txt"],
    cmd: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
        any @ value: "echo " + value + " > $(out)",
        default: "echo > $(out)",
    }),
}

prebuilt_etc {
    name: "genfs_labels_version.txt",
    src: ":genfs_labels_version.txt.gen",
    relative_install_path: "selinux",
    vendor: true,
}

// Installs the precompiled-policy artifacts to odm when BOARD_USES_ODMIMAGE is
// set, otherwise to vendor.
soong_config_module_type {
    name: "precompiled_sepolicy_prebuilts_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}

precompiled_sepolicy_prebuilts_defaults {
    name: "precompiled_sepolicy_prebuilts",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}

//////////////////////////////////
// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

soong_config_module_type {
    name: "precompiled_se_policy_binary",
    module_type: "se_policy_binary",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}

// Every CIL that goes into the precompiled binary policy.
filegroup {
    name: "precompiled_sepolicy_srcs",
    device_common_srcs: [
        ":plat_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":vendor_sepolicy.cil",
        ":odm_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    device_first_srcs: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
        "202504": [":plat_sepolicy_genfs_202504.cil"],
        default: [],
    }),
    // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
    // Useful when some partitions need to be bind mounted across VM boundaries.
    visibility: ["//visibility:public"],
}

precompiled_se_policy_binary {
    name: "precompiled_sepolicy",
    srcs: [
        ":precompiled_sepolicy_srcs",
    ],
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
    // Pull in the neverallow test so the checks run whenever the precompiled
    // policy is built.
    required: [
        "sepolicy_neverallows",
    ],
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

// policy for recovery
se_policy_conf {
    name: "recovery_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy +
        [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    target_recovery: true,
    installable: false,
    recovery: true,
}

se_policy_cil {
    name: "recovery_sepolicy.cil",
    src: ":recovery_sepolicy.conf",
    secilc_check: false, // will be done in se_policy_binary module
    installable: false,
    recovery: true,
}

se_policy_binary {
    name: "sepolicy.recovery",
    srcs: [":recovery_sepolicy.cil"],
    stem: "sepolicy",
    recovery: true,
}

//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
//////////////////////////////////
se_policy_conf {
    name: "general_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy + plat_private_policy,
    build_variant: "user",
    cts: true,
    exclude_build_test: true,
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

//////////////////////////////////
// Base system policy for treble sepolicy tests.
// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
// from system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
// See treble_sepolicy_tests_for_release.mk for more details.
//////////////////////////////////
se_policy_conf {
    name: "base_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy + plat_private_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_plat_sepolicy.cil",
    src: ":base_plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    installable: false,
    secilc_check: false, // done by se_policy_binary
}

se_policy_binary {
    name: "base_plat_sepolicy",
    srcs: [":base_plat_sepolicy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

se_policy_conf {
    name: "base_product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}

se_policy_cil {
    name: "base_product_sepolicy.cil",
    src: ":base_product_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    product_specific: true,
    installable: false,
    secilc_check: false, // done by se_policy_binary
}

se_policy_binary {
    name: "base_product_sepolicy",
    srcs: [":base_product_sepolicy.cil"],
    product_specific: true,
    installable: false,
}

se_policy_conf {
    name: "base_plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy + reqd_mask_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_plat_pub_policy.cil",
    src: ":base_plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

se_policy_conf {
    name: "base_product_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}

se_policy_cil {
    name: "base_product_pub_policy.cil",
    src: ":base_product_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    product_specific: true,
}

// bug_map - Bug tracking information for selinux denials loaded by auditd.
se_build_files {
    name: "bug_map_files",
    srcs: ["bug_map"],
}

se_bug_map {
    name: "plat_bug_map",
    srcs: [":bug_map_files{.plat_private}"],
    stem: "bug_map",
}

se_bug_map {
    name: "system_ext_bug_map",
    srcs: [":bug_map_files{.system_ext_private}"],
    stem: "bug_map",
    system_ext_specific: true,
}

se_bug_map {
    name: "vendor_bug_map",
    srcs: [
        ":bug_map_files{.vendor}",
        ":bug_map_files{.plat_vendor}",
    ],
    // Legacy file name of the vendor partition bug_map.
    stem: "selinux_denial_metadata",
    vendor: true,
}

// Neverallow check over the complete policy of every partition, including the
// vendor and odm sources, so a vendor-side allow rule cannot slip past a
// platform neverallow.
se_neverallow_test {
    name: "sepolicy_neverallows",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy +
        [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
}

//////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
// Additional directories can be specified via Makefile variables:
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////
se_freeze_test {
    name: "se_freeze_test",
}

//////////////////////////////////
// sepolicy_test checks various types of violations, which can't be easily done
// by CIL itself. Refer to tests/sepolicy_tests.py for more detail.
//////////////////////////////////
java_genrule {
    name: "sepolicy_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_test"],
    // The output is only a stamp file; the test result is the exit status of
    // sepolicy_tests.
    cmd: "$(location sepolicy_tests) " +
        "-f $(location :plat_file_contexts) " +
        "-f $(location :vendor_file_contexts) " +
        "-f $(location :system_ext_file_contexts) " +
        "-f $(location :product_file_contexts) " +
        "-f $(location :odm_file_contexts) " +
        "-p $(location :precompiled_sepolicy) && " +
        "touch $(out)",
}

//////////////////////////////////
// TestDevTypeViolations can't run on old devices (V or before)
//////////////////////////////////
soong_config_module_type {
    name: "dev_type_test_genrule",
    module_type: "java_genrule",
    config_namespace: "ANDROID",
    bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
    properties: ["cmd"],
}

// Without CHECK_DEV_TYPE_VIOLATIONS the rule degrades to a bare stamp and
// runs no check at all.
dev_type_test_genrule {
    name: "sepolicy_dev_type_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_dev_type_test"],
    soong_config_variables: {
        CHECK_DEV_TYPE_VIOLATIONS: {
            cmd: "$(location sepolicy_tests) " +
                "-f $(location :plat_file_contexts) " +
                "-f $(location :vendor_file_contexts) " +
                "-f $(location :system_ext_file_contexts) " +
                "-f $(location :product_file_contexts) " +
                "-f $(location :odm_file_contexts) " +
                "-p $(location :precompiled_sepolicy) " +
                "-t TestDevTypeViolations && " +
                "touch $(out)",
            conditions_default: {
                cmd: "touch $(out)",
            },
        },
    },
}

phony {
    name: "selinux_policy_system_ext",
    required: [
        //"ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY" check included in system_ext_pub_policy.cil
        "system_ext_mapping_file",
        //"ifdef HAS_SYSTEM_EXT_SEPOLICY" check included in .cil
        "system_ext_sepolicy.cil",
    ] + [
        //"ifdef HAS_SYSTEM_EXT_SEPOLICY" check included in .cil
        "system_ext_29.0.cil",
        "system_ext_30.0.cil",
        "system_ext_31.0.cil",
        "system_ext_32.0.cil",
        "system_ext_33.0.cil",
        "system_ext_34.0.cil",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "system_ext_202404.cil",
        ],
    }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: ["system_ext_sepolicy_and_mapping.sha256"],
        default: [],
    }) + [
        "system_ext_file_contexts",
        "system_ext_file_contexts_test",
        "system_ext_keystore2_key_contexts",
        "system_ext_hwservice_contexts",
        "system_ext_hwservice_contexts_test",
        "system_ext_property_contexts",
        "system_ext_property_contexts_test",
        "system_ext_seapp_contexts",
        "system_ext_service_contexts",
        "system_ext_service_contexts_test",
        "system_ext_mac_permissions.xml",
        "system_ext_bug_map",
        // $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
        "system_ext_29.0.compat.cil",
        "system_ext_30.0.compat.cil",
        "system_ext_31.0.compat.cil",
        "system_ext_32.0.compat.cil",
        "system_ext_33.0.compat.cil",
        "system_ext_34.0.compat.cil",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "system_ext_202404.compat.cil",
        ],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["system_ext_tee_service_contexts"],
        default: [],
    }),
    system_ext_specific: true,
}

phony {
    name: "selinux_policy_product",
    required: [
        "product_mapping_file",
        "product_sepolicy.cil",
        // "ifdef HAS_PRODUCT_PUBLIC_SEPOLICY" check included in .cil
        "product_29.0.cil",
        "product_30.0.cil",
        "product_31.0.cil",
        "product_32.0.cil",
        "product_33.0.cil",
        "product_34.0.cil",
        "product_file_contexts", // "ifdef HAS_PRODUCT_SEPOLICY_DIR" in Android.mk can be ignored.
        "product_file_contexts_test",
        "product_keystore2_key_contexts",
        "product_hwservice_contexts",
        "product_hwservice_contexts_test",
        "product_property_contexts",
        "product_property_contexts_test",
        "product_seapp_contexts",
        "product_service_contexts",
        "product_service_contexts_test",
        "product_mac_permissions.xml",
    ] + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: ["product_sepolicy_and_mapping.sha256"],
        default: [],
    }) + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "product_202404.cil",
        ],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["product_tee_service_contexts"],
        default: [],
    }),
    product_specific: true,
}

phony {
    name: "selinux_policy_nonsystem",
    required: [
        "selinux_policy_system_ext",
        "selinux_policy_product",
        "selinux_policy_vendor",
        "selinux_policy_odm",
        // Builds an additional userdebug sepolicy into the debug ramdisk.
        "userdebug_plat_sepolicy.cil",
    ],
}

phony {
    name: "selinux_policy_vendor",
    required: [
        "genfs_labels_version.txt",
        "plat_pub_versioned.cil",
        "vendor_sepolicy.cil",
        "plat_sepolicy_vers.txt",
        "vendor_file_contexts",
        "vendor_file_contexts_test",
        "vendor_keystore2_key_contexts",
        "vendor_mac_permissions.xml",
        "vendor_property_contexts",
        "vendor_property_contexts_test",
        "vendor_seapp_contexts",
        "vendor_service_contexts",
        "vendor_service_contexts_test",
        "vendor_hwservice_contexts",
        "vendor_hwservice_contexts_test",
        "vendor_bug_map",
        "vndservice_contexts",
        "vndservice_contexts_test",
    ] + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["vendor_tee_service_contexts"],
        default: [],
    }),
    vendor: true,
}

phony {
    name: "selinux_policy_odm",
    required: [
        "odm_sepolicy.cil",
        "odm_file_contexts",
        "odm_file_contexts_test",
        "odm_seapp_contexts",
        "odm_property_contexts",
        "odm_property_contexts_test",
        "odm_service_contexts",
        "odm_service_contexts_test",
        "odm_hwservice_contexts",
        "odm_hwservice_contexts_test",
        "odm_mac_permissions.xml",
    ] + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        // The precompiled policy ships together with the three digests init
        // compares before loading it.
        true: [
            "precompiled_sepolicy",
            "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
            "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
            "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
        ],
        default: [],
    }),
    device_specific: true,
}

phony {
    name: "selinux_policy_system",
    required: [
        "29.0.compat.cil",
        "30.0.compat.cil",
        "31.0.compat.cil",
        "32.0.compat.cil",
        "33.0.compat.cil",
        "34.0.compat.cil",
        "build_sepolicy",
        "fuzzer_bindings_test",
        "plat_29.0.cil",
        "plat_30.0.cil",
        "plat_31.0.cil",
        "plat_32.0.cil",
        "plat_33.0.cil",
        "plat_34.0.cil",
        "plat_bug_map",
        "plat_file_contexts",
        "plat_file_contexts_data_test",
        "plat_file_contexts_test",
        "plat_hwservice_contexts",
        "plat_hwservice_contexts_test",
        "plat_keystore2_key_contexts",
        "plat_mac_permissions.xml",
        "plat_mapping_file",
        "plat_property_contexts",
        "plat_property_contexts_test",
        "plat_seapp_contexts",
        "plat_sepolicy.cil",
        "plat_sepolicy_genfs_202504.cil",
        "plat_service_contexts",
        "plat_service_contexts_test",
        "searchpolicy",
        "secilc",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "202404.compat.cil",
            "plat_202404.cil",
        ],
    }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: ["plat_sepolicy_and_mapping.sha256"],
        default: [],
    }) + select((
        soong_config_variable("ANDROID", "ASAN_ENABLED"),
        product_variable("selinux_ignore_neverallows"),
    ), {
        // The policy tests are dropped only when BOTH ASAN is enabled and
        // neverallows are ignored; every other combination keeps them.
        (true, true): [],
        (default, default): [
            "sepolicy_compat_test",
            "sepolicy_test",
            "sepolicy_dev_type_test",
            "treble_sepolicy_tests_29.0",
            "treble_sepolicy_tests_30.0",
            "treble_sepolicy_tests_31.0",
            "treble_sepolicy_tests_32.0",
            "treble_sepolicy_tests_33.0",
            "treble_sepolicy_tests_34.0",
        ],
    }) + select((
        soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
        soong_config_variable("ANDROID", "ASAN_ENABLED"),
        product_variable("selinux_ignore_neverallows"),
    ), {
        ("202404", true, true): [],
        (default, true, true): [],
        (default, default, default): [
            "treble_sepolicy_tests_202404",
        ],
    }) + select(soong_config_variable("ANDROID", "RELEASE_BOARD_API_LEVEL_FROZEN"), {
        true: ["se_freeze_test"],
        default: [],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["plat_tee_service_contexts"],
        default: [],
    }),
}

phony {
    name: "selinux_policy",
    required: [
        // Runs checkfc against merged service_contexts files
        "merged_hwservice_contexts_test",
        "merged_service_contexts_test",
        "selinux_policy_nonsystem",
        "selinux_policy_system",
    ],
}

// selinux_policy is a main goal and triggers lots of tests.
// Most tests are FAKE modules, so they aren't triggered on normal builds (e.g. 'm').
// By setting it as droidcore's dependency, the tests will run on normal builds.
phony_rule {
    name: "droidcore",
    phony_deps: ["selinux_policy"],
}

//-----------------------------------------------------------------------------
// TODO - remove this. Keep around until we get the filesystem creation stuff
// taken care of.
//
// The file_contexts.bin is built in the following way:
// 1. Collect all file_contexts files in THIS repository and process them with
//    m4 into a tmp file called file_contexts.local.tmp.
// 2. Collect all device specific file_contexts files and process them with m4
//    into a tmp file called file_contexts.device.tmp.
// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
//    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
// 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp
//    into file_contexts.concat.tmp.
// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
//    file_contexts.bin.
//
// Note: a newline file is placed between each file_context file found to
// ensure a proper build when an fc file is missing an ending newline.
//---
// 1. Collect all file_contexts files in THIS repository and process them with
//    m4 into a tmp file called file_contexts.local.tmp.
java_genrule {
    name: "file_contexts.local.tmp",
    srcs: [
        ":plat_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
    ],
    tools: [
        "m4",
    ],
    out: ["file_contexts.local.tmp"],
    cmd: "$(location m4) --fatal-warnings " +
        "-s $(in) > $(out)",
}

// 2. Collect all device specific file_contexts files and process them with m4
//    into a tmp file called file_contexts.device.tmp.
// Extra m4 definitions from the board config are spliced verbatim into the m4
// command line below, so the value is trusted build configuration.
PRIVATE_ADDITIONAL_M4DEFS = select(soong_config_variable("ANDROID", "ADDITIONAL_M4DEFS"), {
    any @ m4defs: m4defs,
    default: "",
})

java_genrule {
    name: "file_contexts.device.tmp",
    srcs: [
        ":vendor_file_contexts",
        ":odm_file_contexts",
    ],
    tools: [
        "m4",
    ],
    out: ["file_contexts.device.tmp"],
    cmd: "$(location m4) --fatal-warnings " +
        "-s " + PRIVATE_ADDITIONAL_M4DEFS + " $(in) > $(out)",
}

// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
//    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
java_genrule {
    name: "file_contexts.device.sorted.tmp",
    srcs: [
        ":file_contexts.device.tmp",
        ":precompiled_sepolicy",
    ],
    tools: [
        "checkfc",
        "fc_sort",
    ],
    out: ["file_contexts.device.sorted.tmp"],
    // checkfc validates the device entries against the precompiled policy
    // before fc_sort writes the sorted output.
    cmd: "$(location checkfc) " +
        "-e $(location :precompiled_sepolicy) " +
        "$(location :file_contexts.device.tmp) && " +
        "$(location fc_sort) " +
        "-i $(location :file_contexts.device.tmp) " +
        "-o $(out)",
}

// 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp
//    into file_contexts.concat.tmp.
java_genrule {
    name: "file_contexts.concat.tmp",
    srcs: [
        ":file_contexts.local.tmp",
        ":file_contexts.device.sorted.tmp",
    ],
    tools: [
        "m4",
    ],
    out: ["file_contexts.concat.tmp"],
    cmd: "$(location m4) --fatal-warnings " +
        "-s $(location :file_contexts.local.tmp) " +
        "$(location :file_contexts.device.sorted.tmp) > $(out)",
}

// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
//    file_contexts.bin.
java_genrule {
    name: "file_contexts_bin_gen",
    srcs: [
        ":file_contexts.concat.tmp",
        ":precompiled_sepolicy",
    ],
    tools: [
        "checkfc",
        "sefcontext_compile",
    ],
    out: ["file_contexts.bin"],
    // The full (platform + device) file_contexts is re-checked against the
    // precompiled policy before it is compiled to the binary form.
    cmd: "$(location checkfc) " +
        "$(location :precompiled_sepolicy) " +
        "$(location :file_contexts.concat.tmp) && " +
        "$(location sefcontext_compile) " +
        "-o $(out) $(location :file_contexts.concat.tmp)",
}

prebuilt_etc {
    name: "file_contexts.bin",
    src: ":file_contexts_bin_gen",
}