// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Build rules for the platform SELinux policy (system/sepolicy).
//
// Reading guide: the *.conf modules assemble a checkpolicy policy.conf from
// the public/private/vendor policy sources, the *.cil modules compile that to
// CIL, the se_versioned_policy modules attributize/version it for Treble, the
// sha256 genrules produce the digests init uses to decide whether the
// precompiled policy is usable, and the phony "selinux_policy_*" modules at
// the bottom are the per-partition install sets. Anything marked
// `installable: false` is a build intermediate and never lands on the device.

package {
    default_applicable_licenses: ["system_sepolicy_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'filegroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// http://go/android-license-faq
license {
    name: "system_sepolicy_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

// Shared cflags for native tools that need the policy version this tree is
// built for. The value is consumed via the SEPOLICY_VERSION define; keep it in
// sync with whatever tooling in this tree reads that define.
cc_defaults {
    name: "selinux_policy_version",
    cflags: ["-DSEPOLICY_VERSION=30"],
}

// For vts_treble_sys_prop_test. Visibility is deliberately limited to the one
// VTS test that consumes the private property_contexts; widen it only with a
// reason, since private policy is not meant to be a consumable interface.
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}

// The policy source file names collected from every policy directory. Other
// modules pick a partition-specific subset with the ":se_build_files{.<tag>}"
// syntax (see the *_policy variables below). The list follows the checkpolicy
// section order (classes, SIDs and access vectors before rules, contexts
// last); do not reorder it.
se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}

// Hand-written CIL appended verbatim to the compiled platform policy (via
// additional_cil_files below, with the .plat_private tag) for rules that cannot
// be expressed in the .te sources.
se_build_files {
    name: "sepolicy_technical_debt",
    srcs: ["technical_debt.cil"],
}

phony {
    // Currently used only for aosp_cf_system_x86_64
    // TODO(b/329208946): migrate selinux_policy_system to Soong
    //
    // System-partition install set, Soong-only variant of selinux_policy_system
    // (bottom of this file). The plat_<ver>.cil / <ver>.compat.cil pairs are
    // the frozen versioned platform policy and compatibility mappings for each
    // supported vendor policy version. When PLATFORM_SEPOLICY_VERSION is
    // "202404" the matching branch is empty, presumably because the current
    // version needs no separate frozen copy.
    name: "selinux_policy_system_soong",
    required: [
        "plat_bug_map",
        "plat_file_contexts",
        "plat_hwservice_contexts",
        "plat_keystore2_key_contexts",
        "plat_mac_permissions.xml",
        "plat_mapping_file",
        "plat_property_contexts",
        "plat_seapp_contexts",
        "plat_sepolicy.cil",
        "plat_sepolicy_genfs_202504.cil",
        "plat_service_contexts",
        "secilc",
        "plat_29.0.cil",
        "29.0.compat.cil",
        "plat_30.0.cil",
        "30.0.compat.cil",
        "plat_31.0.cil",
        "31.0.compat.cil",
        "plat_32.0.cil",
        "32.0.compat.cil",
        "plat_33.0.cil",
        "33.0.compat.cil",
        "plat_34.0.cil",
        "34.0.compat.cil",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "plat_202404.cil",
            "202404.compat.cil",
        ],
    }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        // Digest that init compares against the copy shipped next to
        // precompiled_sepolicy (see the precompiled sepolicy section below).
        true: ["plat_sepolicy_and_mapping.sha256"],
        default: [],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["plat_tee_service_contexts"],
        default: [],
    }),
}

// Tags selecting a partition-specific subset of se_build_files:
//   reqd_mask                  -> the bare minimum needed to run checkpolicy
//   plat_public                -> platform policy exported to vendor (the API)
//   plat_private               -> platform-internal policy, never exported
//   system_ext_*, product_*    -> the same public/private split per partition
// Which directories each tag maps to is defined by the se_build_files module
// type, not here.
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
plat_public_policy = [":se_build_files{.plat_public}"]
plat_private_policy = [":se_build_files{.plat_private}"]
system_ext_public_policy = [":se_build_files{.system_ext_public}"]
system_ext_private_policy = [":se_build_files{.system_ext_private}"]
product_public_policy = [":se_build_files{.product_public}"]
product_private_policy = [":se_build_files{.product_private}"]

// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
// This bare-minimum policy needs to be present in all policy.conf files, but
// should not necessarily be exported as part of the public policy.
//
// The rules generated by reqd_policy_mask will allow the compilation of public
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: reqd_mask_policy,
    installable: false,
}

// The mask is only ever subtracted from other CIL files (`filter_out` below);
// it is neither installed nor loaded, which is why secilc validation is
// skipped for it.
se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    secilc_check: false,
    installable: false,
}

// pub_policy - policy that will be exported to be a part of non-platform
// policy corresponding to this platform version.
//
// This is a limited subset of policy that would not compile in checkpolicy on
// its own.
//
// To get around this limitation, add only the required files from private
// policy, which will generate CIL policy that will then be filtered out by the
// reqd_policy_mask.
//
// There are three pub_policy.cil files below:
// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
// - plat_pub_policy.cil: exported 'system' policy.
//
// Those above files will in turn be used to generate the following versioned cil files:
// - product_mapping_file: the versioned, exported 'product' policy in product partition.
// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
//   in vendor partition.
//
// NOTE(review): the public policy is the vendor-facing interface. Removing or
// renaming a type/attribute exported here affects every vendor policy built
// against this version; the se_freeze_test further down exists to catch such
// changes after a freeze.
se_policy_conf {
    name: "pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    vendor: true,
    installable: false,
}

// Exported policy of all three partitions, with the reqd_mask scaffolding
// removed again. Not validated on its own (it is not a complete policy).
se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    vendor: true,
    installable: false,
}

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    system_ext_specific: true,
    installable: false,
}

se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    system_ext_specific: true,
    installable: false,
}

se_policy_conf {
    name: "plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    installable: false,
}

se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

// plat_sepolicy.conf - A combination of the private and public platform policy
// which will ship with the device.
//
// The platform will always reflect the most recent platform version and is not
// currently being attributized.
se_policy_conf {
    name: "plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    installable: false,
}

// The compiled platform policy that ships on the device (installable, unlike
// the .conf intermediates) and the base that the system_ext/product deltas
// below are filtered against. Distributed for the sepolicy_finalize (policy
// freeze) target.
se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

// userdebug_plat_sepolicy.conf - the userdebug variant of plat_sepolicy.conf
// (built with build_variant "userdebug", so userdebug-only rules are enabled).
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "userdebug",
    installable: false,
}

// Installed into the debug ramdisk rather than the system image, so a user
// build's on-disk platform policy is unaffected. Security note: this variant
// presumably carries the extra userdebug-only rules, so it must stay confined
// to the debug ramdisk; do not add it to the regular system install sets.
// Whether init refuses it on a non-debuggable boot is decided in init, not here.
se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    debug_ramdisk: true,
    dist: {
        targets: ["droidcore"],
    },
}

// A copy of the userdebug_plat_policy in GSI (installed to system_ext, opt-in
// per product; see the gsi_se_policy_cil module that follows).
// Module type that lets `enabled`/`installable` of an se_policy_cil be driven
// by the ANDROID.PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT soong config bool.
soong_config_module_type {
    name: "gsi_se_policy_cil",
    module_type: "se_policy_cil",
    config_namespace: "ANDROID",
    bool_variables: [
        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
    ],
    properties: [
        "enabled",
        "installable",
    ],
}

// Disabled and non-installable by default. Only products that set
// PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT build and install it, under the
// same file name as the debug-ramdisk copy (`stem`).
// NOTE(review): this places a userdebug-variant policy on system_ext, so the
// flag should only be set for debuggable/GSI products. Nothing in this file
// prevents a user build from setting it; whether init would load it is decided
// in init — confirm before enabling on a new product.
gsi_se_policy_cil {
    name: "system_ext_userdebug_plat_sepolicy.cil",
    stem: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    system_ext_specific: true,
    enabled: false,
    installable: false,
    soong_config_variables: {
        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
            enabled: true,
            installable: true,
        },
    },
}

// system_ext_sepolicy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized.
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    system_ext_specific: true,
    installable: false,
}

// Only the system_ext-specific rules are kept: everything already present in
// plat_sepolicy.cil is filtered out, so the installed file is a delta loaded on
// top of the platform CIL. remove_line_marker drops the source line markers —
// presumably so filter_out compares rule text rather than source positions;
// confirm in the se_policy_cil implementation.
se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    filter_out: [":plat_sepolicy.cil"],
    remove_line_marker: true,
}

// product_sepolicy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized.
se_policy_conf {
    name: "product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    product_specific: true,
    installable: false,
}

// Delta on top of both plat_sepolicy.cil and system_ext_sepolicy.cil (both are
// filtered out), so product only carries rules neither lower layer has.
se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    filter_out: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
    ],
    remove_line_marker: true,
}

// policy mapping files
// auto-generate the mapping file for current platform policy, since it needs to
// track platform policy development
//
// The mapping is generated against the in-tree public policy (version
// "current"). plat_mapping_file is also one of the two inputs of the
// plat_sepolicy_and_mapping.sha256 digest below, so any change here changes the
// value init compares the precompiled policy against.
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

// Mapping for the system_ext public policy, minus what plat_mapping_file already
// covers.
se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}

// Mapping for the product public policy, minus the plat and system_ext mappings.
se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [
        ":plat_mapping_file",
        ":system_ext_mapping_file",
    ],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}

//////////////////////////////////
// vendor/odm sepolicy
//////////////////////////////////

// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
// Versioned with the "vendor" version — the same version string that
// sepolicy_vers writes to plat_sepolicy_vers.txt further down — and installed
// to the vendor partition, so vendor policy and the exported platform policy it
// was built against travel together.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy.cil",
    target_policy: ":pub_policy.cil",
    version: "vendor",
    vendor: true,
}

// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
    name: "vendor_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
        ],
    vendor: true,
    installable: false,
}

// Raw (not yet versioned) vendor CIL with the reqd_policy_mask scaffolding
// removed. It cannot be validated on its own, so secilc runs on the combined
// policy in the se_versioned_policy module below instead.
se_policy_cil {
    name: "vendor_sepolicy.cil.raw",
    src: ":vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    vendor: true,
    installable: false,
}

// Attributizes the raw vendor CIL against the exported public policy and
// validates it. dependent_cils lists the other CIL files the device loads
// alongside it, so the secilc check covers the full combined policy rather than
// the vendor fragment in isolation (whether that check also evaluates
// neverallows depends on the se_versioned_policy implementation — confirm).
// plat_pub_versioned.cil is filtered out so the exported platform rules are not
// duplicated in the installed vendor file.
se_versioned_policy {
    name: "vendor_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":vendor_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
    ],
    filter_out: [":plat_pub_versioned.cil"],
    vendor: true,
}

// odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
// Same inputs as vendor_sepolicy.conf plus the odm policy sources, so odm policy
// can reference vendor-defined types.
se_policy_conf {
    name: "odm_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    device_specific: true,
    installable: false,
}

// Raw odm CIL: the reqd_policy_mask scaffolding and everything already in
// vendor_sepolicy.cil are filtered out, leaving an odm-only delta. Validated in
// the se_versioned_policy module below, not here.
se_policy_cil {
    name: "odm_sepolicy.cil.raw",
    src: ":odm_sepolicy.conf",
    filter_out: [
        ":reqd_policy_mask.cil",
        ":vendor_sepolicy.cil",
    ],
    secilc_check: false, // will be done in se_versioned_policy module
    device_specific: true,
    installable: false,
}

// Attributized odm policy, validated together with every other CIL the device
// loads (dependent_cils), with the exported platform policy and the vendor
// policy filtered out of the installed file.
se_versioned_policy {
    name: "odm_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":odm_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
        ":vendor_sepolicy.cil",
    ],
    filter_out: [
        ":plat_pub_versioned.cil",
        ":vendor_sepolicy.cil",
    ],
    device_specific: true,
}

//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
//   AND
// - system_ext_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
//   AND
// - product_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
// See system/core/init/selinux.cpp for details.
//
// NOTE(review): this is a consistency check (was precompiled_sepolicy built
// from the same system/system_ext/product policy that is booting now?), not an
// authenticity check — nothing in this file signs the digests or the policy.
// Their integrity has to come from the verification of the partitions they live
// on (e.g. AVB/dm-verity, outside this file's control). When the digests do not
// match, init presumably falls back to compiling the CIL files at boot; confirm
// in selinux.cpp.
//////////////////////////////////
// SHA-256 over plat_sepolicy.cil followed by plat_mapping_file. `cat $(in)`
// concatenates the inputs in srcs order and `cut` keeps only the hex digest, so
// the order of srcs is part of the contract with init (which recomputes the
// same digest — see selinux.cpp); do not reorder or add inputs without
// changing init in lockstep.
java_genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":plat_sepolicy.cil",
        ":plat_mapping_file",
    ],
    out: ["plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

// The copy of the digest that ships on the system partition (etc/selinux).
prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

// Same construction for system_ext: SHA-256 of system_ext_sepolicy.cil followed
// by system_ext_mapping_file.
java_genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":system_ext_sepolicy.cil",
        ":system_ext_mapping_file",
    ],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}

// Same construction for product: SHA-256 of product_sepolicy.cil followed by
// product_mapping_file.
java_genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":product_sepolicy.cil",
        ":product_mapping_file",
    ],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}

// Records on the vendor partition which policy version the vendor policy was
// built against (the same "vendor" version used by the se_versioned_policy
// modules above).
sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}

// Writes BOARD_GENFS_LABELS_VERSION to a file, or an empty line when the board
// does not set it. The value is interpolated unquoted into a shell command; it
// is a board config constant, so that is acceptable as long as it stays a
// single plain token (the one value this file knows of is "202504").
genrule {
    name: "genfs_labels_version.txt.gen",
    out: ["genfs_labels_version.txt"],
    cmd: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
        any @ value: "echo " + value + " > $(out)",
        default: "echo > $(out)",
    }),
}

prebuilt_etc {
    name: "genfs_labels_version.txt",
    src: ":genfs_labels_version.txt.gen",
    relative_install_path: "selinux",
    vendor: true,
}

// The precompiled policy and its digests live on odm when the board has an odm
// image (BOARD_USES_ODMIMAGE) and on vendor otherwise. These defaults encode
// that choice once so the prebuilt_etc modules below stay in sync with
// precompiled_sepolicy itself.
soong_config_module_type {
    name: "precompiled_sepolicy_prebuilts_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}

precompiled_sepolicy_prebuilts_defaults {
    name: "precompiled_sepolicy_prebuilts",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}

//////////////////////////////////
// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
// which precompiled_policy was built.
//
// Built from the same genrule output as plat_sepolicy_and_mapping.sha256, so
// the two files are identical by construction in a single build. They only
// diverge on a device whose system and vendor/odm images come from different
// builds — which is exactly the case the init comparison exists to detect.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

// se_policy_binary whose partition (vendor vs odm) follows BOARD_USES_ODMIMAGE,
// mirroring precompiled_sepolicy_prebuilts above.
soong_config_module_type {
    name: "precompiled_se_policy_binary",
    module_type: "se_policy_binary",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}

// Every CIL file that makes up the full device policy, in load order. The
// genfs CIL for labels version 202504 is only added when the board opts into
// that version.
filegroup {
    name: "precompiled_sepolicy_srcs",
    device_common_srcs: [
        ":plat_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":vendor_sepolicy.cil",
        ":odm_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    device_first_srcs: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
        "202504": [":plat_sepolicy_genfs_202504.cil"],
        default: [],
    }),
    // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
    // Useful when some partitions need to be bind mounted across VM boundaries.
    // (Public visibility only exposes build-time intermediates to other
    // modules; it does not change what is installed.)
    visibility: ["//visibility:public"],
}

// The fully compiled kernel policy binary, built from every CIL above.
// sepolicy_neverallows is a required dependency, so building the precompiled
// policy also runs the neverallow test over the same sources; a violation
// fails the build rather than shipping.
precompiled_se_policy_binary {
    name: "precompiled_sepolicy",
    srcs: [
        ":precompiled_sepolicy_srcs",
    ],
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
    required: [
        "sepolicy_neverallows",
    ],
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

// policy for recovery
//
// Recovery gets a single monolithic policy built from every partition's
// sources (plat, system_ext, product, vendor, odm) with the recovery target
// flag set, compiled straight to a binary named "sepolicy".
se_policy_conf {
    name: "recovery_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    target_recovery: true,
    installable: false,
    recovery: true,
}

se_policy_cil {
    name: "recovery_sepolicy.cil",
    src: ":recovery_sepolicy.conf",
    secilc_check: false, // will be done in se_policy_binary module
    installable: false,
    recovery: true,
}

se_policy_binary {
    name: "sepolicy.recovery",
    srcs: [":recovery_sepolicy.cil"],
    stem: "sepolicy",
    recovery: true,
}

//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
//
// This must stay the "user" build variant: CTS enforces the neverallows of
// this policy on every device, so building it with userdebug rules here would
// weaken the baseline CTS checks for.
//////////////////////////////////
se_policy_conf {
    name: "general_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    cts: true,
    exclude_build_test: true,
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

//////////////////////////////////
// Base system policy for treble sepolicy tests.
// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
// from system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
// See treble_sepolicy_tests_for_release.mk for more details.
//
// The base_* modules are all user-variant and never installed; they exist only
// as the reference policy the Treble tests compare against.
//////////////////////////////////
se_policy_conf {
    name: "base_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    installable: false,
}

// NOTE(review): unlike plat_sepolicy.cil, this appends the literal
// private/technical_debt.cil rather than ":sepolicy_technical_debt{.plat_private}".
// Presumably intentional (the base policy should not pick up board-extended
// private directories); confirm the two resolve to the same file for AOSP.
se_policy_cil {
    name: "base_plat_sepolicy.cil",
    src: ":base_plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    installable: false,
    secilc_check: false, // done by se_policy_binary
}

se_policy_binary {
    name: "base_plat_sepolicy",
    srcs: [":base_plat_sepolicy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

se_policy_conf {
    name: "base_product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}

se_policy_cil {
    name: "base_product_sepolicy.cil",
    src: ":base_product_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    product_specific: true,
    installable: false,
    secilc_check: false, // done by se_policy_binary
}

se_policy_binary {
    name: "base_product_sepolicy",
    srcs: [":base_product_sepolicy.cil"],
    product_specific: true,
    installable: false,
}

// User-variant counterpart of plat_pub_policy.conf for the Treble tests.
se_policy_conf {
    name: "base_plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_plat_pub_policy.cil",
    src: ":base_plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

// User-variant counterpart of pub_policy.conf for the Treble tests.
se_policy_conf {
    name: "base_product_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}

se_policy_cil {
    name: "base_product_pub_policy.cil",
    src: ":base_product_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    product_specific: true,
}

// bug_map - Bug tracking information for selinux denials loaded by auditd.
se_build_files {
    name: "bug_map_files",
    srcs: ["bug_map"],
}

se_bug_map {
    name: "plat_bug_map",
    srcs: [":bug_map_files{.plat_private}"],
    stem: "bug_map",
}

se_bug_map {
    name: "system_ext_bug_map",
    srcs: [":bug_map_files{.system_ext_private}"],
    stem: "bug_map",
    system_ext_specific: true,
}

se_bug_map {
    name: "vendor_bug_map",
    srcs: [
        ":bug_map_files{.vendor}",
        ":bug_map_files{.plat_vendor}",
    ],
    // Legacy file name of the vendor partition bug_map.
    stem: "selinux_denial_metadata",
    vendor: true,
}

// Neverallow check over the complete policy (every partition's public and
// private sources plus vendor and odm). Required by precompiled_sepolicy, so
// it runs whenever the shipping policy is built.
se_neverallow_test {
    name: "sepolicy_neverallows",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
}

//////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
// Additional directories can be specified via Makefile variables:
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////
se_freeze_test {
    name: "se_freeze_test",
}

//////////////////////////////////
// sepolicy_test checks various types of violations, which can't be easily done
// by CIL itself. Refer to tests/sepolicy_tests.py for more detail.
//////////////////////////////////
// Runs sepolicy_tests against every partition's file_contexts and the
// precompiled policy; the output is only a stamp file touched on success, so
// a failing test fails the build.
java_genrule {
    name: "sepolicy_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_test"],
    cmd: "$(location sepolicy_tests) " +
        "-f $(location :plat_file_contexts) " +
        "-f $(location :vendor_file_contexts) " +
        "-f $(location :system_ext_file_contexts) " +
        "-f $(location :product_file_contexts) " +
        "-f $(location :odm_file_contexts) " +
        "-p $(location :precompiled_sepolicy) && " +
        "touch $(out)",
}

//////////////////////////////////
// TestDevTypeViolations can't run on old devices (V or before)
//////////////////////////////////

soong_config_module_type {
    name: "dev_type_test_genrule",
    module_type: "java_genrule",
    config_namespace: "ANDROID",
    bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
    properties: ["cmd"],
}

// Same inputs as sepolicy_test, but only the TestDevTypeViolations case, and
// only when CHECK_DEV_TYPE_VIOLATIONS is set. Otherwise the rule degrades to a
// bare `touch $(out)`: the stamp is produced without running anything, so a
// passing build says nothing about dev type violations on such products.
dev_type_test_genrule {
    name: "sepolicy_dev_type_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_dev_type_test"],
    soong_config_variables: {
        CHECK_DEV_TYPE_VIOLATIONS: {
            cmd: "$(location sepolicy_tests) " +
                "-f $(location :plat_file_contexts) " +
                "-f $(location :vendor_file_contexts) " +
                "-f $(location :system_ext_file_contexts) " +
                "-f $(location :product_file_contexts) " +
                "-f $(location :odm_file_contexts) " +
                "-p $(location :precompiled_sepolicy) " +
                "-t TestDevTypeViolations && " +
                "touch $(out)",
            conditions_default: {
                cmd: "touch $(out)",
            },
        },
    },
}

// system_ext install set: the mapping and policy delta, the frozen
// system_ext_<ver>.cil / .compat.cil prebuilts per supported version, the
// *_contexts files with their tests, and the digest when precompiled policy
// is enabled.
phony {
    name: "selinux_policy_system_ext",
    required: [
        //"ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY" check included in system_ext_pub_policy.cil
        "system_ext_mapping_file",
        //"ifdef HAS_SYSTEM_EXT_SEPOLICY" check included in .cil
        "system_ext_sepolicy.cil",
    ] + [
        //"ifdef HAS_SYSTEM_EXT_SEPOLICY" check included in .cil
        "system_ext_29.0.cil",
        "system_ext_30.0.cil",
        "system_ext_31.0.cil",
        "system_ext_32.0.cil",
        "system_ext_33.0.cil",
        "system_ext_34.0.cil",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "system_ext_202404.cil",
        ],
    }) +
    select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: ["system_ext_sepolicy_and_mapping.sha256"],
        default: [],
    }) + [
        "system_ext_file_contexts",
        "system_ext_file_contexts_test",
        "system_ext_keystore2_key_contexts",
        "system_ext_hwservice_contexts",
        "system_ext_hwservice_contexts_test",
        "system_ext_property_contexts",
        "system_ext_property_contexts_test",
        "system_ext_seapp_contexts",
        "system_ext_service_contexts",
        "system_ext_service_contexts_test",
        "system_ext_mac_permissions.xml",
        "system_ext_bug_map",
        // $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
        "system_ext_29.0.compat.cil",
        "system_ext_30.0.compat.cil",
        "system_ext_31.0.compat.cil",
        "system_ext_32.0.compat.cil",
        "system_ext_33.0.compat.cil",
        "system_ext_34.0.compat.cil",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "system_ext_202404.compat.cil",
        ],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["system_ext_tee_service_contexts"],
        default: [],
    }),
    system_ext_specific: true,
}

// product install set, same shape as selinux_policy_system_ext.
phony {
    name: "selinux_policy_product",
    required: [
        "product_mapping_file",
        "product_sepolicy.cil",
        // "ifdef HAS_PRODUCT_PUBLIC_SEPOLICY" check included in .cil
        "product_29.0.cil",
        "product_30.0.cil",
        "product_31.0.cil",
        "product_32.0.cil",
        "product_33.0.cil",
        "product_34.0.cil",
        "product_file_contexts",
        // "ifdef HAS_PRODUCT_SEPOLICY_DIR" in Android.mk can be ignored.
        "product_file_contexts_test",
        "product_keystore2_key_contexts",
        "product_hwservice_contexts",
        "product_hwservice_contexts_test",
        "product_property_contexts",
        "product_property_contexts_test",
        "product_seapp_contexts",
        "product_service_contexts",
        "product_service_contexts_test",
        "product_mac_permissions.xml",
    ] + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: ["product_sepolicy_and_mapping.sha256"],
        default: [],
    }) + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "product_202404.cil",
        ],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["product_tee_service_contexts"],
        default: [],
    }),
    product_specific: true,
}

// Umbrella for everything outside the system partition. Note that it also
// pulls in the userdebug platform policy (debug ramdisk), which is the one
// non-system artifact here that is not partition policy.
phony {
    name: "selinux_policy_nonsystem",
    required: [
        "selinux_policy_system_ext",
        "selinux_policy_product",
        "selinux_policy_vendor",
        "selinux_policy_odm",
        // Builds an additional userdebug sepolicy into the debug ramdisk.
        "userdebug_plat_sepolicy.cil",
    ],
}

// vendor install set: versioned exported platform policy, the vendor policy,
// the version/genfs-labels marker files and the vendor *_contexts with tests.
phony {
    name: "selinux_policy_vendor",
    required: [
        "genfs_labels_version.txt",
        "plat_pub_versioned.cil",
        "vendor_sepolicy.cil",
        "plat_sepolicy_vers.txt",
        "vendor_file_contexts",
        "vendor_file_contexts_test",
        "vendor_keystore2_key_contexts",
        "vendor_mac_permissions.xml",
        "vendor_property_contexts",
        "vendor_property_contexts_test",
        "vendor_seapp_contexts",
        "vendor_service_contexts",
        "vendor_service_contexts_test",
        "vendor_hwservice_contexts",
        "vendor_hwservice_contexts_test",
        "vendor_bug_map",
        "vndservice_contexts",
        "vndservice_contexts_test",
    ] + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["vendor_tee_service_contexts"],
        default: [],
    }),
    vendor: true,
}

// odm install set. The precompiled policy and its three digests are listed
// here regardless of BOARD_USES_ODMIMAGE; the modules themselves decide
// whether they land on odm or vendor (see precompiled_sepolicy_prebuilts).
phony {
    name: "selinux_policy_odm",
    required: [
        "odm_sepolicy.cil",
        "odm_file_contexts",
        "odm_file_contexts_test",
        "odm_seapp_contexts",
        "odm_property_contexts",
        "odm_property_contexts_test",
        "odm_service_contexts",
        "odm_service_contexts_test",
        "odm_hwservice_contexts",
        "odm_hwservice_contexts_test",
        "odm_mac_permissions.xml",
    ] + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: [
            "precompiled_sepolicy",
            "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
            "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
            "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
        ],
        default: [],
    }),
    device_specific: true,
}

phony {
    name: "selinux_policy_system",
    required: [
        "29.0.compat.cil",
        "30.0.compat.cil",
        "31.0.compat.cil",
        "32.0.compat.cil",
        "33.0.compat.cil",
        "34.0.compat.cil",
        "build_sepolicy",
        "fuzzer_bindings_test",
        "plat_29.0.cil",
        "plat_30.0.cil",
"plat_31.0.cil", 1156 "plat_32.0.cil", 1157 "plat_33.0.cil", 1158 "plat_34.0.cil", 1159 "plat_bug_map", 1160 "plat_file_contexts", 1161 "plat_file_contexts_data_test", 1162 "plat_file_contexts_test", 1163 "plat_hwservice_contexts", 1164 "plat_hwservice_contexts_test", 1165 "plat_keystore2_key_contexts", 1166 "plat_mac_permissions.xml", 1167 "plat_mapping_file", 1168 "plat_property_contexts", 1169 "plat_property_contexts_test", 1170 "plat_seapp_contexts", 1171 "plat_sepolicy.cil", 1172 "plat_sepolicy_genfs_202504.cil", 1173 "plat_service_contexts", 1174 "plat_service_contexts_test", 1175 "searchpolicy", 1176 "secilc", 1177 ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), { 1178 "202404": [], 1179 default: [ 1180 "202404.compat.cil", 1181 "plat_202404.cil", 1182 ], 1183 }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), { 1184 true: ["plat_sepolicy_and_mapping.sha256"], 1185 default: [], 1186 }) + select(( 1187 soong_config_variable("ANDROID", "ASAN_ENABLED"), 1188 product_variable("selinux_ignore_neverallows"), 1189 ), { 1190 (true, true): [ 1191 ], 1192 (default, default): [ 1193 "sepolicy_compat_test", 1194 "sepolicy_test", 1195 "sepolicy_dev_type_test", 1196 "treble_sepolicy_tests_29.0", 1197 "treble_sepolicy_tests_30.0", 1198 "treble_sepolicy_tests_31.0", 1199 "treble_sepolicy_tests_32.0", 1200 "treble_sepolicy_tests_33.0", 1201 "treble_sepolicy_tests_34.0", 1202 ], 1203 }) + select(( 1204 soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), 1205 soong_config_variable("ANDROID", "ASAN_ENABLED"), 1206 product_variable("selinux_ignore_neverallows"), 1207 ), { 1208 ("202404", true, true): [], 1209 (default, true, true): [], 1210 (default, default, default): [ 1211 "treble_sepolicy_tests_202404", 1212 ], 1213 }) + select(soong_config_variable("ANDROID", "RELEASE_BOARD_API_LEVEL_FROZEN"), { 1214 true: ["se_freeze_test"], 1215 default: [], 1216 }) + 
select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), { 1217 true: ["plat_tee_service_contexts"], 1218 default: [], 1219 }), 1220} 1221 1222phony { 1223 name: "selinux_policy", 1224 required: [ 1225 // Runs checkfc against merged service_contexts files 1226 "merged_hwservice_contexts_test", 1227 "merged_service_contexts_test", 1228 "selinux_policy_nonsystem", 1229 "selinux_policy_system", 1230 ], 1231} 1232 1233// selinux_policy is a main goal and triggers lots of tests. 1234// Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm') 1235// By setting as droidcore's dependency, tests will run on normal builds. 1236phony_rule { 1237 name: "droidcore", 1238 phony_deps: ["selinux_policy"], 1239} 1240 1241//----------------------------------------------------------------------------- 1242// TODO - remove this. Keep around until we get the filesystem creation stuff 1243// taken care of. 1244// 1245// The file_contexts.bin is built in the following way: 1246// 1. Collect all file_contexts files in THIS repository and process them with 1247// m4 into a tmp file called file_contexts.local.tmp. 1248// 2. Collect all device specific file_contexts files and process them with m4 1249// into a tmp file called file_contexts.device.tmp. 1250// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on 1251// file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. 1252// 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp 1253// into file_contexts.concat.tmp. 1254// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce 1255// file_contexts.bin. 1256// 1257// Note: That a newline file is placed between each file_context file found to 1258// ensure a proper build when an fc file is missing an ending newline. 1259//--- 1260// 1. Collect all file_contexts files in THIS repository and process them with 1261// m4 into a tmp file called file_contexts.local.tmp. 
// Step 1: m4-process the platform-side file_contexts (plat, system_ext,
// product) into one file. The inputs are passed in the listed order; keep
// that order in mind, since file_contexts entries are order-sensitive.
// `--fatal-warnings` turns any m4 warning into a build failure.
// NOTE(review): java_genrule is used here rather than genrule; the reason is
// not stated in this file.
java_genrule {
    name: "file_contexts.local.tmp",
    srcs: [
        ":plat_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
    ],
    tools: [
        "m4",
    ],
    out: ["file_contexts.local.tmp"],
    cmd: "$(location m4) --fatal-warnings " +
        "-s $(in) > $(out)",
}

// 2. Collect all device specific file_contexts files and process them with m4
//    into a tmp file called file_contexts.device.tmp.
// Extra m4 arguments taken from the ADDITIONAL_M4DEFS soong config variable
// (presumably -D definitions), or the empty string when it is unset. The value
// is spliced verbatim into the shell command below, so it must be a
// well-formed, shell-safe argument string; it comes from build configuration,
// not from untrusted input.
PRIVATE_ADDITIONAL_M4DEFS = select(soong_config_variable("ANDROID", "ADDITIONAL_M4DEFS"), {
    any @ m4defs: m4defs,
    default: "",
})
// Step 2: m4-process the device-side file_contexts (vendor, odm) into one file,
// applying the additional m4 definitions above.
java_genrule {
    name: "file_contexts.device.tmp",
    srcs: [
        ":vendor_file_contexts",
        ":odm_file_contexts",
    ],
    tools: [
        "m4",
    ],
    out: ["file_contexts.device.tmp"],
    cmd: "$(location m4) --fatal-warnings " +
        "-s " + PRIVATE_ADDITIONAL_M4DEFS +
        " $(in) > $(out)",
}

// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
//    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
// Step 3: validate the device file_contexts against the precompiled policy
// (checkfc -e accepts an empty file), then sort it. The `&&` means fc_sort
// only runs if checkfc succeeded, so a malformed device entry fails the build
// instead of producing a sorted file.
java_genrule {
    name: "file_contexts.device.sorted.tmp",
    srcs: [
        ":file_contexts.device.tmp",
        ":precompiled_sepolicy",
    ],
    tools: [
        "checkfc",
        "fc_sort",
    ],
    out: ["file_contexts.device.sorted.tmp"],
    cmd: "$(location checkfc) " +
        "-e $(location :precompiled_sepolicy) " +
        "$(location :file_contexts.device.tmp) && " +
        "$(location fc_sort) " +
        "-i $(location :file_contexts.device.tmp) " +
        "-o $(out)",
}

// 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp
//    into file_contexts.concat.tmp.
// Step 4: m4-concatenate the platform-side file (first) and the sorted
// device-side file (second) into a single file_contexts.
java_genrule {
    name: "file_contexts.concat.tmp",
    srcs: [
        ":file_contexts.local.tmp",
        ":file_contexts.device.sorted.tmp",
    ],
    tools: [
        "m4",
    ],
    out: ["file_contexts.concat.tmp"],
    cmd: "$(location m4) --fatal-warnings " +
        "-s $(location :file_contexts.local.tmp) " +
        "$(location :file_contexts.device.sorted.tmp) > $(out)",
}

// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
//    file_contexts.bin.
// Step 5: validate the merged file_contexts against the precompiled policy
// (no -e here, so unlike step 3 an empty result is presumably not accepted),
// and only on success compile it into the binary file_contexts.bin.
java_genrule {
    name: "file_contexts_bin_gen",
    srcs: [
        ":file_contexts.concat.tmp",
        ":precompiled_sepolicy",
    ],
    tools: [
        "checkfc",
        "sefcontext_compile",
    ],
    out: ["file_contexts.bin"],
    cmd: "$(location checkfc) " +
        "$(location :precompiled_sepolicy) " +
        "$(location :file_contexts.concat.tmp) && " +
        "$(location sefcontext_compile) " +
        "-o $(out) $(location :file_contexts.concat.tmp)",
}

// Installs the generated binary as file_contexts.bin; src is the output of the
// genrule above.
prebuilt_etc {
    name: "file_contexts.bin",
    src: ":file_contexts_bin_gen",
}