xref: /aosp_15_r20/system/sepolicy/Android.bp (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)

// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package {
    default_applicable_licenses: ["system_sepolicy_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'filegroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// http://go/android-license-faq
license {
    name: "system_sepolicy_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

cc_defaults {
    name: "selinux_policy_version",
    cflags: ["-DSEPOLICY_VERSION=30"],
}

// For vts_treble_sys_prop_test
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}

se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}

se_build_files {
    name: "sepolicy_technical_debt",
    srcs: ["technical_debt.cil"],
}

phony {
    // Currently used only for aosp_cf_system_x86_64
    // TODO(b/329208946): migrate selinux_policy_system to Soong
    name: "selinux_policy_system_soong",
    required: [
        "plat_bug_map",
        "plat_file_contexts",
        "plat_hwservice_contexts",
        "plat_keystore2_key_contexts",
        "plat_mac_permissions.xml",
        "plat_mapping_file",
        "plat_property_contexts",
        "plat_seapp_contexts",
        "plat_sepolicy.cil",
        "plat_sepolicy_genfs_202504.cil",
        "plat_service_contexts",
        "secilc",
        "plat_29.0.cil",
        "29.0.compat.cil",
        "plat_30.0.cil",
        "30.0.compat.cil",
        "plat_31.0.cil",
        "31.0.compat.cil",
        "plat_32.0.cil",
        "32.0.compat.cil",
        "plat_33.0.cil",
        "33.0.compat.cil",
        "plat_34.0.cil",
        "34.0.compat.cil",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "plat_202404.cil",
            "202404.compat.cil",
        ],
    }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: ["plat_sepolicy_and_mapping.sha256"],
        default: [],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["plat_tee_service_contexts"],
        default: [],
    }),
}

reqd_mask_policy = [":se_build_files{.reqd_mask}"]
plat_public_policy = [":se_build_files{.plat_public}"]
plat_private_policy = [":se_build_files{.plat_private}"]
system_ext_public_policy = [":se_build_files{.system_ext_public}"]
system_ext_private_policy = [":se_build_files{.system_ext_private}"]
product_public_policy = [":se_build_files{.product_public}"]
product_private_policy = [":se_build_files{.product_private}"]

// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
// This bare-minimum policy needs to be present in all policy.conf files, but
// should not necessarily be exported as part of the public policy.
//
// The rules generated by reqd_policy_mask will allow the compilation of public
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: reqd_mask_policy,
    installable: false,
}

se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    secilc_check: false,
    installable: false,
}

// pub_policy - policy that will be exported to be a part of non-platform
// policy corresponding to this platform version.
//
// This is a limited subset of policy that would not compile in checkpolicy on
// its own.
//
// To get around this limitation, add only the required files from private
// policy, which will generate CIL policy that will then be filtered out by the
// reqd_policy_mask.
//
// There are three pub_policy.cil files below:
//   - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
//   - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
//   - plat_pub_policy.cil: exported 'system' policy.
//
// Those above files will in turn be used to generate the following versioned cil files:
//   - product_mapping_file: the versioned, exported 'product' policy in product partition.
//   - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
//   - plat_mapping_file: the versioned, exported 'system' policy in system partition.
//   - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
//                             in vendor partition.
//
se_policy_conf {
    name: "pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    vendor: true,
    installable: false,
}

se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    vendor: true,
    installable: false,
}

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    system_ext_specific: true,
    installable: false,
}

se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    system_ext_specific: true,
    installable: false,
}

se_policy_conf {
    name: "plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    installable: false,
}

se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}

// plat_policy.conf - A combination of the private and public platform policy
// which will ship with the device.
//
// The platform will always reflect the most recent platform version and is not
// currently being attributized.
se_policy_conf {
    name: "plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    installable: false,
}

se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "userdebug",
    installable: false,
}

se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    debug_ramdisk: true,
    dist: {
        targets: ["droidcore"],
    },
}

// A copy of the userdebug_plat_policy in GSI.
soong_config_module_type {
    name: "gsi_se_policy_cil",
    module_type: "se_policy_cil",
    config_namespace: "ANDROID",
    bool_variables: [
        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
    ],
    properties: [
        "enabled",
        "installable",
    ],
}

gsi_se_policy_cil {
    name: "system_ext_userdebug_plat_sepolicy.cil",
    stem: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    system_ext_specific: true,
    enabled: false,
    installable: false,
    soong_config_variables: {
        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
            enabled: true,
            installable: true,
        },
    },
}

// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    system_ext_specific: true,
    installable: false,
}

se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    filter_out: [":plat_sepolicy.cil"],
    remove_line_marker: true,
}

// product_policy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized
se_policy_conf {
    name: "product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    product_specific: true,
    installable: false,
}

se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    filter_out: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
    ],
    remove_line_marker: true,
}

// policy mapping files
// auto-generate the mapping file for current platform policy, since it needs to
// track platform policy development
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}

se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [
        ":plat_mapping_file",
        ":system_ext_mapping_file",
    ],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}

//////////////////////////////////
// vendor/odm sepolicy
//////////////////////////////////

// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy.cil",
    target_policy: ":pub_policy.cil",
    version: "vendor",
    vendor: true,
}

// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
// with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
    name: "vendor_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
        ],
    vendor: true,
    installable: false,
}

se_policy_cil {
    name: "vendor_sepolicy.cil.raw",
    src: ":vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    vendor: true,
    installable: false,
}

se_versioned_policy {
    name: "vendor_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":vendor_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
    ],
    filter_out: [":plat_pub_versioned.cil"],
    vendor: true,
}

// odm_policy.cil - the odl sepolicy. This needs attributization and to be combined
// with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
    name: "odm_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    device_specific: true,
    installable: false,
}

se_policy_cil {
    name: "odm_sepolicy.cil.raw",
    src: ":odm_sepolicy.conf",
    filter_out: [
        ":reqd_policy_mask.cil",
        ":vendor_sepolicy.cil",
    ],
    secilc_check: false, // will be done in se_versioned_policy module
    device_specific: true,
    installable: false,
}

se_versioned_policy {
    name: "odm_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":odm_sepolicy.cil.raw",
    version: "vendor",
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
        ":vendor_sepolicy.cil",
    ],
    filter_out: [
        ":plat_pub_versioned.cil",
        ":vendor_sepolicy.cil",
    ],
    device_specific: true,
}

//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
// AND
// - system_ext_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
// AND
// - product_sepolicy_and_mapping.sha256 equals
//   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
java_genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":plat_sepolicy.cil",
        ":plat_mapping_file",
    ],
    out: ["plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

java_genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":system_ext_sepolicy.cil",
        ":system_ext_mapping_file",
    ],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}

java_genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":product_sepolicy.cil",
        ":product_mapping_file",
    ],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}

sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}

genrule {
    name: "genfs_labels_version.txt.gen",
    out: ["genfs_labels_version.txt"],
    cmd: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
        any @ value: "echo " + value + " > $(out)",
        default: "echo > $(out)",
    }),
}

prebuilt_etc {
    name: "genfs_labels_version.txt",
    src: ":genfs_labels_version.txt.gen",
    relative_install_path: "selinux",
    vendor: true,
}

soong_config_module_type {
    name: "precompiled_sepolicy_prebuilts_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}

precompiled_sepolicy_prebuilts_defaults {
    name: "precompiled_sepolicy_prebuilts",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}

//////////////////////////////////
// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

//////////////////////////////////
// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}

soong_config_module_type {
    name: "precompiled_se_policy_binary",
    module_type: "se_policy_binary",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}

filegroup {
    name: "precompiled_sepolicy_srcs",
    device_common_srcs: [
        ":plat_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":vendor_sepolicy.cil",
        ":odm_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    device_first_srcs: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
        "202504": [":plat_sepolicy_genfs_202504.cil"],
        default: [],
    }),
    // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
    // Useful when some partitions need to be bind mounted across VM boundaries.
    visibility: ["//visibility:public"],
}

precompiled_se_policy_binary {
    name: "precompiled_sepolicy",
    srcs: [
        ":precompiled_sepolicy_srcs",
    ],
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
    required: [
        "sepolicy_neverallows",
    ],
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

// policy for recovery
se_policy_conf {
    name: "recovery_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    target_recovery: true,
    installable: false,
    recovery: true,
}

se_policy_cil {
    name: "recovery_sepolicy.cil",
    src: ":recovery_sepolicy.conf",
    secilc_check: false, // will be done in se_policy_binary module
    installable: false,
    recovery: true,
}

se_policy_binary {
    name: "sepolicy.recovery",
    srcs: [":recovery_sepolicy.cil"],
    stem: "sepolicy",
    recovery: true,
}

//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
//////////////////////////////////
se_policy_conf {
    name: "general_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    cts: true,
    exclude_build_test: true,
    dist: {
        targets: ["sepolicy_finalize"],
    },
}

//////////////////////////////////
// Base system policy for treble sepolicy tests.
// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
// with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
// See treble_sepolicy_tests_for_release.mk for more details.
//////////////////////////////////
se_policy_conf {
    name: "base_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_plat_sepolicy.cil",
    src: ":base_plat_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    installable: false,
    secilc_check: false, // done by se_policy_binary
}

se_policy_binary {
    name: "base_plat_sepolicy",
    srcs: [":base_plat_sepolicy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

se_policy_conf {
    name: "base_product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}

se_policy_cil {
    name: "base_product_sepolicy.cil",
    src: ":base_product_sepolicy.conf",
    additional_cil_files: ["private/technical_debt.cil"],
    product_specific: true,
    installable: false,
    secilc_check: false, // done by se_policy_binary
}

se_policy_binary {
    name: "base_product_sepolicy",
    srcs: [":base_product_sepolicy.cil"],
    product_specific: true,
    installable: false,
}

se_policy_conf {
    name: "base_plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
}

se_policy_cil {
    name: "base_plat_pub_policy.cil",
    src: ":base_plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}

se_policy_conf {
    name: "base_product_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}

se_policy_cil {
    name: "base_product_pub_policy.cil",
    src: ":base_product_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    product_specific: true,
}

// bug_map - Bug tracking information for selinux denials loaded by auditd.
se_build_files {
    name: "bug_map_files",
    srcs: ["bug_map"],
}

se_bug_map {
    name: "plat_bug_map",
    srcs: [":bug_map_files{.plat_private}"],
    stem: "bug_map",
}

se_bug_map {
    name: "system_ext_bug_map",
    srcs: [":bug_map_files{.system_ext_private}"],
    stem: "bug_map",
    system_ext_specific: true,
}

se_bug_map {
    name: "vendor_bug_map",
    srcs: [
        ":bug_map_files{.vendor}",
        ":bug_map_files{.plat_vendor}",
    ],
    // Legacy file name of the vendor partition bug_map.
    stem: "selinux_denial_metadata",
    vendor: true,
}

se_neverallow_test {
    name: "sepolicy_neverallows",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
}

//////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
// Additional directories can be specified via Makefile variables:
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////
se_freeze_test {
    name: "se_freeze_test",
}

//////////////////////////////////
// sepolicy_test checks various types of violations, which can't be easily done
// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
//////////////////////////////////
java_genrule {
    name: "sepolicy_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_test"],
    cmd: "$(location sepolicy_tests) " +
        "-f $(location :plat_file_contexts) " +
        "-f $(location :vendor_file_contexts) " +
        "-f $(location :system_ext_file_contexts) " +
        "-f $(location :product_file_contexts) " +
        "-f $(location :odm_file_contexts) " +
        "-p $(location :precompiled_sepolicy) && " +
        "touch $(out)",
}

//////////////////////////////////
// TestDevTypeViolations can't run on old devices (V or before)
//////////////////////////////////

soong_config_module_type {
    name: "dev_type_test_genrule",
    module_type: "java_genrule",
    config_namespace: "ANDROID",
    bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
    properties: ["cmd"],
}

dev_type_test_genrule {
    name: "sepolicy_dev_type_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_dev_type_test"],
    soong_config_variables: {
        CHECK_DEV_TYPE_VIOLATIONS: {
            cmd: "$(location sepolicy_tests) " +
                "-f $(location :plat_file_contexts) " +
                "-f $(location :vendor_file_contexts) " +
                "-f $(location :system_ext_file_contexts) " +
                "-f $(location :product_file_contexts) " +
                "-f $(location :odm_file_contexts) " +
                "-p $(location :precompiled_sepolicy) " +
                "-t TestDevTypeViolations && " +
                "touch $(out)",
            conditions_default: {
                cmd: "touch $(out)",
            },
        },
    },
}

phony {
    name: "selinux_policy_system_ext",
    required: [
        //"ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY" check included in system_ext_pub_policy.cil
        "system_ext_mapping_file",
        //"ifdef HAS_SYSTEM_EXT_SEPOLICY" check included in .cil
        "system_ext_sepolicy.cil",
    ] + [
        //"ifdef HAS_SYSTEM_EXT_SEPOLICY" check included in .cil
        "system_ext_29.0.cil",
        "system_ext_30.0.cil",
        "system_ext_31.0.cil",
        "system_ext_32.0.cil",
        "system_ext_33.0.cil",
        "system_ext_34.0.cil",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "system_ext_202404.cil",
        ],
    }) +
    select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: ["system_ext_sepolicy_and_mapping.sha256"],
        default: [],
    }) + [
        "system_ext_file_contexts",
        "system_ext_file_contexts_test",
        "system_ext_keystore2_key_contexts",
        "system_ext_hwservice_contexts",
        "system_ext_hwservice_contexts_test",
        "system_ext_property_contexts",
        "system_ext_property_contexts_test",
        "system_ext_seapp_contexts",
        "system_ext_service_contexts",
        "system_ext_service_contexts_test",
        "system_ext_mac_permissions.xml",
        "system_ext_bug_map",
        // $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
        "system_ext_29.0.compat.cil",
        "system_ext_30.0.compat.cil",
        "system_ext_31.0.compat.cil",
        "system_ext_32.0.compat.cil",
        "system_ext_33.0.compat.cil",
        "system_ext_34.0.compat.cil",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "system_ext_202404.compat.cil",
        ],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["system_ext_tee_service_contexts"],
        default: [],
    }),
    system_ext_specific: true,
}

phony {
    name: "selinux_policy_product",
    required: [
        "product_mapping_file",
        "product_sepolicy.cil",
        // "ifdef HAS_PRODUCT_PUBLIC_SEPOLICY" check included in .cil
        "product_29.0.cil",
        "product_30.0.cil",
        "product_31.0.cil",
        "product_32.0.cil",
        "product_33.0.cil",
        "product_34.0.cil",
        "product_file_contexts",
        // "ifdef HAS_PRODUCT_SEPOLICY_DIR" in Android.mk can be ignored.
        "product_file_contexts_test",
        "product_keystore2_key_contexts",
        "product_hwservice_contexts",
        "product_hwservice_contexts_test",
        "product_property_contexts",
        "product_property_contexts_test",
        "product_seapp_contexts",
        "product_service_contexts",
        "product_service_contexts_test",
        "product_mac_permissions.xml",
    ] + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: ["product_sepolicy_and_mapping.sha256"],
        default: [],
    }) + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "product_202404.cil",
        ],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["product_tee_service_contexts"],
        default: [],
    }),
    product_specific: true,
}

phony {
    name: "selinux_policy_nonsystem",
    required: [
        "selinux_policy_system_ext",
        "selinux_policy_product",
        "selinux_policy_vendor",
        "selinux_policy_odm",
        // Builds an additional userdebug sepolicy into the debug ramdisk.
        "userdebug_plat_sepolicy.cil",
    ],
}

phony {
    name: "selinux_policy_vendor",
    required: [
        "genfs_labels_version.txt",
        "plat_pub_versioned.cil",
        "vendor_sepolicy.cil",
        "plat_sepolicy_vers.txt",
        "vendor_file_contexts",
        "vendor_file_contexts_test",
        "vendor_keystore2_key_contexts",
        "vendor_mac_permissions.xml",
        "vendor_property_contexts",
        "vendor_property_contexts_test",
        "vendor_seapp_contexts",
        "vendor_service_contexts",
        "vendor_service_contexts_test",
        "vendor_hwservice_contexts",
        "vendor_hwservice_contexts_test",
        "vendor_bug_map",
        "vndservice_contexts",
        "vndservice_contexts_test",
    ] + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["vendor_tee_service_contexts"],
        default: [],
    }),
    vendor: true,
}

phony {
    name: "selinux_policy_odm",
    required: [
        "odm_sepolicy.cil",
        "odm_file_contexts",
        "odm_file_contexts_test",
        "odm_seapp_contexts",
        "odm_property_contexts",
        "odm_property_contexts_test",
        "odm_service_contexts",
        "odm_service_contexts_test",
        "odm_hwservice_contexts",
        "odm_hwservice_contexts_test",
        "odm_mac_permissions.xml",
    ] + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: [
            "precompiled_sepolicy",
            "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
            "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
            "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
        ],
        default: [],
    }),
    device_specific: true,
}

phony {
    name: "selinux_policy_system",
    required: [
        "29.0.compat.cil",
        "30.0.compat.cil",
        "31.0.compat.cil",
        "32.0.compat.cil",
        "33.0.compat.cil",
        "34.0.compat.cil",
        "build_sepolicy",
        "fuzzer_bindings_test",
        "plat_29.0.cil",
        "plat_30.0.cil",
        "plat_31.0.cil",
        "plat_32.0.cil",
        "plat_33.0.cil",
        "plat_34.0.cil",
        "plat_bug_map",
        "plat_file_contexts",
        "plat_file_contexts_data_test",
        "plat_file_contexts_test",
        "plat_hwservice_contexts",
        "plat_hwservice_contexts_test",
        "plat_keystore2_key_contexts",
        "plat_mac_permissions.xml",
        "plat_mapping_file",
        "plat_property_contexts",
        "plat_property_contexts_test",
        "plat_seapp_contexts",
        "plat_sepolicy.cil",
        "plat_sepolicy_genfs_202504.cil",
        "plat_service_contexts",
        "plat_service_contexts_test",
        "searchpolicy",
        "secilc",
    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
        "202404": [],
        default: [
            "202404.compat.cil",
            "plat_202404.cil",
        ],
    }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
        true: ["plat_sepolicy_and_mapping.sha256"],
        default: [],
    }) + select((
        soong_config_variable("ANDROID", "ASAN_ENABLED"),
        product_variable("selinux_ignore_neverallows"),
    ), {
        (true, true): [
        ],
        (default, default): [
            "sepolicy_compat_test",
            "sepolicy_test",
            "sepolicy_dev_type_test",
            "treble_sepolicy_tests_29.0",
            "treble_sepolicy_tests_30.0",
            "treble_sepolicy_tests_31.0",
            "treble_sepolicy_tests_32.0",
            "treble_sepolicy_tests_33.0",
            "treble_sepolicy_tests_34.0",
        ],
    }) + select((
        soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
        soong_config_variable("ANDROID", "ASAN_ENABLED"),
        product_variable("selinux_ignore_neverallows"),
    ), {
        ("202404", true, true): [],
        (default, true, true): [],
        (default, default, default): [
            "treble_sepolicy_tests_202404",
        ],
    }) + select(soong_config_variable("ANDROID", "RELEASE_BOARD_API_LEVEL_FROZEN"), {
        true: ["se_freeze_test"],
        default: [],
    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
        true: ["plat_tee_service_contexts"],
        default: [],
    }),
}

phony {
    name: "selinux_policy",
    required: [
        // Runs checkfc against merged service_contexts files
        "merged_hwservice_contexts_test",
        "merged_service_contexts_test",
        "selinux_policy_nonsystem",
        "selinux_policy_system",
    ],
}

// selinux_policy is a main goal and triggers lots of tests.
// Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm')
// By setting as droidcore's dependency, tests will run on normal builds.
phony_rule {
    name: "droidcore",
    phony_deps: ["selinux_policy"],
}

//-----------------------------------------------------------------------------
// TODO - remove this.   Keep around until we get the filesystem creation stuff
// taken care of.
//
// The file_contexts.bin is built in the following way:
// 1. Collect all file_contexts files in THIS repository and process them with
//    m4 into a tmp file called file_contexts.local.tmp.
// 2. Collect all device specific file_contexts files and process them with m4
//    into a tmp file called file_contexts.device.tmp.
// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
//    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
// 4. Concatenate file_contexts.local.tmp and  file_contexts.device.sorted.tmp
//    into file_contexts.concat.tmp.
// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
//    file_contexts.bin.
//
//  Note: That a newline file is placed between each file_context file found to
//        ensure a proper build when an fc file is missing an ending newline.
//---
// 1. Collect all file_contexts files in THIS repository and process them with
//    m4 into a tmp file called file_contexts.local.tmp.
java_genrule {
    name: "file_contexts.local.tmp",
    srcs: [
        ":plat_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
    ],
    tools: [
        "m4",
    ],
    out: ["file_contexts.local.tmp"],
    cmd: "$(location m4) --fatal-warnings " +
        "-s $(in) > $(out)",
}

// 2. Collect all device specific file_contexts files and process them with m4
//    into a tmp file called file_contexts.device.tmp.
PRIVATE_ADDITIONAL_M4DEFS = select(soong_config_variable("ANDROID", "ADDITIONAL_M4DEFS"), {
    any @ m4defs: m4defs,
    default: "",
})
java_genrule {
    name: "file_contexts.device.tmp",
    srcs: [
        ":vendor_file_contexts",
        ":odm_file_contexts",
    ],
    tools: [
        "m4",
    ],
    out: ["file_contexts.device.tmp"],
    cmd: "$(location m4) --fatal-warnings " +
        "-s " + PRIVATE_ADDITIONAL_M4DEFS +
        " $(in) > $(out)",
}

// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
//    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
java_genrule {
    name: "file_contexts.device.sorted.tmp",
    srcs: [
        ":file_contexts.device.tmp",
        ":precompiled_sepolicy",
    ],
    tools: [
        "checkfc",
        "fc_sort",
    ],
    out: ["file_contexts.device.sorted.tmp"],
    cmd: "$(location checkfc) " +
        "-e $(location :precompiled_sepolicy) " +
        "$(location :file_contexts.device.tmp) && " +
        "$(location fc_sort) " +
        "-i $(location :file_contexts.device.tmp) " +
        "-o $(out)",
}

// 4. Concatenate file_contexts.local.tmp and  file_contexts.device.sorted.tmp
//    into file_contexts.concat.tmp.
java_genrule {
    name: "file_contexts.concat.tmp",
    srcs: [
        ":file_contexts.local.tmp",
        ":file_contexts.device.sorted.tmp",
    ],
    tools: [
        "m4",
    ],
    out: ["file_contexts.concat.tmp"],
    cmd: "$(location m4) --fatal-warnings " +
        "-s $(location :file_contexts.local.tmp) " +
        "$(location :file_contexts.device.sorted.tmp) > $(out)",
}

// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
//    file_contexts.bin.
java_genrule {
    name: "file_contexts_bin_gen",
    srcs: [
        ":file_contexts.concat.tmp",
        ":precompiled_sepolicy",
    ],
    tools: [
        "checkfc",
        "sefcontext_compile",
    ],
    out: ["file_contexts.bin"],
    cmd: "$(location checkfc) " +
        "$(location :precompiled_sepolicy) " +
        "$(location :file_contexts.concat.tmp) && " +
        "$(location sefcontext_compile) " +
        "-o $(out) $(location :file_contexts.concat.tmp)",
}

prebuilt_etc {
    name: "file_contexts.bin",
    src: ":file_contexts_bin_gen",
}