xref: /aosp_15_r20/system/sepolicy/microdroid/Android.bp (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
1// Copyright (C) 2021 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15package {
16    // http://go/android-license-faq
17    // A large-scale-change added 'default_applicable_licenses' to import
18    // the below license kinds from "system_sepolicy_license":
19    //   SPDX-license-identifier-Apache-2.0
20    default_applicable_licenses: ["system_sepolicy_license"],
21}
22
// Sources of the full Microdroid platform policy (private + public system
// policy). Consumed in list order by the se_policy_conf modules below
// (microdroid_plat_sepolicy.conf, microdroid_general_sepolicy.conf), so the
// order follows the policy language's declaration order: classes and initial
// SIDs first, then access vectors, macros, MLS, attributes, the type
// enforcement rules, and finally roles/users and the context specifications.
// Do not reorder entries casually.
//
// NOTE(review): the two globs pick up every .te file under system/public and
// system/private automatically; there is no allow-list, so a stray or
// accidentally committed .te file becomes part of the VM's enforced policy.
system_policy_files = [
    "system/private/security_classes",
    "system/private/initial_sids",
    "system/private/access_vectors",
    "system/public/global_macros",
    "system/public/neverallow_macros",
    "system/private/mls_macros",
    "system/private/mls_decl",
    "system/private/mls",
    "system/private/policy_capabilities",
    "system/public/te_macros",
    "system/public/attributes",
    "system/private/attributes",
    "system/public/ioctl_defines",
    "system/public/ioctl_macros",
    "system/public/*.te",
    "system/private/*.te",
    "system/private/roles_decl",
    "system/public/roles",
    "system/private/users",
    "system/private/initial_sid_contexts",
    "system/private/fs_use",
    "system/private/genfs_contexts",
    "system/private/port_contexts",
]
48
// Minimal "required mask" policy skeleton: the classes, SIDs, access vectors,
// MLS, roles and users that every policy fragment must declare to be a valid
// policy on its own. It is compiled into microdroid_reqd_policy_mask.cil,
// which is never installed; it exists only to be subtracted (filter_out) from
// the public and vendor CILs below so those declarations are not duplicated
// when the fragments are combined.
reqd_mask_files = [
    "reqd_mask/security_classes",
    "reqd_mask/initial_sids",
    "reqd_mask/access_vectors",
    "reqd_mask/mls_macros",
    "reqd_mask/mls_decl",
    "reqd_mask/mls",
    "reqd_mask/reqd_mask.te",
    "reqd_mask/roles_decl",
    "reqd_mask/roles",
    "reqd_mask/users",
    "reqd_mask/initial_sid_contexts",
]
62
// Sources of the *public* platform policy: the reqd_mask skeleton plus only
// system/public. Everything listed here is visible to, and may be referenced
// by, the vendor policy (vendor_policy_files below starts from the same set),
// so nothing from system/private may be added to this list — that would leak
// private platform types into the vendor interface.
system_public_policy_files = [
    "reqd_mask/security_classes",
    "reqd_mask/initial_sids",
    "reqd_mask/access_vectors",
    "system/public/global_macros",
    "system/public/neverallow_macros",
    "reqd_mask/mls_macros",
    "reqd_mask/mls_decl",
    "reqd_mask/mls",
    "system/public/te_macros",
    "system/public/attributes",
    "system/public/ioctl_defines",
    "system/public/ioctl_macros",
    "system/public/*.te",
    "reqd_mask/reqd_mask.te",
    "reqd_mask/roles_decl",
    "reqd_mask/roles",
    "system/public/roles",
    "reqd_mask/users",
    "reqd_mask/initial_sid_contexts",
]
84
// Sources of the Microdroid vendor policy: identical to
// system_public_policy_files with vendor/*.te inserted after the public .te
// rules and the reqd_mask rules. The public portion is filtered back out of
// the resulting CIL (see microdroid_vendor_sepolicy.cil.raw), leaving only the
// vendor-specific rules. Keep the shared prefix in sync with
// system_public_policy_files; the glob means any .te file under vendor/ is
// included without an allow-list.
vendor_policy_files = [
    "reqd_mask/security_classes",
    "reqd_mask/initial_sids",
    "reqd_mask/access_vectors",
    "system/public/global_macros",
    "system/public/neverallow_macros",
    "reqd_mask/mls_macros",
    "reqd_mask/mls_decl",
    "reqd_mask/mls",
    "system/public/te_macros",
    "system/public/attributes",
    "system/public/ioctl_defines",
    "system/public/ioctl_macros",
    "system/public/*.te",
    "reqd_mask/reqd_mask.te",
    "vendor/*.te",
    "reqd_mask/roles_decl",
    "reqd_mask/roles",
    "system/public/roles",
    "reqd_mask/users",
    "reqd_mask/initial_sid_contexts",
]
107
// Policy .conf for the reqd_mask skeleton. Build-only (installable: false);
// its sole consumer is microdroid_reqd_policy_mask.cil below.
// mls_cats: 1 must match every other se_policy_conf in this file — all of the
// Microdroid fragments are combined into one binary policy.
se_policy_conf {
    name: "microdroid_reqd_policy_mask.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: reqd_mask_files,
    installable: false,
    mls_cats: 1,
}
115
// CIL form of the reqd_mask skeleton. secilc_check is disabled because this
// CIL is never compiled into a standalone policy: it is used only as a
// filter_out input for the public and vendor CILs.
se_policy_cil {
    name: "microdroid_reqd_policy_mask.cil",
    src: ":microdroid_reqd_policy_mask.conf",
    secilc_check: false,
    installable: false,
}
122
// Full platform policy (.conf) for Microdroid, from system_policy_files
// (private + public). Build flags come from se_policy_conf_flags_defaults,
// the same defaults used by the other fragments so that the pieces agree.
se_policy_conf {
    name: "microdroid_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: system_policy_files,
    installable: false,
    mls_cats: 1,
}
130
// Platform policy as CIL, emitted under the file name plat_sepolicy.cil
// (stem). This fragment is both a direct input to
// microdroid_precompiled_sepolicy and one of the files hashed into
// plat_sepolicy_and_mapping.sha256 below; secilc_check is left at its default
// here, so this CIL is validated on its own.
se_policy_cil {
    name: "microdroid_plat_sepolicy.cil",
    stem: "plat_sepolicy.cil",
    src: ":microdroid_plat_sepolicy.conf",
    installable: false,
}
137
// Public platform policy (.conf), i.e. the part of the platform policy the
// vendor policy is allowed to see. Built from system_public_policy_files,
// which deliberately contains no system/private sources.
se_policy_conf {
    name: "microdroid_plat_pub_policy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: system_public_policy_files,
    installable: false,
    mls_cats: 1,
}
145
// Public platform policy as CIL with the reqd_mask skeleton subtracted.
// Not independently checked with secilc (secilc_check: false); it is only a
// base for the se_versioned_policy modules below, which do the checking once
// the fragments are combined.
se_policy_cil {
    name: "microdroid_plat_pub_policy.cil",
    src: ":microdroid_plat_pub_policy.conf",
    filter_out: [":microdroid_reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
}
153
// Version mapping file for the public policy (mapping: true). version is
// "current" because Microdroid's platform and vendor policy ship together
// (see microdroid_vendor_sepolicy.cil), so no cross-version mapping is
// needed. relative_install_path gives the etc/selinux-relative location
// ("mapping/") used wherever this module is packaged; with installable: false
// it is not placed in the host Android system image — presumably the
// Microdroid image definition pulls it in. Also hashed into
// plat_sepolicy_and_mapping.sha256 below.
se_versioned_policy {
    name: "microdroid_plat_mapping_file",
    base: ":microdroid_plat_pub_policy.cil",
    mapping: true,
    version: "current",
    relative_install_path: "mapping", // etc/selinux/mapping when packaged; not installed here (installable: false)
    installable: false,
}
162
// Versioned public policy, emitted as plat_pub_versioned.cil. base and
// target_policy are the same public CIL because there is only one version
// ("current"). dependent_cils lists the platform policy and mapping file
// that the combined policy is checked against at build time; this is where
// the public fragment (unchecked above) gets validated.
se_versioned_policy {
    name: "microdroid_plat_pub_versioned.cil",
    stem: "plat_pub_versioned.cil",
    base: ":microdroid_plat_pub_policy.cil",
    target_policy: ":microdroid_plat_pub_policy.cil",
    version: "current",
    dependent_cils: [
        ":microdroid_plat_sepolicy.cil",
        ":microdroid_plat_mapping_file",
    ],
    installable: false,
}
175
// Vendor policy (.conf) for Microdroid: public platform policy plus
// vendor/*.te (vendor_policy_files). Uses the same flag defaults and
// mls_cats as the platform fragments so the resulting CILs can be combined.
se_policy_conf {
    name: "microdroid_vendor_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: vendor_policy_files,
    installable: false,
    mls_cats: 1,
}
183
// Raw vendor CIL with the reqd_mask skeleton subtracted. Still contains the
// public platform declarations at this stage; those are removed in
// microdroid_vendor_sepolicy.cil below, which is also where secilc
// validation happens.
se_policy_cil {
    name: "microdroid_vendor_sepolicy.cil.raw",
    src: ":microdroid_vendor_sepolicy.conf",
    filter_out: [":microdroid_reqd_policy_mask.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    installable: false,
}
191
// Final vendor policy, emitted as vendor_sepolicy.cil. Versions the raw vendor
// CIL against the public policy, then filter_out strips the already-versioned
// public declarations (plat_pub_versioned.cil) so that only vendor-specific
// rules remain. dependent_cils provides the platform, versioned-public and
// mapping CILs the combined policy is checked against — the vendor fragment
// is validated here rather than in the .raw module.
se_versioned_policy {
    name: "microdroid_vendor_sepolicy.cil",
    stem: "vendor_sepolicy.cil",
    base: ":microdroid_plat_pub_policy.cil",
    target_policy: ":microdroid_vendor_sepolicy.cil.raw",
    version: "current", // microdroid is bundled to system, so platform and vendor policy are always the same version
    dependent_cils: [
        ":microdroid_plat_sepolicy.cil",
        ":microdroid_plat_pub_versioned.cil",
        ":microdroid_plat_mapping_file",
    ],
    filter_out: [":microdroid_plat_pub_versioned.cil"],
    installable: false,
}
206
// plat_sepolicy_vers.txt for Microdroid, recording the platform policy
// version ("platform"). Build-only here (installable: false).
sepolicy_vers {
    name: "microdroid_plat_sepolicy_vers.txt",
    version: "platform",
    stem: "plat_sepolicy_vers.txt",
    installable: false,
}
213
// Build-identity hash of the platform policy: sha256 over the concatenation
// (in srcs order, with no separator) of plat_sepolicy.cil and the mapping
// file; `cut` keeps only the hex digest from sha256sum's "<hex>  -" output.
// The same digest is installed twice below, as
// plat_sepolicy_and_mapping.sha256 and
// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256, so that the
// boot-time consumer can tell whether microdroid_precompiled_sepolicy was
// built from this exact platform policy — presumably Microdroid's init
// compares the two; confirm against the init code.
// NOTE(review): this is a consistency check, not an integrity check. The hash
// is unsigned and stored next to the data it describes, so it gives no
// tamper-evidence on its own; that must come from whatever integrity
// protection covers the image.
java_genrule {
    name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":microdroid_plat_sepolicy.cil",
        ":microdroid_plat_mapping_file",
    ],
    out: ["microdroid_plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
224
// The platform-policy digest, installed under etc/selinux as
// plat_sepolicy_and_mapping.sha256. This is the "expected" side of the
// precompiled-policy check (see the .sha256_gen module above).
prebuilt_etc {
    name: "microdroid_plat_sepolicy_and_mapping.sha256",
    src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
    filename: "plat_sepolicy_and_mapping.sha256",
    relative_install_path: "selinux",
    installable: false,
}
232
// The same digest again, installed under etc/selinux as
// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 — the "actual" side
// that travels with microdroid_precompiled_sepolicy. Both files come from one
// genrule output, so in this build they are always identical; the check only
// has teeth if the two files can end up coming from different builds.
prebuilt_etc {
    name: "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    relative_install_path: "selinux",
    installable: false,
}
240
// The binary policy loaded in the VM: platform, mapping, versioned-public and
// vendor CILs compiled together. no_full_install: true keeps it out of the
// host Android image; presumably the Microdroid image definition references
// it by name.
se_policy_binary {
    name: "microdroid_precompiled_sepolicy",
    stem: "microdroid_precompiled_sepolicy",
    srcs: [
        ":microdroid_plat_sepolicy.cil",
        ":microdroid_plat_mapping_file",
        ":microdroid_plat_pub_versioned.cil",
        ":microdroid_vendor_sepolicy.cil",
    ],
    no_full_install: true,

    // b/259729287. In Microdroid, su is allowed to be in permissive mode.
    // This is to support fully debuggable VMs on user builds. This is safe
    // because we don't start adbd at all on non-debuggable VMs.
    //
    // NOTE(review): that argument holds only if adbd is the sole way into the
    // su domain. A permissive domain in a user-build policy is unconfined by
    // SELinux (denials are logged, not enforced), so if any other process can
    // transition into su the debuggable/non-debuggable split no longer
    // protects the VM. Confirm that the policy's neverallow rules still limit
    // entry into su to the debuggable path whenever this list is touched, and
    // do not add further domains here without the same analysis.
    permissive_domains_on_user_builds: ["su"],
}
257
// Platform file_contexts for Microdroid: strips '#' comments and empty lines
// from system/private/file_contexts, then sorts with fc_sort so that more
// specific regexes take precedence. The sed pass leaves lines that contained
// only whitespace before a comment, so fc_sort is relied on to ignore those;
// it also treats a '#' anywhere in a line as a comment start, so paths
// containing '#' cannot be expressed here.
// NOTE(review): this command is duplicated verbatim in
// microdroid_vendor_file_contexts.gen; a shared genrule_defaults would keep
// the two from drifting apart.
genrule {
    name: "microdroid_file_contexts.gen",
    srcs: ["system/private/file_contexts"],
    tools: ["fc_sort"],
    out: ["file_contexts"],
    cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
        "$(location fc_sort) -i $(out).tmp -o $(out)",
}
266
// Installs the generated platform file_contexts as
// etc/selinux/plat_file_contexts. no_full_install: true — built for the
// Microdroid image only, not the host Android image.
prebuilt_etc {
    name: "microdroid_file_contexts",
    filename: "plat_file_contexts",
    src: ":microdroid_file_contexts.gen",
    relative_install_path: "selinux",
    no_full_install: true,
}
274
// Vendor file_contexts for Microdroid, processed exactly like
// microdroid_file_contexts.gen (comment/blank-line strip, then fc_sort).
// No prebuilt_etc for it appears in this file; presumably it is packaged by
// the Microdroid vendor image definition elsewhere — verify before relying on
// it being installed.
genrule {
    name: "microdroid_vendor_file_contexts.gen",
    srcs: ["vendor/file_contexts"],
    tools: ["fc_sort"],
    out: ["file_contexts"],
    cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
        "$(location fc_sort) -i $(out).tmp -o $(out)",
}
283
// Installs system/private/property_contexts unchanged as
// etc/selinux/plat_property_contexts. Unlike file_contexts there is no
// comment-stripping or sorting step; the source file is shipped as-is.
prebuilt_etc {
    name: "microdroid_property_contexts",
    filename: "plat_property_contexts",
    src: "system/private/property_contexts",
    relative_install_path: "selinux",
    no_full_install: true,
}
291
// For CTS: a second .conf of the full platform policy (same
// system_policy_files) that, unlike microdroid_plat_sepolicy.conf, does not
// apply se_policy_conf_flags_defaults and sets exclude_build_test, so the
// build-time policy tests are not run against it. It is not what the VM
// loads; the enforced policy is microdroid_precompiled_sepolicy above.
se_policy_conf {
    name: "microdroid_general_sepolicy.conf",
    srcs: system_policy_files,
    exclude_build_test: true,
    installable: false,
    mls_cats: 1,
}
300