1// Copyright (C) 2018 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
// Package-level default: every module in this directory (and its subpackages)
// is covered by the license declared below unless a target sets its own
// 'licenses' property.
package {
    default_applicable_licenses: ["system_sepolicy_license"],
}
18
19// Added automatically by a large-scale-change that took the approach of
20// 'apply every license found to every target'. While this makes sure we respect
21// every license restriction, it may not be entirely correct.
22//
23// e.g. GPL in an MIT project might only apply to the contrib/ directory.
24//
25// Please consider splitting the single license below into multiple licenses,
26// taking care not to lose any license_kind information, and overriding the
27// default license using the 'licenses: [...]' property on targets as needed.
28//
29// For unused files, consider creating a 'filegroup' with "//visibility:private"
30// to attach the license to, and including a comment whether the files may be
31// used in the current project.
32// http://go/android-license-faq
// License metadata for the sepolicy tree. Only subpackages of this directory
// may reference it (see 'visibility'); the license text is the NOTICE file.
license {
    name: "system_sepolicy_license",
    visibility: [":__subpackages__"],
    // Two kinds are attached because the large-scale change above applied
    // every license found to every target; see the note above this module.
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}
44
// cc_defaults that hand the policy version to native code as a preprocessor
// define. Nothing in this file consumes these defaults; consumers are
// presumably elsewhere in the tree.
cc_defaults {
    name: "selinux_policy_version",
    cflags: ["-DSEPOLICY_VERSION=30"],
}
49
50// For vts_treble_sys_prop_test
// Exposes the private property_contexts source to the VTS system-property
// test only. The explicit 'visibility' keeps this private policy file from
// being referenced by arbitrary modules elsewhere in the tree.
filegroup {
    name: "private_property_contexts",
    srcs: ["private/property_contexts"],
    visibility: [
        "//test/vts-testcase/security/system_property",
    ],
}
58
// The set of policy source file names that make up a policy.conf. The
// per-partition output tags referenced throughout this file
// (e.g. {.plat_private}, {.vendor}, {.odm}) are outputs of this module.
// NOTE(review): the directories these names are looked up in are defined by
// the se_build_files implementation in build/soong, not here; confirm there
// before adding a new file name.
// NOTE(review): the list order presumably is the concatenation order of the
// generated policy.conf, so declarations (classes, sids, access vectors,
// macros, attributes) precede the *.te rules that use them — keep new
// entries in a position consistent with what they depend on.
se_build_files {
    name: "se_build_files",
    srcs: [
        "security_classes",
        "initial_sids",
        "access_vectors",
        "global_macros",
        "neverallow_macros",
        "mls_macros",
        "mls_decl",
        "mls",
        "policy_capabilities",
        "te_macros",
        "attributes",
        "ioctl_defines",
        "ioctl_macros",
        "*.te",
        "roles_decl",
        "roles",
        "users",
        "initial_sid_contexts",
        "fs_use",
        "genfs_contexts",
        "port_contexts",
    ],
}
85
// Extra CIL appended to some platform policies via 'additional_cil_files'
// (see plat_sepolicy.cil below). Exposed with the same per-partition output
// tags as "se_build_files".
se_build_files {
    name: "sepolicy_technical_debt",
    srcs: ["technical_debt.cil"],
}
90
// A 'phony' module type whose 'required' list can vary with two Soong config
// variables in the ANDROID namespace: a bool (PRODUCT_PRECOMPILED_SEPOLICY)
// and a list (PLATFORM_SEPOLICY_COMPAT_VERSIONS).
soong_config_module_type {
    name: "se_phony",
    module_type: "phony",
    config_namespace: "ANDROID",
    bool_variables: ["PRODUCT_PRECOMPILED_SEPOLICY"],
    list_variables: ["PLATFORM_SEPOLICY_COMPAT_VERSIONS"],
    properties: ["required"],
}
99
// Aggregates everything the system partition needs for SELinux into one
// phony target, so a product can depend on a single module.
se_phony {
    // Currently used only for aosp_cf_system_x86_64
    // TODO(b/329208946): migrate selinux_policy_system to Soong
    name: "selinux_policy_system_soong",
    required: [
        "plat_bug_map",
        "plat_file_contexts",
        "plat_hwservice_contexts",
        "plat_keystore2_key_contexts",
        "plat_mac_permissions.xml",
        "plat_mapping_file",
        "plat_property_contexts",
        "plat_seapp_contexts",
        "plat_sepolicy.cil",
        "plat_service_contexts",
        "secilc",
    ],
    soong_config_variables: {
        // One compat mapping pair per listed platform version; '%s' is
        // presumably expanded with each list element (Soong list_variables
        // substitution).
        PLATFORM_SEPOLICY_COMPAT_VERSIONS: {
            required: [
                "plat_%s.cil",
                "%s.compat.cil",
            ],
        },
        // The digest init compares against the vendor-side copy before it
        // will load precompiled_sepolicy (see the "Precompiled sepolicy"
        // section below).
        PRODUCT_PRECOMPILED_SEPOLICY: {
            required: ["plat_sepolicy_and_mapping.sha256"],
        },
    },
}
129
// Convenience lists naming one tagged output of "se_build_files" each. The
// "{.tag}" suffix selects a partition/visibility slice of the policy sources;
// the lists are concatenated with '+' in the se_policy_conf modules below.
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
plat_public_policy = [":se_build_files{.plat_public}"]
plat_private_policy = [":se_build_files{.plat_private}"]
system_ext_public_policy = [":se_build_files{.system_ext_public}"]
system_ext_private_policy = [":se_build_files{.system_ext_private}"]
product_public_policy = [":se_build_files{.product_public}"]
product_private_policy = [":se_build_files{.product_private}"]
137
138// reqd_policy_mask - a policy.conf file which contains only the bare minimum
139// policy necessary to use checkpolicy.
140//
141// This bare-minimum policy needs to be present in all policy.conf files, but
142// should not necessarily be exported as part of the public policy.
143//
144// The rules generated by reqd_policy_mask will allow the compilation of public
145// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
    name: "reqd_policy_mask.conf",
    defaults: ["se_policy_conf_public_flags_defaults"],
    srcs: reqd_mask_policy,
    // Never shipped: it exists only to be compiled into a CIL that other
    // modules subtract via 'filter_out'.
    installable: false,
}
152
// CIL form of the bare-minimum policy above; used purely as a subtraction
// mask by the pub_policy / vendor / odm CILs below.
se_policy_cil {
    name: "reqd_policy_mask.cil",
    src: ":reqd_policy_mask.conf",
    // Not a loadable policy on its own, so the secilc validation is skipped.
    secilc_check: false,
    installable: false,
}
159
160// pub_policy - policy that will be exported to be a part of non-platform
161// policy corresponding to this platform version.
162//
163// This is a limited subset of policy that would not compile in checkpolicy on
164// its own.
165//
166// To get around this limitation, add only the required files from private
167// policy, which will generate CIL policy that will then be filtered out by the
168// reqd_policy_mask.
169//
170// There are three pub_policy.cil files below:
171//   - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
172//   - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
173//   - plat_pub_policy.cil: exported 'system' policy.
174//
// The files above will in turn be used to generate the following versioned cil files:
176//   - product_mapping_file: the versioned, exported 'product' policy in product partition.
177//   - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
178//   - plat_mapping_file: the versioned, exported 'system' policy in system partition.
179//   - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
180//                             in vendor partition.
181//
// Public policy of all three platform partitions (system, system_ext,
// product) plus the required mask so that checkpolicy can parse it.
se_policy_conf {
    name: "pub_policy.conf",
    defaults: ["se_policy_conf_public_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    // Built as the vendor variant; it is the base the vendor/odm policies
    // are versioned against (see plat_pub_versioned.cil).
    vendor: true,
    installable: false,
}
192
// Exported 'product', 'system_ext' and 'system' policy as CIL, with the
// required-mask lines subtracted again.
se_policy_cil {
    name: "pub_policy.cil",
    src: ":pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    // Public policy alone does not compile; validation happens in the
    // versioned/combined modules that consume it.
    secilc_check: false,
    vendor: true,
    installable: false,
}
201
// Public policy of system and system_ext (no product) plus the required mask.
se_policy_conf {
    name: "system_ext_pub_policy.conf",
    defaults: ["se_policy_conf_public_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        reqd_mask_policy,
    system_ext_specific: true,
    installable: false,
}
211
// Exported 'system_ext' and 'system' policy as CIL; feeds
// system_ext_mapping_file below.
se_policy_cil {
    name: "system_ext_pub_policy.cil",
    src: ":system_ext_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // public policy is not loadable on its own
    system_ext_specific: true,
    installable: false,
}
220
// Public policy of the system partition only, plus the required mask.
se_policy_conf {
    name: "plat_pub_policy.conf",
    defaults: ["se_policy_conf_public_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    installable: false,
}
228
// Exported 'system' policy as CIL; feeds plat_mapping_file below.
se_policy_cil {
    name: "plat_pub_policy.cil",
    src: ":plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // public policy is not loadable on its own
    installable: false,
}
236
237// plat_policy.conf - A combination of the private and public platform policy
238// which will ship with the device.
239//
240// The platform will always reflect the most recent platform version and is not
241// currently being attributized.
se_policy_conf {
    name: "plat_sepolicy.conf",
    // Full (non-public) flag set, unlike the pub_policy modules above.
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    installable: false,
}
249
// The system partition's shipped policy. secilc validation is left enabled
// (no 'secilc_check: false'), so a policy that does not compile fails here.
se_policy_cil {
    name: "plat_sepolicy.cil",
    src: ":plat_sepolicy.conf",
    // Private technical-debt CIL is appended via the tagged output, whereas
    // the base_* modules below reference the same file by path.
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    dist: {
        targets: ["sepolicy_finalize"],
    },
}
258
// userdebug_plat_policy.conf - the userdebug version of plat_sepolicy.cil
se_policy_conf {
    name: "userdebug_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    // Same sources as plat_sepolicy.conf, compiled for the userdebug variant.
    build_variant: "userdebug",
    installable: false,
}
268
// userdebug counterpart of plat_sepolicy.cil, destined for the debug ramdisk.
se_policy_cil {
    name: "userdebug_plat_sepolicy.cil",
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    debug_ramdisk: true,
    dist: {
        targets: ["droidcore"],
    },
}
278
279// A copy of the userdebug_plat_policy in GSI.
// se_policy_cil whose 'enabled' and 'installable' properties can be flipped
// by the PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT board variable.
soong_config_module_type {
    name: "gsi_se_policy_cil",
    module_type: "se_policy_cil",
    config_namespace: "ANDROID",
    bool_variables: [
        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
    ],
    properties: [
        "enabled",
        "installable",
    ],
}
292
// Installs the userdebug platform policy into system_ext (as
// userdebug_plat_sepolicy.cil) only when the product opts in; the module is
// disabled and not installable by default, so a debug policy never lands on
// a device unless PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT is set.
gsi_se_policy_cil {
    name: "system_ext_userdebug_plat_sepolicy.cil",
    stem: "userdebug_plat_sepolicy.cil", // installed file name
    src: ":userdebug_plat_sepolicy.conf",
    additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
    system_ext_specific: true,
    enabled: false,
    installable: false,
    soong_config_variables: {
        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
            enabled: true,
            installable: true,
        },
    },
}
308
// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized.
se_policy_conf {
    name: "system_ext_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    // Includes the full platform policy so that checkpolicy can resolve
    // everything system_ext rules refer to; the platform part is removed
    // again in system_ext_sepolicy.cil.
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy,
    system_ext_specific: true,
    installable: false,
}
321
// The shipped system_ext policy: only the CIL lines not already present in
// plat_sepolicy.cil, so the two files compose at boot without duplication.
se_policy_cil {
    name: "system_ext_sepolicy.cil",
    src: ":system_ext_sepolicy.conf",
    system_ext_specific: true,
    filter_out: [":plat_sepolicy.cil"],
    // NOTE(review): not documented here; presumably strips the source line
    // markers so the subtraction above matches on policy content only.
    remove_line_marker: true,
}
329
// product_policy.conf - A combination of the private and public product policy
// which will ship with the device. Product policy is not attributized.
se_policy_conf {
    name: "product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    // Full platform + system_ext + product policy; the non-product part is
    // subtracted in product_sepolicy.cil.
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    product_specific: true,
    installable: false,
}
344
// The shipped product policy: CIL lines present in neither plat_sepolicy.cil
// nor system_ext_sepolicy.cil.
se_policy_cil {
    name: "product_sepolicy.cil",
    src: ":product_sepolicy.conf",
    product_specific: true,
    filter_out: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
    ],
    remove_line_marker: true, // see system_ext_sepolicy.cil
}
355
356// policy mapping files
357// auto-generate the mapping file for current platform policy, since it needs to
358// track platform policy development
// Versioned mapping for the current system public policy.
se_versioned_policy {
    name: "plat_mapping_file",
    base: ":plat_pub_policy.cil",
    mapping: true,
    // "current" tracks the in-development platform version rather than a
    // frozen one.
    version: "current",
    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
    dist: {
        targets: ["sepolicy_finalize"],
    },
}
369
// Versioned mapping for system_ext public policy, minus what the system
// mapping already covers.
se_versioned_policy {
    name: "system_ext_mapping_file",
    base: ":system_ext_pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [":plat_mapping_file"],
    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
    system_ext_specific: true,
}
379
// Versioned mapping for product public policy, minus what the system and
// system_ext mappings already cover.
se_versioned_policy {
    name: "product_mapping_file",
    base: ":pub_policy.cil",
    mapping: true,
    version: "current",
    filter_out: [
        ":plat_mapping_file",
        ":system_ext_mapping_file",
    ],
    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
    product_specific: true,
}
392
393//////////////////////////////////
394// vendor/odm sepolicy
395//////////////////////////////////
396
397// plat_pub_versioned.cil - the exported platform policy associated with the version
398// that non-platform policy targets.
se_versioned_policy {
    name: "plat_pub_versioned.cil",
    base: ":pub_policy.cil",
    target_policy: ":pub_policy.cil",
    // "vendor" = the platform version the vendor policy was written against,
    // not necessarily "current".
    version: "vendor",
    vendor: true,
}
406
407// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
408// with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
409// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
    name: "vendor_sepolicy.conf",
    defaults: ["se_policy_conf_public_flags_defaults"],
    // Only *public* platform policy is visible to vendor rules; private
    // platform policy is deliberately absent from this list.
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
        ],
    vendor: true,
    installable: false,
}
423
// Unversioned vendor CIL; the required mask is subtracted, but the public
// platform policy is still present and is removed after versioning below.
se_policy_cil {
    name: "vendor_sepolicy.cil.raw",
    src: ":vendor_sepolicy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false, // will be done in se_versioned_policy module
    vendor: true,
    installable: false,
}
432
// The shipped vendor policy: the raw vendor CIL attributized against the
// vendor-targeted platform version, with the versioned public platform
// policy subtracted so that only vendor-authored lines remain.
se_versioned_policy {
    name: "vendor_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":vendor_sepolicy.cil.raw",
    version: "vendor",
    // NOTE(review): not documented here; presumably the already-built CILs
    // secilc needs alongside this one for the deferred validation that
    // vendor_sepolicy.cil.raw skipped.
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
    ],
    filter_out: [":plat_pub_versioned.cil"],
    vendor: true,
}
448
// odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
// with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
    name: "odm_sepolicy.conf",
    defaults: ["se_policy_conf_public_flags_defaults"],
    // Same visibility as vendor_sepolicy.conf (public platform policy only),
    // plus the vendor sources so odm rules can reference vendor types.
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    device_specific: true,
    installable: false,
}
466
// Unversioned odm CIL; the mask and the vendor policy are subtracted so the
// result contains only odm-authored lines (plus public platform policy,
// removed after versioning below).
se_policy_cil {
    name: "odm_sepolicy.cil.raw",
    src: ":odm_sepolicy.conf",
    filter_out: [
        ":reqd_policy_mask.cil",
        ":vendor_sepolicy.cil",
    ],
    secilc_check: false, // will be done in se_versioned_policy module
    device_specific: true,
    installable: false,
}
478
// The shipped odm policy, versioned like vendor_sepolicy.cil and additionally
// filtered against it.
se_versioned_policy {
    name: "odm_sepolicy.cil",
    base: ":pub_policy.cil",
    target_policy: ":odm_sepolicy.cil.raw",
    version: "vendor",
    // See vendor_sepolicy.cil; the vendor CIL is added here because the odm
    // policy is validated on top of it.
    dependent_cils: [
        ":plat_sepolicy.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":plat_mapping_file",
        ":vendor_sepolicy.cil",
    ],
    filter_out: [
        ":plat_pub_versioned.cil",
        ":vendor_sepolicy.cil",
    ],
    device_specific: true,
}
498
499//////////////////////////////////
500// Precompiled sepolicy is loaded if and only if:
501// - plat_sepolicy_and_mapping.sha256 equals
502//   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
503// AND
504// - system_ext_sepolicy_and_mapping.sha256 equals
505//   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
506// AND
507// - product_sepolicy_and_mapping.sha256 equals
508//   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
509// See system/core/init/selinux.cpp for details.
510//////////////////////////////////
// SHA-256 over plat_sepolicy.cil followed by plat_mapping_file. The digest
// depends on the order of 'srcs', so both sides of the comparison in init
// must be produced by this same rule (they are: see the two prebuilt_etc
// modules that consume it).
genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":plat_sepolicy.cil",
        ":plat_mapping_file",
    ],
    out: ["plat_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
520
// System-side copy of the digest (/system/etc/selinux). init compares it
// with the precompiled_sepolicy.* copy shipped next to precompiled_sepolicy.
// NOTE(review): this is a build-consistency check between partitions, not an
// integrity check — the digest is unsigned and protection of the files
// themselves comes from verified boot of the partitions, not from this
// comparison.
prebuilt_etc {
    name: "plat_sepolicy_and_mapping.sha256",
    filename: "plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
527
// SHA-256 over system_ext_sepolicy.cil followed by system_ext_mapping_file;
// same construction and ordering caveat as plat_sepolicy_and_mapping.sha256_gen.
genrule {
    name: "system_ext_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":system_ext_sepolicy.cil",
        ":system_ext_mapping_file",
    ],
    out: ["system_ext_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
537
// system_ext-side copy of the digest (/system_ext/etc/selinux); compared by
// init against the precompiled_sepolicy.* copy.
prebuilt_etc {
    name: "system_ext_sepolicy_and_mapping.sha256",
    filename: "system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    system_ext_specific: true,
}
545
// SHA-256 over product_sepolicy.cil followed by product_mapping_file; same
// construction and ordering caveat as plat_sepolicy_and_mapping.sha256_gen.
genrule {
    name: "product_sepolicy_and_mapping.sha256_gen",
    srcs: [
        ":product_sepolicy.cil",
        ":product_mapping_file",
    ],
    out: ["product_sepolicy_and_mapping.sha256"],
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}
555
// product-side copy of the digest (/product/etc/selinux); compared by init
// against the precompiled_sepolicy.* copy.
prebuilt_etc {
    name: "product_sepolicy_and_mapping.sha256",
    filename: "product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
    product_specific: true,
}
563
// Records, on the vendor partition, which platform policy version the vendor
// policy targets (the same "vendor" version used by the se_versioned_policy
// modules above).
sepolicy_vers {
    name: "plat_sepolicy_vers.txt",
    version: "vendor",
    vendor: true,
}
569
// prebuilt_defaults whose partition ('vendor' vs 'device_specific') is chosen
// by BOARD_USES_ODMIMAGE.
soong_config_module_type {
    name: "precompiled_sepolicy_prebuilts_defaults",
    module_type: "prebuilt_defaults",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}
580
// Shared defaults for the precompiled_sepolicy.* digest copies: install to
// odm when the board has an odm image, otherwise to vendor — the same
// partition precompiled_sepolicy itself lands on.
precompiled_sepolicy_prebuilts_defaults {
    name: "precompiled_sepolicy_prebuilts",
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
}
592
593//////////////////////////////////
594// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
595// which precompiled_policy was built.
596//////////////////////////////////
// Vendor/odm-side copy of the system digest. It is the same genrule output as
// plat_sepolicy_and_mapping.sha256, so the two agree by construction within
// one build and differ only when the system image and the vendor/odm image
// come from different builds — the case in which init must not load
// precompiled_sepolicy.
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
    src: ":plat_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
604
605//////////////////////////////////
606// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
607// which precompiled_policy was built.
608//////////////////////////////////
// Vendor/odm-side copy of the system_ext digest; see
// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256.
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
616
617//////////////////////////////////
618// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
619// which precompiled_policy was built.
620//////////////////////////////////
// Vendor/odm-side copy of the product digest; see
// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256.
prebuilt_etc {
    defaults: ["precompiled_sepolicy_prebuilts"],
    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
    src: ":product_sepolicy_and_mapping.sha256_gen",
    relative_install_path: "selinux",
}
628
// se_policy_binary whose partition ('vendor' vs 'device_specific') is chosen
// by BOARD_USES_ODMIMAGE, mirroring precompiled_sepolicy_prebuilts_defaults.
soong_config_module_type {
    name: "precompiled_se_policy_binary",
    module_type: "se_policy_binary",
    config_namespace: "ANDROID",
    bool_variables: ["BOARD_USES_ODMIMAGE"],
    properties: [
        "vendor",
        "device_specific",
    ],
}
639
// Every CIL that goes into the precompiled policy binary: the per-partition
// policies, the versioned public policy and the three mapping files.
filegroup {
    name: "precompiled_sepolicy_srcs",
    srcs: [
        ":plat_sepolicy.cil",
        ":plat_pub_versioned.cil",
        ":system_ext_sepolicy.cil",
        ":product_sepolicy.cil",
        ":vendor_sepolicy.cil",
        ":odm_sepolicy.cil",
        ":plat_mapping_file",
        ":system_ext_mapping_file",
        ":product_mapping_file",
    ],
    // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
    // Useful when some partitions need to be bind mounted across VM boundaries.
    visibility: ["//visibility:public"],
}
657
// The precompiled kernel policy init loads when the digests above match.
precompiled_se_policy_binary {
    name: "precompiled_sepolicy",
    srcs: [
        ":precompiled_sepolicy_srcs",
    ],
    // Installed to odm when the board has an odm image, otherwise to vendor.
    soong_config_variables: {
        BOARD_USES_ODMIMAGE: {
            device_specific: true,
            conditions_default: {
                vendor: true,
            },
        },
    },
    // Pulls in the neverallow test, so building the precompiled policy also
    // runs the neverallow check over the combined policy.
    required: [
        "sepolicy_neverallows",
    ],
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}
678
679// policy for recovery
// Recovery uses one monolithic policy: every partition's public and private
// policy sources are compiled together here, with no versioning or
// per-partition split.
se_policy_conf {
    name: "recovery_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
    // NOTE(review): 'target_recovery' and 'recovery' are distinct
    // properties; presumably the former selects the recovery policy flags
    // and the latter the recovery image variant — confirm in build/soong.
    target_recovery: true,
    installable: false,
    recovery: true,
}
697
// CIL form of the recovery policy; validated when compiled into
// sepolicy.recovery below.
se_policy_cil {
    name: "recovery_sepolicy.cil",
    src: ":recovery_sepolicy.conf",
    secilc_check: false, // will be done in se_policy_binary module
    installable: false,
    recovery: true,
}
705
// The kernel policy binary installed in the recovery image as "sepolicy".
se_policy_binary {
    name: "sepolicy.recovery",
    srcs: [":recovery_sepolicy.cil"],
    stem: "sepolicy", // installed file name
    recovery: true,
}
712
713//////////////////////////////////
714// SELinux policy embedded into CTS.
715// CTS checks neverallow rules of this policy against the policy of the device under test.
716//////////////////////////////////
// Platform policy as CTS sees it: user build variant, so neverallow rules
// that only exist in userdebug/eng builds do not become CTS requirements.
se_policy_conf {
    name: "general_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    cts: true,
    // NOTE(review): not documented here; presumably skips the build-time
    // compile test, since this conf is only embedded into CTS.
    exclude_build_test: true,
    dist: {
        targets: ["sepolicy_finalize"],
    },
}
729
730//////////////////////////////////
731// Base system policy for treble sepolicy tests.
// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
// from system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify the extended plat_pub_versioned.cil.
735// See treble_sepolicy_tests_for_release.mk for more details.
736//////////////////////////////////
// User-variant platform policy used as the reference for the treble tests.
se_policy_conf {
    name: "base_plat_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy,
    build_variant: "user",
    installable: false,
}
745
se_policy_cil {
    name: "base_plat_sepolicy.cil",
    src: ":base_plat_sepolicy.conf",
    // Referenced by path here, whereas plat_sepolicy.cil uses
    // ":sepolicy_technical_debt{.plat_private}"; presumably the same file,
    // but the two styles should be unified so they cannot drift.
    additional_cil_files: ["private/technical_debt.cil"],
    installable: false,
    secilc_check: false, // done by se_policy_binary
}
753
// Binary form of the reference platform policy; compiling it is where the
// skipped secilc check for base_plat_sepolicy.cil actually happens.
se_policy_binary {
    name: "base_plat_sepolicy",
    srcs: [":base_plat_sepolicy.cil"],
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}
762
// User-variant reference policy covering system, system_ext and product.
se_policy_conf {
    name: "base_product_sepolicy.conf",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}
776
se_policy_cil {
    name: "base_product_sepolicy.cil",
    src: ":base_product_sepolicy.conf",
    // Path reference; see the note on base_plat_sepolicy.cil about the two
    // styles used for technical_debt.cil in this file.
    additional_cil_files: ["private/technical_debt.cil"],
    product_specific: true,
    installable: false,
    secilc_check: false, // done by se_policy_binary
}
785
// Binary form of base_product_sepolicy.cil; performs its deferred secilc check.
se_policy_binary {
    name: "base_product_sepolicy",
    srcs: [":base_product_sepolicy.cil"],
    product_specific: true,
    installable: false,
}
792
// User-variant counterpart of plat_pub_policy.conf for the treble tests.
se_policy_conf {
    name: "base_plat_pub_policy.conf",
    defaults: ["se_policy_conf_public_flags_defaults"],
    srcs: plat_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
}
801
// User-variant exported 'system' policy; not loadable on its own, hence no
// secilc check.
se_policy_cil {
    name: "base_plat_pub_policy.cil",
    src: ":base_plat_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    dist: {
        targets: ["base-sepolicy-files-for-mapping"],
    },
}
812
// User-variant counterpart of pub_policy.conf (system, system_ext, product
// public policy) for the treble tests.
se_policy_conf {
    name: "base_product_pub_policy.conf",
    defaults: ["se_policy_conf_public_flags_defaults"],
    srcs: plat_public_policy +
        system_ext_public_policy +
        product_public_policy +
        reqd_mask_policy,
    build_variant: "user",
    installable: false,
    product_specific: true,
}
824
// User-variant exported 'product', 'system_ext' and 'system' policy; not
// loadable on its own, hence no secilc check.
se_policy_cil {
    name: "base_product_pub_policy.cil",
    src: ":base_product_pub_policy.conf",
    filter_out: [":reqd_policy_mask.cil"],
    secilc_check: false,
    installable: false,
    product_specific: true,
}
833
834// bug_map - Bug tracking information for selinux denials loaded by auditd.
// Per-partition bug_map sources, exposed with the same output tags as
// "se_build_files".
se_build_files {
    name: "bug_map_files",
    srcs: ["bug_map"],
}
839
// System partition bug_map, built from the private platform sources only.
se_bug_map {
    name: "plat_bug_map",
    srcs: [":bug_map_files{.plat_private}"],
    stem: "bug_map", // installed file name
}
845
// system_ext partition bug_map.
se_bug_map {
    name: "system_ext_bug_map",
    srcs: [":bug_map_files{.system_ext_private}"],
    stem: "bug_map", // installed file name
    system_ext_specific: true,
}
852
// Vendor partition bug_map, combining the vendor and plat_vendor sources.
se_bug_map {
    name: "vendor_bug_map",
    srcs: [
        ":bug_map_files{.vendor}",
        ":bug_map_files{.plat_vendor}",
    ],
    // Legacy file name of the vendor partition bug_map.
    stem: "selinux_denial_metadata",
    vendor: true,
}
863
// Build-time neverallow check over the complete device policy (every
// partition's public and private sources). Listed in precompiled_sepolicy's
// 'required', so the check accompanies the precompiled policy.
se_neverallow_test {
    name: "sepolicy_neverallows",
    defaults: ["se_policy_conf_flags_defaults"],
    srcs: plat_public_policy +
        plat_private_policy +
        system_ext_public_policy +
        system_ext_private_policy +
        product_public_policy +
        product_private_policy + [
            ":se_build_files{.plat_vendor}",
            ":se_build_files{.vendor}",
            ":se_build_files{.odm}",
        ],
}
878
879//////////////////////////////////
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy.
// Additional directories can be specified via the Makefile variables
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
883//////////////////////////////////
// Freeze test; all configuration comes from the module type and the Makefile
// variables named in the comment above.
se_freeze_test {
    name: "se_freeze_test",
}
887
888//////////////////////////////////
// sepolicy_test checks various types of violations which can't easily be done
// by CIL itself. Refer to tests/sepolicy_tests.py for more details.
891//////////////////////////////////
// Runs sepolicy_tests over all five file_contexts files and the precompiled
// policy. The output is only touched after the tool succeeds ('&&'), so a
// test failure fails the build rather than producing a stale marker.
genrule {
    name: "sepolicy_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_test"],
    cmd: "$(location sepolicy_tests) " +
        "-f $(location :plat_file_contexts) " +
        "-f $(location :vendor_file_contexts) " +
        "-f $(location :system_ext_file_contexts) " +
        "-f $(location :product_file_contexts) " +
        "-f $(location :odm_file_contexts) " +
        "-p $(location :precompiled_sepolicy) && " +
        "touch $(out)",
}
913
914//////////////////////////////////
915// TestDevTypeViolations can't run on old devices (V or before)
916//////////////////////////////////
917
// genrule whose 'cmd' can be switched by the CHECK_DEV_TYPE_VIOLATIONS board
// variable.
soong_config_module_type {
    name: "dev_type_test_genrule",
    module_type: "genrule",
    config_namespace: "ANDROID",
    bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
    properties: ["cmd"],
}
925
// Same inputs as sepolicy_test, but runs only the TestDevTypeViolations test
// and only when CHECK_DEV_TYPE_VIOLATIONS is set. In the default case the
// rule just touches its output, i.e. the check is silently skipped rather
// than failed — keep that in mind when reading a green build for a device
// that has not opted in.
dev_type_test_genrule {
    name: "sepolicy_dev_type_test",
    srcs: [
        ":plat_file_contexts",
        ":vendor_file_contexts",
        ":system_ext_file_contexts",
        ":product_file_contexts",
        ":odm_file_contexts",
        ":precompiled_sepolicy",
    ],
    tools: ["sepolicy_tests"],
    out: ["sepolicy_dev_type_test"],
    soong_config_variables: {
        CHECK_DEV_TYPE_VIOLATIONS: {
            cmd: "$(location sepolicy_tests) " +
                "-f $(location :plat_file_contexts) " +
                "-f $(location :vendor_file_contexts) " +
                "-f $(location :system_ext_file_contexts) " +
                "-f $(location :product_file_contexts) " +
                "-f $(location :odm_file_contexts) " +
                "-p $(location :precompiled_sepolicy) " +
                "-t TestDevTypeViolations && " +
                "touch $(out)",
            conditions_default: {
                cmd: "touch $(out)", // test not run on this configuration
            },
        },
    },
}
955