# Directory holding this makefile; the in-tree policy paths below are built from it.
LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

# BOARD_SEPOLICY_UNION is obsolete. Warn (do not fail) so board configs that
# still set it get cleaned up.
ifdef BOARD_SEPOLICY_UNION
  $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif

# Turn every board-supplied m4 definition into a -D<definition> argument.
# addprefix over an empty or undefined list expands to nothing, so the result
# is empty exactly when BOARD_SEPOLICY_M4DEFS is. These arguments are handed to
# m4 when the device file_contexts are preprocessed further down.
LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D,$(BOARD_SEPOLICY_M4DEFS))
14
15# sepolicy is now divided into multiple portions:
16# public - policy exported on which non-platform policy developers may write
17#   additional policy.  types and attributes are versioned and included in
18#   delivered non-platform policy, which is to be combined with platform policy.
19# private - platform-only policy required for platform functionality but which
20#  is not exported to vendor policy developers and as such may not be assumed
21#  to exist.
22# vendor - vendor-only policy required for vendor functionality. This policy can
23#  reference the public policy but cannot reference the private policy. This
24#  policy is for components which are produced from the core/non-vendor tree and
25#  placed into a vendor partition.
26# mapping - This contains policy statements which map the attributes
27#  exposed in the public policy of previous versions to the concrete types used
28#  in this policy to ensure that policy targeting attributes from public
29#  policy from an older platform version continues to work.
30
31# build process for device:
32# 1) convert policies to CIL:
33#    - private + public platform policy to CIL
34#    - mapping file to CIL (should already be in CIL form)
35#    - non-platform public policy to CIL
36#    - non-platform public + private policy to CIL
37# 2) attributize policy
38#    - run script which takes non-platform public and non-platform combined
39#      private + public policy and produces attributized and versioned
40#      non-platform policy
41# 3) combine policy files
42#    - combine mapping, platform and non-platform policy.
43#    - compile output binary policy file
44
# Platform policy directories, all inside this repository.
PLAT_PUBLIC_POLICY  := $(LOCAL_PATH)/public
PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
PLAT_VENDOR_POLICY  := $(LOCAL_PATH)/vendor
REQD_MASK_POLICY    := $(LOCAL_PATH)/reqd_mask

# system_ext policy directories come from the product configuration. The
# partition counts as having policy directories when either list is non-empty.
SYSTEM_EXT_PUBLIC_POLICY  := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)

ifneq ($(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY),)
  HAS_SYSTEM_EXT_SEPOLICY_DIR := true
endif

# Product policy directories, handled the same way.
PRODUCT_PUBLIC_POLICY  := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)

# TODO(b/119305624): Currently if the device doesn't have a product partition,
# we install product sepolicy into /system/product. We do that because bits of
# product sepolicy that's still in /system might depend on bits that have moved
# to /product. Once we finish migrating product sepolicy out of system, change
# it so that if no product partition is present, product sepolicy artifacts are
# not built and installed at all.
ifneq ($(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY),)
  HAS_PRODUCT_SEPOLICY_DIR := true
endif
69
# Guard for SELINUX_IGNORE_NEVERALLOWS. The value true is refused outright on
# user builds; on every other build variant it is accepted but announced, so a
# build made with the flag set shows up in the build log. Only the literal value
# "true" is matched here. What the flag relaxes is implemented outside this
# file; within this file it also drops the policy tests from
# selinux_policy_system.
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
  ifeq ($(TARGET_BUILD_VARIANT),user)
    $(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
  endif
  $(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
            It does not work in user builds and using it will \
            not stop you from failing CTS.)
endif
78
# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and
# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for
# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS.
#
# The append happens before security_class_extension_files is computed below,
# so directories supplied through the legacy name go through the same
# "only platform policy may define classes and permissions" check as the
# directories listed in BOARD_VENDOR_SEPOLICY_DIRS directly.
ifdef BOARD_SEPOLICY_DIRS
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
86
###########################################################
# Resolve policy file names against a list of directories.
# $(1): file names or glob patterns to look for (e.g. *.te)
# $(2): directories in which to look
#
# Expands to the files that actually exist. Results are grouped
# by entry of $(1), in the order given, and within one entry by
# directory, in the order of $(2). Each individual glob expansion
# is sorted, so the result does not depend on directory listing
# order. Missing files simply contribute nothing.
###########################################################

define build_policy
$(strip $(foreach pattern, $(1), $(foreach candidate, $(addsuffix /$(pattern), $(2)), $(sort $(wildcard $(candidate))))))
endef
96
# File names (plus the *.te glob) that build_policy looks for in a policy
# directory. In this file the list is only used to probe whether a directory
# set contains any policy source at all. The original order is kept.
sepolicy_build_files := security_classes initial_sids access_vectors
sepolicy_build_files += global_macros neverallow_macros
sepolicy_build_files += mls_macros mls_decl mls
sepolicy_build_files += policy_capabilities te_macros attributes
sepolicy_build_files += ioctl_defines ioctl_macros
sepolicy_build_files += *.te
sepolicy_build_files += roles_decl roles users
sepolicy_build_files += initial_sid_contexts fs_use genfs_contexts port_contexts

# One compat/<ver>/<ver>.cil path per supported compat version, relative to a
# policy directory.
sepolicy_compat_files := $(foreach ver,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS),compat/$(ver)/$(ver).cil)
121
# Security classes and permissions defined outside of system/sepolicy.
# Any security_classes or access_vectors file found in a system_ext, product,
# vendor or odm policy directory ends up in this list.
security_class_extension_files := \
  $(call build_policy, security_classes access_vectors, \
    $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
    $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
    $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))

# Hard stop at parse time: a non-platform partition must not introduce its own
# classes or permissions. The offending files are named in the error.
ifneq ($(strip $(security_class_extension_files)),)
  $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files)))
endif
131
# The HAS_SYSTEM_EXT_* flags below depend on policy files actually existing,
# not merely on directories being configured: a configured but empty directory
# sets neither flag.
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
  # Public system_ext policy: any policy source under the public directories?
  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
  ifneq ($(strip $(policy_files)),)
    HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true
  endif

  # Any system_ext policy: the same probe over public and private directories.
  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
  ifneq ($(strip $(policy_files)),)
    HAS_SYSTEM_EXT_SEPOLICY := true
  endif
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
144
# The HAS_PRODUCT_* flags below depend on policy files actually existing, not
# merely on directories being configured: a configured but empty directory sets
# neither flag.
ifdef HAS_PRODUCT_SEPOLICY_DIR
  # Public product policy: any policy source under the public directories?
  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY))
  ifneq ($(strip $(policy_files)),)
    HAS_PRODUCT_PUBLIC_SEPOLICY := true
  endif

  # Any product policy: the same probe over public and private directories.
  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
  ifneq ($(strip $(policy_files)),)
    HAS_PRODUCT_SEPOLICY := true
  endif
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
157
# true when "address" is among the requested target sanitizers, false otherwise.
# selinux_policy_system uses this to leave the policy tests out of ASan builds.
with_asan := $(if $(filter address,$(SANITIZE_TARGET)),true,false)
162
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW is an escape hatch that must not be
# set once the shipping API level is above 29. Nothing is checked, and nothing
# is printed, when no shipping API level is defined.
ifneq ($(PRODUCT_SHIPPING_API_LEVEL),)
  ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
    ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),)
      $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.)
    endif
  endif
endif
170
# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER is an escape hatch that must not be set
# once the shipping API level is above 30. Nothing is checked, and nothing is
# printed, when no shipping API level is defined.
ifneq ($(PRODUCT_SHIPPING_API_LEVEL),)
  ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
    ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),)
      $(error BUILD_BROKEN_ENFORCE_SYSPROP_OWNER cannot be set on a device shipping with S or later, and this is tested by CTS.)
    endif
  endif
endif
178
179#################################
180
include $(CLEAR_VARS)

# Umbrella phony package: requiring it pulls in the system and non-system
# policy packages defined below.
LOCAL_MODULE := selinux_policy
LOCAL_MODULE_TAGS := optional
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_REQUIRED_MODULES += selinux_policy_nonsystem
LOCAL_REQUIRED_MODULES += selinux_policy_system

include $(BUILD_PHONY_PACKAGE)

# selinux_policy is a main goal and triggers lots of tests.
# Most of those tests are FAKE modules, so they aren't triggered on normal
# builds (e.g. 'm'). Making selinux_policy a dependency of droidcore gets the
# tests run on normal builds too.
droidcore: selinux_policy
198
include $(CLEAR_VARS)

# Phony package gathering the platform policy artifacts and the policy tests.
LOCAL_MODULE := selinux_policy_system
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE

# These build targets are not used on non-Treble devices. They are built anyway
# to avoid divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += plat_mapping_file
LOCAL_REQUIRED_MODULES += $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)))
LOCAL_REQUIRED_MODULES += $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))
LOCAL_REQUIRED_MODULES += plat_sepolicy.cil secilc

# Required unless precompiled policy has been switched off explicitly.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
  LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
endif

# Platform context files, their tests, and policy tooling.
LOCAL_REQUIRED_MODULES += build_sepolicy
LOCAL_REQUIRED_MODULES += plat_file_contexts plat_file_contexts_test
LOCAL_REQUIRED_MODULES += plat_keystore2_key_contexts
LOCAL_REQUIRED_MODULES += plat_mac_permissions.xml
LOCAL_REQUIRED_MODULES += plat_property_contexts plat_property_contexts_test
LOCAL_REQUIRED_MODULES += plat_seapp_contexts
LOCAL_REQUIRED_MODULES += plat_service_contexts plat_service_contexts_test
LOCAL_REQUIRED_MODULES += plat_hwservice_contexts plat_hwservice_contexts_test
LOCAL_REQUIRED_MODULES += fuzzer_bindings_test plat_bug_map searchpolicy

# The policy tests in this section are required only when ASan is off and
# SELINUX_IGNORE_NEVERALLOWS is not true. With either of those set, none of
# them is pulled in through this package, so such a build has not been through
# sepolicy_compat_test, sepolicy_test, sepolicy_dev_type_test or the
# treble_sepolicy_tests_<ver> modules.
ifneq ($(with_asan),true)
  ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
    LOCAL_REQUIRED_MODULES += sepolicy_compat_test

    # HACK: sepolicy_test is implemented as genrule
    # genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
    # Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
    LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
    LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_dev_type_test)/sepolicy_dev_type_test

    LOCAL_REQUIRED_MODULES += $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))
  endif  # SELINUX_IGNORE_NEVERALLOWS
endif  # with_asan

# The freeze test is added only while the board API level is frozen.
ifeq ($(RELEASE_BOARD_API_LEVEL_FROZEN),true)
  LOCAL_REQUIRED_MODULES += se_freeze_test
endif

include $(BUILD_PHONY_PACKAGE)
257
258#################################
259
include $(CLEAR_VARS)

# Phony package gathering the system_ext policy artifacts. What it requires
# depends on the HAS_SYSTEM_EXT_* flags computed near the top of this file.
LOCAL_MODULE := selinux_policy_system_ext
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE

# Include precompiled policy, unless told otherwise.
ifdef HAS_SYSTEM_EXT_SEPOLICY
  ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
    LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256
  endif
endif

ifdef HAS_SYSTEM_EXT_SEPOLICY
  LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
endif

ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
  LOCAL_REQUIRED_MODULES += system_ext_mapping_file

  # compat/<ver>/<ver>.cil files that exist under the private system_ext
  # directories; each one maps to a system_ext_<ver>.cil module.
  system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))

  LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
endif

# Context files and their tests only need the directories to be configured.
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
  LOCAL_REQUIRED_MODULES += system_ext_file_contexts system_ext_file_contexts_test
  LOCAL_REQUIRED_MODULES += system_ext_keystore2_key_contexts
  LOCAL_REQUIRED_MODULES += system_ext_hwservice_contexts system_ext_hwservice_contexts_test
  LOCAL_REQUIRED_MODULES += system_ext_property_contexts system_ext_property_contexts_test
  LOCAL_REQUIRED_MODULES += system_ext_seapp_contexts
  LOCAL_REQUIRED_MODULES += system_ext_service_contexts system_ext_service_contexts_test
  LOCAL_REQUIRED_MODULES += system_ext_mac_permissions.xml
  LOCAL_REQUIRED_MODULES += system_ext_bug_map
  LOCAL_REQUIRED_MODULES += $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)))
endif

include $(BUILD_PHONY_PACKAGE)
306
307#################################
308
include $(CLEAR_VARS)

# Phony package gathering the product policy artifacts. What it requires
# depends on the HAS_PRODUCT_* flags computed near the top of this file.
LOCAL_MODULE := selinux_policy_product
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE

# Include precompiled policy, unless told otherwise.
ifdef HAS_PRODUCT_SEPOLICY
  ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
    LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256
  endif
endif

ifdef HAS_PRODUCT_SEPOLICY
  LOCAL_REQUIRED_MODULES += product_sepolicy.cil
endif

ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
  LOCAL_REQUIRED_MODULES += product_mapping_file

  # compat/<ver>/<ver>.cil files that exist under the private product
  # directories; each one maps to a product_<ver>.cil module.
  product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))

  LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
endif

# Context files and their tests only need the directories to be configured.
ifdef HAS_PRODUCT_SEPOLICY_DIR
  LOCAL_REQUIRED_MODULES += product_file_contexts product_file_contexts_test
  LOCAL_REQUIRED_MODULES += product_keystore2_key_contexts
  LOCAL_REQUIRED_MODULES += product_hwservice_contexts product_hwservice_contexts_test
  LOCAL_REQUIRED_MODULES += product_property_contexts product_property_contexts_test
  LOCAL_REQUIRED_MODULES += product_seapp_contexts
  LOCAL_REQUIRED_MODULES += product_service_contexts product_service_contexts_test
  LOCAL_REQUIRED_MODULES += product_mac_permissions.xml
endif

include $(BUILD_PHONY_PACKAGE)
353
354#################################
355
include $(CLEAR_VARS)

# Phony package gathering the vendor/odm policy artifacts, the precompiled
# policy, and the system_ext and product packages.
LOCAL_MODULE := selinux_policy_nonsystem
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE

# Include precompiled policy, unless told otherwise.
# NOTE(review): each precompiled_sepolicy.<part>_sepolicy_and_mapping.sha256
# pairs by name with the <part>_sepolicy_and_mapping.sha256 module required by
# the matching system/system_ext/product package; presumably the two digests
# are compared to decide whether the precompiled policy still matches the
# policy it was built from - confirm against the consumer.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
  LOCAL_REQUIRED_MODULES += precompiled_sepolicy
  LOCAL_REQUIRED_MODULES += precompiled_sepolicy.plat_sepolicy_and_mapping.sha256

  ifdef HAS_SYSTEM_EXT_SEPOLICY
    LOCAL_REQUIRED_MODULES += precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
  endif

  ifdef HAS_PRODUCT_SEPOLICY
    LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
  endif
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)

# These build targets are not used on non-Treble devices. They are built anyway
# to avoid divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += plat_pub_versioned.cil vendor_sepolicy.cil plat_sepolicy_vers.txt

# Vendor context files and their tests.
LOCAL_REQUIRED_MODULES += vendor_file_contexts vendor_file_contexts_test
LOCAL_REQUIRED_MODULES += vendor_keystore2_key_contexts
LOCAL_REQUIRED_MODULES += vendor_mac_permissions.xml
LOCAL_REQUIRED_MODULES += vendor_property_contexts vendor_property_contexts_test
LOCAL_REQUIRED_MODULES += vendor_seapp_contexts
LOCAL_REQUIRED_MODULES += vendor_service_contexts vendor_service_contexts_test
LOCAL_REQUIRED_MODULES += vendor_hwservice_contexts vendor_hwservice_contexts_test
LOCAL_REQUIRED_MODULES += vendor_bug_map
LOCAL_REQUIRED_MODULES += vndservice_contexts vndservice_contexts_test

# odm artifacts exist only when the board declares odm policy directories.
ifdef BOARD_ODM_SEPOLICY_DIRS
  LOCAL_REQUIRED_MODULES += odm_sepolicy.cil
  LOCAL_REQUIRED_MODULES += odm_file_contexts odm_file_contexts_test
  LOCAL_REQUIRED_MODULES += odm_seapp_contexts
  LOCAL_REQUIRED_MODULES += odm_property_contexts odm_property_contexts_test
  LOCAL_REQUIRED_MODULES += odm_service_contexts odm_service_contexts_test
  LOCAL_REQUIRED_MODULES += odm_hwservice_contexts odm_hwservice_contexts_test
  LOCAL_REQUIRED_MODULES += odm_mac_permissions.xml
endif

LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
LOCAL_REQUIRED_MODULES += selinux_policy_product

# Builds an additional userdebug sepolicy into the debug ramdisk.
LOCAL_REQUIRED_MODULES += userdebug_plat_sepolicy.cil

include $(BUILD_PHONY_PACKAGE)
425
##################################
# Policy files are now built with Android.bp. Grab them from intermediate.
# See Android.bp for details of policy files.
#
# built_sepolicy is the compiled policy that the file_contexts rules below pass
# to checkfc.
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy

##################################
# TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
#
include $(CLEAR_VARS)

# file_contexts.bin: an ETC-class module placed in the target root directory.
LOCAL_MODULE := file_contexts.bin
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE

include $(BUILD_SYSTEM)/base_rules.mk
446
447# The file_contexts.bin is built in the following way:
448# 1. Collect all file_contexts files in THIS repository and process them with
449#    m4 into a tmp file called file_contexts.local.tmp.
450# 2. Collect all device specific file_contexts files and process them with m4
451#    into a tmp file called file_contexts.device.tmp.
452# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
453#    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
454# 4. Concatenate file_contexts.local.tmp and  file_contexts.device.sorted.tmp
455#    into file_contexts.concat.tmp.
456# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
457#    file_contexts.bin.
458#
459#  Note: That a newline file is placed between each file_context file found to
460#        ensure a proper build when an fc file is missing an ending newline.
461
# Platform-side file_contexts inputs, taken from module intermediates. The plat
# file is always used; the system_ext and product files are added only when the
# corresponding policy directories are configured.
local_fc_files := $(call intermediates-dir-for,ETC,plat_file_contexts)/plat_file_contexts

ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
  local_fc_files += $(call intermediates-dir-for,ETC,system_ext_file_contexts)/system_ext_file_contexts
endif

ifdef HAS_PRODUCT_SEPOLICY_DIR
  local_fc_files += $(call intermediates-dir-for,ETC,product_file_contexts)/product_file_contexts
endif
471
###########################################################
## Collect file_contexts files into a single tmp file with m4
##
## $(1): list of file_contexts files
## $(2): filename into which file_contexts files are merged
##
## _merge-fc-files is a rule template and merge-fc-files evals it.
## $(1) and $(2) are substituted when the template is called;
## the doubled $$ keeps $(dir $@) and $@ unexpanded until the
## generated rule itself is processed.
##
## m4 runs with --fatal-warnings, so a warning fails the recipe,
## and with -s (sync lines). No -D definitions are passed here,
## unlike the device file_contexts rule, which adds
## PRIVATE_ADDITIONAL_M4DEFS.
##
## Keep comments outside the define bodies: text inside a
## define becomes part of the template.
###########################################################

define _merge-fc-files
$(2): $(1) $(M4)
	$(hide) mkdir -p $$(dir $$@)
	$(hide) $(M4) --fatal-warnings -s $(1) > $$@
endef

define merge-fc-files
$(eval $(call _merge-fc-files,$(1),$(2)))
endef
488
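# Merge the platform-side file_contexts (plat, plus system_ext/product when
# present) into one intermediate file.
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))

# Device-side file_contexts inputs: vendor always, odm only when the board
# declares odm policy directories.
#
# The list is started with := rather than +=. Nothing earlier in this file
# assigns device_fc_files, so += would append to whatever value the name
# already carried (another makefile, the environment) and silently merge those
# files into file_contexts.bin. local_fc_files is initialised the same way.
device_fc_files := $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts

ifdef BOARD_ODM_SEPOLICY_DIRS
device_fc_files += $(call intermediates-dir-for,ETC,odm_file_contexts)/odm_file_contexts
endif

# Preprocess the device file_contexts with m4, passing the board's -D
# definitions. The PRIVATE_ variables capture the values now, because the
# globals are cleared once all rules have been declared. --fatal-warnings makes
# an m4 warning fail the recipe.
file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files)
$(file_contexts.device.tmp): $(device_fc_files) $(M4)
	@mkdir -p $(dir $@)
	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@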
504
# Step 3 of the sequence described above: check the merged device
# file_contexts, then sort it.
#
# checkfc is given the built policy (captured in PRIVATE_SEPOLICY) and $<, the
# first prerequisite, which is file_contexts.device.tmp. -e allows a device
# file with no entries. checkfc and fc_sort are separate recipe lines, so
# fc_sort only runs, and the sorted output is only produced, if checkfc exits
# successfully. Both tools and the policy are prerequisites, so a change to any
# of them re-runs the check.
file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \
  $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
	$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@
512
# Steps 4 and 5 of the sequence described above.
#
# Step 4: merge the platform-side file and the sorted device file, in that
# order, into file_contexts.concat.tmp using the m4 rule template.
file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
$(call merge-fc-files,\
  $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp),$(file_contexts.concat.tmp))

# Step 5: check the combined file against the built policy, this time without
# -e, then compile it. $< is file_contexts.concat.tmp. sefcontext_compile is a
# separate recipe line, so file_contexts.bin is only written if checkfc exits
# successfully.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
522
# Reset the file_contexts helper variables, in the order they were created.
# The rules above took their values at parse time (prerequisite lists,
# := target-specific variables and expanded rule templates), so clearing the
# globals here does not affect them.
local_fc_files :=
file_contexts.local.tmp :=
device_fc_files :=
file_contexts.device.tmp :=
file_contexts.device.sorted.tmp :=
file_contexts.concat.tmp :=
529
##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
#
# The base public policies used by the tests depend on whether a
# prebuilts/api/<PLATFORM_SEPOLICY_VERSION> directory exists under LOCAL_PATH:
# if it does, the <ver>_*_pub_policy.cil intermediates are used, otherwise the
# base_*_pub_policy.cil intermediates are.

# ver is a scratch copy of the platform policy version; it is cleared again
# right after the paths have been computed.
ver := $(PLATFORM_SEPOLICY_VERSION)
ifneq ($(wildcard $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)),)
# If PLATFORM_SEPOLICY_VERSION is already frozen, use prebuilts for compat test
base_plat_pub_policy.cil    := $(call intermediates-dir-for,ETC,$(ver)_plat_pub_policy.cil)/$(ver)_plat_pub_policy.cil
base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_product_pub_policy.cil)/$(ver)_product_pub_policy.cil
else
# If not, use ToT for compat test
base_plat_pub_policy.cil    := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
endif
ver :=

# Include treble_sepolicy_tests_for_release.mk once per compat version. The
# first eval sets version_under_treble_tests before the second eval includes
# the file, so the order of the two evals matters.
$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
  $(eval version_under_treble_tests := $(v)) \
  $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
)

# The included file has been processed for every version; drop the inputs.
base_plat_pub_policy.cil :=
base_product_pub_policy.cil :=
553
554#################################
555
556
# Final cleanup so these helpers do not leak into makefiles parsed after this
# one. Assigning an empty value to build_policy discards the macro body.
with_asan :=
built_sepolicy :=
sepolicy_build_files :=
build_policy :=
561