// Copyright (C) 2021 The Android Open Source Project // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package { // http://go/android-license-faq // A large-scale-change added 'default_applicable_licenses' to import // the below license kinds from "system_sepolicy_license": // SPDX-license-identifier-Apache-2.0 default_applicable_licenses: ["system_sepolicy_license"], } system_policy_files = [ "system/private/security_classes", "system/private/initial_sids", "system/private/access_vectors", "system/public/global_macros", "system/public/neverallow_macros", "system/private/mls_macros", "system/private/mls_decl", "system/private/mls", "system/private/policy_capabilities", "system/public/te_macros", "system/public/attributes", "system/private/attributes", "system/public/ioctl_defines", "system/public/ioctl_macros", "system/public/*.te", "system/private/*.te", "system/private/roles_decl", "system/public/roles", "system/private/users", "system/private/initial_sid_contexts", "system/private/fs_use", "system/private/genfs_contexts", "system/private/port_contexts", ] reqd_mask_files = [ "reqd_mask/security_classes", "reqd_mask/initial_sids", "reqd_mask/access_vectors", "reqd_mask/mls_macros", "reqd_mask/mls_decl", "reqd_mask/mls", "reqd_mask/reqd_mask.te", "reqd_mask/roles_decl", "reqd_mask/roles", "reqd_mask/users", "reqd_mask/initial_sid_contexts", ] system_public_policy_files = [ "reqd_mask/security_classes", "reqd_mask/initial_sids", "reqd_mask/access_vectors", "system/public/global_macros", "system/public/neverallow_macros", "reqd_mask/mls_macros", "reqd_mask/mls_decl", "reqd_mask/mls", "system/public/te_macros", "system/public/attributes", "system/public/ioctl_defines", "system/public/ioctl_macros", "system/public/*.te", "reqd_mask/reqd_mask.te", "reqd_mask/roles_decl", "reqd_mask/roles", "system/public/roles", "reqd_mask/users", "reqd_mask/initial_sid_contexts", ] vendor_policy_files = [ "reqd_mask/security_classes", "reqd_mask/initial_sids", "reqd_mask/access_vectors", "system/public/global_macros", "system/public/neverallow_macros", "reqd_mask/mls_macros", "reqd_mask/mls_decl", "reqd_mask/mls", "system/public/te_macros", "system/public/attributes", "system/public/ioctl_defines", "system/public/ioctl_macros", "system/public/*.te", "reqd_mask/reqd_mask.te", "vendor/*.te", "reqd_mask/roles_decl", "reqd_mask/roles", "system/public/roles", "reqd_mask/users", "reqd_mask/initial_sid_contexts", ] se_policy_conf { name: "microdroid_reqd_policy_mask.conf", srcs: reqd_mask_files, installable: false, mls_cats: 1, } se_policy_cil { name: "microdroid_reqd_policy_mask.cil", src: ":microdroid_reqd_policy_mask.conf", secilc_check: false, installable: false, } se_policy_conf { name: "microdroid_plat_sepolicy.conf", srcs: system_policy_files, installable: false, mls_cats: 1, } se_policy_cil { name: "microdroid_plat_sepolicy.cil", stem: "plat_sepolicy.cil", src: ":microdroid_plat_sepolicy.conf", installable: false, } se_policy_conf { name: "microdroid_plat_pub_policy.conf", srcs: system_public_policy_files, installable: false, mls_cats: 1, } se_policy_cil { name: "microdroid_plat_pub_policy.cil", src: ":microdroid_plat_pub_policy.conf", filter_out: [":microdroid_reqd_policy_mask.cil"], secilc_check: false, installable: false, } se_versioned_policy { name: "microdroid_plat_mapping_file", base: ":microdroid_plat_pub_policy.cil", mapping: true, version: "current", relative_install_path: "mapping", // install to /system/etc/selinux/mapping installable: false, } se_versioned_policy { name: "microdroid_plat_pub_versioned.cil", stem: "plat_pub_versioned.cil", base: ":microdroid_plat_pub_policy.cil", target_policy: ":microdroid_plat_pub_policy.cil", version: "current", dependent_cils: [ ":microdroid_plat_sepolicy.cil", ":microdroid_plat_mapping_file", ], installable: false, } se_policy_conf { name: "microdroid_vendor_sepolicy.conf", srcs: vendor_policy_files, installable: false, mls_cats: 1, } se_policy_cil { name: "microdroid_vendor_sepolicy.cil.raw", src: ":microdroid_vendor_sepolicy.conf", filter_out: [":microdroid_reqd_policy_mask.cil"], secilc_check: false, // will be done in se_versioned_policy module installable: false, } se_versioned_policy { name: "microdroid_vendor_sepolicy.cil", stem: "vendor_sepolicy.cil", base: ":microdroid_plat_pub_policy.cil", target_policy: ":microdroid_vendor_sepolicy.cil.raw", version: "current", // microdroid is bundled to system dependent_cils: [ ":microdroid_plat_sepolicy.cil", ":microdroid_plat_pub_versioned.cil", ":microdroid_plat_mapping_file", ], filter_out: [":microdroid_plat_pub_versioned.cil"], installable: false, } sepolicy_vers { name: "microdroid_plat_sepolicy_vers.txt", version: "platform", stem: "plat_sepolicy_vers.txt", installable: false, } // sepolicy sha256 for vendor genrule { name: "microdroid_plat_sepolicy_and_mapping.sha256_gen", srcs: [":microdroid_plat_sepolicy.cil", ":microdroid_plat_mapping_file"], out: ["microdroid_plat_sepolicy_and_mapping.sha256"], cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)", } prebuilt_etc { name: "microdroid_plat_sepolicy_and_mapping.sha256", src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen", filename: "plat_sepolicy_and_mapping.sha256", relative_install_path: "selinux", installable: false, } prebuilt_etc { name: "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256", src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen", filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256", relative_install_path: "selinux", installable: false, } se_policy_binary { name: "microdroid_precompiled_sepolicy", stem: "microdroid_precompiled_sepolicy", srcs: [ ":microdroid_plat_sepolicy.cil", ":microdroid_plat_mapping_file", ":microdroid_plat_pub_versioned.cil", ":microdroid_vendor_sepolicy.cil", ], installable: false, // b/259729287. In Microdroid, su is allowed to be in permissive mode. // This is to support fully debuggable VMs on user builds. This is safe // because we don't start adbd at all on non-debuggable VMs. permissive_domains_on_user_builds: ["su"], } genrule { name: "microdroid_file_contexts.gen", srcs: ["system/private/file_contexts"], tools: ["fc_sort"], out: ["file_contexts"], cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " + "$(location fc_sort) -i $(out).tmp -o $(out)", } prebuilt_etc { name: "microdroid_file_contexts", filename: "plat_file_contexts", src: ":microdroid_file_contexts.gen", relative_install_path: "selinux", installable: false, } genrule { name: "microdroid_vendor_file_contexts.gen", srcs: ["vendor/file_contexts"], tools: ["fc_sort"], out: ["file_contexts"], cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " + "$(location fc_sort) -i $(out).tmp -o $(out)", } prebuilt_etc { name: "microdroid_property_contexts", filename: "plat_property_contexts", src: "system/private/property_contexts", relative_install_path: "selinux", installable: false, } // For CTS se_policy_conf { name: "microdroid_general_sepolicy.conf", srcs: system_policy_files, exclude_build_test: true, installable: false, mls_cats: 1, }