Android.mk revision 2e0cd5ad36321fd7a8f21768dac080d09b658920
# Directory of this makefile; the base policy sources are looked up under it.
LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

# SELinux policy version.
# Must be <= /selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
# `?=` only assigns when POLICYVERS has not been set already.
POLICYVERS ?= 26

# MLS sensitivity and category counts, passed to m4 as mls_num_sens and
# mls_num_cats when the policy.conf files are assembled.
MLS_SENS := 1
MLS_CATS := 1024
# Quick edge case error detection for BOARD_SEPOLICY_REPLACE.
# Builds the singular path for each replace file.
#
# A replace file takes the place of the base policy file of the same name,
# so each request is checked, in this order, while the makefile is parsed:
#   1. the name is not also listed in BOARD_SEPOLICY_UNION;
#   2. once BOARD_SEPOLICY_IGNORE entries are dropped, exactly one copy
#      exists under BOARD_SEPOLICY_DIRS (none and several are both fatal);
#   3. a file of that name exists in $(LOCAL_PATH) to be replaced.
# The single surviving path is appended to sepolicy_replace_paths.
# _paths and _occurrences are scratch variables assigned through $(eval).
sepolicy_replace_paths :=
$(foreach pf, $(BOARD_SEPOLICY_REPLACE), \
  $(if $(filter $(pf), $(BOARD_SEPOLICY_UNION)), \
    $(error Ambiguous request for sepolicy $(pf). Appears in both \
      BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION) \
  ) \
  $(eval _paths := $(filter-out $(BOARD_SEPOLICY_IGNORE), \
    $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))))) \
  $(eval _occurrences := $(words $(_paths))) \
  $(if $(_paths),, \
    $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)) \
  ) \
  $(if $(filter 1, $(_occurrences)), \
    $(eval sepolicy_replace_paths += $(_paths)), \
    $(error Multiple occurrences of replace file $(pf) in $(_paths)) \
  ) \
  $(if $(wildcard $(addsuffix /$(pf), $(LOCAL_PATH))),, \
    $(error Specified the sepolicy file $(pf) in BOARD_SEPOLICY_REPLACE, \
      but none found in $(LOCAL_PATH)) \
  ) \
)
# Quick edge case error detection for BOARD_SEPOLICY_UNION.
# This ensures that a requested union file exists somewhere
# in one of the listed BOARD_SEPOLICY_DIRS.
# NOTE(review): BOARD_SEPOLICY_IGNORE is not applied in this check, while
# build_policy does filter it out; a union file that exists only at an
# ignored path passes here and then contributes nothing to the policy.
$(foreach pf, $(BOARD_SEPOLICY_UNION), \
  $(if $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))),, \
    $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)) \
  ) \
)
# Builds paths for all requested policy files w.r.t
# both BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
# product variables.
# $(1): the set of policy name paths to build
#
# For every name or glob in $(1), in order:
#   - each match under $(LOCAL_PATH) is emitted, unless its file name is
#     listed in BOARD_SEPOLICY_REPLACE, in which case the copy found in the
#     directories of sepolicy_replace_paths is emitted in its place;
#   - then every match under BOARD_SEPOLICY_DIRS whose file name is listed
#     in BOARD_SEPOLICY_UNION is emitted.
# Paths listed in BOARD_SEPOLICY_IGNORE are removed from the result.
# The result is what a board configuration contributes to, or substitutes
# in, the final policy, so it is the list to audit for a given device.
build_policy = $(foreach policy_glob, $(1), \
  $(filter-out $(BOARD_SEPOLICY_IGNORE), \
    $(foreach local_name, \
      $(notdir $(wildcard $(addsuffix /$(policy_glob), $(LOCAL_PATH)))), \
      $(if $(filter $(local_name), $(BOARD_SEPOLICY_REPLACE)), \
        $(wildcard $(addsuffix $(local_name), \
          $(sort $(dir $(sepolicy_replace_paths))))), \
        $(LOCAL_PATH)/$(local_name) \
      ) \
    ) \
    $(foreach board_file, \
      $(wildcard $(addsuffix /$(policy_glob), $(BOARD_SEPOLICY_DIRS))), \
      $(if $(filter $(notdir $(board_file)), $(BOARD_SEPOLICY_UNION)), \
        $(board_file) \
      ) \
    ) \
  ) \
)
# Policy source names, in the order they are handed to m4 and therefore
# concatenated into policy.conf. `*.te` is a glob that is expanded later
# with $(wildcard).
sepolicy_build_files := \
  security_classes initial_sids access_vectors \
  global_macros neverallow_macros mls_macros mls policy_capabilities te_macros \
  attributes *.te \
  roles users initial_sid_contexts fs_use genfs_contexts port_contexts
##################################
# sepolicy: the compiled policy, installed to $(TARGET_ROOT_OUT).
include $(CLEAR_VARS)

LOCAL_MODULE := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

sepolicy_policy.conf := $(intermediates)/policy.conf

# The MLS sizes are captured per target when this file is parsed.
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)

# Step 1: m4 expands the sources selected by build_policy (base files plus
# board replace/union files) into one policy.conf. TARGET_BUILD_VARIANT is
# passed in as a macro, so the sources can branch on the build variant.
# A second copy with every line containing "dontaudit" deleted is written
# beside it as policy.conf.dontaudit. The deletion is line-based: it also
# removes comments or other statements that merely mention the word.
# That copy is a side product of this recipe, not a declared target.
$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
	@mkdir -p $(@D)
	$(hide) m4 \
		-D mls_num_sens=$(PRIVATE_MLS_SENS) \
		-D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-s $^ > $@
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# Step 2: checkpolicy compiles policy.conf with MLS enabled (-M) at policy
# version $(POLICYVERS); a policy it rejects fails the build here.
# The .dontaudit variant is compiled into the intermediates directory of
# policy.conf and is not the module's installed output.
$(LOCAL_BUILT_MODULE): \
    $(sepolicy_policy.conf) \
    $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(@D)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) \
		-o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit

# Later sections validate their context files against this binary.
built_sepolicy := $(LOCAL_BUILT_MODULE)
sepolicy_policy.conf :=
##################################
# sepolicy.recovery: same sources as sepolicy, expanded with the extra m4
# macro target_recovery=true. Tagged `eng`; no dontaudit-stripped variant
# is produced for it.
include $(CLEAR_VARS)

LOCAL_MODULE := sepolicy.recovery
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := eng

include $(BUILD_SYSTEM)/base_rules.mk

sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf

$(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)

# Assemble policy_recovery.conf from the base and board policy sources.
$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
	@mkdir -p $(@D)
	$(hide) m4 \
		-D mls_num_sens=$(PRIVATE_MLS_SENS) \
		-D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-D target_recovery=true \
		-s $^ > $@

# Compile it with checkpolicy; a rejected policy fails the build.
$(LOCAL_BUILT_MODULE): \
    $(sepolicy_policy_recovery.conf) \
    $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(@D)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<

built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
sepolicy_policy_recovery.conf :=
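##################################
# general_sepolicy.conf: policy.conf built only from the sources in
# $(LOCAL_PATH), with no BOARD_SEPOLICY_* replace or union files, and
# always expanded with target_build_variant=user. Tagged `tests`.
include $(CLEAR_VARS)

LOCAL_MODULE := general_sepolicy.conf
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

exp_sepolicy_build_files := \
  $(wildcard $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)))

$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)

# The copy with every line containing "dontaudit" deleted is written beside
# the target as a side product of the recipe.
$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
	@mkdir -p $(dir $@)
	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=user \
		-s $^ > $@
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# Simple assignment on purpose: LOCAL_BUILT_MODULE is reassigned by every
# later module, so a recursive `=` would resolve to some other module's
# output at the point of use. The path has to be captured here.
GENERAL_SEPOLICY_POLICY.CONF := $(LOCAL_BUILT_MODULE)

exp_sepolicy_build_files :=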
##################################
# file_contexts: base and board file_contexts sources merged with m4, then
# checked by checkfc against the compiled sepolicy. A failed check fails
# the build.
include $(CLEAR_VARS)

LOCAL_MODULE := file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

ALL_FC_FILES := $(call build_policy, file_contexts)

# built_sepolicy is cleared at the end of this file, so the recipe reads
# the target-specific PRIVATE_SEPOLICY copy.
# NOTE(review): the recipe reads the global ALL_FC_FILES when it runs, not
# a PRIVATE_ copy; a later reassignment elsewhere would change its input.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): \
    $(ALL_FC_FILES) \
    $(built_sepolicy) \
    $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(@D)
	$(hide) m4 -s $(ALL_FC_FILES) > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@

built_fc := $(LOCAL_BUILT_MODULE)
##################################
# general_file_contexts: only $(LOCAL_PATH)/file_contexts, without board
# additions, checked by checkfc against the compiled sepolicy.
# Tagged `tests`.
include $(CLEAR_VARS)

LOCAL_MODULE := general_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

# $< is the first prerequisite, i.e. the base file_contexts source.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): \
    $(LOCAL_PATH)/file_contexts \
    $(built_sepolicy) \
    $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(@D)
	$(hide) m4 -s $< > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@

GENERAL_FILE_CONTEXTS := $(LOCAL_BUILT_MODULE)
##################################
# seapp_contexts: base and board seapp_contexts sources merged with m4
# into a temporary file, which checkseapp then processes against the
# compiled sepolicy (-p) to write the installed file (-o).
include $(CLEAR_VARS)
LOCAL_MODULE := seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

seapp_contexts.tmp := $(intermediates)/seapp_contexts.tmp
$(seapp_contexts.tmp): $(call build_policy, seapp_contexts)
	@mkdir -p $(@D)
	$(hide) m4 -s $^ > $@

# built_sepolicy is cleared at the end of this file, so the recipe reads
# the target-specific PRIVATE_SEPOLICY copy. The checkseapp command is not
# prefixed with $(hide).
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): \
    $(seapp_contexts.tmp) \
    $(built_sepolicy) \
    $(HOST_OUT_EXECUTABLES)/checkseapp
	@mkdir -p $(@D)
	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<

built_sc := $(LOCAL_BUILT_MODULE)
seapp_contexts.tmp :=
##################################
# general_seapp_contexts: only $(LOCAL_PATH)/seapp_contexts, without board
# additions, processed by checkseapp against the compiled sepolicy.
# Tagged `tests`.
include $(CLEAR_VARS)
LOCAL_MODULE := general_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

general_seapp_contexts.tmp := $(intermediates)/general_seapp_contexts.tmp
$(general_seapp_contexts.tmp): $(LOCAL_PATH)/seapp_contexts
	@mkdir -p $(@D)
	$(hide) m4 -s $^ > $@

$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): \
    $(general_seapp_contexts.tmp) \
    $(built_sepolicy) \
    $(HOST_OUT_EXECUTABLES)/checkseapp
	@mkdir -p $(@D)
	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<

GENERAL_SEAPP_CONTEXTS := $(LOCAL_BUILT_MODULE)
general_seapp_contexts.tmp :=
##################################
# property_contexts: base and board property_contexts sources merged with
# m4, then checked by `checkfc -p` against the compiled sepolicy. A failed
# check fails the build.
include $(CLEAR_VARS)

LOCAL_MODULE := property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

ALL_PC_FILES := $(call build_policy, property_contexts)

# NOTE(review): the recipe reads the global ALL_PC_FILES when it runs, not
# a PRIVATE_ copy; a later reassignment elsewhere would change its input.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): \
    $(ALL_PC_FILES) \
    $(built_sepolicy) \
    $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(@D)
	$(hide) m4 -s $(ALL_PC_FILES) > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@

built_pc := $(LOCAL_BUILT_MODULE)
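##################################
# general_property_contexts: only $(LOCAL_PATH)/property_contexts, without
# board additions, checked by `checkfc -p` against the compiled sepolicy.
# Tagged `tests`.
include $(CLEAR_VARS)

LOCAL_MODULE := general_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

# Every other module section in this file includes base_rules.mk before it
# uses $(LOCAL_BUILT_MODULE); this section did not, so the rule and the
# GENERAL_PROPERTY_CONTEXTS assignment below had no module path of their
# own to refer to.
include $(BUILD_SYSTEM)/base_rules.mk

# $< is the first prerequisite, i.e. the base property_contexts source.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE) : $(addprefix $(LOCAL_PATH)/, property_contexts) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(dir $@)
	$(hide) m4 -s $< > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@

GENERAL_PROPERTY_CONTEXTS := $(LOCAL_BUILT_MODULE)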
##################################
# service_contexts: base and board service_contexts sources merged with
# m4, then checked by `checkfc -p` against the compiled sepolicy. A failed
# check fails the build.
include $(CLEAR_VARS)

LOCAL_MODULE := service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

ALL_SVC_FILES := $(call build_policy, service_contexts)

# NOTE(review): the recipe reads the global ALL_SVC_FILES when it runs, not
# a PRIVATE_ copy; a later reassignment elsewhere would change its input.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): \
    $(ALL_SVC_FILES) \
    $(built_sepolicy) \
    $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(@D)
	$(hide) m4 -s $(ALL_SVC_FILES) > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@

built_svc := $(LOCAL_BUILT_MODULE)
##################################
# general_service_contexts: only $(LOCAL_PATH)/service_contexts, without
# board additions, checked by `checkfc -p` against the compiled sepolicy.
# Tagged `tests`.
include $(CLEAR_VARS)

LOCAL_MODULE := general_service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

# $< is the first prerequisite, i.e. the base service_contexts source.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): \
    $(LOCAL_PATH)/service_contexts \
    $(built_sepolicy) \
    $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(@D)
	$(hide) m4 -s $< > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@

GENERAL_SERVICE_CONTEXTS := $(LOCAL_BUILT_MODULE)
##################################
# mac_permissions.xml: installed under $(TARGET_OUT_ETC)/security.
# insertkeys.py receives the merged keys.conf ($<) and the selected
# mac_permissions.xml sources and writes the output named by -o.
include $(CLEAR_VARS)

LOCAL_MODULE := mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security

include $(BUILD_SYSTEM)/base_rules.mk

# Build keys.conf
# Base and board keys.conf files are merged by build_policy, so a board
# can replace or extend the key entries used below.
mac_perms_keys.tmp := $(intermediates)/keys.tmp
$(mac_perms_keys.tmp): $(call build_policy, keys.conf)
	@mkdir -p $(@D)
	$(hide) m4 -s $^ > $@

ALL_MAC_PERMS_FILES := $(call build_policy, $(LOCAL_MODULE))

# The environment variable passed to insertkeys.py holds the directory of
# the default system dev certificate, not the certificate file itself.
# NOTE(review): presumably keys.conf refers to certificates through that
# variable; confirm against insertkeys.py which keys end up in the output.
$(LOCAL_BUILT_MODULE): \
    $(mac_perms_keys.tmp) \
    $(HOST_OUT_EXECUTABLES)/insertkeys.py \
    $(ALL_MAC_PERMS_FILES)
	@mkdir -p $(@D)
	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
		$(HOST_OUT_EXECUTABLES)/insertkeys.py \
		-t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(ALL_MAC_PERMS_FILES)

mac_perms_keys.tmp :=
##################################
# selinux_version: a file under $(TARGET_ROOT_OUT) that holds
# $(BUILD_FINGERPRINT) with no trailing newline (echo -n).
# The built policy and context files are its prerequisites, so it is
# rewritten whenever any of them is rebuilt.
include $(CLEAR_VARS)

LOCAL_MODULE := selinux_version
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE): \
    $(built_sepolicy) \
    $(built_pc) \
    $(built_fc) \
    $(built_sc) \
    $(built_svc)
	@mkdir -p $(@D)
	$(hide) echo -n $(BUILD_FINGERPRINT) > $@
##################################

# Clear the file-local helpers so they are not visible to makefiles parsed
# after this one. Recipes above therefore use PRIVATE_ copies rather than
# these names. ALL_FC_FILES, ALL_PC_FILES, ALL_SVC_FILES and
# ALL_MAC_PERMS_FILES are not cleared here.
built_svc :=
built_pc :=
built_fc :=
built_sc :=
built_sepolicy :=
sepolicy_replace_paths :=
sepolicy_build_files :=
build_policy :=

# Pull in the makefiles found below this directory.
include $(call all-makefiles-under,$(LOCAL_PATH))