1LOCAL_PATH:= $(call my-dir) 2 3include $(LOCAL_PATH)/definitions.mk 4 5include $(CLEAR_VARS) 6# SELinux policy version. 7# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel. 8# Must be within the compatibility range reported by checkpolicy -V. 9POLICYVERS ?= 30 10 11MLS_SENS=1 12MLS_CATS=1024 13 14ifdef BOARD_SEPOLICY_REPLACE 15$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.) 16endif 17 18ifdef BOARD_SEPOLICY_IGNORE 19$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.) 20endif 21 22ifdef BOARD_SEPOLICY_UNION 23$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.) 24endif 25 26ifdef BOARD_SEPOLICY_M4DEFS 27LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS)) 28else 29LOCAL_ADDITIONAL_M4DEFS := 30endif 31 32# sepolicy is now divided into multiple portions: 33# public - policy exported on which non-platform policy developers may write 34# additional policy. types and attributes are versioned and included in 35# delivered non-platform policy, which is to be combined with platform policy. 36# private - platform-only policy required for platform functionality but which 37# is not exported to vendor policy developers and as such may not be assumed 38# to exist. 39# vendor - vendor-only policy required for vendor functionality. This policy can 40# reference the public policy but cannot reference the private policy. This 41# policy is for components which are produced from the core/non-vendor tree and 42# placed into a vendor partition. 43# mapping - This contains policy statements which map the attributes 44# exposed in the public policy of previous versions to the concrete types used 45# in this policy to ensure that policy targeting attributes from public 46# policy from an older platform version continues to work. 47 48# build process for device: 49# 1) convert policies to CIL: 50# - private + public platform policy to CIL 51# - mapping file to CIL (should already be in CIL form) 52# - non-platform public policy to CIL 53# - non-platform public + private policy to CIL 54# 2) attributize policy 55# - run script which takes non-platform public and non-platform combined 56# private + public policy and produces attributized and versioned 57# non-platform policy 58# 3) combine policy files 59# - combine mapping, platform and non-platform policy. 60# - compile output binary policy file 61 62PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public 63ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)) 64PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) 65endif 66PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private 67ifneq ( ,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)) 68PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) 69endif 70PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor 71REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask 72 73# TODO: move to README when doing the README update and finalizing versioning. 74# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy 75# version identifier corresponding to the sepolicy on which the non-platform 76# policy is to be based. If unspecified, this will build against the current 77# public platform policy in tree 78ifndef BOARD_SEPOLICY_VERS 79$(warning BOARD_SEPOLICY_VERS not specified, assuming current platform version) 80# The default platform policy version. 81BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION) 82endif 83 84NEVERALLOW_ARG := 85ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) 86ifeq ($(TARGET_BUILD_VARIANT),user) 87$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds) 88endif 89$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \ 90 It does not work in user builds and using it will \ 91 not stop you from failing CTS.) 92NEVERALLOW_ARG := -N 93endif 94 95# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before. 96# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and 97# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for 98# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS. 99ifdef BOARD_SEPOLICY_DIRS 100BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS) 101endif 102 103ifdef BOARD_ODM_SEPOLICY_DIRS 104ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) 105$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS) 106endif 107endif 108 109platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil 110 111########################################################### 112# Compute policy files to be used in policy build. 113# $(1): files to include 114# $(2): directories in which to find files 115########################################################### 116 117define build_policy 118$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))) 119endef 120 121# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS. 122# $(1): the set of policy name paths to build 123build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS)) 124 125# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS. 126build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS)) 127 128# Add a file containing only a newline in-between each policy configuration 129# 'contexts' file. This will allow OEM policy configuration files without a 130# final newline (0x0A) to be built correctly by the m4(1) macro processor. 131# $(1): the set of contexts file names. 132# $(2): the file containing only 0x0A. 133add_nl = $(foreach entry, $(1), $(subst $(entry), $(entry) $(2), $(entry))) 134 135sepolicy_build_files := security_classes \ 136 initial_sids \ 137 access_vectors \ 138 global_macros \ 139 neverallow_macros \ 140 mls_macros \ 141 mls_decl \ 142 mls \ 143 policy_capabilities \ 144 te_macros \ 145 attributes \ 146 ioctl_defines \ 147 ioctl_macros \ 148 *.te \ 149 roles_decl \ 150 roles \ 151 users \ 152 initial_sid_contexts \ 153 fs_use \ 154 genfs_contexts \ 155 port_contexts 156 157# CIL files which contain workarounds for current limitation of human-readable 158# module policy language. These files are appended to the CIL files produced 159# from module language files. 160sepolicy_build_cil_workaround_files := technical_debt.cil 161 162my_target_arch := $(TARGET_ARCH) 163ifneq (,$(filter mips mips64,$(TARGET_ARCH))) 164 my_target_arch := mips 165endif 166 167intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates 168 169with_asan := false 170ifneq (,$(filter address,$(SANITIZE_TARGET))) 171 with_asan := true 172endif 173 174# Library extension for host-side tests 175ifeq ($(HOST_OS),darwin) 176SHAREDLIB_EXT=dylib 177else 178SHAREDLIB_EXT=so 179endif 180 181include $(CLEAR_VARS) 182LOCAL_MODULE := selinux_policy 183LOCAL_MODULE_TAGS := optional 184# Include SELinux policy. We do this here because different modules 185# need to be included based on the value of PRODUCT_SEPOLICY_SPLIT. This 186# type of conditional inclusion cannot be done in top-level files such 187# as build/target/product/embedded.mk. 188# This conditional inclusion closely mimics the conditional logic 189# inside init/init.cpp for loading SELinux policy from files. 190ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 191 192# Use split SELinux policy 193LOCAL_REQUIRED_MODULES += \ 194 $(platform_mapping_file) \ 195 $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \ 196 plat_pub_versioned.cil \ 197 vendor_sepolicy.cil \ 198 plat_sepolicy.cil \ 199 plat_and_mapping_sepolicy.cil.sha256 \ 200 secilc \ 201 plat_sepolicy_vers.txt \ 202 203# Include precompiled policy, unless told otherwise 204ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false) 205LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256 206endif 207else 208# The following files are only allowed for non-Treble devices. 209LOCAL_REQUIRED_MODULES += \ 210 sepolicy \ 211 vendor_service_contexts 212endif 213 214LOCAL_REQUIRED_MODULES += \ 215 build_sepolicy \ 216 vendor_file_contexts \ 217 vendor_mac_permissions.xml \ 218 vendor_property_contexts \ 219 vendor_seapp_contexts \ 220 vendor_hwservice_contexts \ 221 plat_file_contexts \ 222 plat_mac_permissions.xml \ 223 plat_property_contexts \ 224 plat_seapp_contexts \ 225 plat_service_contexts \ 226 plat_hwservice_contexts \ 227 searchpolicy \ 228 vndservice_contexts \ 229 230ifneq ($(TARGET_BUILD_VARIANT), user) 231LOCAL_REQUIRED_MODULES += \ 232 selinux_denial_metadata \ 233 234endif 235 236ifneq ($(with_asan),true) 237ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) 238LOCAL_REQUIRED_MODULES += \ 239 sepolicy_tests \ 240 treble_sepolicy_tests_26.0 \ 241 treble_sepolicy_tests_27.0 \ 242 243endif 244endif 245 246ifdef BOARD_ODM_SEPOLICY_DIRS 247LOCAL_REQUIRED_MODULES += \ 248 odm_sepolicy.cil \ 249 odm_file_contexts \ 250 odm_seapp_contexts \ 251 odm_property_contexts \ 252 odm_hwservice_contexts \ 253 odm_mac_permissions.xml 254endif 255 256ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 257LOCAL_REQUIRED_MODULES += \ 258 sepolicy_freeze_test \ 259 260endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 261 262include $(BUILD_PHONY_PACKAGE) 263 264################################# 265include $(CLEAR_VARS) 266 267LOCAL_MODULE := sepolicy_neverallows 268LOCAL_MODULE_CLASS := ETC 269LOCAL_MODULE_TAGS := optional 270LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 271 272include $(BUILD_SYSTEM)/base_rules.mk 273 274# sepolicy_policy.conf - All of the policy for the device. This is only used to 275# check neverallow rules. 276sepolicy_policy.conf := $(intermediates)/policy.conf 277$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 278$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 279$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user 280$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 281$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 282$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 283$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 284$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 285$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS)) 286 $(transform-policy-to-conf) 287 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 288 289$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy 290 rm -f $@ 291ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true) 292 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \ 293 $(POLICYVERS) -o $@ $< 294else # ($(SELINUX_IGNORE_NEVERALLOWS),true) 295 $(hide) touch $@ 296endif # ($(SELINUX_IGNORE_NEVERALLOWS),true) 297 298sepolicy_policy.conf := 299built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE) 300 301################################## 302# reqd_policy_mask - a policy.conf file which contains only the bare minimum 303# policy necessary to use checkpolicy. This bare-minimum policy needs to be 304# present in all policy.conf files, but should not necessarily be exported as 305# part of the public policy. The rules generated by reqd_policy_mask will allow 306# the compilation of public policy and subsequent removal of CIL policy that 307# should not be exported. 308 309reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf 310$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 311$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 312$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 313$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 314$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 315$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 316$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 317$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 318$(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY)) 319 $(transform-policy-to-conf) 320# b/37755687 321CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0 322 323reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil 324$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy 325 @mkdir -p $(dir $@) 326 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \ 327 $(POLICYVERS) -o $@ $< 328 329reqd_policy_mask.conf := 330 331################################## 332# plat_pub_policy - policy that will be exported to be a part of non-platform 333# policy corresponding to this platform version. This is a limited subset of 334# policy that would not compile in checkpolicy on its own. To get around this 335# limitation, add only the required files from private policy, which will 336# generate CIL policy that will then be filtered out by the reqd_policy_mask. 337plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf 338$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 339$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 340$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 341$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 342$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 343$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 344$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 345$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 346$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 347$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY)) 348 $(transform-policy-to-conf) 349plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil 350$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf) 351$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 352$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil) 353 @mkdir -p $(dir $@) 354 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF) 355 $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@ 356 357plat_pub_policy.conf := 358 359################################## 360include $(CLEAR_VARS) 361 362LOCAL_MODULE := sectxfile_nl 363LOCAL_MODULE_CLASS := ETC 364LOCAL_MODULE_TAGS := optional 365 366# Create a file containing newline only to add between context config files 367include $(BUILD_SYSTEM)/base_rules.mk 368$(LOCAL_BUILT_MODULE): 369 @mkdir -p $(dir $@) 370 $(hide) echo > $@ 371 372built_nl := $(LOCAL_BUILT_MODULE) 373 374################################# 375include $(CLEAR_VARS) 376 377LOCAL_MODULE := plat_sepolicy.cil 378LOCAL_MODULE_CLASS := ETC 379LOCAL_MODULE_TAGS := optional 380LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 381 382include $(BUILD_SYSTEM)/base_rules.mk 383 384# plat_policy.conf - A combination of the private and public platform policy 385# which will ship with the device. The platform will always reflect the most 386# recent platform version and is not currently being attributized. 387plat_policy.conf := $(intermediates)/plat_policy.conf 388$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 389$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 390$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 391$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 392$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 393$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 394$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 395$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 396$(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 397$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 398 $(transform-policy-to-conf) 399 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 400 401$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \ 402 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) 403$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 404$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 405 $(HOST_OUT_EXECUTABLES)/secilc \ 406 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ 407 $(built_sepolicy_neverallows) 408 @mkdir -p $(dir $@) 409 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 410 $(POLICYVERS) -o $@ $< 411 $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@ 412 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o /dev/null -f /dev/null 413 414built_plat_cil := $(LOCAL_BUILT_MODULE) 415plat_policy.conf := 416 417################################# 418include $(CLEAR_VARS) 419 420LOCAL_MODULE := plat_sepolicy_vers.txt 421LOCAL_MODULE_CLASS := ETC 422LOCAL_MODULE_TAGS := optional 423LOCAL_PROPRIETARY_MODULE := true 424LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 425 426include $(BUILD_SYSTEM)/base_rules.mk 427 428$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS) 429$(LOCAL_BUILT_MODULE) : 430 mkdir -p $(dir $@) 431 echo $(PRIVATE_PLAT_SEPOL_VERS) > $@ 432 433################################# 434include $(CLEAR_VARS) 435 436LOCAL_MODULE := $(platform_mapping_file) 437LOCAL_MODULE_CLASS := ETC 438LOCAL_MODULE_TAGS := optional 439LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping 440 441include $(BUILD_SYSTEM)/base_rules.mk 442 443current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil 444ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION)) 445# auto-generate the mapping file for current platform policy, since it needs to 446# track platform policy development 447$(current_mapping.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION) 448$(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy 449 @mkdir -p $(dir $@) 450 $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@ 451 452else # ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION)) 453prebuilt_mapping_files := $(wildcard $(addsuffix /mapping/$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY))) 454$(current_mapping.cil) : $(prebuilt_mapping_files) 455 @mkdir -p $(dir $@) 456 cat $^ > $@ 457 458prebuilt_mapping_files := 459endif 460 461$(LOCAL_BUILT_MODULE): $(current_mapping.cil) $(ACP) 462 $(hide) $(ACP) $< $@ 463 464built_mapping_cil := $(LOCAL_BUILT_MODULE) 465current_mapping.cil := 466 467################################# 468include $(CLEAR_VARS) 469 470LOCAL_MODULE := 27.0.cil 471LOCAL_SRC_FILES := private/compat/27.0/27.0.cil 472LOCAL_MODULE_CLASS := ETC 473LOCAL_MODULE_TAGS := optional 474LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping 475 476include $(BUILD_PREBUILT) 477################################# 478include $(CLEAR_VARS) 479 480LOCAL_MODULE := 26.0.cil 481LOCAL_SRC_FILES := private/compat/26.0/26.0.cil 482LOCAL_MODULE_CLASS := ETC 483LOCAL_MODULE_TAGS := optional 484LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping 485 486include $(BUILD_PREBUILT) 487################################# 488include $(CLEAR_VARS) 489 490LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256 491LOCAL_MODULE_CLASS := ETC 492LOCAL_MODULE_TAGS := optional 493LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux 494 495include $(BUILD_SYSTEM)/base_rules.mk 496 497$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil) 498 cat $^ | sha256sum | cut -d' ' -f1 > $@ 499 500################################# 501include $(CLEAR_VARS) 502 503# plat_pub_versioned.cil - the exported platform policy associated with the version 504# that non-platform policy targets. 505LOCAL_MODULE := plat_pub_versioned.cil 506LOCAL_MODULE_CLASS := ETC 507LOCAL_MODULE_TAGS := optional 508LOCAL_PROPRIETARY_MODULE := true 509LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 510 511include $(BUILD_SYSTEM)/base_rules.mk 512 513$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 514$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(plat_pub_policy.cil) 515$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil) 516$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \ 517 $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_mapping_cil) 518 @mkdir -p $(dir $@) 519 $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@ 520 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \ 521 $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null 522 523built_plat_pub_vers_cil := $(LOCAL_BUILT_MODULE) 524 525################################# 526include $(CLEAR_VARS) 527 528# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined 529# with the platform-provided policy. It makes use of the reqd_policy_mask files from private 530# policy and the platform public policy files in order to use checkpolicy. 531LOCAL_MODULE := vendor_sepolicy.cil 532LOCAL_MODULE_CLASS := ETC 533LOCAL_MODULE_TAGS := optional 534LOCAL_PROPRIETARY_MODULE := true 535LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 536 537include $(BUILD_SYSTEM)/base_rules.mk 538 539vendor_policy.conf := $(intermediates)/vendor_policy.conf 540$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 541$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 542$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 543$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 544$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 545$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 546$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 547$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 548$(vendor_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 549$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS)) 550 $(transform-policy-to-conf) 551 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 552 553$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf) 554$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 555$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil) 556$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 557$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) 558$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_plat_pub_vers_cil) 559$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ 560 $(vendor_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \ 561 $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) 562 @mkdir -p $(dir $@) 563 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ 564 -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ 565 -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \ 566 -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ 567 568built_vendor_cil := $(LOCAL_BUILT_MODULE) 569vendor_policy.conf := 570 571################################# 572include $(CLEAR_VARS) 573 574# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined 575# with the platform-provided policy. It makes use of the reqd_policy_mask files from private 576# policy and the platform public policy files in order to use checkpolicy. 577LOCAL_MODULE := odm_sepolicy.cil 578LOCAL_MODULE_CLASS := ETC 579LOCAL_MODULE_TAGS := optional 580LOCAL_PROPRIETARY_MODULE := true 581LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 582 583include $(BUILD_SYSTEM)/base_rules.mk 584 585odm_policy.conf := $(intermediates)/odm_policy.conf 586$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 587$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 588$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 589$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 590$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 591$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 592$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) 593$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 594$(odm_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 595 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \ 596 $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS)) 597 $(transform-policy-to-conf) 598 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 599 600$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf) 601$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil) 602$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil) 603$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS) 604$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) \ 605 $(built_mapping_cil) $(built_vendor_cil) 606$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_pub_vers_cil) $(built_vendor_cil) 607$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \ 608 $(odm_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \ 609 $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) $(built_vendor_cil) 610 @mkdir -p $(dir $@) 611 $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \ 612 -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \ 613 -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \ 614 -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@ 615 616built_odm_cil := $(LOCAL_BUILT_MODULE) 617odm_policy.conf := 618odm_policy_raw := 619 620################################# 621include $(CLEAR_VARS) 622 623LOCAL_MODULE := precompiled_sepolicy 624LOCAL_MODULE_CLASS := ETC 625LOCAL_MODULE_TAGS := optional 626LOCAL_PROPRIETARY_MODULE := true 627 628ifeq ($(BOARD_USES_ODMIMAGE),true) 629LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 630else 631LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 632endif 633 634include $(BUILD_SYSTEM)/base_rules.mk 635 636all_cil_files := \ 637 $(built_plat_cil) \ 638 $(built_mapping_cil) \ 639 $(built_plat_pub_vers_cil) \ 640 $(built_vendor_cil) 641 642ifdef BOARD_ODM_SEPOLICY_DIRS 643all_cil_files += $(built_odm_cil) 644endif 645 646$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files) 647$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 648$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows) 649 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \ 650 $(PRIVATE_CIL_FILES) -o $@ -f /dev/null 651 652built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE) 653all_cil_files := 654 655################################# 656# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against 657# which precompiled_policy was built. 658################################# 659include $(CLEAR_VARS) 660LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256 661LOCAL_MODULE_CLASS := ETC 662LOCAL_MODULE_TAGS := optional 663LOCAL_PROPRIETARY_MODULE := true 664 665ifeq ($(BOARD_USES_ODMIMAGE),true) 666LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 667else 668LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 669endif 670 671include $(BUILD_SYSTEM)/base_rules.mk 672 673$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil) 674$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil) 675 cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@ 676 677################################# 678include $(CLEAR_VARS) 679# build this target so that we can still perform neverallow checks 680 681LOCAL_MODULE := sepolicy 682LOCAL_MODULE_CLASS := ETC 683LOCAL_MODULE_TAGS := optional 684LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 685 686include $(BUILD_SYSTEM)/base_rules.mk 687 688all_cil_files := \ 689 $(built_plat_cil) \ 690 $(built_mapping_cil) \ 691 $(built_plat_pub_vers_cil) \ 692 $(built_vendor_cil) 693 694ifdef BOARD_ODM_SEPOLICY_DIRS 695all_cil_files += $(built_odm_cil) 696endif 697 698$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files) 699$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 700$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \ 701$(built_sepolicy_neverallows) 702 @mkdir -p $(dir $@) 703 $(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null 704 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains 705 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ 706 echo "==========" 1>&2; \ 707 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ 708 echo "List of invalid domains:" 1>&2; \ 709 cat $@.permissivedomains 1>&2; \ 710 exit 1; \ 711 fi 712 $(hide) mv $@.tmp $@ 713 714built_sepolicy := $(LOCAL_BUILT_MODULE) 715all_cil_files := 716 717################################# 718include $(CLEAR_VARS) 719 720# keep concrete sepolicy for neverallow checks 721# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling. 722 723LOCAL_MODULE := sepolicy.recovery 724LOCAL_MODULE_STEM := sepolicy 725LOCAL_MODULE_CLASS := ETC 726LOCAL_MODULE_TAGS := optional 727LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 728 729include $(BUILD_SYSTEM)/base_rules.mk 730 731sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf 732$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 733$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 734$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) 735$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 736$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 737$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 738$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true 739$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \ 740 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \ 741 $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \ 742 $(BOARD_ODM_SEPOLICY_DIRS)) 743 $(transform-policy-to-conf) 744 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 745ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true) 746 $(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow 747 $(hide) mv $@.neverallow $@ 748endif 749 750$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 751 $(HOST_OUT_EXECUTABLES)/sepolicy-analyze 752 @mkdir -p $(dir $@) 753 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \ 754 $(POLICYVERS) -o $@.tmp $< 755 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains 756 $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ 757 echo "==========" 1>&2; \ 758 echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ 759 echo "List of invalid domains:" 1>&2; \ 760 cat $@.permissivedomains 1>&2; \ 761 exit 1; \ 762 fi 763 $(hide) mv $@.tmp $@ 764 765sepolicy.recovery.conf := 766 767################################## 768# SELinux policy embedded into CTS. 769# CTS checks neverallow rules of this policy against the policy of the device under test. 770################################## 771include $(CLEAR_VARS) 772 773LOCAL_MODULE := general_sepolicy.conf 774LOCAL_MODULE_CLASS := ETC 775LOCAL_MODULE_TAGS := tests 776 777include $(BUILD_SYSTEM)/base_rules.mk 778 779$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS) 780$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS) 781$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user 782$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch) 783$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false 784$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts 785$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts 786$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \ 787$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) 788 $(transform-policy-to-conf) 789 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 790 791################################## 792# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of. 793# 794include $(CLEAR_VARS) 795 796LOCAL_MODULE := file_contexts.bin 797LOCAL_MODULE_CLASS := ETC 798LOCAL_MODULE_TAGS := optional 799LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 800 801include $(BUILD_SYSTEM)/base_rules.mk 802 803# The file_contexts.bin is built in the following way: 804# 1. Collect all file_contexts files in THIS repository and process them with 805# m4 into a tmp file called file_contexts.local.tmp. 806# 2. Collect all device specific file_contexts files and process them with m4 807# into a tmp file called file_contexts.device.tmp. 808# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on 809# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. 810# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into 811# file_contexts.concat.tmp. 812# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce 813# file_contexts.bin. 814# 815# Note: That a newline file is placed between each file_context file found to 816# ensure a proper build when an fc file is missing an ending newline. 817 818local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY)) 819 820ifneq ($(filter address,$(SANITIZE_TARGET)),) 821 local_fc_files := $(local_fc_files) $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY))) 822endif 823local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl)) 824 825file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp 826$(file_contexts.local.tmp): $(local_fcfiles_with_nl) 827 @mkdir -p $(dir $@) 828 $(hide) m4 -s $^ > $@ 829 830device_fc_files := $(call build_vendor_policy, file_contexts) 831 832ifdef BOARD_ODM_SEPOLICY_DIRS 833device_fc_files += $(call build_odm_policy, file_contexts) 834endif 835 836device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl)) 837 838file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp 839$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 840$(file_contexts.device.tmp): $(device_fcfiles_with_nl) 841 @mkdir -p $(dir $@) 842 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ 843 844file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp 845$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy) 846$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \ 847 $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc 848 @mkdir -p $(dir $@) 849 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $< 850 $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@ 851 852file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp 853$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) 854 @mkdir -p $(dir $@) 855 $(hide) m4 -s $^ > $@ 856 857$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 858$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc 859 @mkdir -p $(dir $@) 860 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< 861 $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< 862 863built_fc := $(LOCAL_BUILT_MODULE) 864local_fc_files := 865local_fcfiles_with_nl := 866device_fc_files := 867device_fcfiles_with_nl := 868file_contexts.concat.tmp := 869file_contexts.device.sorted.tmp := 870file_contexts.device.tmp := 871file_contexts.local.tmp := 872 873################################## 874ifneq ($(TARGET_BUILD_VARIANT), user) 875include $(CLEAR_VARS) 876 877LOCAL_MODULE := selinux_denial_metadata 878LOCAL_MODULE_CLASS := ETC 879LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 880 881include $(BUILD_SYSTEM)/base_rules.mk 882 883bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY)) 884 885$(LOCAL_BUILT_MODULE) : $(bug_files) 886 @mkdir -p $(dir $@) 887 cat $^ > $@ 888 889bug_files := 890endif 891################################## 892include $(CLEAR_VARS) 893 894LOCAL_MODULE := plat_file_contexts 895LOCAL_MODULE_CLASS := ETC 896LOCAL_MODULE_TAGS := optional 897ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 898LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 899else 900LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 901endif 902 903include $(BUILD_SYSTEM)/base_rules.mk 904 905local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY)) 906ifneq ($(filter address,$(SANITIZE_TARGET)),) 907 local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY))) 908endif 909local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl)) 910 911$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl) 912$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 913$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort 914$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \ 915$(local_fcfiles_with_nl) $(built_sepolicy) 916 @mkdir -p $(dir $@) 917 $(hide) m4 -s $(PRIVATE_FC_FILES) > $@.tmp 918 $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp 919 $(hide) $(PRIVATE_FC_SORT) $@.tmp $@ 920 921built_plat_fc := $(LOCAL_BUILT_MODULE) 922local_fc_files := 923local_fcfiles_with_nl := 924 925################################## 926include $(CLEAR_VARS) 927 928LOCAL_MODULE := vendor_file_contexts 929LOCAL_MODULE_CLASS := ETC 930LOCAL_MODULE_TAGS := optional 931ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 932LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 933else 934LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 935endif 936 937include $(BUILD_SYSTEM)/base_rules.mk 938 939vendor_fc_files := $(call build_vendor_policy, file_contexts) 940vendor_fcfiles_with_nl := $(call add_nl, $(vendor_fc_files), $(built_nl)) 941 942$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(vendor_fcfiles_with_nl) 943$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 944$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort 945$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \ 946$(vendor_fcfiles_with_nl) $(built_sepolicy) 947 @mkdir -p $(dir $@) 948 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp 949 $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp 950 $(hide) $(PRIVATE_FC_SORT) $@.tmp $@ 951 952built_vendor_fc := $(LOCAL_BUILT_MODULE) 953vendor_fc_files := 954vendor_fcfiles_with_nl := 955 956################################## 957include $(CLEAR_VARS) 958 959LOCAL_MODULE := odm_file_contexts 960LOCAL_MODULE_CLASS := ETC 961LOCAL_MODULE_TAGS := optional 962LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 963 964include $(BUILD_SYSTEM)/base_rules.mk 965 966odm_fc_files := $(call build_odm_policy, file_contexts) 967odm_fcfiles_with_nl := $(call add_nl, $(odm_fc_files), $(built_nl)) 968 969$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(odm_fcfiles_with_nl) 970$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 971$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort 972$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \ 973$(odm_fcfiles_with_nl) $(built_sepolicy) 974 @mkdir -p $(dir $@) 975 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp 976 $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp 977 $(hide) $(PRIVATE_FC_SORT) $@.tmp $@ 978 979built_odm_fc := $(LOCAL_BUILT_MODULE) 980odm_fc_files := 981odm_fcfiles_with_nl := 982 983################################## 984include $(CLEAR_VARS) 985 986LOCAL_MODULE := plat_file_contexts.recovery 987LOCAL_MODULE_STEM := plat_file_contexts 988LOCAL_MODULE_CLASS := ETC 989LOCAL_MODULE_TAGS := optional 990LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 991 992include $(BUILD_SYSTEM)/base_rules.mk 993 994$(LOCAL_BUILT_MODULE): $(built_plat_fc) 995 $(hide) cp -f $< $@ 996 997################################## 998include $(CLEAR_VARS) 999LOCAL_MODULE := vendor_file_contexts.recovery 1000LOCAL_MODULE_STEM := vendor_file_contexts 1001LOCAL_MODULE_CLASS := ETC 1002LOCAL_MODULE_TAGS := optional 1003LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1004 1005include $(BUILD_SYSTEM)/base_rules.mk 1006 1007$(LOCAL_BUILT_MODULE): $(built_vendor_fc) 1008 $(hide) cp -f $< $@ 1009 1010################################## 1011include $(CLEAR_VARS) 1012LOCAL_MODULE := odm_file_contexts.recovery 1013LOCAL_MODULE_STEM := odm_file_contexts 1014LOCAL_MODULE_CLASS := ETC 1015LOCAL_MODULE_TAGS := optional 1016LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1017 1018include $(BUILD_SYSTEM)/base_rules.mk 1019 1020$(LOCAL_BUILT_MODULE): $(built_odm_fc) 1021 $(hide) cp -f $< $@ 1022 1023################################## 1024include $(CLEAR_VARS) 1025LOCAL_MODULE := plat_seapp_contexts 1026LOCAL_MODULE_CLASS := ETC 1027LOCAL_MODULE_TAGS := optional 1028ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1029LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 1030else 1031LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1032endif 1033 1034include $(BUILD_SYSTEM)/base_rules.mk 1035 1036plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY)) 1037 1038$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1039$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files) 1040$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp 1041 @mkdir -p $(dir $@) 1042 $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) 1043 1044built_plat_sc := $(LOCAL_BUILT_MODULE) 1045plat_sc_files := 1046 1047################################## 1048include $(CLEAR_VARS) 1049LOCAL_MODULE := vendor_seapp_contexts 1050LOCAL_MODULE_CLASS := ETC 1051LOCAL_MODULE_TAGS := optional 1052ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1053LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1054else 1055LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1056endif 1057 1058include $(BUILD_SYSTEM)/base_rules.mk 1059 1060vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1061plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY)) 1062 1063$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1064$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files) 1065$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files) 1066$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files) 1067 @mkdir -p $(dir $@) 1068 $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp 1069 $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp 1070 1071built_vendor_sc := $(LOCAL_BUILT_MODULE) 1072vendor_sc_files := 1073 1074################################## 1075include $(CLEAR_VARS) 1076LOCAL_MODULE := odm_seapp_contexts 1077LOCAL_MODULE_CLASS := ETC 1078LOCAL_MODULE_TAGS := optional 1079LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1080 1081include $(BUILD_SYSTEM)/base_rules.mk 1082 1083odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS)) 1084plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY)) 1085 1086$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1087$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files) 1088$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files) 1089$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(odm_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files) 1090 @mkdir -p $(dir $@) 1091 $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp 1092 $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp 1093 1094built_odm_sc := $(LOCAL_BUILT_MODULE) 1095odm_sc_files := 1096 1097################################## 1098include $(CLEAR_VARS) 1099LOCAL_MODULE := plat_seapp_neverallows 1100LOCAL_MODULE_CLASS := ETC 1101LOCAL_MODULE_TAGS := tests 1102 1103include $(BUILD_SYSTEM)/base_rules.mk 1104 1105$(LOCAL_BUILT_MODULE): $(plat_sc_neverallow_files) 1106 @mkdir -p $(dir $@) 1107 - $(hide) grep -ihe '^neverallow' $< > $@ 1108 1109plat_sc_neverallow_files := 1110 1111################################## 1112include $(CLEAR_VARS) 1113 1114LOCAL_MODULE := plat_property_contexts 1115LOCAL_MODULE_CLASS := ETC 1116LOCAL_MODULE_TAGS := optional 1117 1118ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1119LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 1120else 1121LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1122endif 1123 1124include $(BUILD_SYSTEM)/base_rules.mk 1125 1126plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY)) 1127ifeq ($(PRODUCT_COMPATIBLE_PROPERTY),true) 1128plat_pcfiles += $(LOCAL_PATH)/public/property_contexts 1129endif 1130 1131plat_property_contexts.tmp := $(intermediates)/plat_property_contexts.tmp 1132$(plat_property_contexts.tmp): PRIVATE_PC_FILES := $(plat_pcfiles) 1133$(plat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1134$(plat_property_contexts.tmp): $(plat_pcfiles) 1135 @mkdir -p $(dir $@) 1136 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@ 1137$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1138$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker 1139 @mkdir -p $(dir $@) 1140 $(hide) cp -f $< $@ 1141 $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $@ 1142 1143built_plat_pc := $(LOCAL_BUILT_MODULE) 1144plat_pcfiles := 1145plat_property_contexts.tmp := 1146 1147################################## 1148include $(CLEAR_VARS) 1149LOCAL_MODULE := vendor_property_contexts 1150LOCAL_MODULE_CLASS := ETC 1151LOCAL_MODULE_TAGS := optional 1152 1153ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1154LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1155else 1156LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1157endif 1158 1159include $(BUILD_SYSTEM)/base_rules.mk 1160 1161vendor_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1162 1163vendor_property_contexts.tmp := $(intermediates)/vendor_property_contexts.tmp 1164$(vendor_property_contexts.tmp): PRIVATE_PC_FILES := $(vendor_pcfiles) 1165$(vendor_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1166$(vendor_property_contexts.tmp): $(vendor_pcfiles) 1167 @mkdir -p $(dir $@) 1168 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@ 1169 1170$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1171$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc) 1172$(LOCAL_BUILT_MODULE): $(vendor_property_contexts.tmp) $(built_sepolicy) $(built_plat_pc) $(HOST_OUT_EXECUTABLES)/property_info_checker 1173 @mkdir -p $(dir $@) 1174 $(hide) cp -f $< $@ 1175 $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $(PRIVATE_BUILT_PLAT_PC) $@ 1176 1177built_vendor_pc := $(LOCAL_BUILT_MODULE) 1178vendor_pcfiles := 1179vendor_property_contexts.tmp := 1180 1181################################## 1182include $(CLEAR_VARS) 1183LOCAL_MODULE := odm_property_contexts 1184LOCAL_MODULE_CLASS := ETC 1185LOCAL_MODULE_TAGS := optional 1186LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1187 1188include $(BUILD_SYSTEM)/base_rules.mk 1189 1190odm_pcfiles := $(call build_policy, property_contexts, $(BOARD_ODM_SEPOLICY_DIRS)) 1191 1192odm_property_contexts.tmp := $(intermediates)/odm_property_contexts.tmp 1193$(odm_property_contexts.tmp): PRIVATE_PC_FILES := $(odm_pcfiles) 1194$(odm_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1195$(odm_property_contexts.tmp): $(odm_pcfiles) 1196 @mkdir -p $(dir $@) 1197 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@ 1198 1199 1200$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1201$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc) 1202$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_VENDOR_PC := $(built_vendor_pc) 1203$(LOCAL_BUILT_MODULE): $(odm_property_contexts.tmp) $(built_sepolicy) $(built_plat_pc) $(built_vendor_pc) $(HOST_OUT_EXECUTABLES)/property_info_checker 1204 @mkdir -p $(dir $@) 1205 $(hide) cp -f $< $@ 1206 $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $(PRIVATE_BUILT_PLAT_PC) $(PRIVATE_BUILT_VENDOR_PC) $@ 1207 1208built_odm_pc := $(LOCAL_BUILT_MODULE) 1209odm_pcfiles := 1210odm_property_contexts.tmp := 1211 1212################################## 1213include $(CLEAR_VARS) 1214 1215LOCAL_MODULE := plat_property_contexts.recovery 1216LOCAL_MODULE_STEM := plat_property_contexts 1217LOCAL_MODULE_CLASS := ETC 1218LOCAL_MODULE_TAGS := optional 1219LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1220 1221include $(BUILD_SYSTEM)/base_rules.mk 1222 1223$(LOCAL_BUILT_MODULE): $(built_plat_pc) 1224 $(hide) cp -f $< $@ 1225 1226################################## 1227include $(CLEAR_VARS) 1228LOCAL_MODULE := vendor_property_contexts.recovery 1229LOCAL_MODULE_STEM := vendor_property_contexts 1230LOCAL_MODULE_CLASS := ETC 1231LOCAL_MODULE_TAGS := optional 1232LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1233 1234include $(BUILD_SYSTEM)/base_rules.mk 1235 1236$(LOCAL_BUILT_MODULE): $(built_vendor_pc) 1237 $(hide) cp -f $< $@ 1238 1239################################## 1240include $(CLEAR_VARS) 1241LOCAL_MODULE := odm_property_contexts.recovery 1242LOCAL_MODULE_STEM := odm_property_contexts 1243LOCAL_MODULE_CLASS := ETC 1244LOCAL_MODULE_TAGS := optional 1245LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT) 1246 1247include $(BUILD_SYSTEM)/base_rules.mk 1248 1249$(LOCAL_BUILT_MODULE): $(built_odm_pc) 1250 $(hide) cp -f $< $@ 1251 1252################################## 1253include $(CLEAR_VARS) 1254 1255LOCAL_MODULE := plat_service_contexts 1256LOCAL_MODULE_CLASS := ETC 1257LOCAL_MODULE_TAGS := optional 1258ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1259LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 1260else 1261LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1262endif 1263 1264include $(BUILD_SYSTEM)/base_rules.mk 1265 1266plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY)) 1267 1268plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp 1269$(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles) 1270$(plat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1271$(plat_service_contexts.tmp): $(plat_svcfiles) 1272 @mkdir -p $(dir $@) 1273 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1274 1275$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1276$(LOCAL_BUILT_MODULE): $(plat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1277 @mkdir -p $(dir $@) 1278 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1279 $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@ 1280 1281built_plat_svc := $(LOCAL_BUILT_MODULE) 1282plat_svcfiles := 1283plat_service_contexts.tmp := 1284 1285################################## 1286# nonplat_service_contexts is only allowed on non-full-treble devices 1287ifneq ($(PRODUCT_SEPOLICY_SPLIT),true) 1288 1289include $(CLEAR_VARS) 1290 1291LOCAL_MODULE := vendor_service_contexts 1292LOCAL_MODULE_CLASS := ETC 1293LOCAL_MODULE_TAGS := optional 1294LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1295 1296include $(BUILD_SYSTEM)/base_rules.mk 1297 1298vendor_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1299 1300vendor_service_contexts.tmp := $(intermediates)/vendor_service_contexts.tmp 1301$(vendor_service_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_svcfiles) 1302$(vendor_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1303$(vendor_service_contexts.tmp): $(vendor_svcfiles) 1304 @mkdir -p $(dir $@) 1305 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1306 1307$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1308$(LOCAL_BUILT_MODULE): $(vendor_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1309 @mkdir -p $(dir $@) 1310 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1311 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@ 1312 1313built_vendor_svc := $(LOCAL_BUILT_MODULE) 1314vendor_svcfiles := 1315vendor_service_contexts.tmp := 1316 1317endif 1318 1319################################## 1320include $(CLEAR_VARS) 1321 1322LOCAL_MODULE := plat_hwservice_contexts 1323LOCAL_MODULE_CLASS := ETC 1324LOCAL_MODULE_TAGS := optional 1325ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1326LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 1327else 1328LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1329endif 1330 1331include $(BUILD_SYSTEM)/base_rules.mk 1332 1333plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY)) 1334 1335plat_hwservice_contexts.tmp := $(intermediates)/plat_hwservice_contexts.tmp 1336$(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles) 1337$(plat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1338$(plat_hwservice_contexts.tmp): $(plat_hwsvcfiles) 1339 @mkdir -p $(dir $@) 1340 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1341 1342$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1343$(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1344 @mkdir -p $(dir $@) 1345 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1346 $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@ 1347 1348plat_hwsvcfiles := 1349plat_hwservice_contexts.tmp := 1350 1351################################## 1352include $(CLEAR_VARS) 1353 1354LOCAL_MODULE := vendor_hwservice_contexts 1355LOCAL_MODULE_CLASS := ETC 1356LOCAL_MODULE_TAGS := optional 1357ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1358LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1359else 1360LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1361endif 1362 1363include $(BUILD_SYSTEM)/base_rules.mk 1364 1365vendor_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1366 1367vendor_hwservice_contexts.tmp := $(intermediates)/vendor_hwservice_contexts.tmp 1368$(vendor_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_hwsvcfiles) 1369$(vendor_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1370$(vendor_hwservice_contexts.tmp): $(vendor_hwsvcfiles) 1371 @mkdir -p $(dir $@) 1372 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1373 1374$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1375$(LOCAL_BUILT_MODULE): $(vendor_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1376 @mkdir -p $(dir $@) 1377 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1378 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@ 1379 1380vendor_hwsvcfiles := 1381vendor_hwservice_contexts.tmp := 1382 1383################################## 1384include $(CLEAR_VARS) 1385 1386LOCAL_MODULE := odm_hwservice_contexts 1387LOCAL_MODULE_CLASS := ETC 1388LOCAL_MODULE_TAGS := optional 1389LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1390 1391include $(BUILD_SYSTEM)/base_rules.mk 1392 1393odm_hwsvcfiles := $(call build_policy, hwservice_contexts, $(BOARD_ODM_SEPOLICY_DIRS)) 1394 1395odm_hwservice_contexts.tmp := $(intermediates)/odm_hwservice_contexts.tmp 1396$(odm_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(odm_hwsvcfiles) 1397$(odm_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1398$(odm_hwservice_contexts.tmp): $(odm_hwsvcfiles) 1399 @mkdir -p $(dir $@) 1400 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1401 1402$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1403$(LOCAL_BUILT_MODULE): $(odm_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1404 @mkdir -p $(dir $@) 1405 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1406 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@ 1407 1408odm_hwsvcfiles := 1409odm_hwservice_contexts.tmp := 1410 1411################################## 1412include $(CLEAR_VARS) 1413 1414LOCAL_MODULE := vndservice_contexts 1415LOCAL_MODULE_CLASS := ETC 1416LOCAL_MODULE_TAGS := optional 1417ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1418LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1419else 1420LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) 1421endif 1422 1423include $(BUILD_SYSTEM)/base_rules.mk 1424 1425vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1426 1427vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp 1428$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles) 1429$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1430$(vndservice_contexts.tmp): $(vnd_svcfiles) 1431 @mkdir -p $(dir $@) 1432 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ 1433 1434$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) 1435$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) 1436 @mkdir -p $(dir $@) 1437 sed -e 's/#.*$$//' -e '/^$$/d' $< > $@ 1438 $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@ 1439 1440vnd_svcfiles := 1441vndservice_contexts.tmp := 1442################################## 1443include $(CLEAR_VARS) 1444 1445LOCAL_MODULE := plat_mac_permissions.xml 1446LOCAL_MODULE_CLASS := ETC 1447LOCAL_MODULE_TAGS := optional 1448LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux 1449 1450include $(BUILD_SYSTEM)/base_rules.mk 1451 1452# Build keys.conf 1453plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp 1454$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1455$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY)) 1456 @mkdir -p $(dir $@) 1457 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ 1458 1459all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY)) 1460 1461# Should be synced with keys.conf. 1462all_plat_keys := platform media shared testkey 1463all_plat_keys := $(all_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem) 1464 1465$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files) 1466$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \ 1467$(all_plat_mac_perms_files) $(all_plat_keys) 1468 @mkdir -p $(dir $@) 1469 $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \ 1470 $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES) 1471 1472all_mac_perms_files := 1473all_plat_keys := 1474plat_mac_perms_keys.tmp := 1475 1476################################## 1477include $(CLEAR_VARS) 1478 1479LOCAL_MODULE := vendor_mac_permissions.xml 1480LOCAL_MODULE_CLASS := ETC 1481LOCAL_MODULE_TAGS := optional 1482LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux 1483 1484include $(BUILD_SYSTEM)/base_rules.mk 1485 1486# Build keys.conf 1487vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp 1488$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1489$(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1490 @mkdir -p $(dir $@) 1491 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ 1492 1493all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1494 1495$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files) 1496$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \ 1497$(all_vendor_mac_perms_files) 1498 @mkdir -p $(dir $@) 1499 $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES) 1500 1501vendor_mac_perms_keys.tmp := 1502all_vendor_mac_perms_files := 1503 1504################################## 1505include $(CLEAR_VARS) 1506 1507LOCAL_MODULE := odm_mac_permissions.xml 1508LOCAL_MODULE_CLASS := ETC 1509LOCAL_MODULE_TAGS := optional 1510LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux 1511 1512include $(BUILD_SYSTEM)/base_rules.mk 1513 1514# Build keys.conf 1515odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp 1516$(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1517$(odm_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1518 @mkdir -p $(dir $@) 1519 $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ 1520 1521all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY)) 1522 1523$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files) 1524$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \ 1525$(all_odm_mac_perms_files) 1526 @mkdir -p $(dir $@) 1527 $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES) 1528 1529odm_mac_perms_keys.tmp := 1530all_odm_mac_perms_files := 1531 1532################################# 1533include $(CLEAR_VARS) 1534LOCAL_MODULE := sepolicy_tests 1535LOCAL_MODULE_CLASS := ETC 1536LOCAL_MODULE_TAGS := tests 1537 1538include $(BUILD_SYSTEM)/base_rules.mk 1539 1540all_fc_files := $(built_plat_fc) $(built_vendor_fc) 1541ifdef BOARD_ODM_SEPOLICY_DIRS 1542all_fc_files += $(built_odm_fc) 1543endif 1544all_fc_args := $(foreach file, $(all_fc_files), -f $(file)) 1545 1546sepolicy_tests := $(intermediates)/sepolicy_tests 1547$(sepolicy_tests): ALL_FC_ARGS := $(all_fc_args) 1548$(sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy) 1549$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy) 1550 @mkdir -p $(dir $@) 1551 $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \ 1552 $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY) 1553 $(hide) touch $@ 1554 1555################################## 1556ifeq ($(PRODUCT_SEPOLICY_SPLIT),true) 1557 1558intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,) 1559 1560# plat_sepolicy - the current platform policy only, built into a policy binary. 1561# TODO - this currently excludes partner extensions, but support should be added 1562# to enable partners to add their own compatibility mapping 1563BASE_PLAT_PUBLIC_POLICY := $(filter-out $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR), $(PLAT_PUBLIC_POLICY)) 1564BASE_PLAT_PRIVATE_POLICY := $(filter-out $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR), $(PLAT_PRIVATE_POLICY)) 1565base_plat_policy.conf := $(intermediates)/base_plat_policy.conf 1566$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) 1567$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) 1568$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user 1569$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) 1570$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) 1571$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) 1572$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true 1573$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) 1574$(base_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \ 1575$(BASE_PLAT_PUBLIC_POLICY) $(BASE_PLAT_PRIVATE_POLICY)) 1576 $(transform-policy-to-conf) 1577 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit 1578 1579built_plat_sepolicy := $(intermediates)/built_plat_sepolicy 1580$(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \ 1581 $(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY)) 1582$(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) 1583$(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ 1584$(HOST_OUT_EXECUTABLES)/secilc \ 1585$(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY)) \ 1586$(built_sepolicy_neverallows) 1587 @mkdir -p $(dir $@) 1588 $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ 1589 $(POLICYVERS) -o $@ $< 1590 $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@ 1591 $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null 1592 1593all_fc_files := $(built_plat_fc) $(built_vendor_fc) 1594ifdef BOARD_ODM_SEPOLICY_DIRS 1595all_fc_files += $(built_odm_fc) 1596endif 1597all_fc_args := $(foreach file, $(all_fc_files), -f $(file)) 1598 1599# Tests for Treble compatibility of current platform policy and vendor policy of 1600# given release version. 1601version_under_treble_tests := 26.0 1602include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1603 1604version_under_treble_tests := 27.0 1605include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk 1606 1607BASE_PLAT_PUBLIC_POLICY := 1608BASE_PLAT_PRIVATE_POLICY := 1609base_plat_policy.conf := 1610plat_sepolicy := 1611 1612endif # ($(PRODUCT_SEPOLICY_SPLIT),true) 1613 1614################################# 1615include $(CLEAR_VARS) 1616LOCAL_MODULE := sepolicy_freeze_test 1617LOCAL_MODULE_CLASS := ETC 1618LOCAL_MODULE_TAGS := tests 1619 1620include $(BUILD_SYSTEM)/base_rules.mk 1621 1622base_plat_public := $(LOCAL_PATH)/public 1623base_plat_private := $(LOCAL_PATH)/private 1624base_plat_public_prebuilt := \ 1625 $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public 1626base_plat_private_prebuilt := \ 1627 $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private 1628 1629all_frozen_files := $(call build_policy,$(sepolicy_build_files), \ 1630$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt)) 1631 1632$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public) 1633$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private) 1634$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt) 1635$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt) 1636$(LOCAL_BUILT_MODULE): $(all_frozen_files) 1637ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 1638 @diff -rq $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC) 1639 @diff -rq $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE) 1640endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION)) 1641 $(hide) touch $@ 1642 1643base_plat_public := 1644base_plat_private := 1645base_plat_public_prebuilt := 1646base_plat_private_prebuilt := 1647all_frozen_files := 1648 1649################################# 1650 1651 1652add_nl := 1653build_vendor_policy := 1654build_odm_policy := 1655build_policy := 1656built_plat_fc := 1657built_vendor_fc := 1658built_odm_fc := 1659built_nl := 1660built_plat_cil := 1661built_plat_pub_vers_cil := 1662built_mapping_cil := 1663built_plat_pc := 1664built_vendor_cil := 1665built_vendor_pc := 1666built_vendor_sc := 1667built_odm_cil := 1668built_odm_pc := 1669built_odm_sc := 1670built_plat_sc := 1671built_precompiled_sepolicy := 1672built_sepolicy := 1673built_sepolicy_neverallows := 1674built_plat_svc := 1675built_vendor_svc := 1676built_plat_sepolicy := 1677mapping_policy := 1678my_target_arch := 1679plat_pub_policy.cil := 1680reqd_policy_mask.cil := 1681sepolicy_build_files := 1682sepolicy_build_cil_workaround_files := 1683with_asan := 1684 1685include $(call all-makefiles-under,$(LOCAL_PATH)) 1686