# Directory of this makefile; the rules below look up the base policy sources here.
LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

# SELinux policy version handed to checkpolicy via -c.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
# ?= only assigns when POLICYVERS is not already set, so an earlier definition wins.
POLICYVERS ?= 30

# MLS sensitivity and category counts; passed to m4 as mls_num_sens / mls_num_cats.
MLS_SENS = 1
MLS_CATS = 1024

# Hard failure for retired board variables: $(error) aborts makefile parsing as
# soon as either one is set to a non-empty value.
# NOTE(review): judging by the names, these let a device tree replace or drop base
# policy files; confirm against the removed implementation.
ifdef BOARD_SEPOLICY_REPLACE
$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
endif

ifdef BOARD_SEPOLICY_IGNORE
$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
endif

# Soft deprecation: $(warning) prints the message and parsing continues.
# Unioning is now implicit for every file found in BOARD_SEPOLICY_DIRS.
ifdef BOARD_SEPOLICY_UNION
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif

# Resolves policy file names to the source files that actually exist.
# $(1): the set of policy file names to look up (glob patterns such as *.te work)
# Each name is searched for in $(LOCAL_PATH) and then in every directory listed in
# BOARD_SEPOLICY_DIRS. $(wildcard) keeps only paths that exist, so a missing file
# is dropped silently rather than reported.
# Any file with one of these names in a BOARD_SEPOLICY_DIRS directory is merged
# into the build, so those directories need the same review as the base policy.
build_policy = $(foreach policy_name, $(1), $(wildcard $(addsuffix /$(policy_name), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS))))

# Names of the policy sources that make up policy.conf. They are resolved through
# build_policy and the resulting files are handed to m4 in this sequence.
sepolicy_build_files := \
    security_classes \
    initial_sids \
    access_vectors \
    global_macros \
    neverallow_macros \
    mls_macros \
    mls \
    policy_capabilities \
    te_macros \
    attributes \
    *.te \
    roles \
    users \
    initial_sid_contexts \
    fs_use \
    genfs_contexts \
    port_contexts

##################################
include $(CLEAR_VARS)

# Compiled SELinux policy for the device, installed into the root filesystem.
LOCAL_MODULE := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

sepolicy_policy.conf := $(intermediates)/policy.conf

# Step 1: expand the policy sources (base plus BOARD_SEPOLICY_DIRS) with m4 into
# policy.conf. target_build_variant is defined for the policy macros, so the
# expanded policy can differ between build variants.
# A second copy, policy.conf.dontaudit, has every line containing "dontaudit"
# deleted. It is a side product of this recipe, not a declared target.
# NOTE(review): sed filters line by line, so a dontaudit rule spread over several
# lines would lose only its first line; confirm the sources contain none.
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
	@mkdir -p $(@D)
	$(hide) m4 \
		-D mls_num_sens=$(PRIVATE_MLS_SENS) \
		-D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-s $^ > $@
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# Step 2: compile policy.conf with the host-built checkpolicy (-M selects an MLS
# policy, -c pins the policy version). A compile error fails the build.
# The dontaudit-stripped variant is compiled as well and written to the
# intermediates directory as <module name>.dontaudit; only $@ is the module output.
$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(@D)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(<D)/$(@F).dontaudit $<.dontaudit

# Remembered for the context-file modules below, which validate against this policy.
built_sepolicy := $(LOCAL_BUILT_MODULE)
sepolicy_policy.conf :=

##################################
include $(CLEAR_VARS)

# Policy variant built with target_recovery=true. No LOCAL_MODULE_PATH is set here.
LOCAL_MODULE := sepolicy.recovery
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := eng

include $(BUILD_SYSTEM)/base_rules.mk

sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf

# Same source set as the main policy (base plus BOARD_SEPOLICY_DIRS). The only
# extra m4 definition is target_recovery=true, which the policy macros can test.
# Unlike the main policy, no dontaudit-stripped copy is produced.
$(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
	@mkdir -p $(@D)
	$(hide) m4 \
		-D mls_num_sens=$(PRIVATE_MLS_SENS) \
		-D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
		-D target_recovery=true \
		-s $^ > $@

# Compile the expanded recovery policy with the host-built checkpolicy.
$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(@D)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<

built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
sepolicy_policy_recovery.conf :=

##################################
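include $(CLEAR_VARS)

# Expanded base policy, tagged "tests".
LOCAL_MODULE := general_sepolicy.conf
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

# Only sources under $(LOCAL_PATH) are collected; BOARD_SEPOLICY_DIRS is not
# consulted, so device-specific additions never reach this file.
exp_sepolicy_build_files :=\
  $(wildcard $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)))

# target_build_variant is fixed to "user" regardless of the real build variant.
# A copy with every line containing "dontaudit" removed is written next to the
# output as a side product.
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
	@mkdir -p $(@D)
	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
		-D target_build_variant=user \
		-s $^ > $@
	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

# Simple (:=) assignment, matching the other GENERAL_* variables in this file.
# LOCAL_BUILT_MODULE is reassigned by every module defined after this one, so a
# recursive (=) definition would resolve to whichever module was parsed last by
# the time a consumer expands the variable, and point it at the wrong file.
GENERAL_SEPOLICY_POLICY.CONF := $(LOCAL_BUILT_MODULE)

exp_sepolicy_build_files :=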

##################################
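include $(CLEAR_VARS)

# Merged file_contexts, installed into the root filesystem.
LOCAL_MODULE := file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# file_contexts from $(LOCAL_PATH) plus each BOARD_SEPOLICY_DIRS directory that has one.
ALL_FC_FILES := $(call build_policy, file_contexts)

# Recipes are expanded when they run, after every makefile has been parsed. The
# file list and the policy path are therefore captured in PRIVATE_ variables now.
# built_sepolicy is cleared at the end of this file, and a later reassignment of
# ALL_FC_FILES would otherwise make the recipe disagree with the prerequisites.
# checkfc is run on the merged file together with the compiled policy; a non-zero
# exit fails the build.
# NOTE(review): presumably checkfc rejects contexts the policy does not define; confirm.
$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(ALL_FC_FILES)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(ALL_FC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(@D)
	$(hide) m4 -s $(PRIVATE_FC_FILES) > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@

built_fc := $(LOCAL_BUILT_MODULE)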

##################################
include $(CLEAR_VARS)

# Base-only file_contexts, tagged "tests".
LOCAL_MODULE := general_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

# Only $(LOCAL_PATH)/file_contexts is expanded ($< is the first prerequisite);
# BOARD_SEPOLICY_DIRS is not consulted. The result is still checked with checkfc
# against the compiled device policy.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(LOCAL_PATH)/file_contexts $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(@D)
	$(hide) m4 -s $< > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@

GENERAL_FILE_CONTEXTS := $(LOCAL_BUILT_MODULE)

##################################
include $(CLEAR_VARS)
# seapp_contexts as emitted by checkseapp, installed into the root filesystem.
LOCAL_MODULE := seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

seapp_contexts.tmp := $(intermediates)/seapp_contexts.tmp

# Merge seapp_contexts from $(LOCAL_PATH) and BOARD_SEPOLICY_DIRS into one temporary file.
$(seapp_contexts.tmp): $(call build_policy, seapp_contexts)
	@mkdir -p $(@D)
	$(hide) m4 -s $^ > $@

# The installed file is checkseapp's output (-o), produced from the merged input
# with the compiled policy supplied through -p. It is not the raw merge.
# This command is not wrapped in $(hide), unlike the other tool invocations in the file.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(seapp_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkseapp
	@mkdir -p $(@D)
	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<

built_sc := $(LOCAL_BUILT_MODULE)
seapp_contexts.tmp :=

##################################
include $(CLEAR_VARS)
# Base-only seapp_contexts, tagged "tests".
LOCAL_MODULE := general_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

general_seapp_contexts.tmp := $(intermediates)/general_seapp_contexts.tmp

# Only $(LOCAL_PATH)/seapp_contexts is expanded; BOARD_SEPOLICY_DIRS is not consulted.
$(general_seapp_contexts.tmp): $(LOCAL_PATH)/seapp_contexts
	@mkdir -p $(@D)
	$(hide) m4 -s $^ > $@

# checkseapp processes the temporary file with the compiled device policy (-p) and
# writes the module output (-o).
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(general_seapp_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkseapp
	@mkdir -p $(@D)
	$(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<

GENERAL_SEAPP_CONTEXTS := $(LOCAL_BUILT_MODULE)
general_seapp_contexts.tmp :=

##################################
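include $(CLEAR_VARS)

# Merged property_contexts, installed into the root filesystem.
LOCAL_MODULE := property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# property_contexts from $(LOCAL_PATH) plus each BOARD_SEPOLICY_DIRS directory that has one.
ALL_PC_FILES := $(call build_policy, property_contexts)

# Recipes are expanded when they run, after every makefile has been parsed. The
# file list is captured in a PRIVATE_ variable, as the policy path already is, so
# a later reassignment of ALL_PC_FILES cannot make the recipe disagree with the
# prerequisites.
# checkfc -p is run on the merged file together with the compiled policy; a
# non-zero exit fails the build.
$(LOCAL_BUILT_MODULE): PRIVATE_PC_FILES := $(ALL_PC_FILES)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(@D)
	$(hide) m4 -s $(PRIVATE_PC_FILES) > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@

built_pc := $(LOCAL_BUILT_MODULE)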

##################################
include $(CLEAR_VARS)

# Base-only property_contexts, tagged "tests".
LOCAL_MODULE := general_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

# Only $(LOCAL_PATH)/property_contexts is expanded ($< is the first prerequisite);
# BOARD_SEPOLICY_DIRS is not consulted. checkfc -p then checks the result against
# the compiled device policy.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(LOCAL_PATH)/property_contexts $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(@D)
	$(hide) m4 -s $< > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@

GENERAL_PROPERTY_CONTEXTS := $(LOCAL_BUILT_MODULE)

##################################
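include $(CLEAR_VARS)

# Merged service_contexts, installed into the root filesystem.
LOCAL_MODULE := service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# service_contexts from $(LOCAL_PATH) plus each BOARD_SEPOLICY_DIRS directory that has one.
ALL_SVC_FILES := $(call build_policy, service_contexts)

# Recipes are expanded when they run, after every makefile has been parsed. The
# file list is captured in a PRIVATE_ variable, as the policy path already is, so
# a later reassignment of ALL_SVC_FILES cannot make the recipe disagree with the
# prerequisites.
# checkfc -p is run on the merged file together with the compiled policy; a
# non-zero exit fails the build.
$(LOCAL_BUILT_MODULE): PRIVATE_SVC_FILES := $(ALL_SVC_FILES)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(@D)
	$(hide) m4 -s $(PRIVATE_SVC_FILES) > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@

built_svc := $(LOCAL_BUILT_MODULE)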

##################################
include $(CLEAR_VARS)

# Base-only service_contexts, tagged "tests".
LOCAL_MODULE := general_service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

# Only $(LOCAL_PATH)/service_contexts is expanded ($< is the first prerequisite);
# BOARD_SEPOLICY_DIRS is not consulted. checkfc -p then checks the result against
# the compiled device policy.
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(LOCAL_PATH)/service_contexts $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
	@mkdir -p $(@D)
	$(hide) m4 -s $< > $@
	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@

GENERAL_SERVICE_CONTEXTS := $(LOCAL_BUILT_MODULE)

##################################
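include $(CLEAR_VARS)

# mac_permissions.xml generated by insertkeys.py, installed under etc/security.
LOCAL_MODULE := mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security

include $(BUILD_SYSTEM)/base_rules.mk

# Build keys.conf
# keys.conf from $(LOCAL_PATH) and BOARD_SEPOLICY_DIRS is merged into one temporary file.
mac_perms_keys.tmp := $(intermediates)/keys.tmp
$(mac_perms_keys.tmp): $(call build_policy, keys.conf)
	@mkdir -p $(@D)
	$(hide) m4 -s $^ > $@

ALL_MAC_PERMS_FILES := $(call build_policy, $(LOCAL_MODULE))

# Recipes are expanded when they run, after every makefile has been parsed. The
# input list is captured in a PRIVATE_ variable so a later reassignment of
# ALL_MAC_PERMS_FILES cannot make the recipe disagree with the prerequisites.
# insertkeys.py receives the merged keys file ($<), the build variant (-t), the
# tree root (-c) and the mac_permissions.xml inputs. DEFAULT_SYSTEM_DEV_CERTIFICATE
# is exported to it as the directory that holds the default certificate.
# NOTE(review): keys.conf presumably resolves certificate paths through that
# environment variable; confirm that release builds point it at release
# certificates and not at the development test keys.
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(ALL_MAC_PERMS_FILES)
$(LOCAL_BUILT_MODULE): $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(ALL_MAC_PERMS_FILES)
	@mkdir -p $(@D)
	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)

mac_perms_keys.tmp :=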
##################################
include $(CLEAR_VARS)

# Marker file holding the build fingerprint, installed into the root filesystem.
LOCAL_MODULE := selinux_version
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

include $(BUILD_SYSTEM)/base_rules.mk

# Listing every built policy artifact as a prerequisite regenerates the marker
# whenever one of them is rebuilt.
# NOTE(review): the recipe relies on the recipe shell's echo honouring -n, and
# BUILD_FINGERPRINT is unquoted, so it must not contain shell metacharacters; confirm.
$(LOCAL_BUILT_MODULE): \
    $(built_sepolicy) \
    $(built_pc) \
    $(built_fc) \
    $(built_sc) \
    $(built_svc)
	@mkdir -p $(@D)
	$(hide) echo -n $(BUILD_FINGERPRINT) > $@

##################################

# Clear the helper variables defined in this file so they do not leak into
# makefiles parsed afterwards. The built_* paths were already captured at parse
# time by the rules above, in prerequisite lists and PRIVATE_SEPOLICY.
build_policy :=
sepolicy_build_files :=
built_sepolicy :=
built_fc :=
built_pc :=
built_sc :=
built_svc :=

# Continue with the makefiles located under this directory.
include $(call all-makefiles-under,$(LOCAL_PATH))