author | Bowgo Tsai | 2017-11-26 21:41:33 -0600 |
---|---|---|
committer | Bowgo Tsai | 2018-03-16 02:44:23 -0500 |
commit | 45457e3a2b26b8c5d4a13b694e9d781ec4438b04 (patch) | |
tree | 40a3a9d70031efc3697bd7909be332821733f244 /Android.mk | |
parent | 4eb10d809ab4294da21e41199df3eb943fc1bd75 (diff) | |
download | system-sepolicy-45457e3a2b26b8c5d4a13b694e9d781ec4438b04.tar.gz system-sepolicy-45457e3a2b26b8c5d4a13b694e9d781ec4438b04.tar.xz system-sepolicy-45457e3a2b26b8c5d4a13b694e9d781ec4438b04.zip |
Add /odm/etc/selinux/odm_sepolicy.cil
This change adds support for odm sepolicy customization, which can
be configured through the newly added build variable:
- BOARD_ODM_SEPOLICY_DIRS += device/${ODM_NAME}/${BOM_NAME}/sepolicy
Also moving precompiled sepolicy to /odm when BOARD_ODM_SEPOLICY_DIRS
is set. On a DUT, precompiled sepolicy on /odm will override the one in
/vendor. This is intentional because /odm is the hardware customization
for /vendor and both should be updated together if desired.
Bug: 64240127
Test: boot a device with /odm partition
Change-Id: Ia8f81a78c88cbfefb3ff19e2ccd2648da6284d09
Diffstat (limited to 'Android.mk')
-rw-r--r-- | Android.mk | 89 |
1 files changed, 84 insertions, 5 deletions
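--- a/Android.mk
+++ b/Android.mk
@@ -100,14 +100,20 @@ $(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
 NEVERALLOW_ARG := -N
 endif
 
-# BOARD_SEPOLICY_DIRS was used for vendor sepolicy customization before.
-# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS. BOARD_SEPOLICY_DIRS is
-# still allowed for backward compatibility, which will be merged into
-# BOARD_VENDOR_SEPOLICY_DIRS.
+# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
+# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and
+# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for
+# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS.
 ifdef BOARD_SEPOLICY_DIRS
 BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
 endif
 
+ifdef BOARD_ODM_SEPOLICY_DIRS
+ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
+$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
+endif
+endif
+
 platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
 
 ###########################################################
@@ -242,6 +248,10 @@ LOCAL_REQUIRED_MODULES += \
 endif
 endif
 
+ifdef BOARD_ODM_SEPOLICY_DIRS
+LOCAL_REQUIRED_MODULES += odm_sepolicy.cil
+endif
+
 include $(BUILD_PHONY_PACKAGE)
 
 #################################
@@ -554,11 +564,65 @@ vendor_policy.conf :=
 #################################
 include $(CLEAR_VARS)
 
+# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
+# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+# policy and the platform public policy files in order to use checkpolicy.
+LOCAL_MODULE := odm_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_policy.conf := $(intermediates)/odm_policy.conf
+$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(odm_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
+$(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+$(transform-policy-to-conf)
+$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) \
+$(built_mapping_cil) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_pub_vers_cil) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
+$(odm_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \
+$(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) $(built_vendor_cil)
+@mkdir -p $(dir $@)
+$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
+-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
+-b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \
+-t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
+
+built_odm_cil := $(LOCAL_BUILT_MODULE)
+odm_policy.conf :=
+odm_policy_raw :=
+
+#################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := precompiled_sepolicy
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_PROPRIETARY_MODULE := true
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -568,6 +632,10 @@ all_cil_files := \
 $(built_plat_pub_vers_cil) \
 $(built_vendor_cil)
 
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
+
 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
 $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
@@ -586,7 +654,12 @@ LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_PROPRIETARY_MODULE := true
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -611,6 +684,10 @@ all_cil_files := \
 $(built_plat_pub_vers_cil) \
 $(built_vendor_cil)
 
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
+
 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
 $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
@@ -654,7 +731,8 @@ $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEF
 $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
 $(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
-$(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+$(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
+$(BOARD_ODM_SEPOLICY_DIRS))
 $(transform-policy-to-conf)
 $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
@@ -1365,6 +1443,7 @@ built_plat_pc :=
 built_vendor_cil :=
 built_vendor_pc :=
 built_vendor_sc :=
+built_odm_cil :=
 built_plat_sc :=
 built_precompiled_sepolicy :=
 built_sepolicy :=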
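Review bot: The move of precompiled_sepolicy and its .sha256 to /odm is keyed on BOARD_USES_ODMIMAGE (the ifeq blocks at new lines 621 and 658), whereas the commit message says it happens when BOARD_ODM_SEPOLICY_DIRS is set, and the parse-time guard at new line 111 only requires PRODUCT_SEPOLICY_SPLIT, so the two knobs can diverge without any error. With BOARD_ODM_SEPOLICY_DIRS set but BOARD_USES_ODMIMAGE unset, odm_sepolicy.cil still installs under $(TARGET_OUT_ODM)/etc/selinux (new line 574) while the precompiled policy and its hash stay on /vendor; presumably init copes with that layout, but nothing here shows it. Since the description states the /odm copy takes precedence over /vendor at boot and the hash module covering it is named precompiled_sepolicy.plat_and_mapping.sha256, a vendor-only update would not be caught by that hash, which is exactly the "update together" expectation the description mentions and which deserves a comment in the file rather than only in the commit message. I would either extend the guard with `ifneq ($(BOARD_USES_ODMIMAGE),true)` / `$(error BOARD_USES_ODMIMAGE needs to be true when using BOARD_ODM_SEPOLICY_DIRS)` / `endif`, or add above the ifeq at new line 621 `# When an odm image is built, the precompiled policy and its hash live on /odm and take precedence over /vendor; /odm and /vendor must be updated together.` Separately, `odm_policy_raw :=` at new line 611 clears a variable that nothing in this hunk assigns and looks like a copy-paste leftover.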