Skip to content
Snippets Groups Projects
Select Git revision
  • ebbbe6dd36c69e366fb8fabaff272c2863d4b3dd
  • master default protected
  • android-7.1.2_r28_klist
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
41 results

Android.mk

Blame
    • Alex Klyubin's avatar
      5596172d
      Device-agnostic policy for vendor image · 5596172d
      Alex Klyubin authored 
      Default HAL implementations are built from the platform tree and get
placed into the vendor image. The SELinux rules needed for these HAL
implementations to operate thus need to reside on the vendor
partition.

Up to now, the only place to define such rules in the source tree was
the system/sepolicy/public directory. These rules are placed into the
vendor partition. Unfortunately, they are also placed into the
system/root partition, which thus unnecessarily grants these rules to
all HAL implementations of the specified service, default/in-process
shims or not.

This commit adds a new directory, system/sepolicy/vendor, whose
rules are concatenated with the device-specific rules at build time.
These rules are thus placed into the vendor partition and are not
placed into the system/root partition.

Test: No change to SELinux policy.
Test: Rules placed into vendor directory end up in nonplat* artefacts,
      but not in plat* artefacts.
Bug: 34715716
Change-Id: Iab14aa7a3311ed6d53afff673e5d112428941f1c
      5596172d
      History
      Device-agnostic policy for vendor image
      Alex Klyubin authored 
      Default HAL implementations are built from the platform tree and get
placed into the vendor image. The SELinux rules needed for these HAL
implementations to operate thus need to reside on the vendor
partition.

Up to now, the only place to define such rules in the source tree was
the system/sepolicy/public directory. These rules are placed into the
vendor partition. Unfortunately, they are also placed into the
system/root partition, which thus unnecessarily grants these rules to
all HAL implementations of the specified service, default/in-process
shims or not.

This commit adds a new directory, system/sepolicy/vendor, whose
rules are concatenated with the device-specific rules at build time.
These rules are thus placed into the vendor partition and are not
placed into the system/root partition.

Test: No change to SELinux policy.
Test: Rules placed into vendor directory end up in nonplat* artefacts,
      but not in plat* artefacts.
Bug: 34715716
Change-Id: Iab14aa7a3311ed6d53afff673e5d112428941f1c
    Android.mk 38.14 KiB 
    LOCAL_PATH:= $(call my-dir)

include $(CLEAR_VARS)

# SELinux policy version.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
POLICYVERS ?= 30

MLS_SENS=1
MLS_CATS=1024

ifdef BOARD_SEPOLICY_REPLACE
$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
endif

ifdef BOARD_SEPOLICY_IGNORE
$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
endif

ifdef BOARD_SEPOLICY_UNION
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif

ifdef BOARD_SEPOLICY_M4DEFS
LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
endif

# sepolicy is now divided into multiple portions:
# public - policy exported on which non-platform policy developers may write
#   additional policy.  types and attributes are versioned and included in
#   delivered non-platform policy, which is to be combined with platform policy.
# private - platform-only policy required for platform functionality but which
#  is not exported to vendor policy developers and as such may not be assumed
#  to exist.
# vendor - vendor-only policy required for vendor functionality. This policy can
#  reference the public policy but cannot reference the private policy. This
#  policy is for components which are produced from the core/non-vendor tree and
#  placed into a vendor partition.
# mapping - This contains policy statements which map the attributes
#  exposed in the public policy of previous versions to the concrete types used
#  in this policy to ensure that policy targeting attributes from public
#  policy from an older platform version continues to work.

# build process for device:
# 1) convert policies to CIL:
#    - private + public platform policy to CIL
#    - mapping file to CIL (should already be in CIL form)
#    - non-platform public policy to CIL
#    - non-platform public + private policy to CIL
# 2) attributize policy
#    - run script which takes non-platform public and non-platform combined
#      private + public policy and produces attributized and versioned
#      non-platform policy
# 3) combine policy files
#    - combine mapping, platform and non-platform policy.
#    - compile output binary policy file

PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask

# TODO: move to README when doing the README update and finalizing versioning.
# BOARD_SEPOLICY_VERS should contain the platform version identifier
#  corresponding to the platform on which the non-platform policy is to be
#  based.  If unspecified, this will build against the current public platform
#  policy in tree.
# BOARD_SEPOLICY_VERS_DIR should contain the public platform policy which
#  is associated with the given BOARD_SEPOLICY_VERS.  The policy therein will be