Add sepolicy definitions.mk and create policy.conf function.

Bug: 36899958 Test: Builds 'n' boots. Change-Id: I5836a18f9d0a9a976dda7304045e3b9e1e84565e Merged-In: I5836a18f9d0a9a976dda7304045e3b9e1e84565e (cherry picked from commit c0713e86)

Add sepolicy definitions.mk and create policy.conf function.
36ee91d4 · Dan Cashman · Bowgo Tsai · 99cbe530 · 36ee91d4 · 36ee91d4
Commit 36ee91d4 authored 7 years ago by Dan Cashman Committed by Bowgo Tsai 7 years ago
--- a/Android.mk
+++ b/Android.mk
 LOCAL_PATH:= $(call my-dir)
+include $(LOCAL_PATH)/definitions.mk
 # PLATFORM_SEPOLICY_VERSION is a number of the form "NN.m" with "NN" mapping to
 # PLATFORM_SDK_VERSION and "m" as a minor number which allows for SELinux
 # changes independent of PLATFORM_SDK_VERSION.  This value will be set to
@@ -47,6 +49,8 @@ endif
 ifdef BOARD_SEPOLICY_M4DEFS
 LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
+else
+LOCAL_ADDITIONAL_M4DEFS :=
 endif
 # sepolicy is now divided into multiple portions:
@@ -233,17 +237,9 @@ $(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(reqd_policy_mask.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
 $(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
-	@mkdir -p $(dir $@)
+	$(transform-policy-to-conf)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-		-s $^ > $@
 # b/37755687
 CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
@@ -267,18 +263,10 @@ $(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_pub_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
 $(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-	@mkdir -p $(dir $@)
+	$(transform-policy-to-conf)
-	 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-		-s $^ > $@
 plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
 $(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
 $(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
@@ -323,17 +311,10 @@ $(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
 $(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-	@mkdir -p $(dir $@)
+	$(transform-policy-to-conf)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 $(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
@@ -435,17 +416,10 @@ $(nonplat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
 $(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
-	@mkdir -p $(dir $@)
+	$(transform-policy-to-conf)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 nonplat_policy_raw := $(intermediates)/nonplat_policy_raw.cil
@@ -561,18 +535,11 @@ $(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
 $(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
                           $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
                           $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
-	@mkdir -p $(dir $@)
+	$(transform-policy-to-conf)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_recovery=true \
-		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
@@ -607,16 +574,11 @@ include $(BUILD_SYSTEM)/base_rules.mk
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
+$(LOCAL_BUILT_MODULE): PRIVATE_FULL_TREBLE := cts
 $(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-	mkdir -p $(dir $@)
+	$(transform-policy-to-conf)
-	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=user \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=false \
-		-D target_full_treble=cts \
-		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 ##################################

--- a/definitions.mk
+++ b/definitions.mk
+# Command to turn collection of policy files into a policy.conf file to be
+# processed by checkpolicy
+define transform-policy-to-conf
+@mkdir -p $(dir $@)
+$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+	-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+	-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+	-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+	-D target_arch=$(PRIVATE_TGT_ARCH) \
+	-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+	-D target_full_treble=$(PRIVATE_FULL_TREBLE) \
+	$(PRIVATE_TGT_RECOVERY) \
+	-s $^ > $@
+endef
+.KATI_READONLY := transform-policy-to-conf