xref: /aosp_15_r20/system/sepolicy/contexts/Android.bp (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
// Copyright (C) 2021 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// This file contains module definitions for various contexts files.

package {
    // See: http://go/android-license-faq
    // A large-scale change added 'default_applicable_licenses' so that this
    // package imports all of the 'license_kinds' from
    // "system_sepolicy_license", which yields the license kind below:
    //   SPDX-license-identifier-Apache-2.0
    default_applicable_licenses: ["system_sepolicy_license"],
}

// Source-file collectors, one per kind of contexts file. Each module names a
// single file (for example "file_contexts"); the modules further down select
// per-partition slices of it through output tags such as {.plat_private},
// {.system_ext_private}, {.product_private}, {.plat_vendor}, {.vendor},
// {.odm} and {.reqd_mask}.
// NOTE(review): which directories feed each tag is decided by the
// se_build_files module type, not by this file -- confirm there before
// relying on a tag to include or exclude a given policy directory.

// Inputs for the file_contexts modules.
se_build_files {
    name: "file_contexts_files",
    srcs: ["file_contexts"],
}

// Extra file_contexts entries, consumed only under the address_sanitize
// product variable.
se_build_files {
    name: "file_contexts_asan_files",
    srcs: ["file_contexts_asan"],
}

// Extra file_contexts entries, consumed only under the debuggable product
// variable.
se_build_files {
    name: "file_contexts_overlayfs_files",
    srcs: ["file_contexts_overlayfs"],
}

// Inputs for the hwservice_contexts modules.
se_build_files {
    name: "hwservice_contexts_files",
    srcs: ["hwservice_contexts"],
}

// Inputs for the property_contexts modules.
se_build_files {
    name: "property_contexts_files",
    srcs: ["property_contexts"],
}

// Inputs for the service_contexts modules.
se_build_files {
    name: "service_contexts_files",
    srcs: ["service_contexts"],
}

// Inputs for the keystore2_key_contexts modules.
se_build_files {
    name: "keystore2_key_contexts_files",
    srcs: ["keystore2_key_contexts"],
}

// Inputs for the seapp_contexts modules and for the CTS neverallow extract.
se_build_files {
    name: "seapp_contexts_files",
    srcs: ["seapp_contexts"],
}

// Inputs for the vndservice_contexts module.
se_build_files {
    name: "vndservice_contexts_files",
    srcs: ["vndservice_contexts"],
}

// Inputs for the tee_service_contexts modules.
se_build_files {
    name: "tee_service_contexts_files",
    srcs: ["tee_service_contexts"],
}

// file_contexts modules, one per partition. Each has a ".recovery" twin that
// sets recovery: true and uses `stem` so the output keeps the same file name
// as the non-recovery module.

// Platform file_contexts. Two product variables widen the input set:
// address_sanitize appends file_contexts_asan and debuggable appends
// file_contexts_overlayfs. Those entries are therefore only part of the
// labelling rules on builds that set the corresponding variable.
file_contexts {
    name: "plat_file_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":file_contexts_files{.plat_private}"],
    product_variables: {
        address_sanitize: {
            srcs: [":file_contexts_asan_files{.plat_private}"],
        },
        debuggable: {
            srcs: [":file_contexts_overlayfs_files{.plat_private}"],
        },
    },
}

// Recovery twin of plat_file_contexts. The product_variables block is a
// verbatim copy; keep the two in sync so recovery and normal boot label the
// same paths the same way.
file_contexts {
    name: "plat_file_contexts.recovery",
    defaults: ["contexts_flags_defaults"],
    srcs: [":file_contexts_files{.plat_private}"],
    stem: "plat_file_contexts",
    product_variables: {
        address_sanitize: {
            srcs: [":file_contexts_asan_files{.plat_private}"],
        },
        debuggable: {
            srcs: [":file_contexts_overlayfs_files{.plat_private}"],
        },
    },
    recovery: true,
}

// Vendor file_contexts: the {.plat_vendor} slice followed by the {.vendor}
// slice. Only the vendor and odm modules set fc_sort.
// NOTE(review): fc_sort presumably reorders the merged entries; confirm in
// the file_contexts module type, since entry order can decide which rule
// matches a path.
file_contexts {
    name: "vendor_file_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [
        ":file_contexts_files{.plat_vendor}",
        ":file_contexts_files{.vendor}",
    ],
    soc_specific: true,
    fc_sort: true,
}

// Recovery twin of vendor_file_contexts (same srcs, same fc_sort).
file_contexts {
    name: "vendor_file_contexts.recovery",
    defaults: ["contexts_flags_defaults"],
    srcs: [
        ":file_contexts_files{.plat_vendor}",
        ":file_contexts_files{.vendor}",
    ],
    stem: "vendor_file_contexts",
    recovery: true,
    fc_sort: true,
}

// system_ext file_contexts.
file_contexts {
    name: "system_ext_file_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":file_contexts_files{.system_ext_private}"],
    system_ext_specific: true,
}

// Recovery twin of system_ext_file_contexts.
file_contexts {
    name: "system_ext_file_contexts.recovery",
    defaults: ["contexts_flags_defaults"],
    srcs: [":file_contexts_files{.system_ext_private}"],
    stem: "system_ext_file_contexts",
    recovery: true,
}

// product file_contexts.
file_contexts {
    name: "product_file_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":file_contexts_files{.product_private}"],
    product_specific: true,
}

// Recovery twin of product_file_contexts.
file_contexts {
    name: "product_file_contexts.recovery",
    defaults: ["contexts_flags_defaults"],
    srcs: [":file_contexts_files{.product_private}"],
    stem: "product_file_contexts",
    recovery: true,
}

// odm file_contexts; sets fc_sort like the vendor module.
file_contexts {
    name: "odm_file_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":file_contexts_files{.odm}"],
    device_specific: true,
    fc_sort: true,
}

// Recovery twin of odm_file_contexts.
file_contexts {
    name: "odm_file_contexts.recovery",
    defaults: ["contexts_flags_defaults"],
    srcs: [":file_contexts_files{.odm}"],
    stem: "odm_file_contexts",
    recovery: true,
    fc_sort: true,
}

// hwservice_contexts modules: one per partition plus a merged module. None of
// them declares a recovery variant.

// Platform hwservice_contexts.
hwservice_contexts {
    name: "plat_hwservice_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":hwservice_contexts_files{.plat_private}"],
}

// system_ext hwservice_contexts.
hwservice_contexts {
    name: "system_ext_hwservice_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":hwservice_contexts_files{.system_ext_private}"],
    system_ext_specific: true,
}

// product hwservice_contexts.
hwservice_contexts {
    name: "product_hwservice_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":hwservice_contexts_files{.product_private}"],
    product_specific: true,
}

// Vendor hwservice_contexts: {.plat_vendor}, {.vendor} and {.reqd_mask}
// slices, in that order.
hwservice_contexts {
    name: "vendor_hwservice_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [
        ":hwservice_contexts_files{.plat_vendor}",
        ":hwservice_contexts_files{.vendor}",
        ":hwservice_contexts_files{.reqd_mask}",
    ],
    soc_specific: true,
}

// odm hwservice_contexts.
hwservice_contexts {
    name: "odm_hwservice_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":hwservice_contexts_files{.odm}"],
    device_specific: true,
}

// Takes the five per-partition outputs above as its inputs, so checks run on
// this module see every partition's entries together. It sets no partition
// flag of its own.
hwservice_contexts {
    name: "merged_hwservice_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [
        ":plat_hwservice_contexts",
        ":system_ext_hwservice_contexts",
        ":product_hwservice_contexts",
        ":vendor_hwservice_contexts",
        ":odm_hwservice_contexts",
    ],
}

// property_contexts modules. The platform file gets a separate ".recovery"
// module; every other partition sets recovery_available: true on its single
// module instead.

// Platform property_contexts.
property_contexts {
    name: "plat_property_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":property_contexts_files{.plat_private}"],
}

// Recovery twin of plat_property_contexts; `stem` keeps the file name.
property_contexts {
    name: "plat_property_contexts.recovery",
    defaults: ["contexts_flags_defaults"],
    srcs: [":property_contexts_files{.plat_private}"],
    stem: "plat_property_contexts",
    recovery: true,
}

// system_ext property_contexts.
property_contexts {
    name: "system_ext_property_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":property_contexts_files{.system_ext_private}"],
    system_ext_specific: true,
    recovery_available: true,
}

// product property_contexts.
property_contexts {
    name: "product_property_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":property_contexts_files{.product_private}"],
    product_specific: true,
    recovery_available: true,
}

// Vendor property_contexts: {.plat_vendor}, {.vendor} and {.reqd_mask}
// slices, in that order.
property_contexts {
    name: "vendor_property_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [
        ":property_contexts_files{.plat_vendor}",
        ":property_contexts_files{.vendor}",
        ":property_contexts_files{.reqd_mask}",
    ],
    soc_specific: true,
    recovery_available: true,
}

// odm property_contexts.
property_contexts {
    name: "odm_property_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":property_contexts_files{.odm}"],
    device_specific: true,
    recovery_available: true,
}

// service_contexts modules. As with property_contexts, the platform file has
// a dedicated ".recovery" module and the other partitions rely on
// recovery_available: true.

// Platform service_contexts.
service_contexts {
    name: "plat_service_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":service_contexts_files{.plat_private}"],
}

// Recovery twin of plat_service_contexts; `stem` keeps the file name.
service_contexts {
    name: "plat_service_contexts.recovery",
    defaults: ["contexts_flags_defaults"],
    srcs: [":service_contexts_files{.plat_private}"],
    stem: "plat_service_contexts",
    recovery: true,
}

// system_ext service_contexts.
service_contexts {
    name: "system_ext_service_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":service_contexts_files{.system_ext_private}"],
    system_ext_specific: true,
    recovery_available: true,
}

// product service_contexts.
service_contexts {
    name: "product_service_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":service_contexts_files{.product_private}"],
    product_specific: true,
    recovery_available: true,
}

// Vendor service_contexts: {.plat_vendor}, {.vendor} and {.reqd_mask}
// slices, in that order.
service_contexts {
    name: "vendor_service_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [
        ":service_contexts_files{.plat_vendor}",
        ":service_contexts_files{.vendor}",
        ":service_contexts_files{.reqd_mask}",
    ],
    soc_specific: true,
    recovery_available: true,
}

// odm service_contexts.
service_contexts {
    name: "odm_service_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":service_contexts_files{.odm}"],
    device_specific: true,
    recovery_available: true,
}

// Takes the five per-partition outputs above as its inputs, so checks run on
// this module see every partition's entries together. It sets no partition
// flag and no recovery property.
service_contexts {
    name: "merged_service_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [
        ":plat_service_contexts",
        ":system_ext_service_contexts",
        ":product_service_contexts",
        ":vendor_service_contexts",
        ":odm_service_contexts",
    ],
}

// keystore2_key_contexts modules for plat, system_ext, product and vendor.
// This file defines no odm module, no recovery variant and no host-side
// *_test module for this contexts type.
// NOTE(review): confirm whether the keystore2_key_contexts module type
// validates labels against the policy itself; nothing here passes it a
// sepolicy input.

// Platform keystore2_key_contexts.
keystore2_key_contexts {
    name: "plat_keystore2_key_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":keystore2_key_contexts_files{.plat_private}"],
}

// system_ext keystore2_key_contexts.
keystore2_key_contexts {
    name: "system_ext_keystore2_key_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
    system_ext_specific: true,
}

// product keystore2_key_contexts.
keystore2_key_contexts {
    name: "product_keystore2_key_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":keystore2_key_contexts_files{.product_private}"],
    product_specific: true,
}

// Vendor keystore2_key_contexts: {.plat_vendor}, {.vendor} and {.reqd_mask}
// slices, in that order.
keystore2_key_contexts {
    name: "vendor_keystore2_key_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [
        ":keystore2_key_contexts_files{.plat_vendor}",
        ":keystore2_key_contexts_files{.vendor}",
        ":keystore2_key_contexts_files{.reqd_mask}",
    ],
    soc_specific: true,
}

// seapp_contexts modules. Every one is given ":precompiled_sepolicy", and
// every one except the platform module lists the seapp_contexts sources of
// other partitions in neverallow_files:
//   system_ext -> plat
//   product    -> plat, system_ext
//   vendor     -> plat, system_ext, product
//   odm        -> plat, system_ext, product
// NOTE(review): presumably the neverallow lines found in those files are
// enforced against this module's srcs at build time -- confirm in the
// seapp_contexts module type. If so, removing an entry from neverallow_files
// drops a constraint on how that partition may assign app domains, and the
// build would still pass.

// Platform seapp_contexts. Sets no neverallow_files; whether its own
// neverallow lines are checked against its own entries is not visible here.
seapp_contexts {
    name: "plat_seapp_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":seapp_contexts_files{.plat_private}"],
    sepolicy: ":precompiled_sepolicy",
}

// system_ext seapp_contexts, with the platform sources as neverallow_files.
seapp_contexts {
    name: "system_ext_seapp_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":seapp_contexts_files{.system_ext_private}"],
    neverallow_files: [":seapp_contexts_files{.plat_private}"],
    system_ext_specific: true,
    sepolicy: ":precompiled_sepolicy",
}

// product seapp_contexts, with platform and system_ext sources as
// neverallow_files.
seapp_contexts {
    name: "product_seapp_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":seapp_contexts_files{.product_private}"],
    neverallow_files: [
        ":seapp_contexts_files{.plat_private}",
        ":seapp_contexts_files{.system_ext_private}",
    ],
    product_specific: true,
    sepolicy: ":precompiled_sepolicy",
}

// Vendor seapp_contexts: {.plat_vendor}, {.vendor} and {.reqd_mask} slices,
// with platform, system_ext and product sources as neverallow_files.
seapp_contexts {
    name: "vendor_seapp_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [
        ":seapp_contexts_files{.plat_vendor}",
        ":seapp_contexts_files{.vendor}",
        ":seapp_contexts_files{.reqd_mask}",
    ],
    neverallow_files: [
        ":seapp_contexts_files{.plat_private}",
        ":seapp_contexts_files{.system_ext_private}",
        ":seapp_contexts_files{.product_private}",
    ],
    soc_specific: true,
    sepolicy: ":precompiled_sepolicy",
}

// odm seapp_contexts, with the same three neverallow_files as the vendor
// module. The vendor sources are not among them.
seapp_contexts {
    name: "odm_seapp_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":seapp_contexts_files{.odm}"],
    neverallow_files: [
        ":seapp_contexts_files{.plat_private}",
        ":seapp_contexts_files{.system_ext_private}",
        ":seapp_contexts_files{.product_private}",
    ],
    device_specific: true,
    sepolicy: ":precompiled_sepolicy",
}

// The only vndservice_contexts module: {.plat_vendor}, {.vendor} and
// {.reqd_mask} slices, in that order, built as a vendor (soc_specific)
// module. No other partition has one in this file.
vndservice_contexts {
    name: "vndservice_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [
        ":vndservice_contexts_files{.plat_vendor}",
        ":vndservice_contexts_files{.vendor}",
        ":vndservice_contexts_files{.reqd_mask}",
    ],
    soc_specific: true,
}

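// for CTS
// Collects every line that begins with "neverallow" (matched
// case-insensitively, file names suppressed) from the platform, system_ext
// and product seapp_contexts sources into a single output file. The vendor
// and odm sources are not inputs.
//
// grep exits 1 when nothing matches and with a status greater than 1 on a
// real error. Only the "no match" status is tolerated, so an input that
// cannot be read fails the build instead of producing an empty or partial
// rule list that the CTS check would then accept. "$$" is the genrule escape
// for a literal "$".
genrule {
    name: "plat_seapp_neverallows",
    srcs: [
        ":seapp_contexts_files{.plat_private}",
        ":seapp_contexts_files{.system_ext_private}",
        ":seapp_contexts_files{.product_private}",
    ],
    out: ["plat_seapp_neverallows"],
    cmd: "grep -ihe '^neverallow' $(in) > $(out) || [ $$? -eq 1 ]",
}
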
//////////////////////////////////
// Run host-side test with contexts files and the sepolicy file
//
// file_contexts tests: one per partition, each fed that partition's built
// file_contexts module and ":precompiled_sepolicy". The ".recovery" modules
// have no test of their own in this file.

// Checks the built platform file_contexts against the compiled policy.
file_contexts_test {
    name: "plat_file_contexts_test",
    srcs: [":plat_file_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// Unlike its siblings this test takes the raw {.plat_private} sources rather
// than a built module, and a test_data value instead of a sepolicy input.
// NOTE(review): test_data presumably names a file of expected path/label
// pairs next to this Android.bp -- confirm in the file_contexts_test module
// type.
file_contexts_test {
    name: "plat_file_contexts_data_test",
    srcs: [":file_contexts_files{.plat_private}"],
    test_data: "plat_file_contexts_test",
}

// Checks the built system_ext file_contexts against the compiled policy.
file_contexts_test {
    name: "system_ext_file_contexts_test",
    srcs: [":system_ext_file_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// Checks the built product file_contexts against the compiled policy.
file_contexts_test {
    name: "product_file_contexts_test",
    srcs: [":product_file_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// Checks the built vendor file_contexts against the compiled policy.
file_contexts_test {
    name: "vendor_file_contexts_test",
    srcs: [":vendor_file_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// Checks the built odm file_contexts against the compiled policy.
file_contexts_test {
    name: "odm_file_contexts_test",
    srcs: [":odm_file_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// hwservice_contexts tests: each partition's built file on its own, then the
// merged file, all against ":precompiled_sepolicy".

// Platform hwservice_contexts against the compiled policy.
hwservice_contexts_test {
    name: "plat_hwservice_contexts_test",
    srcs: [":plat_hwservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// system_ext hwservice_contexts against the compiled policy.
hwservice_contexts_test {
    name: "system_ext_hwservice_contexts_test",
    srcs: [":system_ext_hwservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// product hwservice_contexts against the compiled policy.
hwservice_contexts_test {
    name: "product_hwservice_contexts_test",
    srcs: [":product_hwservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// vendor hwservice_contexts against the compiled policy.
hwservice_contexts_test {
    name: "vendor_hwservice_contexts_test",
    srcs: [":vendor_hwservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// odm hwservice_contexts against the compiled policy.
hwservice_contexts_test {
    name: "odm_hwservice_contexts_test",
    srcs: [":odm_hwservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// All partitions together, via merged_hwservice_contexts.
hwservice_contexts_test {
    name: "merged_hwservice_contexts_test",
    srcs: [":merged_hwservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// property_contexts tests. Unlike the other test families, the inputs are
// cumulative: each test lists its own partition's file after the files of
// every partition before it (plat, system_ext, product, vendor, odm).
// NOTE(review): presumably this lets the checker see entries a later
// partition adds on top of earlier ones -- confirm in the
// property_contexts_test module type.

// plat only.
property_contexts_test {
    name: "plat_property_contexts_test",
    srcs: [":plat_property_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// plat + system_ext.
property_contexts_test {
    name: "system_ext_property_contexts_test",
    srcs: [
        ":plat_property_contexts",
        ":system_ext_property_contexts",
    ],
    sepolicy: ":precompiled_sepolicy",
}

// plat + system_ext + product.
property_contexts_test {
    name: "product_property_contexts_test",
    srcs: [
        ":plat_property_contexts",
        ":system_ext_property_contexts",
        ":product_property_contexts",
    ],
    sepolicy: ":precompiled_sepolicy",
}

// plat + system_ext + product + vendor.
property_contexts_test {
    name: "vendor_property_contexts_test",
    srcs: [
        ":plat_property_contexts",
        ":system_ext_property_contexts",
        ":product_property_contexts",
        ":vendor_property_contexts",
    ],
    sepolicy: ":precompiled_sepolicy",
}

// plat + system_ext + product + vendor + odm.
property_contexts_test {
    name: "odm_property_contexts_test",
    srcs: [
        ":plat_property_contexts",
        ":system_ext_property_contexts",
        ":product_property_contexts",
        ":vendor_property_contexts",
        ":odm_property_contexts",
    ],
    sepolicy: ":precompiled_sepolicy",
}

// service_contexts tests: each partition's built file on its own, then the
// merged file, all against ":precompiled_sepolicy".

// Platform service_contexts against the compiled policy.
service_contexts_test {
    name: "plat_service_contexts_test",
    srcs: [":plat_service_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// system_ext service_contexts against the compiled policy.
service_contexts_test {
    name: "system_ext_service_contexts_test",
    srcs: [":system_ext_service_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// product service_contexts against the compiled policy.
service_contexts_test {
    name: "product_service_contexts_test",
    srcs: [":product_service_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// vendor service_contexts against the compiled policy.
service_contexts_test {
    name: "vendor_service_contexts_test",
    srcs: [":vendor_service_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// odm service_contexts against the compiled policy.
service_contexts_test {
    name: "odm_service_contexts_test",
    srcs: [":odm_service_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// All partitions together, via merged_service_contexts.
service_contexts_test {
    name: "merged_service_contexts_test",
    srcs: [":merged_service_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// Checks the single vndservice_contexts module against the compiled policy.
vndservice_contexts_test {
    name: "vndservice_contexts_test",
    srcs: [":vndservice_contexts"],
    sepolicy: ":precompiled_sepolicy",
}

// Takes only the platform service_contexts as input and no sepolicy file.
// NOTE(review): what is asserted lives in the fuzzer_bindings_test module
// type; from the name, presumably that platform services have fuzzer
// bindings. system_ext, product, vendor and odm services are not inputs here.
fuzzer_bindings_test {
    name: "fuzzer_bindings_test",
    srcs: [":plat_service_contexts"],
}

// tee_service_contexts modules for plat, system_ext, product and vendor.
// This file defines no odm module, no recovery variant and no host-side
// *_test module for this contexts type, and none of the modules is given a
// sepolicy input.
// NOTE(review): confirm where these entries are validated against the
// policy, if anywhere, before treating a clean build as proof the labels
// exist.

// Platform tee_service_contexts.
tee_service_contexts {
    name: "plat_tee_service_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":tee_service_contexts_files{.plat_private}"],
}

// system_ext tee_service_contexts.
tee_service_contexts {
    name: "system_ext_tee_service_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":tee_service_contexts_files{.system_ext_private}"],
    system_ext_specific: true,
}

// product tee_service_contexts.
tee_service_contexts {
    name: "product_tee_service_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [":tee_service_contexts_files{.product_private}"],
    product_specific: true,
}

// Vendor tee_service_contexts: {.plat_vendor}, {.vendor} and {.reqd_mask}
// slices, in that order.
tee_service_contexts {
    name: "vendor_tee_service_contexts",
    defaults: ["contexts_flags_defaults"],
    srcs: [
        ":tee_service_contexts_files{.plat_vendor}",
        ":tee_service_contexts_files{.vendor}",
        ":tee_service_contexts_files{.reqd_mask}",
    ],
    soc_specific: true,
}
