Since the introduction of the Treble framework in Android 8, Android has divided the system into System and Vendor parts, allowing independent upgrades of system and vendor. Subsequently, Product, ODM, and other partitions were introduced. In this context, SELinux policies are also divided into several parts: platform (system), system_ext, product, vendor, and odm.<\/p>\n
This article uses the Vendor partition as an example to analyze in detail how to include sepolicy files in the Android build system, how Android.mk variables are passed to the Soong build system, and finally how they correspond to modules and variables in Android.bp.<\/p>\n
First, the SELinux policy files for the Vendor are added to the Android build system through the These Makefile variables are converted to JSON format via In Soong\u2019s Soong provides an interface to get the list of paths to Vendor policy files.<\/p>\n In the In the code above, If The final compilation of plat_policy_for_vendor generates a plat_policy_for_vendor.cli file, which depends on the plat_policy_for_vendor.conf file. The compilation process of plat_policy_for_vendor.conf is as follows:<\/p>\n plat_policies_for_vendor is as follows:<\/p>\n As seen, the compilation process for plat_policy_for_vendor does not use the sepolicy files defined in plat_vendor_for_vendor. Therefore, if a rule is added in system_ext_public_for_vendor that depends on a type defined in plat_vendor_for_vendor, a compilation error will inevitably occur.<\/p>\n","protected":false},"excerpt":{"rendered":" Since the introduction of the Treble framework in Android 8, Android has divided the system into System and Vendor parts, allowing independent upgrades of system and vendor. Subsequently, Product, ODM, and other partitions were introduced. In this context, SELinux policies are also divided into several parts: platform (system), system_ext, product, vendor, and odm. This article uses the Vendor partition as an example to analyze in detail how to include sepolicy files in the Android build system, how Android.mk variables are passed to the Soong build system, and finally how they correspond to modules and variables in Android.bp. 1. Including SELinux Policy Files in Android Makefile First, the SELinux policy files for the Vendor are added to the Android build system through the BOARD_VENDOR_SEPOLICY_DIRS or BOARD_SEPOLICY_DIRS variables. For example: BOARD_VENDOR_SEPOLICY_DIRS += vendor\/xx\/featureA\/sepolicy 2. Passing Android Makefile Variables to Soong These Makefile variables are converted to JSON format via soong_config.mk and then passed to the Soong build system, specifying the corresponding Go language variables (e.g., BoardVendorSepolicyDirs). .\/build\/make\/core\/soong_config.mk:203: $(call add_json_list, BoardVendorSepolicyDirs, $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_SEPOLICY_DIRS)) 3. Declaration of Variables in Soong In Soong\u2019s variable.go file, the variable that stores the path of the Vendor SELinux policy files is defined. .\/build\/soong\/android\/variable.go:355: BoardVendorSepolicyDirs []string `json:",omitempty"` 4. Interface to Get Vendor Policy Paths Soong provides an interface to get the list of paths to Vendor policy files. func (c *deviceConfig) VendorSepolicyDirs() []string { return c.config.productVariables.BoardVendorSepolicyDirs } 5. Correspondence Between Variables in Android.bp and SELinux Variables in Makefile In the build\/soong\/build_files.go file of the Android build system, the mapping between variables in Android.bp and SELinux varia…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","footnotes":""},"categories":[60,62,64],"tags":[69,73,75,77],"class_list":["post-79","post","type-post","status-publish","format-standard","hentry","category-android-en","category-english","category-selinux-en","tag-android-en","tag-linux-en","tag-selinux-en","tag-sepolicy-en"],"yoast_head":"\nBOARD_VENDOR_SEPOLICY_DIRS<\/code> or BOARD_SEPOLICY_DIRS<\/code> variables. For example:<\/p>\nBOARD_VENDOR_SEPOLICY_DIRS += vendor\/xx\/featureA\/sepolicy<\/code><\/pre>\n2. Passing Android Makefile Variables to Soong<\/h2>\n
soong_config.mk<\/code> and then passed to the Soong build system, specifying the corresponding Go language variables (e.g., BoardVendorSepolicyDirs<\/code>).<\/p>\n.\/build\/make\/core\/soong_config.mk:203: $(call add_json_list, BoardVendorSepolicyDirs, $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_SEPOLICY_DIRS))<\/code><\/pre>\n3. Declaration of Variables in Soong<\/h2>\n
variable.go<\/code> file, the variable that stores the path of the Vendor SELinux policy files is defined.<\/p>\n.\/build\/soong\/android\/variable.go:355: BoardVendorSepolicyDirs []string `json:",omitempty"`<\/code><\/pre>\n4. Interface to Get Vendor Policy Paths<\/h2>\n
func (c *deviceConfig) VendorSepolicyDirs() []string {\n return c.config.productVariables.BoardVendorSepolicyDirs\n}<\/code><\/pre>\n5. Correspondence Between Variables in Android.bp and SELinux Variables in Makefile<\/h2>\n
build\/soong\/build_files.go<\/code> file of the Android build system, the mapping between variables in Android.bp and SELinux variables in Makefile is implemented.<\/p>\nfunc (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {\n b.srcs = make(map[string]android.Paths)\n b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))\n b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "public"))\n b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "private"))\n b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))\n b.srcs[".system_ext_public"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs()...)\n b.srcs[".system_ext_private"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()...)\n b.srcs[".product_public"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs()...)\n b.srcs[".product_private"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs()...)\n b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)\n b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)\n\n if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {\n \/\/ vendor uses the same source with plat policy\n b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]\n b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]\n b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]\n b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]\n b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]\n b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]\n b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]\n b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]\n } else {\n \/\/ use vendor-supplied plat prebuilts\n b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)\n b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)\n b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))\n b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))\n b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)\n b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)\n b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)\n b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)\n }\n}<\/code><\/pre>\nb.srcs[xxx]<\/code> with xxx<\/code> refers to variables in Android.bp, which can be used directly in the Android.bp file. The following table summarizes this:<\/p>\n\n\n
\n \nAndroid.bp<\/th>\n Corresponding Android.mk Variable or Directory Path<\/th>\n<\/tr>\n<\/thead>\n \n .reqd_mask<\/td>\n system\/sepolicy\/reqd_mask<\/td>\n<\/tr>\n \n .plat_public<\/td>\n system\/sepolicy\/public<\/td>\n<\/tr>\n \n .plat_private<\/td>\n system\/sepolicy\/private<\/td>\n<\/tr>\n \n .plat_vendor<\/td>\n system\/sepolicy\/vendor<\/td>\n<\/tr>\n \n .system_ext_public<\/td>\n $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS) $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)<\/td>\n<\/tr>\n \n .system_ext_private<\/td>\n $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS) $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)<\/td>\n<\/tr>\n \n .product_public<\/td>\n $(PRODUCT_PUBLIC_SEPOLICY_DIRS)<\/td>\n<\/tr>\n \n .product_private<\/td>\n $(PRODUCT_PRIVATE_SEPOLICY_DIRS)<\/td>\n<\/tr>\n \n .vendor<\/td>\n $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_SEPOLICY_DIRS)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n BOARD_SEPOLICY_VERS<\/code> and PLATFORM_SEPOLICY_VERSION<\/code> are equal, it indicates that the Vendor uses the current platform\u2019s SELinux rules; otherwise, it uses the SELinux rules specified by BOARD_SEPOLICY_VERS<\/code>. When they are equal, the related SELinux policy variables in Android.bp can be simplified as follows:<\/p>\n\n\n
\n \nAndroid.bp<\/th>\n Value<\/th>\n<\/tr>\n<\/thead>\n \n .reqd_mask_for_vendor<\/td>\n .reqd_mask<\/td>\n<\/tr>\n \n .plat_public_for_vendor<\/td>\n .plat_public<\/td>\n<\/tr>\n \n .plat_private_for_vendor<\/td>\n .plat_private<\/td>\n<\/tr>\n \n .plat_vendor_for_vendor<\/td>\n .plat_vendor<\/td>\n<\/tr>\n \n .system_ext_public_for_vendor<\/td>\n .system_ext_public<\/td>\n<\/tr>\n \n .system_ext_private_for_vendor<\/td>\n .system_ext_private<\/td>\n<\/tr>\n \n .product_public_for_vendor<\/td>\n .product_public<\/td>\n<\/tr>\n \n .product_private_for_vendor<\/td>\n .product_private<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n 6. Compiling the plat_policy_for_vendor Module<\/h2>\n
se_policy_conf {\n name: "plat_policy_for_vendor.conf",\n srcs: plat_policies_for_vendor,\n installable: false,\n}<\/code><\/pre>\nplat_policies_for_vendor = [\n ":se_build_files{.plat_public_for_vendor}",\n ":se_build_files{.plat_private_for_vendor}",\n ":se_build_files{.system_ext_public_for_vendor}",\n ":se_build_files{.system_ext_private_for_vendor}",\n ":se_build_files{.product_public_for_vendor}",\n ":se_build_files{.product_private_for_vendor}",\n]<\/code><\/pre>\n