From 0e9c47c0af92005ea81772e82663865f1a3572b3 Mon Sep 17 00:00:00 2001
From: Dan Cashman <dcashman@google.com>
Date: Tue, 4 Apr 2017 14:27:41 -0700
Subject: [PATCH] Move mapping_sepolicy.cil to /system partition.
This is a necessary first step to finalizing the SELinux policy build
process. The mapping_sepolicy.cil file is required to provide backward
compatibility with the indicated vendor-targeted version.
This still needs to be extended to provide N mapping files and corresponding
SHA256 outputs, one for each of the N previous platform versions with which
we're backward-compatible.
Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.
Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
---
Android.mk | 44 +++++++++++++++++++++----------------------
CleanSpec.mk | 4 ++++
private/file_contexts | 6 +++---
3 files changed, 29 insertions(+), 25 deletions(-)
diff --git a/Android.mk b/Android.mk
index b941bf370..3f691e904 100644
--- a/Android.mk
+++ b/Android.mk
@@ -15,14 +15,14 @@ LOCAL_REQUIRED_MODULES += \
mapping_sepolicy.cil \
nonplat_sepolicy.cil \
plat_sepolicy.cil \
- plat_sepolicy.cil.sha256 \
+ plat_and_mapping_sepolicy.cil.sha256 \
secilc \
nonplat_file_contexts \
plat_file_contexts
# Include precompiled policy, unless told otherwise
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat.sha256
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
endif
else
@@ -310,24 +310,10 @@ plat_policy.conf :=
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := plat_sepolicy.cil.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_cil)
- sha256sum $^ | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
LOCAL_MODULE := mapping_sepolicy.cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
@@ -357,6 +343,19 @@ current_mapping.cil :=
#################################
include $(CLEAR_VARS)
+LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil)
+ cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := nonplat_sepolicy.cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -444,10 +443,11 @@ $(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
#################################
-# SHA-256 digest of the plat_sepolicy.cil file against which precompiled_policy was built.
+# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
+# which precompiled_policy was built.
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat.sha256
+LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -455,9 +455,9 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILE := $(built_plat_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil)
- sha256sum $(PRIVATE_CIL_FILE) | cut -d' ' -f1 > $@
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil)
+ cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
#################################
include $(CLEAR_VARS)
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 496214943..9e2c464c1 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -65,4 +65,8 @@ $(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/property_contexts)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/property_contexts)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_property_contexts)
+
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/mapping_sepolicy.cil)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
diff --git a/private/file_contexts b/private/file_contexts
index 9feeef9cf..e0b7e1c49 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -247,13 +247,14 @@
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/vr_wm u:object_r:vr_wm_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
#############################
@@ -273,7 +274,6 @@
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/vendor/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
@@ -281,7 +281,7 @@
/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 u:object_r:sepolicy_file:s0
/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
#############################
--
GitLab