From 193dccda7922e3cfdcbbd19da93960335ca0d224 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Tue, 7 Mar 2017 14:05:57 -0800
Subject: [PATCH] Precompiled kernel policy for on-device use

This adds build targets for outputing precompiled kernel policy usable
on devices with policy split between system and vendor partitions. On
such devices, precompiled policy must reside on the vendor partition.

Because such devices support updating these partitions independently
of each other, the precompiled policy must reference the system
partition's policy against which it was compiled. This enables init to
establish whether the precompiled policy is valid for the current
combination of system and vendor partitions.

The referencing is performed by both the system and vendor partitions
including the SHA-256 digest of the system partition's policy
(plat_sepolicy.cil). Only the when the digest is the same on both
partitions can the precompiled policy be used.

Test: plat_sepolicy.cil.sha256 contains exactly the hex form of the
      SHA-256 digest of plat_sepolicy.cil
Test: plat_sepolicy.cil.sha256 is identical
      precompiled_sepolicy.plat.sha256.
Bug: 31363362
Change-Id: I9771e1aa751e25bba6e2face37d68e0ae43b33a3
---
 Android.mk | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/Android.mk b/Android.mk
index 812c4ca90..46adbe970 100644
--- a/Android.mk
+++ b/Android.mk
@@ -254,6 +254,19 @@ plat_policy.conf :=
 #################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := plat_sepolicy.cil.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil)
+	sha256sum $^ | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := mapping_sepolicy.cil
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
@@ -347,9 +360,46 @@ $(built_mapping_cil)
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
 		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
 
+built_nonplat_cil := $(LOCAL_BUILT_MODULE)
 nonplat_policy.conf :=
 nonplat_policy_raw :=
 
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := precompiled_sepolicy
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := \
+$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
+		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
+
+built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
+
+#################################
+# SHA-256 digest of the plat_sepolicy.cil file against which precompiled_policy was built.
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := precompiled_sepolicy.plat.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILE := $(built_plat_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil)
+	sha256sum $(PRIVATE_CIL_FILE) | cut -d' ' -f1 > $@
+
 #################################
 include $(CLEAR_VARS)
 # build this target so that we can still perform neverallow checks
@@ -1033,9 +1083,11 @@ built_plat_cil.recovery :=
 built_mapping_cil :=
 built_mapping_cil.recovery :=
 built_plat_pc :=
+built_nonplat_cil :=
 built_nonplat_pc :=
 built_nonplat_sc :=
 built_plat_sc :=
+built_precompiled_sepolicy :=
 built_sepolicy :=
 built_plat_svc :=
 built_nonplat_svc :=
-- 
GitLab