Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS

Add new build variables for partner customization (additions) to platform sepolicy. This allows partners to add their own policy without having to touch the AOSP sepolicy directories and potentially disrupting compatibility with an AOSP system image. Bug: 36467375 Test: Add public and private files to sailfish policy and verify that they are added to the appropriate policy files, but that the policy is otherwise identical. Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS to trigger use of prebuilt mapping files and verify that they are appropriately combined and built in policy. Change-Id: I38efe2248520804a123603bb050bba75563fe45c Merged-In: I38efe2248520804a123603bb050bba75563fe45c (cherry picked from commit f893700c)

Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS
Add new build variables for partner customization (additions) to platform sepolicy. This allows partners to add their own policy without having to touch the AOSP sepolicy directories and potentially disrupting compatibility with an AOSP system image. Bug: 36467375 Test: Add public and private files to sailfish policy and verify that they are added to the appropriate policy files, but that the policy is otherwise identical. Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS to trigger use of prebuilt mapping files and verify that they are appropriately combined and built in policy. Change-Id: I38efe2248520804a123603bb050bba75563fe45c Merged-In: I38efe2248520804a123603bb050bba75563fe45c (cherry picked from commit f893700c)
1b0a71f3 · Dan Cashman · Bowgo Tsai · c67fa9bf · 1b0a71f3
Commit 1b0a71f3 authored 7 years ago by Dan Cashman Committed by Bowgo Tsai 7 years ago
--- a/Android.mk
+++ b/Android.mk
@@ -80,7 +80,9 @@ endif
 #    - compile output binary policy file
 PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
+PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIRS)
 PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
+PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIRS)
 PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
 REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
@@ -344,22 +346,25 @@ LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
 include $(BUILD_SYSTEM)/base_rules.mk
+current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
+ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
 # auto-generate the mapping file for current platform policy, since it needs to
 # track platform policy development
-current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
 $(current_mapping.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
 $(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+else # ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
+prebuilt_mapping_files := $(wildcard $(addsuffix /mapping/$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)))
+$(current_mapping.cil) : $(prebuilt_mapping_files)
+	@mkdir -p $(dir $@)
+	cat $^ > $@
-ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
+prebuilt_mapping_files :=
-mapping_policy := $(current_mapping.cil)
-else
-mapping_policy := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
 endif
-$(LOCAL_BUILT_MODULE): $(mapping_policy) $(ACP)
+$(LOCAL_BUILT_MODULE): $(current_mapping.cil) $(ACP)
 	$(hide) $(ACP) $< $@
 built_mapping_cil := $(LOCAL_BUILT_MODULE)
@@ -610,9 +615,10 @@ include $(BUILD_SYSTEM)/base_rules.mk
 #  Note: That a newline file is placed between each file_context file found to
 #        ensure a proper build when an fc file is missing an ending newline.
-local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
+local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
-  local_fc_files := $(local_fc_files) $(PLAT_PRIVATE_POLICY)/file_contexts_asan
+  local_fc_files := $(local_fc_files) $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
 endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
@@ -682,9 +688,9 @@ LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
 include $(BUILD_SYSTEM)/base_rules.mk
-local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
+local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
-  local_fc_files += $(PLAT_PRIVATE_POLICY)/file_contexts_asan
+  local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
 endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
@@ -767,7 +773,7 @@ endif
 include $(BUILD_SYSTEM)/base_rules.mk
 nonplat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-plat_sc_neverallow_files := $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)