Don't allow permissive SELinux domains on user builds.

It's a CTS requirement that all SELinux domains be in enforcing mode. Add the same assertion to the build system when targeting user builds. In particular, this avoids a situation where device integrity checking is enabled on user builds, but permissive denials are being generated, causing the device to unexpectedly reboot into safe mode. A developer wanting to put an SELinux domain into permissive mode for userdebug/eng purposes can write the following in their policy: userdebug_or_eng(` permissive foo; ') Bug: 26902605 Bug: 27313768 (cherry picked from commit bca98efa) Change-Id: If6abe1fa70c79a1fccdbdd9ff273d92de7565a73

Don't allow permissive SELinux domains on user builds.
It's a CTS requirement that all SELinux domains be in enforcing mode. Add the same assertion to the build system when targeting user builds. In particular, this avoids a situation where device integrity checking is enabled on user builds, but permissive denials are being generated, causing the device to unexpectedly reboot into safe mode. A developer wanting to put an SELinux domain into permissive mode for userdebug/eng purposes can write the following in their policy: userdebug_or_eng(` permissive foo; ') Bug: 26902605 Bug: 27313768 (cherry picked from commit bca98efa) Change-Id: If6abe1fa70c79a1fccdbdd9ff273d92de7565a73
3df1fda5 · Nick Kralevich · a395f875 · 3df1fda5
Commit 3df1fda5 authored 9 years ago by Nick Kralevich
--- a/Android.mk
+++ b/Android.mk
@@ -98,10 +98,19 @@ $(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit
+	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+		echo "==========" 1>&2; \
+		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+		echo "List of invalid domains:" 1>&2; \
+		cat $@.permissivedomains 1>&2; \
+		exit 1; \
+		fi
+	$(hide) mv $@.tmp $@
 built_sepolicy := $(LOCAL_BUILT_MODULE)
 sepolicy_policy.conf :=
@@ -127,9 +136,18 @@ $(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
 		-D target_recovery=true \
 		-s $^ > $@
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
+	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+		echo "==========" 1>&2; \
+		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+		echo "List of invalid domains:" 1>&2; \
+		cat $@.permissivedomains 1>&2; \
+		exit 1; \
+		fi
+	$(hide) mv $@.tmp $@
 built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
 sepolicy_policy_recovery.conf :=