From 6ac0896b90700fc7a355dbb5beaf278a94bb175b Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Fri, 21 Dec 2018 12:28:14 -0800
Subject: [PATCH] Separate product_service_contexts out of system sepolicy.

Bug: 119305624
Test: normal/recovery boot aosp_taimen
Change-Id: I15aa275fa658b58f5a5d3e651d164f9fcd87c0af
---
 Android.mk            | 32 ++++++++++++++++++++++++++++++--
 private/file_contexts |  1 +
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/Android.mk b/Android.mk
index a17cc50f3..1d7cecb81 100644
--- a/Android.mk
+++ b/Android.mk
@@ -289,6 +289,7 @@ LOCAL_REQUIRED_MODULES += \
     product_hwservice_contexts \
     product_property_contexts \
     product_seapp_contexts \
+    product_service_contexts \
 
 endif
 include $(BUILD_PHONY_PACKAGE)
@@ -1493,8 +1494,7 @@ endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-# TODO(b/119305624): Move product-specific sepolicy out of plat_service_contexts.
-plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY))
 
 plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp
 $(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
@@ -1513,6 +1513,34 @@ built_plat_svc := $(LOCAL_BUILT_MODULE)
 plat_svcfiles :=
 plat_service_contexts.tmp :=
 
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_svcfiles := $(call build_policy, service_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_service_contexts.tmp := $(intermediates)/product_service_contexts.tmp
+$(product_service_contexts.tmp): PRIVATE_SVC_FILES := $(product_svcfiles)
+$(product_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_service_contexts.tmp): $(product_svcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+product_svcfiles :=
+product_service_contexts.tmp :=
+
 ##################################
 # nonplat_service_contexts is only allowed on non-full-treble devices
 ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
diff --git a/private/file_contexts b/private/file_contexts
index d0936e934..6b15fc05b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -378,6 +378,7 @@
 /(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
 /(product|system/product)/etc/selinux/product_property_contexts  u:object_r:property_contexts_file:s0
 /(product|system/product)/etc/selinux/product_seapp_contexts     u:object_r:seapp_contexts_file:s0
+/(product|system/product)/etc/selinux/product_service_contexts   u:object_r:service_contexts_file:s0
 
 #############################
 # Product-Services files
-- 
GitLab