From bca98efa575bedab68f2d5eaee2cd1fd1741962b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 26 Feb 2016 20:06:52 -0800
Subject: [PATCH] Don't allow permissive SELinux domains on user builds.
It's a CTS requirement that all SELinux domains be in enforcing mode. Add the same assertion to the build system when targeting user builds. In particular, this avoids a situation where device integrity checking is enabled on user builds, but permissive denials are being generated, causing the device to unexpectedly reboot into safe mode. A developer wanting to put an SELinux domain into permissive mode for userdebug/eng purposes can write the following in their policy: userdebug_or_eng(` permissive foo; ')
Bug: 26902605
Bug: 27313768
Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21
---
Android.mk | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/Android.mk b/Android.mk
index 81e4871e7..a2a04c35b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -97,10 +97,19 @@ $(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
 	-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit
+	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+		echo "==========" 1>&2; \
+		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+		echo "List of invalid domains:" 1>&2; \
+		cat $@.permissivedomains 1>&2; \
+		exit 1; \
+	fi
+	$(hide) mv $@.tmp $@
 built_sepolicy := $(LOCAL_BUILT_MODULE)
 sepolicy_policy.conf :=
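Review bot: The nine added lines from `sepolicy-analyze $@.tmp permissive` through `mv $@.tmp $@` are repeated verbatim in the recovery rule of the next hunk, so a later adjustment to one gate (a changed variant list, a different exit path) can silently miss the other; a `define` block called from both recipes, as the Android build already does for its `transform-*` macros, keeps the two checks identical. The gate is an exact string compare against `user`, so any other value of `$(TARGET_BUILD_VARIANT)` — including an empty one — skips it; that matches the commit message, but a one-line comment on the rule, `# Permissive domains fail the build only for TARGET_BUILD_VARIANT=user; userdebug/eng may use userdebug_or_eng(...)`, would make the fail-open side explicit. `-a` inside `[ ]` is obsolescent in POSIX and `[ "$(TARGET_BUILD_VARIANT)" = "user" ] && [ -s $@.permissivedomains ]` is the portable spelling. The rule is complete within the hunk.
```make
# Fail the build when sepolicy-analyze reports permissive domains and this is
# a user build. $(1) is the freshly built policy, $(2) the domain-list file
# written next to it (left behind for inspection on failure).
define check-permissive-domains
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(1) permissive > $(2)
$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" ] && [ -s $(2) ]; then \
	echo "==========" 1>&2; \
	echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
	echo "List of invalid domains:" 1>&2; \
	cat $(2) 1>&2; \
	exit 1; \
fi
endef

$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
	# … unchanged: dontaudit checkpolicy invocation …
	$(call check-permissive-domains,$@.tmp,$@.permissivedomains)
	$(hide) mv $@.tmp $@
```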
@@ -126,9 +135,18 @@ $(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
 	-D target_recovery=true \
 	-s $^ > $@
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
+	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+		echo "==========" 1>&2; \
+		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+		echo "List of invalid domains:" 1>&2; \
+		cat $@.permissivedomains 1>&2; \
+		exit 1; \
+	fi
+	$(hide) mv $@.tmp $@
 built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
 sepolicy_policy_recovery.conf :=
-- 
GitLab