From cf5c6ecb93931ca5853b9954979d785d259453ce Mon Sep 17 00:00:00 2001
From: Dan Cashman <dcashman@google.com>
Date: Fri, 16 Dec 2016 14:20:33 -0800
Subject: [PATCH] Move sepolicy and recovery from on-device tree and add
 dependency.

Prevent sepolicy and sepolicy.recovery from showing up in the root
filesystem when they will not be created as part of it.  Also make
sure both are added as dependencies to version_policy to ensure the
neverallow checks are run.

Bug: 31363362
Test: Builds and boots, including recovery, without additional
  denials.  Neverallow violations still caught at build time.

Change-Id: I39e3cbc150551c9316952523927d057538cd00a7
---
 Android.mk | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Android.mk b/Android.mk
index bd2927177..ff7420a77 100644
--- a/Android.mk
+++ b/Android.mk
@@ -338,7 +338,7 @@ include $(CLEAR_VARS)
 LOCAL_MODULE := sepolicy
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+LOCAL_MODULE_PATH := $(TARGET_OUT_INTERMEDIATES)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
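Review bot: The new `LOCAL_MODULE_PATH := $(TARGET_OUT_INTERMEDIATES)` for `sepolicy` carries no comment saying that the install path is deliberately off-device, and the same holds for the `sepolicy.recovery` hunk at -525. An install path that points into the intermediates tree looks like a mistake, so a later reader could "fix" it back to `$(TARGET_ROOT_OUT)` and put the policy files into the root filesystem again. I would add above each assignment `# Build-time only: kept out of the root filesystem; still built so the neverallow checks run.` The module definition starts and continues outside the hunk, so whether any image rule still expects the file under the root output is not visible here and is worth confirming.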
@@ -525,7 +525,7 @@ include $(CLEAR_VARS)
 LOCAL_MODULE := sepolicy.recovery
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+LOCAL_MODULE_PATH := $(TARGET_OUT_INTERMEDIATES)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -548,6 +548,7 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/se
 		fi
 	$(hide) mv $@.tmp $@
 
+built_sepolicy.recovery := $(LOCAL_BUILT_MODULE)
 all_cil_files.recovery :=
 
 ##################################
@@ -916,7 +917,8 @@ LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_sepolicy.recovery) $(built_pc) \
+$(built_fc) $(built_sc) $(built_svc)
 	@mkdir -p $(dir $@)
 	$(hide) echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@
 
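Review bot: The added `$(built_sepolicy.recovery)` prerequisite is never read by the recipe, which only writes the build fingerprint into `$@`, so nothing in the rule says why it is there. Going by the commit message it exists to force the policy builds and their neverallow checks. Since this commit also stops installing both policy files to the root output, this edge appears to be the only thing that pulls them into a build, and the module is tagged `optional`, so a product that omits it may skip those checks; that is worth confirming. I would add `# Prerequisites on both policies force their neverallow checks; the recipe does not read them.` above the rule, and indent the continuation line `$(built_fc) $(built_sc) $(built_svc)` with spaces so it reads as part of the prerequisite list. The module definition starts above the hunk.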
@@ -932,6 +934,7 @@ built_nl :=
 built_pc :=
 built_sc :=
 built_sepolicy :=
+built_sepolicy.recovery :=
 built_svc :=
 mapping_policy_nvr :=
 mapping_policy_nvr.recovery :=
-- 
GitLab