From d4a3e9dd485ebd37b4e323098ae08cd0dc38e942 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 22 Mar 2017 16:20:24 -0700
Subject: [PATCH] Create selinux_policy phony target

Moves selinux policy build decisions to system/sepolicy/Android.mk.
This is done because the PRODUCT_FULL_TREBLE variable isn't available
in embedded.mk and TARGET_SANITIZE isn't available to dependencies of
init.

Test: Build/boot Bullhead PRODUCT_FULL_TREBLE=false
Test: Build/boot Marlin PRODUCT_FULL_TREBLE=true
Test: Build Marlin TARGET_SANITIZE=address. Verify asan rules are
      included in policy output.
Bug: 36138508
Change-Id: I20a25ffdfbe2b28e7e0f3e090a4df321e85e1235
---
 Android.mk | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/Android.mk b/Android.mk
index d0edeab68..da58e53c9 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,7 +1,38 @@
 LOCAL_PATH:= $(call my-dir)
 
 include $(CLEAR_VARS)
+LOCAL_MODULE := selinux_policy
+LOCAL_MODULE_TAGS := optional
+# Include SELinux policy. We do this here because different modules
+# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# type of conditional inclusion cannot be done in top-level files such
+# as build/target/product/embedded.mk.
+# This conditional inclusion closely mimics the conditional logic
+# inside init/init.cpp for loading SELinux policy from files.
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+# Use split SELinux policy
+LOCAL_REQUIRED_MODULES += \
+    mapping_sepolicy.cil \
+    nonplat_sepolicy.cil \
+    plat_sepolicy.cil \
+    plat_sepolicy.cil.sha256 \
+    secilc \
+    nonplat_file_contexts \
+    plat_file_contexts
+
+# Include precompiled policy, unless told otherwise
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat.sha256
+endif
 
+else
+# Use monolithic SELinux policy
+LOCAL_REQUIRED_MODULES += sepolicy \
+    file_contexts.bin
+endif
+include $(BUILD_PHONY_PACKAGE)
+
+include $(CLEAR_VARS)
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
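Review bot: Both conditionals in the new `selinux_policy` block compare raw strings, so a mistyped product variable silently changes which policy files ship. At `ifeq ($(PRODUCT_FULL_TREBLE),true)` any value other than the exact word `true` (a trailing space, `True`, `1`) selects the monolithic `sepolicy` / `file_contexts.bin` set, and at `ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)` any value other than `false` still ships the precompiled policy and its hash. The comment above says this selection mimics the loading logic in init/init.cpp, so a mismatch may produce an image whose policy files are not the ones init looks for, and the build reports nothing. Unless these variables are normalised elsewhere (not visible in this hunk), I would write `ifeq ($(strip $(PRODUCT_FULL_TREBLE)),true)` and `ifneq ($(strip $(PRODUCT_PRECOMPILED_SEPOLICY)),false)`. I would also extend the comment with `# Keep in sync with init/init.cpp: a change there needs a matching change to this module list.`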
-- 
GitLab