Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS

Add new build variables for partner customization (additions) to platform sepolicy. This allows partners to add their own policy without having to touch the AOSP sepolicy directories and potentially disrupting compatibility with an AOSP system image. Bug: 36467375 Test: Add public and private files to sailfish policy and verify that they are added to the appropriate policy files, but that the policy is otherwise identical. Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS to trigger use of prebuilt mapping files and verify that they are appropriately combined and built in policy. Change-Id: I38efe2248520804a123603bb050bba75563fe45c

Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS
Add new build variables for partner customization (additions) to platform sepolicy. This allows partners to add their own policy without having to touch the AOSP sepolicy directories and potentially disrupting compatibility with an AOSP system image. Bug: 36467375 Test: Add public and private files to sailfish policy and verify that they are added to the appropriate policy files, but that the policy is otherwise identical. Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS to trigger use of prebuilt mapping files and verify that they are appropriately combined and built in policy. Change-Id: I38efe2248520804a123603bb050bba75563fe45c
f893700c · Dan Cashman · e0da11d0 · f893700c
Commit f893700c authored 7 years ago by Dan Cashman
--- a/Android.mk
+++ b/Android.mk
@@ -80,7 +80,9 @@ endif
 #    - compile output binary policy file

 PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
+PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIRS)
 PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
+PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIRS)
 PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
 REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask

@@ -349,22 +351,25 @@ LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping

 include $(BUILD_SYSTEM)/base_rules.mk

+current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
+ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
 # auto-generate the mapping file for current platform policy, since it needs to
 # track platform policy development
-current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
 $(current_mapping.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
 $(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@

+else # ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
+prebuilt_mapping_files := $(wildcard $(addsuffix /mapping/$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)))
+$(current_mapping.cil) : $(prebuilt_mapping_files)
+	@mkdir -p $(dir $@)
+	cat $^ > $@

-ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
-mapping_policy := $(current_mapping.cil)
-else
-mapping_policy := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
+prebuilt_mapping_files :=
 endif

-$(LOCAL_BUILT_MODULE): $(mapping_policy) $(ACP)
+$(LOCAL_BUILT_MODULE): $(current_mapping.cil) $(ACP)
 	$(hide) $(ACP) $< $@

 built_mapping_cil := $(LOCAL_BUILT_MODULE)
@@ -616,9 +621,10 @@ include $(BUILD_SYSTEM)/base_rules.mk
 #  Note: That a newline file is placed between each file_context file found to
 #        ensure a proper build when an fc file is missing an ending newline.

-local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
+local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
+
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
-  local_fc_files := $(local_fc_files) $(PLAT_PRIVATE_POLICY)/file_contexts_asan
+  local_fc_files := $(local_fc_files) $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
 endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))

@@ -688,7 +694,7 @@ LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux

 include $(BUILD_SYSTEM)/base_rules.mk

-local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
+local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
  local_fc_files += $(PLAT_PRIVATE_POLICY)/file_contexts_asan
 endif
@@ -773,7 +779,7 @@ endif
 include $(BUILD_SYSTEM)/base_rules.mk

 nonplat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-plat_sc_neverallow_files := $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))

 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)