From 2a7171a71a17d7e9ef78b1c924cde95f66eb937e Mon Sep 17 00:00:00 2001 From: Alex Klyubin Date: Fri, 10 Mar 2017 12:53:02 -0800 Subject: [PATCH] Explicitly depend on sepolicy artifacts in recovery targets This makes recoveryimage/bootimage targets explicitly depend on SELinux policy artifacts needed by recovery. Prior to this change, the dependency was contrived: these targets would rely on copying these files from "root" directory, and then overwriting sepolicy file with sepolicy.recovery. Test: Clean build, flash, device boots up just fine. No new denials. Reboot into recovery, recovery boot up just fine, no denials. This was tested on bullhead (non A/B device) and sailfish (A/B device). Bug: 33642277 Change-Id: Id2369253d0c7e02e079ae01ac7140b41880fd5ad --- core/Makefile | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/core/Makefile b/core/Makefile index 3a570c795d..b0a03b5843 100644 --- a/core/Makefile +++ b/core/Makefile @@ -910,7 +910,15 @@ INTERNAL_RECOVERYIMAGE_FILES := $(filter $(TARGET_RECOVERY_OUT)/%, \ $(ALL_DEFAULT_INSTALLED_MODULES)) recovery_initrc := $(call include-path-for, recovery)/etc/init.rc -recovery_sepolicy := $(call intermediates-dir-for,ETC,sepolicy.recovery)/sepolicy.recovery +recovery_sepolicy := \ + $(TARGET_RECOVERY_ROOT_OUT)/sepolicy \ + $(TARGET_RECOVERY_ROOT_OUT)/file_contexts.bin \ + $(TARGET_RECOVERY_ROOT_OUT)/plat_property_contexts \ + $(TARGET_RECOVERY_ROOT_OUT)/nonplat_property_contexts +# Passed into rsync from non-recovery root to recovery root, to avoid overwriting recovery-specific +# SELinux files +IGNORE_RECOVERY_SEPOLICY := $(patsubst $(TARGET_RECOVERY_OUT)/%,--exclude=/%,$(recovery_sepolicy)) + recovery_kernel := $(INSTALLED_KERNEL_TARGET) # same as a non-recovery system recovery_ramdisk := $(PRODUCT_OUT)/ramdisk-recovery.img recovery_build_prop := $(intermediate_system_build_prop) @@ -1045,14 +1053,13 @@ define build-recoveryimage-target $(hide) mkdir -p $(TARGET_RECOVERY_OUT) $(hide) mkdir -p $(TARGET_RECOVERY_ROOT_OUT)/etc $(TARGET_RECOVERY_ROOT_OUT)/sdcard $(TARGET_RECOVERY_ROOT_OUT)/tmp @echo Copying baseline ramdisk... - $(hide) rsync -a --exclude=etc --exclude=sdcard $(IGNORE_CACHE_LINK) $(TARGET_ROOT_OUT) $(TARGET_RECOVERY_OUT) # "cp -Rf" fails to overwrite broken symlinks on Mac. + # Use rsync because "cp -Rf" fails to overwrite broken symlinks on Mac. + $(hide) rsync -a --exclude=etc --exclude=sdcard $(IGNORE_RECOVERY_SEPOLICY) $(IGNORE_CACHE_LINK) $(TARGET_ROOT_OUT) $(TARGET_RECOVERY_OUT) @echo Modifying ramdisk contents... $(if $(BOARD_RECOVERY_KERNEL_MODULES), \ $(call build-image-kernel-modules,$(BOARD_RECOVERY_KERNEL_MODULES),$(TARGET_RECOVERY_ROOT_OUT),,$(call intermediates-dir-for,PACKAGING,depmod_recovery))) $(hide) rm -f $(TARGET_RECOVERY_ROOT_OUT)/init*.rc $(hide) cp -f $(recovery_initrc) $(TARGET_RECOVERY_ROOT_OUT)/ - $(hide) rm -f $(TARGET_RECOVERY_ROOT_OUT)/sepolicy - $(hide) cp -f $(recovery_sepolicy) $(TARGET_RECOVERY_ROOT_OUT)/sepolicy $(hide) cp $(TARGET_ROOT_OUT)/init.recovery.*.rc $(TARGET_RECOVERY_ROOT_OUT)/ || true # Ignore error when the src file doesn't exist. $(hide) mkdir -p $(TARGET_RECOVERY_ROOT_OUT)/res $(hide) rm -rf $(TARGET_RECOVERY_ROOT_OUT)/res/*