From 8f719500fddedf2041ddd03f016688b91687eb41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Thu, 22 Feb 2024 15:43:39 +1100
Subject: [PATCH] Add build flags for libselinux

Consider /data/data as an app data directory (and skip any restorcon) if the flag release_selinux_data_data_ignore is enabled.
Test: boot; setfattr -x security.sehash /data; setfattr -x security.sehash /data/data; reboot, restorecon ignores /data/data
Bug: 317296680
Change-Id: If341864555398cd042dbe5b89085821cc2f8a0c0
---
 libselinux/Android.bp | 23 +++++++++++++++++++++++
 libselinux/src/android/android_device.c | 5 +++++
 2 files changed, 28 insertions(+)

diff --git a/libselinux/Android.bp b/libselinux/Android.bp
index ff7dc3d3..fc303843 100644
--- a/libselinux/Android.bp
+++ b/libselinux/Android.bp
@@ -52,6 +52,7 @@ common_CFLAGS = [
 cc_defaults {
 name: "libselinux_defaults",
+ defaults: ["libselinux_flags_defaults"],
 cflags: common_CFLAGS,
@@ -157,6 +158,28 @@ cc_defaults {
 stl: "none",
 }
+soong_config_module_type {
+ name: "cc_defaults_libselinux_flags",
+ module_type: "cc_defaults",
+ config_namespace: "ANDROID",
+ bool_variables: [
+ "release_selinux_data_data_ignore",
+ ],
+ properties: [
+ "cflags",
+ ],
+}
+
+cc_defaults_libselinux_flags {
+ name: "libselinux_flags_defaults",
+ host_supported: true,
+ soong_config_variables: {
+ release_selinux_data_data_ignore: {
+ cflags: ["-DSELINUX_FLAGS_DATA_DATA_IGNORE"],
+ }
+ }
+}
+
 cc_library {
 name: "libselinux",
 defaults: ["libselinux_defaults"],
diff --git a/libselinux/src/android/android_device.c b/libselinux/src/android/android_device.c
index 5d1c4d31..63f3355b 100644
--- a/libselinux/src/android/android_device.c
+++ b/libselinux/src/android/android_device.c
@@ -281,6 +281,11 @@ struct pkg_info *package_info_lookup(const char *name)
 */
 static bool is_app_data_path(const char *pathname) {
 int flags = FNM_LEADING_DIR|FNM_PATHNAME;
+#ifdef SELINUX_FLAGS_DATA_DATA_IGNORE
+ if (!strcmp(pathname, DATA_DATA_PATH)) {
+ return true;
+ }
+#endif
 return (!strncmp(pathname, DATA_DATA_PREFIX, sizeof(DATA_DATA_PREFIX)-1) ||
 !strncmp(pathname, DATA_USER_PREFIX, sizeof(DATA_USER_PREFIX)-1) ||
 !strncmp(pathname, DATA_USER_DE_PREFIX, sizeof(DATA_USER_DE_PREFIX)-1) ||
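Review bot: The new exact-match branch at the top of is_app_data_path() widens what counts as app data, but neither the branch nor the function's header comment (which starts above the hunk) records that or why. Per the commit message, returning true here makes restorecon skip /data/data itself, so on builds with SELINUX_FLAGS_DATA_DATA_IGNORE the directory's own label is presumably left to whatever created it; that assumption belongs next to the check, e.g. `/* Flagged builds: treat /data/data itself as app data so restorecon skips it; its label is set at creation time (confirm). */`. Because the behaviour is chosen at compile time, it would also help to run the Test: steps on a build without the flag to confirm the directory is still relabelled there. DATA_DATA_PATH is not defined in this hunk, and the function body continues past the hunk's last line.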