Move mapping_sepolicy.cil to /system partition.
This is a necessary first step to finalizing the SELinux policy build process. The mapping_sepolicy.cil file is required to provide backward compatibility with the indicated vendor-targeted version. This still needs to be extended to provide N mapping files and corresponding SHA256 outputs, one for each of the N previous platform versions with which we're backward-compatible. Bug: 36783775 Test: boot device with matching sha256 and non-matching and verify that device boots and uses either precompiled or compiled policy as needed. Also verify that mapping_sepolicy.cil has moved. Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
parent
7c3dbfeb69
commit
0e9c47c0af
3 changed files with 29 additions and 25 deletions
44
Android.mk
44
Android.mk
|
@ -15,14 +15,14 @@ LOCAL_REQUIRED_MODULES += \
|
|||
mapping_sepolicy.cil \
|
||||
nonplat_sepolicy.cil \
|
||||
plat_sepolicy.cil \
|
||||
plat_sepolicy.cil.sha256 \
|
||||
plat_and_mapping_sepolicy.cil.sha256 \
|
||||
secilc \
|
||||
nonplat_file_contexts \
|
||||
plat_file_contexts
|
||||
|
||||
# Include precompiled policy, unless told otherwise
|
||||
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
|
||||
LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat.sha256
|
||||
LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
|
||||
endif
|
||||
|
||||
else
|
||||
|
@ -310,24 +310,10 @@ plat_policy.conf :=
|
|||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := plat_sepolicy.cil.sha256
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
$(LOCAL_BUILT_MODULE): $(built_plat_cil)
|
||||
sha256sum $^ | cut -d' ' -f1 > $@
|
||||
|
||||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := mapping_sepolicy.cil
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_PROPRIETARY_MODULE := true
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
|
@ -357,6 +343,19 @@ current_mapping.cil :=
|
|||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil)
|
||||
cat $^ | sha256sum | cut -d' ' -f1 > $@
|
||||
|
||||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := nonplat_sepolicy.cil
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
|
@ -444,10 +443,11 @@ $(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
|
|||
built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
|
||||
|
||||
#################################
|
||||
# SHA-256 digest of the plat_sepolicy.cil file against which precompiled_policy was built.
|
||||
# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
|
||||
# which precompiled_policy was built.
|
||||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
LOCAL_MODULE := precompiled_sepolicy.plat.sha256
|
||||
LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_PROPRIETARY_MODULE := true
|
||||
|
@ -455,9 +455,9 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
|
|||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILE := $(built_plat_cil)
|
||||
$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil)
|
||||
sha256sum $(PRIVATE_CIL_FILE) | cut -d' ' -f1 > $@
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
|
||||
$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil)
|
||||
cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
|
||||
|
||||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
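Review bot: The two digests that decide whether the precompiled policy can be used are computed from separately written file lists, `cat $^` in the `plat_and_mapping_sepolicy.cil.sha256` rule and `cat $(PRIVATE_CIL_FILES)` in the `precompiled_sepolicy.plat_and_mapping.sha256` rule, so they agree only while both lists name the same files in the same order. If either list were later reordered, the hashes would differ on every build, and going by the commit's test description the device would then quietly fall back to compiling policy at boot instead of failing visibly. Defining the list once, e.g. `plat_and_mapping_cil_files := $(built_plat_cil) $(built_mapping_cil)`, and hashing that variable in both recipes would remove the hidden coupling. Separately, both recipes end in `| cut -d' ' -f1 > $@`, so a failing `cat` or `sha256sum` would be masked unless the build shell enables pipefail, which is worth confirming.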
|
|
|
@ -65,4 +65,8 @@ $(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/property_contexts)
|
|||
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/property_contexts)
|
||||
|
||||
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_property_contexts)
|
||||
|
||||
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_property_contexts)
|
||||
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/mapping_sepolicy.cil)
|
||||
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
|
||||
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
|
||||
|
|
|
@ -247,13 +247,14 @@
|
|||
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
|
||||
/system/bin/vr_wm u:object_r:vr_wm_exec:s0
|
||||
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
|
||||
/system/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
|
||||
/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
|
||||
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
|
||||
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
|
||||
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
|
||||
/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
|
||||
/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
|
||||
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
|
||||
|
||||
#############################
|
||||
|
@ -273,7 +274,6 @@
|
|||
# HAL location
|
||||
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
|
||||
|
||||
/vendor/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
|
||||
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
|
||||
|
@ -281,7 +281,7 @@
|
|||
/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
|
||||
|
||||
#############################
|
||||
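Review bot: The entries for `/system/etc/selinux/mapping_sepolicy.cil`, `/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256` and `/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256` leave the dots in the file names unescaped, while the `android\.hidl\.allocator@1\.0-service` entry shown in the first hunk escapes them. Paths in file_contexts are regular expressions, so an unescaped `.` matches any character and the `sepolicy_file` label covers slightly more names than the one intended. The neighbouring selinux entries are written the same way, so this may be deliberate house style. If it is not, writing e.g. `/system/etc/selinux/mapping_sepolicy\.cil` makes each entry match only the literal file name.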
|
|