Change mapping file name to reflect its platform version.
As the platform progresses in the split SELinux world, the platform will need to maintain mapping files back to previous platform versions to maintain backwards compatibility with vendor images which have SELinux policy written based on the older versions. This requires shipping multiple mapping files with the system image so that the right one can be selected. Change the name and location of the mapping file to reflect this. Also add a file to the vendor partition indicating which version is being targeted that the platform can use to determine which mapping file to choose. Bug: 36783775 Test: Force compilation of sepolicy on-device with mapping file changed to new location and name, using the value reported on /vendor. Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4
parent
976fb16bc1
commit
4f9a648e90
3 changed files with 59 additions and 38 deletions
Android.mk
|
@ -24,38 +24,6 @@ PLATFORM_SEPOLICY_VERSION := $(join $(addsuffix .,$(sepolicy_major_vers)), $(sep
|
|||
sepolicy_major_vers :=
|
||||
sepolicy_minor_vers :=
|
||||
|
||||
include $(CLEAR_VARS)
|
||||
LOCAL_MODULE := selinux_policy
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
# Include SELinux policy. We do this here because different modules
|
||||
# need to be included based on the value of PRODUCT_FULL_TREBLE. This
|
||||
# type of conditional inclusion cannot be done in top-level files such
|
||||
# as build/target/product/embedded.mk.
|
||||
# This conditional inclusion closely mimics the conditional logic
|
||||
# inside init/init.cpp for loading SELinux policy from files.
|
||||
ifeq ($(PRODUCT_FULL_TREBLE),true)
|
||||
# Use split SELinux policy
|
||||
LOCAL_REQUIRED_MODULES += \
|
||||
mapping_sepolicy.cil \
|
||||
nonplat_sepolicy.cil \
|
||||
plat_sepolicy.cil \
|
||||
plat_and_mapping_sepolicy.cil.sha256 \
|
||||
secilc \
|
||||
nonplat_file_contexts \
|
||||
plat_file_contexts
|
||||
|
||||
# Include precompiled policy, unless told otherwise
|
||||
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
|
||||
LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
|
||||
endif
|
||||
|
||||
else
|
||||
# Use monolithic SELinux policy
|
||||
LOCAL_REQUIRED_MODULES += sepolicy \
|
||||
file_contexts.bin
|
||||
endif
|
||||
include $(BUILD_PHONY_PACKAGE)
|
||||
|
||||
include $(CLEAR_VARS)
|
||||
# SELinux policy version.
|
||||
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
|
||||
|
@ -197,6 +165,42 @@ ifneq (,$(filter address,$(SANITIZE_TARGET)))
|
|||
with_asan := true
|
||||
endif
|
||||
|
||||
include $(CLEAR_VARS)
|
||||
LOCAL_MODULE := selinux_policy
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
# Include SELinux policy. We do this here because different modules
|
||||
# need to be included based on the value of PRODUCT_FULL_TREBLE. This
|
||||
# type of conditional inclusion cannot be done in top-level files such
|
||||
# as build/target/product/embedded.mk.
|
||||
# This conditional inclusion closely mimics the conditional logic
|
||||
# inside init/init.cpp for loading SELinux policy from files.
|
||||
ifeq ($(PRODUCT_FULL_TREBLE),true)
|
||||
|
||||
platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
|
||||
|
||||
# Use split SELinux policy
|
||||
LOCAL_REQUIRED_MODULES += \
|
||||
$(platform_mapping_file) \
|
||||
nonplat_sepolicy.cil \
|
||||
plat_sepolicy.cil \
|
||||
plat_and_mapping_sepolicy.cil.sha256 \
|
||||
secilc \
|
||||
nonplat_file_contexts \
|
||||
plat_file_contexts \
|
||||
plat_sepolicy_vers.txt
|
||||
|
||||
# Include precompiled policy, unless told otherwise
|
||||
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
|
||||
LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
|
||||
endif
|
||||
|
||||
else
|
||||
# Use monolithic SELinux policy
|
||||
LOCAL_REQUIRED_MODULES += sepolicy \
|
||||
file_contexts.bin
|
||||
endif
|
||||
include $(BUILD_PHONY_PACKAGE)
|
||||
|
||||
##################################
|
||||
# reqd_policy_mask - a policy.conf file which contains only the bare minimum
|
||||
# policy necessary to use checkpolicy. This bare-minimum policy needs to be
|
||||
|
@ -335,10 +339,26 @@ plat_policy.conf :=
|
|||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := mapping_sepolicy.cil
|
||||
LOCAL_MODULE := plat_sepolicy_vers.txt
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
|
||||
LOCAL_PROPRIETARY_MODULE := true
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
|
||||
$(LOCAL_BUILT_MODULE) :
|
||||
mkdir -p $(dir $@)
|
||||
echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
|
||||
|
||||
#################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := $(platform_mapping_file)
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
|
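Review bot: The recipe for plat_sepolicy_vers.txt writes `$(BOARD_SEPOLICY_VERS)` into the file with no check that the variable is set, and the same value names the mapping module through `LOCAL_MODULE := $(platform_mapping_file)`; an empty value yields a module called `.cil` and an empty version file, which init would then use to choose a mapping file. A parse-time guard next to the platform_mapping_file assignment fails early instead: `ifeq ($(strip $(BOARD_SEPOLICY_VERS)),)` / `$(error BOARD_SEPOLICY_VERS must be set to the targeted platform sepolicy version)` / `endif`. platform_mapping_file is assigned only inside the `ifeq ($(PRODUCT_FULL_TREBLE),true)` block of the previous hunk, while the `LOCAL_MODULE := $(platform_mapping_file)` definition here looks unconditional; unless it sits inside a matching guard outside the hunk, a non-Treble build reaches base_rules.mk with an empty LOCAL_MODULE. The version-file rule also has no prerequisites, so an incremental build after BOARD_SEPOLICY_VERS changes keeps the stale file; making `$(LOCAL_BUILT_MODULE)` depend on the makefile that defines the value, or otherwise forcing regeneration when it changes, avoids the platform selecting the wrong mapping file.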
|
|
@ -70,3 +70,4 @@ $(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_property
|
|||
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/mapping_sepolicy.cil)
|
||||
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
|
||||
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
|
||||
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/mapping_sepolicy.cil)
|
||||
|
|
|
@ -248,14 +248,14 @@
|
|||
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
|
||||
/system/bin/vr_wm u:object_r:vr_wm_exec:s0
|
||||
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
|
||||
/system/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
|
||||
/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
|
||||
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
|
||||
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
|
||||
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
|
||||
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
|
||||
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
|
||||
/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
|
||||
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
|
||||
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
|
||||
|
||||
#############################
|
||||
|
@ -284,7 +284,7 @@
|
|||
/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
|
||||
|
||||
#############################
|
||||
|
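Review bot: The new vendor file `/vendor/etc/selinux/plat_sepolicy_vers.txt` installed by the Android.mk change gets no entry in this hunk, while every other policy input under /vendor/etc/selinux here is labeled explicitly, so it takes whatever the generic /vendor rule assigns. If only pre-policy init reads it that is harmless, but for consistency with the files beside it add `/vendor/etc/selinux/plat_sepolicy_vers\.txt u:object_r:sepolicy_file:s0`. The mapping pattern added in the first hunk, `/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil`, only matches a `<major>.<minor>` BOARD_SEPOLICY_VERS; a value of any other shape produces a mapping file that is not labeled sepolicy_file, so the version format should be enforced where BOARD_SEPOLICY_VERS is consumed in Android.mk.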
|