From 4eb68150aa0cf79dd375d80886aa59c693e5bcda Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Wed, 23 Jan 2019 09:47:05 -0800
Subject: [PATCH] Move selinux_denial_metadata to /vendor.

selinux_denial_metadate is an concatenation of different bug maps on the
device, including vendor one. This file is only used for debugging, so
we simply move it to /vendor instead of splitting it up.

/vendor/etc/selinux/selinux_denial_metadata has vendor_configs_file
selinux type, which is logd readable.

Bug: 5159394
Test: bug information is still preserved in avc logs, e.g.
audit(0.0:248): avc: denied { read } for
name="u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=18012
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=0
b/79617173 app=com.android.systemui
Change-Id: Id5eb9abd3bdeed92feb2aca40880903533468d50
---
 Android.mk | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/Android.mk b/Android.mk
index a6c4f2a73..eed488afb 100644
--- a/Android.mk
+++ b/Android.mk
@@ -217,12 +217,6 @@ LOCAL_REQUIRED_MODULES += \
 
 endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
 
-ifneq ($(TARGET_BUILD_VARIANT), user)
-LOCAL_REQUIRED_MODULES += \
-    selinux_denial_metadata \
-
-endif
-
 ifneq ($(with_asan),true)
 ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 LOCAL_REQUIRED_MODULES += \
@@ -292,6 +286,12 @@ LOCAL_REQUIRED_MODULES += \
     product_mapping_file \
     product_sepolicy_and_mapping.sha256 \
 
+endif
+
+ifneq ($(TARGET_BUILD_VARIANT), user)
+LOCAL_REQUIRED_MODULES += \
+    selinux_denial_metadata \
+
 endif
 include $(BUILD_PHONY_PACKAGE)
 
@@ -1085,7 +1085,7 @@ include $(CLEAR_VARS)
 
 LOCAL_MODULE := selinux_denial_metadata
 LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 
 include $(BUILD_SYSTEM)/base_rules.mk