diff --git a/Android.bp b/Android.bp index 402821553..cac07480d 100644 --- a/Android.bp +++ b/Android.bp @@ -142,6 +142,7 @@ se_policy_conf { system_ext_public_policy + product_public_policy + reqd_mask_policy, + vendor: true, installable: false, } @@ -150,6 +151,7 @@ se_policy_cil { src: ":pub_policy.conf", filter_out: [":reqd_policy_mask.cil"], secilc_check: false, + vendor: true, installable: false, } @@ -158,6 +160,7 @@ se_policy_conf { srcs: plat_public_policy + system_ext_public_policy + reqd_mask_policy, + system_ext_specific: true, installable: false, } @@ -166,6 +169,7 @@ se_policy_cil { src: ":system_ext_pub_policy.conf", filter_out: [":reqd_policy_mask.cil"], secilc_check: false, + system_ext_specific: true, installable: false, } @@ -290,6 +294,7 @@ se_policy_conf { plat_private_policy + system_ext_public_policy + system_ext_private_policy, + system_ext_specific: true, installable: false, } @@ -311,6 +316,7 @@ se_policy_conf { system_ext_private_policy + product_public_policy + product_private_policy, + product_specific: true, installable: false, } @@ -476,6 +482,7 @@ se_policy_conf { ":se_build_files{.plat_vendor_for_vendor}", ":se_build_files{.vendor}", ], + vendor: true, installable: false, } @@ -484,6 +491,7 @@ se_policy_cil { src: ":vendor_sepolicy.conf", filter_out: [":reqd_policy_mask_for_vendor.cil"], secilc_check: false, // will be done in se_versioned_policy module + vendor: true, installable: false, } @@ -511,6 +519,7 @@ se_policy_conf { ":se_build_files{.vendor}", ":se_build_files{.odm}", ], + device_specific: true, installable: false, } @@ -522,6 +531,7 @@ se_policy_cil { ":vendor_sepolicy.cil", ], secilc_check: false, // will be done in se_versioned_policy module + device_specific: true, installable: false, } @@ -795,6 +805,7 @@ se_policy_conf { ], target_recovery: true, installable: false, + recovery: true, } se_policy_cil { @@ -802,6 +813,7 @@ se_policy_cil { src: ":recovery_sepolicy.conf", secilc_check: false, // will be done in se_policy_binary module installable: false, + recovery: true, } se_policy_binary { @@ -864,6 +876,7 @@ se_policy_conf { system_ext_private_policy, build_variant: "user", installable: false, + system_ext_specific: true, } se_policy_cil { @@ -892,6 +905,7 @@ se_policy_conf { product_private_policy, build_variant: "user", installable: false, + product_specific: true, } se_policy_cil { @@ -936,6 +950,7 @@ se_policy_conf { reqd_mask_policy, build_variant: "user", installable: false, + system_ext_specific: true, } se_policy_cil { @@ -944,6 +959,7 @@ se_policy_cil { filter_out: [":reqd_policy_mask.cil"], secilc_check: false, installable: false, + system_ext_specific: true, } se_policy_conf { @@ -954,6 +970,7 @@ se_policy_conf { reqd_mask_policy, build_variant: "user", installable: false, + product_specific: true, } se_policy_cil { @@ -962,6 +979,7 @@ se_policy_cil { filter_out: [":reqd_policy_mask.cil"], secilc_check: false, installable: false, + product_specific: true, } // bug_map - Bug tracking information for selinux denials loaded by auditd. @@ -1008,6 +1026,7 @@ se_neverallow_test { ":se_build_files{.vendor}", ":se_build_files{.odm}", ], + vendor: true, } ////////////////////////////////// diff --git a/build/soong/policy.go b/build/soong/policy.go index aea8e0961..7c1aab211 100644 --- a/build/soong/policy.go +++ b/build/soong/policy.go @@ -209,7 +209,7 @@ func findPolicyConfOrder(name string) int { } func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath { - conf := android.PathForModuleOut(ctx, c.stem()).OutputPath + conf := pathForModuleOut(ctx, c.stem()) rule := android.NewRuleBuilder(pctx, ctx) srcs := android.PathsForModuleSrc(ctx, c.properties.Srcs) @@ -340,7 +340,7 @@ func (c *policyCil) stem() string { } func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath { - cil := android.PathForModuleOut(ctx, c.stem()).OutputPath + cil := pathForModuleOut(ctx, c.stem()) rule := android.NewRuleBuilder(pctx, ctx) checkpolicyCmd := rule.Command().BuiltTool("checkpolicy"). Flag("-C"). // Write CIL @@ -496,7 +496,7 @@ func (c *policyBinary) GenerateAndroidBuildActions(ctx android.ModuleContext) { ctx.PropertyErrorf("srcs", "must be specified") return } - bin := android.PathForModuleOut(ctx, c.stem()+"_policy") + bin := pathForModuleOut(ctx, c.stem()+"_policy") rule := android.NewRuleBuilder(pctx, ctx) secilcCmd := rule.Command().BuiltTool("secilc"). Flag("-m"). // Multiple decls @@ -514,7 +514,7 @@ func (c *policyBinary) GenerateAndroidBuildActions(ctx android.ModuleContext) { // permissive check is performed only in user build (not debuggable). if !ctx.Config().Debuggable() { - permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive") + permissiveDomains := pathForModuleOut(ctx, c.stem()+"_permissive") cmd := rule.Command().BuiltTool("sepolicy-analyze"). Input(bin). Text("permissive") @@ -544,7 +544,7 @@ func (c *policyBinary) GenerateAndroidBuildActions(ctx android.ModuleContext) { Text("; exit 1; fi") } - out := android.PathForModuleOut(ctx, c.stem()) + out := pathForModuleOut(ctx, c.stem()) rule.Command().Text("cp"). Flag("-f"). Input(bin). diff --git a/build/soong/selinux.go b/build/soong/selinux.go index 7ad4776ac..5fbe01ebe 100644 --- a/build/soong/selinux.go +++ b/build/soong/selinux.go @@ -28,3 +28,15 @@ type dependencyTag struct { var ( pctx = android.NewPackageContext("android/soong/selinux") ) + +// pathForModuleOut is same as android.PathForModuleOut, except that it uses DeviceName() as its +// intermediate directory name for system_ext/product/vendor/odm modules, to avoid rebuilding upon +// target change. Contents of system modules (core sepolicy) should be identical across devices, so +// they falls back to android.PathForModuleOut. +func pathForModuleOut(ctx android.ModuleContext, paths ...string) android.OutputPath { + if ctx.Platform() && !ctx.InstallInRecovery() { + return android.PathForModuleOut(ctx, paths...).OutputPath + } + + return android.PathForModuleOut(ctx, ctx.Config().DeviceName()).Join(ctx, paths...) +} diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go index 7faafc683..587fe9192 100644 --- a/build/soong/selinux_contexts.go +++ b/build/soong/selinux_contexts.go @@ -243,11 +243,11 @@ func (m *selinuxContextsModule) SetImageVariation(ctx android.BaseModuleContext, var _ android.ImageInterface = (*selinuxContextsModule)(nil) func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path { - builtContext := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out") + builtContext := pathForModuleOut(ctx, ctx.ModuleName()+"_m4out") rule := android.NewRuleBuilder(pctx, ctx) - newlineFile := android.PathForModuleGen(ctx, "newline") + newlineFile := pathForModuleOut(ctx, "newline") rule.Command().Text("echo").FlagWithOutput("> ", newlineFile) rule.Temporary(newlineFile) @@ -267,7 +267,7 @@ func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, if proptools.Bool(m.properties.Remove_comment) { rule.Temporary(builtContext) - remove_comment_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_remove_comment") + remove_comment_output := pathForModuleOut(ctx, ctx.ModuleName()+"_remove_comment") rule.Command(). Text("sed -e 's/#.*$//' -e '/^$/d'"). @@ -280,7 +280,7 @@ func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, if proptools.Bool(m.properties.Fc_sort) { rule.Temporary(builtContext) - sorted_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_sorted") + sorted_output := pathForModuleOut(ctx, ctx.ModuleName()+"_sorted") rule.Command(). Tool(ctx.Config().HostToolPath(ctx, "fc_sort")). @@ -290,7 +290,7 @@ func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, builtContext = sorted_output } - ret := android.PathForModuleGen(ctx, m.stem()) + ret := pathForModuleOut(ctx, m.stem()) rule.Temporary(builtContext) rule.Command().Text("cp").Input(builtContext).Output(ret) @@ -309,7 +309,7 @@ func (m *selinuxContextsModule) buildFileContexts(ctx android.ModuleContext, inp if ctx.Config().FlattenApex() { for _, path := range android.PathsForModuleSrc(ctx, m.fileContextsProperties.Flatten_apex.Srcs) { - out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel()) + out := pathForModuleOut(ctx, "flattened_apex", path.Rel()) apex_path := "/system/apex/" + strings.Replace( strings.TrimSuffix(path.Base(), "-file_contexts"), ".", "\\\\.", -1) @@ -394,7 +394,7 @@ func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleC cmd.Flag("--strict") } - out := android.PathForModuleGen(ctx, "namespace_checked").Join(ctx, input.String()) + out := pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String()) rule.Command().Text("cp -f").Input(input).Output(out) ret = append(ret, out) } @@ -426,7 +426,7 @@ func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, // check compatibility with sysprop_library if len(apiFiles) > 0 { - out := android.PathForModuleGen(ctx, ctx.ModuleName()+"_api_checked") + out := pathForModuleOut(ctx, ctx.ModuleName()+"_api_checked") rule := android.NewRuleBuilder(pctx, ctx) msg := `\n******************************\n` + @@ -452,8 +452,8 @@ func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, } func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path { - neverallowFile := android.PathForModuleGen(ctx, "neverallow") - ret := android.PathForModuleGen(ctx, m.stem()) + neverallowFile := pathForModuleOut(ctx, "neverallow") + ret := pathForModuleOut(ctx, m.stem()) rule := android.NewRuleBuilder(pctx, ctx) rule.Command().Text("(grep"). @@ -547,7 +547,7 @@ type contextsTestModule struct { flags []string properties contextsTestProperties - testTimestamp android.ModuleOutPath + testTimestamp android.OutputPath } // checkfc parses a context file and checks for syntax errors. @@ -622,7 +622,7 @@ func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleConte Input(sepolicy). Inputs(srcs) - m.testTimestamp = android.PathForModuleOut(ctx, "timestamp") + m.testTimestamp = pathForModuleOut(ctx, "timestamp") rule.Command().Text("touch").Output(m.testTimestamp) rule.Build("contexts_test", "running contexts test: "+ctx.ModuleName()) } diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go index 98dd3cf03..fc47ab34f 100644 --- a/build/soong/sepolicy_neverallow.go +++ b/build/soong/sepolicy_neverallow.go @@ -36,7 +36,7 @@ type neverallowTestProperties struct { type neverallowTestModule struct { android.ModuleBase properties neverallowTestProperties - testTimestamp android.ModuleOutPath + testTimestamp android.OutputPath } type nameProperties struct { @@ -98,7 +98,7 @@ func (n *neverallowTestModule) DepsMutator(ctx android.BottomUpMutatorContext) { } func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) { - n.testTimestamp = android.PathForModuleOut(ctx, "timestamp") + n.testTimestamp = pathForModuleOut(ctx, "timestamp") if ctx.Config().SelinuxIgnoreNeverallows() { // just touch android.WriteFileRule(ctx, n.testTimestamp, "") @@ -146,7 +146,7 @@ func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleCon rule := android.NewRuleBuilder(pctx, ctx) // Step 1. Build a binary policy from the conf file including build test - binaryPolicy := android.PathForModuleOut(ctx, "policy") + binaryPolicy := pathForModuleOut(ctx, "policy") rule.Command().BuiltTool("checkpolicy"). Flag("-M"). FlagWithArg("-c ", strconv.Itoa(PolicyVers)). diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go index c316d2a80..be396e366 100644 --- a/build/soong/versioned_policy.go +++ b/build/soong/versioned_policy.go @@ -103,7 +103,7 @@ func (m *versionedPolicy) GenerateAndroidBuildActions(ctx android.ModuleContext) stem = ctx.ModuleName() } - out := android.PathForModuleOut(ctx, stem) + out := pathForModuleOut(ctx, stem) rule := android.NewRuleBuilder(pctx, ctx) if proptools.String(m.properties.Base) == "" {