diff --git a/Android.bp b/Android.bp index 999333d35..3c99744ab 100644 --- a/Android.bp +++ b/Android.bp @@ -687,6 +687,21 @@ se_policy_cil { additional_cil_files: ["private/technical_debt.cil"], } +// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil +se_policy_conf { + name: "userdebug_plat_sepolicy.conf", + srcs: [":se_build_files{.plat}"], + build_variant: "userdebug", + installable: false, +} + +se_policy_cil { + name: "userdebug_plat_sepolicy.cil", + src: ":userdebug_plat_sepolicy.conf", + additional_cil_files: ["private/technical_debt.cil"], + debug_ramdisk: true, +} + // system_ext_policy.conf - A combination of the private and public system_ext // policy which will ship with the device. System_ext policy is not attributized se_policy_conf { diff --git a/Android.mk b/Android.mk index 7e83f7084..9feb39260 100644 --- a/Android.mk +++ b/Android.mk @@ -795,55 +795,6 @@ CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0 ################################# include $(CLEAR_VARS) -LOCAL_MODULE := userdebug_plat_sepolicy.cil -LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered -LOCAL_LICENSE_CONDITIONS := notice unencumbered -LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT) - -include $(BUILD_SYSTEM)/base_rules.mk - -# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil -policy_files := $(call build_policy, $(sepolicy_build_files), \ - $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) -userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf -$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) -$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug -$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) -$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) -$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) -$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) -$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) -$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) -$(userdebug_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) -$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) -$(userdebug_plat_policy.conf): $(policy_files) $(M4) - $(transform-policy-to-conf) - $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit - -$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \ - $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) -$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG) -$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \ - $(HOST_OUT_EXECUTABLES)/secilc \ - $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \ - $(built_sepolicy_neverallows) - @mkdir -p $(dir $@) - $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \ - $(POLICYVERS) -o $@.tmp $< - $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp - $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null - $(hide) mv $@.tmp $@ - -userdebug_plat_policy.conf := - -################################# -include $(CLEAR_VARS) - # vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined # with the platform-provided policy. It makes use of the reqd_policy_mask files from private # policy and the platform public policy files in order to use checkpolicy. diff --git a/build/soong/policy.go b/build/soong/policy.go index d734c97f0..9d574c98e 100644 --- a/build/soong/policy.go +++ b/build/soong/policy.go @@ -317,7 +317,12 @@ func (c *policyCil) GenerateAndroidBuildActions(ctx android.ModuleContext) { conf := android.PathForModuleSrc(ctx, *c.properties.Src) cil := c.compileConfToCil(ctx, conf) - c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux") + if c.InstallInDebugRamdisk() { + // for userdebug_plat_sepolicy.cil + c.installPath = android.PathForModuleInstall(ctx) + } else { + c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux") + } c.installSource = cil ctx.InstallFile(c.installPath, c.stem(), c.installSource) diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go index d7a079825..a9aed6024 100644 --- a/build/soong/selinux_contexts.go +++ b/build/soong/selinux_contexts.go @@ -257,6 +257,10 @@ func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.BaseModul return false } +func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool { + return false +} + func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool { return m.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available) }