From 7174ffec38b6d60105868e4fe12eb45d2a748912 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Wed, 8 Dec 2021 22:45:58 +0900
Subject: [PATCH] Fix vendor contexts files in mixed build

BOARD_PLAT_VENDOR_POLICY should be used for all vendor stuff, when in mixed sepolicy build (BOARD_SEPOLICY_VERS != PLATFORM_SEPOLICY_VERSION).
This fixes an issue that system/sepolicy/vendor has been incorrectly used in mixed sepolicy build.
Bug: 205924657
Test: Try AOSP + rvc-dev mixed sepolicy build
1) copy cuttlefish sepolicy prebuilts from rvc-dev branch.
2) set prebuilt variables:
 - BOARD_PLAT_VENDOR_POLICY
 - BOARD_REQD_MASK_POLICY
 - BOARD_(SYSTEM_EXT|PRODUCT)_PRIVATE_PREBUILT_DIRS
 - BOARD_SEPOLICY_VERS
3) lunch aosp_cf_x86_64_phone-userdebug; m selinux_policy
4) compare $OUT/vendor/etc/selinux with rvc-dev's artifacts.
Change-Id: I2ed1e25255c825c24dab99ae4903328b0400c414
---
 Android.mk | 4 ++--
 build/soong/filegroup.go | 6 +++++-
 build/soong/selinux_contexts.go | 4 +---
 mac_permissions.mk | 4 ++--
 seapp_contexts.mk | 2 +-
 5 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/Android.mk b/Android.mk
index 9ebe603a5..e487214bb 100644
--- a/Android.mk
+++ b/Android.mk
@@ -188,7 +188,7 @@ endef
 # Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
 # $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
 # Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
 build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
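Review bot: With `build_vendor_policy` now reading `$(BOARD_PLAT_VENDOR_POLICY)` unconditionally, a mixed build that leaves that variable unset passes an empty directory list to `build_policy` and the vendor contexts quietly lose their platform-side entries, unless Android.mk already defaults or validates the variable somewhere outside this hunk. The same applies to `vnd_svcfiles` in the second Android.mk hunk and to the `$(BOARD_PLAT_VENDOR_POLICY)` / `$(BOARD_REQD_MASK_POLICY)` uses in mac_permissions.mk and seapp_contexts.mk. If no such check exists, a guard next to the version comparison, `ifeq ($(BOARD_PLAT_VENDOR_POLICY),)` … `$(error BOARD_PLAT_VENDOR_POLICY must be set in a mixed sepolicy build)` … `endif`, would turn a silently wrong contexts file into a build failure. The comment above the macro should also say where the platform vendor policy comes from: `# In a mixed sepolicy build BOARD_PLAT_VENDOR_POLICY points at the prebuilt vendor policy, not system/sepolicy/vendor.`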
@@ -1230,7 +1230,7 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 include $(BUILD_SYSTEM)/base_rules.mk
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
 vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
 $(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 0d426afff..9dd4bd981 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -137,7 +137,6 @@ func (fg *fileGroup) DepsMutator(ctx android.BottomUpMutatorContext) {}
 func (fg *fileGroup) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 fg.systemPublicSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "public"))
 fg.systemPrivateSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "private"))
- fg.systemVendorSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
 fg.systemReqdMaskSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
 fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs())
@@ -146,6 +145,11 @@ func (fg *fileGroup) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
 fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
+ systemVendorDirs := ctx.DeviceConfig().BoardPlatVendorPolicy()
+ if len(systemVendorDirs) == 0 || ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
+ systemVendorDirs = []string{filepath.Join(ctx.ModuleDir(), "vendor")}
+ }
+ fg.systemVendorSrcs = fg.findSrcsInDirs(ctx, systemVendorDirs)
 fg.vendorReqdMaskSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy())
 fg.vendorSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs())
 fg.odmSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs())
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index fefdd4529..a40716ab1 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -162,9 +162,7 @@ func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleCo
 if ctx.ProductSpecific() {
 inputs = append(inputs, segroup.ProductPrivateSrcs()...)
 } else if ctx.SocSpecific() {
- if ctx.DeviceConfig().BoardSepolicyVers() == ctx.DeviceConfig().PlatformSepolicyVersion() {
- inputs = append(inputs, segroup.SystemVendorSrcs()...)
- }
+ inputs = append(inputs, segroup.SystemVendorSrcs()...)
 inputs = append(inputs, segroup.VendorSrcs()...)
 } else if ctx.DeviceSpecific() {
 inputs = append(inputs, segroup.OdmSrcs()...)
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 7827286d1..7c478b46a 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
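Review bot: The fallback on the added `if` line sends a mixed build (PlatformSepolicyVersion() != BoardSepolicyVers()) back to the in-tree `vendor` directory whenever `BoardPlatVendorPolicy()` is empty, which is the very mis-selection the commit description says it fixes, and the Android.mk side of this change reads `$(BOARD_PLAT_VENDOR_POLICY)` with no such fallback, so the two build paths can disagree on a misconfigured device. Reporting the misconfiguration would be safer: `if len(systemVendorDirs) == 0 && ctx.DeviceConfig().PlatformSepolicyVersion() != ctx.DeviceConfig().BoardSepolicyVers() { ctx.ModuleErrorf("BOARD_PLAT_VENDOR_POLICY must be set in a mixed sepolicy build") }` placed before the existing fallback. The condition also deserves a why-comment now that the version comparison removed from selinux_contexts.go lives only here: `// In a mixed sepolicy build the platform's vendor policy comes from the BOARD_PLAT_VENDOR_POLICY prebuilt; otherwise use this tree's vendor directory.` GenerateAndroidBuildActions starts and ends outside this hunk.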
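Review bot: The SocSpecific branch now appends `segroup.SystemVendorSrcs()` unconditionally, so correctness in a mixed build rests entirely on fileGroup having resolved those sources from BOARD_PLAT_VENDOR_POLICY, and nothing at this call site says so. A short comment on the added line would stop the next reader from re-adding the version check here: `// SystemVendorSrcs already resolves to BOARD_PLAT_VENDOR_POLICY in a mixed build (see fileGroup.GenerateAndroidBuildActions).` The enclosing GenerateAndroidBuildActions of selinuxContextsModule starts and ends outside the hunk.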
@@ -119,8 +119,8 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 include $(BUILD_SYSTEM)/base_rules.mk
-all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
+all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
 # Build keys.conf
 vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
index b33b82087..c0c3abbd2 100644
--- a/seapp_contexts.mk
+++ b/seapp_contexts.mk
@@ -84,7 +84,7 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 include $(BUILD_SYSTEM)/base_rules.mk
-vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_sc_files := $(call build_policy, seapp_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
 plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)