From 814f3deb9417d5ea93ebbb7d9a48c22e6b4c4ed5 Mon Sep 17 00:00:00 2001
From: Yi-Yo Chiang
Date: Sat, 11 Sep 2021 19:24:22 +0800
Subject: [PATCH] Add system_ext_userdebug_plat_sepolicy.cil for GSI

system_ext_userdebug_plat_sepolicy.cil is a copy of userdebug_plat_sepolicy.cil (debug_ramdisk) that's installed in the system_ext partition. The build rule is gated by a BoardConfig variable, so products other than GSI cannot accidentally install this module.

Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I43adc6adad5e08dcc8e106d18fdacef962310883
---
 Android.bp | 30 ++++++++++++++++++++++++++++++
 private/file_contexts | 1 +
 2 files changed, 31 insertions(+)

diff --git a/Android.bp b/Android.bp
index 4d4fb99b7..a815d9da0 100644
--- a/Android.bp
+++ b/Android.bp
@@ -792,6 +792,36 @@ se_policy_cil {
 debug_ramdisk: true,
 }

+// A copy of the userdebug_plat_policy in GSI.
+soong_config_module_type {
+ name: "gsi_se_policy_cil",
+ module_type: "se_policy_cil",
+ config_namespace: "ANDROID",
+ bool_variables: [
+ "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
+ ],
+ properties: [
+ "enabled",
+ "installable",
+ ],
+}
+
+gsi_se_policy_cil {
+ name: "system_ext_userdebug_plat_sepolicy.cil",
+ stem: "userdebug_plat_sepolicy.cil",
+ src: ":userdebug_plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ system_ext_specific: true,
+ enabled: false,
+ installable: false,
+ soong_config_variables: {
+ PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
+ enabled: true,
+ installable: true,
+ },
+ },
+}
+
 // system_ext_policy.conf - A combination of the private and public system_ext
 // policy which will ship with the device. System_ext policy is not attributized
 se_policy_conf {
diff --git a/private/file_contexts b/private/file_contexts
index 88496021e..ed972c04d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
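Review bot: The comment above `soong_config_module_type` in the Android.bp hunk ("A copy of the userdebug_plat_policy in GSI") does not record the security contract of this module: it puts the userdebug platform policy on system_ext, and the only gate visible here is the opt-in bool `PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT`, which any board configuration could set. Nothing in the hunk restricts it to GSI targets, so the description's "cannot accidentally install" presumably relies on where the variable is defined, outside this diff. I would expand the comment to something like `// Debug (userdebug) platform policy installed to system_ext for GSI only. Off unless PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT is set; never set it on production products.` and correct the name to `userdebug_plat_sepolicy.cil`. It would also help to say which component loads this copy and under what condition (presumably only when a debug ramdisk is present), since that is what keeps the file inert on a locked user build.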
@@ -477,6 +477,7 @@
 /(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(system_ext|system/system_ext)/etc/selinux/userdebug_plat_sepolicy\.cil u:object_r:sepolicy_file:s0
 /(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
 /(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0