Separate system_ext_file_contexts out of system sepolicy.

Bug: 137712473 Test: boot crosshatch Change-Id: I09f63771d08ad18fb41fca801dd587b086be58c7
2019-09-09 22:04:06 +08:00 · 2019-09-09 22:04:06 +08:00 · 86a048d4df
commit 86a048d4df
parent 948934bae3
5 changed files with 32 additions and 1 deletions
--- a/Android.bp
+++ b/Android.bp
@ -198,6 +198,13 @@ file_contexts {
    recovery_available: true,
 }

+file_contexts {
+    name: "system_ext_file_contexts",
+    srcs: [":file_contexts_files"],
+    system_ext_specific: true,
+    recovery_available: true,
+}
+
 file_contexts {
    name: "product_file_contexts",
    srcs: [":file_contexts_files"],
--- a/Android.mk
+++ b/Android.mk
@ -314,6 +314,8 @@ endif
 ifdef HAS_SYSTEM_EXT_SEPOLICY
 LOCAL_REQUIRED_MODULES += \
    system_ext_sepolicy.cil \
+    system_ext_file_contexts \
+    system_ext_file_contexts_test \
    system_ext_mapping_file \

 endif
@ -1313,6 +1315,10 @@ include $(BUILD_SYSTEM)/base_rules.mk

 local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))

+ifdef HAS_SYSTEM_EXT_SEPOLICY
+local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
+endif
+
 ifdef HAS_PRODUCT_SEPOLICY
 local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
 endif
@ -1447,6 +1453,9 @@ include $(BUILD_SYSTEM)/base_rules.mk

 all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
 all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
+endif
 ifdef HAS_PRODUCT_SEPOLICY
 all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
 endif
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@ -142,9 +142,10 @@ func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleCo
 			inputs = append(inputs, segroup.VendorSrcs()...)
 		} else if ctx.DeviceSpecific() {
 			inputs = append(inputs, segroup.OdmSrcs()...)
+		} else if ctx.SystemExtSpecific() {
+			inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
 		} else {
 			inputs = append(inputs, segroup.SystemPrivateSrcs()...)
-			inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)

 			if ctx.Config().ProductCompatibleProperty() {
 				inputs = append(inputs, segroup.SystemPublicSrcs()...)
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@ -30,6 +30,7 @@ $$(LOCAL_BUILT_MODULE): $(2) $(1) $$(built_sepolicy)
 endef

 system_out := $(TARGET_OUT)/etc/selinux
+system_ext_out := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
 product_out := $(TARGET_OUT_PRODUCT)/etc/selinux
 vendor_out := $(TARGET_OUT_VENDOR)/etc/selinux
 odm_out := $(TARGET_OUT_ODM)/etc/selinux
@ -49,6 +50,17 @@ $(eval $(call run_contexts_test, $(system_out)/plat_file_contexts, $(checkfc),))
 ##################################
 include $(CLEAR_VARS)

+LOCAL_MODULE := system_ext_file_contexts_test
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_file_contexts, $(checkfc),))
+
+##################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := product_file_contexts_test
 LOCAL_MODULE_CLASS := FAKE
 LOCAL_MODULE_TAGS := optional
--- a/private/file_contexts
+++ b/private/file_contexts
@ -422,6 +422,8 @@
 /(system_ext|system/system_ext)/etc/passwd          u:object_r:system_passwd_file:s0
 /(system_ext|system/system_ext)/overlay(/.*)?       u:object_r:vendor_overlay_file:s0

+/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts  u:object_r:file_contexts_file:s0
+
 #############################
 # Vendor files from /(product|system/product)/vendor_overlay
 #