From 8e0ca8867eac09f8fd740485f147684d6a88b803 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Wed, 1 Apr 2015 10:14:56 -0400
Subject: [PATCH] Drop BOARD_SEPOLICY_UNION.

As suggested in the comments on https://android-review.googlesource.com/#/c/141560/ drop BOARD_SEPOLICY_UNION and simplify the build_policy logic. Union all files found under BOARD_SEPOLICY_DIRS. Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error to catch any lingering uses and force updating of the BoardConfig.mk files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid breaking the build until all device BoardConfig*.mk files have been updated, and since they should be harmless - the files will be unioned regardless.

Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley
---
 Android.mk | 25 +++++--------------------
 README | 39 +++++++++------------------------------
 2 files changed, 14 insertions(+), 50 deletions(-)

diff --git a/Android.mk b/Android.mk
index f7d103cce..3635a01a2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -18,28 +18,13 @@ ifdef BOARD_SEPOLICY_IGNORE
 $(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
 endif

-# Quick edge case error detection for BOARD_SEPOLICY_UNION.
-# This ensures that a requested union file exists somewhere
-# in one of the listed BOARD_SEPOLICY_DIRS.
-$(foreach pf, $(BOARD_SEPOLICY_UNION), \
- $(if $(filter 0, $(words $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))))), \
- $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)), \
- ) \
-)
+ifdef BOARD_SEPOLICY_UNION
+$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
+endif

-# Builds paths for all requested policy files w.r.t
-# BOARD_SEPOLICY_UNION variables.
+# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
 # $(1): the set of policy name paths to build
-build_policy = $(foreach type, $(1), \
- $(foreach expanded_type, $(notdir $(wildcard $(addsuffix /$(type), $(LOCAL_PATH)))), \
- $(LOCAL_PATH)/$(expanded_type) \
- ) \
- $(foreach union_policy, $(wildcard $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS))), \
- $(if $(filter $(notdir $(union_policy)), $(BOARD_SEPOLICY_UNION)), \
- $(union_policy), \
- ) \
- ) \
- )
+build_policy = $(foreach type, $(1), $(wildcard $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS))))

 sepolicy_build_files := security_classes \
 initial_sids \
diff --git a/README b/README
index f16790e03..8202c67af 100644
--- a/README
+++ b/README
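Review bot: With the per-file existence check removed, nothing in this hunk fails the build when a BOARD_SEPOLICY_DIRS entry is mistyped or missing. The new `build_policy` relies on `$(wildcard ...)`, which expands to nothing for a path that does not exist, so the device policy would be silently left out of the build. A directory-level guard next to the new `ifdef BOARD_SEPOLICY_UNION` block would restore a loud failure, e.g. `$(foreach d, $(BOARD_SEPOLICY_DIRS), $(if $(wildcard $(d)),, $(error BOARD_SEPOLICY_DIRS entry $(d) does not exist)))`. Separately, a board that kept a policy file in one of those directories without listing it in BOARD_SEPOLICY_UNION now gets that file concatenated into the policy. The `$(warning ...)` text could say that the effective policy may change and point at policy.conf for review.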
@@ -9,41 +9,22 @@ Policy Generation: Additional, per device, policy files can be added into the policy build. -They can be configured through the use of two variables, -they are: -1. BOARD_SEPOLICY_UNION -2. BOARD_SEPOLICY_DIRS - -The variables should be set in the BoardConfig.mk file in +They can be configured through the use of the BOARD_SEPOLICY_DIRS +variable. This variable should be set in the BoardConfig.mk file in the device or vendor directories. -BOARD_SEPOLICY_UNION is a list of files that will be -"unioned", IE concatenated, at the END of their respective -file in external/sepolicy. Note, to add a unique file you -would use this variable. - BOARD_SEPOLICY_DIRS contains a list of directories to search -for BOARD_SEPOLICY_UNION files. Order matters in this list. -eg.) If you have BOARD_SEPOLICY_UNION += widget.te and have 2 -instances of widget.te files on BOARD_SEPOLICY_DIRS search path. -The first one found (at the first search dir containing the file) -gets processed first. +for additional policy files. Order matters in this list. +For example, if you have 2 instances of widget.te files in the +BOARD_SEPOLICY_DIRS search path, then the first one found (at the +first search dir containing the file) will be concatenated first. Reviewing out/target/product//etc/sepolicy_intermediates/policy.conf will help sort out ordering issues. -It is an error to specify a BOARD_POLICY_UNION file that -doesn't appear in any of the BOARD_SEPOLICY_DIRS locations. - Example BoardConfig.mk Usage: From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk -BOARD_SEPOLICY_DIRS += \ - device/samsung/tuna/sepolicy - -BOARD_SEPOLICY_UNION += \ - genfs_contexts \ - file_contexts \ - sepolicy.te +BOARD_SEPOLICY_DIRS += device/samsung/tuna/sepolicy SPECIFIC POLICY FILE INFORMATION 
@@ -55,8 +36,7 @@ mac_permissions.xml: top of that file. The seinfo string, previously mentioned, is the same string that is referenced in seapp_contexts. - This file can be appended to by using the BOARD_SEPOLICY_UNION - variable. It is important to note the final processed version of this file + It is important to note the final processed version of this file is stripped of comments and whitespace. This is to preserve space on the system.img. If one wishes to view it in a more human friendly format, the "tidy" or "xmllint" command will assist you. @@ -73,8 +53,7 @@ mac_permissions.xml: keys.conf The keys.conf file is used for controlling the mapping of "tags" found in the mac_permissions.xml signature stanzas with actual public keys found in - pem files. The configuration file can be used in BOARD_SEPOLICY_UNION - variables and is processed via m4. + pem files. The configuration file is processed via m4. The script allows for mapping any string contained in TARGET_BUILD_VARIANT with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either