Drop BOARD_SEPOLICY_UNION.

As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.

Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error
to catch any lingering uses and force updating of the BoardConfig.mk
files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid
breaking the build until all device BoardConfig*.mk files have been
updated, and since they should be harmless - the files will be unioned
regardless.

Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Android.mk

@@ -18,28 +18,13 @@ ifdef BOARD_SEPOLICY_IGNORE
 $(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
 endif
 
-# Quick edge case error detection for BOARD_SEPOLICY_UNION.
+ifdef BOARD_SEPOLICY_UNION
-# This ensures that a requested union file exists somewhere
+$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
-# in one of the listed BOARD_SEPOLICY_DIRS.
+endif
-$(foreach pf, $(BOARD_SEPOLICY_UNION), \
-  $(if $(filter 0, $(words $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))))), \
-    $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)), \
-  ) \
-)
 
-# Builds paths for all requested policy files w.r.t
+# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
-# BOARD_SEPOLICY_UNION variables.
 # $(1): the set of policy name paths to build
-build_policy = $(foreach type, $(1), \
+build_policy = $(foreach type, $(1), $(wildcard $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS))))
-    $(foreach expanded_type, $(notdir $(wildcard $(addsuffix /$(type), $(LOCAL_PATH)))), \
-        $(LOCAL_PATH)/$(expanded_type) \
-      ) \
-    $(foreach union_policy, $(wildcard $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS))), \
-      $(if $(filter $(notdir $(union_policy)), $(BOARD_SEPOLICY_UNION)), \
-        $(union_policy), \
-      ) \
-    ) \
-  )
 
 sepolicy_build_files := security_classes \
                         initial_sids \

README

@@ -9,41 +9,22 @@ Policy Generation:
 Additional, per device, policy files can be added into the
 policy build.
 
-They can be configured through the use of two variables,
+They can be configured through the use of the BOARD_SEPOLICY_DIRS
-they are:
+variable. This variable should be set in the BoardConfig.mk file in
-1. BOARD_SEPOLICY_UNION
-2. BOARD_SEPOLICY_DIRS
-
-The variables should be set in the BoardConfig.mk file in
 the device or vendor directories.
 
-BOARD_SEPOLICY_UNION is a list of files that will be
-"unioned", IE concatenated, at the END of their respective
-file in external/sepolicy. Note, to add a unique file you
-would use this variable.
-
 BOARD_SEPOLICY_DIRS contains a list of directories to search
-for BOARD_SEPOLICY_UNION files. Order matters in this list.
+for additional policy files. Order matters in this list.
-eg.) If you have BOARD_SEPOLICY_UNION += widget.te and have 2
+For example, if you have 2 instances of widget.te files in the
-instances of widget.te files on BOARD_SEPOLICY_DIRS search path.
+BOARD_SEPOLICY_DIRS search path, then the first one found (at the
-The first one found (at the first search dir containing the file)
+first search dir containing the file) will be concatenated first.
-gets processed first.
 Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
 will help sort out ordering issues.
 
-It is an error to specify a BOARD_POLICY_UNION file that
-doesn't appear in any of the BOARD_SEPOLICY_DIRS locations.
-
 Example BoardConfig.mk Usage:
 From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
 
-BOARD_SEPOLICY_DIRS += \
+BOARD_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
-        device/samsung/tuna/sepolicy
-
-BOARD_SEPOLICY_UNION += \
-        genfs_contexts \
-        file_contexts \
-        sepolicy.te
 
 SPECIFIC POLICY FILE INFORMATION
 
@@ -55,8 +36,7 @@ mac_permissions.xml:
     top of that file. The seinfo string, previously mentioned, is the same string
     that is referenced in seapp_contexts.
 
-    This file can be appended to by using the BOARD_SEPOLICY_UNION
+    It is important to note the final processed version of this file
-    variable. It is important to note the final processed version of this file
     is stripped of comments and whitespace. This is to preserve space on the
     system.img. If one wishes to view it in a more human friendly format,
     the "tidy" or "xmllint" command will assist you.
@@ -73,8 +53,7 @@ mac_permissions.xml:
       keys.conf
         The keys.conf file is used for controlling the mapping of "tags" found in
         the mac_permissions.xml signature stanzas with actual public keys found in
-        pem files. The configuration file can be used in BOARD_SEPOLICY_UNION
+        pem files. The configuration file is processed via m4.
-        variables and is processed via m4.
 
         The script allows for mapping any string contained in TARGET_BUILD_VARIANT
         with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either