Split seapp_contexts into plat and nonplat components.

Bug: 33746381
Test: Device boots with no extra denials.
Change-Id: I2f0da92367851142e0d7df4afec8861ceaed9d3e

Android.mk

@@ -706,45 +706,47 @@ nonplat_fcfiles_with_nl :=
 
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := seapp_contexts
+LOCAL_MODULE := plat_seapp_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
+plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(all_sc_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(all_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
 
-built_sc := $(LOCAL_BUILT_MODULE)
-all_sc_files :=
+built_plat_sc := $(LOCAL_BUILT_MODULE)
+plat_sc_files :=
 
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := general_seapp_contexts
+LOCAL_MODULE := nonplat_seapp_contexts
 LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_sc_files := $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
+nonplat_sc_files := $(call build_policy, seapp_contexts, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
 
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILE := $(all_sc_files)
-$(LOCAL_BUILT_MODULE): $(built_general_sepolicy) $(all_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(nonplat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILE)
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
 
-all_sc_files :=
+built_nonplat_sc := $(LOCAL_BUILT_MODULE)
+nonplat_sc_files :=
 
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := general_seapp_neverallows
+LOCAL_MODULE := plat_seapp_neverallows
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := tests
 
@@ -934,7 +936,7 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 $(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_pc) $(built_plat_fc) \
-$(buit_nonplat_fc) $(built_sc) $(built_svc)
+$(buit_nonplat_fc) $(built_plat_sc) $(built_nonplat_sc) $(built_svc)
 	@mkdir -p $(dir $@)
 	$(hide) echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@
 
@@ -949,7 +951,8 @@ built_general_sepolicy :=
 built_general_sepolicy.conf :=
 built_nl :=
 built_pc :=
-built_sc :=
+built_nonplat_sc :=
+built_plat_sc :=
 built_sepolicy :=
 built_svc :=
 mapping_policy_nvr :=

private/file_contexts

@@ -43,6 +43,8 @@
 /plat_sepolicy\.cil      u:object_r:rootfs:s0
 /property_contexts  u:object_r:property_contexts:s0
 /seapp_contexts     u:object_r:rootfs:s0
+/nonplat_seapp_contexts     u:object_r:rootfs:s0
+/plat_seapp_contexts     u:object_r:rootfs:s0
 /sepolicy           u:object_r:rootfs:s0
 /service_contexts   u:object_r:rootfs:s0
 

reqd_mask/seapp_contexts

@@ -0,0 +1,2 @@
+# empty seapp_contexts file - used to generate an empty seapp_contexts for
+# devices without any non-platform seapp_contexts customizations.