From 06518b14f7a79f5438bbaf44da1acfd509692f34 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Fri, 25 Aug 2023 21:20:08 +0900
Subject: [PATCH] Use board api level for seapp coredomain check

Rather than PRODUCT_SHIPPING_API_LEVEL, use board api level (BOARD_API_LEVEL or BOARD_SHIPPING_API_LEVEL) to determine whether we check coredomain violations or not.

Bug: 280547417
Test: see build command of vendor_seapp_contexts
Change-Id: I20859d6054ab85f464b29631bdfd55ade3e78f53
---
 build/soong/selinux_contexts.go | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index f3fb33c2a..a7a2436d6 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -419,6 +419,14 @@ func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext,
 return builtCtxFile
 }
 
+func (m *selinuxContextsModule) shouldCheckCoredomain(ctx android.ModuleContext) bool {
+ if !ctx.SocSpecific() && !ctx.DeviceSpecific() {
+ return false
+ }
+
+ return ctx.DeviceConfig().CheckVendorSeappViolations()
+}
+
 func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
 neverallowFile := pathForModuleOut(ctx, "neverallow")
 ret := pathForModuleOut(ctx, m.stem())
@@ -440,10 +448,8 @@ func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, in
 Inputs(inputs).
 Input(neverallowFile)
 
- shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
- ApiLevelU := android.ApiLevelOrPanic(ctx, "UpsideDownCake")
- if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThan(ApiLevelU) {
- checkCmd.Flag("-c") // check coredomain for V (or later) launching devices
+ if m.shouldCheckCoredomain(ctx) {
+ checkCmd.Flag("-c") // check coredomain for vendor contexts
 }
 
 rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
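Review bot: `shouldCheckCoredomain` has no doc comment, although it now decides whether the coredomain check is enforced at all, so the policy should be written down where it is decided. The early return limits the check to soc-specific and device-specific modules, and the rest is delegated to `ctx.DeviceConfig().CheckVendorSeappViolations()`, whose definition is not part of this patch. I would add above the function: `// shouldCheckCoredomain reports whether checkCmd gets -c: only for soc-specific or device-specific seapp_contexts, and only when the device config (board API level) enables vendor seapp violation checks.`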
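Review bot: The `-c` flag in `buildSeappContexts` is now added only when `m.shouldCheckCoredomain(ctx)` is true, and the threshold that used to be visible here (shipping API level greater than UpsideDownCake) has moved into a config method this patch does not show. If `CheckVendorSeappViolations()` returns false when neither BOARD_API_LEVEL nor BOARD_SHIPPING_API_LEVEL is set, a device that was previously checked through PRODUCT_SHIPPING_API_LEVEL would build its vendor seapp_contexts without the coredomain check and without any diagnostic. It is worth confirming the unset case and asserting both outcomes in a build test rather than by reading the generated command. The trailing comment could keep the condition: `checkCmd.Flag("-c") // check coredomain for vendor contexts; gated on board API level, see shouldCheckCoredomain`. The function body starts before and continues after this hunk.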