Support for APEX updatable sepolicy

Builds:
 - sepolicy_test - file that init mounts in /dev/selinux to demonstrate
   that updatable sepolicy is loaded.
 - apex_sepolicy.cil - Initially includes a rule allowing shell
   to read sepolicy_test.
 - apex_file_contexts - Initially includes mapping of
    /dev/selinux/sepolicy_test.
 - apex_sepolicy.sha256. Used by init to determine of
    precompiled_sepolicy can be used.
 - apex_service_contexts - Currently empty.
 - apex_property_contexts - Currently empty.
 - apex_seapp_contexts - Currently empty.

Bug: 199914227
Test: Build, boot, ls -laZ /dev/selinux/sepolicy_test
Change-Id: I6aa625dda5235c6e7a0cfff777a9e15606084c12

Android.bp

@@ -342,6 +342,21 @@ se_policy_cil {
     additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
 }
 
+
+se_policy_conf {
+    name: "apex_sepolicy-33.conf",
+    srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
+    installable: false,
+}
+
+se_policy_cil {
+    name: "apex_sepolicy-33.cil",
+    src: ":apex_sepolicy-33.conf",
+    filter_out: [":plat_sepolicy.cil"],
+    installable: false,
+    stem: "apex_sepolicy.cil",
+}
+
 // userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
 se_policy_conf {
     name: "userdebug_plat_sepolicy.conf",
@@ -659,6 +674,9 @@ se_versioned_policy {
 // AND
 // - product_sepolicy_and_mapping.sha256 equals
 //   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+// AND
+// - apex_sepolicy.sha256 equals
+//   precompiled_sepolicy.apex_sepolicy.sha256
 // See system/core/init/selinux.cpp for details.
 //////////////////////////////////
 genrule {
@@ -675,6 +693,20 @@ prebuilt_etc {
     relative_install_path: "selinux",
 }
 
+genrule {
+    name: "apex_sepolicy.sha256_gen",
+    srcs: [":apex_sepolicy-33.cil"],
+    out: ["apex_sepolicy.sha256"],
+    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+    name: "apex_sepolicy.sha256",
+    filename: "apex_sepolicy.sha256",
+    src: ":apex_sepolicy.sha256_gen",
+    installable: false,
+}
+
 genrule {
     name: "system_ext_sepolicy_and_mapping.sha256_gen",
     srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
@@ -743,6 +775,18 @@ prebuilt_etc {
     relative_install_path: "selinux",
 }
 
+//////////////////////////////////
+// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
+// was built.
+//////////////////////////////////
+prebuilt_etc {
+    defaults: ["precompiled_sepolicy_prebuilts"],
+    name: "precompiled_sepolicy.apex_sepolicy.sha256",
+    filename: "precompiled_sepolicy.apex_sepolicy.sha256",
+    src: ":apex_sepolicy.sha256_gen",
+    relative_install_path: "selinux",
+}
+
 //////////////////////////////////
 // SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
 // which precompiled_policy was built.
@@ -780,6 +824,7 @@ precompiled_se_policy_binary {
     name: "precompiled_sepolicy",
     srcs: [
         ":plat_sepolicy.cil",
+        ":apex_sepolicy-33.cil",
         ":plat_pub_versioned.cil",
         ":system_ext_sepolicy.cil",
         ":product_sepolicy.cil",

com.android.sepolicy/33/Android.bp

@@ -0,0 +1,56 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    // http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // the below license kinds from "system_sepolicy_license":
+    //   SPDX-license-identifier-Apache-2.0
+    default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+genrule {
+    name: "apex_file_contexts-33.gen",
+    defaults: ["sepolicy_file_contexts_gen_default"],
+    srcs: ["file_contexts"],
+    out: ["apex_file_contexts-33"],
+}
+
+prebuilt_etc {
+    name: "apex_file_contexts-33",
+    filename: "apex_file_contexts",
+    src: ":apex_file_contexts-33.gen",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "apex_property_contexts-33",
+    filename: "apex_property_contexts",
+    src: "property_contexts",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "apex_service_contexts-33",
+    filename: "apex_service_contexts",
+    src: "service_contexts",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "apex_seapp_contexts-33",
+    filename: "apex_seapp_contexts",
+    src: "seapp_contexts",
+    installable: false,
+}

com.android.sepolicy/33/file_contexts

@@ -0,0 +1 @@
+/dev/selinux/apex_test	u:object_r:sepolicy_test_file:s0

com.android.sepolicy/33/shell.te

@@ -0,0 +1,2 @@
+allow shell sepolicy_test_file:file r_file_perms;
+

com.android.sepolicy/Android.bp

@@ -0,0 +1,28 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    // http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // the below license kinds from "system_sepolicy_license":
+    //   SPDX-license-identifier-Apache-2.0
+    default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+genrule_defaults {
+    name: "sepolicy_file_contexts_gen_default",
+    tools: ["fc_sort"],
+    cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+         "$(location fc_sort) -i $(out).tmp -o $(out)",
+}