tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/README
William Roberts 15b3ceda5c Add BOARD_SEPOLICY_IGNORE 
See README for further details.

Change-Id: I4599c7ecd5a552e38de89d0a9e496e047068fe05
2013-03-21 02:55:49 +00:00

77 lines
2.7 KiB
Text
Raw Blame History

Policy Generation:
Additional, per device, policy files can be added into the
policy build.
They can be configured through the use of three variables,
they are:
1. BOARD_SEPOLICY_REPLACE
2. BOARD_SEPOLICY_UNION
3. BOARD_SEPOLICY_DIRS
4. BOARD_SEPOLICY_IGNORE
The variables should be set in the BoardConfig.mk file in
the device or vendor directories.
BOARD_SEPOLICY_UNION is a list of files that will be
"unioned", IE concatenated, at the END of their respective
file in external/sepolicy. Note, to add a unique file you
would use this variable.
BOARD_SEPOLICY_REPLACE is a list of files that will be
used instead of the corresponding file in external/sepolicy.
BOARD_SEPOLICY_DIRS contains a list of directories to search
for BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files. Order
matters in this list.
eg.) If you have BOARD_SEPOLICY_UNION := widget.te and have 2
instances of widget.te files on BOARD_SEPOLICY_DIRS search path.
The first one found (at the first search dir containing the file)
gets processed first.
Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
will help sort out ordering issues.
It is an error to specify a BOARD_POLICY_REPLACE file that does
not exist in external/sepolicy.
It is an error to specify a BOARD_POLICY_REPLACE file that appears
multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS.
eg.) if you specify shell.te in BOARD_SEPOLICY_REPLACE and
BOARD_SEPOLICY_DIRS is set to
"vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
appears in both locations, it is an error. Unless it is in
BOARD_SEPOLICY_IGNORE to be filtered out. See BOARD_SEPOLICY_IGNORE
for more details.
It is an error to specify the same file name in both
BOARD_POLICY_REPLACE and BOARD_POLICY_UNION.
It is an error to specify a BOARD_SEPOLICY_DIRS that has no entries when
specifying BOARD_SEPOLICY_REPLACE.
BOARD_SEPOLICY_IGNORE is a list of paths (directory + filename) of
files that are not to be included in the resulting policy. This list
is passed to filter-out to remove any paths you may want to ignore. This
is useful if you have numerous config directories that contain a file
and you want to NOT include a particular file in your resulting
policy file, either by UNION or REPLACE.
Eg.) Suppose the follwoing:
BOARD_SEPOLICY_DIRS := X Y
BOARD_SEPOLICY_REPLACE := A
BOARD_SEPOLICY_IGNORE := X/A
Directories X and Y contain A.
The resulting policy is created by using Y/A only, thus X/A was
ignored.
Example BoardConfig.mk Usage:
From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
BOARD_SEPOLICY_DIRS := \
device/samsung/tuna/sepolicy
BOARD_SEPOLICY_UNION := \
genfs_contexts \
file_contexts \
sepolicy.te
Reference in a new issue View git blame Copy permalink