Restore checkfc and neverallow checks.
Bug: 33388095
Test: Builds and boots.
Change-Id: Ief9064a16fc733bed54eb76f509ff5aaf5db4baf
diff --git a/Android.mk b/Android.mk
index 5209145..c24329a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -33,7 +33,7 @@
# private - platform-only policy required for platform functionality but which
# is not exported to vendor policy developers and as such may not be assumed
# to exist.
-# mapping - TODO. This contains policy statements which map the attributes
+# mapping - This contains policy statements which map the attributes
# exposed in the public policy of previous versions to the concrete types used
# in this policy to ensure that policy targeting attributes from public
# policy from an older platform version continues to work.
@@ -222,8 +222,7 @@
plat_policy.cil := $(intermediates)/plat_policy.cil
$(plat_policy.cil): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@.tmp $<
- $(hide) grep -v neverallow $@.tmp > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
# nonplat_policy.conf - A combination of the non-platform private and the
# exported platform policy associated with the version the non-platform policy
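Review bot: Nothing in the `$(plat_policy.cil)` rule records that neverallow statements are now meant to stay in the CIL output, so a later edit could re-add the filter without noticing it disables the checks named in the commit title. A one-line comment above the rule would cover it, e.g. `# Do not strip neverallow rules from this output; the neverallow checks depend on them.` Also, the removed `$@.tmp` step meant a failed checkpolicy run never touched the target. Whether a partial `$@` can now be left behind depends on checkpolicy's error behaviour and on build settings not visible in this hunk.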
@@ -255,7 +254,7 @@
pruned_nonplat_policy.cil := $(intermediates)/pruned_nonplat_policy.cil
$(pruned_nonplat_policy.cil): $(reqd_policy_mask.cil) $(nonplat_policy.cil)
@mkdir -p $(dir $@)
- $(hide) grep -Fxv -f $^ | grep -v neverallow > $@
+ $(hide) grep -Fxv -f $^ > $@
vers_nonplat_policy.cil := $(intermediates)/vers_nonplat_policy.cil
$(vers_nonplat_policy.cil) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
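Review bot: `grep -Fxv -f $^ > $@` relies on the order of the prerequisite list, because `$^` expands to the mask file followed by the policy file and grep takes the first as the `-f` pattern file and the second as input. Reordering or adding a prerequisite on the rule line would silently change what is filtered out of the non-platform policy. Spelling out the roles, `$(hide) grep -Fxv -f $< $(word 2,$^) > $@`, keeps the recipe correct if the prerequisite list grows.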
@@ -445,7 +444,7 @@
$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
@mkdir -p $(dir $@)
- # TODO: fix with attributized types $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@
file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
@@ -456,7 +455,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@mkdir -p $(dir $@)
- # TODO: fix with attributized types $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
built_fc := $(LOCAL_BUILT_MODULE)
@@ -486,7 +485,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
$(LOCAL_BUILT_MODULE): $(general_file_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@mkdir -p $(dir $@)
- # TODO: fix with attributized types $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
general_file_contexts.tmp :=
@@ -567,7 +566,7 @@
$(LOCAL_BUILT_MODULE): $(property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
@mkdir -p $(dir $@)
$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- # TODO: fix with attributized types $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
built_pc := $(LOCAL_BUILT_MODULE)
all_pc_files :=
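Review bot: The restored `checkfc -p` check runs on `$@` after sed has already written it, so a file that fails validation is left on disk as the built target. Unless the build removes targets when a recipe fails (not visible here), a later run could treat that file as up to date and skip the check. Sending sed's output to `$@.tmp`, running `checkfc -p $(PRIVATE_SEPOLICY) $@.tmp`, and finishing with `mv -f $@.tmp $@` means only a validated file ever becomes the target. The same write-then-check order appears in the general_property_contexts, service_contexts and general_service_contexts hunks below. The `PRIVATE_SEPOLICY` assignment for this rule lies outside the hunk.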
@@ -592,7 +591,7 @@
$(LOCAL_BUILT_MODULE): $(general_property_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- # TODO: fix with attributized types $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
general_property_contexts.tmp :=
@@ -620,7 +619,7 @@
$(LOCAL_BUILT_MODULE): $(service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- # TODO: fix with attributized types$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+ $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
built_svc := $(LOCAL_BUILT_MODULE)
all_svc_files :=
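Review bot: The restored checkfc line in this recipe has no `$(hide)` prefix, unlike every other checkfc line restored in this commit. The removed comment had it (run together as `types$(hide)`), so the prefix looks lost by accident rather than dropped on purpose. `$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@` would match the sibling general_service_contexts rule. The sed line just above it is also unprefixed, in both rules.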
@@ -645,7 +644,7 @@
$(LOCAL_BUILT_MODULE): $(general_service_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- # TODO: fix with attributized types $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
general_service_contexts.tmp :=