commit 0a707fadb2340c42626ec5ac379ba832ef5d2d55
author Inseob Kim <inseob@google.com> Thu Dec 09 23:35:11 2021 +0900
committer Inseob Kim <inseob@google.com> Fri Dec 10 00:31:53 2021 +0900
tree a6b8ce1a2cb3bab6640060b67d8414e0aae5f078
parent 04a2389d590e34d609d97eb85b154f690fc22bcf

Refactor Android.bp build modules for readability

When we compile sepolicy files into a cil file, we first gather all
sepolicy files to create a conf file, and then convert the conf file to
a cil file with checkpolicy. The problem is that checkpolicy is
sensitive to the input order; the conf file should contain statements in
a specific order: classes, initial_sid, access vectors, macros, mls,
etc.

This restriction has made Android.bp migration difficult, and we had to
create a magical module called "se_build_files" to correctly include
source files in the designated order. It works, but significant
readability problem has happened. For example, when we write
":se_build_files{.system_ext_public}", how can we easily figure out that
the tag actually includes plat public + system_ext public + reqd mask,
without taking a look at the build system code?

This change refactors the se_build_files module and se_policy_conf
module, so we can easily see the desginated files for each module, just
like we did in the Android.mk. se_policy_conf module now stably sorts
source files in an order which will make checkpolicy happy.
se_build_files module is also refactored, so one tag can represent
exactly one set of policy files, rather than doing magical works behind
the scene. For example, system_ext public policy module is changed from:

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    // se_build_files automatically adds plat public and reqd mask
    srcs: [":se_build_files{.system_ext_public}"],
}

to:

se_policy_conf {
    name: "system_ext_pub_policy.conf",
    // se_policy_conf automatically sorts the input files
    srcs: [
        ":se_build_files{.plat_public}",
        ":se_build_files{.system_ext_public}",
        ":se_build_files{.reqd_mask}",
    ],
}

Bug: 209933272
Test: build and diff before/after
Change-Id: I97a76ed910645c1607d913fd646c27e87af0afd3

Android.bp

diff --git a/Android.bp b/Android.bp
index 9a13c9c..d22010c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -661,6 +661,14 @@
     ],
 }
 
+reqd_mask_policy          = [":se_build_files{.reqd_mask}"]
+plat_public_policy        = [":se_build_files{.plat_public}"]
+plat_private_policy       = [":se_build_files{.plat_private}"]
+system_ext_public_policy  = [":se_build_files{.system_ext_public}"]
+system_ext_private_policy = [":se_build_files{.system_ext_private}"]
+product_public_policy     = [":se_build_files{.product_public}"]
+product_private_policy    = [":se_build_files{.product_private}"]
+
 // reqd_policy_mask - a policy.conf file which contains only the bare minimum
 // policy necessary to use checkpolicy.
 //
@@ -671,7 +679,7 @@
 // policy and subsequent removal of CIL policy that should not be exported.
 se_policy_conf {
     name: "reqd_policy_mask.conf",
-    srcs: [":se_build_files{.reqd_mask}"],
+    srcs: reqd_mask_policy,
     installable: false,
 }
 
@@ -706,7 +714,10 @@
 //
 se_policy_conf {
     name: "pub_policy.conf",
-    srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
+    srcs: plat_public_policy +
+        system_ext_public_policy +
+        product_public_policy +
+        reqd_mask_policy,
     installable: false,
 }
 
@@ -720,7 +731,9 @@
 
 se_policy_conf {
     name: "system_ext_pub_policy.conf",
-    srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
+    srcs: plat_public_policy +
+        system_ext_public_policy +
+        reqd_mask_policy,
     installable: false,
 }
 
@@ -734,7 +747,8 @@
 
 se_policy_conf {
     name: "plat_pub_policy.conf",
-    srcs: [":se_build_files{.plat_public}"],
+    srcs: plat_public_policy +
+        reqd_mask_policy,
     installable: false,
 }
 
@@ -753,7 +767,8 @@
 // currently being attributized.
 se_policy_conf {
     name: "plat_sepolicy.conf",
-    srcs: [":se_build_files{.plat}"],
+    srcs: plat_public_policy +
+        plat_private_policy,
     installable: false,
 }
 
@@ -766,7 +781,8 @@
 // userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
 se_policy_conf {
     name: "userdebug_plat_sepolicy.conf",
-    srcs: [":se_build_files{.plat}"],
+    srcs: plat_public_policy +
+        plat_private_policy,
     build_variant: "userdebug",
     installable: false,
 }
@@ -815,7 +831,10 @@
 // policy which will ship with the device. System_ext policy is not attributized
 se_policy_conf {
     name: "system_ext_sepolicy.conf",
-    srcs: [":se_build_files{.system_ext}"],
+    srcs: plat_public_policy +
+        plat_private_policy +
+        system_ext_public_policy +
+        system_ext_private_policy,
     installable: false,
 }
 
@@ -831,7 +850,12 @@
 // which will ship with the device. Product policy is not attributized
 se_policy_conf {
     name: "product_sepolicy.conf",
-    srcs: [":se_build_files{.product}"],
+    srcs: plat_public_policy +
+        plat_private_policy +
+        system_ext_public_policy +
+        system_ext_private_policy +
+        product_public_policy +
+        product_private_policy,
     installable: false,
 }
 
@@ -1017,7 +1041,8 @@
 //////////////////////////////////
 se_policy_conf {
     name: "general_sepolicy.conf",
-    srcs: [":se_build_files{.plat}"],
+    srcs: plat_public_policy +
+        plat_private_policy,
     build_variant: "user",
     cts: true,
     exclude_build_test: true,
@@ -1032,7 +1057,8 @@
 //////////////////////////////////
 se_policy_conf {
     name: "base_plat_sepolicy.conf",
-    srcs: [":se_build_files{.plat}"],
+    srcs: plat_public_policy +
+        plat_private_policy,
     build_variant: "user",
     installable: false,
 }
@@ -1053,7 +1079,10 @@
 
 se_policy_conf {
     name: "base_system_ext_sepolicy.conf",
-    srcs: [":se_build_files{.system_ext}"],
+    srcs: plat_public_policy +
+        plat_private_policy +
+        system_ext_public_policy +
+        system_ext_private_policy,
     build_variant: "user",
     installable: false,
 }
@@ -1076,7 +1105,12 @@
 
 se_policy_conf {
     name: "base_product_sepolicy.conf",
-    srcs: [":se_build_files{.product}"],
+    srcs: plat_public_policy +
+        plat_private_policy +
+        system_ext_public_policy +
+        system_ext_private_policy +
+        product_public_policy +
+        product_private_policy,
     build_variant: "user",
     installable: false,
 }
@@ -1099,7 +1133,8 @@
 
 se_policy_conf {
     name: "base_plat_pub_policy.conf",
-    srcs: [":se_build_files{.plat_public}"],
+    srcs: plat_public_policy +
+        reqd_mask_policy,
     build_variant: "user",
     installable: false,
 }
@@ -1114,7 +1149,9 @@
 
 se_policy_conf {
     name: "base_system_ext_pub_policy.conf",
-    srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
+    srcs: plat_public_policy +
+        system_ext_public_policy +
+        reqd_mask_policy,
     build_variant: "user",
     installable: false,
 }
@@ -1129,7 +1166,10 @@
 
 se_policy_conf {
     name: "base_product_pub_policy.conf",
-    srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
+    srcs: plat_public_policy +
+        system_ext_public_policy +
+        product_public_policy +
+        reqd_mask_policy,
     build_variant: "user",
     installable: false,
 }