commit 1824e25b1cc285f1e9f87aad92bd61dff35f0efd
author Tri Vo <trong@google.com> Tue Jan 22 18:07:58 2019 -0800
committer Tri Vo <trong@google.com> Wed Jan 23 09:19:35 2019 -0800
tree b4116fecf13b4a7142cc45a272f3cb5fdae61f80
parent 1b02031d18719cbf76cd141ea7bc716413a84142

Split system and product sepolicy hashes.

We need to be able to tell if /system was updated independently
/product, and vice versa.  Otherwise, the device might accidentally load
the precompiled_policy after a /product sepolicy update.

Also change the name of the hash file to more closely reflect how its
generated.

Bug: 119305624
Test: boot aosp_taimen, precompiled policy is loaded
Test: If either of these hashes
/system/etc/selinux/plat_sepolicy_and_mapping.sha256
/product/etc/selinux/product_sepolicy_and_mapping.sha256
are removed, then init falls back to compiling sepolicy at boot time.
Change-Id: I14af81c8d3c5cb85c01592518e22077a8c8c3e5e

Android.mk

diff --git a/Android.mk b/Android.mk
index 4387090..a6c4f2a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -194,7 +194,7 @@
     plat_mapping_file \
     $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
     plat_sepolicy.cil \
-    plat_and_mapping_sepolicy.cil.sha256 \
+    plat_sepolicy_and_mapping.sha256 \
     secilc \
 
 LOCAL_REQUIRED_MODULES += \
@@ -249,7 +249,8 @@
 ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
 LOCAL_REQUIRED_MODULES += \
     precompiled_sepolicy \
-    precompiled_sepolicy.plat_and_mapping.sha256 \
+    precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
+    precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
 
 endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
 
@@ -289,6 +290,7 @@
     product_service_contexts \
     product_mac_permissions.xml \
     product_mapping_file \
+    product_sepolicy_and_mapping.sha256 \
 
 endif
 include $(BUILD_PHONY_PACKAGE)
@@ -620,21 +622,6 @@
 #################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# TODO(b/119305624): Need one hash for system, one for product.
-$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_product_cil) \
-$(built_plat_mapping_cil) $(built_product_mapping_cil)
-	cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
 # plat_pub_versioned.cil - the exported platform policy associated with the version
 # that non-platform policy targets.
 LOCAL_MODULE := plat_pub_versioned.cil
@@ -804,14 +791,47 @@
 all_cil_files :=
 
 #################################
-# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
+# Precompiled sepolicy is loaded if and only if:
+# - plat_sepolicy_and_mapping.sha256 equals
+#   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+# AND
+# - product_sepolicy_and_mapping.sha256 equals
+#   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+# See system/core/init/selinux.cpp for details.
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil)
+	cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil)
+	cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
 # which precompiled_policy was built.
 #################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
+LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
 
 ifeq ($(BOARD_USES_ODMIMAGE),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
@@ -821,11 +841,29 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-# TODO(b/119305624): Need one hash for system, one for product.
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_product_cil) \
-$(built_plat_mapping_cil) $(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_product_cil)\
-$(built_plat_mapping_cil) $(built_product_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil)
+	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+# SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
+# which precompiled_policy was built.
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil)
 	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
 
 #################################