Separate product_seapp_contexts out of system sepolicy. Bug: 119305624 Test: normal/recovery boot aosp_taimen Change-Id: Ia8d69be16011db8dd63fa41672449a4ade7302c2

commit: 3507678d2e78cb19fa4a1df21cf034fcbfa9a7f7 [log] [tgz]
author: Tri Vo <trong@google.com> Fri Dec 21 10:46:45 2018 -0800
committer: Tri Vo <trong@google.com> Tue Jan 08 09:49:30 2019 -0800
tree: 1c7ae398d5f5919e5659cf217226b9b5d5161db1
parent: 5da7200510b67712c3e337cf72d68eef9ca3ba76 [diff] [blame]
diff --git a/Android.mk b/Android.mk
index cad4d37..a17cc50 100644
--- a/Android.mk
+++ b/Android.mk

@@ -288,6 +288,7 @@
     product_file_contexts \
     product_hwservice_contexts \
     product_property_contexts \
+    product_seapp_contexts \
 
 endif
 include $(BUILD_PHONY_PACKAGE)
@@ -1198,8 +1199,7 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-# TODO(b/119305624): Move product-specific sepolicy out of plat_seapp_contexts
-plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
@@ -1212,6 +1212,29 @@
 
 ##################################
 include $(CLEAR_VARS)
+LOCAL_MODULE := product_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_sc_files := $(call build_policy, seapp_contexts, $(PRODUCT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(product_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(product_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+	@mkdir -p $(dir $@)
+	$(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
+
+product_sc_files :=
+plat_sc_neverallow_files :=
+
+##################################
+include $(CLEAR_VARS)
 LOCAL_MODULE := vendor_seapp_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
commit	3507678d2e78cb19fa4a1df21cf034fcbfa9a7f7	[log] [tgz]
author	Tri Vo <trong@google.com>	Fri Dec 21 10:46:45 2018 -0800
committer	Tri Vo <trong@google.com>	Tue Jan 08 09:49:30 2019 -0800
tree	1c7ae398d5f5919e5659cf217226b9b5d5161db1
parent	5da7200510b67712c3e337cf72d68eef9ca3ba76 [diff] [blame]