Change mapping file name to reflect its platform version. As the platform progresses in the split SELinux world, the platform will need to maintain mapping files back to previous platform versions to maintain backwards compatibility with vendor images which have SELinux policy written based on the older versions. This requires shipping multiple mapping files with the system image so that the right one can be selected. Change the name and location of the mapping file to reflect this. Also add a file to the vendor partition indicating which version is being targeted that the platform can use to determine which mapping file to choose. Bug: 36783775 Test: Force compilation of sepolicy on-device with mapping file changed to new location and name, using the value reported on /vendor. Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4

commit: 4f9a648e90ed95716224b96348805accd27f4f51 [log] [tgz]
author: Dan Cashman <dcashman@google.com> Mon Apr 10 12:27:18 2017 -0700
committer: Dan Cashman <dcashman@google.com> Wed Apr 12 09:16:51 2017 -0700
tree: 326e198120c797c81f13bbb0194b67aa08c663be
parent: 976fb16bc14dfefe12f56e23a677dce99a091b14 [diff]
diff --git a/Android.mk b/Android.mk
index 776be6c..10848b3 100644
--- a/Android.mk
+++ b/Android.mk

@@ -25,38 +25,6 @@
 sepolicy_minor_vers :=
 
 include $(CLEAR_VARS)
-LOCAL_MODULE := selinux_policy
-LOCAL_MODULE_TAGS := optional
-# Include SELinux policy. We do this here because different modules
-# need to be included based on the value of PRODUCT_FULL_TREBLE. This
-# type of conditional inclusion cannot be done in top-level files such
-# as build/target/product/embedded.mk.
-# This conditional inclusion closely mimics the conditional logic
-# inside init/init.cpp for loading SELinux policy from files.
-ifeq ($(PRODUCT_FULL_TREBLE),true)
-# Use split SELinux policy
-LOCAL_REQUIRED_MODULES += \
-    mapping_sepolicy.cil \
-    nonplat_sepolicy.cil \
-    plat_sepolicy.cil \
-    plat_and_mapping_sepolicy.cil.sha256 \
-    secilc \
-    nonplat_file_contexts \
-    plat_file_contexts
-
-# Include precompiled policy, unless told otherwise
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
-endif
-
-else
-# Use monolithic SELinux policy
-LOCAL_REQUIRED_MODULES += sepolicy \
-    file_contexts.bin
-endif
-include $(BUILD_PHONY_PACKAGE)
-
-include $(CLEAR_VARS)
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
@@ -197,6 +165,42 @@
   with_asan := true
 endif
 
+include $(CLEAR_VARS)
+LOCAL_MODULE := selinux_policy
+LOCAL_MODULE_TAGS := optional
+# Include SELinux policy. We do this here because different modules
+# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# type of conditional inclusion cannot be done in top-level files such
+# as build/target/product/embedded.mk.
+# This conditional inclusion closely mimics the conditional logic
+# inside init/init.cpp for loading SELinux policy from files.
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+
+platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
+
+# Use split SELinux policy
+LOCAL_REQUIRED_MODULES += \
+    $(platform_mapping_file) \
+    nonplat_sepolicy.cil \
+    plat_sepolicy.cil \
+    plat_and_mapping_sepolicy.cil.sha256 \
+    secilc \
+    nonplat_file_contexts \
+    plat_file_contexts \
+    plat_sepolicy_vers.txt
+
+# Include precompiled policy, unless told otherwise
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
+endif
+
+else
+# Use monolithic SELinux policy
+LOCAL_REQUIRED_MODULES += sepolicy \
+    file_contexts.bin
+endif
+include $(BUILD_PHONY_PACKAGE)
+
 ##################################
 # reqd_policy_mask - a policy.conf file which contains only the bare minimum
 # policy necessary to use checkpolicy.  This bare-minimum policy needs to be
@@ -335,10 +339,26 @@
 #################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := mapping_sepolicy.cil
+LOCAL_MODULE := plat_sepolicy_vers.txt
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) :
+	mkdir -p $(dir $@)
+	echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := $(platform_mapping_file)
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
 
 include $(BUILD_SYSTEM)/base_rules.mk
 

diff --git a/CleanSpec.mk b/CleanSpec.mk
index 9e2c464..0933115 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk

@@ -70,3 +70,4 @@
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/mapping_sepolicy.cil)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/mapping_sepolicy.cil)

diff --git a/private/file_contexts b/private/file_contexts
index d547a9f..aa89601 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -248,14 +248,14 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/vr_wm                u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
-/system/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 
 #############################
@@ -284,7 +284,7 @@
 /vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
 /vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/vndservice_contexts         u:object_r:vndservice_contexts_file:s0
 
 #############################
commit	4f9a648e90ed95716224b96348805accd27f4f51	[log] [tgz]
author	Dan Cashman <dcashman@google.com>	Mon Apr 10 12:27:18 2017 -0700
committer	Dan Cashman <dcashman@google.com>	Wed Apr 12 09:16:51 2017 -0700
tree	326e198120c797c81f13bbb0194b67aa08c663be
parent	976fb16bc14dfefe12f56e23a677dce99a091b14 [diff]