Move sepolicy_test to Android.bp
Bug: 33691272
Test: m selinux_policy triggers sepolicy_test
Change-Id: I1618c2a35b3ce9d747db3955788427dc422fd532
diff --git a/Android.bp b/Android.bp
index 0ca82a6..9f3a111 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1103,3 +1103,29 @@
se_freeze_test {
name: "sepolicy_freeze_test",
}
+
+//////////////////////////////////
+// sepolicy_test checks various types of violations, which can't be easily done
+// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
+//////////////////////////////////
+genrule {
+ name: "sepolicy_test",
+ srcs: [
+ ":plat_file_contexts",
+ ":vendor_file_contexts",
+ ":system_ext_file_contexts",
+ ":product_file_contexts",
+ ":odm_file_contexts",
+ ":precompiled_sepolicy",
+ ],
+ tools: ["sepolicy_tests"],
+ out: ["sepolicy_test"],
+ cmd: "$(location sepolicy_tests) " +
+ "-f $(location :plat_file_contexts) " +
+ "-f $(location :vendor_file_contexts) " +
+ "-f $(location :system_ext_file_contexts) " +
+ "-f $(location :product_file_contexts) " +
+ "-f $(location :odm_file_contexts) " +
+ "-p $(location :precompiled_sepolicy) && " +
+ "touch $(out)",
+}
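Review bot: The genrule runs `sepolicy_tests` with `-p $(location :precompiled_sepolicy)`, whereas the Android.mk rule removed in this commit passed `$(built_sepolicy)`, so the policy binary being checked may no longer be the same artifact. If the two are not built from identical inputs in every configuration, violations present in only one of them would go unchecked; that equivalence should be confirmed and stated in the header comment. The genrule also lists all five file_contexts modules unconditionally, while the old rule built `all_fc_files` under guards such as `ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR`, so the tool now presumably receives empty inputs on devices without those partitions. A comment along the lines of `// Checks :precompiled_sepolicy; partition file_contexts are passed even when the partition has no policy.` would make both assumptions visible.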
diff --git a/Android.mk b/Android.mk
index 27123d7..6054cbb 100644
--- a/Android.mk
+++ b/Android.mk
@@ -347,9 +347,13 @@
ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
- sepolicy_tests \
sepolicy_compat_test \
+# HACK: sepolicy_test is implemented as genrule
+# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
+# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
+LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
+
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \
$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
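Review bot: The new `LOCAL_ADDITIONAL_DEPENDENCIES` line hard-codes both the `ETC` intermediates class and the `sepolicy_test` file name, so it only resolves while those match what the genrule in Android.bp emits (`out: ["sepolicy_test"]`). The HACK comment explains why the workaround exists but not this coupling; I would add `# Keep this path in sync with the genrule's out ("sepolicy_test") in Android.bp.` The dependency sits inside the `with_asan` and `SELINUX_IGNORE_NEVERALLOWS` guards, so the policy check still does not run in those configurations. The module these variables belong to starts outside the hunk.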
@@ -697,17 +701,6 @@
##################################
include $(LOCAL_PATH)/mac_permissions.mk
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy_tests
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@@ -721,13 +714,6 @@
endif
all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
- $(hide) touch $@
-
##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 3062a61..8eeed3a 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -67,28 +67,55 @@
":file_contexts_files{.vendor}",
],
soc_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "vendor_file_contexts.recovery",
+ srcs: [
+ ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.vendor}",
+ ],
+ stem: "vendor_file_contexts",
+ recovery: true,
}
file_contexts {
name: "system_ext_file_contexts",
srcs: [":file_contexts_files{.system_ext_private}"],
system_ext_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "system_ext_file_contexts.recovery",
+ srcs: [":file_contexts_files{.system_ext_private}"],
+ stem: "system_ext_file_contexts",
+ recovery: true,
}
file_contexts {
name: "product_file_contexts",
srcs: [":file_contexts_files{.product_private}"],
product_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "product_file_contexts.recovery",
+ srcs: [":file_contexts_files{.product_private}"],
+ stem: "product_file_contexts",
+ recovery: true,
}
file_contexts {
name: "odm_file_contexts",
srcs: [":file_contexts_files{.odm}"],
device_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "odm_file_contexts.recovery",
+ srcs: [":file_contexts_files{.odm}"],
+ stem: "odm_file_contexts",
+ recovery: true,
}
hwservice_contexts {
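Review bot: Each new `.recovery` module repeats the `srcs` list of its base module (for example `vendor_file_contexts.recovery` and `vendor_file_contexts`), and nothing ties the two copies together. The `sepolicy_test` genrule added in this commit references only the base modules, so if the lists drift the recovery file_contexts would be installed without having been checked. A comment on each copy, such as `// srcs must stay identical to vendor_file_contexts; sepolicy_test only checks that module.`, would flag this for later editors. It is also worth confirming that consumers of the former recovery variants resolve to the new module names, since no consumer is updated in the visible diff. The first module touched here starts outside the hunk.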