Separate product_service_contexts out of system sepolicy. Bug: 119305624 Test: normal/recovery boot aosp_taimen Change-Id: I15aa275fa658b58f5a5d3e651d164f9fcd87c0af

commit: 6ac0896b90700fc7a355dbb5beaf278a94bb175b [log] [tgz]
author: Tri Vo <trong@google.com> Fri Dec 21 12:28:14 2018 -0800
committer: Tri Vo <trong@google.com> Tue Jan 08 09:49:30 2019 -0800
tree: b40833a9dd3faf5ad29d3fdce1ea11bcda95249a
parent: 3507678d2e78cb19fa4a1df21cf034fcbfa9a7f7 [diff] [blame]
diff --git a/Android.mk b/Android.mk
index a17cc50..1d7cecb 100644
--- a/Android.mk
+++ b/Android.mk

@@ -289,6 +289,7 @@
     product_hwservice_contexts \
     product_property_contexts \
     product_seapp_contexts \
+    product_service_contexts \
 
 endif
 include $(BUILD_PHONY_PACKAGE)
@@ -1493,8 +1494,7 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-# TODO(b/119305624): Move product-specific sepolicy out of plat_service_contexts.
-plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY))
 
 plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp
 $(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
@@ -1514,6 +1514,34 @@
 plat_service_contexts.tmp :=
 
 ##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_svcfiles := $(call build_policy, service_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_service_contexts.tmp := $(intermediates)/product_service_contexts.tmp
+$(product_service_contexts.tmp): PRIVATE_SVC_FILES := $(product_svcfiles)
+$(product_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_service_contexts.tmp): $(product_svcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+product_svcfiles :=
+product_service_contexts.tmp :=
+
+##################################
 # nonplat_service_contexts is only allowed on non-full-treble devices
 ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
commit	6ac0896b90700fc7a355dbb5beaf278a94bb175b	[log] [tgz]
author	Tri Vo <trong@google.com>	Fri Dec 21 12:28:14 2018 -0800
committer	Tri Vo <trong@google.com>	Tue Jan 08 09:49:30 2019 -0800
tree	b40833a9dd3faf5ad29d3fdce1ea11bcda95249a
parent	3507678d2e78cb19fa4a1df21cf034fcbfa9a7f7 [diff] [blame]