sepolicy: build error if non-platform classes present

Error out if we detect that there is a security_classes or
access_vectors file outside of system/sepolicy.

Of course, this test can't enforce any requirements, as it's not part of
CTS. But it can still serve as an early signal.

Fixes: 142153384
Test: add access_vectors to device policy, observe build error
Change-Id: Ib94b7f85e184340de8ec7943c8da88a0af3427e8
diff --git a/Android.mk b/Android.mk
index 5f35f53..233d20d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -145,6 +145,16 @@
                         genfs_contexts \
                         port_contexts
 
+# Security classes and permissions defined outside of system/sepolicy.
+security_class_extension_files := $(call build_policy, security_classes access_vectors, \
+  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
+  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+
+ifneq (,$(strip $(security_class_extension_files)))
+  $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files)))
+endif
+
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
   # Checks if there are public system_ext policy files.
   policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
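Review bot: The new guard on `security_class_extension_files` only inspects the six directory variables spelled out in its `build_policy` call, so a policy directory added later under a different variable would bypass the check silently. The list is maintained by hand, and nothing in the hunk ties it to the directory lists the policy build actually consumes. Whether legacy board-level variables are already folded into `BOARD_VENDOR_SEPOLICY_DIRS` before this point is not visible here and is worth confirming. The comment above the assignment says what the variable holds but not why a match is fatal; I would extend it along the lines of `# Classes and permissions must come from system/sepolicy only; keep this list in sync with every non-platform policy dir.` The `$(error ...)` text prints the offending paths but no remedy, so it could end with something like `; remove these files from the device policy`.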