Separate system_ext_seapp_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I2c2acbcf234861feb39834c867a4eb74c506692d
diff --git a/Android.mk b/Android.mk
index d4f09c4..092d568 100644
--- a/Android.mk
+++ b/Android.mk
@@ -317,6 +317,7 @@
system_ext_file_contexts \
system_ext_file_contexts_test \
system_ext_mapping_file \
+ system_ext_seapp_contexts \
endif
diff --git a/private/file_contexts b/private/file_contexts
index 8d4e6bc..a6c4edd 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -423,6 +423,7 @@
/(system_ext|system/system_ext)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts u:object_r:file_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
#############################
# Vendor files from /(product|system/product)/vendor_overlay
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
index 9c22099..462fa27 100644
--- a/seapp_contexts.mk
+++ b/seapp_contexts.mk
@@ -19,6 +19,29 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := system_ext_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+system_ext_sc_files := $(call build_policy, seapp_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(system_ext_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(system_ext_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+ @mkdir -p $(dir $@)
+ $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
+
+system_ext_sc_files :=
+plat_sc_neverallow_files :=
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := product_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -50,7 +73,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
@@ -73,7 +96,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files)