commit 7c4150c5d23e660e6e4ed72294973d365d04b86b
author Bowgo Tsai <bowgotsai@google.com> Fri Oct 04 15:36:05 2019 +0800
committer Bowgo Tsai <bowgotsai@google.com> Fri Oct 04 08:27:58 2019 +0000
tree a91e48e663bd7c204181ee65b4c192b2cd81f986
parent ac3812518ca9dc23832243becf57c32bc6a12697

Allowing product sepolicy to be empty

Some targets just need to extend product context files, e.g.,
file_contexts, service_contexts, etc., without adding any
product-specific policy files, e.g., *.te files. Or just need to
add private product sepolicy without adding public product sepolicy.

Currently, this will lead to build errors. This CL allows
product_sepolicy.cil and the product mapping file to be empty.

It's now also possible to just set PRODUCT_PRIVATE_POLICY
without setting PRODUCT_PUBLIC_POLICY.

Bug: 131193755
Test: Only adds product private sepolicy, then `mmma system/sepolicy`
Change-Id: Ifed5af7413b2a1e20a0628518582615708c8c31a

Android.mk

diff --git a/Android.mk b/Android.mk
index 7a1340b..dfc25a1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -68,7 +68,7 @@
 # it so that if no product partition is present, product sepolicy artifacts are
 # not built and installed at all.
 ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
-HAS_PRODUCT_SEPOLICY := true
+HAS_PRODUCT_SEPOLICY_DIR := true
 endif
 
 # TODO: move to README when doing the README update and finalizing versioning.
@@ -158,6 +158,19 @@
   endif
 endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
 
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+  # Checks if there are public product policy files.
+  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY))
+  ifneq (,$(strip $(policy_files)))
+    HAS_PRODUCT_PUBLIC_SEPOLICY := true
+  endif
+  # Checks if there are public/private product policy files.
+  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+  ifneq (,$(strip $(policy_files)))
+    HAS_PRODUCT_SEPOLICY := true
+  endif
+endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
+
 # CIL files which contain workarounds for current limitation of human-readable
 # module policy language. These files are appended to the CIL files produced
 # from module language files.
@@ -348,8 +361,15 @@
 endif
 
 ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_sepolicy.cil
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_mapping_file
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
 LOCAL_REQUIRED_MODULES += \
-    product_sepolicy.cil \
     product_file_contexts \
     product_file_contexts_test \
     product_hwservice_contexts \
@@ -360,7 +380,6 @@
     product_service_contexts \
     product_service_contexts_test \
     product_mac_permissions.xml \
-    product_mapping_file \
 
 endif
 
@@ -852,7 +871,7 @@
 #################################
 include $(CLEAR_VARS)
 
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
 LOCAL_MODULE := product_mapping_file
 LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
 LOCAL_MODULE_CLASS := ETC
@@ -873,7 +892,7 @@
 		-f $(PRIVATE_FILTER_CIL_FILES) -t $@
 
 built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
-endif # HAS_PRODUCT_SEPOLICY
+endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
 
 #################################
 include $(CLEAR_VARS)
@@ -1045,10 +1064,11 @@
 endif
 
 ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
-    $(built_product_cil) \
-    $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
 
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
 endif
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1203,10 +1223,11 @@
 endif
 
 ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
-    $(built_product_cil) \
-    $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
 
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
 endif
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1348,7 +1369,7 @@
 local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
 endif
 
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
 local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
 endif
 
@@ -1485,7 +1506,7 @@
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
 all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
 endif
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
 all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
 endif
 ifdef BOARD_ODM_SEPOLICY_DIRS

compat.mk

diff --git a/compat.mk b/compat.mk
index 9c4fa79..5e6dc41 100644
--- a/compat.mk
+++ b/compat.mk
@@ -27,10 +27,11 @@
 endif
 
 ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
-    $(built_product_cil) \
-    $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
 
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
 endif
 
 ifdef BOARD_ODM_SEPOLICY_DIRS

contexts_tests.mk

diff --git a/contexts_tests.mk b/contexts_tests.mk
index a78216a..da5dd83 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -213,7 +213,7 @@
 
 ##################################
 
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
 
 pc_files += $(product_out)/product_property_contexts