Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 814f3deb9417d5ea93ebbb7d9a48c22e6b4c4ed5^! / .
commit814f3deb9417d5ea93ebbb7d9a48c22e6b4c4ed5[log] [tgz]
authorYi-Yo Chiang <yochiang@google.com>Sat Sep 11 19:24:22 2021 +0800
committerYi-Yo Chiang <yochiang@google.com>Fri Sep 17 20:27:28 2021 +0800
tree03de0fa6359c51c5bb157ccda6cc3425906a56cf
parent6e60287a1f73c4f792350f7c86dc7bb3e1d6d623 [diff]
Add system_ext_userdebug_plat_sepolicy.cil for GSI

system_ext_userdebug_plat_sepolicy.cil is a copy of
userdebug_plat_sepolicy.cil (debug_ramdisk) that's installed in the
system_ext partition.
The build rule is gated by a BoardConfig variable, so products other
than GSI cannot accidentally install this module.

Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
  gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I43adc6adad5e08dcc8e106d18fdacef962310883

diff --git a/Android.bp b/Android.bp
index 4d4fb99..a815d9d 100644
--- a/Android.bp
+++ b/Android.bp

@@ -792,6 +792,36 @@
     debug_ramdisk: true,
 }
 
+// A copy of the userdebug_plat_policy in GSI.
+soong_config_module_type {
+    name: "gsi_se_policy_cil",
+    module_type: "se_policy_cil",
+    config_namespace: "ANDROID",
+    bool_variables: [
+        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
+    ],
+    properties: [
+        "enabled",
+        "installable",
+    ],
+}
+
+gsi_se_policy_cil {
+    name: "system_ext_userdebug_plat_sepolicy.cil",
+    stem: "userdebug_plat_sepolicy.cil",
+    src: ":userdebug_plat_sepolicy.conf",
+    additional_cil_files: ["private/technical_debt.cil"],
+    system_ext_specific: true,
+    enabled: false,
+    installable: false,
+    soong_config_variables: {
+        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
+            enabled: true,
+            installable: true,
+        },
+    },
+}
+
 // system_ext_policy.conf - A combination of the private and public system_ext
 // policy which will ship with the device. System_ext policy is not attributized
 se_policy_conf {

diff --git a/private/file_contexts b/private/file_contexts
index 8849602..ed972c0 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -477,6 +477,7 @@
 /(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts       u:object_r:seapp_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts     u:object_r:service_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(system_ext|system/system_ext)/etc/selinux/userdebug_plat_sepolicy\.cil    u:object_r:sepolicy_file:s0
 
 /(system_ext|system/system_ext)/bin/aidl_lazy_test_server    u:object_r:aidl_lazy_test_server_exec:s0
 /(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0