Separate system_ext_file_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I09f63771d08ad18fb41fca801dd587b086be58c7
diff --git a/Android.bp b/Android.bp
index e1b57a5..5dd8628 100644
--- a/Android.bp
+++ b/Android.bp
@@ -199,6 +199,13 @@
}
file_contexts {
+ name: "system_ext_file_contexts",
+ srcs: [":file_contexts_files"],
+ system_ext_specific: true,
+ recovery_available: true,
+}
+
+file_contexts {
name: "product_file_contexts",
srcs: [":file_contexts_files"],
product_specific: true,
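Review bot: The new `system_ext_file_contexts` module has no comment saying which on-device consumer reads the installed file, and that matters because the entries it carries are removed from the platform file in `build/soong/selinux_contexts.go`. If the runtime file_contexts loader is not also taught to open `/system_ext/etc/selinux/system_ext_file_contexts` (nothing in this change shows that), paths covered only by system_ext policy would be labelled by whatever broader platform entry matches them. A short comment above the module, e.g. `// Installed to system_ext/etc/selinux; must be in the runtime file_contexts search path`, would record the dependency. The `product_file_contexts` block that follows continues past the end of the hunk.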
diff --git a/Android.mk b/Android.mk
index 6ab494b..d4f09c4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -314,6 +314,8 @@
ifdef HAS_SYSTEM_EXT_SEPOLICY
LOCAL_REQUIRED_MODULES += \
system_ext_sepolicy.cil \
+ system_ext_file_contexts \
+ system_ext_file_contexts_test \
system_ext_mapping_file \
endif
@@ -1313,6 +1315,10 @@
local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
+endif
+
ifdef HAS_PRODUCT_SEPOLICY
local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
endif
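Review bot: The order in which `local_fc_files` is assembled is significant and the new block does not document it. file_contexts lookup generally prefers the later of two matching entries, so if these files are concatenated into one output, a system_ext entry appended after the platform ones can take precedence over a platform label for the same path. A comment above the new `ifdef`, such as `# Order matters: later entries win, so system_ext must only label paths under system_ext`, would make the constraint explicit. The `all_fc_files` hunk further down uses a different order (plat, vendor, system_ext, product); whether that matters depends on its consumer, which is outside the hunk.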
@@ -1447,6 +1453,9 @@
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
+endif
ifdef HAS_PRODUCT_SEPOLICY
all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
endif
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 020357a..6259c9a 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -142,9 +142,10 @@
inputs = append(inputs, segroup.VendorSrcs()...)
} else if ctx.DeviceSpecific() {
inputs = append(inputs, segroup.OdmSrcs()...)
+ } else if ctx.SystemExtSpecific() {
+ inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
} else {
inputs = append(inputs, segroup.SystemPrivateSrcs()...)
- inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
if ctx.Config().ProductCompatibleProperty() {
inputs = append(inputs, segroup.SystemPublicSrcs()...)
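Review bot: Removing `segroup.SystemExtPrivateSrcs()` from the final `else` branch changes the inputs of every contexts module that reaches this code, not only `file_contexts`. The enclosing function starts and ends outside the hunk, so this is inferred: if it is shared by the property, service and hwservice contexts module types, their platform outputs lose the system_ext private entries, while this commit adds only a `system_ext_file_contexts` module to carry them. Entries dropped that way would fall back to default labels on the device. Either add the matching `system_ext_*` modules in the same change or keep the old merge for the other context types. The new branch would also benefit from a comment such as `// system_ext sources are built into their own module and no longer merged into the platform output`.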
diff --git a/contexts_tests.mk b/contexts_tests.mk
index 5756d8f..a549b3f 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -30,6 +30,7 @@
endef
system_out := $(TARGET_OUT)/etc/selinux
+system_ext_out := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
product_out := $(TARGET_OUT_PRODUCT)/etc/selinux
vendor_out := $(TARGET_OUT_VENDOR)/etc/selinux
odm_out := $(TARGET_OUT_ODM)/etc/selinux
@@ -49,6 +50,17 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := system_ext_file_contexts_test
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_file_contexts, $(checkfc),))
+
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := product_file_contexts_test
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
diff --git a/private/file_contexts b/private/file_contexts
index 1e9549c..8d4e6bc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -422,6 +422,8 @@
/(system_ext|system/system_ext)/etc/passwd u:object_r:system_passwd_file:s0
/(system_ext|system/system_ext)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts u:object_r:file_contexts_file:s0
+
#############################
# Vendor files from /(product|system/product)/vendor_overlay
#