Create new conditional userdebug_or_eng
Create a new m4 macro called userdebug_or_eng. Arguments
passed to this macro are only emitted if we're performing
a userdebug or eng build.
Merge shell.te and shell_user.te and eliminate duplicate
lines. Same for su.te and su_user.te
Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0
diff --git a/Android.mk b/Android.mk
index a3cd385..fa6cd78 100644
--- a/Android.mk
+++ b/Android.mk
@@ -10,14 +10,6 @@
MLS_SENS=1
MLS_CATS=1024
-ifeq ($(TARGET_BUILD_VARIANT),user)
- BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell.te
- BOARD_SEPOLICY_IGNORE+=external/sepolicy/su.te
-else
- BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell_user.te
- BOARD_SEPOLICY_IGNORE+=external/sepolicy/su_user.te
-endif
-
# Quick edge case error detection for BOARD_SEPOLICY_REPLACE.
# Builds the singular path for each replace file.
sepolicy_replace_paths :=
@@ -77,7 +69,7 @@
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
@mkdir -p $(dir $@)
- $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@
+ $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -D target_build_variant=$(TARGET_BUILD_VARIANT) -s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
$(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
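Review bot: The new `-D target_build_variant=$(TARGET_BUILD_VARIANT)` on the m4 line reads the global variable directly at recipe time, while the two MLS values on the same line come from target-specific PRIVATE_ variables bound just above; binding the variant the same way, `$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)` and `-D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT)`, keeps the recipe consistent. Separately, the variant is now baked into policy.conf but nothing in the prerequisite list changes with it, so if the output tree is shared between variants a policy.conf left over from an eng build would not be regenerated for a user build and would still carry the permissive shell/su rules. Recording the variant in a stamp file that `$(sepolicy_policy.conf)` depends on would make a variant switch invalidate the target. Whether the output directory is actually shared across variants is not visible here.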
diff --git a/shell.te b/shell.te
index 18c1dfc..6b9f996 100644
--- a/shell.te
+++ b/shell.te
@@ -9,7 +9,9 @@
# XXX Transition into its own domain?
app_domain(shell)
-# userdebug/eng shell is also permissive to permit setenforce.
-permissive shell;
+userdebug_or_eng(`
+ # userdebug/eng shell is also permissive to permit setenforce.
+ permissive shell;
+')
# inherits from shelldomain.te
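Review bot: The comment on the new `# userdebug/eng shell is also permissive to permit setenforce.` line now sits inside the quoted m4 argument of userdebug_or_eng, and if I read m4's scanner correctly a quoted string is read to its closing quote without honouring `#` comments, so an apostrophe in any comment inside the block (for example "don't") would end the argument early and either drop the remaining rules from the policy or break the m4 pass. The same applies to the comment lines inside the su.te block in this change. A one-line reminder at the macro definition or at each use would protect later edits, e.g. `# Text inside userdebug_or_eng(...) is an m4 quoted string: no apostrophes in comments.`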
diff --git a/shell_user.te b/shell_user.te
deleted file mode 100644
index ad30802..0000000
--- a/shell_user.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# Domain for shell processes spawned by ADB
-type shell, domain, shelldomain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
-
-# Create and use network sockets.
-net_domain(shell)
-
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
-# inherits from shelldomain.te
diff --git a/su.te b/su.te
index 2a3d007..b4b9f6d 100644
--- a/su.te
+++ b/su.te
@@ -1,13 +1,17 @@
-type su, domain;
+# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;
-domain_auto_trans(shell, su_exec, su)
-# Allow dumpstate to call su on userdebug / eng builds to collect
-# additional information.
-domain_auto_trans(dumpstate, su_exec, su)
+userdebug_or_eng(`
+ type su, domain;
+ domain_auto_trans(shell, su_exec, su)
-# su is unconfined.
-unconfined_domain(su)
+ # Allow dumpstate to call su on userdebug / eng builds to collect
+ # additional information.
+ domain_auto_trans(dumpstate, su_exec, su)
-# su is also permissive to permit setenforce.
-permissive su;
+ # su is unconfined.
+ unconfined_domain(su)
+
+ # su is also permissive to permit setenforce.
+ permissive su;
+')
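Review bot: `type su, domain;` is now inside userdebug_or_eng, so on a user build the `su` type is not declared at all, and any other policy file that names the `su` domain unconditionally (device-specific .te files, for instance) will fail checkpolicy on user builds with an undeclared-type error rather than silently getting weaker rules. That is the right fail-closed direction, but it is a new contract that su.te should state, e.g. a comment above the macro call: `# su exists only on userdebug/eng builds; any rule elsewhere that references su must also be inside userdebug_or_eng.` Keeping `type su_exec` outside the block, as done here, is what file_contexts needs on all variants.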
diff --git a/su_user.te b/su_user.te
deleted file mode 100644
index 6f936a0..0000000
--- a/su_user.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-
-# No allow rules
diff --git a/te_macros b/te_macros
index a05b7ac..9396e4f 100644
--- a/te_macros
+++ b/te_macros
@@ -321,3 +321,9 @@
# Non system_app application set
#
define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
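Review bot: The second argument of define is unquoted, so if I follow m4's evaluation order the ifelse is evaluated once when te_macros is read, and userdebug_or_eng becomes either the literal body `$1` or an empty definition depending on the value target_build_variant has at that moment; this works because Android.mk passes the value with -D before any input is read, but nothing in the file says so, and the header comment does not mention that any other value (unset, `user`, or a value with stray whitespace) makes the macro expand to nothing. Extend the header with `# Expands to its argument only when target_build_variant (passed by Android.mk via m4 -D) is exactly eng or userdebug; any other value, including unset, emits nothing.` Quoting the body, `define(`userdebug_or_eng', `ifelse(target_build_variant, `eng', `$1', ifelse(target_build_variant, `userdebug', `$1'))')`, would make the test happen at each use, which is the more conventional form and does not rely on -D ordering.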