Merge "sepolicy: build error if non-platform classes present"
diff --git a/Android.mk b/Android.mk
index d63d937..c4d6fd3 100644
--- a/Android.mk
+++ b/Android.mk
@@ -145,6 +145,16 @@
                         genfs_contexts \
                         port_contexts
 
+# Security classes and permissions defined outside of system/sepolicy.
+security_class_extension_files := $(call build_policy, security_classes access_vectors, \
+  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
+  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+
+ifneq (,$(strip $(security_class_extension_files)))
+  $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files)))
+endif
+
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
   # Checks if there are public system_ext policy files.
   policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
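Review bot: The new guard is expanded immediately where it stands (`:=` on `security_class_extension_files`, then a parse-time `ifneq`/`$(error)`), so it only inspects the directories already held in the SYSTEM_EXT, PRODUCT, `BOARD_VENDOR_SEPOLICY_DIRS` and `BOARD_ODM_SEPOLICY_DIRS` variables when this line is read. Whether any of them is appended to further down the file cannot be seen from this hunk; if one is, `security_classes` or `access_vectors` files in those directories would not trigger the error. I would record the ordering requirement in the comment above the assignment, e.g. `# Evaluated immediately: keep below the last assignment to the policy directory variables checked here.` The error text could also tell a device maintainer what to do, for instance by ending with `; remove these files from the listed directories`. `build_policy` is defined outside the hunk, so the assumption that it selects files by name in the given directories rests on its use in the context line below and should be confirmed.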