commit a3429fcc2bae73174a9d0fa833014490e8c338c6
author Bowgo Tsai <bowgotsai@google.com> Mon Sep 09 22:05:49 2019 +0800
committer Bowgo Tsai <bowgotsai@google.com> Thu Sep 26 21:29:36 2019 +0800
tree 4edbaaf4d7204f8c11ce830533bcb76989f62d87
parent 9823116355b6289bcd60a687b86e94e939674087

Separate system_ext_mac_permissions.xml out of system sepolicy.

Bug: 137712473
Test: boot crosshatch
Test: Moving product sepolicy to system_ext and checks the file contents in
      /system_ext/etc/selinux are identical to previous contents in
      /product/etc/selinux.
Change-Id: I434e7f23a1ae7d01d084335783255330329c44e9

Android.mk

diff --git a/Android.mk b/Android.mk
index f8b6803..9d04e93 100644
--- a/Android.mk
+++ b/Android.mk
@@ -323,6 +323,7 @@
     system_ext_seapp_contexts \
     system_ext_service_contexts \
     system_ext_service_contexts_test \
+    system_ext_mac_permissions.xml \
     system_ext_mapping_file \
 
 endif

mac_permissions.mk

diff --git a/mac_permissions.mk b/mac_permissions.mk
index 3a28197..3bcff95 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -7,7 +7,7 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_plat_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+all_plat_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
 all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
 
 # Build keys.conf
@@ -38,6 +38,37 @@
 ##################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := system_ext_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+all_system_ext_mac_perms_keys := $(call build_policy, keys.conf, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+all_system_ext_mac_perms_files := $(call build_policy, mac_permissions.xml, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+
+# Build keys.conf
+system_ext_mac_perms_keys.tmp := $(intermediates)/system_ext_keys.tmp
+$(system_ext_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(system_ext_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_system_ext_mac_perms_keys)
+$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys)
+	@mkdir -p $(dir $@)
+	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_system_ext_mac_perms_files)
+	@mkdir -p $(dir $@)
+	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+system_ext_mac_perms_keys.tmp :=
+all_system_ext_mac_perms_files :=
+all_system_ext_mac_perms_keys :=
+
+##################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := product_mac_permissions.xml
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index aa620fa..eec4a18 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -422,11 +422,12 @@
 /(system_ext|system/system_ext)/etc/passwd          u:object_r:system_passwd_file:s0
 /(system_ext|system/system_ext)/overlay(/.*)?       u:object_r:vendor_overlay_file:s0
 
-/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts      u:object_r:file_contexts_file:s0
-/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts  u:object_r:property_contexts_file:s0
-/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts     u:object_r:seapp_contexts_file:s0
-/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts   u:object_r:service_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts        u:object_r:file_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts    u:object_r:property_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts       u:object_r:seapp_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts     u:object_r:service_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
 
 #############################
 # Vendor files from /(product|system/product)/vendor_overlay