Make sure platform policy builds with compatible versions.
Platform SELinux policy may be updated without a corresponding
update to non-platform policy. This is meant to be accomplished by
maintaining a compatibility mapping file which will be built along
with the current platform policy to link older non-platform policy.
Introduce an example vendor policy built from 26.0 public policy and
make sure that the current platform policy and mapping file, for that
version, build with it. Add this as a dependency for the
selinux_treble_tests, which are meant to ensure treble properties,
ultimately to provide this compatibility guarantee.
Bug: 36899958
Test: Current platform policy builds with oc-dev vendor policy and
oc-dev mapping file. Removed private type with no effect. Removed
public type without corresponding mapping entry causes build to fail.
Change-Id: I7994ed651352e2da632fc91e598f819b64c05753
diff --git a/Android.mk b/Android.mk
index e9f8853..b3c90de 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1185,22 +1185,38 @@
ifeq ($(PRODUCT_FULL_TREBLE),true)
include $(CLEAR_VARS)
# For Treble builds run tests verifying that processes are properly labeled and
-# permissions granted do not violate the treble model.
+# permissions granted do not violate the treble model. Also ensure that treble
+# compatibility guarantees are upheld between SELinux version bumps.
LOCAL_MODULE := treble_sepolicy_tests
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests
include $(BUILD_SYSTEM)/base_rules.mk
+# 26.0_compat - the current plat_sepolicy.cil built
+# with the compatibility file targeting the 26.0
+# SELinux release.
+26.0_compat := $(intermediates)/26.0_compat
+26.0_mapping_cil := $(LOCAL_PATH)/prebuilts/api/26.0/26.0.cil
+26.0_nonplat := $(LOCAL_PATH)/prebuilts/api/26.0/nonplat_sepolicy.cil
+$(26.0_compat): PRIVATE_CIL_FILES := \
+$(built_plat_cil) $(26.0_mapping_cil) $(26.0_nonplat)
+$(26.0_compat): $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(26.0_mapping_cil) $(26.0_nonplat)
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) \
+ $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
+
treble_sepolicy_tests := $(intermediates)/treble_sepolicy_tests
$(treble_sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
$(treble_sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
$(treble_sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
$(treble_sepolicy_tests): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests.py \
-$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy)
+$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy) $(26.0_compat)
@mkdir -p $(dir $@)
$(hide) python $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests.py -l $(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
$(hide) touch $@
+
+26.0_compat :=
endif # ($(PRODUCT_FULL_TREBLE),true)
#################################