Move sepolicy and recovery from on-device tree and add dependency.
Prevent sepolicy and sepolicy.recovery from showing up in the root
filesystem when they will not be created as part of it. Also make
sure both are added as dependencies to version_policy to ensure the
neverallow checks are run.
Bug: 31363362
Test: Builds and boots, including recovery, without additional
denials. Neverallow violations still caught at build time.
Change-Id: I39e3cbc150551c9316952523927d057538cd00a7
diff --git a/Android.mk b/Android.mk
index bd29271..ff7420a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -338,7 +338,7 @@
LOCAL_MODULE := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+LOCAL_MODULE_PATH := $(TARGET_OUT_INTERMEDIATES)
include $(BUILD_SYSTEM)/base_rules.mk
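Review bot: The new `LOCAL_MODULE_PATH := $(TARGET_OUT_INTERMEDIATES)` line has no comment saying why a module is "installed" into the intermediates directory, and the same applies to the identical change in the `sepolicy.recovery` hunk at -525. A maintainer could read it as a mistake and point it back at the root filesystem, so I would add `# Not shipped on device: built only so the neverallow checks run at build time.` above both assignments. Since both modules stay `LOCAL_MODULE_TAGS := optional`, they presumably build only when something depends on them, which makes that dependency the thing that keeps the checks enforced. The module definitions start above these hunks.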
@@ -525,7 +525,7 @@
LOCAL_MODULE := sepolicy.recovery
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+LOCAL_MODULE_PATH := $(TARGET_OUT_INTERMEDIATES)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -548,6 +548,7 @@
fi
$(hide) mv $@.tmp $@
+built_sepolicy.recovery := $(LOCAL_BUILT_MODULE)
all_cil_files.recovery :=
##################################
@@ -916,7 +917,8 @@
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_sepolicy.recovery) $(built_pc) \
+$(built_fc) $(built_sc) $(built_svc)
@mkdir -p $(dir $@)
$(hide) echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@
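Review bot: The prerequisite list on `$(LOCAL_BUILT_MODULE)` is now the only visible thing that forces `sepolicy` and `sepolicy.recovery` to be built, and nothing in the rule says so. Going by the commit message, these two prerequisites exist to run the neverallow checks, not because the fingerprint file needs their contents; if this target is ever dropped or its list trimmed, the checks would appear to stop running with no build error. I would add `# $(built_sepolicy) and $(built_sepolicy.recovery) are listed only to force their neverallow checks; do not remove.` above the rule. If the rule sits inside a conditional outside this hunk, it is worth confirming the checks still run in every product configuration. The recipe continues past the end of the hunk.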
@@ -932,6 +934,7 @@
built_pc :=
built_sc :=
built_sepolicy :=
+built_sepolicy.recovery :=
built_svc :=
mapping_policy_nvr :=
mapping_policy_nvr.recovery :=