Ensure vendor seapp contexts can't use coredomain
Bug: 280547417
Test: build
Change-Id: Iadff17523767f91f073c6569400e17f1da55fbdc
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 2416dc9..644a2dd 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -434,12 +434,16 @@
Text("|| true)") // to make ninja happy even when result is empty
rule.Temporary(neverallowFile)
- rule.Command().BuiltTool("checkseapp").
+ checkCmd := rule.Command().BuiltTool("checkseapp").
FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
FlagWithOutput("-o ", ret).
Inputs(inputs).
Input(neverallowFile)
+ if ctx.SocSpecific() || ctx.DeviceSpecific() {
+ checkCmd.Flag("-c") // check coredomain
+ }
+
rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
return ret
}
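Review bot: The `-c` flag added by `checkCmd.Flag("-c")` lands after the positional inputs (`Inputs(inputs)` and `Input(neverallowFile)`), so the coredomain check only runs if checkseapp's option parser accepts options after operands. That parser is not visible in this hunk; if it stops at the first non-option argument, the flag would not be read as an option and vendor/odm contexts could go unchecked without an obvious build signal. Ending the chain at `FlagWithOutput("-o ", ret)`, running the `if`, and then calling `checkCmd.Inputs(inputs).Input(neverallowFile)` removes that dependency. The comment could also say why the check is partition-gated, e.g. `// -c: vendor/odm seapp_contexts must not use coredomain`. The enclosing function starts above the hunk.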