Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / d9745f3dec53e9df1a944982d3cdc00510bffb54^! / .
commitd9745f3dec53e9df1a944982d3cdc00510bffb54[log] [tgz]
authorAlex Klyubin <klyubin@google.com>Thu Apr 13 13:28:35 2017 -0700
committerAlex Klyubin <klyubin@google.com>Thu Apr 13 14:17:32 2017 -0700
treef0f611aac95b2fd4d2b6bde19497cc3207a96277
parent4641f67215e0851fd8961be087e62917a9f2ab03 [diff]
Unbreak user builds

This unbreaks user builds broken by recently landed changes to secilc
which is now aggressively removing attributes which aren't used in
allow rules, even when they are used in other places, such as being
referenced from *_contexts files.

User builds are broken by vndservice_manager_type not being found when
checkfc is run for *vndservice_contexts targets.

Test: On a clean user build: mmma system/sepolicy
Bug: 37319524
Bug: 36508258
Change-Id: I4a1727a74122ecd9020c3831462d56a65ee6d304

diff --git a/public/domain.te b/public/domain.te
index 91e1671..9c591db 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -214,7 +214,12 @@
 
 # TODO(b/34454312) remove this when the correct policy is in place
 allow domain default_android_hwservice:hwservice_manager { add find };
-allow domain hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
 
 ###
 ### neverallow rules

diff --git a/public/te_macros b/public/te_macros
index b931f1e..beec546 100644
--- a/public/te_macros
+++ b/public/te_macros

@@ -509,8 +509,7 @@
 # others from adding it.
 define(`add_hwservice', `
   allow $1 $2:hwservice_manager { add find };
-# TODO(b/34454312): Uncomment the neverallow once issues on user builds are resolved
-#  neverallow { domain -$1 } $2:hwservice_manager add;
+  neverallow { domain -$1 } $2:hwservice_manager add;
 ')
 
 ##########################################