Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / e3f4f77d3924982c23ce4c1dbc43360a1c895938^! / . / Android.mk
commite3f4f77d3924982c23ce4c1dbc43360a1c895938[log] [tgz]
authorTri Vo <trong@google.com>Fri Sep 28 17:21:08 2018 -0700
committerTri Vo <trong@google.com>Fri Sep 28 17:22:25 2018 -0700
tree438336736f776dd5886644f7bcfb00474c0397be
parentda427a33c95fc0d0f3e002f04eb9e10fcc2b6442 [diff] [blame]
Don't require private types in mapping file.

Private types are not visible to vendor/odm policy, so we don't need mapping
entries for them.

We build platform-only public policy .cil file and give it as input to
treble_sepolicy_tests. Using this public policy the test can now figure out if
the newly added type in public or private.

Bug: 116344577
Test: adding public type triggers mapping test failure, adding private type does
not.
Change-Id: I421f335e37274b24aa73109e260653d7b73788b5

diff --git a/Android.mk b/Android.mk
index 0359776..4368e48 100644
--- a/Android.mk
+++ b/Android.mk

@@ -1610,6 +1610,27 @@
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
 
+base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf
+$(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(BASE_PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+	$(transform-policy-to-conf)
+
+base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil
+$(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf)
+$(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
+	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
+
 all_fc_files := $(built_plat_fc) $(built_vendor_fc)
 ifdef BOARD_ODM_SEPOLICY_DIRS
 all_fc_files += $(built_odm_fc)
@@ -1630,6 +1651,7 @@
 BASE_PLAT_PUBLIC_POLICY :=
 BASE_PLAT_PRIVATE_POLICY :=
 base_plat_policy.conf :=
+base_plat_pub_policy.conf :=
 plat_sepolicy :=
 
 endif # ($(PRODUCT_SEPOLICY_SPLIT),true)