Add permissive_domains_on_user_builds to se_policy_binary
In Android, we don't allow any domain to be permissive in user builds.
However, in Microdroid permissive domains should be allowed even in user
builds because fully debuggable VMs (where adb root is supported) can be
created there.
This change adds a new property `permissive_domains_on_user_builds` to
the `se_policy_binary` module as a controlled way of adding exceptions
to the enforcement.
Bug: 259729287
Test: m. This CL doesn't add any exception.
Change-Id: I2ae240e92dfdeadd827f027534e3e11ce4534240
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4161bb3..aea8e09 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -456,6 +456,9 @@
// Whether this module is directly installable to one of the partitions. Default is true
Installable *bool
+
+ // List of domains that are allowed to be in permissive mode on user builds.
+ Permissive_domains_on_user_builds []string
}
type policyBinary struct {
@@ -512,11 +515,19 @@
// permissive check is performed only in user build (not debuggable).
if !ctx.Config().Debuggable() {
permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
- rule.Command().BuiltTool("sepolicy-analyze").
+ cmd := rule.Command().BuiltTool("sepolicy-analyze").
Input(bin).
- Text("permissive").
- Text(" > ").
- Output(permissiveDomains)
+ Text("permissive")
+ // Filter-out domains listed in permissive_domains_on_user_builds
+ allowedDomains := c.properties.Permissive_domains_on_user_builds
+ if len(allowedDomains) != 0 {
+ cmd.Text("| { grep -Fxv")
+ for _, d := range allowedDomains {
+ cmd.FlagWithArg("-e ", proptools.ShellEscape(d))
+ }
+ cmd.Text(" || true; }") // no match doesn't fail the cmd
+ }
+ cmd.Text(" > ").Output(permissiveDomains)
rule.Temporary(permissiveDomains)
msg := `==========\n` +