Include correct type of SELinux policy

This makes the build system include split SELinux policy (three CIL
files and the secilc compiler needed to compile them) if
PRODUCT_FULL_TREBLE is set to true. Otherwise, the monolitic SELinux
policy is included.

Split policy currently adds around 400 ms to boot time (measured on
marlin/sailfish and bullhead) because the policy needs to be compiled
during boot. This is the main reason why we include split policy only
on devices which require it.

Test: Device boots, no additional SELinux denials. This test is
      performed on a device with PRODUCT_FULL_TREBLE set to true, and
      on a device with PRODUCT_FULL_TREBLE set to false.
Test: Device with PRODUCT_FULL_TREBLE set to true contains secilc and
      the three *.cil files, but does not contain the sepolicy file.
      Device with PRODUCT_FULL_TREBLE set to false contains sepolicy
      file but does not contain the secilc file or any *.cil files.
Bug: 31363362

Change-Id: I419aa35bad6efbc7f936bddbdc776de5633846fc

init/Android.mk

@@ -107,6 +107,24 @@ LOCAL_STATIC_LIBRARIES := \
     libnl \
     libavb
 
+# Include SELinux policy. We do this here because different modules
+# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# type of conditional inclusion cannot be done in top-level files such
+# as build/target/product/embedded.mk.
+# This conditional inclusion closely mimics the conditional logic
+# inside init/init.cpp for loading SELinux policy from files.
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+# Use split SELinux policy
+LOCAL_REQUIRED_MODULES += \
+    mapping_sepolicy.cil \
+    nonplat_sepolicy.cil \
+    plat_sepolicy.cil \
+    secilc
+else
+# Use monolithic SELinux policy
+LOCAL_REQUIRED_MODULES += sepolicy
+endif
+
 # Create symlinks.
 LOCAL_POST_INSTALL_CMD := $(hide) mkdir -p $(TARGET_ROOT_OUT)/sbin; \
     ln -sf ../init $(TARGET_ROOT_OUT)/sbin/ueventd; \