From b51f9abf45a58c1ec3a1917eb19b9b8bc6886b8f Mon Sep 17 00:00:00 2001 From: Alex Klyubin Date: Thu, 2 Mar 2017 12:53:32 -0800 Subject: [PATCH] Include correct type of SELinux policy This makes the build system include split SELinux policy (three CIL files and the secilc compiler needed to compile them) if PRODUCT_FULL_TREBLE is set to true. Otherwise, the monolitic SELinux policy is included. Split policy currently adds around 400 ms to boot time (measured on marlin/sailfish and bullhead) because the policy needs to be compiled during boot. This is the main reason why we include split policy only on devices which require it. Test: Device boots, no additional SELinux denials. This test is performed on a device with PRODUCT_FULL_TREBLE set to true, and on a device with PRODUCT_FULL_TREBLE set to false. Test: Device with PRODUCT_FULL_TREBLE set to true contains secilc and the three *.cil files, but does not contain the sepolicy file. Device with PRODUCT_FULL_TREBLE set to false contains sepolicy file but does not contain the secilc file or any *.cil files. Bug: 31363362 Change-Id: I419aa35bad6efbc7f936bddbdc776de5633846fc
--- init/Android.mk | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
diff --git a/init/Android.mk b/init/Android.mk
index 18cbedcd1..2fc6f19fc 100644
--- a/init/Android.mk
+++ b/init/Android.mk
@@ -107,6 +107,24 @@ LOCAL_STATIC_LIBRARIES := \
 libnl \
 libavb
+# Include SELinux policy. We do this here because different modules
+# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# type of conditional inclusion cannot be done in top-level files such
+# as build/target/product/embedded.mk.
+# This conditional inclusion closely mimics the conditional logic
+# inside init/init.cpp for loading SELinux policy from files.
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+# Use split SELinux policy
+LOCAL_REQUIRED_MODULES += \
+ mapping_sepolicy.cil \
+ nonplat_sepolicy.cil \
+ plat_sepolicy.cil \
+ secilc
+else
+# Use monolithic SELinux policy
+LOCAL_REQUIRED_MODULES += sepolicy
+endif
+
 # Create symlinks.
 LOCAL_POST_INSTALL_CMD := $(hide) mkdir -p $(TARGET_ROOT_OUT)/sbin; \
 ln -sf ../init $(TARGET_ROOT_OUT)/sbin/ueventd; \
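Review bot: The branch selection compares the raw value of `PRODUCT_FULL_TREBLE`, so a value that carries stray whitespace, or a variable that is never set, silently falls through to the monolithic `sepolicy` branch, and a Treble device would then be built without the three `.cil` files and `secilc` that its init path needs; `ifeq ($(strip $(PRODUCT_FULL_TREBLE)),true)` removes the whitespace case, and the unset case deserves a sentence in the comment block since the build gives no signal of the mismatch. The comment says the list mirrors init/init.cpp, but nothing in this hunk ties the four module names to the file paths init opens, so a rename on either side would only surface at boot as a missing policy; a line such as `# Keep this module list in sync with the policy file paths loaded by init/init.cpp` next to the `ifeq` would make that coupling explicit. The `LOCAL_STATIC_LIBRARIES` assignment this hunk is appended to starts before the hunk, and the `LOCAL_POST_INSTALL_CMD` recipe continues after it.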