Preserve treble-only flag for CTS neverallows

CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices we not included into
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.

This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.

This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.

Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf

1 files changed, 4 insertions, 21 deletions

diff --git a/Android.mk b/Android.mk
index 3f691e90..025347e2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -648,6 +648,9 @@ mapping_policy_nvr.recovery :=
 nonplat_policy_nvr.recovery :=
 
 ##################################
+# SELinux policy embedded into CTS.
+# CTS checks neverallow rules of this policy against the policy of the device under test.
+##################################
 include $(CLEAR_VARS)
 
 LOCAL_MODULE := general_sepolicy.conf
@@ -667,28 +670,10 @@ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
                 -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
                 -D target_arch=$(PRIVATE_TGT_ARCH) \
                 -D target_with_asan=false \
+                -D target_full_treble=cts \
                 -s $^ > $@
         $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
-built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE)
-exp_sepolicy_build_files :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy.general
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
-$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
-        @mkdir -p $(dir $@)
-        $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
-
-built_general_sepolicy := $(LOCAL_BUILT_MODULE)
-
 ##################################
 # TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
 #
@@ -1164,8 +1149,6 @@ build_device_policy :=
 build_policy :=
 built_plat_fc :=
 built_nonplat_fc :=
-built_general_sepolicy :=
-built_general_sepolicy.conf :=
 built_nl :=
 built_plat_cil :=
 built_mapping_cil :=