Remove unnecessary recovery-related targets

Recovery should always use monolithic policy. Thus, we don't need split policy files *.recovery.cil. This commit removes these targets and rolls up the relevant parts of the targets into "sepolicy.recovery" which is the target which produces monolithic policy for recovery. Test: make clean && make sepolicy.recovery, then confirm that repolicy.recovery is identical to the one produced prior to this change. Test: Clean build, flash, device boots up fine, no new denials. Device also boots into recovery just fine, no denials. Bug: 31363362 Change-Id: I7f698abe1f17308f2f03f5ed1b727a8b071e94c7
author: Alex Klyubin 2017-03-10 11:36:07 -0600
committer: Alex Klyubin 2017-03-10 12:06:26 -0600
commit: 84aa74218421f8d2dbad1408ba114f680331ace0 (patch)
tree: 97670a915d3395b5ead94f21e275375ddab285e8 /Android.mk
parent: de41e81fa99ef8f6060d72544e1c76802419627b (diff)
download: system-sepolicy-84aa74218421f8d2dbad1408ba114f680331ace0.tar.gz
system-sepolicy-84aa74218421f8d2dbad1408ba114f680331ace0.tar.xz
system-sepolicy-84aa74218421f8d2dbad1408ba114f680331ace0.zip
1 files changed, 16 insertions, 81 deletions
diff --git a/Android.mk b/Android.mk
index 3975f769..39b97157 100644
--- a/Android.mk
+++ b/Android.mk
@@ -433,7 +433,18 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/se
 built_sepolicy := $(LOCAL_BUILT_MODULE)
 all_cil_files :=
-##################################
+#################################
+include $(CLEAR_VARS)
+# keep concrete sepolicy for neverallow checks
+LOCAL_MODULE := sepolicy.recovery
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+include $(BUILD_SYSTEM)/base_rules.mk
 plat_pub_policy.recovery.conf := $(intermediates)/plat_pub_policy.recovery.conf
 $(plat_pub_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(plat_pub_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -461,16 +472,6 @@ $(plat_pub_policy.recovery.conf) $(reqd_policy_mask.cil)
 plat_pub_policy.recovery.conf :=
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := plat_sepolicy.recovery.cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-include $(BUILD_SYSTEM)/base_rules.mk
 plat_policy.recovery.conf := $(intermediates)/plat_policy.recovery.conf
 $(plat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(plat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -493,29 +494,8 @@ $(plat_policy_nvr.recovery): $(plat_policy.recovery.conf) $(HOST_OUT_EXECUTABLES
        @mkdir -p $(dir $@)
        $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(plat_policy_nvr.recovery)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(plat_policy_nvr.recovery)
-        @mkdir -p $(dir $@)
-        # Strip out neverallow statements. They aren't needed on-device and their presence
-        # significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
-        # sailfish-eng).
-        grep -v '^(neverallow' $(PRIVATE_CIL_FILES) > $@
-        # Confirm that the resulting policy compiles
-        $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
-built_plat_cil.recovery := $(LOCAL_BUILT_MODULE)
 plat_policy.recovery.conf :=
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := mapping_sepolicy.recovery.cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-include $(BUILD_SYSTEM)/base_rules.mk
 # auto-generate the mapping file for current platform policy, since it needs to
 # track platform policy development
 current_mapping.recovery.cil := $(intermediates)/mapping/current.recovery.cil
@@ -531,25 +511,8 @@ mapping_policy_nvr.recovery := $(addsuffix /$(BOARD_SEPOLICY_VERS).recovery.cil,
 $(PLAT_PRIVATE_POLICY)/mapping)
 endif
-$(LOCAL_BUILT_MODULE): $(mapping_policy_nvr.recovery)
-        # Strip out neverallow statements. They aren't needed on-device and their presence
-        # significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
-        # sailfish-eng).
-        grep -v '^(neverallow' $< > $@
-built_mapping_cil.recovery := $(LOCAL_BUILT_MODULE)
 current_mapping.recovery.cil :=
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_sepolicy.recovery.cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-include $(BUILD_SYSTEM)/base_rules.mk
 # nonplat_policy.recovery.conf - A combination of the non-platform private,
 # vendor and the exported platform policy associated with the version the
 # non-platform policy targets.  This needs attributization and to be combined
@@ -590,35 +553,9 @@ $(HOST_OUT_EXECUTABLES)/version_policy
        @mkdir -p $(dir $@)
        $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
-$(LOCAL_BUILT_MODULE): PRIVATE_NONPLAT_CIL_FILES := $(nonplat_policy_nvr.recovery)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil.recovery) \
-$(built_mapping_cil.recovery)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(nonplat_policy_nvr.recovery) \
-$(built_plat_cil.recovery) $(built_mapping_cil.recovery)
-        @mkdir -p $(dir $@)
-        # Strip out neverallow statements. They aren't needed on-device and their presence
-        # significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
-        # sailfish-eng).
-        grep -v '^(neverallow' $(PRIVATE_NONPLAT_CIL_FILES) > $@
-        # Confirm that the resulting policy compiles combined with platform and mapping policies
-        $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
-                $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
 nonplat_policy.recovery.conf :=
 nonplat_policy_raw.recovery :=
-##################################
-include $(CLEAR_VARS)
-# keep concrete sepolicy for neverallow checks
-LOCAL_MODULE := sepolicy.recovery
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-include $(BUILD_SYSTEM)/base_rules.mk
 all_cil_files.recovery := \
    $(plat_policy_nvr.recovery) \
    $(mapping_policy_nvr.recovery) \
@@ -639,6 +576,10 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/se
        $(hide) mv $@.tmp $@
 all_cil_files.recovery :=
+plat_pub_policy.recovery.cil :=
+plat_policy_nvr.recovery :=
+mapping_policy_nvr.recovery :=
+nonplat_policy_nvr.recovery :=
 ##################################
 include $(CLEAR_VARS)
@@ -1093,9 +1034,7 @@ built_general_sepolicy :=
 built_general_sepolicy.conf :=
 built_nl :=
 built_plat_cil :=
-built_plat_cil.recovery :=
 built_mapping_cil :=
-built_mapping_cil.recovery :=
 built_plat_pc :=
 built_nonplat_cil :=
 built_nonplat_pc :=
@@ -1106,14 +1045,10 @@ built_sepolicy :=
 built_plat_svc :=
 built_nonplat_svc :=
 mapping_policy_nvr :=
-mapping_policy_nvr.recovery :=
 my_target_arch :=
 nonplat_policy_nvr :=
-nonplat_policy_nvr.recovery :=
 plat_policy_nvr :=
-plat_policy_nvr.recovery :=
 plat_pub_policy.cil :=
-plat_pub_policy.recovery.cil :=
 reqd_policy_mask.cil :=
 sepolicy_build_files :=
author	Alex Klyubin	2017-03-10 11:36:07 -0600
committer	Alex Klyubin	2017-03-10 12:06:26 -0600
commit	84aa74218421f8d2dbad1408ba114f680331ace0 (patch)
tree	97670a915d3395b5ead94f21e275375ddab285e8 /Android.mk
parent	de41e81fa99ef8f6060d72544e1c76802419627b (diff)
download	system-sepolicy-84aa74218421f8d2dbad1408ba114f680331ace0.tar.gz system-sepolicy-84aa74218421f8d2dbad1408ba114f680331ace0.tar.xz system-sepolicy-84aa74218421f8d2dbad1408ba114f680331ace0.zip

diff --git a/Android.mk b/Android.mk index 3975f769..39b97157 100644 --- a/Android.mk +++ b/Android.mk
@@ -433,7 +433,18 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/se
433	built_sepolicy := $(LOCAL_BUILT_MODULE)	433	built_sepolicy := $(LOCAL_BUILT_MODULE)
434	all_cil_files :=	434	all_cil_files :=
435		435
436	##################################	436	#################################
		437	include $(CLEAR_VARS)
		438
		439	# keep concrete sepolicy for neverallow checks
		440
		441	LOCAL_MODULE := sepolicy.recovery
		442	LOCAL_MODULE_CLASS := ETC
		443	LOCAL_MODULE_TAGS := optional
		444	LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
		445
		446	include $(BUILD_SYSTEM)/base_rules.mk
		447
437	plat_pub_policy.recovery.conf := $(intermediates)/plat_pub_policy.recovery.conf	448	plat_pub_policy.recovery.conf := $(intermediates)/plat_pub_policy.recovery.conf
438	$(plat_pub_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)	449	$(plat_pub_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
439	$(plat_pub_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)	450	$(plat_pub_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -461,16 +472,6 @@ $(plat_pub_policy.recovery.conf) $(reqd_policy_mask.cil)
461		472
462	plat_pub_policy.recovery.conf :=	473	plat_pub_policy.recovery.conf :=
463		474
464	#################################
465	include $(CLEAR_VARS)
466
467	LOCAL_MODULE := plat_sepolicy.recovery.cil
468	LOCAL_MODULE_CLASS := ETC
469	LOCAL_MODULE_TAGS := optional
470	LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
471
472	include $(BUILD_SYSTEM)/base_rules.mk
473
474	plat_policy.recovery.conf := $(intermediates)/plat_policy.recovery.conf	475	plat_policy.recovery.conf := $(intermediates)/plat_policy.recovery.conf
475	$(plat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)	476	$(plat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
476	$(plat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)	477	$(plat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -493,29 +494,8 @@ $(plat_policy_nvr.recovery): $(plat_policy.recovery.conf) $(HOST_OUT_EXECUTABLES
493	@mkdir -p $(dir $@)	494	@mkdir -p $(dir $@)
494	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<	495	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
495		496
496	$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(plat_policy_nvr.recovery)
497	$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(plat_policy_nvr.recovery)
498	@mkdir -p $(dir $@)
499	# Strip out neverallow statements. They aren't needed on-device and their presence
500	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
501	# sailfish-eng).
502	grep -v '^(neverallow' $(PRIVATE_CIL_FILES) > $@
503	# Confirm that the resulting policy compiles
504	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
505
506	built_plat_cil.recovery := $(LOCAL_BUILT_MODULE)
507	plat_policy.recovery.conf :=	497	plat_policy.recovery.conf :=
508		498
509	#################################
510	include $(CLEAR_VARS)
511
512	LOCAL_MODULE := mapping_sepolicy.recovery.cil
513	LOCAL_MODULE_CLASS := ETC
514	LOCAL_MODULE_TAGS := optional
515	LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
516
517	include $(BUILD_SYSTEM)/base_rules.mk
518
519	# auto-generate the mapping file for current platform policy, since it needs to	499	# auto-generate the mapping file for current platform policy, since it needs to
520	# track platform policy development	500	# track platform policy development
521	current_mapping.recovery.cil := $(intermediates)/mapping/current.recovery.cil	501	current_mapping.recovery.cil := $(intermediates)/mapping/current.recovery.cil
@@ -531,25 +511,8 @@ mapping_policy_nvr.recovery := $(addsuffix /$(BOARD_SEPOLICY_VERS).recovery.cil,
531	$(PLAT_PRIVATE_POLICY)/mapping)	511	$(PLAT_PRIVATE_POLICY)/mapping)
532	endif	512	endif
533		513
534	$(LOCAL_BUILT_MODULE): $(mapping_policy_nvr.recovery)
535	# Strip out neverallow statements. They aren't needed on-device and their presence
536	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
537	# sailfish-eng).
538	grep -v '^(neverallow' $< > $@
539
540	built_mapping_cil.recovery := $(LOCAL_BUILT_MODULE)
541	current_mapping.recovery.cil :=	514	current_mapping.recovery.cil :=
542		515
543	#################################
544	include $(CLEAR_VARS)
545
546	LOCAL_MODULE := nonplat_sepolicy.recovery.cil
547	LOCAL_MODULE_CLASS := ETC
548	LOCAL_MODULE_TAGS := optional
549	LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
550
551	include $(BUILD_SYSTEM)/base_rules.mk
552
553	# nonplat_policy.recovery.conf - A combination of the non-platform private,	516	# nonplat_policy.recovery.conf - A combination of the non-platform private,
554	# vendor and the exported platform policy associated with the version the	517	# vendor and the exported platform policy associated with the version the
555	# non-platform policy targets. This needs attributization and to be combined	518	# non-platform policy targets. This needs attributization and to be combined
@@ -590,35 +553,9 @@ $(HOST_OUT_EXECUTABLES)/version_policy
590	@mkdir -p $(dir $@)	553	@mkdir -p $(dir $@)
591	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@	554	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
592		555
593	$(LOCAL_BUILT_MODULE): PRIVATE_NONPLAT_CIL_FILES := $(nonplat_policy_nvr.recovery)
594	$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil.recovery) \
595	$(built_mapping_cil.recovery)
596	$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(nonplat_policy_nvr.recovery) \
597	$(built_plat_cil.recovery) $(built_mapping_cil.recovery)
598	@mkdir -p $(dir $@)
599	# Strip out neverallow statements. They aren't needed on-device and their presence
600	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
601	# sailfish-eng).
602	grep -v '^(neverallow' $(PRIVATE_NONPLAT_CIL_FILES) > $@
603	# Confirm that the resulting policy compiles combined with platform and mapping policies
604	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
605	$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
606
607	nonplat_policy.recovery.conf :=	556	nonplat_policy.recovery.conf :=
608	nonplat_policy_raw.recovery :=	557	nonplat_policy_raw.recovery :=
609		558
610	##################################
611	include $(CLEAR_VARS)
612
613	# keep concrete sepolicy for neverallow checks
614
615	LOCAL_MODULE := sepolicy.recovery
616	LOCAL_MODULE_CLASS := ETC
617	LOCAL_MODULE_TAGS := optional
618	LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
619
620	include $(BUILD_SYSTEM)/base_rules.mk
621
622	all_cil_files.recovery := \	559	all_cil_files.recovery := \
623	$(plat_policy_nvr.recovery) \	560	$(plat_policy_nvr.recovery) \
624	$(mapping_policy_nvr.recovery) \	561	$(mapping_policy_nvr.recovery) \
@@ -639,6 +576,10 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/se
639	$(hide) mv $@.tmp $@	576	$(hide) mv $@.tmp $@
640		577
641	all_cil_files.recovery :=	578	all_cil_files.recovery :=
		579	plat_pub_policy.recovery.cil :=
		580	plat_policy_nvr.recovery :=
		581	mapping_policy_nvr.recovery :=
		582	nonplat_policy_nvr.recovery :=
642		583
643	##################################	584	##################################
644	include $(CLEAR_VARS)	585	include $(CLEAR_VARS)
@@ -1093,9 +1034,7 @@ built_general_sepolicy :=
1093	built_general_sepolicy.conf :=	1034	built_general_sepolicy.conf :=
1094	built_nl :=	1035	built_nl :=
1095	built_plat_cil :=	1036	built_plat_cil :=
1096	built_plat_cil.recovery :=
1097	built_mapping_cil :=	1037	built_mapping_cil :=
1098	built_mapping_cil.recovery :=
1099	built_plat_pc :=	1038	built_plat_pc :=
1100	built_nonplat_cil :=	1039	built_nonplat_cil :=
1101	built_nonplat_pc :=	1040	built_nonplat_pc :=
@@ -1106,14 +1045,10 @@ built_sepolicy :=
1106	built_plat_svc :=	1045	built_plat_svc :=
1107	built_nonplat_svc :=	1046	built_nonplat_svc :=
1108	mapping_policy_nvr :=	1047	mapping_policy_nvr :=
1109	mapping_policy_nvr.recovery :=
1110	my_target_arch :=	1048	my_target_arch :=
1111	nonplat_policy_nvr :=	1049	nonplat_policy_nvr :=
1112	nonplat_policy_nvr.recovery :=
1113	plat_policy_nvr :=	1050	plat_policy_nvr :=
1114	plat_policy_nvr.recovery :=
1115	plat_pub_policy.cil :=	1051	plat_pub_policy.cil :=
1116	plat_pub_policy.recovery.cil :=
1117	reqd_policy_mask.cil :=	1052	reqd_policy_mask.cil :=
1118	sepolicy_build_files :=	1053	sepolicy_build_files :=
1119		1054