Add build dependencies for split sepolicy files.

Add build targets for split sepolicy files so they'll appear in the root dir for
on-device compilation.  nonplat_sepolicy will eventually be removed as it should
be provided by a different partition.  Also replace sepolicy.recovery with the
appropriate split components.

Bug: 31363362
Test: Policy builds on-device and boots.
Change-Id: I017dabe6940c3cd20de6c00bb5253274d5a9269b

diff --git a/core/Makefile b/core/Makefile
index c409458..851c38e 100644 (file)
--- a/core/Makefile
+++ b/core/Makefile
@@ -900,7 +900,12 @@ INTERNAL_RECOVERYIMAGE_FILES := $(filter $(TARGET_RECOVERY_OUT)/%, \
     $(ALL_DEFAULT_INSTALLED_MODULES))
 
 recovery_initrc := $(call include-path-for, recovery)/etc/init.rc
-recovery_sepolicy := $(call intermediates-dir-for,ETC,sepolicy.recovery)/sepolicy.recovery
+recovery_mapping_sepolicy := \
+    $(call intermediates-dir-for,ETC,mapping_sepolicy.recovery.cil)/mapping_sepolicy.recovery.cil
+recovery_nonplat_sepolicy := \
+    $(call intermediates-dir-for,ETC,nonplat_sepolicy.recovery.cil)/nonplat_sepolicy.recovery.cil
+recovery_plat_sepolicy := \
+    $(call intermediates-dir-for,ETC,plat_sepolicy.recovery.cil)/plat_sepolicy.recovery.cil
 recovery_kernel := $(INSTALLED_KERNEL_TARGET) # same as a non-recovery system
 recovery_ramdisk := $(PRODUCT_OUT)/ramdisk-recovery.img
 recovery_build_prop := $(intermediate_system_build_prop)
@@ -1021,8 +1026,12 @@ define build-recoveryimage-target
   @echo Modifying ramdisk contents...
   $(hide) rm -f $(TARGET_RECOVERY_ROOT_OUT)/init*.rc
   $(hide) cp -f $(recovery_initrc) $(TARGET_RECOVERY_ROOT_OUT)/
-  $(hide) rm -f $(TARGET_RECOVERY_ROOT_OUT)/sepolicy
-  $(hide) cp -f $(recovery_sepolicy) $(TARGET_RECOVERY_ROOT_OUT)/sepolicy
+  $(hide) rm -f $(TARGET_RECOVERY_ROOT_OUT)/mapping_sepolicy.cil
+  $(hide) rm -f $(TARGET_RECOVERY_ROOT_OUT)/nonplat_sepolicy.cil
+  $(hide) rm -f $(TARGET_RECOVERY_ROOT_OUT)/plat_sepolicy.cil
+  $(hide) cp -f $(recovery_mapping_sepolicy) $(TARGET_RECOVERY_ROOT_OUT)/mapping_sepolicy.cil
+  $(hide) cp -f $(recovery_nonplat_sepolicy) $(TARGET_RECOVERY_ROOT_OUT)/nonplat_sepolicy.cil
+  $(hide) cp -f $(recovery_plat_sepolicy) $(TARGET_RECOVERY_ROOT_OUT)/plat_sepolicy.cil
   $(hide) cp $(TARGET_ROOT_OUT)/init.recovery.*.rc $(TARGET_RECOVERY_ROOT_OUT)/ || true # Ignore error when the src file doesn't exist.
   $(hide) mkdir -p $(TARGET_RECOVERY_ROOT_OUT)/res
   $(hide) rm -rf $(TARGET_RECOVERY_ROOT_OUT)/res/*
@@ -1076,7 +1085,8 @@ endif
 $(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTFS) $(MKBOOTIMG) $(MINIGZIP) \
                $(INSTALLED_RAMDISK_TARGET) \
                $(INTERNAL_RECOVERYIMAGE_FILES) \
-               $(recovery_initrc) $(recovery_sepolicy) $(recovery_kernel) \
+               $(recovery_initrc) $(recovery_mapping_sepolicy) $(recovery_nonplat_sepolicy) \
+               $(recovery_plat_sepolicy) $(recovery_kernel) \
                $(INSTALLED_2NDBOOTLOADER_TARGET) \
                $(recovery_build_prop) $(recovery_resource_deps) \
                $(recovery_fstab) \
@@ -1089,7 +1099,8 @@ $(INSTALLED_RECOVERYIMAGE_TARGET): $(MKBOOTFS) $(MKBOOTIMG) $(MINIGZIP) \
                $(INSTALLED_RAMDISK_TARGET) \
                $(INSTALLED_BOOTIMAGE_TARGET) \
                $(INTERNAL_RECOVERYIMAGE_FILES) \
-               $(recovery_initrc) $(recovery_sepolicy) $(recovery_kernel) \
+               $(recovery_initrc) $(recovery_mapping_sepolicy) $(recovery_nonplat_sepolicy) \
+               $(recovery_plat_sepolicy) $(recovery_kernel) \
                $(INSTALLED_2NDBOOTLOADER_TARGET) \
                $(recovery_build_prop) $(recovery_resource_deps) \
                $(recovery_fstab) \

diff --git a/target/product/embedded.mk b/target/product/embedded.mk
index 48916b2..670b306 100644 (file)
--- a/target/product/embedded.mk
+++ b/target/product/embedded.mk
@@ -80,12 +80,14 @@ PRODUCT_PACKAGES += \
 # SELinux packages
 PRODUCT_PACKAGES += \
     file_contexts.bin \
+    mapping_sepolicy.cil \
     nonplat_mac_permissions.xml \
+    nonplat_sepolicy.cil \
     plat_mac_permissions.xml \
+    plat_sepolicy.cil \
     property_contexts \
     seapp_contexts \
     selinux_version \
-    sepolicy \
     service_contexts
 
 # Ensure that this property is always defined so that bionic_systrace.cpp