| | | |
|---|---|---|
| author | Alex Klyubin <klyubin@google.com> | 2017-03-02 12:53:32 -0800 |
| committer | Alex Klyubin <klyubin@google.com> | 2017-03-02 13:25:17 -0800 |
| commit | b51f9abf45a58c1ec3a1917eb19b9b8bc6886b8f (patch) | |
| tree | 78d2339c216c4f5fcbaa53436e2ce4565a084b3b | |
| parent | 8c3549115100c258b9b99c46c6f8cce782540d4f (diff) | |
Include correct type of SELinux policy

This makes the build system include split SELinux policy (three CIL
files and the secilc compiler needed to compile them) if
PRODUCT_FULL_TREBLE is set to true. Otherwise, the monolithic SELinux
policy is included.

Split policy currently adds around 400 ms to boot time (measured on
marlin/sailfish and bullhead) because the policy needs to be compiled
during boot. This is the main reason why we include split policy only
on devices which require it.

Test: Device boots, no additional SELinux denials. This test is
performed on a device with PRODUCT_FULL_TREBLE set to true, and
on a device with PRODUCT_FULL_TREBLE set to false.
Test: Device with PRODUCT_FULL_TREBLE set to true contains secilc and
the three *.cil files, but does not contain the sepolicy file.
Device with PRODUCT_FULL_TREBLE set to false contains sepolicy
file but does not contain the secilc file or any *.cil files.

Bug: 31363362
Change-Id: I419aa35bad6efbc7f936bddbdc776de5633846fc
-rw-r--r-- | init/Android.mk | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/init/Android.mk b/init/Android.mk index 18cbedcd1..2fc6f19fc 100644 --- a/init/Android.mk +++ b/init/Android.mk @@ -107,6 +107,24 @@ LOCAL_STATIC_LIBRARIES := \ libnl \ libavb +# Include SELinux policy. We do this here because different modules +# need to be included based on the value of PRODUCT_FULL_TREBLE. This +# type of conditional inclusion cannot be done in top-level files such +# as build/target/product/embedded.mk. +# This conditional inclusion closely mimics the conditional logic +# inside init/init.cpp for loading SELinux policy from files. +ifeq ($(PRODUCT_FULL_TREBLE),true) +# Use split SELinux policy +LOCAL_REQUIRED_MODULES += \ + mapping_sepolicy.cil \ + nonplat_sepolicy.cil \ + plat_sepolicy.cil \ + secilc +else +# Use monolithic SELinux policy +LOCAL_REQUIRED_MODULES += sepolicy +endif + # Create symlinks. LOCAL_POST_INSTALL_CMD := $(hide) mkdir -p $(TARGET_ROOT_OUT)/sbin; \ ln -sf ../init $(TARGET_ROOT_OUT)/sbin/ueventd; \ |
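Review bot: the `ifeq ($(PRODUCT_FULL_TREBLE),true)` / `else` branches only ever add to `LOCAL_REQUIRED_MODULES`, so nothing in this hunk stops a Treble device from also shipping `sepolicy` (or a non-Treble device from shipping the `*.cil` files) if some other makefile or PRODUCT_PACKAGES entry pulls them in; the "does not contain" checks in the commit message are therefore the only guard against both policy forms landing on one image, and it would be worth turning them into a build-time or CTS-style assertion rather than a manual test. Since the comment says this conditional "closely mimics the conditional logic inside init/init.cpp", a matching comment in init.cpp pointing back at init/Android.mk would help keep the two in sync when the Treble policy-loading logic changes.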