Don't allow permissive SELinux domains on user builds.
It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.
In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.
A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:
userdebug_or_eng(`
permissive foo;
')
Bug: 26902605
Bug: 27313768
Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21
diff --git a/Android.mk b/Android.mk
index 81e4871..a2a04c3 100644
--- a/Android.mk
+++ b/Android.mk
@@ -97,10 +97,19 @@
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+ $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+ echo "==========" 1>&2; \
+ echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+ echo "List of invalid domains:" 1>&2; \
+ cat $@.permissivedomains 1>&2; \
+ exit 1; \
+ fi
+ $(hide) mv $@.tmp $@
built_sepolicy := $(LOCAL_BUILT_MODULE)
sepolicy_policy.conf :=
@@ -126,9 +135,18 @@
-D target_recovery=true \
-s $^ > $@
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+ $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+ echo "==========" 1>&2; \
+ echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+ echo "List of invalid domains:" 1>&2; \
+ cat $@.permissivedomains 1>&2; \
+ exit 1; \
+ fi
+ $(hide) mv $@.tmp $@
built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
sepolicy_policy_recovery.conf :=