Don't allow permissive SELinux domains on user builds. It's a CTS requirement that all SELinux domains be in enforcing mode. Add the same assertion to the build system when targeting user builds. In particular, this avoids a situation where device integrity checking is enabled on user builds, but permissive denials are being generated, causing the device to unexpectedly reboot into safe mode. A developer wanting to put an SELinux domain into permissive mode for userdebug/eng purposes can write the following in their policy: userdebug_or_eng(` permissive foo; ') Bug: 26902605 Bug: 27313768 Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21

commit: bca98efa575bedab68f2d5eaee2cd1fd1741962b [log] [tgz]
author: Nick Kralevich <nnk@google.com> Fri Feb 26 20:06:52 2016 -0800
committer: Nick Kralevich <nnk@google.com> Fri Feb 26 20:06:52 2016 -0800
tree: cf2e2dfab673dcf553358dba4afb2698596e8f51
parent: f25ea5f9c00dff32a2d04c7af3e76d0efac28a7c [diff]
diff --git a/Android.mk b/Android.mk
index 81e4871..a2a04c3 100644
--- a/Android.mk
+++ b/Android.mk

@@ -97,10 +97,19 @@
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit
+	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+		echo "==========" 1>&2; \
+		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+		echo "List of invalid domains:" 1>&2; \
+		cat $@.permissivedomains 1>&2; \
+		exit 1; \
+		fi
+	$(hide) mv $@.tmp $@
 
 built_sepolicy := $(LOCAL_BUILT_MODULE)
 sepolicy_policy.conf :=
@@ -126,9 +135,18 @@
 		-D target_recovery=true \
 		-s $^ > $@
 
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
+	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+		echo "==========" 1>&2; \
+		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+		echo "List of invalid domains:" 1>&2; \
+		cat $@.permissivedomains 1>&2; \
+		exit 1; \
+		fi
+	$(hide) mv $@.tmp $@
 
 built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
 sepolicy_policy_recovery.conf :=
commit	bca98efa575bedab68f2d5eaee2cd1fd1741962b	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Fri Feb 26 20:06:52 2016 -0800
committer	Nick Kralevich <nnk@google.com>	Fri Feb 26 20:06:52 2016 -0800
tree	cf2e2dfab673dcf553358dba4afb2698596e8f51
parent	f25ea5f9c00dff32a2d04c7af3e76d0efac28a7c [diff]