diff options
author | Nick Kralevich <nnk@google.com> | 2016-02-27 04:36:39 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-02-27 04:36:39 +0000 |
commit | 0551e9e8d4764578d7304d695ba20040a6e0ea0b (patch) | |
tree | cf2e2dfab673dcf553358dba4afb2698596e8f51 | |
parent | fff4bf792a47194ce0a17575bc5468cf62132b77 (diff) | |
parent | bca98efa575bedab68f2d5eaee2cd1fd1741962b (diff) | |
download | sepolicy-0551e9e8d4764578d7304d695ba20040a6e0ea0b.tar.gz |
Don\'t allow permissive SELinux domains on user builds.
am: bca98efa57
* commit 'bca98efa575bedab68f2d5eaee2cd1fd1741962b':
Don't allow permissive SELinux domains on user builds.
-rw-r--r-- | Android.mk | 26 |
1 files changed, 22 insertions, 4 deletions
@@ -97,10 +97,19 @@ $(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files)) -s $^ > $@ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit -$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy +$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $< + $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $< $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit + $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains + $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ + echo "==========" 1>&2; \ + echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ + echo "List of invalid domains:" 1>&2; \ + cat $@.permissivedomains 1>&2; \ + exit 1; \ + fi + $(hide) mv $@.tmp $@ built_sepolicy := $(LOCAL_BUILT_MODULE) sepolicy_policy.conf := @@ -126,9 +135,18 @@ $(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files)) -D target_recovery=true \ -s $^ > $@ -$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy +$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $< + $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $< + $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains + $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ + echo "==========" 1>&2; \ + echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ + echo "List of invalid domains:" 1>&2; \ + cat $@.permissivedomains 1>&2; \ + exit 1; \ + fi + $(hide) mv $@.tmp $@ built_sepolicy_recovery := $(LOCAL_BUILT_MODULE) sepolicy_policy_recovery.conf := |