Something went wrong on our end

Android.mk

9 years ago

Don't allow permissive SELinux domains on user builds. · 3df1fda5

Nick Kralevich authored 9 years ago

It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

  userdebug_or_eng(`
    permissive foo;
  ')

Bug: 26902605
Bug: 27313768

(cherry picked from commit bca98efa)

Change-Id: If6abe1fa70c79a1fccdbdd9ff273d92de7565a73

3df1fda5

History

Don't allow permissive SELinux domains on user builds.

Nick Kralevich authored 9 years ago

It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

  userdebug_or_eng(`
    permissive foo;
  ')

Bug: 26902605
Bug: 27313768

(cherry picked from commit bca98efa)

Change-Id: If6abe1fa70c79a1fccdbdd9ff273d92de7565a73