Merge changes from topic "revert-vendor-sepolicy" am: 7feb77cf am: b89ceffd

am: 5d38c93d Change-Id: I22ae35eff6c53083a92864393b92ce36d56a2d07

Merge changes from topic "revert-vendor-sepolicy" am: 7feb77cf am: b89ceffd
04f59c5e · Bowgo Tsai · android-build-merger · fdaad102 · 5d38c93d · 04f59c5e
Commit 04f59c5e authored Feb 3, 2018 by Bowgo Tsai Committed by android-build-merger Feb 3, 2018
--- a/Android.mk
+++ b/Android.mk
@@ -124,13 +124,6 @@ $(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
 NEVERALLOW_ARG := -N
 endif
-# BOARD_SEPOLICY_DIRS was used for vendor sepolicy customization before.
-# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS. BOARD_SEPOLICY_DIRS is
-# still allowed for backward compatibility, which will be merged into
-# BOARD_VENDOR_SEPOLICY_DIRS.
-ifdef BOARD_SEPOLICY_DIRS
-BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
-endif
 platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
@@ -144,9 +137,9 @@ define build_policy
 $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
 endef
-# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
+# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
 # $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+build_device_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
 # Add a file containing only a newline in-between each policy configuration
 # 'contexts' file. This will allow OEM policy configuration files without a
@@ -216,8 +209,7 @@ ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_REQUIRED_MODULES += \
    $(platform_mapping_file) \
    26.0.cil \
-    plat_pub_versioned.cil \
+    nonplat_sepolicy.cil \
-    vendor_sepolicy.cil \
    plat_sepolicy.cil \
    plat_and_mapping_sepolicy.cil.sha256 \
    secilc \
@@ -233,11 +225,11 @@ LOCAL_REQUIRED_MODULES += sepolicy
 endif
 LOCAL_REQUIRED_MODULES += \
-    vendor_file_contexts \
+    nonplat_file_contexts \
-    vendor_mac_permissions.xml \
+    nonplat_mac_permissions.xml \
-    vendor_property_contexts \
+    nonplat_property_contexts \
-    vendor_seapp_contexts \
+    nonplat_seapp_contexts \
-    vendor_hwservice_contexts \
+    nonplat_hwservice_contexts \
    plat_file_contexts \
    plat_mac_permissions.xml \
    plat_property_contexts \
@@ -248,7 +240,7 @@ LOCAL_REQUIRED_MODULES += \
    vndservice_contexts \
 ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_REQUIRED_MODULES += vendor_service_contexts
+LOCAL_REQUIRED_MODULES += nonplat_service_contexts
 endif
 ifneq ($(TARGET_BUILD_VARIANT), user)
@@ -491,9 +483,7 @@ $(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil)
 #################################
 include $(CLEAR_VARS)
-# plat_pub_versioned.cil - the exported platform policy associated with the version
+LOCAL_MODULE := nonplat_sepolicy.cil
-# that non-platform policy targets.
-LOCAL_MODULE := plat_pub_versioned.cil
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_PROPRIETARY_MODULE := true
@@ -501,70 +491,47 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+# nonplat_policy.conf - A combination of the non-platform private, vendor and
-$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(plat_pub_policy.cil)
+# the exported platform policy associated with the version the non-platform
-$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+# policy targets.  This needs attributization and to be combined with the
-$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+# platform-provided policy.  Like plat_pub_policy.conf, this needs to make use
-  $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_mapping_cil)
+# of the reqd_policy_mask files from private policy in order to use checkpolicy.
-	@mkdir -p $(dir $@)
+nonplat_policy.conf := $(intermediates)/nonplat_policy.conf
-	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
+$(nonplat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
+$(nonplat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
+$(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-built_plat_pub_vers_cil := $(LOCAL_BUILT_MODULE)
+$(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-#################################
+$(nonplat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-include $(CLEAR_VARS)
+$(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
-# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
-# with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
-# policy and the platform public policy files in order to use checkpolicy.
-LOCAL_MODULE := vendor_sepolicy.cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-include $(BUILD_SYSTEM)/base_rules.mk
-vendor_policy.conf := $(intermediates)/vendor_policy.conf
-$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(vendor_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
 	$(transform-policy-to-conf)
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-vendor_policy_raw := $(intermediates)/vendor_policy_raw.cil
+nonplat_policy_raw := $(intermediates)/nonplat_policy_raw.cil
-$(vendor_policy_raw): PRIVATE_POL_CONF := $(vendor_policy.conf)
+$(nonplat_policy_raw): PRIVATE_POL_CONF := $(nonplat_policy.conf)
-$(vendor_policy_raw): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(nonplat_policy_raw): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(vendor_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(vendor_policy.conf) \
+$(nonplat_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.conf) \
 $(reqd_policy_mask.cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
 	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
 $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(vendor_policy_raw)
+$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
-$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL := $(built_plat_pub_vers_cil)
+$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
-$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(vendor_policy_raw) \
 $(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/secilc \
-  $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
+$(built_plat_cil) $(built_mapping_cil)
 	@mkdir -p $(dir $@)
-	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@.tmp
+	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
-	$(hide) grep -Fxv -f $(PRIVATE_FILTER_CIL) $@.tmp > $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
 		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-built_vendor_cil := $(LOCAL_BUILT_MODULE)
+built_nonplat_cil := $(LOCAL_BUILT_MODULE)
-vendor_policy.conf :=
+nonplat_policy.conf :=
-vendor_policy_raw :=
+nonplat_policy_raw :=
 #################################
 include $(CLEAR_VARS)
@@ -577,20 +544,16 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 include $(BUILD_SYSTEM)/base_rules.mk
-all_cil_files := \
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := \
-    $(built_plat_cil) \
+$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
-    $(built_mapping_cil) \
-    $(built_plat_pub_vers_cil) \
-    $(built_vendor_cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
 $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil) \
+$(built_sepolicy_neverallows)
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
 		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
 built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
-all_cil_files :=
 #################################
 # SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
@@ -623,8 +586,7 @@ include $(BUILD_SYSTEM)/base_rules.mk
 all_cil_files := \
    $(built_plat_cil) \
    $(built_mapping_cil) \
-    $(built_plat_pub_vers_cil) \
+    $(built_nonplat_cil)
-    $(built_vendor_cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
 $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
@@ -668,7 +630,7 @@ $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEF
 $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
 $(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
                           $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
-                           $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+                           $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
 	$(transform-policy-to-conf)
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
@@ -754,7 +716,7 @@ $(file_contexts.local.tmp): $(local_fcfiles_with_nl)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $^ > $@
-device_fc_files := $(call build_vendor_policy, file_contexts)
+device_fc_files := $(call build_device_policy, file_contexts)
 device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl))
 file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
@@ -765,8 +727,7 @@ $(file_contexts.device.tmp): $(device_fcfiles_with_nl)
 file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
 $(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \
+$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
-  $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@
@@ -847,7 +808,7 @@ local_fcfiles_with_nl :=
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_file_contexts
+LOCAL_MODULE := nonplat_file_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -858,22 +819,22 @@ endif
 include $(BUILD_SYSTEM)/base_rules.mk
-vendor_fc_files := $(call build_vendor_policy, file_contexts)
+nonplat_fc_files := $(call build_device_policy, file_contexts)
-vendor_fcfiles_with_nl := $(call add_nl, $(vendor_fc_files), $(built_nl))
+nonplat_fcfiles_with_nl := $(call add_nl, $(nonplat_fc_files), $(built_nl))
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(vendor_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(nonplat_fcfiles_with_nl)
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
-$(vendor_fcfiles_with_nl) $(built_sepolicy)
+$(nonplat_fcfiles_with_nl) $(built_sepolicy)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
 	$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
 	$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
-built_vendor_fc := $(LOCAL_BUILT_MODULE)
+built_nonplat_fc := $(LOCAL_BUILT_MODULE)
-vendor_fc_files :=
+nonplat_fc_files :=
-vendor_fcfiles_with_nl :=
+nonplat_fcfiles_with_nl :=
 ##################################
 include $(CLEAR_VARS)
@@ -891,15 +852,15 @@ $(LOCAL_BUILT_MODULE): $(built_plat_fc)
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_file_contexts.recovery
+LOCAL_MODULE := nonplat_file_contexts.recovery
-LOCAL_MODULE_STEM := vendor_file_contexts
+LOCAL_MODULE_STEM := nonplat_file_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
 include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_vendor_fc)
+$(LOCAL_BUILT_MODULE): $(built_nonplat_fc)
 	$(hide) cp -f $< $@
 ##################################
@@ -928,7 +889,7 @@ plat_sc_files :=
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_seapp_contexts
+LOCAL_MODULE := nonplat_seapp_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -939,19 +900,19 @@ endif
 include $(BUILD_SYSTEM)/base_rules.mk
-vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+nonplat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
 plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(nonplat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
 	@mkdir -p $(dir $@)
 	$(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-built_vendor_sc := $(LOCAL_BUILT_MODULE)
+built_nonplat_sc := $(LOCAL_BUILT_MODULE)
-vendor_sc_files :=
+nonplat_sc_files :=
 ##################################
 include $(CLEAR_VARS)
@@ -1004,7 +965,7 @@ plat_property_contexts.tmp :=
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_property_contexts
+LOCAL_MODULE := nonplat_property_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
@@ -1016,24 +977,24 @@ endif
 include $(BUILD_SYSTEM)/base_rules.mk
-vendor_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+nonplat_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-vendor_property_contexts.tmp := $(intermediates)/vendor_property_contexts.tmp
+nonplat_property_contexts.tmp := $(intermediates)/nonplat_property_contexts.tmp
-$(vendor_property_contexts.tmp): PRIVATE_PC_FILES := $(vendor_pcfiles)
+$(nonplat_property_contexts.tmp): PRIVATE_PC_FILES := $(nonplat_pcfiles)
-$(vendor_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_property_contexts.tmp): $(vendor_pcfiles)
+$(nonplat_property_contexts.tmp): $(nonplat_pcfiles)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-$(LOCAL_BUILT_MODULE): $(vendor_property_contexts.tmp) $(HOST_OUT_EXECUTABLES)/property_info_checker
+$(LOCAL_BUILT_MODULE): $(nonplat_property_contexts.tmp) $(HOST_OUT_EXECUTABLES)/property_info_checker
 	@mkdir -p $(dir $@)
 	$(hide) cp -f $< $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $@
-built_vendor_pc := $(LOCAL_BUILT_MODULE)
+built_nonplat_pc := $(LOCAL_BUILT_MODULE)
-vendor_pcfiles :=
+nonplat_pcfiles :=
-vendor_property_contexts.tmp :=
+nonplat_property_contexts.tmp :=
 ##################################
 include $(CLEAR_VARS)
@@ -1051,15 +1012,15 @@ $(LOCAL_BUILT_MODULE): $(built_plat_pc)
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_property_contexts.recovery
+LOCAL_MODULE := nonplat_property_contexts.recovery
-LOCAL_MODULE_STEM := vendor_property_contexts
+LOCAL_MODULE_STEM := nonplat_property_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
 include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_vendor_pc)
+$(LOCAL_BUILT_MODULE): $(built_nonplat_pc)
 	$(hide) cp -f $< $@
 ##################################
@@ -1101,31 +1062,31 @@ ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
 include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_service_contexts
+LOCAL_MODULE := nonplat_service_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 include $(BUILD_SYSTEM)/base_rules.mk
-vendor_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+nonplat_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-vendor_service_contexts.tmp := $(intermediates)/vendor_service_contexts.tmp
+nonplat_service_contexts.tmp := $(intermediates)/nonplat_service_contexts.tmp
-$(vendor_service_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_svcfiles)
+$(nonplat_service_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_svcfiles)
-$(vendor_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_service_contexts.tmp): $(vendor_svcfiles)
+$(nonplat_service_contexts.tmp): $(nonplat_svcfiles)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(vendor_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+$(LOCAL_BUILT_MODULE): $(nonplat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
 	@mkdir -p $(dir $@)
 	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
-built_vendor_svc := $(LOCAL_BUILT_MODULE)
+built_nonplat_svc := $(LOCAL_BUILT_MODULE)
-vendor_svcfiles :=
+nonplat_svcfiles :=
-vendor_service_contexts.tmp :=
+nonplat_service_contexts.tmp :=
 endif
@@ -1164,7 +1125,7 @@ plat_hwservice_contexts.tmp :=
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_hwservice_contexts
+LOCAL_MODULE := nonplat_hwservice_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -1175,24 +1136,23 @@ endif
 include $(BUILD_SYSTEM)/base_rules.mk
-vendor_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+nonplat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-vendor_hwservice_contexts.tmp := $(intermediates)/vendor_hwservice_contexts.tmp
+nonplat_hwservice_contexts.tmp := $(intermediates)/nonplat_hwservice_contexts.tmp
-$(vendor_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_hwsvcfiles)
+$(nonplat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_hwsvcfiles)
-$(vendor_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_hwservice_contexts.tmp): $(vendor_hwsvcfiles)
+$(nonplat_hwservice_contexts.tmp): $(nonplat_hwsvcfiles)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(vendor_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+$(LOCAL_BUILT_MODULE): $(nonplat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
 	@mkdir -p $(dir $@)
 	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
-vendor_hwsvcfiles :=
+nonplat_hwsvcfiles :=
-vendor_hwservice_contexts.tmp :=
+nonplat_hwservice_contexts.tmp :=
 ##################################
 include $(CLEAR_VARS)
@@ -1208,7 +1168,7 @@ endif
 include $(BUILD_SYSTEM)/base_rules.mk
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
 vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
 $(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
@@ -1262,7 +1222,7 @@ plat_mac_perms_keys.tmp :=
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_mac_permissions.xml
+LOCAL_MODULE := nonplat_mac_permissions.xml
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1270,22 +1230,22 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 include $(BUILD_SYSTEM)/base_rules.mk
 # Build keys.conf
-vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
+nonplat_mac_perms_keys.tmp := $(intermediates)/nonplat_keys.tmp
-$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+$(nonplat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+all_nonplat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_nonplat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(LOCAL_BUILT_MODULE): $(nonplat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
-$(all_vendor_mac_perms_files)
+$(all_nonplat_mac_perms_files)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-vendor_mac_perms_keys.tmp :=
+nonplat_mac_perms_keys.tmp :=
-all_vendor_mac_perms_files :=
+all_nonplat_mac_perms_files :=
 #################################
 include $(CLEAR_VARS)
@@ -1295,16 +1255,15 @@ LOCAL_MODULE_TAGS := tests
 include $(BUILD_SYSTEM)/base_rules.mk
-all_fc_files := $(built_plat_fc) $(built_vendor_fc)
-all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
 sepolicy_tests := $(intermediates)/sepolicy_tests
-$(sepolicy_tests): ALL_FC_ARGS := $(all_fc_args)
+$(sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
+$(sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
 $(sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
+$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests \
+$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
-		$(ALL_FC_ARGS)  -p $(PRIVATE_SEPOLICY)
+		-f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
 	$(hide) touch $@
 ##################################
@@ -1409,11 +1368,9 @@ $(built_sepolicy_neverallows)
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-all_fc_files := $(built_plat_fc) $(built_vendor_fc)
-all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
 treble_sepolicy_tests := $(intermediates)/treble_sepolicy_tests
-$(treble_sepolicy_tests): ALL_FC_ARGS := $(all_fc_args)
+$(treble_sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
+$(treble_sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
 $(treble_sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(treble_sepolicy_tests): PRIVATE_SEPOLICY_OLD := $(built_26.0_plat_sepolicy)
 $(treble_sepolicy_tests): PRIVATE_COMBINED_MAPPING := $(26.0_mapping.combined.cil)
@@ -1424,11 +1381,12 @@ else
 $(treble_sepolicy_tests): PRIVATE_FAKE_TREBLE :=
 endif
 $(treble_sepolicy_tests): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-  $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
+$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy) $(built_plat_sepolicy) \
 $(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
-		$(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
+		$(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
+		-f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) \
 		-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
 		-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
 		$(PRIVATE_FAKE_TREBLE)
@@ -1451,24 +1409,23 @@ endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
 #################################
 add_nl :=
-build_vendor_policy :=
+build_device_policy :=
 build_policy :=
 built_plat_fc :=
-built_vendor_fc :=
+built_nonplat_fc :=
 built_nl :=
 built_plat_cil :=
-built_plat_pub_vers_cil :=
 built_mapping_cil :=
 built_plat_pc :=
-built_vendor_cil :=
+built_nonplat_cil :=
-built_vendor_pc :=
+built_nonplat_pc :=
-built_vendor_sc :=
+built_nonplat_sc :=
 built_plat_sc :=
 built_precompiled_sepolicy :=
 built_sepolicy :=
 built_sepolicy_neverallows :=
 built_plat_svc :=
-built_vendor_svc :=
+built_nonplat_svc :=
 mapping_policy :=
 my_target_arch :=
 plat_pub_policy.cil :=

--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -83,3 +83,22 @@ $(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_property_
 $(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_seapp_contexts)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_file_contexts)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_property_contexts)
+# For non-Treble devices.
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_seapp_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_sepolicy.cil)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_hwservice_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_mac_permissions.xml)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_property_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_seapp_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/vendor_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/vendor_property_contexts)
+# For non-Treble devices.
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_hwservice_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_seapp_contexts)
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -46,20 +46,14 @@
 /plat_sepolicy\.cil      u:object_r:sepolicy_file:s0
 /plat_property_contexts  u:object_r:property_contexts_file:s0
 /nonplat_property_contexts  u:object_r:property_contexts_file:s0
-/vendor_property_contexts   u:object_r:property_contexts_file:s0
 /seapp_contexts     u:object_r:seapp_contexts_file:s0
 /nonplat_seapp_contexts     u:object_r:seapp_contexts_file:s0
-/vendor_seapp_contexts      u:object_r:seapp_contexts_file:s0
 /plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /sepolicy           u:object_r:sepolicy_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
 /nonplat_service_contexts   u:object_r:nonplat_service_contexts_file:s0
-# Use nonplat_service_contexts_file to allow servicemanager to read it
-# on non full-treble devices.
-/vendor_service_contexts    u:object_r:nonplat_service_contexts_file:s0
 /nonplat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
-/vendor_hwservice_contexts    u:object_r:hwservice_contexts_file:s0
 /vndservice_contexts   u:object_r:vndservice_contexts_file:s0
 ##########################