Precompiled kernel policy for on-device use

This adds build targets for outputing precompiled kernel policy usable on devices with policy split between system and vendor partitions. On such devices, precompiled policy must reside on the vendor partition. Because such devices support updating these partitions independently of each other, the precompiled policy must reference the system partition's policy against which it was compiled. This enables init to establish whether the precompiled policy is valid for the current combination of system and vendor partitions. The referencing is performed by both the system and vendor partitions including the SHA-256 digest of the system partition's policy (plat_sepolicy.cil). Only the when the digest is the same on both partitions can the precompiled policy be used. Test: plat_sepolicy.cil.sha256 contains exactly the hex form of the SHA-256 digest of plat_sepolicy.cil Test: plat_sepolicy.cil.sha256 is identical precompiled_sepolicy.plat.sha256. Bug: 31363362 Change-Id: I9771e1aa751e25bba6e2face37d68e0ae43b33a3

Precompiled kernel policy for on-device use
193dccda · Alex Klyubin · 87ae5f7d · 193dccda
Commit 193dccda authored 8 years ago by Alex Klyubin
--- a/Android.mk
+++ b/Android.mk
@@ -254,6 +254,19 @@ plat_policy.conf :=
 #################################
 include $(CLEAR_VARS)

+LOCAL_MODULE := plat_sepolicy.cil.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil)
+	sha256sum $^ | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := mapping_sepolicy.cil
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
@@ -347,9 +360,46 @@ $(built_mapping_cil)
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
 		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null

+built_nonplat_cil := $(LOCAL_BUILT_MODULE)
 nonplat_policy.conf :=
 nonplat_policy_raw :=

+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := precompiled_sepolicy
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := \
+$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
+		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
+
+built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
+
+#################################
+# SHA-256 digest of the plat_sepolicy.cil file against which precompiled_policy was built.
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := precompiled_sepolicy.plat.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILE := $(built_plat_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil)
+	sha256sum $(PRIVATE_CIL_FILE) | cut -d' ' -f1 > $@
+
 #################################
 include $(CLEAR_VARS)
 # build this target so that we can still perform neverallow checks
@@ -1033,9 +1083,11 @@ built_plat_cil.recovery :=
 built_mapping_cil :=
 built_mapping_cil.recovery :=
 built_plat_pc :=
+built_nonplat_cil :=
 built_nonplat_pc :=
 built_nonplat_sc :=
 built_plat_sc :=
+built_precompiled_sepolicy :=
 built_sepolicy :=
 built_plat_svc :=
 built_nonplat_svc :=