Skip to content
Snippets Groups Projects
Commit 3df1fda5 authored by Nick Kralevich's avatar Nick Kralevich
Browse files

Don't allow permissive SELinux domains on user builds. 

It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

  userdebug_or_eng(`
    permissive foo;
  ')

Bug: 26902605
Bug: 27313768

(cherry picked from commit bca98efa)

Change-Id: If6abe1fa70c79a1fccdbdd9ff273d92de7565a73
parent a395f875
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 22 additions and 4 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment