From 88ce951d89c4c4ad4d870ca34cc5bdcc8b60f54d Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 9 Jan 2014 15:25:36 -0800
Subject: [PATCH] Create new conditional userdebug_or_eng

Create a new m4 macro called userdebug_or_eng. Arguments
passed to this macro are only emitted if we're performing
a userdebug or eng build.

Merge shell.te and shell_user.te and eliminate duplicate
lines. Same for su.te and su_user.te

Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0
---
 Android.mk    | 10 +---------
 shell.te      |  6 ++++--
 shell_user.te | 12 ------------
 su.te         | 22 +++++++++++++---------
 su_user.te    |  4 ----
 te_macros     |  6 ++++++
 6 files changed, 24 insertions(+), 36 deletions(-)
 delete mode 100644 shell_user.te
 delete mode 100644 su_user.te

diff --git a/Android.mk b/Android.mk
index a3cd38541..fa6cd7836 100644
--- a/Android.mk
+++ b/Android.mk
@@ -10,14 +10,6 @@ POLICYVERS ?= 26
 MLS_SENS=1
 MLS_CATS=1024
 
-ifeq ($(TARGET_BUILD_VARIANT),user)
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell.te
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/su.te
-else
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell_user.te
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/su_user.te
-endif
-
 # Quick edge case error detection for BOARD_SEPOLICY_REPLACE.
 # Builds the singular path for each replace file.
 sepolicy_replace_paths :=
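Review bot: Dropping this block also flips the default for an unexpected TARGET_BUILD_VARIANT: the deleted `else` branch treated anything other than `user` as a debug build, while the replacement macro in te_macros emits only for exactly `eng` or `userdebug`, so an empty or misspelled variant now receives the stricter user policy. That is the safer direction, but it is a behaviour change the commit message does not mention, and nothing in this file records it any more. A one-line comment where the variant is handed to m4 further down this file, or a sentence in the description, would make it deliberate rather than accidental.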
@@ -77,7 +69,7 @@ $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@
+	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -D target_build_variant=$(TARGET_BUILD_VARIANT) -s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
 $(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
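Review bot: The new `-D target_build_variant=$(TARGET_BUILD_VARIANT)` is now the only thing gating the permissive shell and su rules, yet the recipe neither documents that nor checks the value; an unset variable yields an empty m4 definition, which the macro matches against neither `eng` nor `userdebug`, so the debug rules are silently dropped. Add a comment above the recipe such as `# target_build_variant gates userdebug_or_eng() in te_macros; unset or unknown values produce the (stricter) user policy.` so a reader does not have to trace the m4 side to learn this. Note that the scheme also depends on `te_macros` preceding `*.te` in the build_policy list on the rule line, since m4 processes `$^` in order and the macro must be defined before shell.te and su.te are read.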
diff --git a/shell.te b/shell.te
index 18c1dfc22..6b9f99602 100644
--- a/shell.te
+++ b/shell.te
@@ -9,7 +9,9 @@ net_domain(shell)
 # XXX Transition into its own domain?
 app_domain(shell)
 
-# userdebug/eng shell is also permissive to permit setenforce.
-permissive shell;
+userdebug_or_eng(`
+  # userdebug/eng shell is also permissive to permit setenforce.
+  permissive shell;
+')
 
 # inherits from shelldomain.te
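Review bot: The comment now lives inside an m4 quoted argument, where an apostrophe anywhere in it (for example in "don't") would end the quote early and corrupt the generated policy.conf; the same applies to the comments moved into the macro argument in su.te. The text as written is safe, but this is an easy trap for later edits, so a guard line above `userdebug_or_eng(` such as `# Keep comments inside the macro argument free of the m4 end-quote character.` would help the next maintainer.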
diff --git a/shell_user.te b/shell_user.te
deleted file mode 100644
index ad30802c7..000000000
--- a/shell_user.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# Domain for shell processes spawned by ADB
-type shell, domain, shelldomain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
-
-# Create and use network sockets.
-net_domain(shell)
-
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
-# inherits from shelldomain.te
diff --git a/su.te b/su.te
index 2a3d0075d..b4b9f6dad 100644
--- a/su.te
+++ b/su.te
@@ -1,13 +1,17 @@
-type su, domain;
+# File types must be defined for file_contexts.
 type su_exec, exec_type, file_type;
-domain_auto_trans(shell, su_exec, su)
 
-# Allow dumpstate to call su on userdebug / eng builds to collect
-# additional information.
-domain_auto_trans(dumpstate, su_exec, su)
+userdebug_or_eng(`
+  type su, domain;
+  domain_auto_trans(shell, su_exec, su)
 
-# su is unconfined.
-unconfined_domain(su)
+  # Allow dumpstate to call su on userdebug / eng builds to collect
+  # additional information.
+  domain_auto_trans(dumpstate, su_exec, su)
 
-# su is also permissive to permit setenforce.
-permissive su;
+  # su is unconfined.
+  unconfined_domain(su)
+
+  # su is also permissive to permit setenforce.
+  permissive su;
+')
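Review bot: On user builds the macro expands to nothing, so `su_exec` remains a declared file type with no `su` domain, no transition and no allow rules, but the comment that explained that (`# No allow rules` in the deleted su_user.te) did not survive the merge. Carry it forward after the su_exec line, e.g. `# On user builds nothing below is emitted: su_exec stays labelled but no domain transitions to it.` Any other policy file that names the `su` type outside this macro would now fail to compile on user builds; none is visible in this patch, but it is worth checking.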
diff --git a/su_user.te b/su_user.te
deleted file mode 100644
index 6f936a081..000000000
--- a/su_user.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-
-# No allow rules
diff --git a/te_macros b/te_macros
index a05b7aca2..9396e4f74 100644
--- a/te_macros
+++ b/te_macros
@@ -321,3 +321,9 @@ allow $1 $1_devpts:chr_file { open getattr read write ioctl };
 # Non system_app application set
 #
 define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
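Review bot: The body of the new define is unquoted, so the `ifelse` runs once when te_macros is read and the macro is stored as either `$1` or the empty string; this works only because Android.mk passes `-D target_build_variant=...` before any input file, and a reader comparing it with the quoted body of non_system_app_set above will not guess that. Extend the header comment with something like `# Evaluated once at definition time from target_build_variant (set via m4 -D in Android.mk); any other value, including unset, expands to nothing.` Since an undefined `target_build_variant` is left as literal text, the macro also fails closed when the -D is missing, which is worth stating for the same reason.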
-- 
GitLab