Create new conditional userdebug_or_eng

Create a new m4 macro called userdebug_or_eng. Arguments passed to this macro are only emitted if we're performing a userdebug or eng build. Merge shell.te and shell_user.te and eliminate duplicate lines. Same for su.te and su_user.te Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0

Create new conditional userdebug_or_eng
88ce951d · Nick Kralevich · 39fd7818 · 88ce951d · 88ce951d · 39fd7818
Commit 88ce951d authored 11 years ago by Nick Kralevich
--- a/Android.mk
+++ b/Android.mk
@@ -10,14 +10,6 @@ POLICYVERS ?= 26
 MLS_SENS=1
 MLS_CATS=1024
-ifeq ($(TARGET_BUILD_VARIANT),user)
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell.te
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/su.te
-else
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell_user.te
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/su_user.te
-endif
 # Quick edge case error detection for BOARD_SEPOLICY_REPLACE.
 # Builds the singular path for each replace file.
 sepolicy_replace_paths :=
@@ -77,7 +69,7 @@ $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@
+	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -D target_build_variant=$(TARGET_BUILD_VARIANT) -s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 $(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy

--- a/shell.te
+++ b/shell.te
@@ -9,7 +9,9 @@ net_domain(shell)
 # XXX Transition into its own domain?
 app_domain(shell)
-# userdebug/eng shell is also permissive to permit setenforce.
+userdebug_or_eng(`
-permissive shell;
+  # userdebug/eng shell is also permissive to permit setenforce.
+  permissive shell;
+')
 # inherits from shelldomain.te
--- a/shell_user.te
+++ b/shell_user.te
-# Domain for shell processes spawned by ADB
-type shell, domain, shelldomain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
-# Create and use network sockets.
-net_domain(shell)
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-# inherits from shelldomain.te
--- a/su.te
+++ b/su.te
-type su, domain;
+# File types must be defined for file_contexts.
 type su_exec, exec_type, file_type;
-domain_auto_trans(shell, su_exec, su)
-# Allow dumpstate to call su on userdebug / eng builds to collect
+userdebug_or_eng(`
-# additional information.
+  type su, domain;
-domain_auto_trans(dumpstate, su_exec, su)
+  domain_auto_trans(shell, su_exec, su)
-# su is unconfined.
+  # Allow dumpstate to call su on userdebug / eng builds to collect
-unconfined_domain(su)
+  # additional information.
+  domain_auto_trans(dumpstate, su_exec, su)
-# su is also permissive to permit setenforce.
+  # su is unconfined.
-permissive su;
+  unconfined_domain(su)
+  # su is also permissive to permit setenforce.
+  permissive su;
+')
--- a/su_user.te
+++ b/su_user.te
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-# No allow rules
--- a/te_macros
+++ b/te_macros
@@ -321,3 +321,9 @@ allow $1 $1_devpts:chr_file { open getattr read write ioctl };
 # Non system_app application set
 #
 define(`non_system_app_set', `{ appdomain -system_app }')
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))