Skip to content
Snippets Groups Projects
Commit bca98efa authored by Nick Kralevich's avatar Nick Kralevich
Browse files

Don't allow permissive SELinux domains on user builds. 

It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

  userdebug_or_eng(`
    permissive foo;
  ')

Bug: 26902605
Bug: 27313768
Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21
parent f25ea5f9
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 22 additions and 4 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment