
Commit b225d8c4 authored by Yi-Yo Chiang, committed by Yi-yo Chiang

Verbose warning message for PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT

I56ed328a9ae70cf49dbd3c6efb5a4a8c54e1b7a7 added a validation check to
otatools to check the target_files archive for the existence of
userdebug_plat_sepolicy.cil. That check superseded the original
PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT product_config.mk check and
is more robust because it can handle not only phone GSI but also car/tv
GSI (downstream of phone GSI).

Modify the check to show a scary wall of text if non-compliance-GSI
products tried to set PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT,
instead of erroring out immediately.
Also add gsi_car_arm64 & gsi_car_x86_64 to the list of eligible GSI
product names.

After this change, any product can set
PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT for development purposes, but
only GSI products that specify `--allow_gsi_debug_sepolicy` during
image signing can release sign a product built with
PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT.

Bug: 188067818
Test: Presubmit
Test: lunch gsi_arm64-userdebug && m nothing  # => no warning
Change-Id: I34ef49af29c7064bea8924b0070793f1e78256bf
parent bff997fd
+1 −1
@@ -445,7 +445,7 @@ _product_single_value_vars += PRODUCT_INSTALL_EXTRA_FLATTENED_APEXES

# Install a copy of the debug policy to the system_ext partition, and allow
# init-second-stage to load debug policy from system_ext.
# This option is only meant to be set by GSI products.
# This option is only meant to be set by compliance GSI targets.
_product_single_value_vars += PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT

# If set, metadata files for the following artifacts will be generated.
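
Review bot: The reworded comment above `_product_single_value_vars += PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT` says the option is only meant for compliance GSI targets but not where that is enforced. Since the build now only warns, consider adding a line stating that release signing accepts such a build only when `--allow_gsi_debug_sepolicy` is passed, so a reader does not assume that letting init-second-stage load debug policy from system_ext is harmless on other products.
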
+8 −2
@@ -420,9 +420,15 @@ ifneq ($(filter-out 0 1,$(words $(PRODUCT_ADB_KEYS))),)
  $(error Only one file may be in PRODUCT_ADB_KEYS: $(PRODUCT_ADB_KEYS))
endif

# Show a warning wall of text if non-compliance-GSI products set this option.
ifdef PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
  ifeq (,$(filter gsi_arm gsi_arm64 gsi_x86 gsi_x86_64,$(PRODUCT_NAME)))
    $(error Only GSI products are allowed to set PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT)
  ifeq (,$(filter gsi_arm gsi_arm64 gsi_x86 gsi_x86_64 gsi_car_arm64 gsi_car_x86_64,$(PRODUCT_NAME)))
    $(warning PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT is set but \
      PRODUCT_NAME ($(PRODUCT_NAME)) doesn't look like a GSI for compliance \
      testing. This is a special configuration for compliance GSI, so do make \
      sure you understand the security implications before setting this \
      option. If you don't know what this option does, then you probably \
      shouldn't set this.)
  endif
endif
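
Review bot: The `$(warning ...)` text asks the reader to understand the security implications but does not say what they are or what happens next. Per the commit message, a build with this option can only be release signed by GSI products that pass `--allow_gsi_debug_sepolicy`, and saying so in the warning would make it actionable. Separately, `ifdef PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT` is true for any non-empty value, so a product that sets the variable to `false` would also get the warning. The `filter` list adds only `gsi_car_arm64` and `gsi_car_x86_64`, although the commit message also mentions tv GSI.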