Commit b51f9abf authored Mar 02, 2017 by Alex Klyubin

Include correct type of SELinux policy

This makes the build system include split SELinux policy (three CIL
files and the secilc compiler needed to compile them) if
PRODUCT_FULL_TREBLE is set to true. Otherwise, the monolitic SELinux
policy is included.

Split policy currently adds around 400 ms to boot time (measured on
marlin/sailfish and bullhead) because the policy needs to be compiled
during boot. This is the main reason why we include split policy only
on devices which require it.

Test: Device boots, no additional SELinux denials. This test is
      performed on a device with PRODUCT_FULL_TREBLE set to true, and
      on a device with PRODUCT_FULL_TREBLE set to false.
Test: Device with PRODUCT_FULL_TREBLE set to true contains secilc and
      the three *.cil files, but does not contain the sepolicy file.
      Device with PRODUCT_FULL_TREBLE set to false contains sepolicy
      file but does not contain the secilc file or any *.cil files.
Bug: 31363362

Change-Id: I419aa35bad6efbc7f936bddbdc776de5633846fc

parent 8c354911

init/Android.mk

+18 −0

Original line number	Diff line number	Diff line
		@@ -107,6 +107,24 @@ LOCAL_STATIC_LIBRARIES := \
		libnl \
		libavb

		# Include SELinux policy. We do this here because different modules
		# need to be included based on the value of PRODUCT_FULL_TREBLE. This
		# type of conditional inclusion cannot be done in top-level files such
		# as build/target/product/embedded.mk.
		# This conditional inclusion closely mimics the conditional logic
		# inside init/init.cpp for loading SELinux policy from files.
		ifeq ($(PRODUCT_FULL_TREBLE),true)
		# Use split SELinux policy
		LOCAL_REQUIRED_MODULES += \
		mapping_sepolicy.cil \
		nonplat_sepolicy.cil \
		plat_sepolicy.cil \
		secilc
		else
		# Use monolithic SELinux policy
		LOCAL_REQUIRED_MODULES += sepolicy
		endif

		# Create symlinks.
		LOCAL_POST_INSTALL_CMD := $(hide) mkdir -p $(TARGET_ROOT_OUT)/sbin; \
		ln -sf ../init $(TARGET_ROOT_OUT)/sbin/ueventd; \