Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / core / bb77c544e5d55308a56469297b8827136f089f97^! / . / init / Android.bp
commitbb77c544e5d55308a56469297b8827136f089f97[log] [tgz]
authorYi-Yo Chiang <yochiang@google.com>Thu Sep 23 14:14:16 2021 +0000
committerYi-Yo Chiang <yochiang@google.com>Thu Sep 23 14:26:27 2021 +0000
tree7e2be0b97d29d7bd798c26bc3a6097fc4ccd78cb
parentbe09a1e643d27833c2a49a2523e4f8ec35dc9382 [diff] [blame]
Reland: Add /system_ext/etc/selinux/ to the debug policy search path for GSI

This change only *adds* /system_ext/etc/selinux to the debug policy
search path, and does not change any preconditions to load the debug
policy. The device still needs to be bootloader-unlocked and has the
debug ramdisk flashed to be able to use the debug policy. The only thing
changed is that now the debug policy can be loaded from /system_ext or
/debug_ramdisk when system partition is compliance testing GSI.

The debug policy in the boot ramdisk may be outdated if the system
partition is flashed with a image built from a different revision.
This happens frequently when running the compliance testing VTS, where
the device is flashed with (A) GSI and (B) device vendor image & debug
boot image, and (A) and (B) are built from different git revisions.

To address this, we install a copy of the debug policy under
/system_ext, so that the version desync between (A) & (B) wouldn't be a
problem anymore because (A) no longer relies on the debug policy file
from (B).

Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
  gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: Ibe17eb1ecb0e813309c9596d1f152b7455686b26

diff --git a/init/Android.bp b/init/Android.bp
index 5d09687..a0fe017 100644
--- a/init/Android.bp
+++ b/init/Android.bp

@@ -89,7 +89,19 @@
     "host_init_verifier.cpp",
 ]
 
-cc_defaults {
+soong_config_module_type {
+    name: "libinit_cc_defaults",
+    module_type: "cc_defaults",
+    config_namespace: "ANDROID",
+    bool_variables: [
+        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
+    ],
+    properties: [
+        "cflags",
+    ],
+}
+
+libinit_cc_defaults {
     name: "init_defaults",
     sanitize: {
         misc_undefined: ["signed-integer-overflow"],
@@ -109,6 +121,7 @@
         "-DDUMP_ON_UMOUNT_FAILURE=0",
         "-DSHUTDOWN_ZERO_TIMEOUT=0",
         "-DINIT_FULL_SOURCES",
+        "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=0",
     ],
     product_variables: {
         debuggable: {
@@ -137,6 +150,14 @@
             cppflags: ["-DUSER_MODE_LINUX"],
         },
     },
+    soong_config_variables: {
+        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
+            cflags: [
+                "-UINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
+                "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=1",
+            ],
+        },
+    },
     static_libs: [
         "libavb",
         "libc++fs",