Separate system_ext_sepolicy.cil out of system sepolicy
Currently system sepolicy can be extended via:
- BOARD_PLAT_PUBLIC_SEPOLICY_DIR
- BOARD_PLAT_PRIVATE_SEPOLICY_DIR
To support having a single shared core system sepolicy, those
customizations should be moved to the newly added system_ext partition.
System-ext-specific sepolicy files will be installed into
/system_ext/etc/selinux/*. system_ext_sepolicy.cil is merged into
precompiled_sepolicy at build-time. In case precompiled_sepolicy can't
be used (e.g. system-only-ota), the init will merge this file with
the rest of the sepolicy at runtime.
Bug: 137712473
Test: boot aosp_crosshatch with system_ext_sepolicy.cil
Test: boot aosp_crosshatch without system_ext_sepolicy.cil
Change-Id: I53984e8a973eff15de0653916203020dbabe9c03
diff --git a/compat.mk b/compat.mk
index 30904ef..9604403 100644
--- a/compat.mk
+++ b/compat.mk
@@ -18,6 +18,13 @@
$(built_vendor_cil) \
$(ALL_MODULES.$(version).compat.cil.BUILT) \
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+all_cil_files += \
+ $(built_system_ext_cil) \
+ $(built_system_ext_mapping_cil) \
+
+endif
+
ifdef HAS_PRODUCT_SEPOLICY
all_cil_files += \
$(built_product_cil) \
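Review bot: The last entry of the new list, `$(built_system_ext_mapping_cil) \`, ends in a line continuation and depends on the blank line after it to end the assignment before `endif`. If that blank line is ever removed, `endif` gets folded into `all_cil_files` and the `ifdef HAS_SYSTEM_EXT_SEPOLICY` block is left unterminated. The pattern matches the existing HAS_PRODUCT_SEPOLICY block, so it is consistent with the file, but dropping the backslash on the final entry would make the new block robust to whitespace cleanups. Separately, both Test: lines in the commit message are boot tests, while this hunk changes what goes into `all_cil_files` in compat.mk; it would be worth stating that the targets built from this file were exercised with HAS_SYSTEM_EXT_SEPOLICY both defined and undefined.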