Extending Board SE Policy

[Dave Smith]

According to the sepolicy project README (http://androidxref.com/5.1.0_r1/xref/external/sepolicy/README), the build system will only union/replace a single file from the provided dirs with the base policy:

"If you have BOARD_SEPOLICY_UNION += widget.te and have 2 instances of widget.te files on BOARD_SEPOLICY_DIRS search path. The first one found (at the first search dir containing the file) gets processed first."

If we are extending an existing board target (which already has additional policies to add) and need to add our own on top of this, how can we achieve it without copying the files? For example, if we have the following in BoardConfig.mk:

# Provided definitions from parent board target

BOARD_SEPOLICY_DIRS += device/manufacturer/common/sepolicy

BOARD_SEPOLICY_UNION += service_contexts

# Our extra definitions

BOARD_SEPOLICY_DIRS += $(TARGET_DEVICE_DIR)/sepolicy

BOARD_SEPOLICY_UNION += service_contexts

Is there a way we can get the policies from both files unioned into the base without creating a copy of the first file to manually augment with the policies from the second?

Thanks!

--

Dave Smith, PE

@devunwired

[Gary Bisson]

Hi Dave

On Wednesday, June 24, 2015 at 5:24:46 AM UTC+2, Dave Smith wrote:

According to the sepolicy project README (http://androidxref.com/5.1.0_r1/xref/external/sepolicy/README), the build system will only union/replace a single file from the provided dirs with the base policy:

"If you have BOARD_SEPOLICY_UNION += widget.te and have 2 instances of widget.te files on BOARD_SEPOLICY_DIRS search path. The first one found (at the first search dir containing the file) gets processed first."

This sentence is, in my opinion, a warning about inclusion order, it says the first one gets processed first but the other one is still processed after.

 

If we are extending an existing board target (which already has additional policies to add) and need to add our own on top of this, how can we achieve it without copying the files? For example, if we have the following in BoardConfig.mk:

# Provided definitions from parent board target

BOARD_SEPOLICY_DIRS += device/manufacturer/common/sepolicy

BOARD_SEPOLICY_UNION += service_contexts

# Our extra definitions

BOARD_SEPOLICY_DIRS += $(TARGET_DEVICE_DIR)/sepolicy

BOARD_SEPOLICY_UNION += service_contexts

Is there a way we can get the policies from both files unioned into the base without creating a copy of the first file to manually augment with the policies from the second?

It already "unionizes" both by default. I am using it extensively without any issue:

https://github.com/boundarydevices/android_device_boundary/blob/boundary-imx-l5.0.0_1.0.0-ga/sepolicy.mk

The best way to make sure of the inclusion is to look at $OUT/obj/ETC/sepolicy_intermediates/policy.conf. This file will detail every policy processed with a comment as to where it got it from. In my case I can see for instance that both untrusted_app.te from the two folders are being processed.

Hope this helps.

Gary

[Dave Smith]

Gary -

Thanks for the sanity check here. You're right, and it was including the policies from both files.

In my case the issue was that $(TARGET_DEVICE_DIR) wasn't expanded yet in BoardConfig.mk, so the directory path was all wrong. Whoops.

Cheers,

Dave Smith, PE

@devunwired