From 731d2473dae1245116562bd1867879b351533cee Mon Sep 17 00:00:00 2001
From: Yi-Yo Chiang
Date: Tue, 23 Mar 2021 22:11:13 +0800
Subject: [PATCH] Load *_compat_cil_file from system_ext as well

So we can extend platform policies with target specific compat rules. This use case surface in the context of system only upgrade, when the vendor policy cannot be updated, then the system_ext partition can contain target specific compat policies.

Bug: 183362912
Test: Presubmit
Change-Id: Ic6436eb8a269f07f932331dedf7dbaa629538ade
---
 init/selinux.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/init/selinux.cpp b/init/selinux.cpp
index 62c458674..b417396aa 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -372,6 +372,12 @@ bool OpenSplitPolicy(PolicyFile* policy_file) {
 system_ext_mapping_file.clear();
 }
 
+ std::string system_ext_compat_cil_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
+ ".compat.cil");
+ if (access(system_ext_compat_cil_file.c_str(), F_OK) == -1) {
+ system_ext_compat_cil_file.clear();
+ }
+
 std::string product_policy_cil_file("/product/etc/selinux/product_sepolicy.cil");
 if (access(product_policy_cil_file.c_str(), F_OK) == -1) {
 product_policy_cil_file.clear();
@@ -426,6 +432,9 @@ bool OpenSplitPolicy(PolicyFile* policy_file) {
 if (!system_ext_mapping_file.empty()) {
 compile_args.push_back(system_ext_mapping_file.c_str());
 }
+ if (!system_ext_compat_cil_file.empty()) {
+ compile_args.push_back(system_ext_compat_cil_file.c_str());
+ }
 if (!product_policy_cil_file.empty()) {
 compile_args.push_back(product_policy_cil_file.c_str());
 }
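Review bot: The new `access(system_ext_compat_cil_file.c_str(), F_OK) == -1` check treats every failure as "file absent", so an I/O or permission error on the system_ext path would silently drop the compat rules from the compiled policy and leave nothing in the boot log. Because this file changes the SELinux policy the device ends up enforcing, the two cases are worth telling apart, for example `if (errno != ENOENT) PLOG(WARNING) << "Cannot access " << system_ext_compat_cil_file;` placed before the `clear()` (assuming the file's usual logging macros are in scope here). The product_policy_cil_file check in the context lines has the same shape, so the optional inputs could be handled the same way together. OpenSplitPolicy's body starts and ends outside the hunk.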
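Review bot: Nothing at the point where `system_ext_compat_cil_file` is appended to `compile_args` says that this input is optional and target-specific, which is what someone auditing the inputs of the compiled policy needs to know. A comment above the new `if`, such as `// Optional: target-specific compat rules for vend_plat_vers, shipped in system_ext when the vendor policy cannot be updated.`, would record the reason the commit message gives. The file is added whenever it exists, independently of whether `system_ext_mapping_file` was found; if the compat rules are expected to rely on that mapping, the comment should say so. OpenSplitPolicy's body starts and ends outside the hunk.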