Track the move of split SELinux policy CIL files

The three CIL files comprising split sepolicy are being moved from the root directory to system and vendor directories based on whether the file is for platform/system policy or non-platform/vendor policy. Test: Device boots, no additional SELinux denials. This test was run for a device which has split policy and for a device which has monolithic policy. Bug: 31363362 Change-Id: Ica49f0beae56be0f1cea7117e48bf2f6af8b848b
2017-03-02 12:43:10 -08:00 · 2017-03-02 12:43:10 -08:00 · c2a4c9ab9a
commit c2a4c9ab9a
parent 0ab93fdf3a
1 changed files with 3 additions and 2 deletions
--- a/init/init.cpp
+++ b/init/init.cpp
@ -669,7 +669,7 @@ static bool fork_execve_and_wait_for_completion(const char* filename, char* cons
    }
 }

-static constexpr const char plat_policy_cil_file[] = "/plat_sepolicy.cil";
+static constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";

 static bool selinux_is_split_policy_device() { return access(plat_policy_cil_file, R_OK) != -1; }

@ -701,7 +701,8 @@ static bool selinux_load_split_policy() {

    const char* compile_args[] = {"/system/bin/secilc", plat_policy_cil_file, "-M", "true", "-c",
                                  "30",  // TODO: pass in SELinux policy version from build system
-                                  "/mapping_sepolicy.cil", "/nonplat_sepolicy.cil", "-o",
+                                  "/vendor/etc/selinux/mapping_sepolicy.cil",
+                                  "/vendor/etc/selinux/nonplat_sepolicy.cil", "-o",
                                  compiled_sepolicy,
                                  // We don't care about file_contexts output by the compiler
                                  "-f", "/sys/fs/selinux/null",  // /dev/null is not yet available