From 724eda55039888f3ce3d8431167b3eec55e759a5 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Fri, 15 Feb 2019 12:13:38 -0800
Subject: [PATCH] selinux: use the policy version defined in sepolicy

In the current setup, init uses the highest policy version supported by the kernel, instead of the policy version defined in policy. This results in inconsistency between precompiled (version 30) and on-device compiled policy (version 30 or 31). Make these consistent.

Bug: 124499219
Test: build and boot a device. Try both precompiled and on-device compiled policy.
Change-Id: I0ce181916f43db17244c4d80f5cf5a91bbb58d3a
---
 init/Android.bp | 2 +-
 init/Android.mk | 5 ++++-
 init/selinux.cpp | 11 +---------
 3 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/init/Android.bp b/init/Android.bp
index 639d8d1b9..30b5c021f 100644
--- a/init/Android.bp
+++ b/init/Android.bp
@@ -91,7 +91,7 @@ cc_defaults {
 cc_library_static {
 name: "libinit",
 recovery_available: true,
- defaults: ["init_defaults"],
+ defaults: ["init_defaults", "selinux_policy_version"],
 srcs: [
 "action.cpp",
 "action_manager.cpp",
diff --git a/init/Android.mk b/init/Android.mk
index 59d7f114e..c7f4de774 100644
--- a/init/Android.mk
+++ b/init/Android.mk
@@ -2,6 +2,8 @@ LOCAL_PATH:= $(call my-dir)
+include system/sepolicy/policy_version.mk
+
 # --
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
@@ -28,7 +30,8 @@ init_options += \
 -DSHUTDOWN_ZERO_TIMEOUT=0
 endif
-init_options += -DLOG_UEVENTS=0
+init_options += -DLOG_UEVENTS=0 \
+ -DSEPOLICY_VERSION=$(POLICYVERS)
 init_cflags += \
 $(init_options) \
diff --git a/init/selinux.cpp b/init/selinux.cpp
index ee302c168..09cd1917b 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
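Review bot: The new `-DSEPOLICY_VERSION=$(POLICYVERS)` line in the second Android.mk hunk has no guard for `POLICYVERS` being empty; if `system/sepolicy/policy_version.mk` moves or stops defining it, the flag silently becomes `-DSEPOLICY_VERSION=` and the problem only surfaces as a confusing compile error at the `std::to_string(SEPOLICY_VERSION)` call in selinux.cpp. A make-time check right after the include in the first hunk makes the dependency explicit: `ifeq ($(POLICYVERS),)` / `$(error POLICYVERS not defined by system/sepolicy/policy_version.mk)` / `endif`. The same value also reaches the Soong build through the `selinux_policy_version` defaults added in Android.bp; presumably both derive from the same definition, but the Make path here is the one that can produce an empty define without complaint.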
@@ -299,14 +299,6 @@ bool LoadSplitPolicy() {
 LOG(INFO) << "Compiling SELinux policy";
- // Determine the highest policy language version supported by the kernel
- set_selinuxmnt("/sys/fs/selinux");
- int max_policy_version = security_policyvers();
- if (max_policy_version == -1) {
- PLOG(ERROR) << "Failed to determine highest policy version supported by kernel";
- return false;
- }
-
 // We store the output of the compilation on /dev because this is the most convenient tmpfs
 // storage mount available this early in the boot sequence.
 char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX";
@@ -353,14 +345,13 @@ bool LoadSplitPolicy() {
 if (access(odm_policy_cil_file.c_str(), F_OK) == -1) {
 odm_policy_cil_file.clear();
 }
- const std::string version_as_string = std::to_string(max_policy_version);
+ const std::string version_as_string = std::to_string(SEPOLICY_VERSION);
 // clang-format off
 std::vector compile_args {
 "/system/bin/secilc",
 plat_policy_cil_file,
 "-m", "-M", "true", "-G", "-N",
- // Target the highest policy language version supported by the kernel
 "-c", version_as_string.c_str(),
 plat_mapping_file.c_str(),
 "-o", compiled_sepolicy,
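Review bot: Removing the `security_policyvers()` probe in the first hunk drops the only runtime check that the kernel can load the version being compiled; with `-c` now pinned to the build-time `SEPOLICY_VERSION` (second hunk, `std::to_string(SEPOLICY_VERSION)`), a kernel whose maximum is lower than the version sepolicy declares still gets a successfully compiled policy, and the failure only shows up later at policy load with a less specific error. Keeping the probe as a sanity check — compile for `SEPOLICY_VERSION`, but fail early with both numbers in the log when it exceeds the kernel's maximum — preserves that diagnostic without reintroducing the precompiled/on-device inconsistency the commit fixes. The `set_selinuxmnt("/sys/fs/selinux")` call also disappears with this block; if any later libselinux call in this function relied on that side effect rather than libselinux's own mount detection, it would need to stay. LoadSplitPolicy() starts and ends outside the hunk.
```cpp
    LOG(INFO) << "Compiling SELinux policy";

    // Policy is compiled for the version sepolicy declares (SEPOLICY_VERSION), not for the
    // kernel's maximum; still fail early, with a clear message, if the kernel cannot load it.
    set_selinuxmnt("/sys/fs/selinux");
    int max_policy_version = security_policyvers();
    if (max_policy_version == -1) {
        PLOG(ERROR) << "Failed to determine highest policy version supported by kernel";
        return false;
    }
    if (max_policy_version < SEPOLICY_VERSION) {
        LOG(ERROR) << "sepolicy version " << SEPOLICY_VERSION
                   << " is newer than the kernel's maximum " << max_policy_version;
        return false;
    }
    // … unchanged: temporary output file setup and secilc invocation …
```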