diff --git a/init/property_service.cpp b/init/property_service.cpp
index 83042ad66..70e26ec9a 100644
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
@@ -1175,10 +1175,8 @@ void CreateSerializedPropertyInfo() {
         LoadPropertyInfoFromFile("/system_ext/etc/selinux/system_ext_property_contexts",
                                  &property_infos);
     }
-    if (!LoadPropertyInfoFromFile("/vendor/etc/selinux/vendor_property_contexts",
-                                  &property_infos)) {
-        // Fallback to nonplat_* if vendor_* doesn't exist.
-        LoadPropertyInfoFromFile("/vendor/etc/selinux/nonplat_property_contexts",
+    if (access("/vendor/etc/selinux/vendor_property_contexts", R_OK) != -1) {
+        LoadPropertyInfoFromFile("/vendor/etc/selinux/vendor_property_contexts",
                                  &property_infos);
     }
     if (access("/product/etc/selinux/product_property_contexts", R_OK) != -1) {
@@ -1193,10 +1191,7 @@ void CreateSerializedPropertyInfo() {
         return;
     }
     LoadPropertyInfoFromFile("/system_ext_property_contexts", &property_infos);
-    if (!LoadPropertyInfoFromFile("/vendor_property_contexts", &property_infos)) {
-        // Fallback to nonplat_* if vendor_* doesn't exist.
-        LoadPropertyInfoFromFile("/nonplat_property_contexts", &property_infos);
-    }
+    LoadPropertyInfoFromFile("/vendor_property_contexts", &property_infos);
     LoadPropertyInfoFromFile("/product_property_contexts", &property_infos);
     LoadPropertyInfoFromFile("/odm_property_contexts", &property_infos);
     }
diff --git a/init/selinux.cpp b/init/selinux.cpp
index 29c0ff3ba..28cd012e2 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
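Review bot: With the `access()` guard in the hunk at 1175 the result of `LoadPropertyInfoFromFile` is no longer checked, so a vendor_property_contexts that is absent, unreadable, or present but fails to load leaves vendor properties without their contexts and this call site says nothing about it; the unguarded call in the hunk at 1191 has the same gap. The companion change in init/selinux.cpp makes a missing vendor_sepolicy.cil fatal, so silently continuing here is the less consistent treatment of the vendor partition, and a device that still ships only nonplat_property_contexts now loses those contexts without a single log line. At minimum add `else { LOG(WARNING) << "Missing /vendor/etc/selinux/vendor_property_contexts"; }`, or keep testing the return value as the removed lines did; whether `LoadPropertyInfoFromFile` logs its own failures is not visible from this hunk. If vendor is meant to be optional like the product and system_ext files that use the same `access()` pattern, a one-line comment saying so would make the asymmetry with selinux.cpp deliberate. `CreateSerializedPropertyInfo` starts and ends outside both hunks.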
@@ -27,7 +27,7 @@
 // file located at /sepolicy and is directly loaded into the kernel SELinux subsystem.
 
 // The split policy is for supporting treble devices. It splits the SEPolicy across files on
-// /system/etc/selinux (the 'plat' portion of the policy) and /vendor/etc/selinux (the 'nonplat'
+// /system/etc/selinux (the 'plat' portion of the policy) and /vendor/etc/selinux (the 'vendor'
 // portion of the policy). This is necessary to allow the system image to be updated independently
 // of the vendor image, while maintaining contributions from both partitions in the SEPolicy. This
 // is especially important for VTS testing, where the SEPolicy on the Google System Image may not be
@@ -320,12 +320,12 @@ struct PolicyFile {
 };
 
 bool OpenSplitPolicy(PolicyFile* policy_file) {
-    // IMPLEMENTATION NOTE: Split policy consists of three CIL files:
+    // IMPLEMENTATION NOTE: Split policy consists of three or more CIL files:
     // * platform -- policy needed due to logic contained in the system image,
-    // * non-platform -- policy needed due to logic contained in the vendor image,
+    // * vendor -- policy needed due to logic contained in the vendor image,
     // * mapping -- mapping policy which helps preserve forward-compatibility of non-platform policy
     //   with newer versions of platform policy.
-    //
+    // * (optional) policy needed due to logic on product, system_ext, or odm images.
     // secilc is invoked to compile the above three policy files into a single monolithic policy
     // file. This file is then loaded into the kernel.
 
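Review bot: The rewritten comment in the hunk at 320 is internally inconsistent: the heading now says "three or more CIL files" and an optional fourth bullet is added, but the sentence immediately after still reads "secilc is invoked to compile the above three policy files", and the mapping bullet still speaks of "non-platform policy" after the bullet above it was renamed to vendor. Suggested wording: `// * mapping -- mapping policy which helps preserve forward-compatibility of vendor policy` and `// secilc is invoked to compile the above policy files into a single monolithic policy`. The new bullet is also the only one without the `name -- description` shape the other three use; `// * (optional) product/system_ext/odm -- policy needed due to logic on those images.` keeps the list uniform. `OpenSplitPolicy` continues outside the hunk.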
@@ -404,17 +404,14 @@ bool OpenSplitPolicy(PolicyFile* policy_file) {
         product_mapping_file.clear();
     }
 
-    // vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
-    // nonplat_sepolicy.cil.
-    std::string plat_pub_versioned_cil_file("/vendor/etc/selinux/plat_pub_versioned.cil");
     std::string vendor_policy_cil_file("/vendor/etc/selinux/vendor_sepolicy.cil");
-
     if (access(vendor_policy_cil_file.c_str(), F_OK) == -1) {
-        // For backward compatibility.
-        // TODO: remove this after no device is using nonplat_sepolicy.cil.
-        vendor_policy_cil_file = "/vendor/etc/selinux/nonplat_sepolicy.cil";
-        plat_pub_versioned_cil_file.clear();
-    } else if (access(plat_pub_versioned_cil_file.c_str(), F_OK) == -1) {
+        LOG(ERROR) << "Missing " << vendor_policy_cil_file;
+        return false;
+    }
+
+    std::string plat_pub_versioned_cil_file("/vendor/etc/selinux/plat_pub_versioned.cil");
+    if (access(plat_pub_versioned_cil_file.c_str(), F_OK) == -1) {
         LOG(ERROR) << "Missing " << plat_pub_versioned_cil_file;
         return false;
     }
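Review bot: The new `access(..., F_OK)` checks make a missing vendor_sepolicy.cil or plat_pub_versioned.cil fail closed instead of silently switching the policy source to nonplat_sepolicy.cil, which is the right direction, but the message `Missing /vendor/etc/selinux/vendor_sepolicy.cil` gives no hint that the nonplat_* fallback is gone, so a device that still ships only nonplat_sepolicy.cil stops booting with an error that points at the wrong thing. Appending the reason, e.g. `LOG(ERROR) << "Missing " << vendor_policy_cil_file << " (nonplat_sepolicy.cil is no longer supported)";`, makes the failure diagnosable from the log alone. `F_OK` only tests existence, so an unreadable file passes this check and presumably fails later where the file is opened, which is outside the hunk; `R_OK`, as the property_service.cpp hunks use, would report it at this point with the same message. `OpenSplitPolicy` starts and ends outside the hunk.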