Remove hard-coded policy version from secilc step
This change makes init's SELinux policy compilation step target the
highest SELinux policy language version supported by the kernel.
Prior to this change the version was simply hard-coded in init.
P. S. clang-format (part of presubmit for this change) is being
counter-productive trying to format the section with secilc
parameters. The resulting layout is harder to read. This commit thus
disables clang-format for this section of code and formats the code
for improved readability.
Test: Remove precompiled policy, device boots up, no new denials.
Added log statement to print out the policy version passed
into secilc -- it printed 30, as expected.
Bug: 31363362
Change-Id: I151017b5211712861bafb662525e794a44026dd2
diff --git a/init/init.cpp b/init/init.cpp
index 38178a7..5ab421b 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -790,6 +790,14 @@
LOG(INFO) << "Compiling SELinux policy";
+ // Determine the highest policy language version supported by the kernel
+ set_selinuxmnt("/sys/fs/selinux");
+ int max_policy_version = security_policyvers();
+ if (max_policy_version == -1) {
+ PLOG(ERROR) << "Failed to determine highest policy version supported by kernel";
+ return false;
+ }
+
// We store the output of the compilation on /dev because this is the most convenient tmpfs
// storage mount available this early in the boot sequence.
char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX";
@@ -799,14 +807,20 @@
return false;
}
- const char* compile_args[] = {"/system/bin/secilc", plat_policy_cil_file, "-M", "true", "-c",
- "30", // TODO: pass in SELinux policy version from build system
- "/vendor/etc/selinux/mapping_sepolicy.cil",
- "/vendor/etc/selinux/nonplat_sepolicy.cil", "-o",
- compiled_sepolicy,
- // We don't care about file_contexts output by the compiler
- "-f", "/sys/fs/selinux/null", // /dev/null is not yet available
- nullptr};
+ // clang-format off
+ const char* compile_args[] = {
+ "/system/bin/secilc",
+ plat_policy_cil_file,
+ "-M", "true",
+ // Target the highest policy language version supported by the kernel
+ "-c", std::to_string(max_policy_version).c_str(),
+ "/vendor/etc/selinux/mapping_sepolicy.cil",
+ "/vendor/etc/selinux/nonplat_sepolicy.cil",
+ "-o", compiled_sepolicy,
+ // We don't care about file_contexts output by the compiler
+ "-f", "/sys/fs/selinux/null", // /dev/null is not yet available
+ nullptr};
+ // clang-format on
if (!fork_execve_and_wait_for_completion(compile_args[0], (char**)compile_args, (char**)ENV)) {
unlink(compiled_sepolicy);
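Review bot: The `"-c"` argument at `std::to_string(max_policy_version).c_str()` is a dangling pointer by the time the array is used: the temporary `std::string` is destroyed at the end of the initializer's full-expression, so `compile_args` points into freed storage when it is passed to fork_execve_and_wait_for_completion two lines later. Whether secilc sees "30" or garbage then depends on what reuses that heap block, which also makes the "printed 30" check in the commit message unreliable as evidence. Keep the string alive for the whole call by hoisting it, e.g. `const std::string max_policy_version_str = std::to_string(max_policy_version);` before the array and `"-c", max_policy_version_str.c_str(),` in the initializer. The enclosing function starts in the previous hunk and continues past this one.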