Gotcha: sepolicy for system-as-root devices

For testing a new SELinux policy, it used to be enough to update only the sepolicy binary in out/target/product/<device>/root/sepolicy and re-pack the boot image. That avoids rebuilding the whole boot image (which may or may not mean rebuilding the kernel as well), which can take a while.

On system-as-root devices (all A/B devices so far) things are a bit different. sepolicy is still located under / (if the policy is not split, more on that later), but it actually lives on the system partition (under /system_root/). That means that updating sepolicy on such devices means manually copying the new policy to /sepolicy, assuming system_root has already been remounted read-write.

Note
Pushing an updated `boot.img` to the device will not update the sepolicy in use. The copy inside the boot partition is an unused duplicate on system-as-root devices!

On FULL_TREBLE devices, PRODUCT_SEPOLICY_SPLIT is true, which means the sepolicy is no longer built as a single binary but shipped as plain-text .cil files under /system/etc/selinux/ and /vendor/etc/selinux/. There is no longer a single sepolicy binary in the ramdisk to update, which is what makes GSIs possible.
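The three layouts above (classic ramdisk policy, system-as-root, split policy) decide where a rebuilt policy has to go. The script below is an added example, not part of the original post or of AOSP: it detects the layout and, on a system-as-root device, installs the new binary over the live copy under /system_root with a backup and a byte-for-byte check, instead of touching the unused duplicate in boot.img. It assumes ROOT is empty when run as root on the device (with the system partition reachable at /system_root, e.g. from recovery) or names a directory holding a mounted or extracted copy of the partitions; the function names and the .bak suffix are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): put a rebuilt sepolicy where the system
# actually reads it. ROOT="" means "this device"; otherwise ROOT is a directory
# that mirrors the device filesystem (assumption of this example).
ROOT="${ROOT:-}"

# True when DIR contains at least one .cil file (split policy marker).
has_cil() { for f in "$1"/*.cil; do [ -f "$f" ] && return 0; done; return 1; }

# Print the policy layout:
#   split   - PRODUCT_SEPOLICY_SPLIT: .cil files, no single binary to replace
#   sar     - system-as-root: live binary is /system_root/sepolicy
#   ramdisk - classic: /sepolicy comes from the boot image ramdisk
sepolicy_layout() {
    if has_cil "$ROOT/system/etc/selinux" ||
       has_cil "$ROOT/system_root/system/etc/selinux"; then
        echo split
    elif [ -f "$ROOT/system_root/sepolicy" ]; then
        echo sar
    else
        echo ramdisk
    fi
}

# install_sepolicy NEW: copy NEW over the live binary on a system-as-root device,
# keep a .bak of the old one and verify the result. Non-zero when there is no
# single binary to update (split) or the boot image must be repacked (ramdisk).
install_sepolicy() {
    new="$1"
    case "$(sepolicy_layout)" in
        split)
            echo "split policy: update the .cil files under /system/etc/selinux" \
                 "and /vendor/etc/selinux instead" >&2
            return 2 ;;
        ramdisk)
            echo "ramdisk policy: update out/target/product/<device>/root/sepolicy" \
                 "and re-pack boot.img" >&2
            return 3 ;;
    esac
    target="$ROOT/system_root/sepolicy"
    # On the device system_root is mounted read-only; remount it rw first.
    if [ -z "$ROOT" ]; then
        mount -o remount,rw /system_root || return 1
    fi
    cp "$target" "$target.bak" || return 1
    cp "$new" "$target" || return 1
    cmp -s "$new" "$target"   # live policy must now match the rebuilt one
}
```

Run it as `ROOT=/path/to/extracted/partitions sh update_sepolicy.sh` when working offline, or with ROOT unset from a root shell on the device; the gotcha check is simply that the script never writes to the boot partition.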
