From aa9a4a490783f114f224716526cae5c16e0d4a13 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Tue, 21 Nov 2023 16:47:42 +0900
Subject: [PATCH] Add CHECK_DEV_TYPE_VIOLATIONS
If PRODUCT_CHECK_DEV_TYPE_VIOLATIONS is set or vendor api level is greater than V (35), sepolicy dev type test will be run which checks if all /dev nodes have dev_type attribute.
Bug: 303367345
Test: set PRODUCT_CHECK_DEV_TYPE_VIOLATIONS, see sepolicy_dev_type_test's build command
Change-Id: Ibf25c1dacb5132ccda5265d6d2ce9fe655ffbc87
---
 core/android_soong_config_vars.mk | 1 +
 core/product.mk | 3 +++
 core/product_config.mk | 9 +++++++++
 3 files changed, 13 insertions(+)
diff --git a/core/android_soong_config_vars.mk b/core/android_soong_config_vars.mk
index 6d64f97780..e731fa368b 100644
--- a/core/android_soong_config_vars.mk
+++ b/core/android_soong_config_vars.mk
@@ -31,6 +31,7 @@ $(call add_soong_config_var,ANDROID,TARGET_DYNAMIC_64_32_DRMSERVER)
 $(call add_soong_config_var,ANDROID,TARGET_ENABLE_MEDIADRM_64)
 $(call add_soong_config_var,ANDROID,BOARD_USES_ODMIMAGE)
 $(call add_soong_config_var,ANDROID,BOARD_USES_RECOVERY_AS_BOOT)
+$(call add_soong_config_var,ANDROID,CHECK_DEV_TYPE_VIOLATIONS)
 $(call add_soong_config_var,ANDROID,PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT)
 # Default behavior for the tree wrt building modules or using prebuilts. This
diff --git a/core/product.mk b/core/product.mk
index 3667bb17f3..be5ec47388 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -443,6 +443,9 @@ _product_single_value_vars += PRODUCT_VIRTUAL_AB_COW_VERSION
 # If set, determines whether the build system checks vendor seapp contexts violations.
 _product_single_value_vars += PRODUCT_CHECK_VENDOR_SEAPP_VIOLATIONS
+# If set, determines whether the build system checks dev type violations.
+_product_single_value_vars += PRODUCT_CHECK_DEV_TYPE_VIOLATIONS
+
 _product_list_vars += PRODUCT_AFDO_PROFILES
 _product_single_value_vars += PRODUCT_NEXT_RELEASE_HIDE_FLAGGED_API
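Review bot: The comment added above `_product_single_value_vars += PRODUCT_CHECK_DEV_TYPE_VIOLATIONS` in core/product.mk says only "If set", which tells a product owner neither which values are accepted nor that the setting stops mattering once the vendor API level is above 35, as the commit message describes. Because this variable gates an SELinux labelling check, I would spell both out, for example `# Set to true to run the sepolicy dev type test (every /dev node must carry the dev_type attribute).` followed by `# Forced on when the vendor API level is greater than 35; this variable is then ignored.`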
diff --git a/core/product_config.mk b/core/product_config.mk
index 7c55d009b4..500735e71c 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -578,6 +578,15 @@ else ifneq ($(PRODUCT_CHECK_VENDOR_SEAPP_VIOLATIONS),)
 endif
 .KATI_READONLY := CHECK_VENDOR_SEAPP_VIOLATIONS
+# Boolean variable determining if selinux labels of /dev are enforced
+CHECK_DEV_TYPE_VIOLATIONS := false
+ifneq ($(call math_gt,$(VSR_VENDOR_API_LEVEL),35),)
+ CHECK_DEV_TYPE_VIOLATIONS := true
+else ifneq ($(PRODUCT_CHECK_DEV_TYPE_VIOLATIONS),)
+ CHECK_DEV_TYPE_VIOLATIONS := $(PRODUCT_CHECK_DEV_TYPE_VIOLATIONS)
+endif
+.KATI_READONLY := CHECK_DEV_TYPE_VIOLATIONS
+
 define product-overrides-config
 $$(foreach rule,$$(PRODUCT_$(1)_OVERRIDES),\
 $$(if $$(filter 2,$$(words $$(subst :,$$(space),$$(rule)))),,\
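Review bot: The `else ifneq ($(PRODUCT_CHECK_DEV_TYPE_VIOLATIONS),)` branch copies the product value into `CHECK_DEV_TYPE_VIOLATIONS` without validating it, although the comment above calls the variable a boolean. A product that sets `yes`, `1` or `True` would export a string that the consumer of the Soong config variable presumably does not treat as `true` (that consumer is not visible in this patch), so the /dev labelling check could be skipped without any error. I would reject other values at config time inside that branch: `$(if $(filter-out true false,$(PRODUCT_CHECK_DEV_TYPE_VIOLATIONS)),$(error PRODUCT_CHECK_DEV_TYPE_VIOLATIONS must be true or false))`. The comment could also state that the vendor API level check takes precedence over the product setting, and say what the literal `35` stands for.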