From b225d8c49904562a26718dde796761efbd2ac817 Mon Sep 17 00:00:00 2001
From: Yi-Yo Chiang
Date: Mon, 18 Oct 2021 18:32:46 +0800
Subject: [PATCH] Verbose warning message for PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT

I56ed328a9ae70cf49dbd3c6efb5a4a8c54e1b7a7 added a validation check to otatools to check the target_files archive for the existence of userdebug_plat_sepolicy.cil. That check superseded the original PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT product_config.mk check and is more robust because it can handle not only phone GSI but also car/tv GSI (downstream of phone GSI). Modify the check to show a scary wall of text if non-compliance-GSI products tried to set PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT, instead of erroring out immediately. Also add gsi_car_arm64 & gsi_car_x86_64 to the list of eligible GSI product names. After this change, any product can set PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT for development purposes, but only GSI products that specifies `--allow_gsi_debug_sepolicy` during image signing can release sign a product built with PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT.

Bug: 188067818
Test: Presubmit
Test: lunch gsi_arm64-userdebug && m nothing # => no warning
Change-Id: I34ef49af29c7064bea8924b0070793f1e78256bf
---
 core/product.mk | 2 +-
 core/product_config.mk | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/core/product.mk b/core/product.mk
index b069dda679..7192226884 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -445,7 +445,7 @@ _product_single_value_vars += PRODUCT_INSTALL_EXTRA_FLATTENED_APEXES
 
 # Install a copy of the debug policy to the system_ext partition, and allow
 # init-second-stage to load debug policy from system_ext.
-# This option is only meant to be set by GSI products.
+# This option is only meant to be set by compliance GSI targets.
 _product_single_value_vars += PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
 
 # If set, metadata files for the following artifacts will be generated.
diff --git a/core/product_config.mk b/core/product_config.mk
index 57b7724f13..6fae73ea19 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -420,9 +420,15 @@ ifneq ($(filter-out 0 1,$(words $(PRODUCT_ADB_KEYS))),)
 $(error Only one file may be in PRODUCT_ADB_KEYS: $(PRODUCT_ADB_KEYS))
 endif
 
+# Show a warning wall of text if non-compliance-GSI products set this option.
 ifdef PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
- ifeq (,$(filter gsi_arm gsi_arm64 gsi_x86 gsi_x86_64,$(PRODUCT_NAME)))
- $(error Only GSI products are allowed to set PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT)
+ ifeq (,$(filter gsi_arm gsi_arm64 gsi_x86 gsi_x86_64 gsi_car_arm64 gsi_car_x86_64,$(PRODUCT_NAME)))
+ $(warning PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT is set but \
+ PRODUCT_NAME ($(PRODUCT_NAME)) doesn't look like a GSI for compliance \
+ testing. This is a special configuration for compliance GSI, so do make \
+ sure you understand the security implications before setting this \
+ option. If you don't know what this option does, then you probably \
+ shouldn't set this.)
 endif
 endif
 
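Review bot: With `$(error ...)` replaced by `$(warning ...)` inside the `ifeq` branch, nothing at build time stops a non-GSI product from installing the debug policy to system_ext any more. Per the commit message the only remaining gate is the otatools check at release signing, which images that never pass through that step would presumably not hit. The new comment should say this, e.g. `# Advisory only: enforcement is the userdebug_plat_sepolicy.cil check at release signing (see --allow_gsi_debug_sepolicy).`, so the block is not mistaken for the control. If the relaxation is only meant for development builds, consider keeping the hard failure for non-GSI `user` variants, e.g. `$(if $(filter user,$(TARGET_BUILD_VARIANT)),$(error ...),$(warning ...))`, assuming TARGET_BUILD_VARIANT is already set at this point in product_config.mk. The filter list also gains only `gsi_car_arm64` and `gsi_car_x86_64`, so the tv GSI mentioned in the message would still trigger the warning.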