Do not include common SE policies automatically

Automatic additions to BOARD_SEPOLICY_UNION from Android.mk do not
guarantee order or precedence of rules. More often than not, these
rules get included _after_ the device's own, which makes
it impossible for the device to extend them, or even to use types
defined here.

Manually include these in the device's BoardConfig with
"include device/qcom/sepolicy/sepolicy.mk" before
its own specific BOARD_SEPOLICY_DIRS (if any) instead. Or just
include files piecemeal.

Change-Id: I2ce0c3ec325906a46570b26c5f0c2018390d2ec9

Android.mk

@@ -1,100 +1,10 @@
-# Board specific SELinux policy variable definitions
-ifeq ($(call is-vendor-board-platform,QCOM),true)
-BOARD_SEPOLICY_DIRS += \
-       device/qcom/sepolicy \
-       device/qcom/sepolicy/common \
-       device/qcom/sepolicy/test \
-       device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
-
-BOARD_SEPOLICY_UNION += \
-       genfs_contexts \
-       file_contexts \
-       service_contexts \
-       property_contexts \
-       te_macros \
-       device.te \
-       vold.te \
-       ueventd.te \
-       file.te \
-       property.te \
-       untrusted_app.te \
-       drmserver.te \
-       adbd.te \
-       app.te \
-       cnd.te \
-       system_server.te \
-       mediaserver.te \
-       msm_irqbalanced.te \
-       qmuxd.te \
-       netmgrd.te \
-       port-bridge.te \
-       atfwd.te \
-       radio.te \
-       smd_test.te \
-       qmi_ping.te \
-       qmi_test_service.te \
-       irsc_util.te \
-       netd.te \
-       rild.te \
-       diag.te \
-       diag_test.te \
-       audiod.te \
-       service.te \
-       system_app.te \
-       thermal-engine.te \
-       vm_bms.te \
-       system_app.te \
-       bluetooth.te \
-       init_shell.te \
-       mpdecision.te \
-       perfd.te \
-       mm-qcamerad.te \
-       domain.te \
-       init.te \
-       time_daemon.te \
-       rmt_storage.te \
-       rfs_access.te \
-       hvdcp.te \
-       qti.te \
-       qseecomd.te \
-       mcStarter.te \
-       keystore.te \
-       ims.te \
-       healthd.te \
-       charger_monitor.te \
-       surfaceflinger.te \
-       mm-pp-daemon.te \
-       wpa.te \
-       bootanim.te \
-       zygote.te \
-       mdm_helper.te \
-       peripheral_manager.te \
-       qcomsysd.te \
-       usb_uicc_daemon.te \
-       adsprpcd.te \
-       qlogd.te \
-       ipacm.te \
-       dpmd.te \
-       ssr_setup.te \
-       subsystem_ramdump.te \
-       ssr_diag.te \
-       sectest.te \
-       location.te \
-       location_app.te \
-       seapp_contexts \
-       logd.te \
-       installd.te \
-       wcnss_service.te
-
-# Compile sensor pilicy only for SSC targets
-SSC_TARGET_LIST := apq8084
-SSC_TARGET_LIST += msm8226
-SSC_TARGET_LIST += msm8960
-SSC_TARGET_LIST += msm8974
-SSC_TARGET_LIST += msm8994
-
-#ifeq ($(call is-board-platform-in-list,$(SSC_TARGET_LIST)),true)
-BOARD_SEPOLICY_UNION += sensors.te
-BOARD_SEPOLICY_UNION += sensors_test.te
-#endif
-endif
+# Don't recurse into the platform makefiles. We don't care about them, and
+# we don't want to force a reset of BOARD_SEPOLICY_DIRS
+#
+# If you want to use these policies, add a
+# 
+# include device/qcom/sepolicy/sepolicy.mk
+#
+# to your device's BoardConfig. It is highly recommended that in case
+# you have your own BOARD_SEPOLICY_DIRS and BOARD_SEPOLICY_UNION declarations,
+# the inclusion happens _before_ those lines

sepolicy.mk

@@ -0,0 +1,98 @@
+# Board specific SELinux policy variable definitions
+BOARD_SEPOLICY_DIRS += \
+       device/qcom/sepolicy \
+       device/qcom/sepolicy/common \
+       device/qcom/sepolicy/test \
+       device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
+
+BOARD_SEPOLICY_UNION += \
+       genfs_contexts \
+       file_contexts \
+       service_contexts \
+       property_contexts \
+       te_macros \
+       device.te \
+       vold.te \
+       ueventd.te \
+       file.te \
+       property.te \
+       untrusted_app.te \
+       drmserver.te \
+       adbd.te \
+       app.te \
+       cnd.te \
+       system_server.te \
+       mediaserver.te \
+       msm_irqbalanced.te \
+       qmuxd.te \
+       netmgrd.te \
+       port-bridge.te \
+       atfwd.te \
+       radio.te \
+       smd_test.te \
+       qmi_ping.te \
+       qmi_test_service.te \
+       irsc_util.te \
+       netd.te \
+       rild.te \
+       diag.te \
+       diag_test.te \
+       audiod.te \
+       service.te \
+       system_app.te \
+       thermal-engine.te \
+       vm_bms.te \
+       system_app.te \
+       bluetooth.te \
+       init_shell.te \
+       mpdecision.te \
+       perfd.te \
+       mm-qcamerad.te \
+       domain.te \
+       init.te \
+       time_daemon.te \
+       rmt_storage.te \
+       rfs_access.te \
+       hvdcp.te \
+       qti.te \
+       qseecomd.te \
+       mcStarter.te \
+       keystore.te \
+       ims.te \
+       healthd.te \
+       charger_monitor.te \
+       surfaceflinger.te \
+       mm-pp-daemon.te \
+       wpa.te \
+       bootanim.te \
+       zygote.te \
+       mdm_helper.te \
+       peripheral_manager.te \
+       qcomsysd.te \
+       usb_uicc_daemon.te \
+       adsprpcd.te \
+       qlogd.te \
+       ipacm.te \
+       dpmd.te \
+       ssr_setup.te \
+       subsystem_ramdump.te \
+       ssr_diag.te \
+       sectest.te \
+       location.te \
+       location_app.te \
+       seapp_contexts \
+       logd.te \
+       installd.te \
+       wcnss_service.te
+
+# Compile sensor pilicy only for SSC targets
+SSC_TARGET_LIST := apq8084
+SSC_TARGET_LIST += msm8226
+SSC_TARGET_LIST += msm8960
+SSC_TARGET_LIST += msm8974
+SSC_TARGET_LIST += msm8994
+
+#ifeq ($(call is-board-platform-in-list,$(SSC_TARGET_LIST)),true)
+BOARD_SEPOLICY_UNION += sensors.te
+BOARD_SEPOLICY_UNION += sensors_test.te
+#endif