Merge "sepolicy: Fix 'avc denied' issues for the emulators"
diff --git a/core/Makefile b/core/Makefile
index e1b1c05..301e8b29 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -1399,7 +1399,8 @@
$(HOST_LIBRARY_PATH)/libext2_e2p-host$(HOST_SHLIB_SUFFIX) \
$(HOST_LIBRARY_PATH)/libext2_profile-host$(HOST_SHLIB_SUFFIX) \
$(HOST_LIBRARY_PATH)/libext2_quota-host$(HOST_SHLIB_SUFFIX) \
- $(HOST_LIBRARY_PATH)/libext2_uuid-host$(HOST_SHLIB_SUFFIX)
+ $(HOST_LIBRARY_PATH)/libext2_uuid-host$(HOST_SHLIB_SUFFIX) \
+ $(HOST_LIBRARY_PATH)/libconscrypt_openjdk_jni$(HOST_SHLIB_SUFFIX)
.PHONY: otatools
otatools: $(OTATOOLS)
diff --git a/core/binary.mk b/core/binary.mk
index 9ac609c..fb2444c 100644
--- a/core/binary.mk
+++ b/core/binary.mk
@@ -75,7 +75,15 @@
my_ndk_source_root := $(HISTORICAL_NDK_VERSIONS_ROOT)/current/sources
my_ndk_sysroot := $(HISTORICAL_NDK_VERSIONS_ROOT)/current/platforms/android-$(LOCAL_SDK_VERSION)/arch-$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH)
my_ndk_sysroot_include := $(my_ndk_sysroot)/usr/include
- ifeq (x86_64,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH))
+
+ # x86_64 and and mips64 are both multilib toolchains, so their libraries are
+ # installed in /usr/lib64. Aarch64, on the other hand, is not a multilib
+ # compiler, so its libraries are in /usr/lib.
+ #
+ # Mips32r6 is yet another variation, with libraries installed in libr6.
+ #
+ # For the rest, the libraries are installed simply to /usr/lib.
+ ifneq (,$(filter x86_64 mips64,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH)))
my_ndk_sysroot_lib := $(my_ndk_sysroot)/usr/lib64
else ifeq (mips32r6,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH_VARIANT))
my_ndk_sysroot_lib := $(my_ndk_sysroot)/usr/libr6
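Review bot: The added comment has a doubled word, "x86_64 and and mips64". It also describes Aarch64 and "the rest", whose branches are outside the hunk, so that part cannot be checked against the code shown here. Suggested first line: `# x86_64 and mips64 are both multilib toolchains, so their libraries are`. The conditional chain continues past the last line of the hunk.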
@@ -209,11 +217,13 @@
my_clang := true
endif
endif
-# Add option to make clang the default for device build
-else ifeq ($(USE_CLANG_PLATFORM_BUILD),true)
+# Add option to make gcc the default for device build
+else ifeq ($(USE_CLANG_PLATFORM_BUILD),false)
ifeq ($(my_clang),)
- my_clang := true
+ my_clang := false
endif
+else ifeq ($(my_clang),)
+ my_clang := true
endif
my_cpp_std_version := -std=gnu++14
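Review bot: With the new `else ifeq ($(my_clang),)` fallback, every value of `USE_CLANG_PLATFORM_BUILD` other than the exact string `false` selects clang. A misspelling such as `False`, or a value with trailing whitespace, therefore silently builds with a different compiler than the one requested. Comparing against `$(strip $(USE_CLANG_PLATFORM_BUILD))` covers the whitespace case. The comment should also state the default, for example `# clang is the default for device builds; USE_CLANG_PLATFORM_BUILD := false selects gcc`. The surrounding conditional opens outside the hunk.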
diff --git a/core/combo/HOST_linux-x86.mk b/core/combo/HOST_linux-x86.mk
index b5efc71..169e2d2 100644
--- a/core/combo/HOST_linux-x86.mk
+++ b/core/combo/HOST_linux-x86.mk
@@ -35,7 +35,7 @@
# We expect SSE3 floating point math.
$(combo_2nd_arch_prefix)HOST_GLOBAL_CFLAGS += -msse3 -mfpmath=sse -m32 -Wa,--noexecstack -march=prescott
-$(combo_2nd_arch_prefix)HOST_GLOBAL_LDFLAGS += -m32 -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now
+$(combo_2nd_arch_prefix)HOST_GLOBAL_LDFLAGS += -m32 -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -Wl,--no-undefined-version
ifneq ($(strip $(BUILD_HOST_static)),)
# Statically-linked binaries are desirable for sandboxed environment
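Review bot: The new `-Wl,--no-undefined-version` on the LDFLAGS line has no comment, and the same flag is added without explanation in HOST_linux-x86_64.mk and in the TARGET_linux-arm, -arm64, -mips, -mips64, -x86 and -x86_64 combo files. A one-line comment would tell maintainers why a link that used to pass now fails, e.g. `# Fail the link when a version script names a symbol that is not defined, so export maps stay accurate.` Because the flag is repeated across eight files, defining it once in a shared variable would also keep the host and target settings from diverging.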
diff --git a/core/combo/HOST_linux-x86_64.mk b/core/combo/HOST_linux-x86_64.mk
index 9a77324..9766f2b 100644
--- a/core/combo/HOST_linux-x86_64.mk
+++ b/core/combo/HOST_linux-x86_64.mk
@@ -34,7 +34,7 @@
HOST_TOOLCHAIN_FOR_CLANG := prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8
HOST_GLOBAL_CFLAGS += -m64 -Wa,--noexecstack
-HOST_GLOBAL_LDFLAGS += -m64 -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now
+HOST_GLOBAL_LDFLAGS += -m64 -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -Wl,--no-undefined-version
ifneq ($(strip $(BUILD_HOST_static)),)
# Statically-linked binaries are desirable for sandboxed environment
diff --git a/core/combo/TARGET_linux-arm.mk b/core/combo/TARGET_linux-arm.mk
index 485e48c..b91e072 100644
--- a/core/combo/TARGET_linux-arm.mk
+++ b/core/combo/TARGET_linux-arm.mk
@@ -138,6 +138,7 @@
-Wl,--fatal-warnings \
-Wl,--icf=safe \
-Wl,--hash-style=gnu \
+ -Wl,--no-undefined-version \
$(arch_variant_ldflags)
$(combo_2nd_arch_prefix)TARGET_GLOBAL_CFLAGS += -mthumb-interwork
diff --git a/core/combo/TARGET_linux-arm64.mk b/core/combo/TARGET_linux-arm64.mk
index 1eb3240..fbf8ab0 100644
--- a/core/combo/TARGET_linux-arm64.mk
+++ b/core/combo/TARGET_linux-arm64.mk
@@ -115,6 +115,7 @@
-Wl,-maarch64linux \
-Wl,--hash-style=gnu \
-Wl,--fix-cortex-a53-843419 \
+ -Wl,--no-undefined-version \
$(arch_variant_ldflags)
# Disable transitive dependency library symbol resolving.
diff --git a/core/combo/TARGET_linux-mips.mk b/core/combo/TARGET_linux-mips.mk
index be05302..a70f4f8 100644
--- a/core/combo/TARGET_linux-mips.mk
+++ b/core/combo/TARGET_linux-mips.mk
@@ -107,6 +107,7 @@
-Wl,--build-id=md5 \
-Wl,--warn-shared-textrel \
-Wl,--fatal-warnings \
+ -Wl,--no-undefined-version \
$(arch_variant_ldflags)
# Disable transitive dependency library symbol resolving.
diff --git a/core/combo/TARGET_linux-mips64.mk b/core/combo/TARGET_linux-mips64.mk
index 9704b6b..9e4eaa6 100644
--- a/core/combo/TARGET_linux-mips64.mk
+++ b/core/combo/TARGET_linux-mips64.mk
@@ -113,6 +113,7 @@
-Wl,--build-id=md5 \
-Wl,--warn-shared-textrel \
-Wl,--fatal-warnings \
+ -Wl,--no-undefined-version \
$(arch_variant_ldflags)
# Disable transitive dependency library symbol resolving.
diff --git a/core/combo/TARGET_linux-x86.mk b/core/combo/TARGET_linux-x86.mk
index c4cb0f8..7d2b6de 100644
--- a/core/combo/TARGET_linux-x86.mk
+++ b/core/combo/TARGET_linux-x86.mk
@@ -129,6 +129,7 @@
$(combo_2nd_arch_prefix)TARGET_GLOBAL_LDFLAGS += -Wl,--fatal-warnings
$(combo_2nd_arch_prefix)TARGET_GLOBAL_LDFLAGS += -Wl,--gc-sections
$(combo_2nd_arch_prefix)TARGET_GLOBAL_LDFLAGS += -Wl,--hash-style=gnu
+$(combo_2nd_arch_prefix)TARGET_GLOBAL_LDFLAGS += -Wl,--no-undefined-version
$(combo_2nd_arch_prefix)TARGET_C_INCLUDES := \
$(libc_root)/arch-x86/include \
diff --git a/core/combo/TARGET_linux-x86_64.mk b/core/combo/TARGET_linux-x86_64.mk
index b7ec50b..81fafdd 100644
--- a/core/combo/TARGET_linux-x86_64.mk
+++ b/core/combo/TARGET_linux-x86_64.mk
@@ -138,6 +138,7 @@
TARGET_GLOBAL_LDFLAGS += -Wl,--fatal-warnings
TARGET_GLOBAL_LDFLAGS += -Wl,--gc-sections
TARGET_GLOBAL_LDFLAGS += -Wl,--hash-style=gnu
+TARGET_GLOBAL_LDFLAGS += -Wl,--no-undefined-version
TARGET_C_INCLUDES := \
$(libc_root)/arch-x86_64/include \
diff --git a/core/config.mk b/core/config.mk
index 597b0d7..450c06c 100644
--- a/core/config.mk
+++ b/core/config.mk
@@ -453,6 +453,7 @@
AAPT := $(HOST_OUT_EXECUTABLES)/aapt
ZIPALIGN := $(HOST_OUT_EXECUTABLES)/zipalign
SIGNAPK_JAR := $(HOST_OUT_JAVA_LIBRARIES)/signapk$(COMMON_JAVA_PACKAGE_SUFFIX)
+SIGNAPK_JNI_LIBRARY_PATH := $(HOST_OUT_SHARED_LIBRARIES)
LLVM_RS_CC := $(HOST_OUT_EXECUTABLES)/llvm-rs-cc
BCC_COMPAT := $(HOST_OUT_EXECUTABLES)/bcc_compat
@@ -469,6 +470,8 @@
AAPT := $(prebuilt_sdk_tools_bin)/aapt
ZIPALIGN := $(prebuilt_sdk_tools_bin)/zipalign
SIGNAPK_JAR := $(prebuilt_sdk_tools)/lib/signapk$(COMMON_JAVA_PACKAGE_SUFFIX)
+# Use 64-bit libraries unconditionally because 32-bit JVMs are no longer supported
+SIGNAPK_JNI_LIBRARY_PATH := $(prebuilt_sdk_tools)/$(HOST_OS)/lib64
DX := $(prebuilt_sdk_tools)/dx
MAINDEXCLASSES := $(prebuilt_sdk_tools)/mainDexClasses
diff --git a/core/definitions.mk b/core/definitions.mk
index 19365ca..5119d65 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -2165,7 +2165,7 @@
#
define sign-package
$(hide) mv $@ $@.unsigned
-$(hide) java -jar $(SIGNAPK_JAR) \
+$(hide) java -Djava.library.path=$(SIGNAPK_JNI_LIBRARY_PATH) -jar $(SIGNAPK_JAR) \
$(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \
$(PRIVATE_ADDITIONAL_CERTIFICATES) $@.unsigned $@.signed
$(hide) mv $@.signed $@
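Review bot: `sign-package` now needs the JNI library under `$(SIGNAPK_JNI_LIBRARY_PATH)` at run time, but nothing in this diff adds that library as a prerequisite of the rules that call the macro. If those rules (outside this diff) depend only on `$(SIGNAPK_JAR)`, a parallel or incremental build can reach the signing step before the library exists; they would also need `$(SIGNAPK_JNI_LIBRARY_PATH)/libconscrypt_openjdk_jni$(HOST_SHLIB_SUFFIX)`. The value is passed unquoted and unchecked, so an empty `SIGNAPK_JNI_LIBRARY_PATH` yields a bare `-Djava.library.path=`. A comment on the macro should say that this directory supplies native code to the process that handles `$(PRIVATE_PRIVATE_KEY)`. The `define` closes outside the hunk.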
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 3b2ce72..ee0cdf9 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -44,6 +44,7 @@
self.search_path = platform_search_path.get(sys.platform, None)
self.signapk_path = "framework/signapk.jar" # Relative to search_path
+ self.signapk_shared_library_path = "lib64" # Relative to search_path
self.extra_signapk_args = []
self.java_path = "java" # Use the one on the path by default.
self.java_args = "-Xmx2048m" # JVM Args
@@ -598,7 +599,12 @@
zip file.
"""
- cmd = [OPTIONS.java_path, OPTIONS.java_args, "-jar",
+ java_library_path = os.path.join(
+ OPTIONS.search_path, OPTIONS.signapk_shared_library_path)
+
+ cmd = [OPTIONS.java_path, OPTIONS.java_args,
+ "-Djava.library.path=" + java_library_path,
+ "-jar",
os.path.join(OPTIONS.search_path, OPTIONS.signapk_path)]
cmd.extend(OPTIONS.extra_signapk_args)
if whole_file:
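Review bot: The directory placed in `-Djava.library.path=` is never checked, so a missing or wrong `lib64` under `search_path` only surfaces later as a JVM link error from signapk. Native code loaded from this directory runs in the process that reads the signing key, so it is worth failing early and naming the path, for example `if not os.path.isdir(java_library_path): raise ExternalError("signapk JNI library directory not found: " + java_library_path)`. `os.path.join` also discards `search_path` when `--signapk_shared_library_path` is absolute, which the "Relative to search_path" comment does not mention. The function starts and ends outside the hunk.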
@@ -718,7 +724,8 @@
try:
opts, args = getopt.getopt(
argv, "hvp:s:x:" + extra_opts,
- ["help", "verbose", "path=", "signapk_path=", "extra_signapk_args=",
+ ["help", "verbose", "path=", "signapk_path=",
+ "signapk_shared_library_path=", "extra_signapk_args=",
"java_path=", "java_args=", "public_key_suffix=",
"private_key_suffix=", "boot_signer_path=", "boot_signer_args=",
"verity_signer_path=", "verity_signer_args=", "device_specific=",
@@ -739,6 +746,8 @@
OPTIONS.search_path = a
elif o in ("--signapk_path",):
OPTIONS.signapk_path = a
+ elif o in ("--signapk_shared_library_path",):
+ OPTIONS.signapk_shared_library_path = a
elif o in ("--extra_signapk_args",):
OPTIONS.extra_signapk_args = shlex.split(a)
elif o in ("--java_path",):
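Review bot: The new `--signapk_shared_library_path` option is parsed here, but no hunk in this diff adds it to the usage text printed for `--help`, so it appears to be undocumented for anyone running the release tools by hand. If the usage docstring lists `--signapk_path`, add a matching entry next to it, such as `--signapk_shared_library_path <path>  Directory, relative to the search path, holding the JNI library that signapk loads.` The option loop continues outside the hunk.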
diff --git a/tools/signapk/Android.mk b/tools/signapk/Android.mk
index 620ccb1..da1501b 100644
--- a/tools/signapk/Android.mk
+++ b/tools/signapk/Android.mk
@@ -21,11 +21,16 @@
LOCAL_MODULE := signapk
LOCAL_SRC_FILES := SignApk.java
LOCAL_JAR_MANIFEST := SignApk.mf
-LOCAL_STATIC_JAVA_LIBRARIES := bouncycastle-host bouncycastle-bcpkix-host
+LOCAL_STATIC_JAVA_LIBRARIES := bouncycastle-host bouncycastle-bcpkix-host conscrypt-host
+LOCAL_REQUIRED_MODULES := libconscrypt_openjdk_jni
include $(BUILD_HOST_JAVA_LIBRARY)
ifeq ($(TARGET_BUILD_APPS),)
-# The post-build signing tools need signapk.jar, but we don't
-# need this if we're just doing unbundled apps.
-$(call dist-for-goals,droidcore,$(LOCAL_INSTALLED_MODULE))
+# The post-build signing tools need signapk.jar and its shared libraries,
+# but we don't need this if we're just doing unbundled apps.
+my_dist_files := $(LOCAL_INSTALLED_MODULE) \
+ $(HOST_OUT_SHARED_LIBRARIES)/libconscrypt_openjdk_jni$(HOST_SHLIB_SUFFIX)
+
+$(call dist-for-goals,droidcore,$(my_dist_files))
+my_dist_files :=
endif
diff --git a/tools/signapk/SignApk.java b/tools/signapk/SignApk.java
index 397f8cc..5afb8d1 100644
--- a/tools/signapk/SignApk.java
+++ b/tools/signapk/SignApk.java
@@ -34,6 +34,7 @@
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.encoders.Base64;
+import org.conscrypt.OpenSSLProvider;
import java.io.Console;
import java.io.BufferedReader;
@@ -110,8 +111,6 @@
private static final String OTACERT_NAME = "META-INF/com/android/otacert";
- private static Provider sBouncyCastleProvider;
-
// bitmasks for which hash algorithms we need the manifest to include.
private static final int USE_SHA1 = 1;
private static final int USE_SHA256 = 2;
@@ -451,12 +450,10 @@
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
ContentSigner signer = new JcaContentSignerBuilder(getSignatureAlgorithm(publicKey))
- .setProvider(sBouncyCastleProvider)
.build(privateKey);
gen.addSignerInfoGenerator(
new JcaSignerInfoGeneratorBuilder(
new JcaDigestCalculatorProviderBuilder()
- .setProvider(sBouncyCastleProvider)
.build())
.setDirectSignature(true)
.build(signer, publicKey));
@@ -879,8 +876,13 @@
public static void main(String[] args) {
if (args.length < 4) usage();
- sBouncyCastleProvider = new BouncyCastleProvider();
- Security.addProvider(sBouncyCastleProvider);
+ // Install Conscrypt as the highest-priority provider. Its crypto primitives are faster than
+ // the standard or Bouncy Castle ones.
+ Security.insertProviderAt(new OpenSSLProvider(), 1);
+ // Install Bouncy Castle (as the lowest-priority provider) because Conscrypt does not offer
+ // DSA which may still be needed.
+ // TODO: Stop installing Bouncy Castle provider once DSA is no longer needed.
+ Security.addProvider(new BouncyCastleProvider());
boolean signWholeFile = false;
String providerClass = null;
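Review bot: `Security.addProvider(new BouncyCastleProvider())` appends Bouncy Castle after the JVM's own providers, so an algorithm Conscrypt lacks, such as DSA, is presumably served by a JDK built-in provider before Bouncy Castle is consulted. The added comment does not say this. Together with the removal of `.setProvider(sBouncyCastleProvider)` in the earlier hunk, the implementation that produces the signature now depends on the provider order of the JVM running the tool. Suggested comment: `// Algorithms Conscrypt lacks (e.g. DSA) resolve by JCA priority: JVM-configured providers first, Bouncy Castle last.` `main` continues past the end of the hunk.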