Move updatable policy into a signed zip file am: 0510dbb81a
Original change: https://android-review.googlesource.com/c/platform/packages/modules/SEPolicy/+/1922757
Change-Id: I809c483e4d6e1afcce7590e444e6c9617031a9b4
diff --git a/API-level-policy/33/Android.bp b/API-level-policy/33/Android.bp
index 972d52e..39c2227 100644
--- a/API-level-policy/33/Android.bp
+++ b/API-level-policy/33/Android.bp
@@ -17,21 +17,74 @@
default_applicable_licenses: ["Android-Apache-2.0"],
}
-android_app {
+genrule {
name: "SEPolicy-33",
- // TODO(jeffv): for now, just include an empty policy. Later this needs
- // to include policy from system/sepolicy/mainline (for example).
- asset_dirs: ["policy"],
- sdk_version: "current",
- apex_available: ["com.android.sepolicy"],
+ defaults: ["sepolicy_create_zip_gen_default"],
+ srcs: [
+ ":apex_file_contexts-33",
+ ":apex_property_contexts-33",
+ ":apex_service_contexts-33",
+ ":apex_seapp_contexts-33",
+ ":apex_sepolicy-33.cil",
+ ":apex_sepolicy.sha256",
+ ":sepolicy_test",
- // Prevent the AndroidManifest.xml from being modified by the build system.
- dex_preopt: {
- enabled: false,
- },
- optimize: {
- enabled: false,
- },
- use_embedded_native_libs: true,
+ ],
+ out: ["SEPolicy-33.zip"],
}
+prebuilt_etc {
+ name: "SEPolicy-33.zip",
+ src: ":SEPolicy-33",
+ installable: false,
+ filename: "SEPolicy-33.zip",
+}
+
+genrule {
+ name: "SEPolicy-33.zip.sig.gen",
+ defaults: ["sepolicy_sig_gen_default"],
+ srcs: [":SEPolicy-33.zip"],
+ out: ["SEPolicy-33.zip.sig.gen"],
+}
+
+prebuilt_etc {
+ name: "SEPolicy-33.zip.sig",
+ src: ":SEPolicy-33.zip.sig.gen",
+ installable: false,
+ filename: "SEPolicy-33.zip.sig",
+}
+
+genrule {
+ name: "SEPolicy-33.zip.fsv_sig.gen",
+ defaults: ["sepolicy_verity_sig_gen_default"],
+ srcs: [":SEPolicy-33.zip"],
+ out: ["SEPolicy-33.zip.fsv_sig.gen"],
+}
+
+prebuilt_etc {
+ name: "SEPolicy-33.zip.fsv_sig",
+ src: ":SEPolicy-33.zip.fsv_sig.gen",
+ installable: false,
+ filename: "SEPolicy-33.zip.fsv_sig",
+}
+
+// Versions of the most up-to-date apex sepolicies are installed on /system.
+prebuilt_etc {
+ name: "SEPolicy.zip",
+ src: ":SEPolicy-33",
+ relative_install_path: "selinux/apex",
+}
+
+prebuilt_etc {
+ name: "SEPolicy.zip.sig",
+ src: ":SEPolicy-33.zip.sig.gen",
+ filename: "SEPolicy.zip.sig",
+ relative_install_path: "selinux/apex",
+}
+
+prebuilt_etc {
+ name: "SEPolicy.zip.fsv_sig",
+ src: ":SEPolicy-33.zip.fsv_sig.gen",
+ filename: "SEPolicy.zip.fsv_sig",
+ relative_install_path: "selinux/apex",
+}
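Review bot: The signed `SEPolicy-33.zip` produced by the `SEPolicy-33` genrule (srcs at lines 20-36) bundles `:sepolicy_test`, which this same change defines as a one-line placeholder file containing `test` installed under the name `apex_test`; that fixture ends up inside the artifact that is signed, shipped in the APEX and also installed to `/system/etc/selinux/apex`. If it is only for bringup of the loader, either drop `":sepolicy_test",` from `srcs` or mark it so it is not forgotten, e.g. `":sepolicy_test", // TODO: bringup-only placeholder, remove before shipping policy`. Separately, the three signature/zip prebuilts under the "installed on /system" comment reuse the exact `SEPolicy-33` outputs, which is fine as long as the comment is updated whenever a newer API level becomes the default, so a short note such as `// Keep in sync with the newest API-level-policy/<N> directory.` would help the next maintainer.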
diff --git a/API-level-policy/33/AndroidManifest.xml b/API-level-policy/33/AndroidManifest.xml
deleted file mode 100644
index 6515b19..0000000
--- a/API-level-policy/33/AndroidManifest.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
- ~ Copyright (C) 2015 The Android Open Source Project
- ~
- ~ Licensed under the Apache License, Version 2.0 (the "License");
- ~ you may not use this file except in compliance with the License.
- ~ You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing, software
- ~ distributed under the License is distributed on an "AS IS" BASIS,
- ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- ~ See the License for the specific language governing permissions and
- ~ limitations under the License.
--->
-<!-- This manifest is for LiveTv -->
-
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:tools="http://schemas.android.com/tools"
- package="com.android.sepolicy.apk">
-
-</manifest>
diff --git a/API-level-policy/33/policy/mainline.cil b/API-level-policy/33/policy/mainline.cil
deleted file mode 100644
index e69de29..0000000
--- a/API-level-policy/33/policy/mainline.cil
+++ /dev/null
diff --git a/API-level-policy/Android.bp b/API-level-policy/Android.bp
new file mode 100644
index 0000000..87efa91
--- /dev/null
+++ b/API-level-policy/Android.bp
@@ -0,0 +1,55 @@
+//
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+genrule_defaults {
+ name: "sepolicy_sig_gen_default",
+ tool_files: [":SEPolicyKeyPem", ":SEPolicyCertPem"],
+ // openssl dgst -sign com.android.sepolicy.pem -keyform PEM -sha256 -out foo.sign
+ // -binary $OUT/apex/com.android.sepolicy/etc/SEPolicy-33/SEPolicy-33.zip
+ cmd: "openssl dgst -sign $(location :SEPolicyKeyPem) -keyform PEM -sha256 " +
+ "-out $(out) -binary $(in)"
+}
+
+genrule_defaults {
+ name: "sepolicy_verity_sig_gen_default",
+ tools: ["fsverity"],
+ tool_files: [":SEPolicyKeyPem", ":SEPolicyCertPem"],
+ // Use fsverity tool to generate the signature file which
+ // will be stored in the apex.
+ // https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/tree/README.md
+ cmd: "$(location fsverity) sign $(in) $(out) " +
+ "--key=$(location :SEPolicyKeyPem) " +
+ "--cert=$(location :SEPolicyCertPem) " +
+ "> /dev/null",
+}
+
+genrule_defaults {
+ name: "sepolicy_create_zip_gen_default",
+ tools: ["soong_zip"],
+ cmd: "mkdir $(genDir)/files && " +
+ "cp $(in) $(genDir)/files && " +
+ "$(location soong_zip) -o $(out) -C $(genDir)/files -D $(genDir)/files",
+}
+
+prebuilt_etc {
+ name: "sepolicy_test",
+ src: "sepolicy_test",
+ filename: "apex_test",
+ installable: false,
+}
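Review bot: `sepolicy_sig_gen_default` (lines 153-160) runs `openssl` from whatever is on the host PATH without declaring it in `tools:`, so the detached signature is produced by an undeclared, version-unpinned binary and the build is not hermetic; `sepolicy_verity_sig_gen_default` does declare `fsverity`, so the two are inconsistent. If an OpenSSL host module is available it should be declared the same way (`tools: ["openssl"],` with `$(location openssl)` in `cmd`), otherwise the comment should at least state that the host OpenSSL is required. In `sepolicy_create_zip_gen_default`, `mkdir $(genDir)/files` has no `-p`, so a stale `files/` directory makes the rule fail, and `cp $(in) $(genDir)/files` flattens every input to its basename, so two inputs that share a basename would silently overwrite each other and the signed zip would be missing a file with no build error; `mkdir -p $(genDir)/files && cp $(in) $(genDir)/files` fixes the first, and a comment such as `// Inputs are copied flat: every src must have a unique basename.` documents the second until a collision check is added.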
diff --git a/API-level-policy/sepolicy_test b/API-level-policy/sepolicy_test
new file mode 100644
index 0000000..9daeafb
--- /dev/null
+++ b/API-level-policy/sepolicy_test
@@ -0,0 +1 @@
+test
diff --git a/apex/Android.bp b/apex/Android.bp
index 67fa0e7..8c9129c 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -24,12 +24,16 @@
manifest: "manifest.json",
file_contexts: ":com.android.sepolicy-file_contexts",
key: "com.android.sepolicy.key",
- // TODO(jeffv): Making this platform signed for now for prototyping convencience,
- // but eventually it needs to be signed with the key below.
- certificate: "platform",
-
- apps: ["SEPolicy-33"],
- prebuilts: ["SEPolicy-33.apk.sig", "SEPolicy-33.apk.fsv_sig"],
+ prebuilts: [
+ "SEPolicy-33.zip.sig",
+ "SEPolicy-33.zip.fsv_sig",
+ "SEPolicy-33.zip",
+ ],
+ required: [
+ "SEPolicy.zip.sig",
+ "SEPolicy.zip.fsv_sig",
+ "SEPolicy.zip",
+ ],
}
apex_key {
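Review bot: The hunk removes `certificate: "platform"` together with the TODO saying the APEX should eventually be signed with its own key, but it does not add a replacement `certificate:` entry, so the outer APEX signature presumably falls back to the product's default certificate rather than a sepolicy-specific one (the `key:` line only covers the payload image). If a dedicated `android_app_certificate` for this module exists it should be referenced here, e.g. `certificate: ":com.android.sepolicy.certificate",`; if the default certificate is intentional for now, keep a comment stating that so the prototyping caveat is not silently lost. The enclosing `apex` module starts before this hunk.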
@@ -48,60 +52,8 @@
srcs: ["com.android.sepolicy.cert.pem"],
}
-// openssl dgst -sign com.android.sepolicy.pem -keyform PEM -sha256 -out foo.sign
-// -binary $OUT/apex/com.android.sepolicy/app/SEPolicy-33/SEPolicy-33.apk
-genrule_defaults {
- name: "sepolicy_sig_gen_default",
- //tools: ["openssl"],
- tool_files: [":SEPolicyKeyPem", ":SEPolicyCertPem"],
- cmd: "openssl dgst -sign $(location :SEPolicyKeyPem) -keyform PEM -sha256 " +
- "-out $(out) -binary $(in)"
-}
-
-genrule {
- name: "SEPolicy-33.apk.sig.gen",
- defaults: ["sepolicy_sig_gen_default"],
- srcs: [":SEPolicy-33"],
- out: ["SEPolicy-33.apk.sig.gen"],
-}
-
-prebuilt_etc {
- name: "SEPolicy-33.apk.sig",
- src: ":SEPolicy-33.apk.sig.gen",
- installable: false,
- filename: "SEPolicy-33.apk.sig",
-}
-
-genrule_defaults {
- name: "sepolicy_verity_sig_gen_default",
- tools: ["fsverity"],
- tool_files: [":SEPolicyKeyPem", ":SEPolicyCertPem"],
- // Use fsverity tool to generate the signature file which
- // will be stored in the apex.
- // https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/tree/README.md
- cmd: "$(location fsverity) sign $(in) $(out) " +
- "--key=$(location :SEPolicyKeyPem) " +
- "--cert=$(location :SEPolicyCertPem) " +
- "> /dev/null",
-}
-
-genrule {
- name: "SEPolicy-33.apk.fsv_sig.gen",
- defaults: ["sepolicy_verity_sig_gen_default"],
- srcs: [":SEPolicy-33"],
- out: ["SEPolicy-33.apk.fsv_sig.gen"],
-}
-
-prebuilt_etc {
- name: "SEPolicy-33.apk.fsv_sig",
- src: ":SEPolicy-33.apk.fsv_sig.gen",
- installable: false,
- filename: "SEPolicy-33.apk.fsv_sig",
-}
-
prebuilt_etc {
name: "com.android.sepolicy.cert-debug.der",
src: "com.android.sepolicy.cert.der",
sub_dir: "selinux",
}
-