Move updatable policy into a signed zip file am: 0510dbb81a

Original change: https://android-review.googlesource.com/c/platform/packages/modules/SEPolicy/+/1922757

Change-Id: I809c483e4d6e1afcce7590e444e6c9617031a9b4
diff --git a/API-level-policy/33/Android.bp b/API-level-policy/33/Android.bp
index 972d52e..39c2227 100644
--- a/API-level-policy/33/Android.bp
+++ b/API-level-policy/33/Android.bp
@@ -17,21 +17,74 @@
     default_applicable_licenses: ["Android-Apache-2.0"],
 }
 
-android_app {
+genrule {
     name: "SEPolicy-33",
-    // TODO(jeffv): for now, just include an empty policy. Later this needs
-    // to include policy from system/sepolicy/mainline (for example).
-    asset_dirs: ["policy"],
-    sdk_version: "current",
-    apex_available: ["com.android.sepolicy"],
+    defaults: ["sepolicy_create_zip_gen_default"],
+    srcs: [
+        ":apex_file_contexts-33",
+        ":apex_property_contexts-33",
+        ":apex_service_contexts-33",
+        ":apex_seapp_contexts-33",
+        ":apex_sepolicy-33.cil",
+        ":apex_sepolicy.sha256",
+        ":sepolicy_test",
 
-    // Prevent the AndroidManifest.xml from being modified by the build system.
-    dex_preopt: {
-        enabled: false,
-    },
-    optimize: {
-        enabled: false,
-    },
-    use_embedded_native_libs: true,
+    ],
+    out: ["SEPolicy-33.zip"],
 }
 
+prebuilt_etc {
+    name: "SEPolicy-33.zip",
+    src: ":SEPolicy-33",
+    installable: false,
+    filename: "SEPolicy-33.zip",
+}
+
+genrule {
+    name: "SEPolicy-33.zip.sig.gen",
+    defaults: ["sepolicy_sig_gen_default"],
+    srcs: [":SEPolicy-33.zip"],
+    out: ["SEPolicy-33.zip.sig.gen"],
+}
+
+prebuilt_etc {
+    name: "SEPolicy-33.zip.sig",
+    src: ":SEPolicy-33.zip.sig.gen",
+    installable: false,
+    filename: "SEPolicy-33.zip.sig",
+}
+
+genrule {
+    name: "SEPolicy-33.zip.fsv_sig.gen",
+    defaults: ["sepolicy_verity_sig_gen_default"],
+    srcs: [":SEPolicy-33.zip"],
+    out: ["SEPolicy-33.zip.fsv_sig.gen"],
+}
+
+prebuilt_etc {
+    name: "SEPolicy-33.zip.fsv_sig",
+    src: ":SEPolicy-33.zip.fsv_sig.gen",
+    installable: false,
+    filename: "SEPolicy-33.zip.fsv_sig",
+}
+
+// Versions of the most up-to-date apex sepolicies are installed on /system.
+prebuilt_etc {
+    name: "SEPolicy.zip",
+    src: ":SEPolicy-33",
+    relative_install_path: "selinux/apex",
+}
+
+prebuilt_etc {
+    name: "SEPolicy.zip.sig",
+    src: ":SEPolicy-33.zip.sig.gen",
+    filename: "SEPolicy.zip.sig",
+    relative_install_path: "selinux/apex",
+}
+
+prebuilt_etc {
+    name: "SEPolicy.zip.fsv_sig",
+    src: ":SEPolicy-33.zip.fsv_sig.gen",
+    filename: "SEPolicy.zip.fsv_sig",
+    relative_install_path: "selinux/apex",
+}
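Review bot: `:sepolicy_test` is listed in the `srcs` of `SEPolicy-33`, so the placeholder file becomes part of the zip that is signed, packaged in the apex and installed under `selinux/apex`. If it exists only to exercise the loading path, say so above that line with a comment such as `// Placeholder entry used to exercise zip loading; not real policy.`, or keep it out of the shipped bundle. Separately, `SEPolicy.zip` takes its `src` from `:SEPolicy-33` while both signature rules read `:SEPolicy-33.zip`. These should be the same bytes, but pointing all three at one module would make it evident that the installed file is the one that was signed.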
diff --git a/API-level-policy/33/AndroidManifest.xml b/API-level-policy/33/AndroidManifest.xml
deleted file mode 100644
index 6515b19..0000000
--- a/API-level-policy/33/AndroidManifest.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
-  ~ Copyright (C) 2015 The Android Open Source Project
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~      http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
--->
-<!-- This manifest is for LiveTv -->
-
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
-     xmlns:tools="http://schemas.android.com/tools"
-     package="com.android.sepolicy.apk">
-
-</manifest>
diff --git a/API-level-policy/33/policy/mainline.cil b/API-level-policy/33/policy/mainline.cil
deleted file mode 100644
index e69de29..0000000
--- a/API-level-policy/33/policy/mainline.cil
+++ /dev/null
diff --git a/API-level-policy/Android.bp b/API-level-policy/Android.bp
new file mode 100644
index 0000000..87efa91
--- /dev/null
+++ b/API-level-policy/Android.bp
@@ -0,0 +1,55 @@
+//
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+genrule_defaults {
+    name: "sepolicy_sig_gen_default",
+    tool_files: [":SEPolicyKeyPem", ":SEPolicyCertPem"],
+    // openssl dgst -sign com.android.sepolicy.pem -keyform PEM -sha256 -out foo.sign
+    // -binary $OUT/apex/com.android.sepolicy/etc/SEPolicy-33/SEPolicy-33.zip
+    cmd: "openssl dgst -sign $(location :SEPolicyKeyPem) -keyform PEM -sha256 " +
+        "-out $(out) -binary $(in)"
+}
+
+genrule_defaults {
+    name: "sepolicy_verity_sig_gen_default",
+    tools: ["fsverity"],
+    tool_files: [":SEPolicyKeyPem", ":SEPolicyCertPem"],
+    // Use fsverity tool to generate the signature file which
+    // will be stored in the apex.
+    // https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/tree/README.md
+    cmd: "$(location fsverity) sign $(in) $(out) " +
+        "--key=$(location :SEPolicyKeyPem) " +
+        "--cert=$(location :SEPolicyCertPem) " +
+        "> /dev/null",
+}
+
+genrule_defaults {
+    name: "sepolicy_create_zip_gen_default",
+    tools: ["soong_zip"],
+    cmd: "mkdir $(genDir)/files && " +
+        "cp $(in) $(genDir)/files && " +
+        "$(location soong_zip) -o $(out) -C $(genDir)/files -D $(genDir)/files",
+}
+
+prebuilt_etc {
+    name: "sepolicy_test",
+    src: "sepolicy_test",
+    filename: "apex_test",
+    installable: false,
+}
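Review bot: `sepolicy_sig_gen_default` invokes `openssl` without declaring it under `tools`, so the signature over the policy zip appears to come from whatever binary the build host resolves, whereas the verity rule pins its signer with `tools: ["fsverity"]`. The rule should at least record that dependency, e.g. `// NOTE: relies on the host-provided openssl; it is not a declared build tool.`. `:SEPolicyCertPem` is listed in this rule's `tool_files` but never referenced by its `cmd`, so it can be dropped here. In `sepolicy_create_zip_gen_default`, `cp $(in) $(genDir)/files` flattens inputs by basename, so two sources with the same file name would silently overwrite each other inside the signed archive; a comment stating that input names must be unique would help.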
diff --git a/API-level-policy/sepolicy_test b/API-level-policy/sepolicy_test
new file mode 100644
index 0000000..9daeafb
--- /dev/null
+++ b/API-level-policy/sepolicy_test
@@ -0,0 +1 @@
+test
diff --git a/apex/Android.bp b/apex/Android.bp
index 67fa0e7..8c9129c 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -24,12 +24,16 @@
     manifest: "manifest.json",
     file_contexts: ":com.android.sepolicy-file_contexts",
     key: "com.android.sepolicy.key",
-    // TODO(jeffv): Making this platform signed for now for prototyping convencience,
-    // but eventually it needs to be signed with the key below.
-    certificate: "platform",
-
-    apps: ["SEPolicy-33"],
-    prebuilts: ["SEPolicy-33.apk.sig", "SEPolicy-33.apk.fsv_sig"],
+    prebuilts: [
+        "SEPolicy-33.zip.sig",
+        "SEPolicy-33.zip.fsv_sig",
+        "SEPolicy-33.zip",
+    ],
+    required: [
+        "SEPolicy.zip.sig",
+        "SEPolicy.zip.fsv_sig",
+        "SEPolicy.zip",
+    ],
 }
 
 apex_key {
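Review bot: The removed TODO said the apex should eventually be signed with the key defined below, but the new property list drops `certificate: "platform"` without naming a replacement, so the container signature presumably falls back to the build's default certificate. If that is intended, a short comment should say so; otherwise `certificate` should be set to the module-specific certificate in this change. The `required` list also deserves a comment explaining why it is there, e.g. `// Also install the current policy zip and its signatures on /system.`. The apex module starts above this hunk, so its remaining properties are not visible here.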
@@ -48,60 +52,8 @@
     srcs: ["com.android.sepolicy.cert.pem"],
 }
 
-// openssl dgst -sign com.android.sepolicy.pem -keyform PEM -sha256 -out foo.sign
-// -binary $OUT/apex/com.android.sepolicy/app/SEPolicy-33/SEPolicy-33.apk
-genrule_defaults {
-    name: "sepolicy_sig_gen_default",
-    //tools: ["openssl"],
-    tool_files: [":SEPolicyKeyPem", ":SEPolicyCertPem"],
-    cmd: "openssl dgst -sign $(location :SEPolicyKeyPem) -keyform PEM -sha256 " +
-        "-out $(out) -binary $(in)"
-}
-
-genrule {
-    name: "SEPolicy-33.apk.sig.gen",
-    defaults: ["sepolicy_sig_gen_default"],
-    srcs: [":SEPolicy-33"],
-    out: ["SEPolicy-33.apk.sig.gen"],
-}
-
-prebuilt_etc {
-    name: "SEPolicy-33.apk.sig",
-    src: ":SEPolicy-33.apk.sig.gen",
-    installable: false,
-    filename: "SEPolicy-33.apk.sig",
-}
-
-genrule_defaults {
-    name: "sepolicy_verity_sig_gen_default",
-    tools: ["fsverity"],
-    tool_files: [":SEPolicyKeyPem", ":SEPolicyCertPem"],
-    // Use fsverity tool to generate the signature file which
-    // will be stored in the apex.
-    // https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/tree/README.md
-    cmd: "$(location fsverity) sign $(in) $(out) " +
-        "--key=$(location :SEPolicyKeyPem) " +
-        "--cert=$(location :SEPolicyCertPem) " +
-        "> /dev/null",
-}
-
-genrule {
-    name: "SEPolicy-33.apk.fsv_sig.gen",
-    defaults: ["sepolicy_verity_sig_gen_default"],
-    srcs: [":SEPolicy-33"],
-    out: ["SEPolicy-33.apk.fsv_sig.gen"],
-}
-
-prebuilt_etc {
-    name: "SEPolicy-33.apk.fsv_sig",
-    src: ":SEPolicy-33.apk.fsv_sig.gen",
-    installable: false,
-    filename: "SEPolicy-33.apk.fsv_sig",
-}
-
 prebuilt_etc {
     name: "com.android.sepolicy.cert-debug.der",
     src: "com.android.sepolicy.cert.der",
     sub_dir: "selinux",
 }
-