//
// Copyright (C) 2021 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package-wide default: modules in this file that declare no license of their
// own are covered by the "Android-Apache-2.0" license module.
package {
default_applicable_licenses: ["Android-Apache-2.0"],
}
// APEX module "com.android.sepolicy": packages the SEPolicy-33 app together
// with the SEPolicy-33.apk.sig prebuilt (the fs-verity signature file
// generated further down in this file).
apex {
name: "com.android.sepolicy",
// TODO(jeffv): make it updatable
updatable: false,
manifest: "manifest.json",
file_contexts: ":com.android.sepolicy-file_contexts",
// Payload signing key; refers to the apex_key module of the same name
// declared in this file.
key: "com.android.sepolicy.key",
// TODO(jeffv): Making this platform signed for now for prototyping convenience,
// but eventually it needs to be signed with the key below.
// NOTE(review): while this is "platform" the container certificate is the
// one shared by all platform-signed packages, so it does not identify this
// module on its own. Resolve this TODO before flipping `updatable` to true.
certificate: "platform",
apps: ["SEPolicy-33"],
prebuilts: ["SEPolicy-33.apk.sig"],
}
// Key pair referenced by the apex module's `key` property.
// NOTE(review): the private key is a file that sits next to this build file.
// Presumably it is a development/test key that release signing replaces;
// confirm that no production signing depends on this file.
apex_key {
name: "com.android.sepolicy.key",
public_key: "com.android.sepolicy.avbpubkey",
private_key: "com.android.sepolicy.pem",
}
// Exposes the private key file to other modules as ":SEPolicyKeyPem"; the
// fs-verity signing genrule defaults consume it as a tool file.
// NOTE(review): this is the same file the apex_key module uses as its
// private_key, so one key serves both APEX payload signing and fs-verity
// signing. Confirm the reuse is intended; separate keys would limit the
// impact of a single key being exposed.
filegroup {
name: "SEPolicyKeyPem",
srcs: ["com.android.sepolicy.pem"],
}
// Exposes the PEM certificate to other modules as ":SEPolicyCertPem"; the
// fs-verity signing genrule defaults pass it to the tool via --cert.
// NOTE(review): presumably this certificate matches the private key in
// SEPolicyKeyPem - verify, since nothing in this file checks that they pair up.
filegroup {
name: "SEPolicyCertPem",
srcs: ["com.android.sepolicy.cert.pem"],
}
// Shared defaults for genrules that produce an fs-verity signature file.
// A genrule using these defaults supplies `srcs` (the file to sign) and `out`
// (the signature file to write).
genrule_defaults {
name: "sepolicy_verity_sig_gen_default",
tools: ["fsverity"],
// Signing key and certificate, made available to the command below.
tool_files: [":SEPolicyKeyPem", ":SEPolicyCertPem"],
// Use fsverity tool to generate the signature file which
// will be stored in the apex.
// https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/tree/README.md
// No hash algorithm or block size is passed, so the tool's defaults apply.
// NOTE(review): these must match what the on-device verifier expects - confirm.
// Only stdout is redirected to /dev/null; stderr is left untouched.
cmd: "$(location fsverity) sign $(in) $(out) " +
"--key=$(location :SEPolicyKeyPem) " +
"--cert=$(location :SEPolicyCertPem) " +
"> /dev/null",
}
// Signs the output of the SEPolicy-33 module with the shared fs-verity
// signing defaults and writes the result to SEPolicy-33.apk.fsv_sig.
// NOTE(review): the signature covers the file exactly as this rule receives
// it. If the APK is modified or re-signed later in the build or release flow,
// the signature would presumably no longer match - confirm the ordering.
genrule {
name: "SEPolicy-33.apk.fsv_sig",
defaults: ["sepolicy_verity_sig_gen_default"],
srcs: [":SEPolicy-33"],
out: ["SEPolicy-33.apk.fsv_sig"],
}
// Wraps the generated signature file as a prebuilt so the apex module can list
// it under `prebuilts`. The module name ends in ".sig" while the packaged file
// keeps the ".fsv_sig" name.
prebuilt_etc {
name: "SEPolicy-33.apk.sig",
src: ":SEPolicy-33.apk.fsv_sig",
// Not installed on its own; in this file it is only pulled in through the
// apex module's prebuilts list.
installable: false,
filename: "SEPolicy-33.apk.fsv_sig",
}
// Installs the DER-encoded certificate under the "security/fsverity"
// subdirectory of etc, keeping the source file name.
// NOTE(review): presumably this is the DER form of the certificate used for
// signing (com.android.sepolicy.cert.pem) and the directory is where the
// platform picks up trusted fs-verity certificates - confirm both. This
// module is not in the apex's prebuilts list, so it is installed separately;
// the target partition is not specified in this file.
prebuilt_etc {
name: "com.android.sepolicy.cert.der",
src: "com.android.sepolicy.cert.der",
sub_dir: "security/fsverity",
filename_from_src: true,
}