Merge "Remove support for SEPolicy APEX" into main am: add2b24019
Original change: https://android-review.googlesource.com/c/platform/system/apex/+/2745113
Change-Id: I24cbff81bb2cc04bee3f7261e5c52b7c32be0e59
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/apexd/Android.bp b/apexd/Android.bp
index 3b6cea7..f8789f4 100644
--- a/apexd/Android.bp
+++ b/apexd/Android.bp
@@ -503,7 +503,6 @@
":com.android.apex.compressed.v1_original",
":com.android.apex.compressed.v2",
":com.android.apex.compressed.v2_original",
- ":com.android.sepolicy",
":gen_manifest_mismatch_compressed_apex_v2",
"apexd_testdata/com.android.apex.test_package.avbpubkey",
"apexd_testdata/com.android.apex.compressed.avbpubkey",
@@ -609,7 +608,6 @@
":com.android.apex.compressed.v1_original",
":com.android.apex.compressed.v2",
":com.android.apex.compressed.v2_original",
- ":com.android.sepolicy",
":gen_manifest_mismatch_compressed_apex_v2",
"apexd_testdata/com.android.apex.test_package.avbpubkey",
"apexd_testdata/com.android.apex.compressed.avbpubkey",
diff --git a/apexd/apexd.cpp b/apexd/apexd.cpp
index 8454d44..3fb244b 100644
--- a/apexd/apexd.cpp
+++ b/apexd/apexd.cpp
@@ -706,92 +706,6 @@
namespace {
-// TODO(b/218672709): get the ro.build.version.sdk version of the device.
-const auto kSepolicyLevel = std::to_string(__ANDROID_API_T__);
-const auto kVersionedSepolicyZip = "SEPolicy-" + kSepolicyLevel + ".zip";
-const auto kVersionedSepolicySig = "SEPolicy-" + kSepolicyLevel + ".zip.sig";
-const auto kVersionedSepolicyFsv =
- "SEPolicy-" + kSepolicyLevel + ".zip.fsv_sig";
-
-const auto kSepolicyZip = "SEPolicy.zip";
-const auto kSepolicySig = "SEPolicy.zip.sig";
-
-Result<void> CopySepolicyToMetadata(const std::string& mount_point) {
- LOG(DEBUG) << "Copying SEPolicy files to /metadata/sepolicy/staged.";
- const auto policy_dir = mount_point + "/etc";
-
- // Find SEPolicy zip and signature files.
- std::optional<std::string> sepolicy_zip;
- std::optional<std::string> sepolicy_sig;
- std::optional<std::string> sepolicy_fsv;
- auto status =
- WalkDir(policy_dir, [&sepolicy_zip, &sepolicy_sig, &sepolicy_fsv](
- const std::filesystem::directory_entry& entry) {
- if (!entry.is_regular_file()) {
- return;
- }
- const auto& path = entry.path().string();
- if (base::EndsWith(path, kVersionedSepolicyZip)) {
- sepolicy_zip = path;
- } else if (base::EndsWith(path, kVersionedSepolicySig)) {
- sepolicy_sig = path;
- } else if (base::EndsWith(path, kVersionedSepolicyFsv)) {
- sepolicy_fsv = path;
- }
- });
- if (!status.ok()) {
- return status.error();
- }
- if (sepolicy_zip->empty() || sepolicy_sig->empty() || sepolicy_fsv->empty()) {
- return Error() << "SEPolicy files not found.";
- }
- LOG(INFO) << "SEPolicy files found.";
-
- // Set up staging directory.
- std::error_code ec;
- const auto staged_dir =
- std::string(gConfig->metadata_sepolicy_staged_dir) + "/";
- status = CreateDirIfNeeded(staged_dir, 0755);
- if (!status.ok()) {
- return status.error();
- }
-
- // Clean up after myself.
- auto scope_guard = android::base::make_scope_guard([&staged_dir]() {
- std::error_code ec;
- std::filesystem::remove_all(staged_dir, ec);
- if (ec) {
- LOG(WARNING) << "Failed to clear " << staged_dir << ": " << ec.message();
- }
- });
-
- // Copy files to staged folder.
- const auto stagedSepolicyZip = staged_dir + kSepolicyZip;
- std::map<std::string, std::string> from_to = {
- {*sepolicy_zip, stagedSepolicyZip},
- {*sepolicy_sig, staged_dir + kSepolicySig}};
- for (const auto& [from, to] : from_to) {
- std::filesystem::copy_file(
- from, to, std::filesystem::copy_options::update_existing, ec);
- if (ec) {
- return Error() << "Failed to copy " << from << " to " << to << ": "
- << ec.message();
- }
- }
-
- status = enableFsVerity(stagedSepolicyZip);
- if (!status.ok()) {
- // TODO(b/218672709): once we have a release certificate available, return
- // an error and make the ApexdMountTest#CopySepolicyToMetadata test pass.
- LOG(ERROR) << status.error().message();
- } else {
- LOG(INFO) << "fs-verity enabled on " << stagedSepolicyZip;
- }
-
- scope_guard.Disable();
- return {};
-}
-
template <typename VerifyFn>
Result<void> RunVerifyFnInsideTempMount(const ApexFile& apex,
const VerifyFn& verify_fn,
@@ -929,8 +843,6 @@
return {};
}
-static constexpr auto kSepolicyApexName = "com.android.sepolicy.apex";
-
// A version of apex verification that happens on SubmitStagedSession.
// This function contains checks that might be expensive to perform, e.g. temp
// mounting a package and reading entire dm-verity device, and shouldn't be run
@@ -942,9 +854,6 @@
}
const auto validate_fn = [&apex_file](const std::string& mount_point) {
- if (apex_file.GetManifest().name() == kSepolicyApexName) {
- return CopySepolicyToMetadata(mount_point);
- }
if (IsVendorApex(apex_file)) {
return CheckVendorApexUpdate(apex_file, mount_point);
}
@@ -1689,20 +1598,6 @@
return ErrnoError() << "Cannot find matching package for: " << packageName;
}
-Result<void> DeleteStagedSepolicy() {
- const auto staged_dir =
- std::string(gConfig->metadata_sepolicy_staged_dir) + "/";
- LOG(DEBUG) << "Deleting " << staged_dir;
- std::error_code ec;
- auto removed = std::filesystem::remove_all(staged_dir, ec);
- if (removed == 0) {
- LOG(INFO) << staged_dir << " already deleted.";
- } else if (ec) {
- return Error() << "Failed to clear " << staged_dir << ": " << ec.message();
- }
- return {};
-}
-
/**
* Abort individual staged session.
*
@@ -1714,15 +1609,6 @@
return Error() << "No session found with id " << session_id;
}
- const auto& apex_names = session->GetApexNames();
- if (std::find(std::begin(apex_names), std::end(apex_names),
- kSepolicyApexName) != std::end(apex_names)) {
- const auto result = DeleteStagedSepolicy();
- if (!result.ok()) {
- return result.error();
- }
- }
-
switch (session->GetState()) {
case SessionState::VERIFIED:
[[clang::fallthrough]];
@@ -3064,7 +2950,6 @@
const auto& all_apex = instance.AllApexFilesByName();
// There can be multiple APEX packages with package name X. Determine which
// one to activate.
- // TODO(b/218672709): skip activation of sepolicy APEX during boot.
auto activation_list = SelectApexForActivation(all_apex, instance);
// Process compressed APEX, if any
diff --git a/apexd/apexd.h b/apexd/apexd.h
index e6b5ec0..8e9071b 100644
--- a/apexd/apexd.h
+++ b/apexd/apexd.h
@@ -48,7 +48,6 @@
const char* ota_reserved_dir;
const char* apex_hash_tree_dir;
const char* staged_session_dir;
- const char* metadata_sepolicy_staged_dir;
// Overrides the path to the "metadata" partition which is by default
// /dev/block/by-name/payload-metadata It should be a path pointing the first
// partition of the VM payload disk. So, realpath() of this path is checked if
@@ -66,7 +65,6 @@
kOtaReservedDir,
kApexHashTreeDir,
kStagedSessionsDir,
- kMetadataSepolicyStagedDir,
kVmPayloadMetadataPartitionProp,
"u:object_r:staging_data_file",
};
diff --git a/apexd/apexd_microdroid.cpp b/apexd/apexd_microdroid.cpp
index 267ec3f..d95b8ef 100644
--- a/apexd/apexd_microdroid.cpp
+++ b/apexd/apexd_microdroid.cpp
@@ -34,7 +34,6 @@
nullptr, /* ota_reserved_dir */
nullptr, /* apex_hashtree_dir */
nullptr, /* staged_session_dir */
- nullptr, /* metadata_sepolicy_staged_dir */
android::apex::kVmPayloadMetadataPartitionProp,
nullptr, /* active_apex_selinux_ctx */
};
diff --git a/apexd/apexd_test.cpp b/apexd/apexd_test.cpp
index c1241ae..3001d8a 100644
--- a/apexd/apexd_test.cpp
+++ b/apexd/apexd_test.cpp
@@ -143,8 +143,6 @@
ota_reserved_dir_ = StringPrintf("%s/ota-reserved", td_.path);
hash_tree_dir_ = StringPrintf("%s/apex-hash-tree", td_.path);
staged_session_dir_ = StringPrintf("%s/staged-session-dir", td_.path);
- metadata_sepolicy_staged_dir_ =
- StringPrintf("%s/metadata-sepolicy-staged-dir", td_.path);
sessions_metadata_dir_ =
StringPrintf("%s/metadata-staged-session-dir", td_.path);
@@ -157,7 +155,6 @@
ota_reserved_dir_.c_str(),
hash_tree_dir_.c_str(),
staged_session_dir_.c_str(),
- metadata_sepolicy_staged_dir_.c_str(),
kTestVmPayloadMetadataPartitionProp,
kTestActiveApexSelinuxCtx};
}
@@ -171,9 +168,6 @@
return StringPrintf("%s/session_%d", staged_session_dir_.c_str(),
session_id);
}
- const std::string& GetMetadataSepolicyStagedDir() {
- return metadata_sepolicy_staged_dir_;
- }
ApexSessionManager* GetSessionManager() { return session_manager_.get(); }
std::string GetRootDigest(const ApexFile& apex) {
@@ -252,7 +246,6 @@
ASSERT_EQ(mkdir(ota_reserved_dir_.c_str(), 0755), 0);
ASSERT_EQ(mkdir(hash_tree_dir_.c_str(), 0755), 0);
ASSERT_EQ(mkdir(staged_session_dir_.c_str(), 0755), 0);
- ASSERT_EQ(mkdir(metadata_sepolicy_staged_dir_.c_str(), 0755), 0);
ASSERT_EQ(mkdir(sessions_metadata_dir_.c_str(), 0755), 0);
// We don't really need for all the test cases, but until we refactor apexd
@@ -274,7 +267,6 @@
std::string hash_tree_dir_;
std::string staged_session_dir_;
- std::string metadata_sepolicy_staged_dir_;
std::string sessions_metadata_dir_;
std::unique_ptr<ApexSessionManager> session_manager_;
@@ -4370,42 +4362,6 @@
"duplicate of com.android.apex.compressed found"))));
}
-TEST_F(ApexdMountTest, CopySepolicyToMetadata) {
- std::string file_path = AddPreInstalledApex("com.android.sepolicy.apex");
- ASSERT_THAT(
- ApexFileRepository::GetInstance().AddPreInstalledApex({GetBuiltInDir()}),
- Ok());
- ASSERT_THAT(ActivatePackage(file_path), Ok());
- UnmountOnTearDown(file_path);
- ASSERT_THAT(CreateStagedSession("com.android.sepolicy.apex", 666), Ok());
-
- ASSERT_THAT(
- SubmitStagedSession(666, {}, /* has_rollback_enabled= */ false,
- /* is_rollback= */ false, /* rollback_id= */ -1),
- Ok());
-
- auto staged_dir = GetMetadataSepolicyStagedDir();
- ASSERT_THAT(PathExists(staged_dir + "/SEPolicy.zip"), HasValue(true));
- ASSERT_THAT(PathExists(staged_dir + "/SEPolicy.zip.sig"), HasValue(true));
-}
-
-TEST_F(ApexdMountTest, AbortSepolicyApexInstall) {
- std::string file_path = AddPreInstalledApex("com.android.sepolicy.apex");
- ApexFileRepository::GetInstance().AddPreInstalledApex({GetBuiltInDir()});
- ASSERT_THAT(CreateStagedSession("com.android.sepolicy.apex", 666), Ok());
- ASSERT_THAT(
- SubmitStagedSession(666, {}, /* has_rollback_enabled= */ false,
- /* is_rollback= */ false, /* rollback_id= */ -1),
- Ok());
-
- auto staged_dir = GetMetadataSepolicyStagedDir();
- ASSERT_THAT(PathExists(staged_dir), HasValue(true));
- ASSERT_FALSE(IsEmptyDirectory(staged_dir));
-
- ASSERT_THAT(AbortStagedSession(666), Ok());
- ASSERT_THAT(PathExists(staged_dir), HasValue(false));
-}
-
class ApexActivationFailureTests : public ApexdMountTest {};
TEST_F(ApexActivationFailureTests, BuildFingerprintDifferent) {
