From 702b8fdfe00cfd34b6effe76fc71eeaef2cf4dd4 Mon Sep 17 00:00:00 2001 From: Bowgo Tsai Date: Wed, 13 Oct 2021 17:39:33 +0800 Subject: [PATCH] sign_target_files_apks: adding --allow_gsi_debug_sepolicy https://android-review.googlesource.com/q/topic:gsi_debug_policy adds userdebug_plat_sepolicy.cil into the GSI system.img to reduce the steps of repacking a debug ramdisk. This CL checks that the file userdebug_plat_sepolicy.cil shouldn't exist before signing, unless the caller explicitly specifies --allow_gsi_debug_sepolicy to allow it. Note: also fixes the indentation around the block. Bug: 188067818 Bug: 201482141 Test: sign_target_files_apks *-target_files-*.zip signed.zip Change-Id: I56ed328a9ae70cf49dbd3c6efb5a4a8c54e1b7a7 Merged-In: I56ed328a9ae70cf49dbd3c6efb5a4a8c54e1b7a7 (cherry picked from commit 5a73b0ee976dc61fe6fa12e48f15d5ec53f90878) --- tools/releasetools/sign_target_files_apks.py | 23 ++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index 0842af9018..936ef888dc 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py @@ -136,6 +136,11 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files --android_jar_path Path to the android.jar to repack the apex file. + + --allow_gsi_debug_sepolicy + Allow the existence of the file 'userdebug_plat_sepolicy.cil' under + (/system/system_ext|/system_ext)/etc/selinux. + If not set, error out when the file exists. """ from __future__ import print_function @@ -189,6 +194,7 @@ OPTIONS.gki_signing_key = None OPTIONS.gki_signing_algorithm = None OPTIONS.gki_signing_extra_args = None OPTIONS.android_jar_path = None +OPTIONS.allow_gsi_debug_sepolicy = False AVB_FOOTER_ARGS_BY_PARTITION = { @@ -658,7 +664,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, # Updates system_other.avbpubkey in /product/etc/. elif filename in ( "PRODUCT/etc/security/avb/system_other.avbpubkey", - "SYSTEM/product/etc/security/avb/system_other.avbpubkey"): + "SYSTEM/product/etc/security/avb/system_other.avbpubkey"): # Only update system_other's public key, if the corresponding signing # key is specified via --avb_system_other_key. signing_key = OPTIONS.avb_keys.get("system_other") @@ -671,9 +677,19 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, # Should NOT sign boot-debug.img. elif filename in ( "BOOT/RAMDISK/force_debuggable", - "BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"): + "BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"): raise common.ExternalError("debuggable boot.img cannot be signed") + # Should NOT sign userdebug sepolicy file. + elif filename in ( + "SYSTEM_EXT/etc/selinux/userdebug_plat_sepolicy.cil", + "SYSTEM/system_ext/etc/selinux/userdebug_plat_sepolicy.cil"): + if not OPTIONS.allow_gsi_debug_sepolicy: + raise common.ExternalError("debug sepolicy shouldn't be included") + else: + # Copy it verbatim if we allow the file to exist. + common.ZipWriteStr(output_tf_zip, out_info, data) + # A non-APK file; copy it verbatim. else: common.ZipWriteStr(output_tf_zip, out_info, data) @@ -1289,6 +1305,8 @@ def main(argv): OPTIONS.gki_signing_algorithm = a elif o == "--gki_signing_extra_args": OPTIONS.gki_signing_extra_args = a + elif o == "--allow_gsi_debug_sepolicy": + OPTIONS.allow_gsi_debug_sepolicy = True else: return False return True @@ -1339,6 +1357,7 @@ def main(argv): "gki_signing_key=", "gki_signing_algorithm=", "gki_signing_extra_args=", + "allow_gsi_debug_sepolicy", ], extra_option_handler=option_handler)