platform_system_sepolicy/vendor/mac_permissions.xml

<?xml version="1.0" encoding="utf-8"?>
<policy>

<!--

    * A signature is a hex encoded X.509 certificate or a tag defined in
      keys.conf and is required for each signer tag. The signature can
      either appear as a set of attached cert child tags or as an attribute.
    * A signer tag must contain a seinfo tag XOR multiple package stanzas.
    * Each signer/package tag is allowed to contain one seinfo tag. This tag
      represents additional info that each app can use in setting a SELinux security
      context on the eventual process as well as the apps data directory.
    * seinfo assignments are made according to the following rules:
      - Stanzas with package name refinements will be checked first.
      - Stanzas w/o package name refinements will be checked second.
      - The "default" seinfo label is automatically applied.

    * valid stanzas can take one of the following forms:

     // single cert protecting seinfo
     <signer signature="@PLATFORM" >
       <seinfo value="platform" />
     </signer>

     // multiple certs protecting seinfo (all contained certs must match)
     <signer>
       <cert signature="@PLATFORM1"/>
       <cert signature="@PLATFORM2"/>
       <seinfo value="platform" />
     </signer>

     // single cert protecting explicitly named app
     <signer signature="@PLATFORM" >
       <package name="com.android.foo">
         <seinfo value="bar" />
       </package>
     </signer>

     // multiple certs protecting explicitly named app (all certs must match)
     <signer>
       <cert signature="@PLATFORM1"/>
       <cert signature="@PLATFORM2"/>
       <package name="com.android.foo">
         <seinfo value="bar" />
       </package>
     </signer>
-->

    <!-- Vendor dev key in AOSP -->
    <signer signature="@PLATFORM" >
      <seinfo value="platform" />
    </signer>
</policy>
Copying platform seinfo into vendor partition Some vendor apps are using platform key for signing. This moves them to untrusted_app domain when the system partition is switched to a Generic System Image (GSI), because the value of platform's seinfo in /system/etc/selinux/plat_mac_permissions.xml has been changed. Duplicating the device-specific platform seinfo into /vendor/etc/selinux/vendor_mac_permissions.xml to make it self-contained within the vendor partition. Bug: 157141777 Test: boot the device with a GSI, then `adb shell ps -eZ \| grep qtidata` Test: ./build/make/tools/releasetools/sign_target_files_apks \ --default_key_mappings path/to/keydir \ -o out/dist/<lunch>-target_files-*.zip \ signed-tardis-target_files.zip and checks the platform seinfo in /vendor/etc/selinux/vendor_mac_permissions.xml is replaced. Change-Id: Ic9a79780e30f456138e4de67210cc60ac2e490d6 Merged-In: Ic9a79780e30f456138e4de67210cc60ac2e490d6 (cherry picked from commit 8a86424e3404cef78810c40f88fd7683a9182952) 2020-06-02 16:16:12 +02:00			`<?xml version="1.0" encoding="utf-8"?>`
			`<policy>`

			`<!--`

			`* A signature is a hex encoded X.509 certificate or a tag defined in`
			`keys.conf and is required for each signer tag. The signature can`
			`either appear as a set of attached cert child tags or as an attribute.`
			`* A signer tag must contain a seinfo tag XOR multiple package stanzas.`
			`* Each signer/package tag is allowed to contain one seinfo tag. This tag`
			`represents additional info that each app can use in setting a SELinux security`
			`context on the eventual process as well as the apps data directory.`
			`* seinfo assignments are made according to the following rules:`
			`- Stanzas with package name refinements will be checked first.`
			`- Stanzas w/o package name refinements will be checked second.`
			`- The "default" seinfo label is automatically applied.`

			`* valid stanzas can take one of the following forms:`

			`// single cert protecting seinfo`
			`<signer signature="@PLATFORM" >`
			`<seinfo value="platform" />`
			`</signer>`

			`// multiple certs protecting seinfo (all contained certs must match)`
			`<signer>`
			`<cert signature="@PLATFORM1"/>`
			`<cert signature="@PLATFORM2"/>`
			`<seinfo value="platform" />`
			`</signer>`

			`// single cert protecting explicitly named app`
			`<signer signature="@PLATFORM" >`
			`<package name="com.android.foo">`
			`<seinfo value="bar" />`
			`</package>`
			`</signer>`

			`// multiple certs protecting explicitly named app (all certs must match)`
			`<signer>`
			`<cert signature="@PLATFORM1"/>`
			`<cert signature="@PLATFORM2"/>`
			`<package name="com.android.foo">`
			`<seinfo value="bar" />`
			`</package>`
			`</signer>`
			`-->`

			`<!-- Vendor dev key in AOSP -->`
			`<signer signature="@PLATFORM" >`
			`<seinfo value="platform" />`
			`</signer>`
			`</policy>`