This directory contains the core Android SELinux policy configuration.
It defines the domains and types for the AOSP services and apps common to
all devices. Device-specific policy should be placed under a
separate device/<vendor>/<board>/sepolicy subdirectory and linked
into the policy build as described below.

Policy Generation:

Additional, per device, policy files can be added into the
policy build.
They can be configured through the use of four variables:
1. BOARD_SEPOLICY_REPLACE
2. BOARD_SEPOLICY_UNION
3. BOARD_SEPOLICY_DIRS
4. BOARD_SEPOLICY_IGNORE

The variables should be set in the BoardConfig.mk file in
the device or vendor directories.

BOARD_SEPOLICY_UNION is a list of files that will be
"unioned", i.e. concatenated, at the END of their respective
file in external/sepolicy. Note: to add a unique file, you
would use this variable.

BOARD_SEPOLICY_REPLACE is a list of files that will be
used instead of the corresponding file in external/sepolicy.

BOARD_SEPOLICY_DIRS contains a list of directories to search
for BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files. Order
matters in this list.
e.g. if you have BOARD_SEPOLICY_UNION += widget.te and there are 2
instances of widget.te on the BOARD_SEPOLICY_DIRS search path,
the first one found (at the first search dir containing the file)
gets processed first.
Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
will help sort out ordering issues.

It is an error to specify a BOARD_SEPOLICY_REPLACE file that does
not exist in external/sepolicy.

It is an error to specify a BOARD_SEPOLICY_REPLACE file that appears
multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS.
e.g. if you specify shell.te in BOARD_SEPOLICY_REPLACE and
BOARD_SEPOLICY_DIRS is set to
"vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
appears in both locations, it is an error, unless it is in
BOARD_SEPOLICY_IGNORE to be filtered out. See BOARD_SEPOLICY_IGNORE
for more details.

It is an error to specify the same file name in both
BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION.

It is an error to specify a BOARD_SEPOLICY_DIRS that has no entries when
specifying BOARD_SEPOLICY_REPLACE.

It is an error to specify a BOARD_SEPOLICY_UNION file that
doesn't appear in any of the BOARD_SEPOLICY_DIRS locations.

BOARD_SEPOLICY_IGNORE is a list of paths (directory + filename) of
files that are not to be included in the resulting policy. This list
is passed to filter-out to remove any paths you may want to ignore. This
is useful if you have numerous config directories that contain a file
and you want to NOT include a particular file in your resulting
policy file, either by UNION or REPLACE.
e.g. suppose the following:
    BOARD_SEPOLICY_DIRS += X Y
    BOARD_SEPOLICY_REPLACE += A
    BOARD_SEPOLICY_IGNORE += X/A

Directories X and Y contain A.

The resulting policy is created by using Y/A only, thus X/A was
ignored.
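
The selection rules above, modelled as an added example (not the AOSP build code): `resolve` returns the ordered source paths that UNION, REPLACE, DIRS and IGNORE produce for each policy file, and raises on the configurations this README calls errors. The `tree` dictionary stands in for the file system, and treating a REPLACE file with no remaining candidate as an error is an assumption of the model.

```python
# Added model of the selection rules in this README; not the AOSP build code.
CORE = "external/sepolicy"


class PolicyConfigError(Exception):
    """A configuration the README calls an error."""


def resolve(core_files, tree, dirs, union=(), replace=(), ignore=()):
    """Return {file name: ordered source paths} for the policy build.

    tree is {directory: set of file names}, a stand-in for the file system.
    """
    both = sorted(set(union) & set(replace))
    if both:
        raise PolicyConfigError(f"in both UNION and REPLACE: {both}")
    if replace and not dirs:
        raise PolicyConfigError("REPLACE used with empty BOARD_SEPOLICY_DIRS")
    ignored = set(ignore)

    def candidates(name):
        # Walk BOARD_SEPOLICY_DIRS in order, then filter out ignored paths.
        found = [f"{d}/{name}" for d in dirs if name in tree.get(d, ())]
        return [p for p in found if p not in ignored]

    sources = {name: [f"{CORE}/{name}"] for name in core_files}
    for name in replace:
        if name not in core_files:
            raise PolicyConfigError(f"REPLACE {name}: no such file in {CORE}")
        hits = candidates(name)
        if len(hits) > 1:
            raise PolicyConfigError(f"REPLACE {name}: multiple copies {hits}")
        if not hits:  # assumption: the README does not spell this case out
            raise PolicyConfigError(f"REPLACE {name}: not found in {dirs}")
        sources[name] = hits  # used instead of the core file
    for name in union:
        hits = candidates(name)
        if not hits:
            raise PolicyConfigError(f"UNION {name}: not in any search dir")
        # Appended after the core file; a unique file starts a new entry.
        sources.setdefault(name, []).extend(hits)
    return sources


# Constructed tree matching the README's X/Y example.
TREE = {"X": {"A", "widget.te"}, "Y": {"A", "widget.te"}}
```

With `dirs=["X", "Y"]`, `replace=["A"]` and `ignore=["X/A"]` the model selects only `Y/A`; dropping the ignore entry raises, because `A` is then found twice on the search path.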

Example BoardConfig.mk Usage:
From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk

BOARD_SEPOLICY_DIRS += \
        device/samsung/tuna/sepolicy

BOARD_SEPOLICY_UNION += \
        genfs_contexts \
        file_contexts \
        sepolicy.te

SPECIFIC POLICY FILE INFORMATION

mac_permissions.xml:
  ABOUT:
    The mac_permissions.xml file is used for controlling the mmac solutions
    as well as mapping a public base16 signing key with an arbitrary seinfo
    string. Details of the file's contents can be found in a comment at the
    top of that file. The seinfo string, previously mentioned, is the same string
    that is referenced in seapp_contexts.

    This file can be replaced through BOARD_SEPOLICY_REPLACE containing the
    value "mac_permissions.xml", or appended to by using the BOARD_SEPOLICY_UNION
    variable. It is important to note the final processed version of this file
    is stripped of comments and whitespace. This is to preserve space on the
    system.img. If one wishes to view it in a more human friendly format,
    the "tidy" or "xmllint" command will assist you.

  TOOLING:
    insertkeys.py
      Is a helper script for mapping arbitrary tags in the signature stanzas of
      mac_permissions.xml to public keys found in pem files. This script takes
      one or more mac_permissions.xml files and a configuration file in order to
      operate. Details of the configuration file (keys.conf) can be found in the
      subsection keys.conf. This tool is also responsible for stripping the
      comments and whitespace during processing.

    keys.conf
      The keys.conf file is used for controlling the mapping of "tags" found in
      the mac_permissions.xml signature stanzas with actual public keys found in
      pem files. The configuration file can be used in BOARD_SEPOLICY_UNION and
      BOARD_SEPOLICY_REPLACE variables and is processed via m4.

      The script allows for mapping any string contained in TARGET_BUILD_VARIANT
      to a specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
      user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
      any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
      and all options are matched lowercase. The options are "tolowered"
      automatically for the user. It is convention to specify tags and options in
      all uppercase, and tags start with @. The option arguments can also use
      environment variables via the familiar $VARIABLE syntax. This is often useful
      for setting a location to one's release keys.

      Often, one will need to integrate an application that was signed by a
      separate organization and may need to extract the pem file for the
      insertkeys/keys.conf tools. Extraction of the public key in the pem format
      is possible via openssl. First you need to unzip the apk. Once it is
      unzipped, cd into the META-INF directory and then execute

        openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs

      On some occasions CERT.RSA has a different name, and you will need to adjust
      for that. After extracting the pem, you can rename it, and configure
      keys.conf and mac_permissions.xml to pick up the change. You MUST open the
      generated pem file in a text editor and strip out anything outside the
      opening and closing scissor lines. Failure to do so WILL cause a compile
      time issue thrown by insertkeys.py.

      NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
      and setool all use base16 encodings.
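
An added example, not part of insertkeys.py: it performs the scissor-line stripping described above on the text that `openssl pkcs7 -print_certs` writes, and shows the base64 to base16 relationship from the NOTE. The function names are hypothetical, and refusing input that holds more than one certificate is this example's own choice.

```python
import base64
import re

# Added example; the checks here are this sketch's own, not insertkeys.py's.
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_CERT = re.compile(
    r"^" + BEGIN + r"[ \t\r]*$(.*?)^" + END + r"[ \t\r]*$",
    re.S | re.M,
)


def _der(text):
    """Decode the single certificate found between the scissor lines."""
    blocks = _CERT.findall(text)
    if len(blocks) != 1:  # a chain needs a human to pick the signer
        raise ValueError(f"expected 1 certificate, found {len(blocks)}")
    # validate=True rejects anything that is not base64 alphabet.
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def clean_pem(text):
    """Drop everything outside the scissor lines (subject=, issuer=, ...)."""
    body = base64.b64encode(_der(text)).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END, ""])


def pem_to_base16(text):
    """Base16 (hex) of the same bytes, the encoding mac_permissions.xml uses."""
    return _der(text).hex()


# Constructed input shaped like `openssl pkcs7 -print_certs` output; the
# payload is filler bytes, not a real certificate.
FAKE_DER = bytes(range(60))
SAMPLE = ("subject=/CN=constructed\nissuer=/CN=constructed\n"
          + BEGIN + "\n"
          + base64.b64encode(FAKE_DER).decode()
          + "\n" + END + "\n\n")

if __name__ == "__main__":
    print(clean_pem(SAMPLE), end="")
    print(pem_to_base16(SAMPLE))
```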