Copying platform seinfo into vendor partition
Some vendor apps are using platform key for signing.
This moves them to untrusted_app domain when the system partition is
switched to a Generic System Image (GSI), because the value of
platform's seinfo in /system/etc/selinux/plat_mac_permissions.xml
has been changed.
Duplicating the device-specific platform seinfo into
/vendor/etc/selinux/vendor_mac_permissions.xml to make it
self-contained within the vendor partition.
Bug: 157141777
Test: boot the device with a GSI, then `adb shell ps -eZ | grep qtidata`
Test: ./build/make/tools/releasetools/sign_target_files_apks \
--default_key_mappings path/to/keydir \
-o out/dist/<lunch>-target_files-*.zip \
signed-tardis-target_files.zip and checks the platform seinfo in
/vendor/etc/selinux/vendor_mac_permissions.xml is replaced.
Change-Id: Ic9a79780e30f456138e4de67210cc60ac2e490d6
Merged-In: Ic9a79780e30f456138e4de67210cc60ac2e490d6
(cherry picked from commit 8a86424e34
)
This commit is contained in:
parent
19b3a4408d
commit
3ffd6b3f01
3 changed files with 74 additions and 1 deletions
@ -122,7 +122,8 @@ $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
$(all_vendor_mac_perms_files)
$(all_vendor_mac_perms_files)
@mkdir -p $(dir $@)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
vendor_mac_perms_keys.tmp :=
vendor_mac_perms_keys.tmp :=
all_vendor_mac_perms_files :=
all_vendor_mac_perms_files :=
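--- a/vendor/keys.conf
+++ b/vendor/keys.conf
@@ -0,0 +1,19 @@
+#
+# Maps an arbitrary tag [TAGNAME] with the string contents found in
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
+# name it after the base file name of the pem file.
+#
+# Each tag (section) then allows one to specify any string found in
+# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
+#
+
+# Some vendor apps are using platform key for signing.
+# This moves them to untrusted_app domain when the system partition is
+# switched to a Generic System Image (GSI), because the value of platform's
+# seinfo in /system/etc/selinux/plat_mac_permissions.xml has been changed.
+# Duplicating the device-specific platform seinfo into
+# /vendor/etc/selinux/vendor_mac_permissions.xml to make it self-contained
+# within the vendor partition.
+[@PLATFORM]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem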
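--- a/vendor/mac_permissions.xml
+++ b/vendor/mac_permissions.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+* A signature is a hex encoded X.509 certificate or a tag defined in
+keys.conf and is required for each signer tag. The signature can
+either appear as a set of attached cert child tags or as an attribute.
+* A signer tag must contain a seinfo tag XOR multiple package stanzas.
+* Each signer/package tag is allowed to contain one seinfo tag. This tag
+represents additional info that each app can use in setting a SELinux security
+context on the eventual process as well as the apps data directory.
+* seinfo assignments are made according to the following rules:
+- Stanzas with package name refinements will be checked first.
+- Stanzas w/o package name refinements will be checked second.
+- The "default" seinfo label is automatically applied.
+
+* valid stanzas can take one of the following forms:
+
+// single cert protecting seinfo
+<signer signature="@PLATFORM" >
+<seinfo value="platform" />
+</signer>
+
+// multiple certs protecting seinfo (all contained certs must match)
+<signer>
+<cert signature="@PLATFORM1"/>
+<cert signature="@PLATFORM2"/>
+<seinfo value="platform" />
+</signer>
+
+// single cert protecting explicitly named app
+<signer signature="@PLATFORM" >
+<package name="com.android.foo">
+<seinfo value="bar" />
+</package>
+</signer>
+
+// multiple certs protecting explicitly named app (all certs must match)
+<signer>
+<cert signature="@PLATFORM1"/>
+<cert signature="@PLATFORM2"/>
+<package name="com.android.foo">
+<seinfo value="bar" />
+</package>
+</signer>
+-->
+
+<!-- Vendor dev key in AOSP -->
+<signer signature="@PLATFORM" >
+<seinfo value="platform" />
+</signer>
+</policy>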
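Review bot: The comment `<!-- Vendor dev key in AOSP -->` above the one active stanza is misleading: per the new keys.conf, `@PLATFORM` resolves to the system platform certificate, not a vendor key, and it was placed here precisely so that platform-signed vendor apps keep the `platform` seinfo when /system is a GSI. Suggest `<!-- Device platform key, duplicated from plat_mac_permissions.xml so platform-signed vendor apps keep the "platform" seinfo under a GSI; must be re-signed with the release key together with the system copy -->`. That comment should also make explicit what the commit message only implies: under a GSI two certificates (the GSI's own platform key via plat_mac_permissions.xml and the device key via this file) now both map to `platform` seinfo, so whoever rotates either key needs to know this file exists. The long explanatory block is a verbatim copy of the system file's header; that is acceptable, but trimming it to a pointer at plat_mac_permissions.xml would keep the two from drifting.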