Copying platform seinfo into vendor partition

Some vendor apps are using platform key for signing. This moves them to untrusted_app domain when the system partition is switched to a Generic System Image (GSI), because the value of platform's seinfo in /system/etc/selinux/plat_mac_permissions.xml has been changed. Duplicating the device-specific platform seinfo into /vendor/etc/selinux/vendor_mac_permissions.xml to make it self-contained within the vendor partition. Bug: 157141777 Test: boot the device with a GSI, then `adb shell ps -eZ | grep qtidata` Test: ./build/make/tools/releasetools/sign_target_files_apks \ --default_key_mappings path/to/keydir \ -o out/dist/<lunch>-target_files-*.zip \ signed-tardis-target_files.zip and checks the platform seinfo in /vendor/etc/selinux/vendor_mac_permissions.xml is replaced. Change-Id: Ic9a79780e30f456138e4de67210cc60ac2e490d6
2020-06-02 22:16:12 +08:00 · 2020-06-02 22:16:12 +08:00 · 8a86424e34
commit 8a86424e34
parent 13cc42dbda
3 changed files with 74 additions and 1 deletions
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@ -122,7 +122,8 @@ $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
 $(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
 $(all_vendor_mac_perms_files)
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
+		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)

 vendor_mac_perms_keys.tmp :=
 all_vendor_mac_perms_files :=
--- a/vendor/keys.conf
+++ b/vendor/keys.conf
@ -0,0 +1,19 @@
+#
+# Maps an arbitrary tag [TAGNAME] with the string contents found in
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
+# name it after the base file name of the pem file.
+#
+# Each tag (section) then allows one to specify any string found in
+# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
+#
+
+# Some vendor apps are using platform key for signing.
+# This moves them to untrusted_app domain when the system partition is
+# switched to a Generic System Image (GSI), because the value of platform's
+# seinfo in /system/etc/selinux/plat_mac_permissions.xml has been changed.
+# Duplicating the device-specific platform seinfo into
+# /vendor/etc/selinux/vendor_mac_permissions.xml to make it self-contained
+# within the vendor partition.
+[@PLATFORM]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
--- a/vendor/mac_permissions.xml
+++ b/vendor/mac_permissions.xml
@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag. The signature can
+      either appear as a set of attached cert child tags or as an attribute.
+    * A signer tag must contain a seinfo tag XOR multiple package stanzas.
+    * Each signer/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process as well as the apps data directory.
+    * seinfo assignments are made according to the following rules:
+      - Stanzas with package name refinements will be checked first.
+      - Stanzas w/o package name refinements will be checked second.
+      - The "default" seinfo label is automatically applied.
+
+    * valid stanzas can take one of the following forms:
+
+     // single cert protecting seinfo
+     <signer signature="@PLATFORM" >
+       <seinfo value="platform" />
+     </signer>
+
+     // multiple certs protecting seinfo (all contained certs must match)
+     <signer>
+       <cert signature="@PLATFORM1"/>
+       <cert signature="@PLATFORM2"/>
+       <seinfo value="platform" />
+     </signer>
+
+     // single cert protecting explicitly named app
+     <signer signature="@PLATFORM" >
+       <package name="com.android.foo">
+         <seinfo value="bar" />
+       </package>
+     </signer>
+
+     // multiple certs protecting explicitly named app (all certs must match)
+     <signer>
+       <cert signature="@PLATFORM1"/>
+       <cert signature="@PLATFORM2"/>
+       <package name="com.android.foo">
+         <seinfo value="bar" />
+       </package>
+     </signer>
+-->
+
+    <!-- Vendor dev key in AOSP -->
+    <signer signature="@PLATFORM" >
+      <seinfo value="platform" />
+    </signer>
+</policy>