23a929df62
NFC stack is becoming an unbundled apex which embeds the existing NFC APK. Unbundling requires the apex & apk to be signed by non-platform certificates, hence adding new seapp_contexts rule for the NFC stack. The old rule is also left behing to support `-next` config builds where we are still using the platform signed NFC APK. Ignore-AOSP-First: All of the NFC mainline work is only present in internal master. Will cherry-pick this CL once we cherry-pick all its dependencies. Bug: 320583956 Test: Bootup test with signed NFC APK (within NFC apex) Merged-In: I1d4d6370cce558c8dcc0ec73a7ce47c2b5495a33 Change-Id: I1d4d6370cce558c8dcc0ec73a7ce47c2b5495a33
77 lines
2.4 KiB
XML
77 lines
2.4 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<policy>
|
|
|
|
<!--
|
|
|
|
* A signature is a hex encoded X.509 certificate or a tag defined in
|
|
keys.conf and is required for each signer tag. The signature can
|
|
either appear as a set of attached cert child tags or as an attribute.
|
|
* A signer tag must contain a seinfo tag XOR multiple package stanzas.
|
|
* Each signer/package tag is allowed to contain one seinfo tag. This tag
|
|
represents additional info that each app can use in setting a SELinux security
|
|
context on the eventual process as well as the apps data directory.
|
|
* seinfo assignments are made according to the following rules:
|
|
- Stanzas with package name refinements will be checked first.
|
|
- Stanzas w/o package name refinements will be checked second.
|
|
- The "default" seinfo label is automatically applied.
|
|
|
|
* valid stanzas can take one of the following forms:
|
|
|
|
// single cert protecting seinfo
|
|
<signer signature="@PLATFORM" >
|
|
<seinfo value="platform" />
|
|
</signer>
|
|
|
|
// multiple certs protecting seinfo (all contained certs must match)
|
|
<signer>
|
|
<cert signature="@PLATFORM1"/>
|
|
<cert signature="@PLATFORM2"/>
|
|
<seinfo value="platform" />
|
|
</signer>
|
|
|
|
// single cert protecting explicitly named app
|
|
<signer signature="@PLATFORM" >
|
|
<package name="com.android.foo">
|
|
<seinfo value="bar" />
|
|
</package>
|
|
</signer>
|
|
|
|
// multiple certs protecting explicitly named app (all certs must match)
|
|
<signer>
|
|
<cert signature="@PLATFORM1"/>
|
|
<cert signature="@PLATFORM2"/>
|
|
<package name="com.android.foo">
|
|
<seinfo value="bar" />
|
|
</package>
|
|
</signer>
|
|
-->
|
|
|
|
<!-- Platform dev key in AOSP -->
|
|
<signer signature="@PLATFORM" >
|
|
<seinfo value="platform" />
|
|
</signer>
|
|
|
|
<!-- Sdk Sandbox key -->
|
|
<signer signature="@SDK_SANDBOX" >
|
|
<seinfo value="sdk_sandbox" />
|
|
</signer>
|
|
|
|
<!-- Bluetooth key in AOSP -->
|
|
<signer signature="@BLUETOOTH" >
|
|
<seinfo value="bluetooth" />
|
|
</signer>
|
|
|
|
<!-- Media key in AOSP -->
|
|
<signer signature="@MEDIA" >
|
|
<seinfo value="media" />
|
|
</signer>
|
|
|
|
<signer signature="@NETWORK_STACK" >
|
|
<seinfo value="network_stack" />
|
|
</signer>
|
|
|
|
<!-- NFC key in AOSP -->
|
|
<signer signature="@NFC" >
|
|
<seinfo value="nfc" />
|
|
</signer>
|
|
</policy>
|