Merge changes from topic "no-more-boot-debug-gki-sc-v2-dev" into sc-v2-dev
* changes:
Stop building boot-(debug|with-debug-ramdisk)-*.img for GSI/GKI
Refactor build logic of boot-debug & vendor_boot-debug
Skip building boot-(test-harness|debug).img if not needed
diff --git a/core/android_soong_config_vars.mk b/core/android_soong_config_vars.mk
index 5e63a25..1b4aeb5 100644
--- a/core/android_soong_config_vars.mk
+++ b/core/android_soong_config_vars.mk
@@ -28,6 +28,7 @@
$(call add_soong_config_var,ANDROID,TARGET_ENABLE_MEDIADRM_64)
$(call add_soong_config_var,ANDROID,BOARD_USES_ODMIMAGE)
+$(call add_soong_config_var,ANDROID,PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT)
ifeq (,$(findstring com.google.android.conscrypt,$(PRODUCT_PACKAGES)))
# Prebuilt module SDKs require prebuilt modules to work, and currently
diff --git a/core/product.mk b/core/product.mk
index db6c577..8b45092 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -429,6 +429,11 @@
_product_single_value_vars += PRODUCT_INSTALL_EXTRA_FLATTENED_APEXES
+# Install a copy of the debug policy to the system_ext partition, and allow
+# init-second-stage to load debug policy from system_ext.
+# This option is only meant to be set by GSI products.
+_product_single_value_vars += PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
+
.KATI_READONLY := _product_single_value_vars _product_list_vars
_product_var_list :=$= $(_product_single_value_vars) $(_product_list_vars)
diff --git a/core/product_config.mk b/core/product_config.mk
index 5c85fb8..679453e 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -350,6 +350,12 @@
$(error Only one file may be in PRODUCT_ADB_KEYS: $(PRODUCT_ADB_KEYS))
endif
+ifdef PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
+ ifeq (,$(filter gsi_arm gsi_arm64 gsi_x86 gsi_x86_64,$(PRODUCT_NAME)))
+ $(error Only GSI products are allowed to set PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT)
+ endif
+endif
+
ifndef PRODUCT_USE_DYNAMIC_PARTITIONS
PRODUCT_USE_DYNAMIC_PARTITIONS := $(PRODUCT_RETROFIT_DYNAMIC_PARTITIONS)
endif
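Review bot: The `ifdef PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT` guard treats any non-empty value as set, so `PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT := false` passes on a GSI product and is exported unchanged through `add_soong_config_var`. How consumers interpret a value other than `true` is not visible in this diff. Restricting the accepted values up front would remove the ambiguity, for example `ifneq (,$(filter-out true,$(PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT)))` followed by an `$(error ...)`. The allowlist is four literal product names with no explanation, so a comment such as `# Debug policy on system_ext is restricted to GSI products; keep in sync with --allow_gsi_debug_sepolicy in sign_target_files_apks.py.` would record the intent and the coupling to the signing tool.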
diff --git a/core/version_defaults.mk b/core/version_defaults.mk
index 1c193ee..40c506c 100644
--- a/core/version_defaults.mk
+++ b/core/version_defaults.mk
@@ -240,7 +240,7 @@
# It must be of the form "YYYY-MM-DD" on production devices.
# It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
# If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
- PLATFORM_SECURITY_PATCH := 2021-12-05
+ PLATFORM_SECURITY_PATCH := 2022-01-05
endif
.KATI_READONLY := PLATFORM_SECURITY_PATCH
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 0842af9..936ef88 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -136,6 +136,11 @@
--android_jar_path <path>
Path to the android.jar to repack the apex file.
+
+ --allow_gsi_debug_sepolicy
+ Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
+ (/system/system_ext|/system_ext)/etc/selinux.
+ If not set, error out when the file exists.
"""
from __future__ import print_function
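Review bot: The usage text for `--allow_gsi_debug_sepolicy` says what the flag permits but not when it is appropriate, although the `core/product.mk` comment in this change limits the feature to GSI products. A release engineer reading only the help output has nothing telling them the flag is a GSI-specific exception. I would add a sentence to the entry such as `Only intended for signing GSI target files; other release builds should not carry the userdebug policy.` The docstring begins outside the hunk.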
@@ -189,6 +194,7 @@
OPTIONS.gki_signing_algorithm = None
OPTIONS.gki_signing_extra_args = None
OPTIONS.android_jar_path = None
+OPTIONS.allow_gsi_debug_sepolicy = False
AVB_FOOTER_ARGS_BY_PARTITION = {
@@ -658,7 +664,7 @@
# Updates system_other.avbpubkey in /product/etc/.
elif filename in (
"PRODUCT/etc/security/avb/system_other.avbpubkey",
- "SYSTEM/product/etc/security/avb/system_other.avbpubkey"):
+ "SYSTEM/product/etc/security/avb/system_other.avbpubkey"):
# Only update system_other's public key, if the corresponding signing
# key is specified via --avb_system_other_key.
signing_key = OPTIONS.avb_keys.get("system_other")
@@ -671,9 +677,19 @@
# Should NOT sign boot-debug.img.
elif filename in (
"BOOT/RAMDISK/force_debuggable",
- "BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"):
+ "BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"):
raise common.ExternalError("debuggable boot.img cannot be signed")
+ # Should NOT sign userdebug sepolicy file.
+ elif filename in (
+ "SYSTEM_EXT/etc/selinux/userdebug_plat_sepolicy.cil",
+ "SYSTEM/system_ext/etc/selinux/userdebug_plat_sepolicy.cil"):
+ if not OPTIONS.allow_gsi_debug_sepolicy:
+ raise common.ExternalError("debug sepolicy shouldn't be included")
+ else:
+ # Copy it verbatim if we allow the file to exist.
+ common.ZipWriteStr(output_tf_zip, out_info, data)
+
# A non-APK file; copy it verbatim.
else:
common.ZipWriteStr(output_tf_zip, out_info, data)
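Review bot: When `--allow_gsi_debug_sepolicy` is set, the new branch copies `userdebug_plat_sepolicy.cil` into the signed output silently, so the signing log of a release that carries the debug policy looks the same as one that does not. A line before the copy, e.g. `print("NOTE: keeping debug sepolicy %s (allow_gsi_debug_sepolicy is set)" % filename)`, would make the exception auditable. The rejection path would be easier to act on if it named the offending entry: `raise common.ExternalError("debug sepolicy shouldn't be included: %s" % filename)`. The `else:` after the `raise` is redundant and can be dropped so the copy sits at the branch's own indent. The enclosing function starts and ends outside the hunk.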
@@ -1289,6 +1305,8 @@
OPTIONS.gki_signing_algorithm = a
elif o == "--gki_signing_extra_args":
OPTIONS.gki_signing_extra_args = a
+ elif o == "--allow_gsi_debug_sepolicy":
+ OPTIONS.allow_gsi_debug_sepolicy = True
else:
return False
return True
@@ -1339,6 +1357,7 @@
"gki_signing_key=",
"gki_signing_algorithm=",
"gki_signing_extra_args=",
+ "allow_gsi_debug_sepolicy",
],
extra_option_handler=option_handler)