Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / c3c9052bc7bf7f55e66a7560a28800066a6e044b^! / . / Android.mk
commitc3c9052bc7bf7f55e66a7560a28800066a6e044b[log] [tgz]
authorNick Kralevich <nnk@google.com>Fri Oct 25 12:25:36 2013 -0700
committerNick Kralevich <nnk@google.com>Mon Oct 28 13:08:14 2013 -0700
treec5faba252d9193d37d5a7417d78b9d0b6edaf349
parent73c5ea722c7ee328f0d10179601afd9d5a054b94 [diff] [blame]
Make DEFAULT_SYSTEM_DEV_CERTIFICATE available in keys.conf

In 9af6f1bd59ee2fb0622db8ff25c4806c5527a0b3, the -d option
was dropped from insertkeys.py. This was done to allow an
Android distribution to replace the default version of
keys.conf distributed in external/sepolicy/keys.conf. keys.conf
was modified to reference the publicly known test keys in
build/target/product/security.

Unfortunately, this broke Google's build of Android. Instead
of incorporating our keys directory, we were using the
default AOSP keys. As a result, apps were getting assigned
to the wrong SELinux domain. (see "Steps to reproduce" below)

This change continues to allow others to replace keys.conf,
but makes DEFAULT_SYSTEM_DEV_CERTIFICATE available as an
environment variable in case the customized version wants to
make reference to it. This change also modifies the stock
version of keys.conf to use DEFAULT_SYSTEM_DEV_CERTIFICATE,
which should be appropriate for most Android distributions.
It doesn't make any sense to force each OEM to have a copy of
this file.

Steps to reproduce.

1) Compile and boot Android.
2) Run the following command: "adb shell ps -Z | grep process.media"

Expected:

  $ adb shell ps -Z | grep process.media
  u:r:media_app:s0               u0_a5     1332  202   android.process.media

Actual:

  $ adb shell ps -Z | grep process.media
  u:r:untrusted_app:s0           u0_a5     3617  187   android.process.media

Bug: 11327304
Change-Id: Ica24fb25c5f9c0e2f4d181718c757cf372467822

diff --git a/Android.mk b/Android.mk
index 87cfe61..0121b6e 100644
--- a/Android.mk
+++ b/Android.mk

@@ -179,7 +179,8 @@
 
 $(LOCAL_BUILT_MODULE) : $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(ALL_MAC_PERMS_FILES)
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(ALL_MAC_PERMS_FILES)
+	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
+		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(ALL_MAC_PERMS_FILES)
 
 mac_perms_keys.tmp :=
 ##################################