Support for APEX updatable sepolicy
Builds:
- sepolicy_test - file that init mounts in /dev/selinux to demonstrate
that updatable sepolicy is loaded.
- apex_sepolicy.cil - Initially includes a rule allowing shell
to read sepolicy_test.
- apex_file_contexts - Initially includes mapping of
/dev/selinux/sepolicy_test.
- apex_sepolicy.sha256. Used by init to determine of
precompiled_sepolicy can be used.
- apex_service_contexts - Currently empty.
- apex_property_contexts - Currently empty.
- apex_seapp_contexts - Currently empty.
Bug: 199914227
Test: Build, boot, ls -laZ /dev/selinux/sepolicy_test
Change-Id: I6aa625dda5235c6e7a0cfff777a9e15606084c12
diff --git a/Android.bp b/Android.bp
index 438b13f..fdd97ff 100644
--- a/Android.bp
+++ b/Android.bp
@@ -342,6 +342,21 @@
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
}
+
+se_policy_conf {
+ name: "apex_sepolicy-33.conf",
+ srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "apex_sepolicy-33.cil",
+ src: ":apex_sepolicy-33.conf",
+ filter_out: [":plat_sepolicy.cil"],
+ installable: false,
+ stem: "apex_sepolicy.cil",
+}
+
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
@@ -659,6 +674,9 @@
// AND
// - product_sepolicy_and_mapping.sha256 equals
// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+// AND
+// - apex_sepolicy.sha256 equals
+// precompiled_sepolicy.apex_sepolicy.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
genrule {
@@ -676,6 +694,20 @@
}
genrule {
+ name: "apex_sepolicy.sha256_gen",
+ srcs: [":apex_sepolicy-33.cil"],
+ out: ["apex_sepolicy.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "apex_sepolicy.sha256",
+ filename: "apex_sepolicy.sha256",
+ src: ":apex_sepolicy.sha256_gen",
+ installable: false,
+}
+
+genrule {
name: "system_ext_sepolicy_and_mapping.sha256_gen",
srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
out: ["system_ext_sepolicy_and_mapping.sha256"],
@@ -744,6 +776,18 @@
}
//////////////////////////////////
+// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
+// was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy_prebuilts"],
+ name: "precompiled_sepolicy.apex_sepolicy.sha256",
+ filename: "precompiled_sepolicy.apex_sepolicy.sha256",
+ src: ":apex_sepolicy.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
@@ -780,6 +824,7 @@
name: "precompiled_sepolicy",
srcs: [
":plat_sepolicy.cil",
+ ":apex_sepolicy-33.cil",
":plat_pub_versioned.cil",
":system_ext_sepolicy.cil",
":product_sepolicy.cil",