Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / edf7b4c861144764d0bc17436064d52e7147f916^! / . / README
commitedf7b4c861144764d0bc17436064d52e7147f916[log] [tgz]
authorGeremy Condra <gcondra@google.com>Tue Mar 26 22:19:03 2013 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Tue Mar 26 22:19:03 2013 +0000
tree8480b4e55e12d0343631c0a101d0aa98e2022f94
parent60d4d71ead9e9ac96e9cb81380c254bac3a9df4f [diff] [blame]
Revert "Revert "Revert "Revert "Dynamic insertion of pubkey to mac_permissions.xml""""

This reverts commit 60d4d71ead9e9ac96e9cb81380c254bac3a9df4f

This should (finally) be fixed in https://android-review.googlesource.com/#/c/54730/

Change-Id: I3dd358560f7236f28387ffbe247fc2b004e303ea

diff --git a/README b/README
index 3cdd01a..135d377 100644
--- a/README
+++ b/README

@@ -75,3 +75,47 @@
         genfs_contexts \
         file_contexts \
         sepolicy.te
+
+SPECIFIC POLICY FILE INFORMATION
+
+mac_permissions.xml:
+  ABOUT:
+    The mac_permissions.xml file is used for controlling the mmac solutions
+    as well as mapping a public base16 signing key with an arbitrary seinfo
+    string. Details of the files contents can be found in a comment at the
+    top of that file. The seinfo string, previously mentioned, is the same string
+    that is referenced in seapp_contexts.
+
+    This file can be replaced through BOARD_SEPOLICY_REPLACE containing the
+    value "mac_permissions.xml", however, appending (UNION) does NOT exist
+    and will cause a build time failure. It is important to note the final
+    processed version of this file is stripped of comments and whitespace.
+    This is to preserve space on the system.img. If one wishes to view it in
+    a more human friendly format, the "tidy" or "xmllint" command will assist
+    you.
+
+  TOOLING:
+    insertkeys.py
+      Is a helper script for mapping arbitrary tags in the signature stanzas of
+      mac_permissions.xml to public keys found in pem files. This script takes
+      a mac_permissions.xml file and configuration file in order to operate.
+      Details of the configuration file (keys.conf) can be found in the subsection
+      keys.conf. This script is also responsible for stipping the comments and
+      whitespace from the xml file.
+
+      keys.conf
+        The keys.conf file is used for controlling the mapping of "tags" found in
+        the mac_permissions.xml signature stanzas with actual public keys found in
+        pem files. The configuration file can be used in BOARD_SEPOLICY_UNION and
+        BOARD_SEPOLICY_REPLACE variables and is processed via m4.
+
+        The script allows for mapping any string contained in TARGET_BUILD_VARIANT
+        with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
+        user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
+        any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
+        and all options are matched lowercase. The options are "tolowered" automatically
+        for the user, it is convention to specify tags and options in all uppercase
+        and tags start with @.
+
+        NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
+              and setool all use base16 encodings.