Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / refs/tags/fp2-sibon-17.07.6 / . / README
blob: 8202c67af808792dacc2b8bd2ae8bc9b215f67cc [file] [log] [blame]
Stephen Smalley68a8f782015-02-23 12:37:21 -0500[diff] [blame]1This directory contains the core Android SELinux policy configuration.
2It defines the domains and types for the AOSP services and apps common to
3all devices. Device-specific policy should be placed under a
4separate device/<vendor>/<board>/sepolicy subdirectory and linked
5into the policy build as described below.
6
William Roberts3f1ed6e2012-11-13 13:27:48 -0800[diff] [blame]7Policy Generation:
8
9Additional, per device, policy files can be added into the
10policy build.
11
Stephen Smalley8e0ca882015-04-01 10:14:56 -0400[diff] [blame]12They can be configured through the use of the BOARD_SEPOLICY_DIRS
13variable. This variable should be set in the BoardConfig.mk file in
William Roberts3f1ed6e2012-11-13 13:27:48 -0800[diff] [blame]14the device or vendor directories.
15
William Roberts3f1ed6e2012-11-13 13:27:48 -0800[diff] [blame]16BOARD_SEPOLICY_DIRS contains a list of directories to search
Stephen Smalley8e0ca882015-04-01 10:14:56 -0400[diff] [blame]17for additional policy files. Order matters in this list.
18For example, if you have 2 instances of widget.te files in the
19BOARD_SEPOLICY_DIRS search path, then the first one found (at the
20first search dir containing the file) will be concatenated first.
William Roberts3f1ed6e2012-11-13 13:27:48 -0800[diff] [blame]21Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
22will help sort out ordering issues.
23
William Roberts15b3ced2013-02-12 13:30:47 +0900[diff] [blame]24Example BoardConfig.mk Usage:
William Roberts3f1ed6e2012-11-13 13:27:48 -0800[diff] [blame]25From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
26
Stephen Smalley8e0ca882015-04-01 10:14:56 -0400[diff] [blame]27BOARD_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
Geremy Condraedf7b4c2013-03-26 22:19:03 +0000[diff] [blame]28
29SPECIFIC POLICY FILE INFORMATION
30
31mac_permissions.xml:
32 ABOUT:
33 The mac_permissions.xml file is used for controlling the mmac solutions
34 as well as mapping a public base16 signing key with an arbitrary seinfo
35 string. Details of the files contents can be found in a comment at the
36 top of that file. The seinfo string, previously mentioned, is the same string
37 that is referenced in seapp_contexts.
38
Stephen Smalley8e0ca882015-04-01 10:14:56 -0400[diff] [blame]39 It is important to note the final processed version of this file
Robert Craig7f2392e2013-03-27 08:35:39 -0400[diff] [blame]40 is stripped of comments and whitespace. This is to preserve space on the
41 system.img. If one wishes to view it in a more human friendly format,
42 the "tidy" or "xmllint" command will assist you.
Geremy Condraedf7b4c2013-03-26 22:19:03 +0000[diff] [blame]43
44 TOOLING:
45 insertkeys.py
46 Is a helper script for mapping arbitrary tags in the signature stanzas of
47 mac_permissions.xml to public keys found in pem files. This script takes
Robert Craig7f2392e2013-03-27 08:35:39 -0400[diff] [blame]48 a mac_permissions.xml file(s) and configuration file in order to operate.
Geremy Condraedf7b4c2013-03-26 22:19:03 +0000[diff] [blame]49 Details of the configuration file (keys.conf) can be found in the subsection
Robert Craig7f2392e2013-03-27 08:35:39 -0400[diff] [blame]50 keys.conf. This tool is also responsible for stripping the comments and
51 whitespace during processing.
Geremy Condraedf7b4c2013-03-26 22:19:03 +0000[diff] [blame]52
53 keys.conf
54 The keys.conf file is used for controlling the mapping of "tags" found in
55 the mac_permissions.xml signature stanzas with actual public keys found in
Stephen Smalley8e0ca882015-04-01 10:14:56 -0400[diff] [blame]56 pem files. The configuration file is processed via m4.
Geremy Condraedf7b4c2013-03-26 22:19:03 +0000[diff] [blame]57
58 The script allows for mapping any string contained in TARGET_BUILD_VARIANT
59 with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
60 user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
61 any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
62 and all options are matched lowercase. The options are "tolowered" automatically
63 for the user, it is convention to specify tags and options in all uppercase
William Robertsfd229222013-10-28 13:21:38 -0700[diff] [blame]64 and tags start with @. The option arguments can also use environment variables
65 via the familiar $VARIABLE syntax. This is often useful for setting a location
66 to ones release keys.
Geremy Condraedf7b4c2013-03-26 22:19:03 +0000[diff] [blame]67
William Roberts9793a452013-10-30 09:50:52 -0700[diff] [blame]68 Often times, one will need to integrate an application that was signed by a separate
69 organization and may need to extract the pem file for the insertkeys/keys.conf tools.
70 Extraction of the public key in the pem format is possible via openssl. First you need
71 to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute
72 openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
73 On some occasions CERT.RSA has a different name, and you will need to adjust for that.
74 After extracting the pem, you can rename it, and configure keys.conf and
75 mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text
76 editor and strip out anything outside the opening and closing scissor lines. Failure to do
77 so WILL cause a compile time issue thrown by insertkeys.py
78
Geremy Condraedf7b4c2013-03-26 22:19:03 +0000[diff] [blame]79 NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
80 and setool all use base16 encodings.