This directory contains the core Android SELinux policy configuration.
It defines the domains and types for the AOSP services and apps common to
all devices. Device-specific policy should be placed under a
separate device/<vendor>/<board>/sepolicy subdirectory and linked
into the policy build as described below.

Policy Generation:

Additional per-device policy files can be added into the
policy build.

They can be configured through the use of the BOARD_SEPOLICY_DIRS
variable. This variable should be set in the BoardConfig.mk file in
the device or vendor directories.

BOARD_SEPOLICY_DIRS contains a list of directories to search
for additional policy files. Order matters in this list.
For example, if you have 2 instances of widget.te files in the
BOARD_SEPOLICY_DIRS search path, then the first one found (at the
first search dir containing the file) will be concatenated first.
Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
will help sort out ordering issues.

Example BoardConfig.mk Usage:
From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk

BOARD_SEPOLICY_DIRS += device/samsung/tuna/sepolicy

SPECIFIC POLICY FILE INFORMATION

mac_permissions.xml:
  ABOUT:
    The mac_permissions.xml file is used for controlling the mmac solutions
    as well as mapping a public base16 signing key to an arbitrary seinfo
    string. Details of the file's contents can be found in a comment at the
    top of that file. The seinfo string is the same string that is
    referenced in seapp_contexts.

    It is important to note that the final processed version of this file
    is stripped of comments and whitespace. This is to preserve space on the
    system.img. If one wishes to view it in a more human-friendly format,
    the "tidy" or "xmllint" command will assist you.

  TOOLING:
    insertkeys.py
      A helper script for mapping arbitrary tags in the signature stanzas of
      mac_permissions.xml to public keys found in pem files. This script takes
      one or more mac_permissions.xml files and a configuration file in order
      to operate. Details of the configuration file (keys.conf) can be found
      in the subsection keys.conf. This tool is also responsible for stripping
      the comments and whitespace during processing.

    keys.conf
      The keys.conf file is used for controlling the mapping of "tags" found in
      the mac_permissions.xml signature stanzas with actual public keys found in
      pem files. The configuration file is processed via m4.

      The script allows for mapping any string contained in TARGET_BUILD_VARIANT
      to a specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
      user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
      any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
      and all options are matched lowercase. The options are lowercased
      automatically for the user; by convention, tags and options are specified
      in all uppercase, and tags start with @. The option arguments can also use
      environment variables via the familiar $VARIABLE syntax. This is often
      useful for setting a location to one's release keys.

      Oftentimes, one will need to integrate an application that was signed by a
      separate organization and may need to extract the pem file for the
      insertkeys/keys.conf tools. Extraction of the public key in the pem format
      is possible via openssl. First, unzip the apk. Once it is unzipped, cd into
      the META-INF directory and then execute:

        openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs

      On some occasions CERT.RSA has a different name, and you will need to
      adjust for that. After extracting the pem, you can rename it, and configure
      keys.conf and mac_permissions.xml to pick up the change. You MUST open the
      generated pem file in a text editor and strip out anything outside the
      opening and closing scissor lines. Failure to do so WILL cause a
      compile-time issue thrown by insertkeys.py.

      NOTE: The pem files are base64 encoded and PackageManagerService,
      mac_permissions.xml and setool all use base16 encodings.
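
The scissor-line cleanup and the base64/base16 relationship described above, as an added example (not part of this README and not code from insertkeys.py). The function names are hypothetical and the sample input is constructed placeholder bytes, not a real certificate.

```python
import base64
import re

# Scissor lines delimiting one certificate in PEM text.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem(text):
    """Return (der_certs, stray_lines) for the text of a pem file.

    stray_lines holds every non-blank line outside the scissor lines,
    i.e. what has to be stripped before the file is usable.
    """
    ders = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())
        # validate=True raises on non-base64 characters instead of skipping them.
        ders.append(base64.b64decode(body, validate=True))
    outside = PEM_BLOCK.sub("", text)
    return ders, [line for line in outside.splitlines() if line.strip()]


def to_pem(der):
    """Re-emit a certificate with nothing outside the scissor lines."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *rows, "-----END CERTIFICATE-----", ""]
    )


def to_base16(der):
    """Base16 form of the same bytes (lowercase is this example's choice)."""
    return der.hex()


# Constructed sample: placeholder bytes, not a real certificate, wrapped the
# way "openssl pkcs7 -print_certs" wraps its output.
SAMPLE_DER = bytes.fromhex("3082010a") + b"constructed-sample-bytes"
SAMPLE_OUTPUT = (
    "subject=CN = Constructed Example\n"
    "issuer=CN = Constructed Example\n"
    + to_pem(SAMPLE_DER)
    + "\n"
)
```

Calling split_pem on a freshly extracted CERT.pem shows which lines still have to be removed; to_pem writes the cleaned form, and to_base16 gives the encoding to compare against a signature value in mac_permissions.xml.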