sign_target_files_apks: adding --allow_gsi_debug_sepolicy
https://android-review.googlesource.com/q/topic:gsi_debug_policy adds userdebug_plat_sepolicy.cil into the GSI system.img to reduce the steps of repacking a debug ramdisk. This CL checks that the file userdebug_plat_sepolicy.cil does not exist before signing, unless the caller explicitly specifies --allow_gsi_debug_sepolicy to allow it. Note: also fixes the indentation around the block. Bug: 188067818 Bug: 201482141 Test: sign_target_files_apks *-target_files-*.zip signed.zip Change-Id: I56ed328a9ae70cf49dbd3c6efb5a4a8c54e1b7a7 Merged-In: I56ed328a9ae70cf49dbd3c6efb5a4a8c54e1b7a7 (cherry picked from commit 5a73b0ee976dc61fe6fa12e48f15d5ec53f90878)
parent
e295d0f5d3
commit
702b8fdfe0
|
@ -136,6 +136,11 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
|
||||||
|
|
||||||
--android_jar_path <path>
|
--android_jar_path <path>
|
||||||
Path to the android.jar to repack the apex file.
|
Path to the android.jar to repack the apex file.
|
||||||
|
|
||||||
|
--allow_gsi_debug_sepolicy
|
||||||
|
Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
|
||||||
|
(/system/system_ext|/system_ext)/etc/selinux.
|
||||||
|
If not set, error out when the file exists.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from __future__ import print_function
|
from __future__ import print_function
|
||||||
|
@ -189,6 +194,7 @@ OPTIONS.gki_signing_key = None
|
||||||
OPTIONS.gki_signing_algorithm = None
|
OPTIONS.gki_signing_algorithm = None
|
||||||
OPTIONS.gki_signing_extra_args = None
|
OPTIONS.gki_signing_extra_args = None
|
||||||
OPTIONS.android_jar_path = None
|
OPTIONS.android_jar_path = None
|
||||||
|
OPTIONS.allow_gsi_debug_sepolicy = False
|
||||||
|
|
||||||
|
|
||||||
AVB_FOOTER_ARGS_BY_PARTITION = {
|
AVB_FOOTER_ARGS_BY_PARTITION = {
|
||||||
|
@ -658,7 +664,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
||||||
# Updates system_other.avbpubkey in /product/etc/.
|
# Updates system_other.avbpubkey in /product/etc/.
|
||||||
elif filename in (
|
elif filename in (
|
||||||
"PRODUCT/etc/security/avb/system_other.avbpubkey",
|
"PRODUCT/etc/security/avb/system_other.avbpubkey",
|
||||||
"SYSTEM/product/etc/security/avb/system_other.avbpubkey"):
|
"SYSTEM/product/etc/security/avb/system_other.avbpubkey"):
|
||||||
# Only update system_other's public key, if the corresponding signing
|
# Only update system_other's public key, if the corresponding signing
|
||||||
# key is specified via --avb_system_other_key.
|
# key is specified via --avb_system_other_key.
|
||||||
signing_key = OPTIONS.avb_keys.get("system_other")
|
signing_key = OPTIONS.avb_keys.get("system_other")
|
||||||
|
@ -671,9 +677,19 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
||||||
# Should NOT sign boot-debug.img.
|
# Should NOT sign boot-debug.img.
|
||||||
elif filename in (
|
elif filename in (
|
||||||
"BOOT/RAMDISK/force_debuggable",
|
"BOOT/RAMDISK/force_debuggable",
|
||||||
"BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"):
|
"BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"):
|
||||||
raise common.ExternalError("debuggable boot.img cannot be signed")
|
raise common.ExternalError("debuggable boot.img cannot be signed")
|
||||||
|
|
||||||
|
# Should NOT sign userdebug sepolicy file.
|
||||||
|
elif filename in (
|
||||||
|
"SYSTEM_EXT/etc/selinux/userdebug_plat_sepolicy.cil",
|
||||||
|
"SYSTEM/system_ext/etc/selinux/userdebug_plat_sepolicy.cil"):
|
||||||
|
if not OPTIONS.allow_gsi_debug_sepolicy:
|
||||||
|
raise common.ExternalError("debug sepolicy shouldn't be included")
|
||||||
|
else:
|
||||||
|
# Copy it verbatim if we allow the file to exist.
|
||||||
|
common.ZipWriteStr(output_tf_zip, out_info, data)
|
||||||
|
|
||||||
# A non-APK file; copy it verbatim.
|
# A non-APK file; copy it verbatim.
|
||||||
else:
|
else:
|
||||||
common.ZipWriteStr(output_tf_zip, out_info, data)
|
common.ZipWriteStr(output_tf_zip, out_info, data)
|
||||||
|
@ -1289,6 +1305,8 @@ def main(argv):
|
||||||
OPTIONS.gki_signing_algorithm = a
|
OPTIONS.gki_signing_algorithm = a
|
||||||
elif o == "--gki_signing_extra_args":
|
elif o == "--gki_signing_extra_args":
|
||||||
OPTIONS.gki_signing_extra_args = a
|
OPTIONS.gki_signing_extra_args = a
|
||||||
|
elif o == "--allow_gsi_debug_sepolicy":
|
||||||
|
OPTIONS.allow_gsi_debug_sepolicy = True
|
||||||
else:
|
else:
|
||||||
return False
|
return False
|
||||||
return True
|
return True
|
||||||
|
@ -1339,6 +1357,7 @@ def main(argv):
|
||||||
"gki_signing_key=",
|
"gki_signing_key=",
|
||||||
"gki_signing_algorithm=",
|
"gki_signing_algorithm=",
|
||||||
"gki_signing_extra_args=",
|
"gki_signing_extra_args=",
|
||||||
|
"allow_gsi_debug_sepolicy",
|
||||||
],
|
],
|
||||||
extra_option_handler=option_handler)
|
extra_option_handler=option_handler)
|
||||||
|
|
||||||
|
|
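Review bot: The rejection in the new `userdebug_plat_sepolicy.cil` branch of ProcessTargetFiles (hunk at -671) raises `common.ExternalError("debug sepolicy shouldn't be included")` without naming the offending entry or the override, so an operator hitting it on a large target-files zip has to read the tool to learn which path tripped the check and that `--allow_gsi_debug_sepolicy` exists; since `filename` is already the matched key, `raise common.ExternalError("debug sepolicy %s shouldn't be included; pass --allow_gsi_debug_sepolicy to keep it" % filename)` would be more useful. In the allowed branch the file is copied silently, so if the module's logger is in scope a `logger.warning("Keeping debug sepolicy %s in signed output", filename)` would leave a record in the signing log that a debuggable policy was deliberately retained. Note that the check matches only the two exact paths listed, so it guards against accidental inclusion of that file rather than against a debug policy placed under another path; whether other locations are possible is not visible here. ProcessTargetFiles starts and ends outside the hunk.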