Make 'file_contexts' prop as `android:"path"`
For platform APEXes, file_contexts should point a file under /system/sepolicy. Bug: 144732805 Test: m Change-Id: Ib2d5db715bbebc80a6178d1c42e387b268cc4a0d
This commit is contained in:
Jooyung Han
parent
b2e729d14c
commit
54aca7b3f3
41
apex/apex.go
41
apex/apex.go
|
|
@ -16,6 +16,7 @@ package apex
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"sort"
|
||||
"strings"
|
||||
|
|
@ -118,16 +119,11 @@ func apexDepsMutator(mctx android.BottomUpMutatorContext) {
|
|||
func apexMutator(mctx android.BottomUpMutatorContext) {
|
||||
if am, ok := mctx.Module().(android.ApexModule); ok && am.CanHaveApexVariants() {
|
||||
am.CreateApexVariations(mctx)
|
||||
} else if a, ok := mctx.Module().(*apexBundle); ok {
|
||||
} else if _, ok := mctx.Module().(*apexBundle); ok {
|
||||
// apex bundle itself is mutated so that it and its modules have same
|
||||
// apex variant.
|
||||
apexBundleName := mctx.ModuleName()
|
||||
mctx.CreateVariations(apexBundleName)
|
||||
|
||||
// collects APEX list
|
||||
if mctx.Device() && a.installable() {
|
||||
addApexFileContextsInfos(mctx, a)
|
||||
}
|
||||
} else if o, ok := mctx.Module().(*OverrideApex); ok {
|
||||
apexBundleName := o.GetOverriddenModuleName()
|
||||
if apexBundleName == "" {
|
||||
|
|
@ -150,14 +146,11 @@ func apexFileContextsInfos(config android.Config) *[]string {
|
|||
}).(*[]string)
|
||||
}
|
||||
|
||||
func addApexFileContextsInfos(ctx android.BaseModuleContext, a *apexBundle) {
|
||||
apexName := proptools.StringDefault(a.properties.Apex_name, ctx.ModuleName())
|
||||
fileContextsName := proptools.StringDefault(a.properties.File_contexts, ctx.ModuleName())
|
||||
|
||||
func addFlattenedFileContextsInfos(ctx android.BaseModuleContext, fileContextsInfo string) {
|
||||
apexFileContextsInfosMutex.Lock()
|
||||
defer apexFileContextsInfosMutex.Unlock()
|
||||
apexFileContextsInfos := apexFileContextsInfos(ctx.Config())
|
||||
*apexFileContextsInfos = append(*apexFileContextsInfos, apexName+":"+fileContextsName)
|
||||
*apexFileContextsInfos = append(*apexFileContextsInfos, fileContextsInfo)
|
||||
}
|
||||
|
||||
func apexFlattenedMutator(mctx android.BottomUpMutatorContext) {
|
||||
|
|
@ -272,10 +265,9 @@ type apexBundleProperties struct {
|
|||
Apex_name *string
|
||||
|
||||
// Determines the file contexts file for setting security context to each file in this APEX bundle.
|
||||
// Specifically, when this is set to <value>, /system/sepolicy/apex/<value>_file_contexts file is
|
||||
// used.
|
||||
// Default: <name_of_this_module>
|
||||
File_contexts *string
|
||||
// For platform APEXes, this should points to a file under /system/sepolicy
|
||||
// Default: /system/sepolicy/apex/<module_name>_file_contexts.
|
||||
File_contexts *string `android:"path"`
|
||||
|
||||
// List of native shared libs that are embedded inside this APEX bundle
|
||||
Native_shared_libs []string
|
||||
|
|
@ -481,6 +473,8 @@ type apexBundle struct {
|
|||
container_certificate_file android.Path
|
||||
container_private_key_file android.Path
|
||||
|
||||
fileContexts android.Path
|
||||
|
||||
// list of files to be included in this apex
|
||||
filesInfo []apexFile
|
||||
|
||||
|
|
@ -1162,6 +1156,23 @@ func (a *apexBundle) GenerateAndroidBuildActions(ctx android.ModuleContext) {
|
|||
a.installDir = android.PathForModuleInstall(ctx, "apex")
|
||||
a.filesInfo = filesInfo
|
||||
|
||||
if a.properties.ApexType != zipApex {
|
||||
if a.properties.File_contexts == nil {
|
||||
a.fileContexts = android.PathForSource(ctx, "system/sepolicy/apex", ctx.ModuleName()+"-file_contexts")
|
||||
} else {
|
||||
a.fileContexts = android.PathForModuleSrc(ctx, *a.properties.File_contexts)
|
||||
if a.Platform() {
|
||||
if matched, err := path.Match("system/sepolicy/**/*", a.fileContexts.String()); err != nil || !matched {
|
||||
ctx.PropertyErrorf("file_contexts", "should be under system/sepolicy, but %q", a.fileContexts)
|
||||
}
|
||||
}
|
||||
}
|
||||
if !android.ExistentPathForSource(ctx, a.fileContexts.String()).Valid() {
|
||||
ctx.PropertyErrorf("file_contexts", "cannot find file_contexts file: %q", a.fileContexts)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// prepare apex_manifest.json
|
||||
a.buildManifest(ctx, provideNativeLibs, requireNativeLibs)
|
||||
|
||||
|
|
|
|||
|
|
@ -263,50 +263,57 @@ func testApexContext(t *testing.T, bp string, handlers ...testCustomizer) (*andr
|
|||
symbol_file: "",
|
||||
native_bridge_supported: true,
|
||||
}
|
||||
|
||||
filegroup {
|
||||
name: "myapex-file_contexts",
|
||||
srcs: [
|
||||
"system/sepolicy/apex/myapex-file_contexts",
|
||||
],
|
||||
}
|
||||
`
|
||||
bp = bp + java.GatherRequiredDepsForTest()
|
||||
|
||||
fs := map[string][]byte{
|
||||
"Android.bp": []byte(bp),
|
||||
"a.java": nil,
|
||||
"PrebuiltAppFoo.apk": nil,
|
||||
"PrebuiltAppFooPriv.apk": nil,
|
||||
"build/make/target/product/security": nil,
|
||||
"apex_manifest.json": nil,
|
||||
"AndroidManifest.xml": nil,
|
||||
"system/sepolicy/apex/myapex-file_contexts": nil,
|
||||
"system/sepolicy/apex/myapex_keytest-file_contexts": nil,
|
||||
"system/sepolicy/apex/otherapex-file_contexts": nil,
|
||||
"system/sepolicy/apex/commonapex-file_contexts": nil,
|
||||
"mylib.cpp": nil,
|
||||
"mylib_common.cpp": nil,
|
||||
"mytest.cpp": nil,
|
||||
"mytest1.cpp": nil,
|
||||
"mytest2.cpp": nil,
|
||||
"mytest3.cpp": nil,
|
||||
"myprebuilt": nil,
|
||||
"my_include": nil,
|
||||
"foo/bar/MyClass.java": nil,
|
||||
"prebuilt.jar": nil,
|
||||
"vendor/foo/devkeys/test.x509.pem": nil,
|
||||
"vendor/foo/devkeys/test.pk8": nil,
|
||||
"testkey.x509.pem": nil,
|
||||
"testkey.pk8": nil,
|
||||
"testkey.override.x509.pem": nil,
|
||||
"testkey.override.pk8": nil,
|
||||
"vendor/foo/devkeys/testkey.avbpubkey": nil,
|
||||
"vendor/foo/devkeys/testkey.pem": nil,
|
||||
"NOTICE": nil,
|
||||
"custom_notice": nil,
|
||||
"testkey2.avbpubkey": nil,
|
||||
"testkey2.pem": nil,
|
||||
"myapex-arm64.apex": nil,
|
||||
"myapex-arm.apex": nil,
|
||||
"frameworks/base/api/current.txt": nil,
|
||||
"framework/aidl/a.aidl": nil,
|
||||
"build/make/core/proguard.flags": nil,
|
||||
"build/make/core/proguard_basic_keeps.flags": nil,
|
||||
"dummy.txt": nil,
|
||||
"Android.bp": []byte(bp),
|
||||
"a.java": nil,
|
||||
"PrebuiltAppFoo.apk": nil,
|
||||
"PrebuiltAppFooPriv.apk": nil,
|
||||
"build/make/target/product/security": nil,
|
||||
"apex_manifest.json": nil,
|
||||
"AndroidManifest.xml": nil,
|
||||
"system/sepolicy/apex/myapex-file_contexts": nil,
|
||||
"system/sepolicy/apex/otherapex-file_contexts": nil,
|
||||
"system/sepolicy/apex/commonapex-file_contexts": nil,
|
||||
"system/sepolicy/apex/com.android.vndk-file_contexts": nil,
|
||||
"mylib.cpp": nil,
|
||||
"mylib_common.cpp": nil,
|
||||
"mytest.cpp": nil,
|
||||
"mytest1.cpp": nil,
|
||||
"mytest2.cpp": nil,
|
||||
"mytest3.cpp": nil,
|
||||
"myprebuilt": nil,
|
||||
"my_include": nil,
|
||||
"foo/bar/MyClass.java": nil,
|
||||
"prebuilt.jar": nil,
|
||||
"vendor/foo/devkeys/test.x509.pem": nil,
|
||||
"vendor/foo/devkeys/test.pk8": nil,
|
||||
"testkey.x509.pem": nil,
|
||||
"testkey.pk8": nil,
|
||||
"testkey.override.x509.pem": nil,
|
||||
"testkey.override.pk8": nil,
|
||||
"vendor/foo/devkeys/testkey.avbpubkey": nil,
|
||||
"vendor/foo/devkeys/testkey.pem": nil,
|
||||
"NOTICE": nil,
|
||||
"custom_notice": nil,
|
||||
"testkey2.avbpubkey": nil,
|
||||
"testkey2.pem": nil,
|
||||
"myapex-arm64.apex": nil,
|
||||
"myapex-arm.apex": nil,
|
||||
"frameworks/base/api/current.txt": nil,
|
||||
"framework/aidl/a.aidl": nil,
|
||||
"build/make/core/proguard.flags": nil,
|
||||
"build/make/core/proguard_basic_keeps.flags": nil,
|
||||
"dummy.txt": nil,
|
||||
}
|
||||
|
||||
for _, handler := range handlers {
|
||||
|
|
@ -1201,6 +1208,7 @@ func TestKeys(t *testing.T) {
|
|||
key: "myapex.key",
|
||||
certificate: ":myapex.certificate",
|
||||
native_shared_libs: ["mylib"],
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
}
|
||||
|
||||
cc_library {
|
||||
|
|
@ -1411,7 +1419,6 @@ func TestVndkApexCurrent(t *testing.T) {
|
|||
apex_vndk {
|
||||
name: "myapex",
|
||||
key: "myapex.key",
|
||||
file_contexts: "myapex",
|
||||
}
|
||||
|
||||
apex_key {
|
||||
|
|
@ -1462,7 +1469,6 @@ func TestVndkApexWithPrebuilt(t *testing.T) {
|
|||
apex_vndk {
|
||||
name: "myapex",
|
||||
key: "myapex.key",
|
||||
file_contexts: "myapex",
|
||||
}
|
||||
|
||||
apex_key {
|
||||
|
|
@ -1541,7 +1547,7 @@ func TestVndkApexVersion(t *testing.T) {
|
|||
apex_vndk {
|
||||
name: "myapex_v27",
|
||||
key: "myapex.key",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
vndk_version: "27",
|
||||
}
|
||||
|
||||
|
|
@ -1606,13 +1612,13 @@ func TestVndkApexErrorWithDuplicateVersion(t *testing.T) {
|
|||
apex_vndk {
|
||||
name: "myapex_v27",
|
||||
key: "myapex.key",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
vndk_version: "27",
|
||||
}
|
||||
apex_vndk {
|
||||
name: "myapex_v27_other",
|
||||
key: "myapex.key",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
vndk_version: "27",
|
||||
}
|
||||
|
||||
|
|
@ -1652,12 +1658,12 @@ func TestVndkApexNameRule(t *testing.T) {
|
|||
apex_vndk {
|
||||
name: "myapex",
|
||||
key: "myapex.key",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
}
|
||||
apex_vndk {
|
||||
name: "myapex_v28",
|
||||
key: "myapex.key",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
vndk_version: "28",
|
||||
}
|
||||
apex_key {
|
||||
|
|
@ -1683,7 +1689,7 @@ func TestVndkApexSkipsNativeBridgeSupportedModules(t *testing.T) {
|
|||
apex_vndk {
|
||||
name: "myapex",
|
||||
key: "myapex.key",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
}
|
||||
|
||||
apex_key {
|
||||
|
|
@ -1726,7 +1732,7 @@ func TestVndkApexDoesntSupportNativeBridgeSupported(t *testing.T) {
|
|||
apex_vndk {
|
||||
name: "myapex",
|
||||
key: "myapex.key",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
native_bridge_supported: true,
|
||||
}
|
||||
|
||||
|
|
@ -1756,7 +1762,7 @@ func TestVndkApexWithBinder32(t *testing.T) {
|
|||
apex_vndk {
|
||||
name: "myapex_v27",
|
||||
key: "myapex.key",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
vndk_version: "27",
|
||||
}
|
||||
|
||||
|
|
@ -1822,7 +1828,7 @@ func TestDependenciesInApexManifest(t *testing.T) {
|
|||
key: "myapex.key",
|
||||
native_shared_libs: ["lib_nodep"],
|
||||
compile_multilib: "both",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
}
|
||||
|
||||
apex {
|
||||
|
|
@ -1830,7 +1836,7 @@ func TestDependenciesInApexManifest(t *testing.T) {
|
|||
key: "myapex.key",
|
||||
native_shared_libs: ["lib_dep"],
|
||||
compile_multilib: "both",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
}
|
||||
|
||||
apex {
|
||||
|
|
@ -1838,7 +1844,7 @@ func TestDependenciesInApexManifest(t *testing.T) {
|
|||
key: "myapex.key",
|
||||
native_shared_libs: ["libfoo"],
|
||||
compile_multilib: "both",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
}
|
||||
|
||||
apex {
|
||||
|
|
@ -1846,7 +1852,7 @@ func TestDependenciesInApexManifest(t *testing.T) {
|
|||
key: "myapex.key",
|
||||
native_shared_libs: ["lib_dep", "libfoo"],
|
||||
compile_multilib: "both",
|
||||
file_contexts: "myapex",
|
||||
file_contexts: ":myapex-file_contexts",
|
||||
}
|
||||
|
||||
apex_key {
|
||||
|
|
@ -2145,6 +2151,7 @@ func TestApexInProductPartition(t *testing.T) {
|
|||
key: "myapex.key",
|
||||
native_shared_libs: ["mylib"],
|
||||
product_specific: true,
|
||||
file_contexts: "myapex_file_contexts",
|
||||
}
|
||||
|
||||
apex_key {
|
||||
|
|
@ -2160,7 +2167,9 @@ func TestApexInProductPartition(t *testing.T) {
|
|||
system_shared_libs: [],
|
||||
stl: "none",
|
||||
}
|
||||
`)
|
||||
`, withFiles(map[string][]byte{
|
||||
"myapex_file_contexts": nil,
|
||||
}))
|
||||
|
||||
apex := ctx.ModuleForTests("myapex", "android_common_myapex_image").Module().(*apexBundle)
|
||||
expected := buildDir + "/target/product/test_device/product/apex"
|
||||
|
|
@ -2170,6 +2179,112 @@ func TestApexInProductPartition(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestFileContexts(t *testing.T) {
|
||||
ctx, _ := testApex(t, `
|
||||
apex {
|
||||
name: "myapex",
|
||||
key: "myapex.key",
|
||||
}
|
||||
|
||||
apex_key {
|
||||
name: "myapex.key",
|
||||
public_key: "testkey.avbpubkey",
|
||||
private_key: "testkey.pem",
|
||||
}
|
||||
`)
|
||||
module := ctx.ModuleForTests("myapex", "android_common_myapex_image")
|
||||
apexRule := module.Rule("apexRule")
|
||||
actual := apexRule.Args["file_contexts"]
|
||||
expected := "system/sepolicy/apex/myapex-file_contexts"
|
||||
if actual != expected {
|
||||
t.Errorf("wrong file_contexts. expected %q. actual %q", expected, actual)
|
||||
}
|
||||
|
||||
testApexError(t, `"myapex" .*: file_contexts: should be under system/sepolicy`, `
|
||||
apex {
|
||||
name: "myapex",
|
||||
key: "myapex.key",
|
||||
file_contexts: "my_own_file_contexts",
|
||||
}
|
||||
|
||||
apex_key {
|
||||
name: "myapex.key",
|
||||
public_key: "testkey.avbpubkey",
|
||||
private_key: "testkey.pem",
|
||||
}
|
||||
`, withFiles(map[string][]byte{
|
||||
"my_own_file_contexts": nil,
|
||||
}))
|
||||
|
||||
testApexError(t, `"myapex" .*: file_contexts: cannot find`, `
|
||||
apex {
|
||||
name: "myapex",
|
||||
key: "myapex.key",
|
||||
product_specific: true,
|
||||
file_contexts: "product_specific_file_contexts",
|
||||
}
|
||||
|
||||
apex_key {
|
||||
name: "myapex.key",
|
||||
public_key: "testkey.avbpubkey",
|
||||
private_key: "testkey.pem",
|
||||
}
|
||||
`)
|
||||
|
||||
ctx, _ = testApex(t, `
|
||||
apex {
|
||||
name: "myapex",
|
||||
key: "myapex.key",
|
||||
product_specific: true,
|
||||
file_contexts: "product_specific_file_contexts",
|
||||
}
|
||||
|
||||
apex_key {
|
||||
name: "myapex.key",
|
||||
public_key: "testkey.avbpubkey",
|
||||
private_key: "testkey.pem",
|
||||
}
|
||||
`, withFiles(map[string][]byte{
|
||||
"product_specific_file_contexts": nil,
|
||||
}))
|
||||
module = ctx.ModuleForTests("myapex", "android_common_myapex_image")
|
||||
apexRule = module.Rule("apexRule")
|
||||
actual = apexRule.Args["file_contexts"]
|
||||
expected = "product_specific_file_contexts"
|
||||
if actual != expected {
|
||||
t.Errorf("wrong file_contexts. expected %q. actual %q", expected, actual)
|
||||
}
|
||||
|
||||
ctx, _ = testApex(t, `
|
||||
apex {
|
||||
name: "myapex",
|
||||
key: "myapex.key",
|
||||
product_specific: true,
|
||||
file_contexts: ":my-file-contexts",
|
||||
}
|
||||
|
||||
apex_key {
|
||||
name: "myapex.key",
|
||||
public_key: "testkey.avbpubkey",
|
||||
private_key: "testkey.pem",
|
||||
}
|
||||
|
||||
filegroup {
|
||||
name: "my-file-contexts",
|
||||
srcs: ["product_specific_file_contexts"],
|
||||
}
|
||||
`, withFiles(map[string][]byte{
|
||||
"product_specific_file_contexts": nil,
|
||||
}))
|
||||
module = ctx.ModuleForTests("myapex", "android_common_myapex_image")
|
||||
apexRule = module.Rule("apexRule")
|
||||
actual = apexRule.Args["file_contexts"]
|
||||
expected = "product_specific_file_contexts"
|
||||
if actual != expected {
|
||||
t.Errorf("wrong file_contexts. expected %q. actual %q", expected, actual)
|
||||
}
|
||||
}
|
||||
|
||||
func TestApexKeyFromOtherModule(t *testing.T) {
|
||||
ctx, _ := testApex(t, `
|
||||
apex_key {
|
||||
|
|
|
|||
|
|
@ -340,19 +340,10 @@ func (a *apexBundle) buildUnflattenedApex(ctx android.ModuleContext) {
|
|||
},
|
||||
})
|
||||
|
||||
fcName := proptools.StringDefault(a.properties.File_contexts, ctx.ModuleName())
|
||||
fileContextsPath := "system/sepolicy/apex/" + fcName + "-file_contexts"
|
||||
fileContextsOptionalPath := android.ExistentPathForSource(ctx, fileContextsPath)
|
||||
if !fileContextsOptionalPath.Valid() {
|
||||
ctx.ModuleErrorf("Cannot find file_contexts file: %q", fileContextsPath)
|
||||
return
|
||||
}
|
||||
fileContexts := fileContextsOptionalPath.Path()
|
||||
|
||||
optFlags := []string{}
|
||||
|
||||
// Additional implicit inputs.
|
||||
implicitInputs = append(implicitInputs, cannedFsConfig, fileContexts, a.private_key_file, a.public_key_file)
|
||||
implicitInputs = append(implicitInputs, cannedFsConfig, a.fileContexts, a.private_key_file, a.public_key_file)
|
||||
optFlags = append(optFlags, "--pubkey "+a.public_key_file.String())
|
||||
|
||||
manifestPackageName, overridden := ctx.DeviceConfig().OverrideManifestPackageNameFor(ctx.ModuleName())
|
||||
|
|
@ -409,7 +400,7 @@ func (a *apexBundle) buildUnflattenedApex(ctx android.ModuleContext) {
|
|||
"manifest_json_full": a.manifestJsonFullOut.String(),
|
||||
"manifest_json": a.manifestJsonOut.String(),
|
||||
"manifest": a.manifestPbOut.String(),
|
||||
"file_contexts": fileContexts.String(),
|
||||
"file_contexts": a.fileContexts.String(),
|
||||
"canned_fs_config": cannedFsConfig.String(),
|
||||
"key": a.private_key_file.String(),
|
||||
"opt_flags": strings.Join(optFlags, " "),
|
||||
|
|
@ -485,6 +476,11 @@ func (a *apexBundle) buildFlattenedApex(ctx android.ModuleContext) {
|
|||
apexName := proptools.StringDefault(a.properties.Apex_name, ctx.ModuleName())
|
||||
a.outputFile = android.PathForModuleInstall(&factx, "apex", apexName)
|
||||
|
||||
if a.installable() {
|
||||
installPath := android.PathForModuleInstall(ctx, "apex", apexName)
|
||||
devicePath := android.InstallPathToOnDevicePath(ctx, installPath)
|
||||
addFlattenedFileContextsInfos(ctx, apexName+":"+devicePath+":"+a.fileContexts.String())
|
||||
}
|
||||
a.buildFilesInfo(ctx)
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue