• Home
Name Date Size #Lines LOC

..--

tools/03-May-2024-3,1512,326

Android.mkD03-May-202410.4 KiB325222

NOTICED03-May-20241 KiB2219

READMED03-May-20246.2 KiB137111

access_vectorsD03-May-20249.2 KiB921808

adbd.teD03-May-20242.5 KiB8564

app.teD03-May-202413.4 KiB358290

attributesD03-May-20241.6 KiB7048

binderservicedomain.teD03-May-2024784 1913

bluetooth.teD03-May-20242.2 KiB6248

bootanim.teD03-May-2024424 1812

clatd.teD03-May-2024841 2318

debuggerd.teD03-May-20241.3 KiB3631

device.teD03-May-20242.1 KiB7065

dex2oat.teD03-May-2024503 1613

dhcp.teD03-May-20241.1 KiB2924

dnsmasq.teD03-May-2024917 2519

domain.teD03-May-202411.9 KiB317255

drmserver.teD03-May-20241.7 KiB5340

dumpstate.teD03-May-20243.4 KiB10680

file.teD03-May-20246.7 KiB178170

file_contextsD03-May-202410.6 KiB255244

fs_useD03-May-2024818 2319

genfs_contextsD03-May-20241.8 KiB3534

global_macrosD03-May-20242.6 KiB4840

gpsd.teD03-May-2024686 2117

hci_attach.teD03-May-2024313 107

healthd.teD03-May-20241.5 KiB4738

hostapd.teD03-May-20241.1 KiB2723

init.teD03-May-20244.3 KiB12094

init_shell.teD03-May-2024455 119

initial_sid_contextsD03-May-2024973 2827

initial_sidsD03-May-2024416 3632

inputflinger.teD03-May-2024280 128

install_recovery.teD03-May-20241,007 3022

installd.teD03-May-20244.2 KiB8874

isolated_app.teD03-May-2024631 2118

kernel.teD03-May-20242.6 KiB6854

keys.confD03-May-2024851 2610

keystore.teD03-May-20241.1 KiB3325

lmkd.teD03-May-20241,003 3827

logd.teD03-May-2024992 3828

mac_permissions.xmlD03-May-20241.3 KiB359

mdnsd.teD03-May-2024118 75

mediaserver.teD03-May-20242.9 KiB8664

mlsD03-May-20244 KiB11286

mls_macrosD03-May-20241.2 KiB5546

mtp.teD03-May-2024288 1310

net.teD03-May-2024852 2621

netd.teD03-May-20242.9 KiB8767

nfc.teD03-May-2024518 2216

platform_app.teD03-May-20241 KiB3026

policy_capabilitiesD03-May-2024122 64

port_contextsD03-May-202477 42

ppp.teD03-May-2024493 1714

property.teD03-May-2024917 2726

property_contextsD03-May-20242.7 KiB6858

racoon.teD03-May-2024874 3324

radio.teD03-May-2024952 3425

recovery.teD03-May-20244 KiB10380

rild.teD03-May-20241.7 KiB4840

rolesD03-May-202429 32

runas.teD03-May-2024962 2822

sdcardd.teD03-May-2024814 2417

seapp_contextsD03-May-20242 KiB4847

security_classesD03-May-20242.6 KiB147114

selinux-network.shD03-May-20241 KiB181

service.teD03-May-2024648 1312

service_contextsD03-May-20249.2 KiB125123

servicemanager.teD03-May-2024632 1814

shared_relro.teD03-May-2024442 118

shell.teD03-May-20241.7 KiB5644

su.teD03-May-20241.5 KiB4539

surfaceflinger.teD03-May-20242.2 KiB7052

system_app.teD03-May-20242.3 KiB7362

system_server.teD03-May-202414.6 KiB411323

te_macrosD03-May-202410.9 KiB361326

tee.teD03-May-2024434 1513

ueventd.teD03-May-20241.2 KiB2624

unconfined.teD03-May-20243.5 KiB9189

uncrypt.teD03-May-2024899 3123

untrusted_app.teD03-May-20243.8 KiB10283

usersD03-May-202455 21

vdc.teD03-May-2024622 2417

vold.teD03-May-20242.9 KiB9273

watchdogd.teD03-May-2024420 109

wpa.teD03-May-20241.1 KiB4031

zygote.teD03-May-20242.4 KiB6156

README

1Policy Generation:
2
3Additional, per device, policy files can be added into the
4policy build.
5
6They can be configured through the use of four variables,
7they are:
81. BOARD_SEPOLICY_REPLACE
92. BOARD_SEPOLICY_UNION
103. BOARD_SEPOLICY_DIRS
114. BOARD_SEPOLICY_IGNORE
12
13The variables should be set in the BoardConfig.mk file in
14the device or vendor directories.
15
16BOARD_SEPOLICY_UNION is a list of files that will be
17"unioned", IE concatenated, at the END of their respective
18file in external/sepolicy. Note, to add a unique file you
19would use this variable.
20
21BOARD_SEPOLICY_REPLACE is a list of files that will be
22used instead of the corresponding file in external/sepolicy.
23
24BOARD_SEPOLICY_DIRS contains a list of directories to search
25for BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files. Order
26matters in this list.
27eg.) If you have BOARD_SEPOLICY_UNION += widget.te and have 2
28instances of widget.te files on BOARD_SEPOLICY_DIRS search path.
29The first one found (at the first search dir containing the file)
30gets processed first.
31Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
32will help sort out ordering issues.
33
34It is an error to specify a BOARD_POLICY_REPLACE file that does
35not exist in external/sepolicy.
36
37It is an error to specify a BOARD_POLICY_REPLACE file that appears
38multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS.
39eg.) if you specify shell.te in BOARD_SEPOLICY_REPLACE and
40BOARD_SEPOLICY_DIRS is set to
41"vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
42appears in both locations, it is an error. Unless it is in
43BOARD_SEPOLICY_IGNORE to be filtered out. See BOARD_SEPOLICY_IGNORE
44for more details.
45
46It is an error to specify the same file name in both
47BOARD_POLICY_REPLACE and BOARD_POLICY_UNION.
48
49It is an error to specify a BOARD_SEPOLICY_DIRS that has no entries when
50specifying BOARD_SEPOLICY_REPLACE.
51
52It is an error to specify a BOARD_POLICY_UNION file that
53doesn't appear in any of the BOARD_SEPOLICY_DIRS locations.
54
55BOARD_SEPOLICY_IGNORE is a list of paths (directory + filename) of
56files that are not to be included in the resulting policy. This list
57is passed to filter-out to remove any paths you may want to ignore. This
58is useful if you have numerous config directories that contain a file
59and you want to NOT include a particular file in your resulting
60policy file, either by UNION or REPLACE.
61Eg.) Suppose the following:
62     BOARD_SEPOLICY_DIRS += X Y
63     BOARD_SEPOLICY_REPLACE += A
64     BOARD_SEPOLICY_IGNORE += X/A
65
66     Directories X and Y contain A.
67
68     The resulting policy is created by using Y/A only, thus X/A was
69     ignored.
70
71Example BoardConfig.mk Usage:
72From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
73
74BOARD_SEPOLICY_DIRS += \
75        device/samsung/tuna/sepolicy
76
77BOARD_SEPOLICY_UNION += \
78        genfs_contexts \
79        file_contexts \
80        sepolicy.te
81
82SPECIFIC POLICY FILE INFORMATION
83
84mac_permissions.xml:
85  ABOUT:
86    The mac_permissions.xml file is used for controlling the mmac solutions
87    as well as mapping a public base16 signing key with an arbitrary seinfo
88    string. Details of the files contents can be found in a comment at the
89    top of that file. The seinfo string, previously mentioned, is the same string
90    that is referenced in seapp_contexts.
91
92    This file can be replaced through BOARD_SEPOLICY_REPLACE containing the
93    value "mac_permissions.xml", or appended to by using the BOARD_SEPOLICY_UNION
94    variable. It is important to note the final processed version of this file
95    is stripped of comments and whitespace. This is to preserve space on the
96    system.img. If one wishes to view it in a more human friendly format,
97    the "tidy" or "xmllint" command will assist you.
98
99  TOOLING:
100    insertkeys.py
101      Is a helper script for mapping arbitrary tags in the signature stanzas of
102      mac_permissions.xml to public keys found in pem files. This script takes
103      a mac_permissions.xml file(s) and configuration file in order to operate.
104      Details of the configuration file (keys.conf) can be found in the subsection
105      keys.conf. This tool is also responsible for stripping the comments and
106      whitespace during processing.
107
108      keys.conf
109        The keys.conf file is used for controlling the mapping of "tags" found in
110        the mac_permissions.xml signature stanzas with actual public keys found in
111        pem files. The configuration file can be used in BOARD_SEPOLICY_UNION and
112        BOARD_SEPOLICY_REPLACE variables and is processed via m4.
113
114        The script allows for mapping any string contained in TARGET_BUILD_VARIANT
115        with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
116        user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
117        any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
118        and all options are matched lowercase. The options are "tolowered" automatically
119        for the user, it is convention to specify tags and options in all uppercase
120        and tags start with @. The option arguments can also use environment variables
121        via the familiar $VARIABLE syntax. This is often useful for setting a location
122        to ones release keys.
123
124        Often times, one will need to integrate an application that was signed by a separate
125        organization and may need to extract the pem file for the insertkeys/keys.conf tools.
126        Extraction of the public key in the pem format is possible via openssl. First you need
127        to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute
128        openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM  -print_certs
129        On some occasions CERT.RSA has a different name, and you will need to adjust for that.
130        After extracting the pem, you can rename it, and configure keys.conf and
131        mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text
132        editor and strip out anything outside the opening and closing scissor lines. Failure to do
133        so WILL cause a compile time issue thrown by insertkeys.py
134
135        NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
136              and setool all use base16 encodings.
137