diff --git a/apex/apex.go b/apex/apex.go index 4dfbdb4fa..b35b73e56 100644 --- a/apex/apex.go +++ b/apex/apex.go @@ -16,6 +16,7 @@ package apex import ( "fmt" + "path" "path/filepath" "sort" "strings" @@ -118,16 +119,11 @@ func apexDepsMutator(mctx android.BottomUpMutatorContext) { func apexMutator(mctx android.BottomUpMutatorContext) { if am, ok := mctx.Module().(android.ApexModule); ok && am.CanHaveApexVariants() { am.CreateApexVariations(mctx) - } else if a, ok := mctx.Module().(*apexBundle); ok { + } else if _, ok := mctx.Module().(*apexBundle); ok { // apex bundle itself is mutated so that it and its modules have same // apex variant. apexBundleName := mctx.ModuleName() mctx.CreateVariations(apexBundleName) - - // collects APEX list - if mctx.Device() && a.installable() { - addApexFileContextsInfos(mctx, a) - } } else if o, ok := mctx.Module().(*OverrideApex); ok { apexBundleName := o.GetOverriddenModuleName() if apexBundleName == "" { @@ -150,14 +146,11 @@ func apexFileContextsInfos(config android.Config) *[]string { }).(*[]string) } -func addApexFileContextsInfos(ctx android.BaseModuleContext, a *apexBundle) { - apexName := proptools.StringDefault(a.properties.Apex_name, ctx.ModuleName()) - fileContextsName := proptools.StringDefault(a.properties.File_contexts, ctx.ModuleName()) - +func addFlattenedFileContextsInfos(ctx android.BaseModuleContext, fileContextsInfo string) { apexFileContextsInfosMutex.Lock() defer apexFileContextsInfosMutex.Unlock() apexFileContextsInfos := apexFileContextsInfos(ctx.Config()) - *apexFileContextsInfos = append(*apexFileContextsInfos, apexName+":"+fileContextsName) + *apexFileContextsInfos = append(*apexFileContextsInfos, fileContextsInfo) } func apexFlattenedMutator(mctx android.BottomUpMutatorContext) { @@ -272,10 +265,9 @@ type apexBundleProperties struct { Apex_name *string // Determines the file contexts file for setting security context to each file in this APEX bundle. - // Specifically, when this is set to , /system/sepolicy/apex/_file_contexts file is - // used. - // Default: - File_contexts *string + // For platform APEXes, this should points to a file under /system/sepolicy + // Default: /system/sepolicy/apex/_file_contexts. + File_contexts *string `android:"path"` // List of native shared libs that are embedded inside this APEX bundle Native_shared_libs []string @@ -481,6 +473,8 @@ type apexBundle struct { container_certificate_file android.Path container_private_key_file android.Path + fileContexts android.Path + // list of files to be included in this apex filesInfo []apexFile @@ -1174,6 +1168,23 @@ func (a *apexBundle) GenerateAndroidBuildActions(ctx android.ModuleContext) { a.installDir = android.PathForModuleInstall(ctx, "apex") a.filesInfo = filesInfo + if a.properties.ApexType != zipApex { + if a.properties.File_contexts == nil { + a.fileContexts = android.PathForSource(ctx, "system/sepolicy/apex", ctx.ModuleName()+"-file_contexts") + } else { + a.fileContexts = android.PathForModuleSrc(ctx, *a.properties.File_contexts) + if a.Platform() { + if matched, err := path.Match("system/sepolicy/**/*", a.fileContexts.String()); err != nil || !matched { + ctx.PropertyErrorf("file_contexts", "should be under system/sepolicy, but %q", a.fileContexts) + } + } + } + if !android.ExistentPathForSource(ctx, a.fileContexts.String()).Valid() { + ctx.PropertyErrorf("file_contexts", "cannot find file_contexts file: %q", a.fileContexts) + return + } + } + // prepare apex_manifest.json a.buildManifest(ctx, provideNativeLibs, requireNativeLibs) diff --git a/apex/apex_test.go b/apex/apex_test.go index f4b8e35fe..8d62d2613 100644 --- a/apex/apex_test.go +++ b/apex/apex_test.go @@ -263,50 +263,57 @@ func testApexContext(t *testing.T, bp string, handlers ...testCustomizer) (*andr symbol_file: "", native_bridge_supported: true, } + + filegroup { + name: "myapex-file_contexts", + srcs: [ + "system/sepolicy/apex/myapex-file_contexts", + ], + } ` bp = bp + java.GatherRequiredDepsForTest() fs := map[string][]byte{ - "Android.bp": []byte(bp), - "a.java": nil, - "PrebuiltAppFoo.apk": nil, - "PrebuiltAppFooPriv.apk": nil, - "build/make/target/product/security": nil, - "apex_manifest.json": nil, - "AndroidManifest.xml": nil, - "system/sepolicy/apex/myapex-file_contexts": nil, - "system/sepolicy/apex/myapex_keytest-file_contexts": nil, - "system/sepolicy/apex/otherapex-file_contexts": nil, - "system/sepolicy/apex/commonapex-file_contexts": nil, - "mylib.cpp": nil, - "mylib_common.cpp": nil, - "mytest.cpp": nil, - "mytest1.cpp": nil, - "mytest2.cpp": nil, - "mytest3.cpp": nil, - "myprebuilt": nil, - "my_include": nil, - "foo/bar/MyClass.java": nil, - "prebuilt.jar": nil, - "vendor/foo/devkeys/test.x509.pem": nil, - "vendor/foo/devkeys/test.pk8": nil, - "testkey.x509.pem": nil, - "testkey.pk8": nil, - "testkey.override.x509.pem": nil, - "testkey.override.pk8": nil, - "vendor/foo/devkeys/testkey.avbpubkey": nil, - "vendor/foo/devkeys/testkey.pem": nil, - "NOTICE": nil, - "custom_notice": nil, - "testkey2.avbpubkey": nil, - "testkey2.pem": nil, - "myapex-arm64.apex": nil, - "myapex-arm.apex": nil, - "frameworks/base/api/current.txt": nil, - "framework/aidl/a.aidl": nil, - "build/make/core/proguard.flags": nil, - "build/make/core/proguard_basic_keeps.flags": nil, - "dummy.txt": nil, + "Android.bp": []byte(bp), + "a.java": nil, + "PrebuiltAppFoo.apk": nil, + "PrebuiltAppFooPriv.apk": nil, + "build/make/target/product/security": nil, + "apex_manifest.json": nil, + "AndroidManifest.xml": nil, + "system/sepolicy/apex/myapex-file_contexts": nil, + "system/sepolicy/apex/otherapex-file_contexts": nil, + "system/sepolicy/apex/commonapex-file_contexts": nil, + "system/sepolicy/apex/com.android.vndk-file_contexts": nil, + "mylib.cpp": nil, + "mylib_common.cpp": nil, + "mytest.cpp": nil, + "mytest1.cpp": nil, + "mytest2.cpp": nil, + "mytest3.cpp": nil, + "myprebuilt": nil, + "my_include": nil, + "foo/bar/MyClass.java": nil, + "prebuilt.jar": nil, + "vendor/foo/devkeys/test.x509.pem": nil, + "vendor/foo/devkeys/test.pk8": nil, + "testkey.x509.pem": nil, + "testkey.pk8": nil, + "testkey.override.x509.pem": nil, + "testkey.override.pk8": nil, + "vendor/foo/devkeys/testkey.avbpubkey": nil, + "vendor/foo/devkeys/testkey.pem": nil, + "NOTICE": nil, + "custom_notice": nil, + "testkey2.avbpubkey": nil, + "testkey2.pem": nil, + "myapex-arm64.apex": nil, + "myapex-arm.apex": nil, + "frameworks/base/api/current.txt": nil, + "framework/aidl/a.aidl": nil, + "build/make/core/proguard.flags": nil, + "build/make/core/proguard_basic_keeps.flags": nil, + "dummy.txt": nil, } for _, handler := range handlers { @@ -1201,6 +1208,7 @@ func TestKeys(t *testing.T) { key: "myapex.key", certificate: ":myapex.certificate", native_shared_libs: ["mylib"], + file_contexts: ":myapex-file_contexts", } cc_library { @@ -1411,7 +1419,6 @@ func TestVndkApexCurrent(t *testing.T) { apex_vndk { name: "myapex", key: "myapex.key", - file_contexts: "myapex", } apex_key { @@ -1462,7 +1469,6 @@ func TestVndkApexWithPrebuilt(t *testing.T) { apex_vndk { name: "myapex", key: "myapex.key", - file_contexts: "myapex", } apex_key { @@ -1541,7 +1547,7 @@ func TestVndkApexVersion(t *testing.T) { apex_vndk { name: "myapex_v27", key: "myapex.key", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", vndk_version: "27", } @@ -1606,13 +1612,13 @@ func TestVndkApexErrorWithDuplicateVersion(t *testing.T) { apex_vndk { name: "myapex_v27", key: "myapex.key", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", vndk_version: "27", } apex_vndk { name: "myapex_v27_other", key: "myapex.key", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", vndk_version: "27", } @@ -1652,12 +1658,12 @@ func TestVndkApexNameRule(t *testing.T) { apex_vndk { name: "myapex", key: "myapex.key", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", } apex_vndk { name: "myapex_v28", key: "myapex.key", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", vndk_version: "28", } apex_key { @@ -1683,7 +1689,7 @@ func TestVndkApexSkipsNativeBridgeSupportedModules(t *testing.T) { apex_vndk { name: "myapex", key: "myapex.key", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", } apex_key { @@ -1726,7 +1732,7 @@ func TestVndkApexDoesntSupportNativeBridgeSupported(t *testing.T) { apex_vndk { name: "myapex", key: "myapex.key", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", native_bridge_supported: true, } @@ -1756,7 +1762,7 @@ func TestVndkApexWithBinder32(t *testing.T) { apex_vndk { name: "myapex_v27", key: "myapex.key", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", vndk_version: "27", } @@ -1822,7 +1828,7 @@ func TestDependenciesInApexManifest(t *testing.T) { key: "myapex.key", native_shared_libs: ["lib_nodep"], compile_multilib: "both", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", } apex { @@ -1830,7 +1836,7 @@ func TestDependenciesInApexManifest(t *testing.T) { key: "myapex.key", native_shared_libs: ["lib_dep"], compile_multilib: "both", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", } apex { @@ -1838,7 +1844,7 @@ func TestDependenciesInApexManifest(t *testing.T) { key: "myapex.key", native_shared_libs: ["libfoo"], compile_multilib: "both", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", } apex { @@ -1846,7 +1852,7 @@ func TestDependenciesInApexManifest(t *testing.T) { key: "myapex.key", native_shared_libs: ["lib_dep", "libfoo"], compile_multilib: "both", - file_contexts: "myapex", + file_contexts: ":myapex-file_contexts", } apex_key { @@ -2145,6 +2151,7 @@ func TestApexInProductPartition(t *testing.T) { key: "myapex.key", native_shared_libs: ["mylib"], product_specific: true, + file_contexts: "myapex_file_contexts", } apex_key { @@ -2160,7 +2167,9 @@ func TestApexInProductPartition(t *testing.T) { system_shared_libs: [], stl: "none", } - `) + `, withFiles(map[string][]byte{ + "myapex_file_contexts": nil, + })) apex := ctx.ModuleForTests("myapex", "android_common_myapex_image").Module().(*apexBundle) expected := buildDir + "/target/product/test_device/product/apex" @@ -2170,6 +2179,112 @@ func TestApexInProductPartition(t *testing.T) { } } +func TestFileContexts(t *testing.T) { + ctx, _ := testApex(t, ` + apex { + name: "myapex", + key: "myapex.key", + } + + apex_key { + name: "myapex.key", + public_key: "testkey.avbpubkey", + private_key: "testkey.pem", + } + `) + module := ctx.ModuleForTests("myapex", "android_common_myapex_image") + apexRule := module.Rule("apexRule") + actual := apexRule.Args["file_contexts"] + expected := "system/sepolicy/apex/myapex-file_contexts" + if actual != expected { + t.Errorf("wrong file_contexts. expected %q. actual %q", expected, actual) + } + + testApexError(t, `"myapex" .*: file_contexts: should be under system/sepolicy`, ` + apex { + name: "myapex", + key: "myapex.key", + file_contexts: "my_own_file_contexts", + } + + apex_key { + name: "myapex.key", + public_key: "testkey.avbpubkey", + private_key: "testkey.pem", + } + `, withFiles(map[string][]byte{ + "my_own_file_contexts": nil, + })) + + testApexError(t, `"myapex" .*: file_contexts: cannot find`, ` + apex { + name: "myapex", + key: "myapex.key", + product_specific: true, + file_contexts: "product_specific_file_contexts", + } + + apex_key { + name: "myapex.key", + public_key: "testkey.avbpubkey", + private_key: "testkey.pem", + } + `) + + ctx, _ = testApex(t, ` + apex { + name: "myapex", + key: "myapex.key", + product_specific: true, + file_contexts: "product_specific_file_contexts", + } + + apex_key { + name: "myapex.key", + public_key: "testkey.avbpubkey", + private_key: "testkey.pem", + } + `, withFiles(map[string][]byte{ + "product_specific_file_contexts": nil, + })) + module = ctx.ModuleForTests("myapex", "android_common_myapex_image") + apexRule = module.Rule("apexRule") + actual = apexRule.Args["file_contexts"] + expected = "product_specific_file_contexts" + if actual != expected { + t.Errorf("wrong file_contexts. expected %q. actual %q", expected, actual) + } + + ctx, _ = testApex(t, ` + apex { + name: "myapex", + key: "myapex.key", + product_specific: true, + file_contexts: ":my-file-contexts", + } + + apex_key { + name: "myapex.key", + public_key: "testkey.avbpubkey", + private_key: "testkey.pem", + } + + filegroup { + name: "my-file-contexts", + srcs: ["product_specific_file_contexts"], + } + `, withFiles(map[string][]byte{ + "product_specific_file_contexts": nil, + })) + module = ctx.ModuleForTests("myapex", "android_common_myapex_image") + apexRule = module.Rule("apexRule") + actual = apexRule.Args["file_contexts"] + expected = "product_specific_file_contexts" + if actual != expected { + t.Errorf("wrong file_contexts. expected %q. actual %q", expected, actual) + } +} + func TestApexKeyFromOtherModule(t *testing.T) { ctx, _ := testApex(t, ` apex_key { diff --git a/apex/builder.go b/apex/builder.go index b29bc2c78..c834e3d06 100644 --- a/apex/builder.go +++ b/apex/builder.go @@ -340,19 +340,10 @@ func (a *apexBundle) buildUnflattenedApex(ctx android.ModuleContext) { }, }) - fcName := proptools.StringDefault(a.properties.File_contexts, ctx.ModuleName()) - fileContextsPath := "system/sepolicy/apex/" + fcName + "-file_contexts" - fileContextsOptionalPath := android.ExistentPathForSource(ctx, fileContextsPath) - if !fileContextsOptionalPath.Valid() { - ctx.ModuleErrorf("Cannot find file_contexts file: %q", fileContextsPath) - return - } - fileContexts := fileContextsOptionalPath.Path() - optFlags := []string{} // Additional implicit inputs. - implicitInputs = append(implicitInputs, cannedFsConfig, fileContexts, a.private_key_file, a.public_key_file) + implicitInputs = append(implicitInputs, cannedFsConfig, a.fileContexts, a.private_key_file, a.public_key_file) optFlags = append(optFlags, "--pubkey "+a.public_key_file.String()) manifestPackageName, overridden := ctx.DeviceConfig().OverrideManifestPackageNameFor(ctx.ModuleName()) @@ -409,7 +400,7 @@ func (a *apexBundle) buildUnflattenedApex(ctx android.ModuleContext) { "manifest_json_full": a.manifestJsonFullOut.String(), "manifest_json": a.manifestJsonOut.String(), "manifest": a.manifestPbOut.String(), - "file_contexts": fileContexts.String(), + "file_contexts": a.fileContexts.String(), "canned_fs_config": cannedFsConfig.String(), "key": a.private_key_file.String(), "opt_flags": strings.Join(optFlags, " "), @@ -485,6 +476,11 @@ func (a *apexBundle) buildFlattenedApex(ctx android.ModuleContext) { apexName := proptools.StringDefault(a.properties.Apex_name, ctx.ModuleName()) a.outputFile = android.PathForModuleInstall(&factx, "apex", apexName) + if a.installable() { + installPath := android.PathForModuleInstall(ctx, "apex", apexName) + devicePath := android.InstallPathToOnDevicePath(ctx, installPath) + addFlattenedFileContextsInfos(ctx, apexName+":"+devicePath+":"+a.fileContexts.String()) + } a.buildFilesInfo(ctx) }