Commits

Stephen Smalley committed 731a07b Merge

Merge branch 'intent_mac' into cp_mac

Comments (0)

Files changed (11)

core/base_rules.mk

 ifdef LOCAL_DEX_PREOPT
 installed_odex := $(basename $(LOCAL_INSTALLED_MODULE)).odex
 built_odex := $(basename $(LOCAL_BUILT_MODULE)).odex
-$(installed_odex) : $(built_odex) | $(ACP)
+$(installed_odex) : $(built_odex) $(LOCAL_BUILT_MODULE) | $(ACP)
 	@echo "Install: $@"
 	$(copy-file-to-target)
 

core/combo/TARGET_linux-arm.mk

 			-fstack-protector \
 			-Wa,--noexecstack \
 			-Werror=format-security \
-			-D_FORTIFY_SOURCE=1 \
+			-D_FORTIFY_SOURCE=2 \
 			-fno-short-enums \
 			$(arch_variant_cflags)
 

core/combo/TARGET_linux-mips.mk

 			-funwind-tables \
 			-Wa,--noexecstack \
 			-Werror=format-security \
-			-D_FORTIFY_SOURCE=1 \
+			-D_FORTIFY_SOURCE=2 \
 			$(arch_variant_cflags)
 
 android_config_h := $(call select-android-config-h,linux-mips)

core/combo/TARGET_linux-x86.mk

 			-Ulinux \
 			-Wa,--noexecstack \
 			-Werror=format-security \
-			-D_FORTIFY_SOURCE=1 \
+			-D_FORTIFY_SOURCE=2 \
 			-Wstrict-aliasing=2 \
 			-fPIC -fPIE \
 			-ffunction-sections \

core/dex_preopt.mk

 ####################################
 
 # TODO: replace it with device's BOOTCLASSPATH
-DEXPREOPT_BOOT_JARS := core:okhttp:core-junit:bouncycastle:ext:framework:telephony-common:mms-common:android.policy:services:apache-xml
+DEXPREOPT_BOOT_JARS := core:conscrypt:okhttp:core-junit:bouncycastle:ext:framework:telephony-common:mms-common:android.policy:services:apache-xml
 DEXPREOPT_BOOT_JARS_MODULES := $(subst :, ,$(DEXPREOPT_BOOT_JARS))
 
 DEXPREOPT_BUILD_DIR := $(OUT_DIR)

core/tasks/cts.mk

 endef
 
 CORE_INTERMEDIATES :=$(call intermediates-dir-for,JAVA_LIBRARIES,core,,COMMON)
+CONSCRYPT_INTERMEDIATES :=$(call intermediates-dir-for,JAVA_LIBRARIES,conscrypt,,COMMON)
 BOUNCYCASTLE_INTERMEDIATES :=$(call intermediates-dir-for,JAVA_LIBRARIES,bouncycastle,,COMMON)
 APACHEXML_INTERMEDIATES :=$(call intermediates-dir-for,JAVA_LIBRARIES,apache-xml,,COMMON)
 OKHTTP_INTERMEDIATES :=$(call intermediates-dir-for,JAVA_LIBRARIES,okhttp,,COMMON)
 JUNIT_INTERMEDIATES :=$(call intermediates-dir-for,JAVA_LIBRARIES,core-junit,,COMMON)
 CORETESTS_INTERMEDIATES :=$(call intermediates-dir-for,JAVA_LIBRARIES,core-tests,,COMMON)
 
-GEN_CLASSPATH := $(CORE_INTERMEDIATES)/classes.jar:$(BOUNCYCASTLE_INTERMEDIATES)/classes.jar:$(APACHEXML_INTERMEDIATES)/classes.jar:$(OKHTTP_INTERMEDIATES)/classes.jar:$(JUNIT_INTERMEDIATES)/classes.jar:$(SQLITEJDBC_INTERMEDIATES)/javalib.jar:$(CORETESTS_INTERMEDIATES)/javalib.jar
+GEN_CLASSPATH := $(CORE_INTERMEDIATES)/classes.jar:$(CONSCRYPT_INTERMEDIATES)/classes.jar:$(BOUNCYCASTLE_INTERMEDIATES)/classes.jar:$(APACHEXML_INTERMEDIATES)/classes.jar:$(OKHTTP_INTERMEDIATES)/classes.jar:$(JUNIT_INTERMEDIATES)/classes.jar:$(SQLITEJDBC_INTERMEDIATES)/javalib.jar:$(CORETESTS_INTERMEDIATES)/javalib.jar
 
 CTS_CORE_XMLS := \
 	$(CTS_TESTCASES_OUT)/android.core.tests.libcore.package.dalvik.xml \

target/product/core.mk

     cacerts \
     com.android.location.provider \
     com.android.location.provider.xml \
+    conscrypt \
     core \
     core-junit \
     dalvikvm \
     PRODUCT_PACKAGES += \
         apache-xml-hostdex \
         bouncycastle-hostdex \
+        conscrypt-hostdex \
         core-hostdex \
         okhttp-hostdex \
         libcrypto \

target/product/mini.mk

     cacerts \
     com.android.location.provider \
     com.android.location.provider.xml \
+    conscrypt \
     core \
     core-junit \
     dalvikvm \

tools/releasetools/check_target_files_signatures

 
     for i in to_load:
       f = open(i)
-      cert = ParseCertificate(f.read())
+      cert = common.ParseCertificate(f.read())
       f.close()
       name, _ = os.path.splitext(i)
       name, _ = os.path.splitext(name)
 ALL_CERTS = CertDB()
 
 
-def ParseCertificate(data):
-  """Parse a PEM-format certificate."""
-  cert = []
-  save = False
-  for line in data.split("\n"):
-    if "--END CERTIFICATE--" in line:
-      break
-    if save:
-      cert.append(line)
-    if "--BEGIN CERTIFICATE--" in line:
-      save = True
-  cert = "".join(cert).decode('base64')
-  return cert
-
-
 def CertFromPKCS7(data, filename):
   """Read the cert out of a PKCS#7-format file (which is what is
   stored in a signed .apk)."""
       AddProblem("error reading cert:\n" + err)
       return None
 
-    cert = ParseCertificate(out)
+    cert = common.ParseCertificate(out)
     if not cert:
       AddProblem("error parsing cert output")
       return None

tools/releasetools/common.py

     return PARTITION_TYPES[fstab[mount_point].fs_type], fstab[mount_point].device
   else:
     return None
+
+
+def ParseCertificate(data):
+  """Parse a PEM-format certificate."""
+  cert = []
+  save = False
+  for line in data.split("\n"):
+    if "--END CERTIFICATE--" in line:
+      break
+    if save:
+      cert.append(line)
+    if "--BEGIN CERTIFICATE--" in line:
+      save = True
+  cert = "".join(cert).decode('base64')
+  return cert

tools/releasetools/sign_target_files_apks

   print >> sys.stderr, "Python 2.4 or newer is required."
   sys.exit(1)
 
+import base64
 import cStringIO
 import copy
+import errno
 import os
 import re
 import subprocess
       output_tf_zip.writestr(out_info, data)
 
 
+def ReplaceMMACCerts(input_tf_zip, output_tf_zip):
+  """Replace all occurences of a set of X509 certs with
+  a newer set of X509 certs in MMAC policy files."""
+  for info in input_tf_zip.infolist():
+    if any(info.filename.endswith(x) for x in ('content_permissions.xml',
+                                               'intent_mac.xml',
+                                               'mac_permissions.xml',
+                                               'mmac_types.xml')):
+      data = input_tf_zip.read(info.filename)
+      print "Rewriting %s with new keys." % info.filename
+      for old, new in OPTIONS.key_map.iteritems():
+        try:
+          if OPTIONS.verbose:
+            print "Trying to replace " + old + ".x509.pem with " + new + ".x509.pem"
+          f = open(old + ".x509.pem")
+          old_cert16 = base64.b16encode(common.ParseCertificate(f.read())).lower()
+          f.close()
+          f = open(new + ".x509.pem")
+          new_cert16 = base64.b16encode(common.ParseCertificate(f.read())).lower()
+          f.close()
+          (data, num_subs) = re.subn(old_cert16, new_cert16, data)
+          if OPTIONS.verbose:
+            print "\tReplaced %d occurence(s) of %s.x509.pem with %s.x509.pem" % (num_subs, old, new)
+        except IOError, e:
+          # We have no prior knowledge of the certs in the MMAC files. So we
+          # open and parse each x509 specified from the command line and do a simple
+          # string substitution. This however means that the devkey.x509.pem is always
+          # checked while rarely existing; devkey is one of the 5 default key mappings
+          # used. Instead of reporting that error every time we ignore the reporting
+          # unless in verbose mode. We instead only report on errors with x509 keys
+          # of the 4 normal AOSP keys or those explicitly added with the -k option.
+          if (old.endswith("devkey") and e.errno == errno.ENOENT and not OPTIONS.verbose):
+            continue
+
+          print "\tError trying to access %s. %s. Skipping trying to replace " \
+                "%s.x509.pem with %s.x509.pem." % (e.filename, e.strerror, old, new)
+
+      output_tf_zip.writestr(info, data)
+
+
 def EditTags(tags):
   """Given a string containing comma-separated tags, apply the edits
   specified in OPTIONS.tag_changes and return the updated string."""
   if OPTIONS.replace_ota_keys:
     ReplaceOtaKeys(input_zip, output_zip, misc_info)
 
+  ReplaceMMACCerts(input_zip, output_zip)
+
   input_zip.close()
   output_zip.close()
 
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.