support overriding the auto-detected "privileged: true" flag in APK modules

2023-03-17 20:48:09 +02:00 · 2023-03-17 20:48:09 +02:00 · 0a0d6add20
commit 0a0d6add20
parent c5a7db6c85
4 changed files with 19 additions and 3 deletions
--- a/src/blobs/build.ts
+++ b/src/blobs/build.ts
@ -161,7 +161,7 @@ export async function generateBuild(
      namespace: true,
    },
    proprietaryBlueprint: {
-      modules: namedModules.values(),
+      modules: Array.from(namedModules.values()),
    },
    modulesMakefile: {
      device,
--- a/src/build/soong.ts
+++ b/src/build/soong.ts
@ -6,6 +6,7 @@ import { SOONG_HEADER } from '../util/headers'
 export const SPECIAL_FILE_EXTENSIONS = new Set(['.so', '.apk', '.jar', '.xml', '.apex'])

 export const TYPE_SHARED_LIBRARY = 'cc_prebuilt_library_shared'
+export const TYPE_APK = 'android_app_import'

 export interface TargetSrcs {
  srcs: Array<string>
@ -120,7 +121,7 @@ export type SoongModule = {
 export interface SoongBlueprint {
  namespace?: boolean

-  modules?: Iterable<SoongModule>
+  modules?: SoongModule[]
 }

 function getRelativeInstallPath(entry: BlobEntry, pathParts: Array<string>, installDir: string) {
@ -263,7 +264,7 @@ export function blobToSoongModule(
    }
  } else if (ext == '.apk') {
    moduleSpecific = {
-      _type: 'android_app_import',
+      _type: TYPE_APK,
      apk: entry.srcPath,
      ...((entry.isPresigned && { presigned: true }) || { certificate: 'platform' }),
      ...(entry.path.startsWith('priv-app/') && { privileged: true }),
--- a/src/config/device.ts
+++ b/src/config/device.ts
@ -54,6 +54,7 @@ export interface DeviceConfig {
    sepolicy_dirs: Filters
    dep_files: Filters
    files: Filters
+    deprivileged_apks: Filters
  }
 }

@ -109,6 +110,7 @@ const DEFAULT_CONFIG_BASE = {
    sepolicy_dirs: structuredClone(EMPTY_FILTERS),
    dep_files: structuredClone(EMPTY_INCLUDE_FILTERS),
    files: structuredClone(EMPTY_FILTERS),
+    deprivileged_apks: structuredClone(EMPTY_INCLUDE_FILTERS),
  },
 }

--- a/src/frontend/generate.ts
+++ b/src/frontend/generate.ts
@ -27,6 +27,8 @@ import {
 import { generateFileContexts } from '../selinux/labels'
 import { exists, readFile, TempState } from '../util/fs'
 import { ALL_SYS_PARTITIONS } from '../util/partitions'
+import {ApkModule, TYPE_APK} from "../build/soong"
+import assert from "assert"

 export interface PropResults {
  stockProps: PartitionProps
@ -358,5 +360,16 @@ export async function generateBuildFiles(
    await fs.writeFile(`${dirs.out}/proprietary-files.txt`, `${fileList}\n`)
  }

+  // Handle deprivileging of APKs
+  for (let m of build.proprietaryBlueprint?.modules ?? []) {
+    if (m._type == TYPE_APK) {
+      let apkModule = m as ApkModule
+      if (filterValue(config.filters.deprivileged_apks, apkModule.apk)) {
+        assert(apkModule.privileged, apkModule.apk + " is already unprivileged")
+        apkModule.privileged = false
+      }
+    }
+  }
+
  await writeBuildFiles(build, dirs)
 }