xref: /aosp_15_r20/system/sepolicy/tools/post_process_mac_perms (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)

#!/usr/bin/env python
#
# Copyright (C) 2013 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""
Tool to help modify an existing mac_permissions.xml with additional app
certs not already found in that policy. This becomes useful when a directory
containing apps is searched and the certs from those apps are added to the
policy not already explicitly listed.
"""

import sys
import os
import argparse
from base64 import b16encode, b64decode
import fileinput
import re
import subprocess
import zipfile

PEM_CERT_RE = """-----BEGIN CERTIFICATE-----
(.+?)
-----END CERTIFICATE-----
"""
def collect_certs_for_app(filename):
  app_certs = set()
  with zipfile.ZipFile(filename, 'r') as apkzip:
    for info in apkzip.infolist():
      name = info.filename
      if name.startswith('META-INF/') and name.endswith(('.DSA', '.RSA')):
        cmd = ['openssl', 'pkcs7', '-inform', 'DER',
               '-outform', 'PEM', '-print_certs']
        p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                             stderr=subprocess.PIPE)
        pem_string, err = p.communicate(apkzip.read(name))
        if err and err.strip():
          raise RuntimeError('Problem running openssl on %s (%s)' % (filename, e))

        # turn multiline base64 to single line base16
        transform = lambda x: b16encode(b64decode(x.replace('\n', ''))).lower()
        results = re.findall(PEM_CERT_RE, pem_string, re.DOTALL)
        certs = [transform(i) for i in results]

        app_certs.update(certs)

  return app_certs

def add_leftover_certs(args):
  all_app_certs = set()
  for dirpath, _, files in os.walk(args.dir):
    transform = lambda x: os.path.join(dirpath, x)
    condition = lambda x: x.endswith('.apk')
    apps = [transform(i) for i in files if condition(i)]

    # Collect certs for each app found
    for app in apps:
      app_certs = collect_certs_for_app(app)
      all_app_certs.update(app_certs)

  if all_app_certs:
    policy_certs = set()
    with open(args.policy, 'r') as f:
      cert_pattern = 'signature="([a-fA-F0-9]+)"'
      policy_certs = re.findall(cert_pattern, f.read())

    cert_diff = all_app_certs.difference(policy_certs)

    # Build xml stanzas
    inner_tag = '<seinfo value="%s"/>' % args.seinfo
    stanza = '<signer signature="%s">%s</signer>'
    new_stanzas = [stanza % (cert, inner_tag) for cert in cert_diff]
    mac_perms_string = ''.join(new_stanzas)
    mac_perms_string += '</policy>'

    # Inline replace with new policy stanzas
    for line in fileinput.input(args.policy, inplace=True):
      sys.stdout.write(line.replace('</policy>', mac_perms_string))

def main(argv):
  parser = argparse.ArgumentParser(description=__doc__)

  parser.add_argument('-s', '--seinfo', dest='seinfo', required=True,
                      help='seinfo tag for each generated stanza')
  parser.add_argument('-d', '--dir', dest='dir', required=True,
                      help='Directory to search for apks')
  parser.add_argument('-f', '--file', dest='policy', required=True,
                      help='mac_permissions.xml policy file')

  parser.set_defaults(func=add_leftover_certs)
  args = parser.parse_args()
  args.func(args)

if __name__ == '__main__':
  main(sys.argv)