See https://source.android.com/security/selinux/device-policy

On Tue, Jul 16, 2019 at 11:22 AM Shilesh Babu <[email protected]>
wrote:

> Hi guys,
> I am not able to add a service properly in init.rc; could you please share
> any information on how to add one and create the SELinux policy.
> I am doing.....
> service testapp /system/bin/testapp //adding in init.rc
>
> Created policy in /device/../sepolicy/testapp.te
>
> Working on Android 8, please let me know if you have any inputs.
>
> On Mon, Jul 15, 2019, 11:40 PM 'Dan Willemsen' via Android Building <
> [email protected]> wrote:
>
>> It looks like you've got some custom sepolicy that is violating
>> neverallow rules (
>> https://source.android.com/security/selinux/customize#neverallow):
>>
>> neverallow check failed at
>> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:4265
>>
>>   (neverallow base_typeattr_55_27_0 base_typeattr_56_27_0 (file (execute
>> execute_no_trans entrypoint)))    <root>
>>     allow at
>> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:10748
>>
>>       (allow newtestapp newtestapp_exec (file (read getattr map execute
>> entrypoint open)))
>> neverallow check failed at
>> out/target/product/N1/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4754
>> from system/sepolicy/public/domain.te:668
>>
>>   (neverallow base_typeattr_55 base_typeattr_56 (file (execute
>> execute_no_trans entrypoint)))    <root>
>>     allow at
>> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:10748
>>       (allow newtestapp newtestapp_exec (file (read getattr map execute
>> entrypoint open)))
>>
>> You'll probably want to remove or limit the execute / entrypoint allows
>> for newtestapp -- see any comments around
>> system/sepolicy/public/domain.te:668 for more details.
>>
>> - Dan
>>
>> On Mon, Jul 15, 2019 at 9:31 AM Shilesh Babu <[email protected]>
>> wrote:
>>
>>> Hi Kun Li,
>>> I am facing the same issue; could you please suggest anything?
>>>
>>> system/core/liblog/include/log/log_main.h:240:52: note: expanded from
>>> macro 'ALOGE'
>>> #define ALOGE(...) ((void)ALOG(LOG_ERROR, LOG_TAG, __VA_ARGS__))
>>>                                                    ^~~~~~~~~~~
>>> system/core/liblog/include/log/log_main.h:306:67: note: expanded from
>>> macro 'ALOG'
>>> #define ALOG(priority, tag, ...) LOG_PRI(ANDROID_##priority, tag,
>>> __VA_ARGS__)
>>>
>>> ^~~~~~~~~~~
>>> system/core/liblog/include/log/log_main.h:70:69: note: expanded from
>>> macro 'LOG_PRI'
>>> #define LOG_PRI(priority, tag, ...) android_printLog(priority, tag,
>>> __VA_ARGS__)
>>>
>>> ^~~~~~~~~~~
>>> system/core/liblog/include/log/log_main.h:61:34: note: expanded from
>>> macro 'android_printLog'
>>>   __android_log_print(prio, tag, __VA_ARGS__)
>>>                                  ^~~~~~~~~~~
>>> vendor/qcom/proprietary/mm-still/codec_v1/omx/test/qomx_jpeg_enc_test.c:849:55:
>>> warning: unused parameter 'hComponent' [-Wunused-parameter]
>>> OMX_ERRORTYPE omx_test_enc_ebd(OMX_OUT OMX_HANDLETYPE hComponent,
>>>                                                       ^
>>> vendor/qcom/proprietary/mm-still/codec_v1/omx/test/qomx_jpeg_enc_test.c:850:59:
>>> warning: unused parameter 'pBuffer' [-Wunused-parameter]
>>>   OMX_OUT OMX_PTR pAppData, OMX_OUT OMX_BUFFERHEADERTYPE* pBuffer)
>>>                                                           ^
>>> vendor/qcom/proprietary/mm-still/codec_v1/omx/test/qomx_jpeg_enc_test.c:895:55:
>>> warning: unused parameter 'hComponent' [-Wunused-parameter]
>>> OMX_ERRORTYPE omx_test_enc_fbd(OMX_OUT OMX_HANDLETYPE hComponent,
>>>                                                       ^
>>> vendor/qcom/proprietary/mm-still/codec_v1/omx/test/qomx_jpeg_enc_test.c:945:64:
>>> warning: unused parameter 'hComponent' [-Wunused-parameter]
>>> OMX_ERRORTYPE omx_test_enc_event_handler(OMX_IN OMX_HANDLETYPE
>>> hComponent,
>>>                                                                ^
>>> vendor/qcom/proprietary/mm-still/codec_v1/omx/test/qomx_jpeg_enc_test.c:950:18:
>>> warning: unused parameter 'pEventData' [-Wunused-parameter]
>>>   OMX_IN OMX_PTR pEventData)
>>>                  ^
>>> 9 warnings generated.
>>> [  8% 372/4315] Copy: out/target/product/N1/obj/lib/libmmjpeg.so
>>> [  8% 373/4315] build
>>> out/target/product/N1/obj/SHARED_LIBRARIES/libmmjpeg_intermediates/libmmjpeg.so.toc
>>> [  8% 374/4315] Install: out/target/product/N1/vendor/lib/libmmjpeg.so
>>> [  8% 375/4315] Copy: out/target/product/N1/obj/lib/libmmjpeg.so.toc
>>> [  8% 376/4315] target Executable: mm-qomx-ienc-test
>>> (out/target/product/N1/obj/EXECUTABLES/mm-qomx-ienc-test_intermediates/LINKED/mm-qomx-ienc-test)
>>> [  8% 377/4315] target SharedLib: libmmqjpeg_codec
>>> (out/target/product/N1/obj/SHARED_LIBRARIES/libmmqjpeg_codec_intermediates/LINKED/libmmqjpeg_codec.so)
>>> [  8% 378/4315] target Pack Relocations: libmmqjpeg_codec
>>> (out/target/product/N1/obj/SHARED_LIBRARIES/libmmqjpeg_codec_intermediates/PACKED/libmmqjpeg_codec.so)
>>> [  8% 379/4315] target Unpacked: mm-qomx-ienc-test
>>> (out/target/product/N1/obj/EXECUTABLES/mm-qomx-ienc-test_intermediates/PACKED/mm-qomx-ienc-test)
>>> [  8% 380/4315] target Symbolic: libmmqjpeg_codec
>>> (out/target/product/N1/symbols/vendor/lib/libmmqjpeg_codec.so)
>>> [  8% 381/4315] target Symbolic: mm-qomx-ienc-test
>>> (out/target/product/N1/symbols/system/bin/mm-qomx-ienc-test)
>>> [  8% 382/4315] build
>>> out/target/product/N1/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
>>> FAILED:
>>> out/target/product/N1/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
>>>
>>> /bin/bash -c "out/host/linux-x86/bin/secilc -M true -G -c 30
>>> out/target/product/N1/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil
>>> out/target/product/N1/obj/ETC/27.0.cil_intermediates/27.0.cil
>>> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil
>>> -o
>>> out/target/product/N1/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
>>> -f /dev/null"
>>> neverallow check failed at
>>> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:4265
>>>   (neverallow base_typeattr_55_27_0 base_typeattr_56_27_0 (file (execute
>>> execute_no_trans entrypoint)))
>>>     <root>
>>>     allow at
>>> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:10748
>>>       (allow newtestapp newtestapp_exec (file (read getattr map execute
>>> entrypoint open)))
>>>
>>> neverallow check failed at
>>> out/target/product/N1/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4754
>>> from system/sepolicy/public/domain.te:668
>>>   (neverallow base_typeattr_55 base_typeattr_56 (file (execute
>>> execute_no_trans entrypoint)))
>>>     <root>
>>>     allow at
>>> out/target/product/N1/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:10748
>>>       (allow newtestapp newtestapp_exec (file (read getattr map execute
>>> entrypoint open)))
>>>
>>> Failed to generate binary
>>> Failed to build policydb
>>>
>>> On Tuesday, November 7, 2017 at 9:27:49 PM UTC+5:30, Paul Chang wrote:
>>>>
>>>> You should delete this rule from nonplat_sepolicy.cil:
>>>> allow domain sysfs_qemu_trace (file (ioctl read write getattr lock
>>>> append map open))
>>>>
>>>> 2017-10-13 10:47 GMT+08:00 Kun Li <[email protected]>:
>>>>
>>>>> I hit a sepolicy error when building the latest Android O code
>>>>> with car_emu_x86_64-userdebug:
>>>>> ------------------
>>>>> [ 82% 60943/73832] build
>>>>> out/target/product/.-x86_64/obj/ETC/sepolicy_intermediates/sepolicy
>>>>> FAILED:
>>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy
>>>>> /bin/bash -c "(out/host/linux-x86/bin/secilc -m -M true -G -c 30
>>>>> out/target/product/car-x86_64/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil
>>>>> out/target/product/car-x86_64/obj/ETC/10000.0.cil_intermediates/10000.0.cil
>>>>> out/target/product/car-x86_64/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil
>>>>> -o
>>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.tmp
>>>>> -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-analyze
>>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.tmp
>>>>> permissive >
>>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
>>>>> ) && (if [ \"userdebug\" = \"user\" -a -s
>>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
>>>>> ]; then                 echo \"==========\" 1>&2;               echo
>>>>> \"ERROR: permissive domains not allowed in user builds\" 1>&2;
>>>>> echo \"List of invalid domains:\" 1>&2;                 cat
>>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
>>>>> 1>&2;              exit 1;                 fi ) && (mv
>>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy.tmp
>>>>> out/target/product/car-x86_64/obj/ETC/sepolicy_intermediates/sepolicy )"
>>>>> neverallow check failed at
>>>>> out/target/product/car-x86_64/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:11513
>>>>> from system/sepolicy/private/isolated_app.te:113
>>>>>   (neverallow isolated_app base_typeattr_290 (file (ioctl read write
>>>>> create setattr lock relabelfrom append unlink link rename open)))
>>>>>     <root>
>>>>>     allow at
>>>>> out/target/product/car-x86_64/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6402
>>>>>       (allow domain sysfs_qemu_trace (file (ioctl read write getattr
>>>>> lock append map open)))
>>>>>
>>>>> Failed to generate binary
>>>>> Failed to build policydb
>>>>> [ 82% 60946/73832] //frameworks/compile/slang:llvm-rs-cc clang++
>>>>> slang_rs_object_ref_count.cpp [linux_glibc]
>>>>> ninja: build stopped: subcommand failed.
>>>>> 19:10:30 ninja failed with: exit status 1
>>>>>
>>>>>
>>>>> No idea about this error; has anyone met this before?
>>>>>
>>>>> --
>>>>> --
>>>>> You received this message because you are subscribed to the "Android
>>>>> Building" mailing list.
>>>>> To post to this group, send email to [email protected]
>>>>> To unsubscribe from this group, send email to
>>>>> [email protected]
>>>>> For more options, visit this group at
>>>>> http://groups.google.com/group/android-building?hl=en
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Android Building" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>

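The device-policy layout that gives a new init service its own domain without the hand-written execute/entrypoint allow rule that tripped the neverallow in this thread, as an added example (not code from any message above or from AOSP). Assumed: the names newtestapp/newtestapp_exec from the build output, the binary moved to /vendor/bin/testapp for a Treble-era (Android 8) vendor policy, and that the failing rule is the domain.te neverallow that exempts only exec_type files (the base_typeattr names in the output do not show this).

```sepolicy
# Added example, not from the thread. Three files are shown; the second and
# third are given as comments after their path.

### device/<vendor>/<device>/sepolicy/newtestapp.te

# The process domain for the service.
type newtestapp, domain;

# The executable's file type. exec_type is the attribute a runnable file is
# expected to carry: the platform neverallow on
# { execute execute_no_trans entrypoint } is written against file types that
# lack it, so a type declared without exec_type can never be executed or
# entered, whatever allow rules the device policy adds (assumption about the
# thread's failing rule). vendor_file_type marks it as a /vendor file.
type newtestapp_exec, exec_type, vendor_file_type, file_type;

# init executes newtestapp_exec and the child is automatically transitioned
# into the newtestapp domain. The macro expands to the execute, entrypoint
# and transition rules between init and newtestapp, so the manual
#   allow newtestapp newtestapp_exec:file { read getattr map execute entrypoint open }
# from the build output is not needed.
init_daemon_domain(newtestapp)

# Start with no further access and add only what audit denials show the
# daemon actually needs, for example (device dependent, assumption):
# allow newtestapp some_device:chr_file rw_file_perms;

### device/<vendor>/<device>/sepolicy/file_contexts
# /vendor/bin/testapp        u:object_r:newtestapp_exec:s0

### init.<device>.rc fragment. The domain comes from the file label plus
### init_daemon_domain, so no seclabel line is required.
# service testapp /vendor/bin/testapp
#     class late_start
#     user nobody
```

After changing the .te file, rebuild the policy; the secilc neverallow check shown in the thread runs at build time, so a remaining conflict will be reported there rather than on the device.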