I'm developing an exercise of defining an AIDL HAL in system_ext, an 
interface implementation in the vendor image and an i/f consumer in 
system_ext. I also defined the device manifest and the framework 
compatibility matrix and all parts communicate beautifully when they run as 
root. Now I'm writing the sepolicy so they can run without privileges but 
I'm having a pretty hard time with it.

I'm building AOSP this way:

$ repo init \
--verbose \
--manifest-url=https://android.googlesource.com/platform/manifest \
--manifest-branch=android-13.0.0_r61

$ repo sync \
--network-only \
--verbose

$ repo sync \
--local-only \
--verbose

$ source build/envsetup.sh

$ lunch sdk_phone_x86_64-eng

$ m

The sync and build defined above work fine and the emulator opens. But as 
soon as I define a hal_attribute() in system_ext, the build fails with an 
infinite scroll of neverallow rule infringements.

The changes I made:

$ repo diff

project device/generic/goldfish/
diff --git a/vendor.mk b/vendor.mk
index f558be35..2ff0ac74 100644
--- a/vendor.mk
+++ b/vendor.mk
@@ -345,3 +345,5 @@ ifneq ($(EMULATOR_VENDOR_NO_FINGERPRINT), true)
     PRODUCT_COPY_FILES += \
        
 
frameworks/native/data/etc/android.hardware.fingerprint.xml:$(TARGET_COPY_OUT_VENDOR)/etc/permissions/android.hardware.fingerprint.xml
 endif
+
+$(call inherit-product-if-exists, vendor/nandsito/goldfish/vendor.mk)
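Review bot: the added `+$(call inherit-product-if-exists, vendor/nandsito/goldfish/vendor.mk)` line fails silently when the path is wrong, so a typo in it would yield a build that quietly drops the SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS addition and then passes the neverallow checks for the wrong reason. Since this hook is the only thing pulling the system_ext policy in, prefer `$(call inherit-product, vendor/nandsito/goldfish/vendor.mk)` so a missing file stops the build. As a style point, the hunk edits device/generic/goldfish/vendor.mk in place; a product makefile of your own that inherits from the goldfish one would keep the local change out of the upstream file.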

$ cat vendor/nandsito/goldfish/vendor.mk
SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += vendor/nandsito/sepolicy/system_ext/public

$ ls vendor/nandsito/sepolicy/system_ext/public
attributes

$ cat vendor/nandsito/sepolicy/system_ext/public/attributes
hal_attribute(myhal)

The generated out/build_error file is 2.2 megabytes. Its head and tail:

[//system/sepolicy:system_ext_sepolicy.cil Building cil for 
system_ext_sepolicy.cil [common]

out/host/linux-x86/bin/checkpolicy -C -M -c 30 -o 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil
 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.conf/android_common/system_ext_sepolicy.conf
 
&& out/host/linux-x86/bin/build_sepolicy filter_out -f 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil
 
-t 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil
 
&& grep -v ';;' 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil
 
> 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil.tmp
 
&& mv 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil.tmp
 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil
 
&& out/host/linux-x86/bin/secilc -m -M true -G -c 30 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil
 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil
 
-o /dev/null -f /dev/null # hash of input list: 
4ecb6148ab29a9609136580b26806507384683052f53efdc2f3d67593f593e31

neverallow check failed at 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:2733
  (neverallow base_typeattr_599 zygote_userfaultfd (anon_inode (ioctl read 
write create getattr setattr lock relabelfrom relabelto append map unlink 
link rename execute quotaon mounton audit_access open execmod watch 
watch_mount watch_sb watch_with_perm watch_reads)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:29429
      (allow zygote zygote_userfaultfd (anon_inode (ioctl read create)))

neverallow check failed at 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:2732
  (neverallow webview_zygote base_typeattr_600 (service_manager (find)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:17225
      (allow base_typeattr_579 keystore_maintenance_service 
(service_manager (find)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:17230
      (allow base_typeattr_579 apc_service (service_manager (find)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:17231
      (allow base_typeattr_579 keystore_service (service_manager (find)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:17232
      (allow base_typeattr_579 legacykeystore_service (service_manager 
(find)))
    Only first 4 of 5 matching rules shown (use "-v" to show all)

neverallow check failed at 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:2731
  (neverallow base_typeattr_599 webview_zygote (process (dyntransition)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:15156
      (allow runas base_typeattr_530 (process (dyntransition)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:29425
      (allow zygote webview_zygote (process (dyntransition)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:976
      (allow runas base_typeattr_533 (process (dyntransition)))

...

neverallow check failed at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6725
 
from system/sepolicy/public/apexd.te:8
  (neverallow base_typeattr_200 apex_service (service_manager (find)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6716
      (allow apexd apex_service (service_manager (add find)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:27897
      (allow system_server apex_service (service_manager (find)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:28842
      (allow update_engine apex_service (service_manager (find)))

neverallow check failed at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6719
 
from system/sepolicy/public/apexd.te:6
  (neverallow base_typeattr_199 apex_service (service_manager (add)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6716
      (allow apexd apex_service (service_manager (add find)))

neverallow check failed at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6690
 
from system/sepolicy/public/adbd.te:9
  (neverallow base_typeattr_197 adbd (process (dyntransition)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:15156
      (allow runas base_typeattr_530 (process (dyntransition)))
    <root>
    allow at 
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:976
      (allow runas base_typeattr_533 (process (dyntransition)))

Failed to generate binary
Failed to build policydb

out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil

exited with code: 1

Just out of curiosity, I tried defining the hal_attribute(myhal) in 
system/sepolicy/public/attributes and 
system/sepolicy/prebuilts/api/33.0/public/attributes and it built just fine.

So I have two questions: is defining an AIDL HAL in system_ext a proper and 
feasible design? In case it is, what am I doing wrong with the sepolicy 
definition in system_ext?

Thank you

-- 
-- 
You received this message because you are subscribed to the "Android Building" 
mailing list.
To post to this group, send email to android-building@googlegroups.com
To unsubscribe from this group, send email to
android-building+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-building?hl=en

To view this discussion on the web visit 
https://groups.google.com/d/msgid/android-building/462a63a1-0ffd-4fdf-ac8c-8cca1d20d400n%40googlegroups.com.
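As an added triage helper, not part of the post above and not AOSP code: a small Python parser for the secilc "neverallow check failed" report format quoted in the post. The mail wrapping split paths and s-expressions across lines, so the parser first re-joins them, then records each failing neverallow, its originating .te file when secilc names one, and the allow rules that trigger it. The summary shows what the report makes visible: how many failures live in each compiled .cil, which failing neverallows in the system_ext .cil are triggered only by allows from plat_sepolicy.cil, and which synthesised base_typeattr_N names they refer to. SAMPLE is a constructed excerpt trimmed from the report above (the first rule's permission list is shortened); the format assumptions are taken from that report only.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

_FAILED, _ALLOW_AT = "neverallow check failed at ", "allow at "
_ONLY = re.compile(r"Only first (\d+) of (\d+) matching rules shown")


@dataclass
class Violation:
    location: str                      # <compiled .cil>:<line> holding the neverallow
    source: Optional[str] = None       # originating .te:<line>, when secilc reports one
    rule: str = ""                     # the neverallow s-expression, whitespace-normalised
    allows: List[Tuple[str, str]] = field(default_factory=list)  # (location, allow rule)
    shown: Optional[int] = None        # from "Only first N of M matching rules shown"
    total: Optional[int] = None


def _logical_lines(text: str) -> List[str]:
    """Undo mail wrapping: put a path back on the 'at' line that owns it, and keep
    appending lines to an s-expression until its parentheses balance."""
    text = re.sub(r"\bat[ \t]*\n[ \t]*", "at ", text)
    out: List[str] = []
    depth = 0
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if depth > 0:
            out[-1] += " " + line
        else:
            out.append(line)
        depth += line.count("(") - line.count(")")
    return out


def parse_neverallow_report(text: str) -> List[Violation]:
    """Turn secilc's 'neverallow check failed' blocks into Violation records."""
    violations: List[Violation] = []
    cur: Optional[Violation] = None
    pending_loc = ""
    for line in _logical_lines(text):
        if line.startswith(_FAILED):
            cur = Violation(location=line[len(_FAILED):])
            violations.append(cur)
        elif cur is None or line == "<root>":
            continue
        elif line.startswith("from "):
            cur.source = line[len("from "):]
        elif line.startswith("(neverallow "):
            cur.rule = " ".join(line.split())
        elif line.startswith(_ALLOW_AT):
            pending_loc = line[len(_ALLOW_AT):]
        elif line.startswith("(allow "):
            cur.allows.append((pending_loc, " ".join(line.split())))
        elif (m := _ONLY.search(line)):
            cur.shown, cur.total = int(m.group(1)), int(m.group(2))
    return violations


def summarize(violations: List[Violation]) -> dict:
    """Failures per compiled .cil, failures whose every triggering allow lives in a
    different .cil than the neverallow, and the synthesised attribute names involved."""
    cil = lambda loc: os.path.basename(loc.rsplit(":", 1)[0])
    cross = [v.location for v in violations
             if v.allows and all(cil(loc) != cil(v.location) for loc, _ in v.allows)]
    attrs = sorted({a for v in violations for a in re.findall(r"base_typeattr_\d+", v.rule)})
    return {"per_cil": dict(Counter(cil(v.location) for v in violations)),
            "cross_cil": cross, "synthetic_attrs": attrs}


# Constructed sample: three blocks trimmed from the build_error excerpt in the post.
SAMPLE = """\
neverallow check failed at
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:2733
  (neverallow base_typeattr_599 zygote_userfaultfd (anon_inode (ioctl read
write create getattr setattr lock)))
    <root>
    allow at
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:29429
      (allow zygote zygote_userfaultfd (anon_inode (ioctl read create)))

neverallow check failed at
out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:2732
  (neverallow webview_zygote base_typeattr_600 (service_manager (find)))
    <root>
    allow at
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:17225
      (allow base_typeattr_579 keystore_maintenance_service
(service_manager (find)))
    Only first 4 of 5 matching rules shown (use "-v" to show all)

neverallow check failed at
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6725

from system/sepolicy/public/apexd.te:8
  (neverallow base_typeattr_200 apex_service (service_manager (find)))
    <root>
    allow at
out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6716
      (allow apexd apex_service (service_manager (add find)))
"""

if __name__ == "__main__":
    print(summarize(parse_neverallow_report(SAMPLE)))
```

Run it on the real out/build_error file with `parse_neverallow_report(open("out/build_error").read())`; the "cross_cil" list is the quickest way to see how many of the failures are neverallows compiled into system_ext_sepolicy.cil that only fire against plat_sepolicy.cil allows, as opposed to neverallows traceable to a named .te file.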
