The policy binary format changed to make xperms more extensible, but unfortunately (and irritatingly) not backwards compatible with Android M, which was already under lockdown when Paul gave the final OK for upstream submission. This isn't the first time this issue has been raised: http://marc.info/?l=seandroid-list&m=143446867511331&w=2
This issue is the reason why policy analysis tools were added to the source tree. The recommendation is to use tools from the same version of Android as the policy you're analyzing. Sorry, wish I had a more satisfactory answer.

On Tue, May 10, 2016 at 12:14 PM Joshua Brindle <[email protected]> wrote:

> I have the sepolicy file from a GS7 and using aosp 6.0.1_r43 libsepol
> it parses fine:
>
> $ ./darwin-x86/bin/checkpolicy sepolicy -b -d -M
> ./darwin-x86/bin/checkpolicy: loading policy configuration from sepolicy
> libsepol.policydb_index_others: security: 1 users, 2 roles, 525 types, 0 bools
> libsepol.policydb_index_others: security: 1 sens, 1024 cats
> libsepol.policydb_index_others: security: 87 classes, 4783 rules, 0 cond rules
> ./darwin-x86/bin/checkpolicy: policy configuration loaded
>
> However, on master it fails in avtab_read. I added a log statement to
> print out the key and it is definitely wrong:
>
> $ ~/master/checkpolicy sepolicy -b -d -M
> /Users/brindle/setools/checkpolicy: loading policy configuration from sepolicy
> libsepol.avtab_read_item: more than one specifier
> libsepol.avtab_read_item: Entry: 18433 4353 0 35073 has 2 entries
>
> The format of the log was:
>
> ERR(fp->handle, "Entry: %d %d %d %d has %d entries", key.source_type,
>     key.target_type, key.target_class, key.specified, set);
>
> So that shows specified as 35073 which is definitely wrong.
>
> The only changes I see in avtab.c from 6.0.1 to master look like
> changes from xperms to ops (variable changes). Is there something else
> that could cause this?
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].
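The "more than one specifier" failure in the quoted log, as an added example (not code from libsepol or from either poster): it decodes the logged key, shows that 35073 (0x8901) has two specifier bits set (0x0001 and 0x0100), and shows that the type values exceed the 525 types the 6.0.1 tools reported. The flag values and the four-u16 little-endian key layout are assumptions taken from upstream libsepol's avtab.h and should be checked against the tree in use; `sample_key`, `read_key`, `count_specifiers` and `key_problem` are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Specifier bits; values assumed to match upstream libsepol's avtab.h. */
enum {
    AVTAB_ALLOWED = 0x0001, AVTAB_AUDITALLOW = 0x0002, AVTAB_AUDITDENY = 0x0004,
    AVTAB_TRANSITION = 0x0010, AVTAB_MEMBER = 0x0020, AVTAB_CHANGE = 0x0040,
    AVTAB_XPERMS_ALLOWED = 0x0100, AVTAB_XPERMS_AUDITALLOW = 0x0200,
    AVTAB_XPERMS_DONTAUDIT = 0x0400
};
static const uint16_t spec_order[] = {
    AVTAB_ALLOWED, AVTAB_AUDITDENY, AVTAB_AUDITALLOW, AVTAB_TRANSITION,
    AVTAB_CHANGE, AVTAB_MEMBER, AVTAB_XPERMS_ALLOWED,
    AVTAB_XPERMS_AUDITALLOW, AVTAB_XPERMS_DONTAUDIT
};
struct avkey { uint16_t source_type, target_type, target_class, specified; };
/* Constructed sample: the logged key 18433 4353 0 35073 re-encoded as LE u16s. */
static const uint8_t sample_key[8] = { 0x01, 0x48, 0x01, 0x11, 0x00, 0x00, 0x01, 0x89 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Decode the four little-endian u16 key fields (layout is an assumption). */
struct avkey read_key(const uint8_t *b)
{
    struct avkey k = { le16(b), le16(b + 2), le16(b + 4), le16(b + 6) };
    return k;
}
/* Count the specifier bits set; a well-formed entry has exactly one. */
int count_specifiers(uint16_t specified)
{
    int set = 0;
    for (size_t i = 0; i < sizeof spec_order / sizeof spec_order[0]; i++)
        if (specified & spec_order[i]) set++;
    return set;
}
/* NULL if the key is plausible for this policy, else the first reason it is not. */
const char *key_problem(struct avkey k, unsigned ntypes, unsigned nclasses)
{
    if (!k.source_type || k.source_type > ntypes) return "source_type out of range";
    if (!k.target_type || k.target_type > ntypes) return "target_type out of range";
    if (!k.target_class || k.target_class > nclasses) return "target_class out of range";
    if (count_specifiers(k.specified) != 1) return "not exactly one specifier";
    return NULL;
}
int main(void)
{
    /* 525 types and 87 classes are the counts from the quoted 6.0.1 load. */
    const char *why = key_problem(read_key(sample_key), 525, 87);
    printf("specifiers=%d problem=%s\n", count_specifiers(35073), why ? why : "none");
    return 0;
}
```

Every field of the logged key fails a range or specifier check at once, which is the signature of a reader that is out of step with the on-disk entry layout rather than a single corrupt rule.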
