Hi,

I want to perform file read/write operations from the /hardware/qcom/audio/post_proc/volume_listener.c <http://androidxref.com/8.0.0_r4/xref/hardware/qcom/audio/post_proc/volume_listener.c> effect file. I have created a directory at /data/vendor/misc/my_dir, so I want to write effect data from volume_listener.c to my directory.

As per my understanding, the post_proc effect comes under the hal_audio_default domain. So I added

allow hal_audio_default system_data_file:file { write create };

to the hal_audio.te file. But after adding it, I'm facing the following issue while building AOSP.

NOTE - I'm working on Android Oreo.

Error -
libsepol.report_failure: neverallow on line 856 of system/sepolicy/public/domain.te (or line 9111 of policy.conf) violated by allow hal_audio_default system_data_file:file { write create };

I hope you understand my issue. Please help me to solve this issue. Please find attached build log for more clarity.

Regards,
Mantesh

mantesh@PUNECPU373/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0:$
mantesh@PUNECPU373/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0:$adb logcat -b all -d | audit2allow -p ../../../../../sepolicy/policy
- waiting for device -

#============= bluetooth ==============
allow bluetooth default_android_service:service_manager find;

#============= hal_graphics_composer_default ==============
allow hal_graphics_composer_default sysfs:file { getattr open read };

#============= hal_usb_default ==============
allow hal_usb_default self:capability dac_override;

#============= mediaextractor ==============
allow mediaextractor sdcardfs:file { getattr read };

#============= platform_app ==============
allow platform_app cache_file:lnk_file read;
allow platform_app wigig_prop:file { getattr open };

#============= qti_init_shell ==============
allow qti_init_shell default_prop:property_service set;
allow qti_init_shell sysfs_cpu_boost:file write;

#============= qvrd ==============
allow qvrd vendor_file:file execute;

#============= radio ==============
allow radio opengles_prop:file { getattr open read };
allow radio system_app_data_file:dir getattr;

#============= surfaceflinger ==============
allow surfaceflinger mediacodec:binder call;

#============= system_app ==============
allow system_app default_android_service:service_manager add;

#============= thermal-engine ==============
allow thermal-engine sysfs_uio:dir { open read search };
allow thermal-engine sysfs_uio:lnk_file read;
allow thermal-engine sysfs_uio_file:dir search;
allow thermal-engine sysfs_uio_file:file { getattr open read };

#============= ueventd ==============
allow ueventd mba_debug_dev:blk_file { open read };

#============= vendor-qti-testscripts ==============
allow vendor-qti-testscripts coresight_prop:file { getattr open read };
mantesh@PUNECPU373/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0:$
mantesh@PUNECPU373/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0:$adb logcat -b all -d | audit2allow -p ../../../../../sepolicy/policy
adb server version (31) doesn't match this client (39); killing...
* daemon started successfully

#============= bluetooth ==============
allow bluetooth default_android_service:service_manager find;

#============= hal_graphics_composer_default ==============
allow hal_graphics_composer_default sysfs:file { getattr open read };

#============= hal_usb_default ==============
allow hal_usb_default self:capability dac_override;

#============= mediaextractor ==============
allow mediaextractor sdcardfs:file { getattr read };

#============= platform_app ==============
allow platform_app cache_file:lnk_file read;
allow platform_app wigig_prop:file { getattr open };

#============= qti_init_shell ==============
allow qti_init_shell default_prop:property_service set;
allow qti_init_shell sysfs_cpu_boost:file write;

#============= qvrd ==============
allow qvrd vendor_file:file execute;

#============= radio ==============
allow radio opengles_prop:file { getattr open read };
allow radio system_app_data_file:dir getattr;

#============= surfaceflinger ==============
allow surfaceflinger mediacodec:binder call;

#============= system_app ==============
allow system_app default_android_service:service_manager add;

#============= thermal-engine ==============
allow thermal-engine sysfs_uio:dir { open read search };
allow thermal-engine sysfs_uio:lnk_file read;
allow thermal-engine sysfs_uio_file:dir search;
allow thermal-engine sysfs_uio_file:file { getattr open read };

#============= ueventd ==============
allow ueventd mba_debug_dev:blk_file { open read };

#============= untrusted_app ==============
allow untrusted_app proc:file { getattr open read };

#============= vendor-qti-testscripts ==============
allow vendor-qti-testscripts coresight_prop:file { getattr open read };
mantesh@PUNECPU373/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0:$make
[1/1] out/soong/.bootstrap/bin/soong_build out/soong/build.ninja
No need to regenerate ninja file
[100% 2/2] out/soong/.bootstrap/bin/soong_build out/soong/build.ninja
[ 50% 1/2] glob art
[ 0% 2/1149] build out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy.conf
m4: device/qcom/sepolicy/common/fidodaemon.te: 21: deprecated: unix_socket_connect(fidodaemon, property, init) Please use set_prop(fidodaemon, <property name>) instead.
m4: device/qcom/sepolicy/common/hal_factory_qti_default.te: 35: deprecated: unix_socket_connect(hal_factory_qti, property, init) Please use set_prop(hal_factory_qti, <property name>) instead.
m4: device/qcom/sepolicy/common/qseecomd.te: 63: deprecated: unix_socket_connect(tee, property, init) Please use set_prop(tee, <property name>) instead.
m4: device/qcom/sepolicy/common/qseeproxy.te: 50: deprecated: unix_socket_connect(qseeproxy, property, init) Please use set_prop(qseeproxy, <property name>) instead.
m4: device/qcom/sepolicy/test/fidotest.te: 4: deprecated: unix_socket_connect(fidotest, property, init) Please use set_prop(fidotest, <property name>) instead.
m4: device/qcom/sepolicy/test/qseeproxysample.te: 31: deprecated: unix_socket_connect(qseeproxysample, property, init) Please use set_prop(qseeproxysample, <property name>) instead.
[ 0% 3/1149] build out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
m4: device/qcom/sepolicy/private/wfdservice.te: 72: deprecated: unix_socket_connect(wfdservice, property, init) Please use set_prop(wfdservice, <property name>) instead.
m4: device/qcom/sepolicy/common/fidodaemon.te: 21: deprecated: unix_socket_connect(fidodaemon, property, init) Please use set_prop(fidodaemon, <property name>) instead.
m4: device/qcom/sepolicy/common/hal_factory_qti_default.te: 35: deprecated: unix_socket_connect(hal_factory_qti, property, init) Please use set_prop(hal_factory_qti, <property name>) instead.
m4: device/qcom/sepolicy/common/qseecomd.te: 63: deprecated: unix_socket_connect(tee, property, init) Please use set_prop(tee, <property name>) instead.
m4: device/qcom/sepolicy/common/qseeproxy.te: 50: deprecated: unix_socket_connect(qseeproxy, property, init) Please use set_prop(qseeproxy, <property name>) instead.
m4: device/qcom/sepolicy/test/fidotest.te: 4: deprecated: unix_socket_connect(fidotest, property, init) Please use set_prop(fidotest, <property name>) instead.
m4: device/qcom/sepolicy/test/qseeproxysample.te: 31: deprecated: unix_socket_connect(qseeproxysample, property, init) Please use set_prop(qseeproxysample, <property name>) instead.
[ 0% 4/1149] build out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_raw.cil
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy.conf
out/host/linux-x86/bin/checkpolicy: policy configuration loaded
out/host/linux-x86/bin/checkpolicy: writing CIL to out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_raw.cil.tmp
[ 0% 5/1149] build out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil
Parsing out/target/product/msm8998/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil
Parsing out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_raw.cil
[ 0% 7/1149] Ensuring Jack server is installed and started
Jack server already installed in "/home/mantesh/.jack-server"
Server is already running
[ 0% 8/1149] build out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy
FAILED: out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
libsepol.report_failure: neverallow on line 856 of system/sepolicy/public/domain.te (or line 9111 of policy.conf) violated by allow hal_audio_default system_data_file:file { write create };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/msm8998/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
[ 0% 9/1149] build out/target/product/msm8998/obj/ETC/sepolicy_intermediates/sepolicy
FAILED: out/target/product/msm8998/obj/ETC/sepolicy_intermediates/sepolicy
/bin/bash -c "(out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/msm8998/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/msm8998/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/msm8998/obj/ETC/sepolicy_intermediates/sepolicy.tmp -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/msm8998/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/msm8998/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/msm8998/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/msm8998/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/msm8998/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/msm8998/obj/ETC/sepolicy_intermediates/sepolicy )"
neverallow check failed at out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:4201
  (neverallow base_typeattr_68_27_0 system_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
    <root>
    allow at out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:8335
      (allow hal_audio_default system_data_file_27_0 (file (write create)))
neverallow check failed at out/target/product/msm8998/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4855 from system/sepolicy/public/domain.te:856
  (neverallow base_typeattr_68 system_data_file (file (write create setattr relabelfrom append unlink link rename)))
    <root>
    allow at out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:8335
      (allow hal_audio_default system_data_file_27_0 (file (write create)))
Failed to generate binary
Failed to build policydb
[ 0% 10/1149] build out/target/product/msm8998/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
FAILED: out/target/product/msm8998/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
/bin/bash -c "out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/msm8998/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/msm8998/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/msm8998/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy -f /dev/null"
neverallow check failed at out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:4201
  (neverallow base_typeattr_68_27_0 system_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
    <root>
    allow at out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:8335
      (allow hal_audio_default system_data_file_27_0 (file (write create)))
neverallow check failed at out/target/product/msm8998/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4855 from system/sepolicy/public/domain.te:856
  (neverallow base_typeattr_68 system_data_file (file (write create setattr relabelfrom append unlink link rename)))
    <root>
    allow at out/target/product/msm8998/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:8335
      (allow hal_audio_default system_data_file_27_0 (file (write create)))
Failed to generate binary
Failed to build policydb
[ 0% 11/1149] build out/target/product/msm8998/abl.elf
make: Entering directory `/media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2'
Loading previous configuration from /media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2/Conf/BuildEnv.sh
WORKSPACE: /media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2
EDK_TOOLS_PATH: /media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2/BaseTools
CONF_PATH: /media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2/Conf
make[1]: Entering directory `/media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2/BaseTools'
make[1]: warning: -jN forced in submake: disabling jobserver mode.
make -C Source/C
Attempting to detect ARCH from 'uname -m': x86_64
Detected ARCH of X64 using uname.
make[2]: Entering directory `/media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2/BaseTools/Source/C'
mkdir -p .
make -C Common
make[3]: Entering directory `/media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2/BaseTools/Source/C/Common'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2/BaseTools/Source/C/Common'
make -C GnuGenBootSector
make[3]: Entering directory `/media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2/BaseTools/Source/C/GnuGenBootSector'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2/BaseTools/Source/C/GnuGenBootSector'
make -C BootSectImage
make[3]: Entering directory `/media/mantesh/newhd/project/DTS/intrinsyc/oreo/OpenQ-835_Android-O_v2.0/Source_Package/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0/bootable/bootloader/edk2/BaseTools/Source/C/BootSectImage'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/media/mantesh/newhd/project/DTS/intrinsyc/oreo/Open
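
An added example, not part of the original post and not taken from the AOSP or Qualcomm policy: one way to satisfy the neverallow on system/sepolicy/public/domain.te line 856 is to give the directory from the post its own type, so that no write rule on system_data_file is needed. The type name audio_effect_data_file and the file names in the comments are hypothetical; the path and the hal_audio_default domain are the ones from the post.

```selinux
# --- Rejected at build time (the rule from the post) ----------------------
# system_data_file is the generic label for files under /data; the
# neverallow at domain.te:856 reserves write/create on it, so this rule
# can never compile for hal_audio_default:
#
#   allow hal_audio_default system_data_file:file { write create };

# --- file.te (device/vendor sepolicy directory) ---------------------------
# Hypothetical dedicated type for the effect's private data.
type audio_effect_data_file, file_type, data_file_type;

# --- file_contexts (device/vendor sepolicy directory) ---------------------
# Label the directory from the post and everything created beneath it.
/data/vendor/misc/my_dir(/.*)?    u:object_r:audio_effect_data_file:s0

# --- policy file for hal_audio_default ------------------------------------
# Access is scoped to the new type only; system_data_file stays read-only
# for this domain, which is what the neverallow enforces.
allow hal_audio_default audio_effect_data_file:dir rw_dir_perms;
allow hal_audio_default audio_effect_data_file:file create_file_perms;
```

A directory that already existed before the file_contexts entry was added keeps its old label until `restorecon -R /data/vendor/misc/my_dir` is run on the device. Any remaining denial, for example on a parent directory, shows up as an `avc: denied` line for hal_audio_default in logcat.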