Re: Failed to perform read/write operation from /hardware/qcom/audio/post_proc/volume_listener.c

2018-05-30 Thread Jeffrey Vander Stoep via Seandroid-list
source.android.com has a number of resources
https://source.android.com/security/selinux/ including a quick-start guide
on writing device-specific policy for Android
https://source.android.com/security/selinux/device-policy.

On Wed, May 30, 2018 at 7:22 AM Mantesh Eksambe <
mantesh.eksambe@gmail.com> wrote:

> Thank you sir.
>
> I would like to learn in detail about Android SELinux. Could you please
> suggest the correct reference for that.
>
>
> On Tue, May 29, 2018 at 7:12 PM, Stephen Smalley 
> wrote:
>
>> On 05/27/2018 09:08 AM, Mantesh Eksambe wrote:
>> > Hi,
>> >
>> > I want to perform file read write operation from
>> > /hardware/qcom/audio/post_proc/volume_listener.c
>> > <http://androidxref.com/8.0.0_r4/xref/hardware/qcom/audio/post_proc/volume_listener.c>
>> > effect file. I have created directory at /data/vendor/misc/my_dir.
>> > So I want to write effect data from volume_listener.c to my directory.
>> >
>> > As per my understanding post_proc effect comes under hal_audio_default
>> domain. Then I have added "allow hal_audio_default system_data_file:file {
>> write create };" in hal_audio.te file. But after adding I'm facing the
>> following issue while building AOSP
>> >
>> > NOTE - I'm working on Android Oreo.
>> >
>> > Error -
>> >
>> > libsepol.report_failure: neverallow on line 856 of
>> system/sepolicy/public/domain.te (or line 9111 of policy.conf) violated by
>> allow hal_audio_default system_data_file:file { write create };
>> >
>> > I hope you understand my issue. Please help me to solve this issue.
>> > Please find attached build log for more clarity.
>>
>> You need to define a type other than system_data_file and assign it to
>> your directory via file_contexts so that your process only needs
>> create/write to your own type and not arbitrary system data files.
>>
>>
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: Failed to perform read/write operation from /hardware/qcom/audio/post_proc/volume_listener.c

2018-05-30 Thread Mantesh Eksambe
Thank you sir.

I would like to learn in detail about Android SELinux. Could you please
suggest the correct reference for that.


On Tue, May 29, 2018 at 7:12 PM, Stephen Smalley  wrote:

> On 05/27/2018 09:08 AM, Mantesh Eksambe wrote:
> > Hi,
> >
> > I want to perform file read write operation from
> > /hardware/qcom/audio/post_proc/volume_listener.c
> > <http://androidxref.com/8.0.0_r4/xref/hardware/qcom/audio/post_proc/volume_listener.c>
> > effect file. I have created directory at /data/vendor/misc/my_dir.
> > So I want to write effect data from volume_listener.c to my directory.
> >
> > As per my understanding post_proc effect comes under hal_audio_default
> domain. Then I have added "allow hal_audio_default system_data_file:file {
> write create };" in hal_audio.te file. But after adding I'm facing the
> following issue while building AOSP
> >
> > NOTE - I'm working on Android Oreo.
> >
> > Error -
> >
> > libsepol.report_failure: neverallow on line 856 of
> system/sepolicy/public/domain.te (or line 9111 of policy.conf) violated
> by allow hal_audio_default system_data_file:file { write create };
> >
> > I hope you understand my issue. Please help me to solve this issue.
> > Please find attached build log for more clarity.
>
> You need to define a type other than system_data_file and assign it to
> your directory via file_contexts so that your process only needs
> create/write to your own type and not arbitrary system data files.
>
>

Re: Failed to perform read/write operation from /hardware/qcom/audio/post_proc/volume_listener.c

2018-05-29 Thread Stephen Smalley
On 05/27/2018 09:08 AM, Mantesh Eksambe wrote:
> Hi,
> 
> I want to perform file read write operation from
> /hardware/qcom/audio/post_proc/volume_listener.c effect file. I have created
> directory at /data/vendor/misc/my_dir.
> So I want to write effect data from volume_listener.c to my directory.
> 
> As per my understanding post_proc effect comes under hal_audio_default
> domain. Then I have added "allow hal_audio_default system_data_file:file {
> write create };" in hal_audio.te file. But after adding I'm facing the following
> issue while building AOSP
> 
> NOTE - I'm working on Android Oreo.
> 
> Error -
> 
> libsepol.report_failure: neverallow on line 856 of 
> system/sepolicy/public/domain.te (or line 9111 of policy.conf) violated by 
> allow hal_audio_default system_data_file:file { write create };
> 
> I hope you understand my issue. Please help me to solve this issue.
> Please find attached build log for more clarity.

You need to define a type other than system_data_file and assign it to your 
directory via file_contexts so that your process only needs create/write to 
your own type and not arbitrary system data files.

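A worked version of the fix Stephen describes above, added here as an illustration; it is not taken from the thread, from AOSP or from any vendor tree. The type name hal_audio_effect_data_file and the .te file layout are assumptions; the directory /data/vendor/misc/my_dir, the hal_audio_default domain and hal_audio.te come from the original question.

```selinux
# Added example (not from the thread). Device-specific policy, split across
# the files where it would normally live in a BOARD_SEPOLICY_DIRS directory.
# Type and file names are assumptions.

# ---- file.te ----
# A dedicated type for the effect data. hal_audio_default then never needs
# write access to system_data_file, which is what the neverallow in
# system/sepolicy/public/domain.te forbids. The attributes make the new type
# behave like any other /data file type for the rest of the policy.
type hal_audio_effect_data_file, file_type, data_file_type;

# ---- file_contexts ----
# Label the directory, and everything created beneath it, with the new type.
/data/vendor/misc/my_dir(/.*)?    u:object_r:hal_audio_effect_data_file:s0

# ---- hal_audio.te ----
# Grant only what the effect needs, and only on its own type.
# create_dir_perms / create_file_perms are the standard global_macros sets.
allow hal_audio_default hal_audio_effect_data_file:dir create_dir_perms;
allow hal_audio_default hal_audio_effect_data_file:file create_file_perms;
```

With this in place the rejected "allow hal_audio_default system_data_file:file { write create };" line is simply dropped; the neverallow only fired because that rule named system_data_file. The directory picks up the new label when init creates it (init consults file_contexts on mkdir); a directory that already exists from before the policy change keeps its old label until restorecon -R /data/vendor/misc/my_dir is run or the data partition is wiped. adb shell ls -Z /data/vendor/misc shows whether the label is hal_audio_effect_data_file, and any permission still missing appears in logcat as an avc: denied line naming that type as the target context rather than system_data_file.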


Failed to perform read/write operation from /hardware/qcom/audio/post_proc/volume_listener.c

2018-05-29 Thread Mantesh Eksambe
Hi,

I want to perform file read write operation from
/hardware/qcom/audio/post_proc/volume_listener.c effect file. I have created
directory at /data/vendor/misc/my_dir.
So I want to write effect data from volume_listener.c to my directory.

As per my understanding post_proc effect comes under hal_audio_default
domain. Then I have added "allow hal_audio_default system_data_file:file {
write create };" in hal_audio.te file. But after adding I'm facing the
following issue while building AOSP

NOTE - I'm working on Android Oreo.

Error -

libsepol.report_failure: neverallow on line 856 of
system/sepolicy/public/domain.te (or line 9111 of policy.conf) violated by
allow hal_audio_default system_data_file:file { write create };

I hope you understand my issue. Please help me to solve this issue.
Please find attached build log for more clarity.

Regards,
Mantesh

mantesh@PUNECPU373/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0:$
mantesh@PUNECPU373/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0:$adb logcat -b all -d | audit2allow -p ../../../../../sepolicy/policy
- waiting for device -


#= bluetooth ==
allow bluetooth default_android_service:service_manager find;

#= hal_graphics_composer_default ==
allow hal_graphics_composer_default sysfs:file { getattr open read };

#= hal_usb_default ==
allow hal_usb_default self:capability dac_override;

#= mediaextractor ==
allow mediaextractor sdcardfs:file { getattr read };

#= platform_app ==
allow platform_app cache_file:lnk_file read;
allow platform_app wigig_prop:file { getattr open };

#= qti_init_shell ==
allow qti_init_shell default_prop:property_service set;
allow qti_init_shell sysfs_cpu_boost:file write;

#= qvrd ==
allow qvrd vendor_file:file execute;

#= radio ==
allow radio opengles_prop:file { getattr open read };
allow radio system_app_data_file:dir getattr;

#= surfaceflinger ==
allow surfaceflinger mediacodec:binder call;

#= system_app ==
allow system_app default_android_service:service_manager add;

#= thermal-engine ==
allow thermal-engine sysfs_uio:dir { open read search };
allow thermal-engine sysfs_uio:lnk_file read;
allow thermal-engine sysfs_uio_file:dir search;
allow thermal-engine sysfs_uio_file:file { getattr open read };

#= ueventd ==
allow ueventd mba_debug_dev:blk_file { open read };

#= vendor-qti-testscripts ==
allow vendor-qti-testscripts coresight_prop:file { getattr open read };
mantesh@PUNECPU373/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0:$



mantesh@PUNECPU373/APQ8098_LA.UM.6.4.r1-06900-8x98.0_OpenQ835-O_v2.0:$adb logcat -b all -d | audit2allow -p ../../../../../sepolicy/policy
adb server version (31) doesn't match this client (39); killing...
* daemon started successfully


#= bluetooth ==
allow bluetooth default_android_service:service_manager find;

#= hal_graphics_composer_default ==
allow hal_graphics_composer_default sysfs:file { getattr open read };

#= hal_usb_default ==
allow hal_usb_default self:capability dac_override;

#= mediaextractor ==
allow mediaextractor sdcardfs:file { getattr read };

#= platform_app ==
allow platform_app cache_file:lnk_file read;
allow platform_app wigig_prop:file { getattr open };

#= qti_init_shell ==
allow qti_init_shell default_prop:property_service set;
allow qti_init_shell sysfs_cpu_boost:file write;

#= qvrd ==
allow qvrd vendor_file:file execute;

#= radio ==
allow radio opengles_prop:file { getattr open read };
allow radio system_app_data_file:dir getattr;

#= surfaceflinger ==
allow surfaceflinger mediacodec:binder call;

#= system_app ==
allow system_app default_android_service:service_manager add;

#= thermal-engine ==
allow thermal-engine sysfs_uio:dir { open read search };
allow thermal-engine sysfs_uio:lnk_file read;
allow thermal-engine sysfs_uio_file:dir search;
allow thermal-engine sysfs_uio_file:file { getattr open read };

#= ueventd ==
allow ueventd mba_debug_dev:blk_file { open read };

#= untrusted_app ==
allow untrusted_app proc:file { getattr open read };

#= vendor-qti-testscripts ==
allow