小贝子编程

需要一些Android SELinux构建错误指南



im目前正试图在RockPi 4上使用Quectel EC25 LTE编译Android 9。但目前我还停留在SELinux的实现上。EC25 RIL指南告诉我修改/添加以下文件到src树。

  • ($Android_src(/system/core/rootdir/ueventd.rc
#quectel port
/dev/ttyUSB* 0660 radio radio
/dev/cdc-wdm* 0660 radio radio
/dev/qcqmi* 0660 radio radio
/dev/cdc-acm* 0660 radio radio
  • ($Android_src(/external/sepolicy/file_contexts
/dev/ttyUSB[0-9]* u:object_r:tty_device:s0
/dev/ttyACM[0-9]* u:object_r:tty_device:s0
/system/bin/rild u:object_r:rild_exec:s0
/system/socket/rild u:object_r:rild_socket:s0
/system/socket/rild-debug u:object_r:rild_debug_socket:s0
/system/bin/pppd u:object_r:pppd_exec:s0
/dev/ppp u:object_r:ppp_device:s0
  • ($Android_src(/external/sepolicy/rild.te
allow rild default_prop:property_service set;
allow rild device:chr_file { read write ioctl open getattr };
allow rild kernel:system module_request;
allow rild net_radio_prop:property_service set;
allow rild ppp_device:chr_file { read write ioctl open };
allow rild ppp_exec:file { read execute open execute_no_trans };
allow rild radio_prop:property_service set;
allow rild self:capability { net_admin setuid };
allow rild shell_exec:file { read execute open execute_no_trans };
allow rild sysfs_wake_lock:file { open read write };
allow rild system_file:file execute_no_trans;
allow rild system_prop:property_service set;

运行后,我得到以下错误:

FAILED: out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c             30 -o out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ "userdebug" = "user" -a -s out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then          echo "==========" 1>&2;               echo "ERROR: permissive domains not allowed in user builds" 1>&2;             echo "List of invalid domains:" 1>&2;               cat out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2;           exit 1;                 fi ) && (mv out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
libsepol.report_failure: neverallow on line 532 of system/sepolicy/public/domain.te (or line 10484 of policy.conf) violated by allow rild default_prop:property_service { set };
libsepol.report_failure: neverallow on line 418 of system/sepolicy/public/domain.te (or line 10370 of policy.conf) violated by allow rild device:chr_file { read write open };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
[  4% 449/10291] build out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(rm -f out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c               30 -o out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 532 of system/sepolicy/public/domain.te (or line 10425 of policy.conf) violated by allow rild default_prop:property_service { set };
libsepol.report_failure: neverallow on line 418 of system/sepolicy/public/domain.te (or line 10311 of policy.conf) violated by allow rild device:chr_file { read write open };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[  4% 450/10291] //bionic/libc:libc_bionic_ndk clang++ bionic/bionic_systrace.cpp [arm]
ninja: build stopped: subcommand failed.
10:24:06 ninja failed with: exit status 1

我不熟悉Android/SELinux,但我在谷歌上搜索了这个错误,发现设置"neverallow"指令没有任何运气。

如有帮助,将不胜感激

rgds

您的允许规则对于Android来说太通用了。

决不允许的规则有很好的记录。查看错误消息中的system/sepolicy/public/domain.te:532system/sepolicy/public/domain.te:418

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };

您需要找出rild必须设置的属性,然后添加一个更具体的允许规则。检查现有的property_contexts文件是否已经为rild所需的属性指定了类型,或者自己创建。对于CCD_ 6想要访问的设备也需要进行同样的操作。

注意system/sepolicy/public/te_macros中有一些宏可以使rild.te更具可读性。示例:将allow rild default_prop:property_service set替换为set_prop(rild, default_prop)

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium