The point of this was so there was a searchable archive of the issue to
help others. It would be smart of me to post the link to the patch:
https://android-review.googlesource.com/328669

On Jan 28, 2017 08:05, "Nick Kralevich" <n...@google.com> wrote:

> Thank you William! +2d and submitted.
>
> -- Nick
>
> On Thu, Jan 26, 2017 at 11:32 AM, Roberts, William C <
> william.c.robe...@intel.com> wrote:
>
>> <snip>
>> > > > Building for Hikey (Android) with a type permissive statement on
>> > > > hci_attach yields this error:
>> > > >
>> > > > /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -c 30
>> > > > out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
>> > > > out/target/product/hikey/obj/ETC/mapping_sepolicy.cil_intermediates/mapping/current.cil
>> > > > out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil
>> > > > -o out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp
>> > > > ) && (out/host/linux-x86/bin/sepolicy-analyze
>> > > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp
>> > > > permissive >
>> > > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
>> > > > ) && (if [ \"userdebug\" = \"user\" -a -s
>> > > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
>> > > > ]; then echo \"==========\" 1>&2;
>> > > > echo \"ERROR: permissive domains not allowed in user builds\" 1>&2;
>> > > > echo \"List of invalid domains:\" 1>&2;
>> > > > cat out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2;
>> > > > exit 1; fi ) && (mv
>> > > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp
>> > > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )"
>> > > > Symbol not inside parenthesis at line 1239 of
>> > > > out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil
>> > > >
>> > > > To reproduce apply this patch to device/linaro/hikey:
>> > > > diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te index
>> > > > d87f444..1990d54 100644
>> > > > --- a/sepolicy/hci_attach.te
>> > > > +++ b/sepolicy/hci_attach.te
>> > > > @@ -1,6 +1,8 @@
>> > > >  type hci_attach, domain;
>> > > >  type hci_attach_exec, exec_type, file_type;
>> > > >
>> > > > +permissive hci_attach;
>> > > > +
>> > > >  init_daemon_domain(hci_attach)
>> > > >
>> > > >  allow hci_attach kernel:system module_request;
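Review bot: this hunk is a reproducer and must not be merged into device/linaro/hikey: `permissive hci_attach;` puts the whole daemon domain into log-only mode, and the build rule quoted above fails the sepolicy target on user builds with `permissive domains not allowed in user builds` as soon as `sepolicy-analyze ... permissive` lists anything. For a userdebug reproduction it is fine as written; the statement sits after `type hci_attach, domain;`, which it needs, since it references an already declared type.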
>> > > >
>> > > > and build sepolicy
>> > > >
>> > > > make -j4 sepolicy
>> > > >
>> > > > I have no idea what's happening, but the statement looks different
>> > > > from all the other CIL statements:
>> > > >
>> > > > Failing CIL snippet:
>> > > >
>> > > > (type hci_attach)
>> > > > (roletype object_r hci_attach)
>> > > > CIL_TYPEPERMISSIVE (type hci_attach_exec) (roletype object_r
>> > > > hci_attach_exec) (type hci_attach_tmpfs)
>> > > >
>> > > >
>> > >
>> > > Some of these call routines like cil_write_roletype() in write_ast.c,
>> > > but some just fprintf(CIL_<CAPS>). Are these features not implemented?
>> > >
>> > > If I apply this hack it works:
>> > > diff --git a/libsepol/cil/src/cil_write_ast.c
>> > > b/libsepol/cil/src/cil_write_ast.c
>> > > index 4ebda6a..8a25680 100644
>> > > --- a/libsepol/cil/src/cil_write_ast.c
>> > > +++ b/libsepol/cil/src/cil_write_ast.c
>> > > @@ -1255,7 +1255,7 @@ int __cil_write_node_helper(struct cil_tree_node
>> > > *node, uint32_t *finished, void
>> > >                 fprintf(cil_out, "CIL_TYPEBOUNDS ");
>> > >                 break;
>> > >         case CIL_TYPEPERMISSIVE:
>> > > -               fprintf(cil_out, "CIL_TYPEPERMISSIVE ");
>> > > +               fprintf(cil_out, "(typepermissive hci_attach)\n");
>> > >                 break;
>> > >         case CIL_TYPEATTRIBUTE:
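Review bot: the replacement line hardcodes the type name, `fprintf(cil_out, "(typepermissive hci_attach)\n");`, so the writer would emit `hci_attach` for every typepermissive node whatever type the node actually names; as the author says, this is a hack that confirms the diagnosis, not the fix. The fix belongs in the same `case CIL_TYPEPERMISSIVE:` and should write `(typepermissive <name>)` from the node's own data, newline included, the way the `cil_write_roletype()` path mentioned above writes a real statement rather than a `CIL_<CAPS>` placeholder. The neighbouring `case CIL_TYPEBOUNDS:` still prints `"CIL_TYPEBOUNDS "` and will hit the same `Symbol not inside parenthesis` failure for any policy that uses typebounds, so it needs the same treatment.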
>> > >
>> > > The output looks ok from sepolicy-analyze:
>> > >
>> > > $ sepolicy-analyze $OUT/root/sepolicy permissive crash_dump su
>> > > hci_attach
>> >
>> > FYI, this does not affect upstream SELinux; it looks like Dan Cashman
>> > over at Google authored the file, so I'll drop the common SELinux
>> > mailing list on further responses. I'll take a look at fixing this
>> > today...
>>
>> <snip>
>> That was easy, patch here:
>> https://android-review.googlesource.com/#/c/328669/
>>
>
>
>
> --
> Nick Kralevich | Android Security | n...@google.com | 650.214.4037
>
> _______________________________________________
> Seandroid-list mailing list
> Seandroid-list@tycho.nsa.gov
> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> seandroid-list-requ...@tycho.nsa.gov.
>
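Added example, not part of the thread and not libsepol, secilc or Android build code: a small Python lint for CIL text that reproduces the two checks this thread turns on. It tokenizes CIL s-expressions and reports a bare symbol outside any statement, which is what secilc refused with "Symbol not inside parenthesis at line 1239" on the CIL_TYPEPERMISSIVE placeholder above, and it collects (typepermissive X) declarations so the "permissive domains not allowed in user builds" rule from the build log can be applied to the CIL source before secilc runs. The build applies that rule to the compiled policy through sepolicy-analyze; checking the text is an extra, earlier step, and both sample policies (including the filecon line and the two unbalanced-parenthesis messages) are constructed for this example.

```python
"""Lint generated CIL text for the two failure modes discussed in the thread.

Constructed example, not code from the thread, libsepol or secilc: a small
s-expression tokenizer for CIL (parentheses, ';' comments, double-quoted
strings) that
  1. flags a bare symbol outside any statement, which is what secilc
     rejects with "Symbol not inside parenthesis at line N", and
  2. collects (typepermissive X) declarations so the user-build rule from
     the build log can be applied to CIL source before secilc runs.
"""
import re

# Constructed sample: the failing snippet from the thread as the broken
# cil_write_ast.c wrote it, a placeholder token with no parentheses.
BROKEN_CIL = """\
(type hci_attach)
(roletype object_r hci_attach)
CIL_TYPEPERMISSIVE (type hci_attach_exec) (roletype object_r hci_attach_exec) (type hci_attach_tmpfs)
"""

# Constructed sample: what a correct writer should emit for the same nodes,
# plus a comment and a quoted string to exercise the tokenizer.
FIXED_CIL = """\
(type hci_attach)
(roletype object_r hci_attach)
(typepermissive hci_attach)
(type hci_attach_exec)
(roletype object_r hci_attach_exec)
(type hci_attach_tmpfs)
; a comment with (parentheses) that must be ignored
(filecon "/dev/ttyAMA1" char (u object_r hci_attach_exec ((s0) (s0))))
"""

# One regex alternative per token kind; blanks other than newline are
# skipped because no alternative matches them.
_TOKEN = re.compile(r'\(|\)|"[^"\n]*"|;[^\n]*|\n|[^\s()";]+')


def tokenize(text):
    """Yield (token, line) pairs, consuming newlines and comments."""
    line = 1
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if tok == "\n":
            line += 1
        elif not tok.startswith(";"):
            yield tok, line


def parse(text):
    """Return (statements, errors).

    statements: top-level s-expressions as nested lists of strings.
    errors: (line, message) pairs. The "Symbol not inside parenthesis"
    text is secilc's own message from the thread; the two unbalanced-
    parenthesis messages are this example's wording.
    """
    statements, errors, stack = [], [], []
    last_line = 1
    for tok, line in tokenize(text):
        last_line = line
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if not stack:
                errors.append((line, "Close parenthesis without matching open parenthesis"))
                continue
            expr = stack.pop()
            (stack[-1] if stack else statements).append(expr)
        elif not stack:
            # A symbol at top level: the failure mode in the thread.
            errors.append((line, "Symbol not inside parenthesis"))
        else:
            stack[-1].append(tok)
    if stack:
        errors.append((last_line, "Open parenthesis without matching close parenthesis"))
    return statements, errors


def permissive_types(statements):
    """Types declared permissive, in order of appearance."""
    return [s[1] for s in statements
            if len(s) >= 2 and s[0] == "typepermissive"]


def check_user_build(text, is_user_build):
    """Mirror the build rule; returns (ok, problems, permissive_types).

    Parse errors fail every build; permissive domains fail user builds only.
    """
    statements, errors = parse(text)
    if errors:
        return False, ["%s at line %d" % (msg, line) for line, msg in errors], []
    perm = permissive_types(statements)
    if is_user_build and perm:
        return False, ["permissive domains not allowed in user builds: " + " ".join(perm)], perm
    return True, [], perm


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CIL), ("fixed", FIXED_CIL)):
        for variant in ("user", "userdebug"):
            ok, problems, perm = check_user_build(text, variant == "user")
            print(name, variant, "OK" if ok else "FAIL", problems, perm)
```

Run as-is it reports the broken snippet failing at line 3 on both build variants and the fixed one failing only on a user build; to lint real output, read plat_policy_nvr.cil or nonplat_policy_nvr.cil from the build tree and pass the text to check_user_build().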