How to add new rules to SEPOLICY - Pixel 2


Lorant Polya

Apr 19, 2018, 12:48:05 PM
to android-platform
Hello,

I created a kernel module called devtest that gets built into the kernel.  And, I've written a native application to communicate with it via ioctl calls that I push onto my phone to run.  I've also modified init.rc to change the owner of my dev file to system rather than root.  But, I still have to set sepolicy to permissive to be able to communicate with my dev file.  I tried writing rules to allow me to communicate with my modules but they didn't seem to work.

I created a folder called test under device/google/wahoo/sepolicy/, then I added this line to my BoardConfig.mk: "BOARD_SEPOLICY_DIRS += device/google/wahoo/sepolicy/test"

My file_contexts looks like this:
/dev/devtest                                      u:object_r:test_device:s0

and my test.te looks like
type test_device, dev_type;
type test_domain, domain;

allow test_domain test_device:chr_file { read write getattr ioctl open create append };

Is there anything I am missing?

Thanks

Colin Cross

Apr 19, 2018, 1:45:49 PM
to android-...@googlegroups.com
I'm not an SELinux expert, but I don't think you want to add a new domain; that would require you to transfer to test_domain when running your native binary.  If you want to be able to run your native binary from the shell you need to allow the shell domain:
allow shell test_device:chr_file { read write getattr ioctl open create append };


--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-platfo...@googlegroups.com.
To post to this group, send email to android-...@googlegroups.com.
Visit this group at https://groups.google.com/group/android-platform.
For more options, visit https://groups.google.com/d/optout.

Lorant Polya

Apr 19, 2018, 4:28:48 PM
to android-platform
Thanks for the reply, and I've tried that as well but it doesn't seem to work.  This is the avc message that I get:

avc: denied { read write } for pid=3978 comm="test.exe" name="devtest" dev="tmpfs" ino=19263 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0

and my rule is posted above.  From the sources that I've read and my understanding, it should work.  But, for some reason the rule doesn't seem to do anything.


Colin Cross

Apr 19, 2018, 5:16:11 PM
to android-...@googlegroups.com
Your file_contexts isn't working; the message says the file is u:object_r:device:s0 and not u:object_r:test_device:s0.  You can see the file context on your device with ls -Z /dev/devtest.


Lorant Polya

Apr 20, 2018, 10:33:16 AM
to android-platform
Is there a step I'm missing then?  How would I change my implementation to have my defined type show up instead of "device" in the label?

Haili Wang

Apr 20, 2018, 1:45:10 PM
to android-platform
Like Colin mentioned, you need to add your "test.exe" to file_contexts.
To think about this at a higher level, SELinux doesn't know about your test.exe program. You need to label your test.exe program and your test device, and then allow the test program to access the test device with certain operations.
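Following Colin's ls -Z diagnosis and Haili's point that the device and the program both need labels, here is an added example (not from the thread) that parses an avc denial like the one posted and separates a labeling problem from a missing allow rule. It assumes the file_contexts entry and the allow rule from the posts above; the second denial line is constructed to show the other case.

```python
import re

# Constructed sample input: the first line is the denial quoted in the thread;
# the second is a constructed denial where the label is right but a permission
# the posted rule does not grant ("lock") is requested.
AVC_LINES = [
    'avc: denied { read write } for pid=3978 comm="test.exe" name="devtest" dev="tmpfs" '
    'ino=19263 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0',
    'avc: denied { lock } for pid=4001 comm="test.exe" name="devtest" dev="tmpfs" '
    'ino=19263 scontext=u:r:shell:s0 tcontext=u:object_r:test_device:s0 tclass=chr_file permissive=0',
]

# The file_contexts entry and the shell allow rule from the thread, keyed as
# (source domain, target type, object class) -> granted permissions.
FILE_CONTEXTS = {r"/dev/devtest": "u:object_r:test_device:s0"}
ALLOW_RULES = {
    ("shell", "test_device", "chr_file"):
        {"read", "write", "getattr", "ioctl", "open", "create", "append"},
}

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+)\} .*?'
    r'scontext=u:r:(?P<sdom>[^:]+):s0 tcontext=u:object_r:(?P<ttype>[^:]+):s0 '
    r'tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Extract requested permissions, source domain, target type and class."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an avc denial: " + line)
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    return d

def expected_type(path):
    """Type that file_contexts says the path should carry (what ls -Z should show)."""
    for pattern, label in FILE_CONTEXTS.items():
        if re.fullmatch(pattern, path):
            return label.split(":")[2]
    return None

def diagnose(line, path):
    """('labeling', detail) if the live label differs from file_contexts,
    ('policy', missing perms) if the rule is too narrow, else ('ok', set())."""
    d = parse_avc(line)
    want = expected_type(path)
    if d["ttype"] != want:
        return ("labeling", f"{path} is {d['ttype']}, file_contexts expects {want}")
    granted = ALLOW_RULES.get((d["sdom"], d["ttype"], d["tclass"]), set())
    missing = d["perms"] - granted
    return ("policy", missing) if missing else ("ok", set())
```

For the denial from the thread, diagnose(AVC_LINES[0], "/dev/devtest") reports a labeling mismatch (device instead of test_device), which no allow rule on test_device can fix.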