SELinux: halserverdomain never allow udp_socket create

Vijay Ch

Jun 6, 2018, 3:43:17 PM
to android-platform
Hi,

Currently I am writing an SELinux policy for my HAL, in which I am trying to create a udp_socket.
Based on avc: denied messages, I am writing the SELinux policy to create the udp_socket as below.

The SELinux policy file hal_xxx_default.te looks as below.

##############
type hal_xxx_default, domain, binder_in_vendor_violators;
hal_server_domain(hal_xxx_default, hal_xxx)

type hal_xxx_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_xxx_default)

allow hal_xxx_default self:udp_socket create_socket_perms;
##############


 
When I compile the sepolicy, I get a build error like "neverallow halserverdomain udp_socket create".

  
The neverallow rule is defined in hal_neverallows.te as below (https://android.googlesource.com/platform/system/sepolicy/+/master/public/hal_neverallows.te):
  
    # Unless a HAL's job is to communicate over the network, or control network
    # hardware, it should not be using network sockets.
    neverallow {
      halserverdomain
      -hal_tetheroffload_server
      -hal_wifi_server
      -hal_wifi_supplicant_server
      -rild
    } domain:{ tcp_socket udp_socket rawip_socket } *;

   
Could someone please tell me how I can make the policy allow socket creation?


  Regards,
   Vijay
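
An added example, not part of the original post or of AOSP: a small pre-build check that reports which allow rules in a .te file the neverallow quoted above would reject. It assumes hal_server_domain() tags the domain with halserverdomain and <hal>_server; the function names and the sample policy are constructed for illustration.

```python
import re

# Exempt attributes/types and socket classes, copied from the neverallow in the post.
EXEMPT = {"hal_tetheroffload_server", "hal_wifi_server",
          "hal_wifi_supplicant_server", "rild"}
NET_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket"}

TOKEN = r"(\{[^}]*\}|[^\s:;]+)"
HAL_MACRO = re.compile(r"hal_server_domain\(\s*(\w+)\s*,\s*(\w+)\s*\)")
ALLOW = re.compile(r"^\s*allow\s+%s\s+%s\s*:\s*%s\s+%s\s*;" % ((TOKEN,) * 4), re.M)

def names(token):
    """Split 'a' or '{ a b }' into a set of identifiers."""
    return set(token.strip("{}").split())

def find_violations(te_text):
    """Return sorted (domain, class) pairs the quoted neverallow would reject."""
    te_text = re.sub(r"#.*", "", te_text)  # strip comments
    # Assumption: hal_server_domain(d, hal_x) tags d with halserverdomain
    # and hal_x_server, which is how the exemptions above are matched.
    attrs = {}
    for dom, hal in HAL_MACRO.findall(te_text):
        attrs.setdefault(dom, set()).update({"halserverdomain", hal + "_server"})
    hits = set()
    for src, _tgt, cls, _perms in ALLOW.findall(te_text):
        for dom in names(src):
            tags = attrs.get(dom, set())
            if "halserverdomain" not in tags or ({dom} | tags) & EXEMPT:
                continue
            # Target is not checked: the neverallow targets `domain`, which
            # includes the source domain itself (the `self` case in the post).
            hits.update((dom, c) for c in names(cls) & NET_CLASSES)
    return sorted(hits)

# Constructed sample: the rule from the post plus an exempt Wi-Fi HAL.
SAMPLE = """
type hal_xxx_default, domain;
hal_server_domain(hal_xxx_default, hal_xxx)
allow hal_xxx_default self:udp_socket create_socket_perms;
allow hal_xxx_default self:unix_dgram_socket create_socket_perms;

type hal_wifi_default, domain;
hal_server_domain(hal_wifi_default, hal_wifi)
allow hal_wifi_default self:{ udp_socket tcp_socket } create_socket_perms;
"""

if __name__ == "__main__":
    for dom, cls in find_violations(SAMPLE):
        print(f"{dom}: allow on {cls} would trip the halserverdomain neverallow")
```
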

