AIDL HAL sepolicy in system_ext issue


Fernando Ito

Jul 24, 2023, 6:39:09 PM
to Android Building
I'm developing an exercise of defining an AIDL HAL in system_ext, with the interface implementation in the vendor image and the interface consumer in system_ext. I also defined the device manifest and the framework compatibility matrix, and all parts communicate beautifully when they run as root. Now I'm writing the sepolicy so they can run without privileges, but I'm having a pretty hard time with it.

I'm building AOSP this way:

$ repo init \
--verbose \
--manifest-url=https://android.googlesource.com/platform/manifest \
--manifest-branch=android-13.0.0_r61

$ repo sync \
--network-only \
--verbose

$ repo sync \
--local-only \
--verbose

$ source build/envsetup.sh

$ lunch sdk_phone_x86_64-eng

$ m

The sync and build defined above work fine and the emulator opens. But as soon as I define a hal_attribute() in system_ext, the build fails with an endless scroll of neverallow rule violations.

The changes I made:

$ repo diff

project device/generic/goldfish/
diff --git a/vendor.mk b/vendor.mk
index f558be35..2ff0ac74 100644
--- a/vendor.mk
+++ b/vendor.mk
@@ -345,3 +345,5 @@ ifneq ($(EMULATOR_VENDOR_NO_FINGERPRINT), true)
     PRODUCT_COPY_FILES += \
         frameworks/native/data/etc/android.hardware.fingerprint.xml:$(TARGET_COPY_OUT_VENDOR)/etc/permissions/android.hardware.fingerprint.xml
 endif
+
+$(call inherit-product-if-exists, vendor/nandsito/goldfish/vendor.mk)
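Review bot: the added `$(call inherit-product-if-exists, vendor/nandsito/goldfish/vendor.mk)` at the end of the hunk fails silently when that path is absent or mistyped, so a wrong path would look like the sepolicy change simply had no effect rather than breaking the build; while iterating on policy, plain `$(call inherit-product, vendor/nandsito/goldfish/vendor.mk)` turns a missing file into a hard error. The inherited file only sets SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS, a board-level variable that AOSP device trees normally set in BoardConfig.mk rather than in a product makefile; the log later in the post shows the system_ext policy step failing once the attribute is added, so the directory is evidently being read, but keeping the product makefile to PRODUCT_* variables would match the rest of vendor.mk.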


$ cat vendor/nandsito/goldfish/vendor.mk
SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += \
    vendor/nandsito/sepolicy/system_ext/public \


$ ls vendor/nandsito/sepolicy/system_ext/public
attributes


$ cat vendor/nandsito/sepolicy/system_ext/public/attributes
hal_attribute(myhal)


The generated out/build_error file is 2.2 megabytes. Its head and tail:

[//system/sepolicy:system_ext_sepolicy.cil Building cil for system_ext_sepolicy.cil [common]

out/host/linux-x86/bin/checkpolicy -C -M -c 30 -o out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.conf/android_common/system_ext_sepolicy.conf && out/host/linux-x86/bin/build_sepolicy filter_out -f out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil -t out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil && grep -v ';;' out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil > out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil.tmp && mv out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil.tmp out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil && out/host/linux-x86/bin/secilc -m -M true -G -c 30 out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil -o /dev/null -f /dev/null # hash of input list: 4ecb6148ab29a9609136580b26806507384683052f53efdc2f3d67593f593e31

neverallow check failed at out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:2733
  (neverallow base_typeattr_599 zygote_userfaultfd (anon_inode (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:29429
      (allow zygote zygote_userfaultfd (anon_inode (ioctl read create)))

neverallow check failed at out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:2732
  (neverallow webview_zygote base_typeattr_600 (service_manager (find)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:17225
      (allow base_typeattr_579 keystore_maintenance_service (service_manager (find)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:17230
      (allow base_typeattr_579 apc_service (service_manager (find)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:17231
      (allow base_typeattr_579 keystore_service (service_manager (find)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:17232
      (allow base_typeattr_579 legacykeystore_service (service_manager (find)))
    Only first 4 of 5 matching rules shown (use "-v" to show all)

neverallow check failed at out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:2731
  (neverallow base_typeattr_599 webview_zygote (process (dyntransition)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:15156
      (allow runas base_typeattr_530 (process (dyntransition)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:29425
      (allow zygote webview_zygote (process (dyntransition)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:976
      (allow runas base_typeattr_533 (process (dyntransition)))

...

neverallow check failed at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6725 from system/sepolicy/public/apexd.te:8
  (neverallow base_typeattr_200 apex_service (service_manager (find)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6716
      (allow apexd apex_service (service_manager (add find)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:27897
      (allow system_server apex_service (service_manager (find)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:28842
      (allow update_engine apex_service (service_manager (find)))

neverallow check failed at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6719 from system/sepolicy/public/apexd.te:6
  (neverallow base_typeattr_199 apex_service (service_manager (add)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6716
      (allow apexd apex_service (service_manager (add find)))

neverallow check failed at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:6690 from system/sepolicy/public/adbd.te:9
  (neverallow base_typeattr_197 adbd (process (dyntransition)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:15156
      (allow runas base_typeattr_530 (process (dyntransition)))
    <root>
    allow at out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil:976
      (allow runas base_typeattr_533 (process (dyntransition)))

Failed to generate binary
Failed to build policydb

out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil

exited with code: 1


Just out of curiosity, I tried defining the hal_attribute(myhal) in system/sepolicy/public/attributes and system/sepolicy/prebuilts/api/33.0/public/attributes and it built just fine.

So I have two questions: is defining an AIDL HAL in system_ext a proper and feasible design? In case it is, what am I doing wrong with the sepolicy definition in system_ext?

Thank you
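A 2.2 MB build_error file is hard to read by scrolling, and the question of whether the violating allow rules live in plat_sepolicy.cil or system_ext_sepolicy.cil is buried in it. The script below is an added example, not code from the post or from AOSP: it parses the secilc "neverallow check failed" format shown above (a failure header with an optional "from <file>.te:<line>" origin, the neverallow rule, and a list of "allow at <file>:<line>" entries followed by the matching allow rule, optionally truncated with "Only first N of M matching rules shown") and summarises the failures by the compiled policy each violating allow comes from. SAMPLE_LOG is a constructed excerpt in the same shape as the post's output; the two .cil paths are taken from that output, and the rule text is abbreviated.

```python
"""Summarise secilc neverallow failures from an AOSP sepolicy build log.

Added example, not part of the original post. The parser targets the
'neverallow check failed at ...' text that secilc prints; the sample log
below is a constructed excerpt modelled on the build_error output in the
post, with the two compiled-policy paths copied from it.
"""
import os
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Compiled policy paths exactly as they appear in the post's build log.
P = "out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil"
S = "out/soong/.intermediates/system/sepolicy/system_ext_sepolicy.cil/android_common/system_ext_sepolicy.cil"

FAIL_RE = re.compile(
    r"^neverallow check failed at (?P<cil>\S+?):(?P<cil_line>\d+)"
    r"(?: from (?P<src>\S+?):(?P<src_line>\d+))?$"
)
ALLOW_AT_RE = re.compile(r"^allow at (?P<cil>\S+?):(?P<cil_line>\d+)$")
PARTIAL_RE = re.compile(r"^Only first (?P<shown>\d+) of (?P<total>\d+) matching rules shown")


@dataclass
class Violation:
    cil_file: str      # compiled policy containing the offending allow rule
    cil_line: int
    rule: str          # the CIL allow statement itself


@dataclass
class NeverallowFailure:
    cil_file: str
    cil_line: int
    source: Optional[str]               # .te file secilc attributed the neverallow to, if printed
    rule: str = ""
    violations: List[Violation] = field(default_factory=list)
    total_matches: Optional[int] = None  # set when secilc truncated the list (use -v for all)


def parse_failures(text: str) -> List[NeverallowFailure]:
    """Walk the log line by line and group each neverallow with its violating allows."""
    failures: List[NeverallowFailure] = []
    pending_allow = None  # (file, line) from the last 'allow at' line, awaiting its rule text
    for raw in text.splitlines():
        line = raw.strip()
        m = FAIL_RE.match(line)
        if m:
            failures.append(NeverallowFailure(m["cil"], int(m["cil_line"]), m["src"]))
            continue
        if not failures:
            continue  # preamble before the first failure
        cur = failures[-1]
        m = ALLOW_AT_RE.match(line)
        if m:
            pending_allow = (m["cil"], int(m["cil_line"]))
            continue
        if line.startswith("(neverallow "):
            cur.rule = line
        elif line.startswith("(allow ") and pending_allow:
            cur.violations.append(Violation(pending_allow[0], pending_allow[1], line))
            pending_allow = None
        else:
            m = PARTIAL_RE.match(line)
            if m:
                cur.total_matches = int(m["total"])
    return failures


def summarize(failures: List[NeverallowFailure]) -> dict:
    """Count failures by origin and violating allows by the policy file they live in."""
    by_policy: Counter = Counter()
    by_source: Counter = Counter()
    truncated = 0
    for f in failures:
        by_source[f.source or f.cil_file] += 1
        for v in f.violations:
            by_policy[os.path.basename(v.cil_file)] += 1
        if f.total_matches is not None and f.total_matches > len(f.violations):
            truncated += 1
    return {"failures": len(failures), "by_policy": dict(by_policy),
            "by_source": dict(by_source), "truncated": truncated}


# Constructed sample in the format of the post's build_error file.
SAMPLE_LOG = f"""\
neverallow check failed at {S}:2733
  (neverallow base_typeattr_599 zygote_userfaultfd (anon_inode (ioctl read write create)))
    <root>
    allow at {P}:29429
      (allow zygote zygote_userfaultfd (anon_inode (ioctl read create)))

neverallow check failed at {S}:2732
  (neverallow webview_zygote base_typeattr_600 (service_manager (find)))
    <root>
    allow at {P}:17225
      (allow base_typeattr_579 keystore_maintenance_service (service_manager (find)))
    <root>
    allow at {P}:17230
      (allow base_typeattr_579 apc_service (service_manager (find)))
    <root>
    allow at {P}:17231
      (allow base_typeattr_579 keystore_service (service_manager (find)))
    <root>
    allow at {P}:17232
      (allow base_typeattr_579 legacykeystore_service (service_manager (find)))
    Only first 4 of 5 matching rules shown (use "-v" to show all)

neverallow check failed at {P}:6690 from system/sepolicy/public/adbd.te:9
  (neverallow base_typeattr_197 adbd (process (dyntransition)))
    <root>
    allow at {P}:15156
      (allow runas base_typeattr_530 (process (dyntransition)))
    <root>
    allow at {S}:976
      (allow runas base_typeattr_533 (process (dyntransition)))

Failed to generate binary
Failed to build policydb
"""

if __name__ == "__main__":
    # For a real run: parse_failures(open("out/build_error").read())
    report = summarize(parse_failures(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Pointing this at out/build_error instead of SAMPLE_LOG shows at a glance how many neverallows fail, how many of the violating allow rules come from plat_sepolicy.cil versus system_ext_sepolicy.cil, and how many listings secilc truncated, which tells you whether re-running the failing secilc command with -v is worth it.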