Need some Guide with a Android SELinux Build Error

I'm currently trying to compile Android 9 with a Quectel EC25 LTE on the RockPi 4,
but I'm stuck at the SELinux implementation.
The EC25 RIL guide tells me to modify/add the following files in the src tree.

  • ($Android_src)/system/core/rootdir/ueventd.rc

    #quectel port
    /dev/ttyUSB* 0660 radio radio
    /dev/cdc-wdm* 0660 radio radio
    /dev/qcqmi* 0660 radio radio
    /dev/cdc-acm* 0660 radio radio

  • ($Android_src)/external/sepolicy/file_contexts

    /dev/ttyUSB[0-9]* u:object_r:tty_device:s0
    /dev/ttyACM[0-9]* u:object_r:tty_device:s0
    /system/bin/rild u:object_r:rild_exec:s0
    /system/socket/rild u:object_r:rild_socket:s0
    /system/socket/rild-debug u:object_r:rild_debug_socket:s0
    /system/bin/pppd u:object_r:pppd_exec:s0
    /dev/ppp u:object_r:ppp_device:s0

  • ($Android_src)/external/sepolicy/rild.te

    allow rild default_prop:property_service set;
    allow rild device:chr_file { read write ioctl open getattr };
    allow rild kernel:system module_request;
    allow rild net_radio_prop:property_service set;
    allow rild ppp_device:chr_file { read write ioctl open };
    allow rild ppp_exec:file { read execute open execute_no_trans };
    allow rild radio_prop:property_service set;
    allow rild self:capability { net_admin setuid };
    allow rild shell_exec:file { read execute open execute_no_trans };
    allow rild sysfs_wake_lock:file { open read write };
    allow rild system_file:file execute_no_trans;
    allow rild system_prop:property_service set;

After running make I receive the following error:

FAILED: out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ "userdebug" = "user" -a -s out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then echo "==========" 1>&2; echo "ERROR: permissive domains not allowed in user builds" 1>&2; echo "List of invalid domains:" 1>&2; cat out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
libsepol.report_failure: neverallow on line 532 of system/sepolicy/public/domain.te (or line 10484 of policy.conf) violated by allow rild default_prop:property_service { set };
libsepol.report_failure: neverallow on line 418 of system/sepolicy/public/domain.te (or line 10370 of policy.conf) violated by allow rild device:chr_file { read write open };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/rk3399/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
[ 4% 449/10291] build out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(rm -f out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 532 of system/sepolicy/public/domain.te (or line 10425 of policy.conf) violated by allow rild default_prop:property_service { set };
libsepol.report_failure: neverallow on line 418 of system/sepolicy/public/domain.te (or line 10311 of policy.conf) violated by allow rild device:chr_file { read write open };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[ 4% 450/10291] //bionic/libc:libc_bionic_ndk clang++ bionic/bionic_systrace.cpp [arm]
ninja: build stopped: subcommand failed.
10:24:06 ninja failed with: exit status 1

I'm not familiar with Android/SELinux, but I googled the error and found "neverallow" directives to be set, without any luck.

Help would be appreciated,

rgds

system/sepolicy/public/domain.te :523
neverallow { domain -init -vendor_init } default_prop:property_service set;

The domain label can't allow set on default_prop, but init and vendor_init can.
domain is the parent of rild, so you need:
neverallow { domain -init -vendor_init -rild } default_prop:property_service set;

system/sepolicy/public/domain.te :418
neverallow domain device:chr_file { open read write };
change to
neverallow { domain -rild } device:chr_file { open read write };

With this change, CTS may not pass.

Hi Lili,

After adding "-rild" to the lines:

system/sepolicy/public/domain.te :418
neverallow { domain -rild } device:chr_file { open read write };

system/sepolicy/public/domain.te :523
neverallow { domain -init -vendor_init -rild } default_prop:property_service set;

I receive the following error:

system/sepolicy/public/domain.te:418:ERROR 'unknown type rild' at token ';' on line 10295:
neverallow { domain -rild } device:chr_file { open read write };

As far as I can tell, it seems like "rild" is not known.

[ 0% 1/5428] build out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil
FAILED: out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -C -M -c 30 -o out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil.tmp out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf ) && (grep -Fxv -f out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/reqd_policy_mask.cil out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil.tmp > out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil )"
system/sepolicy/public/domain.te:418:ERROR 'unknown type rild' at token ';' on line 10295:
neverallow { domain -rild } device:chr_file { open read write };
#Rather force a relabel to a more specific type.
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/rk3399/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
[ 0% 16/5428] build TAs
make: Entering directory '/home/toor/rockpi4-android9/external/rk_tee_user'
make[1]: Entering directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta'
make[2]: Entering directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp'
CLEAN .
make[2]: Leaving directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp'
make[2]: Entering directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp_storage'
CLEAN .
make[2]: Leaving directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp_storage'
make[1]: Leaving directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta'
make: Leaving directory '/home/toor/rockpi4-android9/external/rk_tee_user'
make: Entering directory '/home/toor/rockpi4-android9/external/rk_tee_user'
make[1]: Entering directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta'
make[2]: Entering directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp'
/home/toor/rockpi4-android9/prebuilts/gcc/linux-x86/arm/arm-eabi-4.8/bin/arm-eabi-gcc /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp/testapp_ta.o
CPP /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp/ta.lds
/home/toor/rockpi4-android9/prebuilts/gcc/linux-x86/arm/arm-eabi-4.8/bin/arm-eabi-gcc /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp/user_ta_header.o
LD /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp/8cccf200-2450-11e4-abe20002a5d5c52c.elf
OBJDUMP /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp/8cccf200-2450-11e4-abe20002a5d5c52c.dmp
OBJCOPY /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp/8cccf200-2450-11e4-abe20002a5d5c52c.stripped.elf
SIGN /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp/8cccf200-2450-11e4-abe20002a5d5c52c.ta
SIGN KEY /home/toor/rockpi4-android9/external/rk_tee_user/export-user_ta/keys/oem_privkey.pem
make[2]: Leaving directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp'
make[2]: Entering directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp_storage'
CPP /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp_storage/ta.lds
/home/toor/rockpi4-android9/prebuilts/gcc/linux-x86/arm/arm-eabi-4.8/bin/arm-eabi-gcc /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp_storage/testapp_storage_ta.o
/home/toor/rockpi4-android9/prebuilts/gcc/linux-x86/arm/arm-eabi-4.8/bin/arm-eabi-gcc /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp_storage/user_ta_header.o
LD /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp_storage/8dddf200-2450-11e4-abe20002a5d5c53d.elf
OBJDUMP /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp_storage/8dddf200-2450-11e4-abe20002a5d5c53d.dmp
OBJCOPY /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp_storage/8dddf200-2450-11e4-abe20002a5d5c53d.stripped.elf
SIGN /home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp_storage/8dddf200-2450-11e4-abe20002a5d5c53d.ta
SIGN KEY /home/toor/rockpi4-android9/external/rk_tee_user/export-user_ta/keys/oem_privkey.pem
make[2]: Leaving directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta/testapp_storage'
make[1]: Leaving directory '/home/toor/rockpi4-android9/external/rk_tee_user/ta'
make: Leaving directory '/home/toor/rockpi4-android9/external/rk_tee_user'
ninja: build stopped: subcommand failed.
06:24:54 ninja failed with: exit status 1
###failed to build some targets (03:42 (mm:ss)) ####

Public policy cannot access vendor types after Android O.
Maybe:

    allow rild default_prop:property_service set;

change to

    set_prop(rild,vendor_default_prop)

you can use:

# Common default properties for vendor and odm.
init.svc.odm.           u:object_r:vendor_default_prop:s0
init.svc.vendor.        u:object_r:vendor_default_prop:s0
ro.hardware.            u:object_r:vendor_default_prop:s0
ro.odm.                 u:object_r:vendor_default_prop:s0
ro.vendor.              u:object_r:vendor_default_prop:s0
odm.                    u:object_r:vendor_default_prop:s0
persist.odm.            u:object_r:vendor_default_prop:s0
persist.vendor.         u:object_r:vendor_default_prop:s0
vendor. 

You need to replace char with the chr_file that rild can access.

allow rild device:chr_file { read write ioctl open getattr };

like this:

allow rild rild_device:rild_xxxx_file { read write ioctl open getattr };
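To see why the two allow rules trip the platform neverallows, and why relabelling the modem nodes to a dedicated type and using a vendor property type passes (the direction both replies above point at), here is an added toy checker in Python; it is not part of the thread and not Android's checkpolicy, it models only attribute expansion and `-type` subtraction, and the policy strings, the `domain` membership list and the `quectel_device` type name are constructed for the example.

```python
import re

# One allow/neverallow statement: source target:class perms;
RULE = re.compile(r"^(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|\S+);$")

def parse_set(tok):
    """'{ domain -init }' -> ({'domain'}, {'init'}); 'rild' -> ({'rild'}, set())."""
    names = tok.strip("{}").split()
    return ({n for n in names if not n.startswith("-")},
            {n[1:] for n in names if n.startswith("-")})

def expand(tok, attrs):
    """Resolve a type set to concrete types: attributes expand, '-x' subtracts."""
    pos, neg = parse_set(tok)
    types = set().union(*(attrs.get(n, {n}) for n in pos))
    return types.difference(*(attrs.get(n, {n}) for n in neg))

def neverallow_violations(policy, attrs):
    """Return (source, target, class, perms) for every allow that a neverallow forbids."""
    rules = [m for m in (RULE.match(l.strip()) for l in policy.splitlines()) if m]
    allows = [r for r in rules if r[1] == "allow"]
    found = []
    for na in (r for r in rules if r[1] == "neverallow"):
        src, tgt = expand(na[2], attrs), expand(na[3], attrs)
        perms = parse_set(na[5])[0]
        for al in allows:
            hit = parse_set(al[5])[0] & perms if al[4] == na[4] else set()
            if hit and expand(al[2], attrs) & src and expand(al[3], attrs) & tgt:
                found.append((al[2], al[3], al[4], tuple(sorted(hit))))
    return found

# Constructed mini-policy: 'domain' is an attribute every process type carries,
# so rild inherits each platform neverallow written against it.
ATTRS = {"domain": {"init", "vendor_init", "rild", "shell"}}
FAILING = """
neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow domain device:chr_file { open read write };
allow rild default_prop:property_service set;
allow rild device:chr_file { read write ioctl open getattr };
"""
# Same neverallows; rild now targets a vendor property type and a dedicated
# device type (quectel_device is a hypothetical name) instead of catch-all 'device'.
FIXED = """
neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow domain device:chr_file { open read write };
allow rild vendor_default_prop:property_service set;
allow rild quectel_device:chr_file { read write ioctl open getattr };
"""

if __name__ == "__main__":
    for rule in neverallow_violations(FAILING, ATTRS):
        print("neverallow violated by allow %s %s:%s %s" % rule)
    print("fixed policy violations:", neverallow_violations(FIXED, ATTRS))
```

Subtracting `-rild` from the neverallow, as tried above, also fails in this model of the real build because `rild` is not a type the public platform policy can name; only the vendor-side relabel avoids the assertion.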