author | Shawn Guo <shawn.guo@linaro.org> | 2018-08-22 14:40:37 +0800 |
---|---|---|
committer | Shawn Guo <shawn.guo@linaro.org> | 2018-08-22 14:40:37 +0800 |
commit | f6edae694f9613627068902387e41d9385c20373 (patch) | |
tree | e52aa23cadb6efd9c266ce3c528d08da5d092700 /sepolicy | |
parent | 741e61d94c0ffa06f2d971aed5b662607f72d0c9 (diff) | |
Fix sepolicy neverallow failures with hi_overlay_file and vendor_file
Poplar build is broken as below due to the merge of "neverallow fwk access to /vendor"
in system/sepolicy repository.
libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow platform_app hi_overlay_file:file { read getattr open };
libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow priv_app vendor_file:file { read getattr open };
libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow bootanim hi_overlay_file:file { read getattr open };
libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow surfaceflinger hi_overlay_file:file { read getattr open };
libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow system_app vendor_file:file { read getattr open };
libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow platform_app vendor_file:file { read getattr open };
libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow priv_app hi_overlay_file:file { read getattr open };
libsepol.report_failure: neverallow on line 1056 of system/sepolicy/public/domain.te (or line 12227 of policy.conf) violated by allow system_app hi_overlay_file:file { read getattr open };
libsepol.check_assertions: 8 neverallow failures occurred
Let's update the Poplar sepolicy to fix the failures and get the build to pass.
Change-Id: I6e47077e2bc36952f897cdace0b90caf2201838b
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/file.te | 2 | ||||
-rw-r--r-- | sepolicy/platform_app.te | 1 | ||||
-rw-r--r-- | sepolicy/priv_app.te | 1 | ||||
-rw-r--r-- | sepolicy/system_app.te | 1 |
4 files changed, 1 insertions, 4 deletions
diff --git a/sepolicy/file.te b/sepolicy/file.te index 266ee3d..a902be7 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -1,5 +1,5 @@ type sysfs_hisi, fs_type, sysfs_type; type proc_hisi, fs_type, proc_type; #type proc_slabinfo, fs_type, proc_type; -type hi_overlay_file, vendor_file_type, file_type; +type hi_overlay_file, file_type; diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te index f51833c..b3e20f5 100644 --- a/sepolicy/platform_app.te +++ b/sepolicy/platform_app.te @@ -1,4 +1,3 @@ allow platform_app mali_device:chr_file { getattr ioctl open read write }; -allow platform_app vendor_file:file { read open getattr }; allow platform_app hi_vfmw_device:chr_file { write read open ioctl getattr}; allow platform_app hi_overlay_file:file { read open getattr }; diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te index d051837..565ca06 100644 --- a/sepolicy/priv_app.te +++ b/sepolicy/priv_app.te @@ -8,7 +8,6 @@ allow priv_app proc_interrupts:file { open }; allow priv_app proc_modules:file { open }; allow priv_app sysfs_android_usb:file { open }; allow priv_app zygote:dir { search }; -allow priv_app vendor_file:file { read open getattr }; allow priv_app hi_vfmw_device:chr_file { write read open ioctl getattr}; allow priv_app hi_overlay_file:file { read open getattr }; diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te index e80d5ff..28378ca 100644 --- a/sepolicy/system_app.te +++ b/sepolicy/system_app.te @@ -2,7 +2,6 @@ set_prop(system_app, hisi_prop) allow system_app mali_device:chr_file { getattr ioctl open read write }; allow system_app hi_vdec_device:chr_file { getattr read write open ioctl }; -allow system_app vendor_file:file { read open getattr }; allow system_app hi_vfmw_device:file { write read open getattr }; allow system_app hi_vfmw_device:chr_file { write read open getattr }; allow system_app hi_overlay_file:file { read open getattr }; |
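Review bot: Dropping `vendor_file_type` from `hi_overlay_file` in sepolicy/file.te silences the neverallow without changing who can read the files. The `allow platform_app hi_overlay_file:file { read open getattr };` rule and its priv_app and system_app counterparts are kept in the later hunks, so those framework domains retain the same access. If the files labelled `hi_overlay_file` live under /vendor (the file_contexts entry is not part of this diff), the type no longer says so, and the system/vendor separation that the neverallow enforces is sidestepped rather than satisfied. Consider keeping the attribute and relabelling the files to a type the neverallow already exempts, for example `vendor_overlay_file` if these are resource overlays. Otherwise record the reason beside the declaration, e.g. `# not vendor_file_type: read by coredomain apps, see the neverallow in system/sepolicy/public/domain.te`.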