Android P系统编译报错SELinux违反Neverallow

一、违反neverallow规则

在文章《Android P关于串口访问权限的问题》讲到了关于SELinux权限问题。

SeLinux的*.te文件路径：
p9.0.0.0\device\fsl\imx8q\sepolicy
p9.0.0.0\system\sepolicy

其中为了给串口增加权限，修改了一些*.te的权限配置文件，修改完之后系统编译报错。

报错信息如下：

FAILED: out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows 
/bin/bash -c "(rm -f out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 31 of system/sepolicy/private/domain.te (or line 26746 of policy.conf) violated by allow system_app sysfs:file {  read write create setattr open };
libsepol.report_failure: neverallow on line 507 of system/sepolicy/public/app.te (or line 8383 of policy.conf) violated by allow system_app sysfs:file {  write };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/mek_8q/obj/ETC/sepolicy_neverallows_intermediates/policy.conf

错误分析：system/sepolicy/private/domain.te和system/sepolicy/public/app.te违反了neverallows规则

解决办法：

1.修改system/sepolicy/private/domain.te文件中的：

# /sys
  neverallow { 
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

修改为：

# /sys
  neverallow { 
    coredomain
    -init
    -ueventd
    -vold
    -appdomain        //排除appdomain
  } sysfs:file no_rw_file_perms;

绝对不允许app对sysfs:file进行文件读写操作，改为：可以允许app对sysfs:file进行文件读写操作。

2.修改system\sepolicy\public\app.te文件中的：

# Write to various pseudo file systems.
neverallow {  appdomain -bluetooth -nfc }
    sysfs:dir_file_class_set write;
neverallow appdomain
    proc:dir_file_class_set write;

改为：

# Write to various pseudo file systems.
#neverallow {  appdomain -bluetooth -nfc }
#    sysfs:dir_file_class_set write;
neverallow appdomain
    proc:dir_file_class_set write;

二、system/sepolicy/prebuilts/api/28.0/private和system/sepolicy/private文件不一致

system/sepolicy/prebuilts/api/28.0/private和system/sepolicy/private下面的文件
system/sepolicy/prebuilts/api/28.0/public和system/sepolicy/public下面的文件，必须保持一致

否则会报错误：

[  0% 1/321] build out/target/product/mek_8q/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
FAILED: out/target/product/mek_8q/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test 
/bin/bash -c "(diff -rq system/sepolicy/prebuilts/api/28.0/public system/sepolicy/public ) && (diff -rq system/sepolicy/prebuilts/api/28.0/private system/sepolicy/private ) && (touch out/target/product/mek_8q/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
Files system/sepolicy/prebuilts/api/28.0/public/app.te and system/sepolicy/public/app.te differ
[  2% 7/321] Merging KERNEL config
Using /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx/arch/arm64/configs/android_car_defconfig as base
Merging /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx
sed: read error on /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx: Is a directory
cat: /home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/vendor/nxp-opensource/kernel_imx: Is a directory
make[1]: Entering directory `/home/sunxl/imx8_p9.0.0_2.1.0_auto_ga/android9.0.0/out/target/product/mek_8q/obj/KERNEL_OBJ'
  GEN     ./Makefile

diff --git a/prebuilts/api/28.0/private/service_contexts b/prebuilts/api/28.0/private/service_contexts
index 5ec45a2..06429cd 100644
--- a/prebuilts/api/28.0/private/service_contexts
+++ b/prebuilts/api/28.0/private/service_contexts
@@ -9,6 +9,7 @@ appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
 audio                                     u:object_r:audio_service:s0
+mycpuinfo                                 u:object_r:mycpuinfo_service:s0
 autofill                                  u:object_r:autofill_service:s0
 backup                                    u:object_r:backup_service:s0
 batteryproperties                         u:object_r:batteryproperties_service:s0
diff --git a/prebuilts/api/28.0/public/service.te b/prebuilts/api/28.0/public/service.te
index 3526049..fe0474f 100644
--- a/prebuilts/api/28.0/public/service.te
+++ b/prebuilts/api/28.0/public/service.te
@@ -64,6 +64,7 @@ type country_detector_service, app_api_service, ephemeral_app_api_service, syste
 # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
 # with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
 type coverage_service, system_server_service, service_manager_type;
+type mycpuinfo_service, system_server_service, service_manager_type;
 type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
 type device_policy_service, app_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 5ec45a2..06429cd 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -9,6 +9,7 @@ appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
 audio                                     u:object_r:audio_service:s0
+mycpuinfo                                 u:object_r:mycpuinfo_service:s0
 autofill                                  u:object_r:autofill_service:s0
 backup                                    u:object_r:backup_service:s0
 batteryproperties                         u:object_r:batteryproperties_service:s0
diff --git a/public/service.te b/public/service.te
index 3526049..fe0474f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -64,6 +64,7 @@ type country_detector_service, app_api_service, ephemeral_app_api_service, syste
 # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
 # with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
 type coverage_service, system_server_service, service_manager_type;
+type mycpuinfo_service, system_server_service, service_manager_type;
 type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
 type device_policy_service, app_api_service, system_server_service, service_manager_type;

 

里面内容要保持一致