Add /dev/i2c-* to priv_app sepolicy? (Android 8.0.0)

I fixed the init script to set the perms I want on the /dev/i2c files but I can’t seem to get the sepolicy changes to work. I put a priv_app.te file in the device/linaro/hikey/sepolicy dir that contains the following:

allow priv_app i2c_device:chr_file { read write };

But it does not seem to take effect. I dumped the policy file and it seems like it munged my policy up:

allow priv_app_26_0 i2c_device_26_0:chr_file { read write };

where does the _26_0 come from and how can I make it go away?

Thanks,
Mike

I assume this is for compatibility purpose (Android 8.0.0 API 26).
cf system/sepolicy/private/compat/26.0.

Don’t think you need to make it go away; what sepolicy error do you get with this?

The error I get is:

[ 174.594739] type=1400 audit(1508343759.583:92): avc: denied { write } for pid=3089 comm="ova.handclouddm" name="i2c-1" dev="tmpfs" ino=14339 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:i2c_device:s0 tclass=chr_file permissive=0
[ 175.319686] type=1400 audit(1508343759.583:92): avc: denied { write } for pid=3089 comm="ova.handclouddm" name="i2c-1" dev="tmpfs" ino=14339 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:i2c_device:s0 tclass=chr_file permissive=0

PS: Sorry if this is the wrong place to post an seandroid question, was not sure where to go with this.

Thanks,
Mike

Hi Loic, was wondering if you had a chance to look at this? We are designing a device around the hikey board and need I2C access to work, preferably without making selinux permissive :slight_smile:

Thanks!,
Mike

Interesting, seems there is a problem with the suffix version generation; I’m going to try on my side.
Could you try to add PRODUCT_FULL_TREBLE_OVERRIDE := true in device/linaro/hikey/hikey.mk and let me know.

Ok, added that to the make file, it seems to cause a compile error? Right now the compile is stuck at 45% and this is the error on my screen:

[ 45% 34291/75024] build out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy
FAILED: out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy
/bin/bash -c "(out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/hikey/obj/ETC/26.0.cil_intermediates/26.0.cil out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ "userdebug" = "user" -a -s out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo "==========" 1>&2; echo "ERROR: permissive domains not allowed in user builds" 1>&2; echo "List of invalid domains:" 1>&2; cat out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )"
neverallow check failed at out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:2477
(neverallow base_typeattr_55_26_0 base_typeattr_56_26_0 (file (execute execute_no_trans entrypoint)))

allow at out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:5777
(allow hal_bluetooth_hikey hal_bluetooth_hikey_exec (file (read getattr execute entrypoint open)))

allow at out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:5786
(allow hci_attach hci_attach_exec (file (read getattr execute entrypoint open)))

neverallow check failed at out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4423 from system/sepolicy/public/domain.te:672
(neverallow base_typeattr_55 base_typeattr_56 (file (execute execute_no_trans entrypoint)))

allow at out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:5777
(allow hal_bluetooth_hikey hal_bluetooth_hikey_exec (file (read getattr execute entrypoint open)))

allow at out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:5786
(allow hci_attach hci_attach_exec (file (read getattr execute entrypoint open)))

Failed to generate binary
Failed to build policydb
[ 45% 34299/75024] build out/target/product/hikey/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
FAILED: out/target/product/hikey/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
/bin/bash -c "out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/hikey/obj/ETC/26.0.cil_intermediates/26.0.cil out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/hikey/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy -f /dev/null"
neverallow check failed at out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:2477
(neverallow base_typeattr_55_26_0 base_typeattr_56_26_0 (file (execute execute_no_trans entrypoint)))

allow at out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:5777
(allow hal_bluetooth_hikey hal_bluetooth_hikey_exec (file (read getattr execute entrypoint open)))

allow at out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:5786
(allow hci_attach hci_attach_exec (file (read getattr execute entrypoint open)))

neverallow check failed at out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4423 from system/sepolicy/public/domain.te:672
(neverallow base_typeattr_55 base_typeattr_56 (file (execute execute_no_trans entrypoint)))

allow at out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:5777
(allow hal_bluetooth_hikey hal_bluetooth_hikey_exec (file (read getattr execute entrypoint open)))

allow at out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:5786
(allow hci_attach hci_attach_exec (file (read getattr execute entrypoint open)))

Failed to generate binary
Failed to build policydb

Thanks,
Mike

So SELinux had some changes with Android 8.0 due to Treble:

Device-specific rules are automatically versioned with the PLATFORM_SEPOLICY_VERSION build variable. However, there is a mapping that links the types from the public policy with the corresponding attributes in the vendor policy.

I’ve tested on my side, accessing the i2c dev from a terminal app. I added the following rule in device/linaro/hikey/sepolicy/: allow untrusted_app i2c_device:chr_file { open read write };

These rules are then versioned, but this works. I build for hikey960, but this part is common to hikey.
I suggest you update to master head and retry.

If this does not work please let me know. You can also try to directly add your priv_app allow rule in system/sepolicy/private/priv_app.te to see if it makes any diff.
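As an added illustration (not code from this thread or from AOSP), a small Python parser that turns avc denial lines like the two quoted earlier into the minimal allow rule, the way audit2allow does, and strips the Treble version suffix (_26_0) from a type name seen in a policy dump. The sample log text is a constructed copy of the thread's two denial lines.

```python
import re

# Constructed sample: the two avc denial lines quoted earlier in this thread.
SAMPLE_DMESG = """\
[ 174.594739] type=1400 audit(1508343759.583:92): avc: denied { write } for pid=3089 comm="ova.handclouddm" name="i2c-1" dev="tmpfs" ino=14339 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:i2c_device:s0 tclass=chr_file permissive=0
[ 175.319686] type=1400 audit(1508343759.583:92): avc: denied { write } for pid=3089 comm="ova.handclouddm" name="i2c-1" dev="tmpfs" ino=14339 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:i2c_device:s0 tclass=chr_file permissive=0
"""

# One avc denial: permissions in braces, then source/target contexts and object class.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)

def parse_denials(text):
    """Yield one dict per avc denial line; the type is field 3 of u:r:type:s0[:cats]."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "perms": set(m.group("perms").split()),
            "source": m.group("scon").split(":")[2],
            "target": m.group("tcon").split(":")[2],
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        }

def denials_to_rules(text):
    """Merge denials by (source, target, class) and emit one allow rule per triple.
    Only the denied permissions appear; a device node usually also needs open,
    which is why the rule tested later in this thread lists { open read write }."""
    merged = {}
    for d in parse_denials(text):
        key = (d["source"], d["target"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in sorted(merged.items())
    ]

def strip_version_suffix(type_name, version="26.0"):
    """Map a versioned vendor type from a policy dump (priv_app_26_0) back to its public name."""
    suffix = "_" + version.replace(".", "_")
    return type_name[:-len(suffix)] if type_name.endswith(suffix) else type_name
```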

I can’t get master to build for hikey. It gives the following error:

python: can't open file 'prebuilts/clang/host/linux-x86/clang-4393122/bin/clang++': [Errno 2] No such file or directory

Can you suggest one of the tags that might work?

Thanks,
Mike

Do you have this file in your AOSP tree? I’ve just synced master and the above path is safe on my side.

Yeah I just removed and refreshed my tree and I am still getting

python: can't open file 'prebuilts/clang/host/linux-x86/clang-4393122/bin/clang++': [Errno 2] No such file or directory

And yeah, the file is there :confused:

Thanks,
Mike

Hi @mpanetta ,
Did you happen to fix the compilation issue? Mine is stuck at the same issue too.

Hi @Loic,

PRODUCT_FULL_TREBLE_OVERRIDE := true in device/linaro/hikey/hikey.mk

This change is creating a compilation issue. Did it work for you?
If so, did you make any modifications?

Thanks

No this change was for debug testing only (related to sepolicy issue). Do not apply this.

I’m curious to know how @mpanetta has fixed his build issue as well.

The “fixes” I did are in this thread: AOSP Master won't build, what am I doing wrong? - #3 by mpanetta

No amount of repo sync had fixed the issue. I had to apply those patches.

Thanks,
Mike