In fact I already added a modprobe.te under device/linaro/hikey/sepolicy:
allow modprobe { vendor_file }:system module_load;
allow modprobe vendor_toolbox_exec:file { entrypoint };
In fact I also followed the links below to add some policy under /system/sepolicy:
https://android.googlesource.com/platform/system/sepolicy/+/e41af20%5E!/
https://android.googlesource.com/platform/system/sepolicy/+/53add31%5E!/
https://android.googlesource.com/platform/system/sepolicy/+/d46b5d3%5E!/
After adding all of the above modifications, I tried to compile but got the following error message:
/bin/bash -c "(rm -f out/target/product/hikey960/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/hikey960/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/hikey960/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
libsepol.report_failure: neverallow on line 1090 of system/sepolicy/public/domain.te (or line 12528 of policy.conf) violated by allow modprobe vendor_toolbox_exec:file { read getattr map execute entrypoint open };
libsepol.report_failure: neverallow on line 1061 of system/sepolicy/public/domain.te (or line 12450 of policy.conf) violated by allow modprobe vendor_toolbox_exec:file { execute };
libsepol.check_assertions: 2 neverallow failures occurred
This means Hikey currently has a limitation on modprobe in the neverallow part of domain.te:
I paste the part of domain.te around line 1090 and line 1061:
full_treble_only(`
  # Do not allow system components access to /vendor files except for the
  # ones whitelisted here.
  neverallow {
    coredomain
    # TODO(b/37168747): clean up fwk access to /vendor
    -crash_dump
    -init # starts vendor executables
    -kernel # loads /vendor/firmware
    userdebug_or_eng(`-perfprofd')
    userdebug_or_eng(`-heapprofd')
    -shell
    -ueventd # reads /vendor/ueventd.rc
  } {
    vendor_file_type
    -same_process_hal_file
    -vendor_file
    -vendor_app_file
    -vendor_configs_file
    -vendor_framework_file
    -vendor_idc_file
    -vendor_keychars_file
    -vendor_keylayout_file
    -vendor_overlay_file
    -vendor_public_lib_file
    -vndk_sp_file
  }:file *;
')
Does this mean the Hikey board forbids this modprobe operation for some special reason?
Or how can I fix this conflict error?
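
Added example, not part of the original post and not AOSP code: a small Python model of how the neverallow quoted above is evaluated against the two allow rules from the post's modprobe.te. The attribute membership table is an assumption inferred from the libsepol error text, and example_vendor_domain is a hypothetical type used only for contrast.

```python
# Added example: attribute membership is an ASSUMPTION inferred from the
# libsepol error in the post, not read from a compiled policy.
ATTRS = {
    "coredomain": {"modprobe", "init", "kernel", "shell", "ueventd", "crash_dump"},
    "vendor_file_type": {"vendor_file", "vendor_toolbox_exec",
                         "vendor_configs_file", "same_process_hal_file"},
}

# Source and target sets of the neverallow quoted from domain.te in the post
# (the userdebug_or_eng-only exceptions are included unconditionally here).
NA_SOURCE = ["coredomain", "-crash_dump", "-init", "-kernel", "-perfprofd",
             "-heapprofd", "-shell", "-ueventd"]
NA_TARGET = ["vendor_file_type", "-same_process_hal_file", "-vendor_file",
             "-vendor_app_file", "-vendor_configs_file", "-vendor_framework_file",
             "-vendor_idc_file", "-vendor_keychars_file", "-vendor_keylayout_file",
             "-vendor_overlay_file", "-vendor_public_lib_file", "-vndk_sp_file"]
NA_CLASS = "file"  # the rule ends in ":file *", so every permission is covered


def expand(tokens):
    """Expand a set such as {coredomain -init} into concrete type names."""
    include, exclude = set(), set()
    for tok in tokens:
        bucket = exclude if tok.startswith("-") else include
        name = tok.lstrip("-")
        bucket |= ATTRS.get(name, {name})  # attribute -> members, else a type
    return include - exclude


def violations(allow_rules):
    """Return the allow rules (source, target, class, perms) the neverallow forbids."""
    sources, targets = expand(NA_SOURCE), expand(NA_TARGET)
    return [r for r in allow_rules
            if r[0] in sources and r[1] in targets and r[2] == NA_CLASS]


# The two rules from the post's modprobe.te, plus a hypothetical domain
# ("example_vendor_domain") that is not a member of coredomain.
RULES = [
    ("modprobe", "vendor_file", "system", {"module_load"}),
    ("modprobe", "vendor_toolbox_exec", "file", {"entrypoint"}),
    ("example_vendor_domain", "vendor_toolbox_exec", "file", {"entrypoint"}),
]

if __name__ == "__main__":
    for src, tgt, cls, perms in violations(RULES):
        print(f"neverallow violated by allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
```

In this model only the vendor_toolbox_exec rule with modprobe as source is reported: vendor_file is on the rule's exception list, and the rule constrains only sources that carry the coredomain attribute.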