Bug 1190725: [Aries-L] SEpolicy checkpolicy failures at build time
Status: RESOLVED FIXED (opened 9 years ago, closed 9 years ago)
Categories: Firefox OS Graveyard :: GonkIntegration, defect
Tracking: Not tracked, FxOS-S4 (07Aug)
People: Reporter: gerard-majax, Assigned: gerard-majax
Details: Keywords: regression, Whiteboard: [systemsfe]
Attachments: 2 files, 1 obsolete file
This used to work. See attachment. Regression from bug 1136032.
Flags: needinfo?(julian.r.hector)
Comment 1•9 years ago (Assignee)
Assignee: nobody → lissyx+mozillians
Status: NEW → ASSIGNED
Attachment #8642881 - Flags: review?(mwu)
Comment 2•9 years ago
Comment on attachment 8642881: Manifest PR
Why is this a per-device thing? Can't we stick this in base-l-aosp or base-l?
Comment 3•9 years ago (Assignee)
I don't know, I have followed the path of per-device that was taken in bug 1136032.
Comment 4•9 years ago
Yeah, this was bound to happen, and aries-l is getting some policies as well (I got a device here); any other device based on L will need policies as well.
:mwu, there is some general explanation here: https://wiki.mozilla.org/Security/Sandbox/SELinux. We have generic rules that are the same across devices; those are located in gonk-misc/sepolicy. But some domains need to be whitelisted in some neverallow statements of external/sepolicy/, and different devices use a different commit of the external/sepolicy/ repo, so the whitelisting needs to be done in a branch that is based off the one that the device uses (see Bug 1136032 Comment 67).
Flags: needinfo?(julian.r.hector)
Comment 5•9 years ago
All devices based on base-l-aosp.xml should be based on the same external/sepolicy repo though.
Comment 6•9 years ago
They are all using the same repo initially, but each device-specific manifest specifies a line like this:
> <default remote="caf" revision="refs/tags/android-5.1.1_r3" sync-j="4"/>
or for the flame:
> <default remote="caf" revision="LA.BF.1.1.2_rb1.12" sync-j="4"/>
so they all use the same repo but different tags/branches, which may have different versions of the files.
Btw, I gave the PR a quick look and it seems fine; refs/tags/android-5.1.1_r3 (of shinano-l.xml and yukon-l.xml) of external/sepolicy from codeaurora seems to be the same as refs/tags/android-5.1.0_r1.
Comment 7•9 years ago
Yes, but practically speaking, everything based on base-l-aosp.xml uses effectively the same default tag and that should not change. caf is a different story, but we're only talking about base-l-aosp based devices here.
Comment 8•9 years ago
Ok, I took a look at the manifests, and we have at the moment 4 manifests (some symlinks to those) that use base-l-aosp.xml, and all of them base it either on refs/tags/android-5.1.1_r3 or refs/tags/android-5.1.0_r1, which should be the same commit. So it probably works to replace the external/sepolicy repo inside base-l-aosp.xml, but I haven't tested it.
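The manifest check described in comments 6 and 8, as an added example that is not part of the original bug thread or of b2g-manifest: it resolves which revision of external/sepolicy each device manifest ends up with after includes and the `<default>` line are merged. The manifest contents are constructed; only the shinano-l.xml `<default>` line mirrors comment 6, and `device-b-l.xml`, `device-c-l.xml`, `sepolicy-fork` and `device-c-policy` are hypothetical names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed manifests. Only the shinano-l.xml <default> line mirrors comment 6;
# the other device names and every <project> entry are hypothetical.
_DEF = '<default remote="caf" revision="%s" sync-j="4"/>'
_INC = '<include name="base-l-aosp.xml"/>'
MANIFESTS = {
    "base-l-aosp.xml": '<manifest><project name="platform/external/sepolicy" '
                       'path="external/sepolicy"/></manifest>',
    "shinano-l.xml": "<manifest>" + _DEF % "refs/tags/android-5.1.1_r3" + _INC + "</manifest>",
    "device-b-l.xml": "<manifest>" + _DEF % "refs/tags/android-5.1.0_r1" + _INC + "</manifest>",
    # A device that swaps in its own policy repo pinned to a branch.
    "device-c-l.xml": "<manifest>" + _DEF % "refs/tags/android-5.1.1_r3" + _INC
                      + '<remove-project name="platform/external/sepolicy"/>'
                      + '<project name="sepolicy-fork" path="external/sepolicy" '
                        'revision="device-c-policy"/></manifest>',
}

def _walk(name, manifests, state):
    """Merge one manifest and its includes, in document order, into state."""
    for el in ET.fromstring(manifests[name]):
        if el.tag == "include":
            _walk(el.get("name"), manifests, state)
        elif el.tag == "default":
            state["default"] = el.get("revision")
        elif el.tag == "remove-project":
            state["projects"].pop(el.get("name"), None)
        elif el.tag == "project":
            state["projects"][el.get("name")] = el

def effective_revision(top, path, manifests=MANIFESTS):
    """Revision checked out at `path` for manifest `top`, or None if absent.
    Simplified: ignores per-remote revisions and local manifests."""
    state = {"default": None, "projects": {}}
    _walk(top, manifests, state)
    for proj in state["projects"].values():
        if proj.get("path", proj.get("name")) == path:
            # A project without its own revision inherits the <default> one.
            return proj.get("revision") or state["default"]
    return None

def group_by_revision(tops, path="external/sepolicy", manifests=MANIFESTS):
    """Map each effective revision to the device manifests that resolve to it."""
    groups = defaultdict(list)
    for top in tops:
        groups[effective_revision(top, path, manifests)].append(top)
    return dict(groups)

if __name__ == "__main__":
    for rev, tops in group_by_revision(["shinano-l.xml", "device-b-l.xml", "device-c-l.xml"]).items():
        print(rev, tops)
```

The grouping compares revision names only; two different tag names can still point at the same commit, which has to be confirmed in the checked-out external/sepolicy repository.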
Comment 9•9 years ago
:mwu, so I don't see a reason why we shouldn't do that in base-l-aosp.xml, do you? If not, we can change the base-l-aosp.xml instead of each device manifest (nexus-5-l.xml, shinano-l.xml, emulator-l.xml, yukon-l.xml)
Flags: needinfo?(mwu)
Comment 11•9 years ago
This makes all devices based on base-l-aosp use the b2g sepolicy repo which includes the whitelist for the generic b2g domains.
Attachment #8642881 - Attachment is obsolete: true
Attachment #8642881 - Flags: review?(mwu)
Attachment #8643217 - Flags: review?(mwu)
Comment 12•9 years ago
Comment on attachment 8643217: PR b2g-manifest - Use b2g sepolicy repo for all base-l-aosp devices r=mwu
Looks good.
Attachment #8643217 - Flags: review?(mwu) → review+
Comment 13•9 years ago
Build for aries-l was successful and the flash onto the phone as well.
Keywords: checkin-needed
Comment 14•9 years ago
https://github.com/mozilla-b2g/b2g-manifest/commit/6e5f81d66e8a5556dcf442d396f7deb20ee4251e
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → FxOS-S4 (07Aug)
Updated•9 years ago
Whiteboard: [systemsfe]