Created attachment 8642876 [details] error This used to work. See attachment. Regression from bug 1136032.
Created attachment 8642881 [details] [review] Manifest PR
Assignee: nobody → lissyx+mozillians
Status: NEW → ASSIGNED
Attachment #8642881 - Flags: review?(mwu)
Comment on attachment 8642881 [details] [review] Manifest PR Why is this a per-device thing? Can't we stick this in base-l-aosp or base-l?
I don't know, I have followed the path of per-device that was taken in bug 1136032.
Yeah, this was bound to happen, and aries-l is getting some policies as well (I got a device here); any other device based on L will need policies as well. :mwu, there is some general explanation here: https://wiki.mozilla.org/Security/Sandbox/SELinux. We have generic rules that are the same across devices; those are located in gonk-misc/sepolicy. But some domains need to be whitelisted in some neverallow statements of external/sepolicy/, but different devices use a different commit of the external/sepolicy/ repo, so the whitelisting needs to be done in a branch that is based off the one that the device uses (see Bug 1136032 Comment 67).
All devices based on base-l-aosp.xml should be based on the same external/sepolicy repo though.
They are all using the same repo initially, but each device-specific manifest specifies a line like this:
> <default remote="caf" revision="refs/tags/android-5.1.1_r3" sync-j="4"/>
or for the flame:
> <default remote="caf" revision="LA.BF.1.1.2_rb1.12" sync-j="4"/>
so they all use the same repo but different tags/branches, which may have different versions of the files. Btw, I gave the PR a quick look and it seems fine; refs/tags/android-5.1.1_r3 (of shinano-l.xml and yukon-l.xml) of external/sepolicy from codeaurora seems to be the same as refs/tags/android-5.1.0_r1.
Yes, but practically speaking, everything based on base-l-aosp.xml uses effectively the same default tag and that should not change. caf is a different story, but we're only talking about base-l-aosp based devices here.
OK, I took a look at the manifests, and we have at the moment 4 manifests (some symlinks to those) that use base-l-aosp.xml, and all of them base it either on refs/tags/android-5.1.1_r3 or refs/tags/android-5.1.0_r1, which should be the same commit. So it probably works to replace the external/sepolicy repo inside base-l-aosp.xml, but I haven't tested it.
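The manifest comparison discussed in the comments above can be scripted; the following is an added example, not part of the original thread or of b2g-manifest. It resolves which external/sepolicy revision each manifest built on base-l-aosp.xml ends up with, using constructed manifests: device-a-l.xml, device-caf.xml, the project names and the PLACEHOLDER revision are hypothetical, and only the three `<default>` revisions are taken from the thread.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def load(name, manifests):
    """All elements of a manifest, with its <include>s merged in."""
    elems = []
    for el in ET.fromstring(manifests[name]):
        elems += load(el.get("name"), manifests) if el.tag == "include" else [el]
    return elems

def includes(name, base, manifests):
    """True if `name` pulls in `base`, directly or through another include."""
    incs = [e.get("name") for e in ET.fromstring(manifests[name]) if e.tag == "include"]
    return base in incs or any(includes(i, base, manifests) for i in incs)

def effective_revision(name, path, manifests):
    """Revision checked out for the project at `path`: its own, else <default>'s."""
    elems = load(name, manifests)
    default = next((e.get("revision") for e in elems if e.tag == "default"), None)
    for e in elems:
        if e.tag == "project" and e.get("path", e.get("name")) == path:
            return e.get("revision") or default
    return None

def group_by_revision(base, path, manifests):
    """Map each effective revision to the device manifests built on `base`."""
    groups = defaultdict(list)
    for name in sorted(manifests):
        if includes(name, base, manifests):
            groups[effective_revision(name, path, manifests)].append(name)
    return dict(groups)

# Constructed manifests: device-a-l.xml, device-caf.xml and the PLACEHOLDER values are
# hypothetical; only the three <default> revisions are quoted from the thread.
BASE = '<manifest><project name="platform/external/sepolicy" path="external/sepolicy"/></manifest>'
BASE_PINNED = ('<manifest><project name="PLACEHOLDER/sepolicy" path="external/sepolicy" '
               'revision="PLACEHOLDER-b2g-branch"/></manifest>')

def device(rev, base=True):
    inc = '<include name="base-l-aosp.xml"/>' if base else ""
    return f'<manifest>{inc}<default remote="caf" revision="{rev}" sync-j="4"/></manifest>'

def sample(base_xml):
    return {"base-l-aosp.xml": base_xml,
            "shinano-l.xml": device("refs/tags/android-5.1.1_r3"),
            "yukon-l.xml": device("refs/tags/android-5.1.1_r3"),
            "device-a-l.xml": device("refs/tags/android-5.1.0_r1"),
            "device-caf.xml": device("LA.BF.1.1.2_rb1.12", base=False)}

print(group_by_revision("base-l-aosp.xml", "external/sepolicy", sample(BASE)))
```

More than one key in the result means the devices inherit different tags for external/sepolicy, so the tags still have to be compared as commits; with a revision set on the project in the base manifest (BASE_PINNED), every device resolves to that single revision.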
:mwu, so I don't see a reason why we shouldn't do that in base-l-aosp.xml, do you? If not, we can change the base-l-aosp.xml instead of each device manifest (nexus-5-l.xml, shinano-l.xml, emulator-l.xml, yukon-l.xml)
Yeah, we should try it.
Created attachment 8643217 [details] [review] PR b2g-manifest - Use b2g sepolicy repo for all base-l-aosp devices r=mwu This makes all devices based on base-l-aosp use the b2g sepolicy repo which includes the whitelist for the generic b2g domains.
Comment on attachment 8643217 [details] [review] PR b2g-manifest - Use b2g sepolicy repo for all base-l-aosp devices r=mwu Looks good.
Attachment #8643217 - Flags: review?(mwu) → review+
Build for aries-l was successful and the flash onto the phone as well.
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → FxOS-S4 (07Aug)