[Aries-L] SEpolicy checkpolicy failures at build time



Firefox OS
3 years ago


(Reporter: gerard, Assigned: gerard)


(Blocks: 1 bug, {regression})

FxOS-S4 (07Aug)
Gonk (Firefox OS)

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [systemsfe])


(2 attachments, 1 obsolete attachment)



3 years ago
Created attachment 8642876 [details]

This used to work. See attachment. Regression from bug 1136032.
Flags: needinfo?(julian.r.hector)

Comment 1

3 years ago
Created attachment 8642881 [details] [review]
Manifest PR
Assignee: nobody → lissyx+mozillians
Attachment #8642881 - Flags: review?(mwu)

Comment 2

3 years ago
Comment on attachment 8642881 [details] [review]
Manifest PR

Why is this a per-device thing? Can't we stick this in base-l-aosp or base-l?

Comment 3

3 years ago
I don't know, I have followed the path of per-device that was taken in bug 1136032.
Yeah, this was bound to happen, and aries-l is getting some policies as well (I got a device here); any other device based on L will need policies as well.

:mwu, there is some general explanation here: https://wiki.mozilla.org/Security/Sandbox/SELinux. We have generic rules that are the same across devices; those are located in gonk-misc/sepolicy. But some domains need to be whitelisted in some neverallow statements of external/sepolicy/, and different devices use a different commit of the external/sepolicy/ repo, so the whitelisting needs to be done in a branch that is based off the one that the device uses (see Bug 1136032 Comment 67).
Flags: needinfo?(julian.r.hector)

Comment 5

3 years ago
All devices based on base-l-aosp.xml should be based on the same external/sepolicy repo though.
They are all using the same repo initially, but each device-specific manifest specifies a line like this:

> <default remote="caf" revision="refs/tags/android-5.1.1_r3" sync-j="4"/>

or for the flame:

> <default remote="caf" revision="LA.BF.1.1.2_rb1.12" sync-j="4"/>

so they all use the same repo but different tags/branches which may have different versions of the files.

Btw, I gave the PR a quick look and it seems fine; refs/tags/android-5.1.1_r3 (of shinano-l.xml and yukon-l.xml) of external/sepolicy from codeaurora seems to be the same as refs/tags/android-5.1.0_r1.

Comment 7

3 years ago
Yes, but practically speaking, everything based on base-l-aosp.xml effectively uses the same default tag, and that should not change. caf is a different story, but we're only talking about base-l-aosp based devices here.
OK, I took a look at the manifests, and we have at the moment 4 manifests (some symlinks to those) that use base-l-aosp.xml, and all of them base it either on refs/tags/android-5.1.1_r3 or refs/tags/android-5.1.0_r1, which should be the same commit.

So it probably works to replace the external/sepolicy repo inside base-l-aosp.xml, but I haven't tested it.
:mwu, so I don't see a reason why we shouldn't do that in base-l-aosp.xml, do you?

If not, we can change the base-l-aosp.xml instead of each device manifest (nexus-5-l.xml, shinano-l.xml, emulator-l.xml, yukon-l.xml)
Flags: needinfo?(mwu)
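The manual check in comments 5 and 7 (which external/sepolicy revision each device manifest actually ends up on) can be scripted. This is an added example, not code from b2g-manifest or repo itself: the manifests are constructed samples, and the resolution rules are a simplified model of repo's (an explicit project revision wins, otherwise the last `<default revision>` seen after inlining `<include>`).

```python
# Added example: resolve the effective external/sepolicy revision per device
# manifest and group devices by it. Constructed sample manifests, not the
# real b2g-manifest files; simplified model of repo's resolution rules.
import xml.etree.ElementTree as ET

SAMPLE_MANIFESTS = {
    "base-l-aosp.xml": (
        '<manifest>'
        '<default remote="caf" revision="refs/tags/android-5.1.0_r1" sync-j="4"/>'
        '<project path="external/sepolicy" name="platform/external/sepolicy"/>'
        '</manifest>'),
    "shinano-l.xml": (
        '<manifest><include name="base-l-aosp.xml"/>'
        '<default remote="caf" revision="refs/tags/android-5.1.1_r3" sync-j="4"/>'
        '</manifest>'),
    "flame-l.xml": (
        '<manifest><include name="base-l-aosp.xml"/>'
        '<default remote="caf" revision="LA.BF.1.1.2_rb1.12" sync-j="4"/>'
        '</manifest>'),
}

def _expand(name, manifests, seen=()):
    """Return the child elements of a manifest with <include> nodes inlined."""
    if name in seen:
        raise ValueError(f"include cycle at {name}")
    out = []
    for node in ET.fromstring(manifests[name]):
        if node.tag == "include":
            out.extend(_expand(node.get("name"), manifests, seen + (name,)))
        else:
            out.append(node)
    return out

def effective_revision(name, manifests, path="external/sepolicy"):
    """Resolve (repo name, revision) for `path` in manifest `name`, or None."""
    default_rev, project = None, None
    for node in _expand(name, manifests):
        if node.tag == "default" and node.get("revision"):
            default_rev = node.get("revision")      # later <default> overrides
        elif node.tag == "project" and node.get("path") == path:
            project = node
    if project is None:
        return None
    return project.get("name"), project.get("revision") or default_rev

def sepolicy_groups(manifests, devices):
    """Group devices by resolved (repo, revision); >1 group means they
    build their SELinux policy from different sources."""
    groups = {}
    for dev in devices:
        groups.setdefault(effective_revision(dev, manifests), []).append(dev)
    return groups
```

Pinning an explicit `revision` on the sepolicy `<project>` in the base manifest (the approach the PR in this bug takes) makes the per-device `<default>` irrelevant for that repo, which this resolver reflects.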

Comment 10

3 years ago
Yeah, we should try it.
Flags: needinfo?(mwu)
Created attachment 8643217 [details] [review]
PR b2g-manifest - Use b2g sepolicy repo for all base-l-aosp devices r=mwu

This makes all devices based on base-l-aosp use the b2g sepolicy repo which includes the whitelist for the generic b2g domains.
Attachment #8642881 - Attachment is obsolete: true
Attachment #8642881 - Flags: review?(mwu)
Attachment #8643217 - Flags: review?(mwu)

Comment 12

3 years ago
Comment on attachment 8643217 [details] [review]
PR b2g-manifest - Use b2g sepolicy repo for all base-l-aosp devices r=mwu

Looks good.
Attachment #8643217 - Flags: review?(mwu) → review+
Build for aries-l was successful and the flash onto the phone as well.
Keywords: checkin-needed
Last Resolved: 3 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → FxOS-S4 (07Aug)
Whiteboard: [systemsfe]


3 years ago
Duplicate of this bug: 1190893