Closed Bug 1190725 Opened 9 years ago Closed 9 years ago

[Aries-L] SEpolicy checkpolicy failures at build time

Categories

(Firefox OS Graveyard :: GonkIntegration, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
FxOS-S4 (07Aug)

People

(Reporter: gerard-majax, Assigned: gerard-majax)

References

Details

(Keywords: regression, Whiteboard: [systemsfe])

Attachments

(2 files, 1 obsolete file)

Attached file error
This used to work. See attachment. Regression from bug 1136032.
Flags: needinfo?(julian.r.hector)
Attached file Manifest PR (obsolete) —
Assignee: nobody → lissyx+mozillians
Status: NEW → ASSIGNED
Attachment #8642881 - Flags: review?(mwu)
Comment on attachment 8642881 [details] [review]
Manifest PR

Why is this a per-device thing? Can't we stick this in base-l-aosp or base-l?
I don't know, I have followed the path of per-device that was taken in bug 1136032.
Yeah this was bound to happen and aries-l is getting some policies as well (I got a device here), any other device based on L will need policies as well.

:mwu, there is some general explanation here: https://wiki.mozilla.org/Security/Sandbox/SELinux, we have generic rules that are the same across devices, those are located in gonk-misc/sepolicy, but some domains need to be whitelisted in some neverallow statements of external/sepolicy/, but different devices use a different commit of the external/sepolicy/ repo, so the whitelisting needs to be done in a branch that is based off the one that the device uses (See Bug 1136032 Comment 67).
Flags: needinfo?(julian.r.hector)
All devices based on base-l-aosp.xml should be based on the same external/sepolicy repo though.
They are all using the same repo initially, but each device specific manifest, specifies a line like this:

> <default remote="caf" revision="refs/tags/android-5.1.1_r3" sync-j="4"/>

or for the flame:

> <default remote="caf" revision="LA.BF.1.1.2_rb1.12" sync-j="4"/>

so they all use the same repo but different tags/branches which may have different versions of the files.


Btw, I gave the PR a quick look and it seems fine, refs/tags/android-5.1.1_r3 (of shinano-l.xml and yukon-l.xml) of external/sepolicy from codeaurora seems to be the same as refs/tags/android-5.1.0_r1
Yes, but practically speaking, everything based on base-l-aosp.xml uses effectively the same default tag and that should not change. caf is a different story, but we're only talking about base-l-aosp based devices here.
OK, I took a look at the manifests, and we have at the moment 4 manifests (some symlinks to those) that use base-l-aosp.xml and all of them base it either on refs/tags/android-5.1.1_r3 or refs/tags/android-5.1.0_r1 which should be the same commit.

So it probably works to replace the external/sepolicy repo inside base-l-aosp.xml, but I haven't tested it.
:mwu, so I don't see a reason why we shouldn't do that in base-l-aosp.xml, do you?

If not, we can change the base-l-aosp.xml instead of each device manifest (nexus-5-l.xml, shinano-l.xml, emulator-l.xml, yukon-l.xml)
Flags: needinfo?(mwu)
Yeah, we should try it.
Flags: needinfo?(mwu)
This makes all devices based on base-l-aosp use the b2g sepolicy repo which includes the whitelist for the generic b2g domains.
Attachment #8642881 - Attachment is obsolete: true
Attachment #8642881 - Flags: review?(mwu)
Attachment #8643217 - Flags: review?(mwu)
Comment on attachment 8643217 [details] [review]
PR b2g-manifest - Use b2g sepolicy repo for all base-l-aosp devices r=mwu

Looks good.
Attachment #8643217 - Flags: review?(mwu) → review+
Build for aries-l was successful and the flash onto the phone as well.
Keywords: checkin-needed
https://github.com/mozilla-b2g/b2g-manifest/commit/6e5f81d66e8a5556dcf442d396f7deb20ee4251e
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → FxOS-S4 (07Aug)
Whiteboard: [systemsfe]
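
The manifest resolution discussed in this bug, as an added example that is not part of the bug or of b2g-manifest: a small resolver that reports which remote and revision each device manifest ends up using for external/sepolicy, before and after the base manifest pins the project. The manifests, file names, project names and the `b2g` / `PLACEHOLDER-REVISION` values are constructed assumptions; only the two tag names come from the thread.

```python
import xml.etree.ElementTree as ET

def flatten(manifests, name):
    """Elements of manifest `name` in order, with <include> expanded in place."""
    out = []
    for el in ET.fromstring(manifests[name]):
        out.extend(flatten(manifests, el.get("name")) if el.tag == "include" else [el])
    return out

def effective_source(manifests, name, path):
    """(remote, revision) that the project checked out at `path` resolves to."""
    nodes = flatten(manifests, name)
    default = next((n.attrib for n in nodes if n.tag == "default"), {})
    projects = {}
    for n in nodes:
        if n.tag == "project":
            projects[n.get("name")] = n
        elif n.tag == "remove-project":  # a later manifest may drop a base project
            projects.pop(n.get("name"), None)
    for p in projects.values():
        if p.get("path", p.get("name")) == path:
            # Per-project attributes win; otherwise the manifest <default> applies.
            return (p.get("remote", default.get("remote")),
                    p.get("revision", default.get("revision")))
    return None

def audit(manifests, devices, path="external/sepolicy"):
    """Group device manifests by the source they resolve for `path`."""
    groups = {}
    for dev in devices:
        groups.setdefault(effective_source(manifests, dev, path), []).append(dev)
    return groups

def device(rev):  # constructed device manifest: own <default>, shared base
    return (f'<manifest><default remote="caf" revision="{rev}" sync-j="4"/>'
            '<include name="base.xml"/></manifest>')

# Constructed inputs; only the two tag names are taken from the thread.
DEVICES = {"device-a.xml": device("refs/tags/android-5.1.1_r3"),
           "device-b.xml": device("refs/tags/android-5.1.0_r1")}
UNPINNED = dict(DEVICES, **{"base.xml": '<manifest><project '
    'name="platform/external/sepolicy" path="external/sepolicy"/></manifest>'})
PINNED = dict(DEVICES, **{"base.xml": '<manifest><project name="sepolicy-fork" '
    'path="external/sepolicy" remote="b2g" revision="PLACEHOLDER-REVISION"/></manifest>'})

if __name__ == "__main__":
    for label, m in (("unpinned base", UNPINNED), ("pinned base", PINNED)):
        print(label, audit(m, sorted(DEVICES)))
```

The audit compares ref names only; two different tags can still point at the same commit, which has to be confirmed against the checked-out repository.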