1. Build error:
violated by allow avm3d_service avm3d_service_exec:file { read getattr map execute open entrypoint };
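Diagnosis: I had not written any rule like this, so something was off. On checking, it looked like it might be related to the following line: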
init_daemon_domain(avm3d_service)
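That turned out to be the cause: the error appeared because I had removed coredomain from the type declaration. It seems that every type that needs init_daemon_domain also needs coredomain.
2. Build error: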
libsepol.report_failure: neverallow on line 6 of system/sepolicy/public/hal_vehicle.te (or line 20021 of policy.conf) violated by allow avm3d_service hal_vehicle_hwservice:hwservice_manager { find };
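Surprisingly, a neverallow was triggered. hal_vehicle is the label of Android's native vehicle service. I looked at the corresponding te file and found no restriction there. Comparing with other te files showed that the following needs to be added: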
hal_client_domain(avm3d_service, hal_vehicle)
That is, the domain has to be bound to hal_vehicle as a client.
3. Build error:
libsepol.report_failure: neverallow on line 4 of system/sepolicy/public/hal_graphics_allocator.te (or line 17784 of policy.conf) violated by allow avm3d_service hal_graphics_allocator_hwservice:hwservice_manager { find };
Judging by its name, hal_graphics_allocator_hwservice should be the HAL for layer management. Looking at the te file named in the error, I found this line:
hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
Looking further at what hal_attribute_hwservice does:
###########################################
# hal_attribute_hwservice(attribute, service)
# Ability for domain to get a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
# Used to pair hal_foo_client with hal_foo_hwservice
define(`hal_attribute_hwservice', `
  allow $1_client $2:hwservice_manager find;
  add_hwservice($1_server, $2)

  build_test_only(`
    neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
  ')
')
It turns out that this prevents other services from performing find. After a series of attempts, I found that the following solves the problem:
typeattribute avm3d_service hal_graphics_allocator_client;
4. Build error:
libsepol.report_failure: neverallow on line 4 of system/sepolicy/public/hal_configstore.te (or line 17034 of policy.conf) violated by allow avm3d_service hal_configstore_ISurfaceFlingerConfigs:hwservice_manager { find };
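Same as item 3: adding the following statement fixes it. As for why the attribute has the name at the end, look at the te file named in the error.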
typeattribute avm3d_service hal_configstore_client;
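
The lookup described in items 3 and 4, as an added example that is not part of the original post: it parses the libsepol report, finds the hal_attribute_hwservice pairing for the reported service in the te text, and derives the client attribute to add. The te excerpt is constructed (its second line is assumed by analogy with item 3), and the function names are hypothetical.

```python
import re

# Field layout of the libsepol lines quoted on this page.
LOCATION = re.compile(r"neverallow on line (\d+) of (\S+)")
ALLOW = re.compile(r"violated by allow (\w+) (\w+):(\w+) \{ ([^}]*)\}")
# hal_attribute_hwservice(attribute, service) as written in a .te file.
PAIRING = re.compile(r"hal_attribute_hwservice\(\s*(\w+)\s*,\s*(\w+)\s*\)")

# Constructed input: the first macro line is quoted on this page, the second
# is assumed by analogy for item 4.
SAMPLE_TE = """\
hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)
"""
# Build output lines copied from items 3, 4 and 1 of this page.
SAMPLE_LOG = [
    "libsepol.report_failure: neverallow on line 4 of system/sepolicy/public/hal_graphics_allocator.te (or line 17784 of policy.conf) violated by allow avm3d_service hal_graphics_allocator_hwservice:hwservice_manager { find };",
    "libsepol.report_failure: neverallow on line 4 of system/sepolicy/public/hal_configstore.te (or line 17034 of policy.conf) violated by allow avm3d_service hal_configstore_ISurfaceFlingerConfigs:hwservice_manager { find };",
    "violated by allow avm3d_service avm3d_service_exec:file { read getattr map execute open entrypoint };",
]


def parse_violation(log_line):
    """Return the fields of one neverallow report, or None if it is not one."""
    allow = ALLOW.search(log_line)
    if allow is None:
        return None
    src, tgt, cls, perms = allow.groups()
    loc = LOCATION.search(log_line)  # absent when the log line was cut short
    return {"source": src, "target": tgt, "class": cls, "perms": perms.split(),
            "te_file": loc.group(2) if loc else None,
            "te_line": int(loc.group(1)) if loc else None}


def suggest_fix(log_line, te_text):
    """Map a hwservice_manager find violation to the client attribute to add."""
    v = parse_violation(log_line)
    if v is None or v["class"] != "hwservice_manager" or "find" not in v["perms"]:
        return None
    for attr, service in PAIRING.findall(te_text):
        if service == v["target"]:
            return "typeattribute %s %s_client;" % (v["source"], attr)
    return None  # no pairing macro for this service: read the .te by hand


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(suggest_fix(entry, SAMPLE_TE))
```

In a real tree, pass the contents of the file reported in `te_file` as `te_text`; a `None` result means the violation is not a hwservice find or the file has no pairing macro for that service.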