treble/lineage_patches_unified
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial unified commit for Android 13, with TrebleDroid GSI target, syncing up to 20221111

Browse Source
This commit is contained in:
Andy CrossGate Yan
2022-11-11 12:27:50 +00:00
commit cd68e3dcbc
197 changed files with 127907 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
patches_treble_td/platform_external_selinux/0001-Increase-default-log_level-to-get-actual-selinux-err.patch Normal file
View File

@@ -0,0 +1,26 @@
From 43119ff620379b3710f1411b0e965ed0b10982fc Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Mon, 9 Apr 2018 00:19:49 +0200
Subject: [PATCH 1/8] Increase default log_level to get actual selinux error in
kmsg
---
secilc/secilc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/secilc/secilc.c b/secilc/secilc.c
index 80d3583d..a51630b2 100644
--- a/secilc/secilc.c
+++ b/secilc/secilc.c
@@ -107,7 +107,7 @@ int main(int argc, char *argv[])
int opt_index = 0;
char *fc_buf = NULL;
size_t fc_size;
- enum cil_log_level log_level = CIL_ERR;
+ enum cil_log_level log_level = CIL_WARN;
static struct option long_opts[] = {
{"help", no_argument, 0, 'h'},
{"verbose", no_argument, 0, 'v'},
--
2.25.1

45
patches_treble_td/platform_external_selinux/0002-Revert-libsepol-Make-an-unknown-permission-an-error-.patch Normal file
View File

@@ -0,0 +1,45 @@
From 1e713fc5860318d2a99f31718fea884c8d461923 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Wed, 9 Sep 2020 22:36:42 +0200
Subject: [PATCH 2/8] Revert "libsepol: Make an unknown permission an error in
CIL"
This reverts commit dc4e54126bf25dea4d51820922ccd1959be68fbc.
This is required because some targets calls undefined permissions:
- Realme X2 Pro calls sigcont
- Honor 7X calls perf_event
---
libsepol/cil/src/cil_resolve_ast.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 69a8a2ed..b63c1359 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -136,14 +136,18 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
}
}
if (rc != SEPOL_OK) {
+ struct cil_list *empty_list;
if (class_flavor == CIL_MAP_CLASS) {
cil_log(CIL_ERR, "Failed to resolve permission %s for map class\n", (char*)curr->data);
- } else {
- cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data);
+ goto exit;
}
- goto exit;
+ cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
+ /* Use an empty list to represent unknown perm */
+ cil_list_init(&empty_list, perm_strs->flavor);
+ cil_list_append(*perm_datums, CIL_LIST, empty_list);
+ } else {
+ cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
}
- cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
} else {
cil_list_append(*perm_datums, curr->flavor, curr->data);
}
--
2.25.1

115
patches_treble_td/platform_external_selinux/0003-Workaround-device-phh-treble-conflict-with-SELinux-p.patch Normal file
View File

@@ -0,0 +1,115 @@
From 383c762e65ba755da5f424cea56f7249fb4aa852 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Wed, 31 Mar 2021 23:32:37 +0200
Subject: [PATCH 3/8] Workaround device/phh/treble conflict with SELinux policy
device/phh/treble defines the following three types (hostapd,
sysfs_usb_supply, rpmb_device)
However, Qualcomm Samsung Android 11 devices export those symbols as
typealias.
Type and typealias are fundamentally not mergeable.
Luckily, Samsung doesn't do anything with those typealias, so we can
simply ignore them.
---
libsepol/cil/src/cil_binary.c | 8 ++++++--
libsepol/cil/src/cil_build_ast.c | 11 +++++++++--
libsepol/cil/src/cil_resolve_ast.c | 15 +++++++++++++--
3 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 53017e2d..7f2c2e68 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -511,13 +511,17 @@ int cil_typealias_to_policydb(policydb_t *pdb, struct cil_alias *cil_alias)
type_datum_init(sepol_alias);
rc = __cil_get_sepol_type_datum(pdb, DATUM(cil_alias->actual), &sepol_type);
- if (rc != SEPOL_OK) goto exit;
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed at %s:%s:%d\n", __FILE__, __FUNCTION__, __LINE__);
+ goto exit;
+ }
sepol_alias->flavor = TYPE_TYPE;
key = cil_strdup(cil_alias->datum.fqn);
rc = symtab_insert(pdb, SYM_TYPES, key, sepol_alias, SCOPE_DECL, 0, NULL);
if (rc != SEPOL_OK) {
+ cil_log(CIL_ERR, "Failed at %s:%s:%d:%d\n", __FILE__, __FUNCTION__, __LINE__, rc);
goto exit;
}
sepol_alias->s.value = sepol_type->s.value;
@@ -3904,7 +3908,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args)
exit:
if (rc != SEPOL_OK) {
- cil_tree_log(node, CIL_ERR, "Binary policy creation failed");
+ cil_tree_log(node, CIL_ERR, "Binary policy creation failed, for pass = %d, flavor = %d", pass, node->flavor);
}
return rc;
}
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 5f9392d1..90f0fee6 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -116,7 +116,7 @@ int cil_add_decl_to_symtab(struct cil_db *db, symtab_t *symtab, hashtab_key_t ke
rc = cil_symtab_insert(symtab, key, datum, node);
if (rc == SEPOL_EEXIST) {
- struct cil_symtab_datum *prev;
+ struct cil_symtab_datum *prev = NULL;
rc = cil_symtab_get_datum(symtab, key, &prev);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Re-declaration of %s %s, but previous declaration could not be found\n",cil_node_to_string(node), key);
@@ -129,7 +129,14 @@ int cil_add_decl_to_symtab(struct cil_db *db, symtab_t *symtab, hashtab_key_t ke
cil_node_to_string(node), key);
cil_tree_log(node, CIL_ERR, "Previous declaration of %s",
cil_node_to_string(n));
- return SEPOL_ERR;
+ if(
+ strcmp(key, "sysfs_usb_supply") == 0 ||
+ strcmp(key, "hostapd") == 0 ||
+ strcmp(key, "rpmb_device") == 0) {
+ cil_log(CIL_ERR, "Ignoring...");
+ } else {
+ return SEPOL_ERR;
+ }
}
/* multiple_decls is enabled and works for this datum type, add node */
cil_list_append(prev->nodes, CIL_NODE, node);
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index b63c1359..87db4f81 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -517,7 +517,13 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu
}
if (FLAVOR(alias_datum) != alias_flavor) {
cil_log(CIL_ERR, "%s is not an alias\n",alias_datum->name);
- rc = SEPOL_ERR;
+ if(
+ strcmp(alias_datum->name, "hostapd") == 0 ||
+ strcmp(alias_datum->name, "sysfs_usb_supply") == 0 ||
+ strcmp(alias_datum->name, "rpmb_device") == 0)
+ rc = 0;
+ else
+ rc = SEPOL_ERR;
goto exit;
}
@@ -558,7 +564,12 @@ int cil_resolve_alias_to_actual(struct cil_tree_node *current, enum cil_flavor f
int limit = 2;
if (alias->actual == NULL) {
- cil_tree_log(current, CIL_ERR, "Alias declared but not used");
+ cil_tree_log(current, CIL_ERR, "Alias %s declared but not used", a1->datum.name);
+ if(
+ strcmp(a1->datum.name, "hostapd") == 0 ||
+ strcmp(a1->datum.name, "sysfs_usb_supply") == 0 ||
+ strcmp(a1->datum.name, "rpmb_device") == 0)
+ return SEPOL_OK;
return SEPOL_ERR;
}
--
2.25.1

43
patches_treble_td/platform_external_selinux/0004-Allow-devices-virtual-block-genfscon-conflict-seen-o.patch Normal file
View File

@@ -0,0 +1,43 @@
From f1ee5e7fb0ef1bbed930d955ce34601f91850762 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Fri, 6 Sep 2019 15:07:25 +0200
Subject: [PATCH 4/8] Allow /devices/virtual/block/ genfscon conflict (seen on
Xiaomi Mi 9)
Change-Id: I06e4e9d5b82d61a8aeab595b47e2589249675895
---
libsepol/cil/src/cil_post.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 09c02af9..5c0e99c3 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -491,7 +491,23 @@ int cil_post_genfscon_context_compare(const void *a, const void *b)
{
struct cil_genfscon *a_genfscon = *(struct cil_genfscon**)a;
struct cil_genfscon *b_genfscon = *(struct cil_genfscon**)b;
- return context_compare(a_genfscon->context, b_genfscon->context);
+ int rc = context_compare(a_genfscon->context, b_genfscon->context);
+ if(rc) {
+ fprintf(stderr, "hello %s\n", a_genfscon->fs_str);
+ int bypass = 0;
+ /*
+ * This conflict has been seen on Xiaomi Mi 9:
+ * - AOSP Q says (genfscon sysfs /devices/virtual/block/ (u object_r sysfs_devices_block ((s0) (s0))))
+ * - stock rom says (genfscon sysfs /devices/virtual/block/ (u object_r sysfs_ufs_target ((s0) (s0))))
+ */
+ if(strcmp(a_genfscon->path_str, "/devices/virtual/block/") == 0)
+ bypass = 1;
+ if(bypass == 1) {
+ fprintf(stderr, "Received conflicting %s vs %s but ignore\n", a_genfscon->path_str, b_genfscon->path_str);
+ return 0;
+ }
+ }
+ return rc;
}
int cil_post_netifcon_context_compare(const void *a, const void *b)
--
2.25.1

44
patches_treble_td/platform_external_selinux/0005-if-service-is-rcs-accept-conflict.-Seen-on-Moto-E5.patch Normal file
View File

@@ -0,0 +1,44 @@
From d023a3be8b43e5539ac5aab02f0fa96c03ed9901 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Thu, 12 Sep 2019 20:37:04 +0200
Subject: [PATCH 5/8] if service is "rcs", accept conflict. Seen on Moto E5
Change-Id: I0cc2d0fad83f403f2b5d7458039b1564ce5ed9dd
---
libselinux/src/label_backends_android.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c
index e52b44d4..3b8a2bd8 100644
--- a/libselinux/src/label_backends_android.c
+++ b/libselinux/src/label_backends_android.c
@@ -62,14 +62,24 @@ static int nodups_specs(struct saved_data *data)
curr_spec->property_key)) {
if (strcmp(spec_arr[jj].lr.ctx_raw,
curr_spec->lr.ctx_raw)) {
- rc = -1;
- errno = EINVAL;
selinux_log
(SELINUX_ERROR,
"Multiple different specifications for %s (%s and %s).\n",
curr_spec->property_key,
spec_arr[jj].lr.ctx_raw,
curr_spec->lr.ctx_raw);
+ int ignore = 0;
+ /*
+ * This issue has been found on Moto E5
+ * E SELinux : Multiple different specifications for rcs (u:object_r:radio_service:s0 and u:object_r:mot_rcs_service:s0).
+ */
+ if(!strcmp(curr_spec->property_key, "rcs"))
+ ignore = 1;
+
+ if(!ignore) {
+ rc = -1;
+ errno = EINVAL;
+ }
} else {
selinux_log
(SELINUX_WARNING,
--
2.25.1

27
patches_treble_td/platform_external_selinux/0006-Allow-mismatches-of-exfat-genfscon.patch Normal file
View File

@@ -0,0 +1,27 @@
From 9cd3d8a0becbd182f5fe77af64ca7611ceba6fd1 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Sun, 24 May 2020 17:22:22 +0200
Subject: [PATCH 6/8] Allow mismatches of exfat genfscon
---
libsepol/cil/src/cil_post.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 5c0e99c3..97bf54f8 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -502,6 +502,10 @@ int cil_post_genfscon_context_compare(const void *a, const void *b)
*/
if(strcmp(a_genfscon->path_str, "/devices/virtual/block/") == 0)
bypass = 1;
+ if(strcmp(a_genfscon->fs_str, "exfat") == 0 || strcmp(a_genfscon->fs_str, "esdfs") == 0) {
+ if(strcmp(a_genfscon->path_str, "/") == 0)
+ bypass = 1;
+ }
if(bypass == 1) {
fprintf(stderr, "Received conflicting %s vs %s but ignore\n", a_genfscon->path_str, b_genfscon->path_str);
return 0;
--
2.25.1

27
patches_treble_td/platform_external_selinux/0007-Enable-multipl_decls-by-default.-This-is-needed-beca.patch Normal file
View File

@@ -0,0 +1,27 @@
From 81a82adb74c53b1671f24cb69a140a7915707f0f Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Fri, 2 Mar 2018 22:49:55 +0100
Subject: [PATCH 7/8] Enable multipl_decls by default. This is needed because
8.0 init doesn't add -m
Change-Id: I43dc661d519f7b8576d72a828d8cbd444592bf5e
---
secilc/secilc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/secilc/secilc.c b/secilc/secilc.c
index a51630b2..d9841ab0 100644
--- a/secilc/secilc.c
+++ b/secilc/secilc.c
@@ -94,7 +94,7 @@ int main(int argc, char *argv[])
int target = SEPOL_TARGET_SELINUX;
int mls = -1;
int disable_dontaudit = 0;
- int multiple_decls = 0;
+ int multiple_decls = 1;
int disable_neverallow = 0;
int preserve_tunables = 0;
int qualified_names = 0;
--
2.25.1

84
patches_treble_td/platform_external_selinux/0008-Fix-boot-on-Moto-devices-using-unknown-class.patch Normal file
View File

@@ -0,0 +1,84 @@
From 426de61556334b4b1024f615302dadb1ed6d6ac8 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson <phh@phh.me>
Date: Fri, 25 Oct 2019 13:29:20 +0200
Subject: [PATCH 8/8] Fix boot on Moto devices using unknown class
vendor sepolicy never contains new class or classorder, and are not
allowed to.
Though this is not tested, and it turns out Moto did it anyway.
This raises an issue, because class need to be ordered, and thus the cil
contains the ordering. This ordering needs to be merged.
Android 10 added new classes, so the ordering can no longer be merged,
and secilc fails on those devices, preventing boot.
Considering vendor are not supposed to declare new class (and thus
declare classorder), this fix ignores class-es/classorder in vendor
SELinux policy.
Since the vendor selinux policy has allows rules based on this context,
those allows will fail since the class doesn't exist.
Workaround this by ignoring rules with the problematic class
( keystore_moto_key )
Lucky us, this new class `keystore_moto_key` is used by Moto for
framework to framework (more accurately priv app to keymaster), since
our own framework doesn't use this class, simply ignoring it fixes the
issue.
Change-Id: I66339857634ebfdba359f12a99dfd0bff709d80b
---
libsepol/cil/src/cil_build_ast.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 90f0fee6..023fd6c7 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -462,6 +462,14 @@ int cil_gen_class(struct cil_db *db, struct cil_tree_node *parse_current, struct
struct cil_tree_node *perms = NULL;
int rc = SEPOL_ERR;
+ {
+ const char* path = cil_tree_get_cil_path(parse_current);
+ if(strstr(path, "vendor/")) {
+ cil_clear_node(ast_node);
+ return SEPOL_OK;
+ }
+ }
+
rc = __cil_verify_syntax(parse_current, syntax, syntax_len);
if (rc != SEPOL_OK) {
goto exit;
@@ -530,6 +538,14 @@ int cil_gen_classorder(struct cil_db *db, struct cil_tree_node *parse_current, s
struct cil_list_item *head = NULL;
int rc = SEPOL_ERR;
+ {
+ const char* path = cil_tree_get_cil_path(parse_current);
+ if(strstr(path, "vendor/")) {
+ cil_clear_node(ast_node);
+ return SEPOL_OK;
+ }
+ }
+
if (db == NULL || parse_current == NULL || ast_node == NULL) {
goto exit;
}
@@ -2115,6 +2131,14 @@ int cil_gen_avrule(struct cil_tree_node *parse_current, struct cil_tree_node *as
rule->src_str = parse_current->next->data;
rule->tgt_str = parse_current->next->next->data;
+ {
+ const char *classname = parse_current->next->next->next->cl_head->data;
+ if(strcmp(classname, "keystore_moto_key") == 0) {
+ cil_clear_node(ast_node);
+ return SEPOL_OK;
+ }
+ }
+
rc = cil_fill_classperms_list(parse_current->next->next->next, &rule->perms.classperms);
if (rc != SEPOL_OK) {
goto exit;
--
2.25.1