What are the correct sepolicy entries for GPIO access


What are the correct sepolicy entries for GPIO access

Dave McLaughlin
I can set the GPIO manually from the command line through the debug port by going to SU mode.

I can't get access to the GPIO from the Android JNI. I get permission denied in the debug output. Setting the GPIO in export works, as the new GPIO folder for that pin appears in /sys/class/gpio, but any attempt to access the underlying directories to set the direction or value has permission denied.

I've even tried to create the GPIO in the init.rc file and set suitable access, but this still fails to work. SELinux seems to be the culprit.

The following is the output from debug when I try to export GPIO32 and then set direction.

[  532.695168] type=1400 audit(1590299645.070:43): avc: denied { read write } for pid=4246 comm="on.torquelogger" name="export" dev="sysfs" ino=3800 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
[  532.695984] type=1400 audit(1590299645.070:43): avc: denied { read write } for pid=4246 comm="on.torquelogger" name="export" dev="sysfs" ino=3800 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
[  532.696053] type=1400 audit(1590299645.070:44): avc: denied { open } for pid=4246 comm="on.torquelogger" path="/sys/class/gpio/export" dev="sysfs" ino=3800 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1

I tried to add the following to untrusted_app.te but it fails to build. Using the

allow untrusted_app sysfs:file {read write open};

This gives a build error (neverallow base_typeattr_197 sysfs (file (write))

Any clues on how to create the policy to allow GPIO access from the user program? This will run on dedicated hardware and not user phones.

--
--
unsubscribe: [hidden email]
website: http://groups.google.com/group/android-porting

---
You received this message because you are subscribed to the Google Groups "android-porting" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-porting/1c864b39-9565-42ac-9678-ef05c6076542%40googlegroups.com.

What are the correct sepolicy entries for GPIO access

Jerry Naidoo
What changes did you make to the init.rc, and did you insert them into the "on boot" segment?
Also you may want to add "androidboot.selinux=permissive" to the kernel command line.

To view this discussion on the web visit https://groups.google.com/d/msgid/android-porting/9ee72290-89bf-4a3c-9fc0-b83f89855b46%40googlegroups.com.

Re: What are the correct sepolicy entries for GPIO access

Leo You
In reply to this post by Dave McLaughlin
The kernel message "permissive=1" shows that SELinux is running in permissive mode, so it may not be SELinux that blocks your operation.

For a sepolicy conflict, the build error message should look like this:

libsepol.report failure: neverallow on line 489 of system/sepolicy/private/app.te (or line 22022 of policy.conf) violated by allow system_app sysfs:file { write ); 
libsepol.check_assertions: 1 neverallow failures occurred 
Error while expanding policy

which tells you the exact location of the neverallow rule you broke; then you could remove the app domain from the rule if you insist, like this:
neverallow { -appdomain -bluetooth -nfc } sysfs:dir_file_class_set write;

Or just disable SELinux for testing.


On Tuesday, May 26, 2020 at 10:55:31 PM UTC+8, Dave McLaughlin wrote:

To view this discussion on the web visit https://groups.google.com/d/msgid/android-porting/ef880502-66dd-4965-a13a-36de941843da%40googlegroups.com.
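The two points raised so far, the three avc lines in the original post and the observation that every one of them carries permissive=1, are exactly what a small triage script settles before anyone edits a .te file. The following is an added example, not code from this thread or from AOSP: it parses the quoted avc lines, merges them into candidate allow rules the way audit2allow does, checks each candidate against a neverallow table, and reports whether the denials were enforced at all. The domain attribute table (which domains carry appdomain) and the single neverallow entry are constructed to model the app.te rule named in the build error; they are not a copy of the real policy.

```python
"""Triage AVC denials: merge them into candidate allow rules and check those
against neverallow constraints.  Added example, not code from the thread or
from AOSP.  The three AVC lines are the ones quoted in the thread; ATTRIBUTES
and NEVERALLOW are constructed to model the app.te rule behind the build
error, not copied from the real policy."""
import re
from collections import defaultdict

# The AVC lines quoted in the original post (constructed list, copied from it).
AVC_LINES = [
    '[  532.695168] type=1400 audit(1590299645.070:43): avc: denied { read write } for pid=4246 comm="on.torquelogger" name="export" dev="sysfs" ino=3800 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1',
    '[  532.695984] type=1400 audit(1590299645.070:43): avc: denied { read write } for pid=4246 comm="on.torquelogger" name="export" dev="sysfs" ino=3800 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1',
    '[  532.696053] type=1400 audit(1590299645.070:44): avc: denied { open } for pid=4246 comm="on.torquelogger" path="/sys/class/gpio/export" dev="sysfs" ino=3800 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(
    r"avc: +denied +\{ (?P<perms>[^}]+)\} +for .*?"
    r"scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +"
    r"tclass=(?P<tclass>\S+)(?: +permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Pull the fields that matter for policy work out of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "perms": set(d["perms"].split()),
        "sdomain": d["scontext"].split(":")[2],   # u:r:untrusted_app:s0:... -> untrusted_app
        "ttype": d["tcontext"].split(":")[2],     # u:object_r:sysfs:s0 -> sysfs
        "tclass": d["tclass"],
        "permissive": d["permissive"] == "1",
    }

def candidate_rules(lines):
    """Merge denials per (source domain, target type, class), as audit2allow does.
    Returns the merged rules and whether every denial was logged in permissive mode."""
    merged = defaultdict(set)
    all_permissive, seen = True, False
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        seen = True
        merged[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
        all_permissive = all_permissive and rec["permissive"]
    return dict(merged), (seen and all_permissive)

def format_allow(key, perms):
    sdomain, ttype, tclass = key
    return f"allow {sdomain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"

# Constructed: which concrete domains carry the `appdomain` attribute.
ATTRIBUTES = {"appdomain": {"untrusted_app", "platform_app", "system_app"}}

# Constructed model of the app.te rule behind "neverallow ... sysfs (file (write))":
# no app domain except the excluded ones may write sysfs-labelled files.
NEVERALLOW = [
    {"source": "appdomain", "exclude": {"bluetooth", "nfc"}, "target": "sysfs",
     "classes": {"file", "dir", "lnk_file"}, "perms": {"write"}},
]

def neverallow_conflicts(key, perms):
    """Return the neverallow entries that a candidate allow rule would violate."""
    sdomain, ttype, tclass = key
    hits = []
    for rule in NEVERALLOW:
        members = ATTRIBUTES.get(rule["source"], {rule["source"]}) - rule["exclude"]
        if (sdomain in members and ttype == rule["target"]
                and tclass in rule["classes"] and perms & rule["perms"]):
            hits.append(rule)
    return hits

def triage(lines):
    """The report a policy author wants before touching any .te file."""
    rules, permissive = candidate_rules(lines)
    report = {"permissive": permissive, "rules": [], "conflicts": 0}
    for key, perms in rules.items():
        report["rules"].append(format_allow(key, perms))
        report["conflicts"] += len(neverallow_conflicts(key, perms))
    return report

if __name__ == "__main__":
    r = triage(AVC_LINES)
    if r["permissive"]:
        print("all denials carry permissive=1: SELinux logged but did not block; check DAC mode bits first")
    for rule in r["rules"]:
        print("candidate:", rule)
    print("neverallow conflicts:", r["conflicts"])
```

Run against the thread's lines it yields the very rule the original poster tried, `allow untrusted_app sysfs:file { open read write };`, flags it as conflicting with the modelled neverallow, and reports that every denial was permissive, which is the signal that the EACCES has to be coming from somewhere other than SELinux.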

Re: What are the correct sepolicy entries for GPIO access

Dave McLaughlin
Thanks for the reply. I was able to get it working by changing the permissions in the on boot segment for /sys/class/gpio to 0666 instead of 0660 and now I can control the GPIO from user space.

SELinux was in permissive mode so the messages I was seeing were for debugging only. Didn't spot that at first. Oops.

I did have an issue with one of the GPIO pins but checking /sys/kernel/debug/gpio I found that the camera was taking that for the flash trigger control. Changing the XML sorted that one out. There is no camera flash anyway. 


On Wednesday, 27 May 2020 22:05:46 UTC+7, Channing You wrote:
On Tuesday, May 26, 2020 at 10:55:31 PM UTC+8, Dave McLaughlin wrote:

To view this discussion on the web visit https://groups.google.com/d/msgid/android-porting/ae429a50-8e46-4305-b22a-3f66cdaf3604%40googlegroups.com.
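The resolution above (0660 to 0666 on the gpio nodes, SELinux permissive all along) is the classic case of a discretionary refusal being blamed on the mandatory layer. The following is an added example, not code from this thread: it reproduces the owner/group/other mode-bit check that the kernel applies before SELinux is consulted, reads the enforce flag when one is present, and runs both against a constructed stand-in for /sys/class/gpio so the two verdicts can be seen side by side. The uid and gid values, the temporary tree and the node names are constructed for the demonstration.

```python
"""Separate a DAC (mode-bit) refusal from a SELinux one on a sysfs GPIO node.
Added example, not code from the thread.  The uid/gid values and the fake
/sys/class/gpio tree are constructed; the mode-bit logic follows the usual
owner/group/other check the kernel applies before SELinux gets a say."""
import os
import stat
import tempfile

ROOT_UID = 0
APP_UID = 10042          # constructed: a uid in the Android app range
APP_GIDS = {10042}       # constructed: the app's primary gid

def dac_allows(mode, file_uid, file_gid, uid, gids, want_write):
    """Pick the owner, group or other triplet by identity, then test the bit.
    Root passes regardless (CAP_DAC_OVERRIDE), which is why `su` in the shell works."""
    if uid == ROOT_UID:
        return True
    if uid == file_uid:
        bits = (mode >> 6) & 0o7
    elif file_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bool(bits & (0o2 if want_write else 0o4))

def selinux_enforcing(root="/"):
    """True/False from <root>/sys/fs/selinux/enforce, None when that file is absent."""
    path = os.path.join(root, "sys", "fs", "selinux", "enforce")
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None

def explain(path, uid, gids, want_write, root="/"):
    """Say which layer would refuse the access: DAC first, then SELinux."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not dac_allows(mode, st.st_uid, st.st_gid, uid, gids, want_write):
        return f"DAC denies: mode {mode:04o} owner {st.st_uid}:{st.st_gid}, caller uid {uid}"
    if selinux_enforcing(root):
        return "DAC ok; SELinux enforcing, an avc denial without permissive=1 would block it"
    return "DAC ok; SELinux permissive or absent, the write goes through"

def build_fake_gpio_tree(root):
    """Constructed stand-in for /sys/class/gpio after exporting pin 32 on a 0660 tree."""
    gpio = os.path.join(root, "sys", "class", "gpio")
    os.makedirs(os.path.join(gpio, "gpio32"))
    for name in ("export", "gpio32/direction", "gpio32/value"):
        p = os.path.join(gpio, name)
        open(p, "w").close()
        os.chmod(p, 0o660)
    # The thread's fix, applied to one node here: chmod 0666 from the init.rc "on boot" block.
    os.chmod(os.path.join(gpio, "export"), 0o666)
    return gpio

def demo():
    """Build the fake tree and report, for the app identity, a fixed node and an unfixed one."""
    root = tempfile.mkdtemp()
    gpio = build_fake_gpio_tree(root)
    return {
        "export": explain(os.path.join(gpio, "export"), APP_UID, APP_GIDS, True, root),
        "direction": explain(os.path.join(gpio, "gpio32", "direction"), APP_UID, APP_GIDS, True, root),
    }

if __name__ == "__main__":
    for node, verdict in demo().items():
        print(f"{node}: {verdict}")
```

The unfixed `direction` node is refused at the DAC layer for the app uid no matter what SELinux is doing, and the 0666 `export` node passes it; that is the whole thread in two lines of output. One thing worth keeping in mind about the fix itself: 0666 on the gpio tree lets every process on the device drive every exported pin, so where the init.rc is already being edited, a `chown` of the needed nodes to the app's uid/gid with the mode left at 0660 grants the same access to just that app.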