Function: selinux_android_load_priority [0], There is no sepolicy file - android

I have 2 errors in logcat.
Function: selinux_android_load_priority [0], There is no sepolicy file
04-11 10:58:13.837: E/SELinux(10101): Function: selinux_android_load_priority , loading version is VE=SEPF_SGH-I337M_4.3_0022
It's not fatal, my app seems to be fine.
Any idea what the cause is, and how do I fix it? Just can have error logs in my app!

I don't know how to get rid of those messages. But they do prevent the Android NDK ndk-gdb script from working. I found this question while searching for a way to get the debugger working after getting this error:
ERROR: Could not setup network redirection to gdbserver?
Maybe using --port=<port> to use a different TCP port might help?
This seems to be an issue with some phones - possibly Samsung phones, or at least the one that I am working with is a Samsung Galaxy Note 2. Certain commands (such as run-as) come with these selinux warning messages in stderr output.
The ndk-gdb script parses output from shell commands run on a device to determine facts like the path of the data directory for the package that it is debugging. The selinux messages interfere with that collection. To fix that problem, edit $NDK_HOME/ndk-gdb and make this change:
diff --git a/ndk-gdb b/ndk-gdb
index 537808e..c8561e5 100755
--- a/ndk-gdb
+++ b/ndk-gdb
## -620,7 +620,7 ## else
fi
# Find the <dataDir> of the package on the device
-adb_var_shell2 DATA_DIR run-as $PACKAGE_NAME /system/bin/sh -c pwd
+adb_var_shell DATA_DIR "run-as $PACKAGE_NAME /system/bin/sh -c pwd 2>/dev/null"
if [ $? != 0 -o -z "$DATA_DIR" ] ; then
echo "ERROR: Could not extract package's data directory. Are you sure that"
echo " your installed application is debuggable?"
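Review bot: the `2>/dev/null` on the `+adb_var_shell DATA_DIR "run-as $PACKAGE_NAME /system/bin/sh -c pwd 2>/dev/null"` line discards the SELinux noise, but it also discards any genuine diagnostic that `run-as` writes to stderr (for instance when the package is not debuggable), so the `if [ $? != 0 -o -z "$DATA_DIR" ]` branch below can only print its generic "Could not extract package's data directory" message. Consider dropping only the known-noise lines (for example `2>&1 | grep -v SELinux`) or saving stderr to a temporary file and printing it inside that error branch, and state in the commit message why the helper was switched from `adb_var_shell2` to `adb_var_shell` together with the redirect, since that is a second behavioural change in the same line.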


Set shell script Android SELinux policies for starting it at sys boot completed

I am having trouble creating the SELinux policies for an sh script (init.myservice.sh) with the following content:
#!/system/bin/sh
# Stop the app if it is already running, then relaunch it below
/system/bin/am force-stop 'com.myapp.apptest'
# Mixer settings for the headphone output and the microphone path
/system/bin/tinymix 'Headphone Volume' 35; /system/bin/tinymix 'Capture Input' ADC; /system/bin/tinymix 'DMIC Mux' DMIC2
/system/bin/am start -n 'com.myapp.apptest/com.myapp.apptest.MainActivity' -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
# Board peripheral service, left running in the background
/system/bin/my_board_service &
As you can see, this script does the following things:
Stops (and starts) an APK application
Sets a few mic and audio settings with tinymix
Starts a binary (my_board_service), a compiled C++ program which interacts with the custom board peripherals (GPIOs, I2C, etc.)
I've added into my "init.rc" file the following lines:
on property:sys.boot_completed=1
    start init-myservice

service init-myservice /system/bin/sh /system/bin/init.myservice.sh
    class main
    user root
    group root system
    disabled
    oneshot
I can see the script in the built system under the path "/system/bin" and the binary with the correct permissions (755), and if I launch it manually it works well. But I'm unable to launch it at system boot because (without any policies set) I get this error on the shell:
Command 'start init-myservice' action=sys.boot_completed=1
(/vendor/etc/init/hw/init.freescale.rc:334) took 5ms and failed: Could
not start service: File /system/bin/init.myservice.sh(labeled
"u:object_r:system_file:s0") has incorrect label or no domain
transition from u:r:init:s0 to another SELinux domain defined. Have
you configured your service correctly?
https://source.android.com/security/selinux/device-policy#label_new_services_and_address_denials
So I'm trying to generate service policies without any luck. I've tried the following:
The content of my .te file is the following:
# foo service
type foo, domain;
type foo_exec, exec_type, file_type;
init_daemon_domain(foo)
I've added the following line in the "file_contexts" file under this location: "android_build/device/variscite/imx8m/dart_mx8mm/sepolicy/"
/system/bin/init\.myscript\.sh u:object_r:foo_exec:s0
When I build my AOSP project I get a few errors like this one:
FAILED:
out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/treble_sepolicy_tests_28.0
/bin/bash -c "(out/host/linux-x86/bin/treble_sepolicy_tests -l
out/host/linux-x86/lib64/libsepolwrap.so -f
out/target/product/dart_mx8mm/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts
-f out/target/product/dart_mx8mm/obj/ETC/vendor_file_contexts_intermediates/vendor_file_contexts -b out/target/product/dart_mx8mm/obj/ETC/built_plat_sepolicy_intermediates/built_plat_sepolicy
-m out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/28.0_mapping.combined.cil
-o out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/built_28.0_plat_sepolicy
-p out/target/product/dart_mx8mm/obj/ETC/sepolicy_intermediates/sepolicy
-u out/target/product/dart_mx8mm/obj/ETC/built_plat_sepolicy_intermediates/base_plat_pub_policy.cil
--fake-treble ) && (touch out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/treble_sepolicy_tests_28.0
)" The following domain(s) must be associated with the "coredomain"
attribute because they are executed off of /system: foo
I recently was able to get what you are describing to work, but there were some differences in our approaches. All of my changes were in "/vendor" on the target. I'm not sure where your init.rc changes were going, but you described your script as being installed in "/system".
Otherwise most of what you are describing is familiar including having issues compiling the SELinux policy. In the end the policy that worked for me looked something like this:
# foo service
type foo, domain;
type foo_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(foo)
# followed by all the particulars of my service.
If you are set on installing your service in "system" instead of "vendor", the wording of the error message seems to be telling you to associate your domain with the "coredomain". I think that means your policy should include the following line somewhere before "init_daemon_domain":
typeattribute foo coredomain;
You should also be aware that I've seen it said that there is a SELinux policy that prohibits mixing "vendor" with "system". I'm not sure, but I think it means that if you modified an init.rc in the /vendor file system to run your script, you are limited to using "stuff" found in the /vendor file system. Your example above shows your script using /system/bin/sh, so if you modified an init.rc in the /vendor file system to start that script, I think that would be a violation.

Extra ":" at the end of output from sudo su -c ls, only when globbing is used

Using adb shell to run commands on an Android device, I get different results when running ls with or without a wildcard (globbing, i.e. *).
When running ls without a wildcard, the last path is displayed properly. When running ls with a wildcard, the path is displayed with a : at the end of it for some reason. The actual file does not have a : in its path.
My issue is specifically with the last file: /data/data/com.kauf.wrapmyFaceFunphotoeditor/files/DV-com.com.kauf.wrapmyFaceFunphotoeditor-2020-05-17-17-44-30-DEBUG.txt:
it has a : at the end which isn't supposed to be there.
Why does using a wildcard in ls add characters to the result path?
Edit, environment details: Windows 10 / Android 7, the code is running on sh. I've run adb shell to get to this command prompt, and doing it in one line (i.e. adb shell su -c ls ...) returns similar results, same for adb shell command ...; also clarified the question.
As described in Why you shouldn't parse the output of ls, ls's behavior is not always well-defined. It's generally safer to use NULs (if you don't have any control or knowledge of filenames) or newlines (if you have reason to be certain that filenames can't contain them) to directly delimit a list of values emitted by the shell. Consider, then:
# output is separated by NULs, which cannot possibly exist in filenames
printf '%s\0' /data/data/com.kauf.wrapmyfacefunphotoeditor/files/DV-*
...or...
# output is separated by newlines; beware of a file named DV-evil<newline>something-else
printf '%s\n' /data/data/com.kauf.wrapmyfacefunphotoeditor/files/DV-*
Note that if you're passing this through extra unescaping layers, it may be necessary to double up your backslashes -- if you see literal 0s or ns separating filenames in your output, that's evidence of same.
Note also that if no matching files exist, a glob will expand to itself, so you can get an output that contains only the literal string /data/data/com.kauf.wrapmyfacefunphotoeditor/files/DV-*; in bash this can be suppressed with shopt -s nullglob, but with /bin/sh (particularly the minimal busybox versions more likely to be available on Android) this may not be available. One way to work around this is with code similar to the following:
# set list of files into $1, $2, etc
set -- /data/data/com.kauf.wrapmyfacefunphotoeditor/files/DV-*
# exit immediately if the glob did not match: it is then left unexpanded, so $1 does not exist
if [ "$#" -le 1 ] && [ ! -e "$1" ]; then
    exit
fi
# otherwise, print the list in our desired format ("$@" expands to every matched name)
printf '%s\0' "$@"
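As an added example (not part of the original answer), the script below shows where a trailing ":" comes from and how the NUL-delimited listing avoids it: when ls is given several operands and one of them is a directory, it prints that directory's name followed by ":" and then its contents, so a glob that happens to match a directory produces a line that looks like a file name with a colon appended. It also packages the answer's "no match" guard as a function. The sample tree, the function names and the DV- prefix are this example's own constructions; it assumes a POSIX sh on Linux.

```shell
#!/bin/sh
# Added example: ls directory headers vs. NUL-delimited printf listing.
# Everything here (paths, names) is constructed for the demonstration.

# Build a constructed sample tree: two regular files and one directory,
# all matching DV-*. The directory name deliberately looks like a file.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    : > "$dir/DV-a-DEBUG.txt"
    : > "$dir/DV-b-DEBUG.txt"
    mkdir "$dir/DV-c-DEBUG.txt"
    : > "$dir/DV-c-DEBUG.txt/inner"
    printf '%s\n' "$dir"
}

# What `ls` does with several operands: for each directory operand it
# prints the operand followed by ':' and then that directory's entries.
ls_glob_output() {
    ls "$1"/DV-*
}

# Count the lines of `ls` output that end in ':' (directory headers).
count_colon_headers() {
    ls_glob_output "$1" | grep -c ':$'
}

# Safe listing: expand the glob into the positional parameters, detect the
# "no match" case (the glob is left unexpanded, so $1 does not exist) and
# emit NUL-delimited names. Returns 1 when nothing matched.
list_nul() {
    set -- "$1"/DV-*
    if [ "$#" -eq 1 ] && [ ! -e "$1" ]; then
        return 1
    fi
    printf '%s\0' "$@"
}

# Count the entries produced by list_nul. `wc -l` counts newlines only,
# so the NULs are turned into newlines first.
count_nul_entries() {
    list_nul "$1" | tr '\000' '\n' | wc -l | tr -d ' '
}
```

Running `count_colon_headers` on the sample tree reports one colon header (the directory), while `count_nul_entries` reports the three matched names with no decoration at all; on an empty directory `list_nul` prints nothing and returns 1 instead of echoing the literal pattern.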

FAILED sepolicy check - Android Pie building - "core_data_file_type" attribute

I've been trying to compile Resurrection Remix Pie for the Xiaomi Mi Max 3 (nitrogen) and am facing an error I am unable to resolve. After previously fixing some other sepolicy failures, I encounter this one:
FAILED: /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests
/bin/bash -c "(/home/albertoduqe/rr/out/host/linux-x86/bin/sepolicy_tests -l /home/albertoduqe/rr/out/host/linux-x86/lib64/libsepolwrap.so -f /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts -f /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/vendor_file_contexts_intermediates/vendor_file_contexts -p /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/sepolicy_intermediates/sepolicy ) && (touch /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests )"
The following types on /data/ must be associated with the "core_data_file_type" attribute: fingerprint_data_file
I then go to my device tree, open file.te (in the sepolicy/vendor folder in this case), and add the specified type to the given attribute, so that it now looks like this:
type fingerprint_data_file, file_type, data_file_type, core_data_file_type;
And build again. Now comes the funny part: it fails again with this error:
FAILED: /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/treble_sepolicy_tests_26.0_intermediates/treble_sepolicy_tests_26.0
/bin/bash -c "(/home/albertoduqe/rr/out/host/linux-x86/bin/treble_sepolicy_tests -l /home/albertoduqe/rr/out/host/linux-x86/lib64/libsepolwrap.so -f /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts -f /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/vendor_file_contexts_intermediates/vendor_file_contexts -b /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/built_plat_sepolicy_intermediates/built_plat_sepolicy -m /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/treble_sepolicy_tests_26.0_intermediates/26.0_mapping.combined.cil -o /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/treble_sepolicy_tests_26.0_intermediates/built_26.0_plat_sepolicy -p /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/sepolicy_intermediates/sepolicy --fake-treble ) && (touch /home/albertoduqe/rr/out/target/product/nitrogen/obj/ETC/treble_sepolicy_tests_26.0_intermediates/treble_sepolicy_tests_26.0 )"
The following types on /data/vendor/ /data/vendor_ce/ /data/vendor_de/ must not be associated with the "core_data_file_type" attribute: fingerprint_data_file
And it all starts over again.
I am no developer or expert, although I have been compiling custom ROMs for Android devices for a while. I had never encountered something like this.
How come the attribute fingerprint_data_file must have the core_data_file_type in /data/ but not in /data/vendor/ /data/vendor_ce/ /data/vendor_de/? What are those anyway?
Any hint will be most appreciated!

I have accidentally uninstalled jack server while building Android AOSP

I am building the Android code for Android Go on my Ubuntu 14.04 machine.
While building I got some problems with jack server and I ended up uninstalling the jack server (accidentally).
How do I install the Jack server again?
I have tried to install the jack server using the following command:
jack-admin install-server jack-launcher.jar jack-server-4.11.ALPHA.jar
However, I get an error:
Jack server installation not found
Kindly help: how do I install the Jack server again?
I have also followed guides from Google search results, but they have not helped so far.
Update 1
After trying the answer from #gaoc I get the following error each time I try to make the build:
[ 0% 19/82490] Ensuring Jack server is installed and started
FAILED: setup-jack-server
/bin/bash -c "(prebuilts/sdk/tools/jack-admin install-server prebuilts/sdk/tools/jack-launcher.jar prebuilts/sdk/tools/jack-server-4.11.ALPHA.jar 2>&1 || (exit 0) ) && (JACK_SERVER_VM_ARGUMENTS=\"-Dfile.encoding=UTF-8 -XX:+TieredCompilation\" prebuilts/sdk/tools/jack-admin start-server 2>&1 || exit 0 ) && (prebuilts/sdk/tools/jack-admin update server prebuilts/sdk/tools/jack-server-4.11.ALPHA.jar 4.11.ALPHA 2>&1 || exit 0 ) && (prebuilts/sdk/tools/jack-admin update jack prebuilts/sdk/tools/jacks/jack-4.32.CANDIDATE.jar 4.32.CANDIDATE || exit 47 )"
Jack server already installed in "/home/c_sganig/.jack-server"
Communication error with Jack server (3), try 'jack-diagnose' or see Jack server log
Communication error with Jack server 3. Try 'jack-diagnose'
Communication error with Jack server 3. Try 'jack-diagnose'
[ 0% 34/82490] build out/target/product/msm8909go/emmc_appsboot.mbn
make: Entering directory `/home/c_sganig/code/LA.UM.6.7.r1/bootable/bootloader/lk'
including app/aboot dev/fbcon dev/gcdb/display dev/keys dev/pmic/pm8x41 dev/pmic/pmi8994 dev/qpnp_haptic dev/vib lib/debug lib/heap lib/libc lib/libfdt lib/openssl lib/ptable
including lib/openssl/crypto lib/zlib_inflate
make[1]: Entering directory `/home/c_sganig/code/LA.UM.6.7.r1/bootable/bootloader/lk'
generating ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/config.h
generating ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/system-onesegment.ld
linking ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/lk
../../../prebuilts/gcc/linux-x86/arm/arm-eabi-4.8/bin/arm-eabi-ld: warning: /home/c_sganig/code/LA.UM.6.7.r1/prebuilts/gcc/linux-x86/arm/arm-eabi-4.8/bin/../lib/gcc/arm-eabi/4.8/libgcc.a(bpabi.o) uses 32-bit enums yet the output is to use variable-size enums; use of enum values across objects may fail
../../../prebuilts/gcc/linux-x86/arm/arm-eabi-4.8/bin/arm-eabi-ld: warning: /home/c_sganig/code/LA.UM.6.7.r1/prebuilts/gcc/linux-x86/arm/arm-eabi-4.8/bin/../lib/gcc/arm-eabi/4.8/libgcc.a(_divdi3.o) uses 32-bit enums yet the output is to use variable-size enums; use of enum values across objects may fail
../../../prebuilts/gcc/linux-x86/arm/arm-eabi-4.8/bin/arm-eabi-ld: warning: /home/c_sganig/code/LA.UM.6.7.r1/prebuilts/gcc/linux-x86/arm/arm-eabi-4.8/bin/../lib/gcc/arm-eabi/4.8/libgcc.a(_udivdi3.o) uses 32-bit enums yet the output is to use variable-size enums; use of enum values across objects may fail
generating image: ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/lk.bin
generating listing: ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/lk.lst
generating symbols: ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/lk.sym
generating listing: ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/lk.debug.lst
text data bss dec hex filename
367924 200272 202520 770716 bc29c ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/lk
../../../prebuilts/gcc/linux-x86/arm/arm-eabi-4.8/bin/arm-eabi-objcopy -O binary ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/lk ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/lk.bin
generating size map: ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/lk.size
generating stripped elf: ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/lk_s.elf
cp -f ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/build-msm8909/lk_s.elf ../../../out/target/product/msm8909go/obj/EMMC_BOOTLOADER_OBJ/../../emmc_appsboot.mbn
make[1]: Leaving directory `/home/c_sganig/code/LA.UM.6.7.r1/bootable/bootloader/lk'
make: Leaving directory `/home/c_sganig/code/LA.UM.6.7.r1/bootable/bootloader/lk'
ninja: build stopped: subcommand failed.
11:47:18 ninja failed with: exit status 1
#### failed to build some targets (45 seconds) ####
Show the list of removed packages:
$ awk '$3 == "remove" { print $1, $2, $4 }' /var/log/dpkg.log | tee list
If you can find the removed package in the list, then reinstall:
$ sudo apt-get install --reinstall nameofpackage
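The awk one-liner above lists every removal in dpkg.log; the added example below (not part of the original answer) goes one step further and keeps only the packages whose last install/remove event was a removal, so packages that were removed and later reinstalled are not reported again. The log lines are constructed to mimic the /var/log/dpkg.log layout ("date time action package:arch old-version new-version"); the function names are this example's own.

```shell
#!/bin/sh
# Added example: packages removed by dpkg and not installed again afterwards.
# SAMPLE_DPKG_LOG is constructed to look like /var/log/dpkg.log; it is not
# taken from any real machine.
SAMPLE_DPKG_LOG='2019-03-01 10:00:01 install foo:amd64 <none> 1.0-1
2019-03-01 10:00:02 status installed foo:amd64 1.0-1
2019-03-02 09:15:00 remove bar:amd64 2.3-4 <none>
2019-03-02 09:15:01 remove baz:amd64 0.9 <none>
2019-03-03 11:00:00 install baz:amd64 <none> 0.9
2019-03-04 12:00:00 remove foo:amd64 1.0-1 <none>'

# Read dpkg.log lines from stdin and print "package:arch" for every package
# whose most recent install/remove event is a "remove". Lines with other
# actions (status, configure, ...) are ignored. Output is sorted.
removed_not_reinstalled() {
    awk '$3 == "remove"  { last[$4] = "remove" }
         $3 == "install" { last[$4] = "install" }
         END { for (p in last) if (last[p] == "remove") print p }' | sort
}

# Run the filter over the constructed sample so the result can be checked.
sample_removed() {
    printf '%s\n' "$SAMPLE_DPKG_LOG" | removed_not_reinstalled
}

# Build (but do not run) the reinstall command for one "package:arch" entry;
# apt-get takes the bare package name, so the ":arch" suffix is stripped.
reinstall_command() {
    printf 'apt-get install --reinstall %s\n' "${1%%:*}"
}
```

On a real system the filter is fed with `removed_not_reinstalled < /var/log/dpkg.log`; in the sample, baz was reinstalled after its removal and is therefore left out, while bar and foo are reported.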
The following is the solution that helped me with the Jack server issue:
Delete the ~/.jack-server directory and the ~/.jack.settings file. They will be recreated when we run the make command, so there is nothing to worry about there.
Sync the repo again using this command (takes about 30-40 minutes):
repo sync -c --no-clone-bundle --no-tags -j4
The -c option with the sync command tells git about the branch you really need instead of all repositories. With -jn (-j4 in my case), n refers to the number of threads you want.
Now set up the build environment, lunch and make as usual.
I will also share another link to a Google Group which has some significant information regarding this issue: https://issuetracker.google.com/issues/37070263

Obtain complete package name in android kernel mode

I am working on a project that requires obtaining the complete app package name inside kernel mode. I realized the package name is also the process name inside the kernel. However, task_struct->comm (the process name) only gives me 15 characters.
Also, proc_get_cmdline() in fs/proc/base.c can return the full process name, but it is a private function. I tried to export proc_get_cmdline() publicly and invoke it from my loadable kernel module, but it always crashes when I invoke the public proc_get_cmdline().
Is there any way I can get the complete package name inside kernel? Like read from proc/pid/cmdline, read from mm_struct, etc. Appreciate any code example.
You are not supposed to call proc_pid_cmdline().
It is a non-public function in fs/proc/base.c:
static int proc_pid_cmdline(struct seq_file *m, struct pid_namespace *ns,
                            struct pid *pid, struct task_struct *task)
However, what it does is simple:
get_cmdline(task, m->buf, PAGE_SIZE);
That is not likely to return the full path though and it will not be possible to determine the full path in every case. The arg[0] value may be overwritten, the file could be deleted or moved, etc. A process may exec() in a way which obscures the original command line, and all kinds of other maladies.
A scan of the /proc/*/cmdline files on my openSUSE 12.3 system turns up all kinds of less-than-useful results:
/proc/1/cmdline
/sbin/init showopts
/proc/10/cmdline
/proc/11/cmdline
/proc/1163/cmdline
/sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf -lf /var/lib/dhcp6/dhclient6.eth0.lease -pf /var/run/dhclient6.eth0.pid -q eth0
/proc/12/cmdline
/proc/13/cmdline
/proc/14/cmdline
/proc/15/cmdline
/proc/16/cmdline
/proc/17/cmdline
/proc/1710/cmdline
/sbin/dhcpcd --netconfig -L -E -HHH -c /etc/sysconfig/network/scripts/dhcpcd-hook -t 0 -h del1-dhp-32429 eth0
/proc/172/cmdline
/proc/185/cmdline
/proc/186/cmdline
/proc/187/cmdline
/proc/19/cmdline
/proc/2/cmdline
/proc/20/cmdline
/proc/21/cmdline
/proc/22/cmdline
/proc/23/cmdline
/proc/25/cmdline
/proc/254/cmdline
/proc/255/cmdline
/proc/26/cmdline
/proc/2671/cmdline
/usr/lib/upower/upowerd
/proc/2674/cmdline
/usr/lib/polkit-1/polkitd --no-debug
/proc/27/cmdline
/proc/2727/cmdline
/usr/lib/udisks2/udisksd --no-debug
/proc/28/cmdline
/proc/285/cmdline
/usr/lib/systemd/systemd-journald
/proc/286/cmdline
/proc/288/cmdline
/proc/29/cmdline
/proc/2913/cmdline
/usr/sbin/cron -n
/proc/2924/cmdline
/usr/sbin/sshd -D
/proc/3/cmdline
/proc/3023/cmdline
/usr/lib/postfix/master
/proc/3090/cmdline
pickup -l -t fifo -u
/proc/3091/cmdline
qmgr -l -t fifo -u
/proc/31/cmdline
/proc/311/cmdline
/usr/lib/systemd/systemd-udevd
/proc/3132/cmdline
/usr/lib/vmware/bin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse
/proc/3168/cmdline
/usr/sbin/vmware-authdlauncher
/proc/32/cmdline
Works for me in openSUSE 12.3:
for I in /proc/*/cmdline; do echo "$I"; tr '\000' ' ' < "$I"; echo; done
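As an added example (not part of the original answers), the functions below read a process's full command line from /proc/<pid>/cmdline, where the arguments are separated by NUL bytes, and handle the failure mode the listing above makes visible: kernel threads have an empty cmdline, so the only name left is the 15-character task_struct->comm value exposed as /proc/<pid>/comm. The last function reproduces that 15-character truncation on a constructed package name, which is exactly what the question runs into. The helper names are this example's own, and it assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Added example: full command line from /proc/<pid>/cmdline with a fallback
# to the short kernel name in /proc/<pid>/comm. Helper names are this
# example's own; nothing here is taken from the kernel sources.

# Full command line with the NUL separators turned into spaces and the
# trailing separator removed. Empty for kernel threads. Returns 1 if the
# process does not exist or its cmdline is not readable.
proc_cmdline() {
    [ -r "/proc/$1/cmdline" ] || return 1
    tr '\000' ' ' < "/proc/$1/cmdline" | sed 's/ $//'
}

# The kernel's short name (task_struct->comm, at most 15 characters).
proc_comm() {
    [ -r "/proc/$1/comm" ] || return 1
    cat "/proc/$1/comm"
}

# Best-effort process name: argv[0] from cmdline, or "[comm]" when the
# cmdline is empty (the bracket convention ps uses for kernel threads).
proc_name() {
    name=$(proc_cmdline "$1") || return 1
    if [ -z "$name" ]; then
        name="[$(proc_comm "$1")]"
    else
        name=${name%% *}
    fi
    printf '%s\n' "$name"
}

# What a long name looks like once the kernel stores it in comm: only the
# first 15 characters survive. Pure string computation on a constructed
# name, so it needs no matching process to run.
truncate_to_comm() {
    printf '%s\n' "$1" | cut -c1-15
}
```

`proc_name $$` prints the shell's own argv[0]; the same call on a kernel thread (for example pid 2 on most systems) prints "[kthreadd]" because its cmdline is empty. `truncate_to_comm com.example.verylongpackagename` prints com.example.ver, which is why comm cannot be relied on to identify an Android package.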
