
Escaping colon character in Android selinux

I'm trying to create a custom selinux policy for my AOSP build wherein untrusted apps can write to /sys/class/leds/led:flash_torch/brightness thereby controlling the flashlight.

To do this, I edited the following files in external/sepolicy:

domain.te

allow domain sys_flashlight:file rw_file_perms;

file.te

type sys_flashlight, fs_type;

untrusted_app.te

allow untrusted_app sys_flashlight:file rw_file_perms;

Now, the final piece of the puzzle is the file genfs_contexts. Ideally, I would want to change this file to contain something like:

genfscon proc /sys/class/leds/led:flash_torch/brightness u:object_r:sys_flashlight:s0

First, bear in mind that the above statement is wrong. genfscon proc is meant to be used only with procfs. Ignoring that, since the file path contains the : character, the build process complains by stating:

external/sepolicy/genfs_contexts:11:ERROR 'syntax error' at token ':' on line 12972:
genfscon proc /sys/class/leds/led:flash_torch/brightness u:object_r:sysfs_flashlight:s0
genfscon proc /foreground u:object_r:proc_foreground:s0
checkpolicy:  error(s) encountered while parsing configuration
make: *** [out/target/product/hammerhead/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....

How can I escape the : character while writing the selinux policies?

Edit: I've already tried quoting the path and using \\ to try and escape the :, with no luck.

Looking at the parser statements for checkpolicy:

policy_parse.y:139:%token GENFSCON
policy_parse.y:750:genfs_context_def    : GENFSCON filesystem path '-' identifier security_context_def
policy_parse.y:752:         | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def
policy_parse.y:754:                        | GENFSCON filesystem path 

We see that GENFSCON's path token is what is being expanded, and it is defined as:

policy_scan.l:252:"/"({alnum}|[_\.\-/])*            { return(PATH); }

Thus : is not valid in the set.

This seems like a bug, in that the character set does not include this character.
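To make the lexer rule quoted above concrete, here is an added example (not code from the question, the answer, or the AOSP/checkpolicy sources) that re-implements the PATH token as a Python regex and lints genfs_contexts lines the way flex would tokenise them: the longest run matching the PATH rule is consumed, and whatever character follows is the one checkpolicy would report as the offending token. It also flags a path that begins with /sys/ or /proc/, since genfscon paths are relative to the root of the named filesystem. The sample input, the type name sys_leds, and the function names are assumptions made for this example.

```python
import re

# The PATH token rule from checkpolicy's policy_scan.l, as quoted in the answer:
#   "/"({alnum}|[_\.\-/])*     { return(PATH); }
# flex's {alnum} is [A-Za-z0-9]; the only other characters permitted are _ . - /
PATH_TOKEN = re.compile(r"/[A-Za-z0-9_.\-/]*")

# A genfs_contexts security context: user:role:type:sensitivity (e.g. u:object_r:sysfs:s0)
CONTEXT_RE = re.compile(r"^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_:.\-]+$")


def check_genfscon_path(path):
    """Tokenise `path` like flex would (longest match of PATH_TOKEN).

    Returns (True, None) if the whole path is one PATH token, otherwise
    (False, offending_char) where offending_char is the first character
    the lexer could not fold into the token (the ':' in the question).
    """
    m = PATH_TOKEN.match(path)
    if not m:
        return False, path[:1]
    if m.end() == len(path):
        return True, None
    return False, path[m.end()]


def lint_genfs_contexts(text):
    """Lint every genfscon line in `text`; returns a list of (lineno, message).

    An empty list means checkpolicy's lexer would accept every path and the
    contexts are well-formed. Comments (#) and blank lines are ignored.
    """
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        parts = stripped.split()
        if parts[0] != "genfscon" or len(parts) != 4:
            problems.append((lineno, "expected 'genfscon <fstype> <path> <context>'"))
            continue
        _, fstype, path, ctx = parts
        ok, bad = check_genfscon_path(path)
        if not ok:
            problems.append((lineno, f"path {path!r} contains {bad!r}, which the checkpolicy PATH token does not accept"))
        # genfscon paths are relative to the filesystem root: '/sys/...' under
        # fstype 'proc' would label /proc/sys/..., not a sysfs node.
        if path.startswith(("/sys/", "/proc/")):
            problems.append((lineno, f"path {path!r} under fstype {fstype!r} is relative to that filesystem's root, not to '/'"))
        if not CONTEXT_RE.match(ctx):
            problems.append((lineno, f"malformed security context {ctx!r}"))
    return problems


# Constructed sample, modelled on the lines quoted in the question. The
# 'sys_leds' type on the last line is a hypothetical name for this example.
SAMPLE = """\
# constructed genfs_contexts excerpt
genfscon proc /sys/class/leds/led:flash_torch/brightness u:object_r:sysfs_flashlight:s0
genfscon proc /foreground u:object_r:proc_foreground:s0
genfscon sysfs /class/leds u:object_r:sys_leds:s0
"""

if __name__ == "__main__":
    for lineno, msg in lint_genfs_contexts(SAMPLE):
        print(f"genfs_contexts:{lineno}: {msg}")
```

Running the linter over a genfs_contexts file before invoking the build turns the terse "syntax error at token ':'" into a message naming the line and the character; the second message on line 2 is the proc-versus-sysfs mismatch the question already points out.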
