Most write-ups on the web say audit2allow should be used like this:
audit2allow -i avc.log
In reality that checks the AVC records in avc.log against the sepolicy installed on the Ubuntu host, not the Android policy the denials came from,
so it reports a series of baffling errors:
libsepol.context_from_record: user u is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert u:r:net_recovery:s0 to sid
libsepol.context_from_record: user u is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert u:r:net_recovery:s0 to sid
libsepol.context_from_record: user u is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert u:r:net_recovery:s0 to sid
libsepol.context_from_record: user u is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert u:r:net_recovery:s0 to sid
We can add the -p option so that audit2allow uses the sepolicy we built ourselves:
audit2allow -i avc.log -p ./sepolicy
#============= xxx ==============
#!!!! This avc is allowed in the current policy
allow xxx self:udp_socket { create ioctl };
The sepolicy file is located at: LINUX/android/out/target/product/xxx/recovery/root/sepolicy
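As an added illustration (not part of the original post and not audit2allow's own code), the script below does the same grouping audit2allow performs on the records in avc.log, and also reports which SELinux users the contexts reference: Android's user "u" is exactly what the Ubuntu host policy does not define, which is why the errors above appear without -p. The three AVC lines are constructed sample input; the domain net_recovery is taken from the errors on this page.

```python
import re
from collections import defaultdict

# Constructed sample AVC records in Android kernel-log format (not from the original post).
SAMPLE_AVC_LOG = """\
avc: denied { create } for pid=1234 comm="net_recovery" scontext=u:r:net_recovery:s0 tcontext=u:r:net_recovery:s0 tclass=udp_socket permissive=0
avc: denied { ioctl } for pid=1234 comm="net_recovery" path="socket:[4567]" dev="sockfs" ino=4567 ioctlcmd=0x8933 scontext=u:r:net_recovery:s0 tcontext=u:r:net_recovery:s0 tclass=udp_socket permissive=0
avc: denied { read } for pid=1234 comm="net_recovery" name="hosts" dev="dm-0" ino=99 scontext=u:r:net_recovery:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(text):
    """Return ({(src_type, tgt_type, tclass): set(perms)}, set_of_selinux_users)."""
    rules = defaultdict(set)
    users = set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:range; maxsplit keeps an MLS range with ':' intact.
        s_user, _, s_type, _ = m.group("scon").split(":", 3)
        t_user, _, t_type, _ = m.group("tcon").split(":", 3)
        users.update((s_user, t_user))
        rules[(s_type, t_type, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules), users


def render_rules(rules):
    """Emit allow rules in audit2allow style, using 'self' when source and target types match."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == "__main__":
    rules, users = parse_avc(SAMPLE_AVC_LOG)
    print("\n".join(render_rules(rules)))
    # Hypothetical check: a host policy that lacks these users will reject the contexts.
    print("SELinux users referenced:", ", ".join(sorted(users)))
```

Each generated rule should still be reviewed against the policy it is meant for (that is what -p ./sepolicy lets audit2allow do) before it is added to the build.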