
Fix build with modern NDK and policy parsing on newer Android devices #19

Open: datalocaltmp wants to merge 1 commit into xmikos:master from datalocaltmp:master

@datalocaltmp

NDK build fixes:

  • Application.mk: drop deprecated ABIs (armeabi, mips, mips64) and bump APP_PLATFORM to android-21, required by NDK r23+
  • libapol/util.c: guard swab() definition with #ifndef __BIONIC__ since newer Bionic already defines it as an inline in <unistd.h>
  • libapol/render.c: add #include <unistd.h> so the Bionic inline swab() is visible at compile time (fixes linker error in render.c)

Policy parsing fixes:

  • libsepol/avtab.h: add AVTAB_XPERMS_NLMSG (0x03) for netlink message extended permissions added in newer kernels
  • libsepol/avtab.c: add AVTAB_NEVERALLOW and AVTAB_XPERMS_NEVERALLOW to spec_order[] so runtime-neverallow policy entries are accepted; extend XPERMS read branch to cover AVTAB_XPERMS_NEVERALLOW; add AVTAB_XPERMS_NLMSG to the Android-M compat heuristic exclusion list so policies containing nlmsg xperms entries are not mistakenly parsed in compat mode (which consumed one fewer byte per entry, desyncing the entire avtab stream)

NDK build fixes:
- Application.mk: drop deprecated ABIs (armeabi, mips, mips64) and bump
  APP_PLATFORM to android-21, required by NDK r23+
- libapol/util.c: guard swab() definition with #ifndef __BIONIC__ since
  newer Bionic already defines it as an inline in <unistd.h>
- libapol/render.c: add #include <unistd.h> so the Bionic inline swab()
  is visible at compile time (fixes linker error in render.c)

Policy parsing fixes:
- libsepol/avtab.h: add AVTAB_XPERMS_NLMSG (0x03) for netlink message
  extended permissions added in newer kernels
- libsepol/avtab.c: add AVTAB_NEVERALLOW and AVTAB_XPERMS_NEVERALLOW to
  spec_order[] so runtime-neverallow policy entries are accepted; extend
  XPERMS read branch to cover AVTAB_XPERMS_NEVERALLOW; add AVTAB_XPERMS_NLMSG
  to the Android-M compat heuristic exclusion list so policies containing
  nlmsg xperms entries are not mistakenly parsed in compat mode (which
  consumed one fewer byte per entry, desyncing the entire avtab stream)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
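
The compat-mode desync described in the avtab.c item, as an added example that is not code from this PR or from libsepol. It is a simplified model: the 4-byte permission field, the per-entry heuristic and the `parse_xperms`/`known_specified` names are assumptions; only the three `AVTAB_XPERMS_*` values match libsepol and the PR.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AVTAB_XPERMS_IOCTLFUNCTION 0x01
#define AVTAB_XPERMS_IOCTLDRIVER   0x02
#define AVTAB_XPERMS_NLMSG         0x03 /* value given in the PR */
#define PERMS_LEN 4 /* shortened permission bitmap (model assumption) */

struct xrec { uint8_t specified, driver; int compat; };

/* Constructed sample: an NLMSG entry followed by an IOCTLFUNCTION entry. */
static const uint8_t SAMPLE[] = {
    AVTAB_XPERMS_NLMSG,         0x00, 0xde, 0xad, 0xbe, 0xef,
    AVTAB_XPERMS_IOCTLFUNCTION, 0x54, 0x11, 0x22, 0x33, 0x44,
};

/* Heuristic: a first byte that is not a known 'specified' value is taken
 * to mean the legacy layout, which has no 'specified' byte at all. */
static int known_specified(uint8_t s, int knows_nlmsg)
{
    return s == AVTAB_XPERMS_IOCTLFUNCTION || s == AVTAB_XPERMS_IOCTLDRIVER ||
           (knows_nlmsg && s == AVTAB_XPERMS_NLMSG);
}

/* Returns the number of records parsed, or -1 if the stream ends mid-record. */
static int parse_xperms(const uint8_t *buf, size_t len, int knows_nlmsg,
                        struct xrec *out, size_t max)
{
    size_t pos = 0, n = 0;
    while (pos < len && n < max) {
        int compat = !known_specified(buf[pos], knows_nlmsg);
        size_t need = (compat ? 1 : 2) + PERMS_LEN; /* compat reads one byte fewer */
        if (len - pos < need)
            return -1; /* fail closed instead of reading past the buffer */
        out[n].compat = compat;
        out[n].specified = compat ? AVTAB_XPERMS_IOCTLFUNCTION : buf[pos];
        out[n].driver = compat ? buf[pos] : buf[pos + 1];
        pos += need;
        n++;
    }
    return (int)n;
}

int main(void)
{
    struct xrec r[4];
    printf("NLMSG known:   %d\n", parse_xperms(SAMPLE, sizeof SAMPLE, 1, r, 4));
    printf("NLMSG unknown: %d\n", parse_xperms(SAMPLE, sizeof SAMPLE, 0, r, 4));
    return 0;
}
```

Without the NLMSG value in the exclusion list, the first entry is read one byte short, so the second entry starts on a permission byte and every later field is misread until the parser runs out of input.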