Configuring SELinux permissions for a service on Android R (11)
Suppose you have a service declared in an .rc file that init starts at boot. The .rc entry looks like this:
service vendor.XXXX.secure_element@1.2-service /vendor/bin/hw/vendor.XXXX.secure_element@1.2-service
    class hal
    user system
    group system
If you have not written SELinux policy for the service, init has no domain to transition it into: it refuses to start the service (the log shows that the service has no SELinux domain defined, followed by avc: denied lines), so the service never runs.
Step 1: add a hal_secure_element_default.te file in the device sepolicy directory (the author's path is device/msepolicy). Note that stock AOSP already declares this domain in system/sepolicy/vendor; if your tree has that file, do not declare the types a second time (the build fails on a duplicate declaration), only add the missing allow rules.
# Domain of the HAL process. hal_server_domain makes it a HIDL server for the
# hal_secure_element attribute (hwbinder use, hwservicemanager registration).
# AOSP style: macro invocations take no trailing ";".
type hal_secure_element_default, domain;
hal_server_domain(hal_secure_element_default, hal_secure_element)

# Type of the executable. init_daemon_domain makes init transition the process
# into hal_secure_element_default when it execs a file labeled with this type.
type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_secure_element_default)

# The rules below were added one at a time from avc: denied lines. On a stock
# AOSP 11 policy the hwservicemanager / hwservice rules should already be
# covered by the macros above; keep only what your tree still denies.
allow hal_secure_element_default hwservicemanager_prop:file { read open getattr map };
allow hal_secure_element_default hwservicemanager:binder { call transfer };
allow hal_secure_element_default hal_secure_element_hwservice:hwservice_manager { find add };
allow hal_secure_element_default hidl_base_hwservice:hwservice_manager { add };
# write on the /dev/block directory itself is unusual for a HAL: opening a node
# underneath it only needs search. Grant write only if the log really shows it.
allow hal_secure_element_default block_device:dir { search write open read };
All of the permissions above were collected iteratively from the avc: denied lines in the log: run the service, see what is denied, add it, repeat until the denials stop.
Step 2: in file_contexts in the same sepolicy directory, label the HAL binary with the exec type, so that the transition set up by init_daemon_domain fires. The pattern must match the path on the service line exactly (the placeholders in this post differ between the two; in a real tree they are identical), otherwise the binary stays labeled vendor_file and init never enters the new domain.
# add this
/(vendor|system/vendor)/bin/hw/vendor\.XXX\.hardware\.secure_element@1\.2-service u:object_r:hal_secure_element_default_exec:s0
Step 3: in hwservice_contexts in the same directory, label the HIDL interface the service registers, so hwservicemanager lets the HAL add it and clients find it:
vendor.sprd.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
With these three steps the service starts automatically. To confirm on the device, ls -Z on the binary should show u:object_r:hal_secure_element_default_exec:s0 and ps -AZ should list the process in u:r:hal_secure_element_default:s0. If the HAL also needs to access device nodes under /dev, add rules for those nodes to the .te file from step 1 (the block_device:dir rule is the one already there). The vendor-specific node types used below are not AOSP types: declare them as dev_type in your device policy and label the nodes in file_contexts, or the rules refer to undefined types. For example:
# The subject must be the domain declared in step 1 (the original post wrote
# hal_secure_element_unisoc here, which the .te file above never declares).
allow hal_secure_element_default block_device:dir { search write open read };
# isedata_block_device and apdu_device are vendor-defined types; ion_device is AOSP's.
# A node is either a chr_file or a blk_file: keep the rule that matches its real type.
allow hal_secure_element_default isedata_block_device:chr_file { open read write ioctl };
allow hal_secure_element_default isedata_block_device:blk_file { open read write ioctl };
allow hal_secure_element_default apdu_device:chr_file { open read write ioctl map };
allow hal_secure_element_default ion_device:chr_file { open read write ioctl };
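The "add whatever the log denies" loop used in step 1 and for the device nodes above is what audit2allow automates. As an added example that is not part of the original post, here is a small Python script that does the same aggregation over avc: denied lines, restricts the output to the HAL's own domain so denials from other processes do not leak into its policy, and flags permissions (such as write on the /dev/block directory or write on a blk_file) that should be reviewed rather than copied into the .te file. The log lines are constructed for the example, and the RISKY table and all function names are this example's own assumptions; the type names are the post's.

```python
"""Added example, not from the original post: turn avc: denied log lines into
candidate allow rules the way the post's author did by hand, and flag the
permissions that deserve a second look before they are granted.

The log lines are constructed for this example; the type names in them
(hal_secure_element_default, hwservicemanager_prop, ...) are the post's."""
import re
from collections import defaultdict

# Linux audit / Android logcat format:
#   avc: denied { read open } for ... scontext=u:r:DOMAIN:s0
#   tcontext=u:object_r:TYPE:s0 tclass=CLASS permissive=0
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=u:r:(?P<sdomain>[^:\s]+)"
    r".*?tcontext=u:(?:object_r|r):(?P<ttype>[^:\s]+)"
    r".*?tclass=(?P<tclass>\S+)"
)

# (target type or "*", class, permission) triples that should not be granted
# just because a denial appeared: they widen a HAL domain far beyond its job,
# and some collide with neverallow rules in AOSP's system policy at build time.
# This table is the example's own choice, not an AOSP list.
RISKY = {
    ("block_device", "dir", "write"),   # creating entries under /dev/block
    ("*", "blk_file", "write"),         # raw writes to a block device
    ("*", "capability", "dac_override"),
    ("*", "capability", "sys_admin"),
}

def parse_denials(log_text):
    """Aggregate denials into {(source domain, target type, class): {perms}}.

    Denials for the same triple on different runs (read first, then open once
    read is allowed) collapse into one entry, which is what one allow rule needs."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m.group("sdomain"), m.group("ttype"), m.group("tclass"))
            wanted[key].update(m.group("perms").split())
    return dict(wanted)

def is_risky(ttype, tclass, perm):
    return (ttype, tclass, perm) in RISKY or ("*", tclass, perm) in RISKY

def render_rules(denials, domain=None):
    """Return (rules, warnings): one allow line per triple, in the same form as
    the post's .te file, plus a warning for every risky permission. With
    `domain` set, denials from other processes in the same log are dropped."""
    rules, warnings = [], []
    for (sdomain, ttype, tclass), perms in sorted(denials.items()):
        if domain is not None and sdomain != domain:
            continue
        perm_list = sorted(perms)
        rules.append(f"allow {sdomain} {ttype}:{tclass} {{ {' '.join(perm_list)} }};")
        for p in perm_list:
            if is_risky(ttype, tclass, p):
                warnings.append(f"{sdomain} -> {ttype}:{tclass} {p}: review before granting")
    return rules, warnings

# Constructed sample: what the log shows while the HAL is still being blocked,
# plus one unrelated denial from an app that must not end up in the HAL policy.
SAMPLE_LOG = """\
[   12.3] type=1400 audit(0.0:41): avc: denied { read } for comm="vendor.XXXX.sec" name="hwservicemanager" dev="tmpfs" ino=7 scontext=u:r:hal_secure_element_default:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0
[   12.3] type=1400 audit(0.0:42): avc: denied { open } for comm="vendor.XXXX.sec" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" scontext=u:r:hal_secure_element_default:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0
[   12.4] type=1400 audit(0.0:43): avc: denied { call } for comm="vendor.XXXX.sec" scontext=u:r:hal_secure_element_default:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0
[   12.4] type=1400 audit(0.0:44): avc: denied { add } for comm="vendor.XXXX.sec" interface=vendor.sprd.hardware.secure_element::ISecureElement scontext=u:r:hal_secure_element_default:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=0
[   12.5] type=1400 audit(0.0:45): avc: denied { search } for comm="vendor.XXXX.sec" name="block" dev="tmpfs" ino=9 scontext=u:r:hal_secure_element_default:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
[   12.5] type=1400 audit(0.0:46): avc: denied { write } for comm="vendor.XXXX.sec" name="block" dev="tmpfs" ino=9 scontext=u:r:hal_secure_element_default:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
[   12.6] type=1400 audit(0.0:47): avc: denied { read write } for comm="vendor.XXXX.sec" name="ion" dev="tmpfs" ino=11 scontext=u:r:hal_secure_element_default:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
[   13.0] type=1400 audit(0.0:48): avc: denied { read } for comm="some.app" name="tcp" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
"""

if __name__ == "__main__":
    rules, warnings = render_rules(parse_denials(SAMPLE_LOG), domain="hal_secure_element_default")
    print("\n".join(rules))
    for w in warnings:
        print("# WARNING:", w)
```

Run it against a real capture with `adb logcat -b all -d | grep avc` or `dmesg | grep avc` piped into parse_denials instead of SAMPLE_LOG. The warnings are the point: a denial proves the HAL attempted the access, not that the access is needed, so a flagged line is a prompt to check the code path (for example, why the HAL writes to /dev/block at all) before the rule goes into the .te file.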
A well-written post on the same topic: https://blog.csdn.net/FPGASOPC/article/details/83545775?ops_request_misc=&request_id=&biz_id=102&utm_term=blk_file&utm_medium=distribute.pc_search_result.none-task-blog-2allsobaiduweb~default-0-83545775.142v7control,157v4control&spm=1018.2226.3001.4187