1.添加用户组(1015)
--- a/frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
+++ b/frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
@@ -759,7 +759,7 @@ public class ZygoteInit {
String args[] = {
"--setuid=1000",
"--setgid=1000",
- "--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1018,1021,1023,"
+ "--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1015,1018,1021,1023,"
+ "1024,1032,1065,3001,3002,3003,3006,3007,3009,3010",
"--capabilities=" + capabilities + "," + capabilities,
"--nice-name=system_server",
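Review bot: The new group id on the `--setgroups=` line is a bare number with nothing saying what it is or why system_server needs it; 1015 is AID_SDCARD_RW in android_filesystem_config.h, so a comment such as `// 1015 (sdcard_rw): direct DAC access to shared storage, see the matching sepolicy change` above the array would make the intent reviewable. The continuation line `"1024,1032,1065,3001,..."` is shown as added although it looks like pre-existing text (the hunk header counts seven old lines but only six are shown), so the paste may be mangled rather than the list extended — worth confirming against the real diff. The `String args[]` initializer starts and ends outside this hunk.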
2.配置selinux
diff --git a/system/sepolicy/prebuilts/api/29.0/private/system_server.te b/system/sepolicy/prebuilts/api/29.0/private/system_server.te
index 5bec849..66233f5 100644
--- a/system/sepolicy/prebuilts/api/29.0/private/system_server.te
+++ b/system/sepolicy/prebuilts/api/29.0/private/system_server.te
@@ -522,11 +522,11 @@ allow system_server {
}:file { getattr read write append map };
# Access to /data/media for measuring disk usage.
-allow system_server media_rw_data_file:dir { search getattr open read };
+allow system_server media_rw_data_file:dir { search getattr write open read r_dir_perms write remove_name rmdir };
# Receive and use open /data/media files passed over binder IPC.
# Also used for measuring disk usage.
-allow system_server media_rw_data_file:file { getattr read write append };
+allow system_server media_rw_data_file:file { getattr read write append open setattr rename create unlink rw_file_perms };
# System server needs to setfscreate to packages_list_file when writing
# /data/system/packages.list
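Review bot: The new dir rule grants `create` on media_rw_data_file:file but not `add_name` on the directory, so creating a file there will still be denied; `write` is also listed twice and `r_dir_perms` already covers `search getattr open read`, just as `rw_file_perms` already covers `getattr read write append open` on the file line. Suggest `allow system_server media_rw_data_file:dir { r_dir_perms write add_name remove_name rmdir };` and `allow system_server media_rw_data_file:file { rw_file_perms setattr rename create unlink };`. The comment above, "Access to /data/media for measuring disk usage", no longer describes a rule that now permits deleting and renaming files, so it should state which system_server feature writes to /data/media. The same applies to the identical hunk in system/sepolicy/private/system_server.te.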
@@ -637,6 +637,9 @@ get_prop(system_server, gsid_prop)
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
+#setprop
+allow system_server default_prop:property_service { set };
+
# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
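Review bot: `allow system_server default_prop:property_service { set };` grants system_server the right to set every property that has no explicit entry in property_contexts, which is exactly the catch-all the domain.te neverallow exists to keep closed; the access cannot be reviewed or audited per property. The `#setprop` comment should name the property being set, and the rule should target a dedicated property type declared for it (with a property_contexts entry) so that only that property is writable and no exemption from the neverallow is needed. The same applies to the identical hunk in system/sepolicy/private/system_server.te.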
@@ -775,7 +778,9 @@ allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
+allow system_server sdcard_type:dir { create_dir_perms rw_file_perms };
+allow system_server sdcard_type:file { create_file_perms rw_file_perms };
+
# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;
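Review bot: The comment "Allow statfs() on storage devices, which happens fast enough that we shouldn't be killed during unsafe removal" now sits above rules that grant `create_dir_perms rw_file_perms` on sdcard_type directories and `create_file_perms rw_file_perms` on files, i.e. the open read/write access whose kill-on-unsafe-eject risk the neverallow further down in this file describes. If the feature really needs system_server to hold open files on external storage, the comment should say what is written there and that the ejection risk is accepted, rather than leaving the statfs rationale in place. The same applies to the identical hunk in system/sepolicy/private/system_server.te.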
@@ -808,7 +813,7 @@ allow system_server app_fuse_file:file { read write getattr };
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open create unlink write };
+allow system_server configfs:file { getattr open create unlink write read };
# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
@@ -915,8 +920,8 @@ get_prop(system_server, time_prop)
# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
+# neverallow system_server sdcard_type:dir { open read write };
+# neverallow system_server sdcard_type:file rw_file_perms;
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
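Review bot: The two neverallow lines are commented out rather than removed, and the explanatory comment above them ("Do not allow opening files from external storage as unsafe ejection could cause the kernel to kill the system_server") is left in place describing a rule that no longer exists. Commented-out policy is dead text; either delete the lines together with their comment or keep the neverallow and route the storage access through a separate domain, since a neverallow is a compile-time assertion and dropping it also silences the check for every future rule in this domain. The same applies to the identical hunk in system/sepolicy/private/system_server.te.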
diff --git a/system/sepolicy/prebuilts/api/29.0/public/domain.te b/system/sepolicy/prebuilts/api/29.0/public/domain.te
index 105bebb..4ecc6ba 100644
--- a/system/sepolicy/prebuilts/api/29.0/public/domain.te
+++ b/system/sepolicy/prebuilts/api/29.0/public/domain.te
@@ -522,12 +522,12 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
-neverallow { domain -init -vendor_init } default_prop:property_service set;
-neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init -system_server } default_prop:property_service set;
+neverallow { domain -init -vendor_init -system_server } mmc_prop:property_service set;
compatible_property_only(`
- neverallow { domain -init } default_prop:property_service set;
- neverallow { domain -init } mmc_prop:property_service set;
+ neverallow { domain -init -system_server } default_prop:property_service set;
+ neverallow { domain -init -system_server } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
neverallow { domain -init } exported_secure_prop:property_service set;
neverallow { domain -init } exported2_default_prop:property_service set;
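Review bot: The `-system_server` exemption is added to the mmc_prop neverallow as well as to default_prop, but nothing in this change grants system_server any access to mmc_prop, so that widening is unused and should be dropped: `neverallow { domain -init -vendor_init } mmc_prop:property_service set;` and the corresponding compatible_property_only line. The comment above, "do not allow anyone but init to modify unknown properties", is no longer accurate once system_server is exempted and should be updated or, better, the exemption avoided by labelling the property system_server needs. The same applies to the identical hunk in system/sepolicy/public/domain.te.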
diff --git a/system/sepolicy/private/system_server.te b/system/sepolicy/private/system_server.te
index 5bec849..66233f5 100644
--- a/system/sepolicy/private/system_server.te
+++ b/system/sepolicy/private/system_server.te
@@ -522,11 +522,11 @@ allow system_server {
}:file { getattr read write append map };
# Access to /data/media for measuring disk usage.
-allow system_server media_rw_data_file:dir { search getattr open read };
+allow system_server media_rw_data_file:dir { search getattr write open read r_dir_perms write remove_name rmdir };
# Receive and use open /data/media files passed over binder IPC.
# Also used for measuring disk usage.
-allow system_server media_rw_data_file:file { getattr read write append };
+allow system_server media_rw_data_file:file { getattr read write append open setattr rename create unlink rw_file_perms };
# System server needs to setfscreate to packages_list_file when writing
# /data/system/packages.list
@@ -637,6 +637,9 @@ get_prop(system_server, gsid_prop)
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
+#setprop
+allow system_server default_prop:property_service { set };
+
# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
@@ -775,7 +778,9 @@ allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
+allow system_server sdcard_type:dir { create_dir_perms rw_file_perms };
+allow system_server sdcard_type:file { create_file_perms rw_file_perms };
+
# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;
@@ -808,7 +813,7 @@ allow system_server app_fuse_file:file { read write getattr };
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open create unlink write };
+allow system_server configfs:file { getattr open create unlink write read };
# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
@@ -915,8 +920,8 @@ get_prop(system_server, time_prop)
# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
+# neverallow system_server sdcard_type:dir { open read write };
+# neverallow system_server sdcard_type:file rw_file_perms;
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
diff --git a/system/sepolicy/public/domain.te b/system/sepolicy/public/domain.te
index 105bebb..4ecc6ba 100644
--- a/system/sepolicy/public/domain.te
+++ b/system/sepolicy/public/domain.te
@@ -522,12 +522,12 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
-neverallow { domain -init -vendor_init } default_prop:property_service set;
-neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init -system_server } default_prop:property_service set;
+neverallow { domain -init -vendor_init -system_server } mmc_prop:property_service set;
compatible_property_only(`
- neverallow { domain -init } default_prop:property_service set;
- neverallow { domain -init } mmc_prop:property_service set;
+ neverallow { domain -init -system_server } default_prop:property_service set;
+ neverallow { domain -init -system_server } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
neverallow { domain -init } exported_secure_prop:property_service set;
neverallow { domain -init } exported2_default_prop:property_service set;