(1) Confirming the denied permission & examples
The general form of an avc denial line is:
avc: denied { <permission> } for pid=7201 comm="<process name>" scontext=u:r:<source type>:s0 tcontext=u:r:<target type>:s0 tclass=<access class> permissive=0
Kernel log:
avc: denied { execheap } for pid=7201 comm="com.baidu.input" scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=process permissive=0
Logcat log:
com.baidu.input: type=1400 audit(0.0:29): avc: denied { execheap } for scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=process permissive=0
```text
type=1400 audit(0.0:2060): avc: denied { read } for name="version" dev="proc" ino=4026532098 scontext=u:r:untrusted_app_29:s0:c145,c256,c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=0 app=com.tencent.mm
type=1400 audit(0.0:2061): avc: denied { getattr } for path="/proc/10286/net/dev" dev="proc" ino=4026532082 scontext=u:r:untrusted_app_29:s0:c145,c256,c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.tencent.mm
type=1400 audit(0.0:2062): avc: denied { search } for name="ppm" dev="proc" ino=4026531936 scontext=u:r:untrusted_app_29:s0:c145,c256,c512,c768 tcontext=u:object_r:proc_ppm:s0 tclass=dir permissive=0 app=com.tencent.mm
```
(2) Turning enforcement off and on from the command line
(1) Check the current mode:
```shell
adb shell getenforce
# Enforcing   -> enforcement is on
# Permissive  -> enforcement is off
```
(2) Switch the mode:
```shell
adb shell setenforce 0   # enforcement off (permissive)
adb shell setenforce 1   # enforcement on (enforcing)
```
(3) Turning enforcement off in code
(1) kernel-4.19/arch/arm64/configs/xxx_defconfig (gki_defconfig), the option that builds SELinux into the kernel:
CONFIG_SECURITY_SELINUX=y
(2) system/core/init/selinux.cpp (excerpt; the marked line is the one added):
```cpp
// Whether init should put the kernel into enforcing mode.
bool IsEnforcing() {
    if (ALLOW_PERMISSIVE_SELINUX) {
        return StatusFromCmdline() == SELINUX_ENFORCING;
    }
    return true;
}

void SelinuxInitialize() {
    bool kernel_enforcing = (security_getenforce() == 1);
    bool is_enforcing = IsEnforcing();
    is_enforcing = false;  // added line: always leave the kernel in permissive mode
    if (kernel_enforcing != is_enforcing) {
        if (security_setenforce(is_enforcing)) {
            // error handling omitted in this excerpt
        }
    }
}
```
(4) Adding the corresponding permission in sepolicy
(A) Log line
avc: denied { <permission> } for pid=7201 comm="<process name>" scontext=u:r:<source type>:s0 tcontext=u:r:<target type>:s0 tclass=<access class> permissive=0
(B) Find the corresponding "<source type>.te" file, e.g.
/system/sepolicy/private/untrusted_app_29.te
/device/mediatek/sepolicy/bsp/non_plat/untrusted_app_29.te
(C) Add a rule to that file in the following format:
allow <source type> <target type>:<access class> { <permissions> };
(D) Example
avc: denied { execheap } for pid=7201 comm="com.baidu.input" scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=process permissive=0
allow untrusted_app untrusted_app:process { execheap };
// In this example the source and target types are both untrusted_app, so the rule can also be written as:
allow untrusted_app self:process { execheap };
(5) Using audit2allow to generate the rules to add
Use the following command to obtain the list of rules to add (2.txt is the saved log):
cat 2.txt | grep avc: | audit2allow
// e.g. result
#============= mtk_hal_camera ==============
allow mtk_hal_camera default_prop:file read;
allow mtk_hal_camera sysfs:file write;
The output after running it is shown above. The line #============= mtk_hal_camera ============== names the .te file the rules belong to: here we locate mtk_hal_camera.te and add allow mtk_hal_camera default_prop:file read; to it.
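As an added example (not part of the original notes, and not audit2allow itself), the following script performs the translation described in (4) and (5) on the page's own log lines: it extracts scontext/tcontext/tclass from each avc denial, strips the MLS categories, merges several denials into one rule, substitutes self when source and target types match, and groups the rules under a #===== <source type> ===== header. The sample log is constructed from the page's lines plus one extra getattr denial so that a merge is visible.

```python
import re
from collections import defaultdict

# Constructed sample: the page's denials plus one extra getattr on proc_version
# (added here so that two denials merge into a single allow rule).
SAMPLE_LOG = """\
avc: denied { execheap } for pid=7201 comm="com.baidu.input" scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=process permissive=0
type=1400 audit(0.0:2060): avc: denied { read } for name="version" dev="proc" ino=4026532098 scontext=u:r:untrusted_app_29:s0:c145,c256,c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=0 app=com.tencent.mm
type=1400 audit(0.0:2099): avc: denied { getattr } for path="/proc/version" dev="proc" ino=4026532098 scontext=u:r:untrusted_app_29:s0:c145,c256,c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=0 app=com.tencent.mm
I/some_tag: unrelated logcat line that must be ignored
"""

# Only the fields an allow rule needs: permissions, scontext, tcontext, tclass.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Third field of a security context: u:r:untrusted_app_29:s0:c145,... -> untrusted_app_29."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Map (source type, target type, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # lines without an avc denial are skipped, like `grep avc:` on the page
            key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def allow_rules(rules):
    """Render the rules grouped by source .te file, in the format of section (4)(C)."""
    out = []
    for src in sorted({k[0] for k in rules}):
        out.append(f"#============= {src} ==============")
        for (s, t, cls), perms in sorted(rules.items()):
            if s != src:
                continue
            target = "self" if t == s else t  # same source and target type, as in (4)(D)
            perm = " ".join(sorted(perms))
            if len(perms) > 1:
                perm = "{ " + perm + " }"
            out.append(f"allow {s} {target}:{cls} {perm};")
    return "\n".join(out)

if __name__ == "__main__":
    print(allow_rules(parse_denials(SAMPLE_LOG)))
```

The generated rules are candidates only: each one still has to pass the neverallow check described in (6) before it is kept.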
(6) neverallow conflicts after adding a permission
Some rules produce a build error after being added: neverallow on line xxx of system/sepolicy/public/domain.te ...
Cause:
The newly added sepolicy rule violates the global policy principles laid down in domain.te, so this rule cannot be added; forcing it in carries the risk of failing CTS.
e.g.:
An avc denial is encountered:
avc: denied { read } for name="libnative-api.so" dev="dm-8" ino=2495 scontext=u:r:untrusted_app_29:s0:c114,c256,c512,c768 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=0 app=com.qualcomm.qti.qms.service.trustzoneaccess
(A) First add the rule to untrusted_app_29.te as described above:
allow untrusted_app_29 vendor_file:file read;
(B) The build then reports a neverallow problem in system/sepolicy/public/domain.te
(C) Remove untrusted_app_29 from that neverallow in system/sepolicy/public/domain.te