目录
4.自定义Native层系统服务如何跟随系统ROM一起编译并烧录到设备且开机自启动
SELinux权限的基础理论
https://blog.csdn.net/Innost/article/details/19299937
https://blog.csdn.net/Innost/article/details/19641487
简单理解:SELinux 是系统运行时的权限控制机制,约束进程/线程的权限,属于强制访问控制(MAC)
1.为设备节点添加SELinux权限
https://blog.csdn.net/u012719256/article/details/52586198
2.为JAVA层的系统服务添加SELinux权限
自定义了一个Java层的self_service系统服务,供应用程序层通过SelfManager管理器调用
diff --git a/sepolicy/service.te b/sepolicy/service.te
index 4866804..23a0115 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -121,3 +121,5 @@ type wifip2p_service, app_api_service, system_server_service, service_manager_ty
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
+type self_service, system_api_service, system_server_service, service_manager_type;
+
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 5b5570c..0b36f81 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -156,3 +156,5 @@ zhidao.mcu.ICarMcuManager u:object_r:mcu_service_service:s0
zhidao.mcu.CarKeyService u:object_r:mcu_service_service:s0
zhidao.mcu.ICarKeyManager u:object_r:mcu_service_service:s0
* u:object_r:default_android_service:s0
+self u:object_r:self_service:s0
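Review bot: The new `self` entry is placed after the catch-all `* u:object_r:default_android_service:s0` line, and the libselinux android service backend stops at the first exact match or at `*`, so as far as I can tell the new line is never reached and the service is labelled `default_android_service` — which would also leave the later `allow untrusted_app self_service:service_manager find` without effect. Move the entry above the wildcard: `self u:object_r:self_service:s0` then `* u:object_r:default_android_service:s0`. The same ordering problem applies to the `custom_camera` entry in the second service_contexts hunk of this page.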
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
index 35c811c..6e8bb07 100644
--- a/sepolicy/untrusted_app.te
+++ b/sepolicy/untrusted_app.te
@@ -78,6 +78,8 @@ allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;
+allow untrusted_app self_service:service_manager find;
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
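Review bot: The added `allow untrusted_app self_service:service_manager find;` contradicts the type's own classification: service.te tags `self_service` as `system_api_service`, i.e. a service meant for system apps, and the explicit per-domain grant bypasses that decision. If third-party apps are intended clients, declare the type with `app_api_service` instead — untrusted_app already finds every `app_api_service` via the existing `allow untrusted_app app_api_service:service_manager find;` line in this hunk — and drop the bespoke rule. The same point applies to the `custom_camera_service` grant in the later untrusted_app.te hunk, where the type carries no API attribute at all.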
注意如果是在普通应用程序层访问这个Java的服务则需要给 untrusted_app.te 添加权限,如果是系统应用程序本来就有系统权限就没有必要在这里添加权限了
3.为Native层的系统服务添加SELinux权限
自定义了一个Native层的custom_camera系统服务,供应用程序层调用
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
index 586599c..a3558db 100644
--- a/sepolicy/domain.te
+++ b/sepolicy/domain.te
@@ -285,6 +285,7 @@ neverallow {
-service_install
-rtk_demo
+ -custom_camera
} { file_type -system_file -exec_type -postinstall_file }:file execute;
neverallow {
domain
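Review bot: Adding `-custom_camera` to these two neverallow exclusion sets (this hunk and the one at +484) exempts the new domain from two baseline invariants: executing files that are not system_file/exec_type, and writing system_data_file. A daemon that only registers a binder service needs neither; the exclusions should be removed unless custom_camera really executes files under /data or writes system_data_file, and in that case the specific allow rule is what should be reviewed. Note for readers that `-service_install` and `-rtk_demo` are context lines (set exclusions in the neverallow source), not removed lines — the hunk header adds exactly one line and only `-custom_camera` carries a `+`; their leading diff space was lost in the paste. The enclosing `neverallow { domain ... }` statement begins before the hunk.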
@@ -483,6 +484,7 @@ neverallow {
-service_install
-rtk_demo
+ -custom_camera
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index b76c96c..0e8dd81 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -223,7 +223,7 @@
/system/bin/mcuservice u:object_r:mcu_service_exec:s0
-
+/system/bin/custom_camera u:object_r:custom_camera_service_exec:s0
#############################
# Vendor files
#
diff --git a/sepolicy/service.te b/sepolicy/service.te
index 4866804..23a0115 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -121,3 +121,5 @@ type wifip2p_service, app_api_service, system_server_service, service_manager_ty
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
+type self_service, system_api_service, system_server_service, service_manager_type;
+
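Review bot: This service.te hunk declares `self_service`, the type from section 2, while section 3's service_contexts line and the custom_camera.te listing below use `custom_camera_service`; the identical `index 4866804..23a0115` line suggests the hunk was pasted from section 2 rather than taken from the native-service change. Since custom_camera.te already contains `type custom_camera_service, service_manager_type;`, no service.te change is needed for the native service — declaring the type in both files would be rejected as a duplicate declaration. Either drop this hunk from section 3 or show the declaration in one place only.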
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 5b5570c..0b36f81 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -156,3 +156,5 @@ zhidao.mcu.ICarMcuManager u:object_r:mcu_service_service:s0
zhidao.mcu.CarKeyService u:object_r:mcu_service_service:s0
zhidao.mcu.ICarKeyManager u:object_r:mcu_service_service:s0
* u:object_r:default_android_service:s0
+custom_camera u:object_r:custom_camera_service:s0
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
index 35c811c..6e8bb07 100644
--- a/sepolicy/untrusted_app.te
+++ b/sepolicy/untrusted_app.te
@@ -78,6 +78,8 @@ allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;
+allow untrusted_app custom_camera_service:service_manager find;
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
注意如果是在普通应用程序层访问这个Native的服务则需要给 untrusted_app.te 添加权限,如果是系统应用程序本来就有系统权限就没有必要在这里添加权限了
custom_camera服务对应的te文件也即是 custom_camera.te
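# SELinux policy for the custom_camera native system service.
# The binary /system/bin/custom_camera is labelled custom_camera_service_exec
# (file_contexts), init starts it and it transitions into the custom_camera
# domain, where it registers the "custom_camera" service name
# (labelled custom_camera_service in service_contexts) with servicemanager.

# Label of the executable and the process domain.
type custom_camera_service_exec, exec_type, file_type;
#type xdja_etc_data_file, file_type, data_file_type;
type custom_camera, domain;
# Label of the service name registered with servicemanager.
type custom_camera_service, service_manager_type;

# init launches the executable and the process lands in custom_camera.
domain_auto_trans(init, custom_camera_service_exec, custom_camera)

# Network access. NOTE(review): keep only if the daemon really opens sockets.
net_domain(custom_camera)

# Binder use: call/transfer to servicemanager, and the minimal dir search /
# file read+open / process getattr that servicemanager needs to identify the
# caller. This replaces the hand-written rules that granted servicemanager
# create_dir_perms, create_file_perms (listed twice) and process * on this
# domain — far more than servicemanager requires.
binder_use(custom_camera)
# The domain hosts a binder service, so it joins binderservicedomain; app
# domains are allowed to binder_call binderservicedomain, which is what lets
# clients that can find the service actually talk to it.
binder_service(custom_camera)

# Register and look up the domain's own service name.
allow custom_camera custom_camera_service:service_manager { add find };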
4.自定义Native层系统服务如何跟随系统ROM一起编译并烧录到设备且开机自启动
这里以我司添加的MCUService为例:在device目录下的mk文件中把新建的vendor目录下的mk文件添加进来,跟随系统一起编译,然后在启动脚本init.target.rc中配置为开机启动即可
diff --git a/qcom/msm8953_64/init.target.rc b/qcom/msm8953_64/init.target.rc
index 9f19080..c6caf93 100755
--- a/qcom/msm8953_64/init.target.rc
+++ b/qcom/msm8953_64/init.target.rc
@@ -164,6 +164,8 @@ on boot
insmod /system/lib/modules/adsprpc.ko
# access permission for secure touch
chmod 0777 /system/bin/uartd
+ chmod 0777 /system/bin/mcuservice
chmod 0660 /sys/devices/soc.0/78b7000.i2c/i2c-3/3-0020/input/input0/secure_touch_enable
chmod 0440 /sys/devices/soc.0/78b7000.i2c/i2c-3/3-0020/input/input0/secure_touch
chmod 0660 /sys/devices/soc.0/78b8000.i2c/i2c-4/4-0020/input/input0/secure_touch_enable
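Review bot: `chmod 0777 /system/bin/mcuservice` makes a binary that init runs as root world-writable; /system is normally mounted read-only, which limits the practical exposure, but on any build or device state where /system is remounted writable it turns into a direct privilege-escalation path. The build already installs executables under /system/bin as 0755, so the line is unnecessary; if it is kept for some reason it should be `chmod 0755 /system/bin/mcuservice`. The existing `chmod 0777 /system/bin/uartd` context line has the same problem, though it is not part of this change.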
@@ -184,6 +186,12 @@ service uartd /system/bin/uartd
user root
group root
oneshot
+
+service mcuservice /system/bin/mcuservice
+ class core
+ user root
+ group root
service imsqmidaemon /system/bin/imsqmidaemon
class main
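Review bot: The new `service mcuservice` block runs as `user root` / `group root`, which is the maximum UID privilege for a vendor daemon whose job is to talk to an MCU; unless it genuinely needs root for device access, give it a dedicated user and only the groups it needs, e.g. `user system` with the required `group` entries, and keep root out of the init script. `class core` also starts it before the `main` class services, which is worth confirming is intended. The hunk does not show whether the SELinux transition is provided by a domain_auto_trans in mcuservice.te; if it is not, add a `seclabel` line so the daemon does not run in init's domain. The following `service imsqmidaemon` block continues past the hunk.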
diff --git a/qcom/msm8953_64/msm8953_64.mk b/qcom/msm8953_64/msm8953_64.mk
index 5d028e6..01d63e8 100755
--- a/qcom/msm8953_64/msm8953_64.mk
+++ b/qcom/msm8953_64/msm8953_64.mk
@@ -157,3 +157,8 @@ endif
#FEATURE_OPENGLES_EXTENSION_PACK support string config file
PRODUCT_COPY_FILES += \
frameworks/native/data/etc/android.hardware.opengles.aep.xml:system/etc/permissions/android.hardware.opengles.aep.xml
+
+-include vendor/zhidao/zhidao.mk
+#PRODUCT_COPY_FILES += \
+ $(call find-copy-subdir-files,*,device/qcom/common/zhidao/system,system)
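Review bot: The commented `#PRODUCT_COPY_FILES += \` line ends in a backslash, and in GNU make a backslash-newline inside a comment continues the comment, so the `$(call find-copy-subdir-files,...)` line below it is also dead even though it reads as live code; either comment it out explicitly (`#	$(call find-copy-subdir-files,*,device/qcom/common/zhidao/system,system)`) or delete both lines. Separately, `-include vendor/zhidao/zhidao.mk` silently ignores a missing file, so a misplaced vendor tree would drop the service from the ROM without any build error; a plain `include` (or the conventional `$(call inherit-product, vendor/zhidao/zhidao.mk)`) fails loudly instead.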