在开发中遇到的selinux问题处理
错误如下:
[ 11.814595] type=1400 audit(3178201.239:7): avc: denied { read } for uid=0 pid=563 comm="applypatch" name="mmcblk0p40" dev="tmpfs" ino=12934 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
[ 12.754855] type=1400 audit(3178202.179:9): avc: denied { read } for uid=0 pid=791 comm="applypatch" name="mmcblk0p40" dev="tmpfs" ino=12934 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
[ 12.755410] type=1400 audit(3178202.179:10): avc: denied { read } for uid=0 pid=791 comm="applypatch" name="mmcblk0p39" dev="tmpfs" ino=12930 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
根据错误,添加selinux权限
在对应的项目中添加出现问题进程的selinux的权限
1) device/xxx/common/sepolicy/sepolicy.mk
...
BOARD_SEPOLICY_UNION += install_recovery.te
....
2) 添加新文件install_recovey.te
allow install_recovery block_device:blk_file { open read write getattr };
3) android/external/sepolicy目录里
修改domain.te语句,添加-install_recovery主权限
neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
本地调试ok,提交代码时,secure team人review不过,因为我们修改到了external/sepolicy的配置,会导致android cts无法通过。这样我们得沟通新的block设备点来开放权限。
修改如下:
在device/xxx/common/sepolicy/file_contexts里添加对应block设备的设备
/dev/block/bootdevice/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/bootdevice/by-name/boot u:object_r:boot_block_device:s0
/dev/block/platform/soc/7824900.sdhci/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/soc/7824900.sdhci/by-name/boot u:object_r:boot_block_device:s0
对应开的权限也需要更换访问的设备
allow install_recovery recovery_block_device:blk_file { open read write getattr };
allow install_recovery boot_block_device:blk_file { open read };