以sensor为例
-
system/sepolicy/public/attributes
# Declares the attributes for the sensors HAL: hal_sensors, hal_sensors_client
# and hal_sensors_server. Rules written against these attributes apply to every
# domain later associated with them.
hal_attribute(sensors);
-
system/sepolicy/vendor/file_contexts
# Labels the sensors HAL service binary (with or without the .multihal suffix)
# under /vendor/bin/hw or /system/vendor/bin/hw as hal_sensors_default_exec.
# If the installed binary's path does not match this regex it will not get this
# label; check the label on the device with `ls -Z`.
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
-
system/sepolicy/vendor/hal_sensors_default.te
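# Declare the type hal_sensors_default and associate it with the domain attribute.
# Author's note: a domain that lives on the system partition must also carry coredomain.
type hal_sensors_default, domain;

# Make hal_sensors_default a server domain of the sensors HAL. hal_sensors is the
# attribute produced by hal_attribute(sensors) in public/attributes.
hal_server_domain(hal_sensors_default, hal_sensors)

# Declare hal_sensors_default_exec with the exec_type, vendor_file_type and
# file_type attributes.
type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;

# Transition from init into hal_sensors_default when init starts the HAL daemon
# binary (the file labelled hal_sensors_default_exec in file_contexts).
init_daemon_domain(hal_sensors_default)

# Let the HAL look up fwk_scheduler_hwservice through hwservicemanager.
allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;

# Read-only access to input device directories and character device nodes.
allow hal_sensors_default input_device:dir r_dir_perms;
allow hal_sensors_default input_device:chr_file r_file_perms;

# Allow sensor hals to access and use gralloc memory allocated by
# android.hardware.graphics.allocator
allow hal_sensors_default hal_graphics_allocator_default:fd use;
allow hal_sensors_default ion_device:chr_file r_file_perms;
allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;

# allow sensor hal to use lock for keeping system awake for wake up
# events delivery.
wakelock_use(hal_sensors_default);

# allow sensor hal to use ashmem fd from system_server.
allow hal_sensors_default system_server:fd use;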
-
system/sepolicy/public/hal_sensors.te
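# Rules shared by every sensors HAL implementation. They are written against the
# hal_sensors* attributes, so they apply to each domain that carries them.

# HwBinder IPC from client to server
binder_call(hal_sensors_client, hal_sensors_server)

# HIDL registration: clients may find, and servers may register,
# hal_sensors_hwservice with hwservicemanager.
hal_attribute_hwservice(hal_sensors, hal_sensors_hwservice)

# Allow sensor hals to access ashmem memory allocated by apps
# (isolated_app is subtracted from the set, so fds from isolated apps are not accepted).
allow hal_sensors { appdomain -isolated_app }:fd use;

# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
# fd is passed in from framework sensorservice HAL.
allow hal_sensors hal_allocator:fd use;

# allow to run with real-time scheduling policy
# NOTE(review): this grants the sys_nice capability to every domain carrying the
# hal_sensors attribute, not only to the default implementation.
allow hal_sensors self:global_capability_class_set sys_nice;

# AIDL registration: the server adds hal_sensors_service to servicemanager and
# talks to it over binder; clients are only allowed to find the service.
add_service(hal_sensors_server, hal_sensors_service)
binder_call(hal_sensors_server, servicemanager)
allow hal_sensors_client hal_sensors_service:service_manager find;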
-
system/sepolicy/private/service_contexts
# Binds the AIDL instance name android.hardware.sensors.ISensors/default to the
# SELinux type hal_sensors_service; the add/find rules in hal_sensors.te are
# expressed against that type.
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
-
system/sepolicy/public/service.te
# Type of the framework sensor service; it carries the app_api_service,
# ephemeral_app_api_service and system_server_service attributes.
# NOTE(review): this is not the HAL service type. hal_sensors_service, which
# service_contexts and hal_sensors.te refer to, needs its own type declaration
# (presumably in this same file, following the `type hal_foo_service, ...`
# pattern) - it is not shown in these notes.
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
- 查看安全上下文
- ps -AZ
- ls -Z
https://source.android.com/docs/core/architecture/aidl/aidl-hals#sepolicy
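public/attributes:
# define hal_foo, hal_foo_client, hal_foo_server
hal_attribute(foo)
public/service.te:
# define hal_foo_service
type hal_foo_service, hal_service_type, protected_service, service_manager_type;
public/hal_foo.te:
# allow binder connection from client to server
binder_call(hal_foo_client, hal_foo_server)
# allow client to find the service, allow server to register the service
hal_attribute_service(hal_foo, hal_foo_service)
# allow binder communication from server to service_manager
binder_use(hal_foo_server)
private/service_contexts:
# bind an AIDL service name to the selinux type
android.hardware.foo.IFooXxxx/default u:object_r:hal_foo_service:s0
private/<some_domain>.te:
# let this domain use the hal service
# (grant hal_client_domain only to domains that actually need to call the HAL)
binder_use(some_domain)
hal_client_domain(some_domain, hal_foo)
vendor/<some_hal_server_domain>.te:
# let this domain serve the hal service
hal_server_domain(some_hal_server_domain, hal_foo)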