eSE Integration Debugging

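This article describes problems related to the SecureElement service on Android devices, including connection state, access rules, and permission settings. By modifying a system property and the service configuration, in particular updating the HAL to version 1.2 and handling the SELinux policy, read access to the SE transit-card data was finally achieved.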

Correct SE state:
 # dumpsys secure_element
SECURE ELEMENT SERVICE TERMINAL: eSE1

mIsConnected:true

List of open channels:

SecureElement-AccessControlEnforcer:
mUseArf: false
mUseAra: false
mInitialChannelAccess:
com.android.se.security.ChannelAccess
[mPackageName=com.example.omapiaccessese, mAccess=ALLOWED, mApduAccess=ALLOWED, mUseApduFilter=false, mApduFilter=null, mCallingPid=0, mReason=, mNFCEventAllowed=ALLOWED]


SecureElement-AccessRuleCache:
Current refresh tag is: <null>
Rules:
---------------------------------------------------------------------------
 $ dumpsys secure_element
SECURE ELEMENT SERVICE TERMINAL: eSE1

mIsConnected:true

List of open channels:

SecureElement-AccessControlEnforcer:
mUseArf: false
mUseAra: false
mInitialChannelAccess:
com.android.se.security.ChannelAccess
[mPackageName=, mAccess=ALLOWED, mApduAccess=ALLOWED, mUseApduFilter=false, mApduFilter=null, mCallingPid=0, mReason=, mNFCEventAllowed=ALLOWED]


SecureElement-AccessRuleCache:
Current refresh tag is: <null>
Rules:

-------------------------------------------------------------------
Problematic state:
nanopc-t4:/ $ dumpsys secure_element
SECURE ELEMENT SERVICE TERMINAL: eSE1

mIsConnected:true

List of open channels:

SecureElement-AccessControlEnforcer:
mUseArf: false
mUseAra: false
mInitialChannelAccess:
com.android.se.security.ChannelAccess
[mPackageName=, mAccess=DENIED, mApduAccess=DENIED, mUseApduFilter=false, mApduFilter=null, mCallingPid=0, mReason=OpenLogicalChannel() failed, mNFCEventAllowed=DENIED, mPrivilegeAccess=UNDEFINED]


SecureElement-AccessRuleCache:
Current refresh tag is: <null>
Rules:

Carrier Privilege:


---------------------------------------------------------------------
Required change:
 $ su
# setprop persist.service.seek fullaccess
# getprop persist.service.seek
fullaccess

After modifying the prop:
 #  dumpsys secure_element
SECURE ELEMENT SERVICE TERMINAL: eSE1

mIsConnected:true

List of open channels:

SecureElement-AccessControlEnforcer:
mUseArf: false
mUseAra: false
mInitialChannelAccess:
com.android.se.security.ChannelAccess
[mPackageName=, mAccess=ALLOWED, mApduAccess=ALLOWED, mUseApduFilter=false, mApduFilter=null, mCallingPid=0, mReason=, mNFCEventAllowed=ALLOWED, mPrivilegeAccess=UNDEFINED]


SecureElement-AccessRuleCache:
Current refresh tag is: <null>
Rules:

Carrier Privilege:
-------------- SE transit-card data can now be read -----------------
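A check for the states shown in the dumps above, added here as an example and not part of the original post: it parses `dumpsys secure_element` output and reports, per terminal, whether initial channel access is denied (with `mReason`) or allowed while neither ARF nor ARA is in use, which is what the dumps show once `persist.service.seek` is `fullaccess`. The verdict strings and the sample text are constructed for this example.

```shell
#!/bin/sh
# Added example: classify `dumpsys secure_element` output, one verdict per terminal.
# The verdict names are labels chosen for this example, not Android terminology.
se_access_state() {
    awk '
    function field(line, key) {
        # Return the value of "key=" inside the ChannelAccess [...] line.
        if (!match(line, "[[ ]" key "=[^],]*")) return ""
        return substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
    }
    function emit() {
        if (term == "") return
        if (acc == "DENIED") v = "denied (" reason ")"
        else if (acc == "ALLOWED" && arf == "false" && ara == "false")
            v = "allowed-no-rule-source"   # neither ARF nor ARA rules are in use
        else if (acc == "ALLOWED") v = "allowed-with-rules"
        else v = "unknown"
        print term ": " v
        term = ""
    }
    { sub(/\r$/, "") }                     # adb output may carry CRLF
    /^SECURE ELEMENT SERVICE TERMINAL:/ { emit(); term = $NF; arf = ara = acc = reason = "" }
    /^[ \t]*mUseArf:/ { arf = $2 }
    /^[ \t]*mUseAra:/ { ara = $2 }
    /mAccess=/ { acc = field($0, "mAccess"); reason = field($0, "mReason") }
    END { emit() }
    '
}

# Constructed sample, shortened from the problematic dump on this page.
SAMPLE_DENIED='SECURE ELEMENT SERVICE TERMINAL: eSE1
mUseArf: false
mUseAra: false
[mPackageName=, mAccess=DENIED, mApduAccess=DENIED, mReason=OpenLogicalChannel() failed, mNFCEventAllowed=DENIED]'

printf '%s\n' "$SAMPLE_DENIED" | se_access_state
# On a device: adb shell dumpsys secure_element | se_access_state
```

Running this against release images is a quick way to confirm that no terminal reports `allowed-no-rule-source` outside of bring-up builds.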


1: SE HAL service registration
The log below shows that support for 1.2 needs to be added to the system manifest:
07-19 08:18:03.362   154   154 I hwservicemanager: getTransport: Cannot find entry android.hardware.secure_element@1.2::ISecureElement/eSE1 in either framework or device manifest.
07-19 08:18:03.363   691   691 D SecureElement-Terminal-eSE1: SE Hal V1.2 is not supported
-------------------------------------
manifest.xml
    <!--
    <hal format="hidl">
        <name>android.hardware.secure_element</name>
        <transport>hwbinder</transport>
        <impl level="generic"></impl>
        <version>1.1</version>
        <interface>
            <name>ISecureElement</name>
            <instance>eSE1</instance>
        </interface>
    </hal>
    -->
    <hal format="hidl">
        <name>android.hardware.secure_element</name>
        <transport>hwbinder</transport>
        <impl level="generic"></impl>
        <version>1.2</version>
        <interface>
            <name>ISecureElement</name>
            <instance>eSE1</instance>
        </interface>
    </hal>

----------------------------------------
2:
[   20.390267] init: Received control message 'interface_start' for 'android.hardware.secure_element@1.2::ISecureElement/eSE1' from pid: 159 (/system/bin/hwservicemanager)
[   20.391081] init: Could not ctl.interface_start for 'android.hardware.secure_element@1.2::ISecureElement/eSE1': File /vendor/bin/hw/android.hardware.secure_element@1.2-service(labeled "u:object_r:vendor_file:s0") has incorrect label or no domain transition from u:r:init:s0 to another SELinux domain defined. Have you configured your service correctly? https://source.android.com/security/selinux/device-policy#label_new_services_and_address_denials
[   21.392411] init: Received control message 'interface_start' for 'android.hardware.secure_element@1.2::ISecureElement/eSE1' from pid: 159 (/system/bin/hwservicemanager)
[   21.393156] init: Could not ctl.interface_start for 'android.hardware.secure_element@1.2::ISecureElement/eSE1': File /vendor/bin/hw/android.hardware.secure_element@1.2-service(labeled "u:object_r:vendor_file:s0") has incorrect label or no domain transition from u:r:init:s0 to another SELinux domain defined. Have you configured your service correctly? https://source.android.com/security/selinux/device-policy#label_new_services_and_address_denials
[   22.395126] init: Received control message 'interface_start' for 'android.hardware.secure_element@1.2::ISecureElement/eSE1' from pid: 159 (/system/bin/hwservicemanager)

Fix:
vendor/nxp/pn8xt/sepolicy$ grep "1" -rHn
file_contexts:10:/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.1-service      u:object_r:hal_secure_element_default_exec:s0
changed to:
file_contexts:10:/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service      u:object_r:hal_secure_element_default_exec:s0
file_contexts:11:/(vendor|system/vendor)/bin/hw/android\.hardware\.wired_se@1\.0-service       u:object_r:hal_wired_se_default_exec:s0
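The mismatch behind steps 1 and 2, as an added example that is not from the original post: the manifest declares HAL 1.2 while `file_contexts` still labels only the `@1.1-service` binary. The script reads the declared version, builds the service path seen in the init log, and checks that a `file_contexts` entry matches it. Function names and sample files are constructed, and only one device `file_contexts` file is consulted (an assumption; the full policy merges several).

```shell
#!/bin/sh
# Added example. Sample files below are constructed from the snippets on this page.
# Print the <version> declared for android.hardware.secure_element, skipping XML comments.
manifest_se_version() {
    awk '
        /<!--/ { c = 1 }
        c { if (/-->/) c = 0; next }
        /<name>android\.hardware\.secure_element<\/name>/ { hit = 1 }
        hit && /<version>/ { gsub(/.*<version>|<\/version>.*/, ""); print; exit }
        /<\/hal>/ { hit = 0 }
    ' "$1"
}
# Print the label of the last file_contexts entry whose regex matches path $2.
label_for() {
    awk -v path="$2" '
        /^[ \t]*(#|$)/ { next }
        path ~ ("^" $1 "$") { label = $NF }
        END { if (label == "") exit 1; print label }
    ' "$1"
}
# $1 = manifest.xml, $2 = file_contexts
check_se_hal_label() {
    ver=$(manifest_se_version "$1")
    [ -n "$ver" ] || { echo "no secure_element HAL in manifest"; return 2; }
    bin="/vendor/bin/hw/android.hardware.secure_element@${ver}-service"
    if label=$(label_for "$2" "$bin"); then
        echo "OK $bin $label"
    else
        echo "MISSING $bin"; return 1
    fi
}

# Constructed sample: manifest already at 1.2, file_contexts before and after the fix.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/manifest.xml" <<'EOF'
<!--
    <name>android.hardware.secure_element</name> <version>1.1</version>
-->
<hal format="hidl">
    <name>android.hardware.secure_element</name>
    <version>1.2</version>
</hal>
EOF
printf '%s\n' '/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.1-service u:object_r:hal_secure_element_default_exec:s0' > "$tmp/fc_before"
sed 's/@1\\\.1-/@1\\.2-/' "$tmp/fc_before" > "$tmp/fc_after"
check_se_hal_label "$tmp/manifest.xml" "$tmp/fc_before" || true
check_se_hal_label "$tmp/manifest.xml" "$tmp/fc_after"
```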


3: Add the following to frameworks/base/core/res/AndroidManifest.xml:
    <!-- @SystemApi Allows an internal user to use privileged SecureElement APIs.
         @hide -->
    <permission android:name="android.permission.SECURE_ELEMENT_PRIVILEGED"
                android:protectionLevel="signature|privileged" />


    <!-- @SystemApi Allows an internal user to use privileged SecureElement APIs.
         Applications holding this permission can access OMAPI reset system API
         and bypass OMAPI AccessControlEnforcer.
         <p>Not for use by third-party applications.
         @hide -->
    <permission android:name="android.permission.SECURE_ELEMENT_PRIVILEGED_OPERATION"
                android:protectionLevel="signature|privileged" />

