How to resolve SELinux neverallow violations on Android O

For work I had to port fastmmi to Android O, which involves configuring SELinux permissions. My understanding is summarised below:

1. Where the Android O SELinux configuration files live

      system/sepolicy/*                      AOSP device and app SELinux configuration

      device/qcom/sepolicy/*                 platform and board specific SELinux configuration

2. When changing SELinux permissions, take care not to violate the neverallow rules Google mandates, otherwise the build fails

For example, the kernel log reports “avc: denied { read write } for pid=867 comm="mmi" name="binder" dev="tmpfs" ino=10501 scontext=u:r:mmi:s0 tcontext=u:object_r:binder_device:s0 tclass=chr_file permissive=0”

If you simply add allow mmi binder_device:chr_file rw_file_perms; to mmi.te, the build may fail because this violates one of Google's neverallow rules:

system/sepolicy/public/domain.te

neverallow {
  domain
  -coredomain
  -appdomain
  -binder_in_vendor_violators
} binder_device:chr_file rw_file_perms;

If you edit the neverallow rule itself the build passes, but CTS may then fail, so instead we need a way around the neverallow rule.

The rule above excludes binder_in_vendor_violators, which looks binder related, so let's first see how that thing is defined:

system/sepolicy/public/attributes

attribute binder_in_vendor_violators;

expandattribute binder_in_vendor_violators false;

system/sepolicy/private/binder_in_vendor_violators.te

allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;

From this we can see that anything carrying this attribute has read/write access to binder_device. Can we use that, and if so, how?

It is actually simple; just make the following change:

device/qcom/sepolicy/common/mmi.te

typeattribute mmi binder_in_vendor_violators;

Associating the mmi domain with this attribute solves the problem.

But, and there is always a but, what if no existing attribute fits? The answer is to define your own type.
For example, on an earlier project I hit a neverallow problem while configuring GOTA, and domain.te did not allow the rule to be added.

Roughly, the situation was as follows.
The error was:

11-05 19:06:25.676 1236 1236 I update_engine: [INFO:delta_performer.cc(657)] Starting to apply update payload operations
11-05 19:06:25.679 1236 1236 I update_engine: [INFO:delta_performer.cc(385)] Opening /dev/block/bootdevice/by-name/recovery_b partition without O_DSYNC
11-05 19:06:25.670 1236 1236 W update_engine: type=1400 audit(0.0:960): avc: denied { read } for name="mmcblk0p18" dev="tmpfs" ino=10343 scontext=u:r:update_engine:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
11-05 19:06:25.683 1236 1236 E update_engine: [ERROR:utils.cc(626)] Opening block device /dev/block/bootdevice/by-name/recovery_b: Permission denied (13)
11-05 19:06:25.690 1236 1236 I update_engine: [INFO:delta_performer.cc(128)] Caching writes.
11-05 19:06:25.680 1236 1236 W update_engine: type=1400 audit(0.0:961): avc: denied { read write } for name="mmcblk0p18" dev="tmpfs" ino=10343 scontext=u:r:update_engine:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
11-05 19:06:25.694 1236 1236 E update_engine: [ERROR:delta_performer.cc(139)] Unable to open file /dev/block/bootdevice/by-name/recovery_b: Permission denied (13)
11-05 19:06:25.698 1236 1236 E update_engine: [ERROR:delta_performer.cc(390)] Unable to open target partition recovery on slot B, file /dev/block/bootdevice/by-name/recovery_b
11-05 19:06:25.701 1236 1236 E update_engine: [ERROR:download_action.cc(336)] Error ErrorCode::kInstallDeviceOpenError (7) in DeltaPerformer's Write method when processing the received payload -- Terminating processing

In principle you would add the following to update_engine.te:
allow update_engine block_device:blk_file { read write };
but domain.te says:
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

Looking at the log, the problem is that update_engine has no permission on the recovery partition:
11-05 19:06:25.670 1236 1236 W update_engine: type=1400 audit(0.0:960): avc: denied { read } for name="mmcblk0p18" dev="tmpfs" ino=10343 scontext=u:r:update_engine:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
So I took a userdebug device, rooted it, and looked at the nodes under /dev/block/by-name, which showed:
lrwxrwxrwx 1 root root 21 1970-03-06 18:56 recovery_a -> /dev/block/mmcblk0p17
lrwxrwxrwx 1 root root 21 1970-03-06 18:56 recovery_b -> /dev/block/mmcblk0p18


The following changes then resolved the problem:
prebuilts/api/30.0/private/file_contexts  private/file_contexts
+/dev/block/mmcblk0p17 u:object r:recovery_block_device:s0
+/dev/block/mmcblk0p18 u:object r:recovery_block_device:s0
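Review bot: both added file_contexts entries write the label as u:object r:recovery_block_device:s0 with a space in it; the role is object_r, so the label must read u:object_r:recovery_block_device:s0 (compare the tcontext in the denial above), otherwise the entry will not compile. Keying the entries on the raw mmcblk0p17/p18 nodes also ties them to the partition numbering seen on this one device; since the log opens the partition through /dev/block/bootdevice/by-name/recovery_b, matching the by-name path is the less fragile choice if the layout differs across boards.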


prebuilts/api/30.0/public/update_engine.te  public/update_engine.te
+allow update_engine recovery_block_device:blk_file {read write}
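Review bot: the allow rule has no terminating semicolon, and { read write } omits open even though the neverallow quoted above lists { open read write } and the logged failures are on opening recovery_b. Suggest allow update_engine recovery_block_device:blk_file rw_file_perms; (the macro the mmi rule earlier on the page uses), or at minimum { open read write }.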


prebuilts/api/30.0/public/device.te   public/device.te
+ type recovery_block_device, dev_type
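Review bot: the declaration is missing its semicolon and has a stray space after the +; it should read type recovery_block_device, dev_type; Note that this change only escapes the neverallow because recovery_block_device is a type distinct from block_device, so no other rule may alias it or give it back the block_device label, and the rule should stay scoped to the two recovery partitions rather than becoming a general escape hatch.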

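As an added illustration (my own code, not part of the original post), here is a small Python model of the two neverallow rules quoted above: it parses the avc denial lines, writes the naive allow rule a developer would type straight from the denial, and checks it against the rules with the attribute exclusions honoured, which shows why typeattribute mmi binder_in_vendor_violators and relabelling the recovery partitions to a new type both pass while the direct allow rules do not. The rw_file_perms set, the attribute table in page_domains, and the helper names are my own simplifications.

```python
import re

# Matches the avc denial lines quoted on the page (pid/comm fields optional).
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} .*?scontext=u:r:(?P<src>\w+):s0 "
    r"tcontext=u:object_r:(?P<tgt>\w+):s0 tclass=(?P<cls>\w+)")

# Simplified rw_file_perms macro (assumption: AOSP's macro carries a few more).
RW_FILE_PERMS = frozenset({"open", "read", "write", "append", "getattr", "lock", "ioctl"})
# The two neverallow rules quoted on the page: (source set, target, class, perms).
NEVERALLOWS = [
    ("{ domain -coredomain -appdomain -binder_in_vendor_violators }",
     "binder_device", "chr_file", RW_FILE_PERMS),
    ("{ domain -kernel -init -recovery }",
     "block_device", "blk_file", frozenset({"open", "read", "write"})),
]

def parse_denial(line):
    """One avc denial -> (src, tgt, cls, perms), or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return m["src"], m["tgt"], m["cls"], frozenset(m["perms"].split())

def suggest_allow(denial):
    """The naive allow rule written straight from the denial."""
    src, tgt, cls, perms = denial
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"

def in_set(name, spec, attrs):
    """Is type `name` in a set like "{ domain -coredomain }"? A token matches when
    it names the type itself or an attribute the type carries (attrs: attr -> types)."""
    has = lambda tok: name == tok or name in attrs.get(tok, set())
    tokens = spec.strip("{} ").split()
    included = any(has(t) for t in tokens if not t.startswith("-"))
    excluded = any(has(t[1:]) for t in tokens if t.startswith("-"))
    return included and not excluded

def violations(allow, attrs, neverallows=NEVERALLOWS):
    """Neverallow rules the proposed allow rule (same tuple shape) would trip."""
    src, tgt, cls, perms = allow
    return [n for n in neverallows
            if in_set(src, n[0], attrs) and in_set(tgt, n[1], attrs)
            and cls == n[2] and perms & n[3]]

def page_domains():
    """Constructed attribute table for the domains on the page, before any fix."""
    return {"domain": {"mmi", "update_engine", "kernel", "init", "recovery"},
            "coredomain": set(), "appdomain": set(), "binder_in_vendor_violators": set()}
```

Adding "mmi" to the binder_in_vendor_violators entry of the table is the model of the typeattribute line, and checking an allow rule whose target is recovery_block_device instead of block_device is the model of the relabel.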