For work I had to port fastmmi to Android O, which involved configuring SELinux permissions. Here is a summary of what I learned:
1. Where the Android O SELinux policy files live
system/sepolicy/*: AOSP SELinux policy for the platform (device and apps)
device/qcom/sepolicy/*: platform- and board-specific SELinux policy
2. When changing SELinux permissions, take care not to violate the neverallow rules defined by Google, otherwise the build fails.
For example, the kernel log reports: avc: denied { read write } for pid=867 comm="mmi" name="binder" dev="tmpfs" ino=10501 scontext=u:r:mmi:s0 tcontext=u:object_r:binder_device:s0 tclass=chr_file permissive=0
If you simply add `allow mmi binder_device:chr_file rw_file_perms;` to mmi.te, you may violate one of Google's neverallow rules and the build fails:
system/sepolicy/public/domain.te
neverallow {
domain
-coredomain
-appdomain
-binder_in_vendor_violators
} binder_device:chr_file rw_file_perms;
If you edit the neverallow rule itself, the build passes, but CTS tests may then fail, so you need a way to work around the neverallow rule instead.
The rule above mentions binder_in_vendor_violators, which looks binder-related, so let's first see how that is defined:
system/sepolicy/public/attributes
attribute binder_in_vendor_violators;
expandattribute binder_in_vendor_violators false;
system/sepolicy/private/binder_in_vendor_violators.te
allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
From this we can see that this attribute carries read/write permission on binder_device. Can we make use of it, and if so, how?
It is actually simple; just make the following change:
device/qcom/sepolicy/common/mmi.te
typeattribute mmi binder_in_vendor_violators;
Attaching the mmi domain to this attribute solves the problem.
But there is always a but: what if no existing attribute provides what you need? The answer is to add your own node.
For example, in a previous project I ran into a neverallow problem while configuring GOTA, and domain.te does not allow adding rules.
Roughly, the situation was as follows:
The error was:
11-05 19:06:25.676 1236 1236 I update_engine: [INFO:delta_performer.cc(657)] Starting to apply update payload operations
11-05 19:06:25.679 1236 1236 I update_engine: [INFO:delta_performer.cc(385)] Opening /dev/block/bootdevice/by-name/recovery_b partition without O_DSYNC
11-05 19:06:25.670 1236 1236 W update_engine: type=1400 audit(0.0:960): avc: denied { read } for name="mmcblk0p18" dev="tmpfs" ino=10343 scontext=u:r:update_engine:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
11-05 19:06:25.683 1236 1236 E update_engine: [ERROR:utils.cc(626)] Opening block device /dev/block/bootdevice/by-name/recovery_b: Permission denied (13)
11-05 19:06:25.690 1236 1236 I update_engine: [INFO:delta_performer.cc(128)] Caching writes.
11-05 19:06:25.680 1236 1236 W update_engine: type=1400 audit(0.0:961): avc: denied { read write } for name="mmcblk0p18" dev="tmpfs" ino=10343 scontext=u:r:update_engine:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
11-05 19:06:25.694 1236 1236 E update_engine: [ERROR:delta_performer.cc(139)] Unable to open file /dev/block/bootdevice/by-name/recovery_b: Permission denied (13)
11-05 19:06:25.698 1236 1236 E update_engine: [ERROR:delta_performer.cc(390)] Unable to open target partition recovery on slot B, file /dev/block/bootdevice/by-name/recovery_b
11-05 19:06:25.701 1236 1236 E update_engine: [ERROR:download_action.cc(336)] Error ErrorCode::kInstallDeviceOpenError (7) in DeltaPerformer's Write method when processing the received payload -- Terminating processing
In principle, you would need to add the following to update_engine.te:
allow update_engine block_device:blk_file { read write };
But domain.te says:
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write};
Looking at the log, update_engine has no permission on the recovery partition:
11-05 19:06:25.670 1236 1236 W update_engine: type=1400 audit(0.0:960): avc: denied { read } for name="mmcblk0p18" dev="tmpfs" ino=10343 scontext=u:r:update_engine:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
So I took a userdebug device, rooted it, and looked at the nodes under /dev/block/by-name, and found:
lrwxrwxrwx 1 root root 21 1970-03-06 18:56 recovery_a -> /dev/block/mmcblk0p17
lrwxrwxrwx 1 root root 21 1970-03-06 18:56 recovery_b -> /dev/block/mmcblk0p18
The following change then resolved the problem:
prebuilts/api/30.0/private/file_contexts private/file_contexts
+/dev/block/mmcblk0p17 u:object r:recovery_block_device:s0
+/dev/block/mmcblk0p18 u:object r:recovery_block_device:s0
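Review bot: both added contexts are written `u:object r:recovery_block_device:s0`; the role is `object_r`, so the entries need the underscore (`/dev/block/mmcblk0p18 u:object_r:recovery_block_device:s0`), otherwise this is not a valid security context and the file_contexts check (checkfc) fails. Matching the raw `/dev/block/mmcblk0p17` path also pins the label to one partition table; ueventd passes the by-name symlinks it creates as alternative paths when it looks up file_contexts (selabel_lookup_best_match), so device sepolicy normally matches the by-name path of the partition instead.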
prebuilts/api/30.0/public/update_engine.te public/update_engine.te
+allow update_engine recovery_block_device:blk_file {read write}
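Review bot: the allow rule lacks its terminating semicolon (`allow update_engine recovery_block_device:blk_file { read write };`), and so does the `type recovery_block_device, dev_type` declaration in the device.te hunk below; checkpolicy rejects both as written. The approach works only because the relabelled node is no longer of type `block_device`, so `neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };` stops applying; confirm that no other neverallow in domain.te covers update_engine against dev_type:blk_file before relying on it. Editing system/sepolicy/public together with the frozen prebuilts/api/30.0 copy is what keeps the freeze check happy, but a device-specific partition label would normally live in the device's own sepolicy directories (BOARD_SEPOLICY_DIRS) rather than in platform public policy, and if the type already exists in AOSP's public/device.te the declaration is a duplicate.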
prebuilts/api/30.0/public/device.te public/device.te
+ type recovery_block_device, dev_type
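As an added example that is not part of the original post or of AOSP, this Python script models the check the sepolicy compiler makes in both cases above: the allow rule derived from an avc denial, the neverallow from domain.te, and the two ways out used on this page (attribute membership via typeattribute, and relabelling the target so it is no longer block_device). The parser understands only the neverallow syntax shown here, and the rw_file_perms set is a constructed subset of the AOSP macro.

```python
# Added example (not from the original post or AOSP): a small model of the check
# the sepolicy compiler performs when an allow rule meets a neverallow. It only
# understands the syntax on this page, 'neverallow { domain -x -y } type:class perms;',
# and the rw_file_perms expansion is a constructed subset of AOSP global_macros.
import re

MACROS = {"rw_file_perms": {"open", "read", "write", "getattr", "lock", "ioctl", "append", "map"}}
AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+) \} .*scontext=u:r:(?P<src>\w+):s0 "
                    r"tcontext=u:object_r:(?P<tgt>\w+):s0 tclass=(?P<cls>\w+)")
NA_RE = re.compile(r"neverallow\s*\{\s*domain((?:\s+-\w+)*)\s*\}\s*(\w+):(\w+)\s*(\{[^}]*\}|\w+)\s*;")

def allow_from_denial(line):
    """The allow rule audit2allow would propose for one 'avc: denied' log line,
    as (source domain, target type, class, permissions)."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an avc denial: " + line)
    return m["src"], m["tgt"], m["cls"], frozenset(m["perms"].split())

def parse_neverallow(text):
    """Parse a neverallow whose source set is 'domain' minus exclusions, into
    (excluded names, target type, class, permissions). Multi-line input is fine."""
    m = NA_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported neverallow syntax: " + text)
    excluded = frozenset(x.lstrip("-") for x in m.group(1).split())
    perms = m.group(4)
    perms = set(perms.strip("{} ").split()) if perms.startswith("{") else MACROS[perms]
    return excluded, m.group(2), m.group(3), frozenset(perms)

def violates(allow, neverallow, attributes):
    """True if compiling `allow` next to `neverallow` would fail. `attributes` maps a
    domain to the attributes it carries via typeattribute; a source escapes the rule
    when its own name or one of its attributes is listed after a '-'."""
    src, tgt, cls, perms = allow
    excluded, na_tgt, na_cls, na_perms = neverallow
    if ({src} | attributes.get(src, set())) & excluded:
        return False
    return tgt == na_tgt and cls == na_cls and bool(perms & na_perms)

if __name__ == "__main__":
    # The binder denial from this page: a direct allow violates the rule, but
    # 'typeattribute mmi binder_in_vendor_violators;' moves mmi into the excluded set.
    denial = ('avc: denied { read write } for pid=867 comm="mmi" scontext=u:r:mmi:s0 '
              'tcontext=u:object_r:binder_device:s0 tclass=chr_file permissive=0')
    rule = parse_neverallow("neverallow { domain -coredomain -appdomain "
                            "-binder_in_vendor_violators } binder_device:chr_file rw_file_perms;")
    print(violates(allow_from_denial(denial), rule, {}))                                   # True
    print(violates(allow_from_denial(denial), rule, {"mmi": {"binder_in_vendor_violators"}}))  # False
```

For the update_engine case, feeding the relabelled target (update_engine, recovery_block_device, blk_file, {read write}) to violates() against the block_device neverallow returns False, which is exactly why the relabelling fix compiles.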