Platform:
RK3288 + android 5.11
Change the SELinux mode to enforcing (the default is permissive)
Main changes to parameter:
FIRMWARE_VER:5.1.1
MACHINE_MODEL:rk3288
...
#private 6GB, System 512MB, Data 3GB, origin 512MB
CMDLINE:console=ttyFIQ0 androidboot.selinux=enforcing androidboot.hardware=rk30board androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(uboot),0x00002000@0x00004000(misc),0x00008000@0x00006000(resource),0x00008000@0x0000e000(kernel),0x00010000@0x00016000(boot),0x00010000@0x00026000(recovery),0x0001a000@0x00036000(backup),0x00040000@0x00050000(cache),0x00002000@0x00090000(kpanic),0x00400000@0x00092000(system),0x00008000@0x00492000(metadata),0x00C00000@0x0049A000(private),0x0012C000@0x0109A000(origin),0x00600000@0x011C6000(userdata),0x00020000@0x017C6000(radical_update),-@0x017E6000(user)
The important part is: androidboot.selinux=enforcing
After the system has booted, getenforce shows whether the setting took effect:
#adb shell getenforce
Enforcing
Problem 1:
A custom service fails to start, which makes Android reboot endlessly. The log is as follows:
01-02 02:17:00.313 I/ActivityManagerService( 3003): Start proc 3581:com.android.settings/1000 for broadcast com.android.settings/.HdmiReceiver
01-02 02:17:00.322 D/SystemControlerService( 3003): ALog onServiceConnected
01-02 02:17:00.322 E/SELinux ( 171): avc: denied { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:17:00.323 E/ServiceManager( 171): add_service('systemctrl_service',60) uid=1000 - PERMISSION DENIED
01-02 02:17:00.323 D/SystemControlerService( 3538): ALog android.net.wifi.WIFI_STATE_CHANGED
01-02 02:17:00.323 D/AndroidRuntime( 3003): Shutting down VM
01-02 02:17:00.323 E/AndroidRuntime( 3003): *** FATAL EXCEPTION IN SYSTEM PROCESS: main
01-02 02:17:00.323 E/AndroidRuntime( 3003): java.lang.SecurityException
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.BinderProxy.transactNative(Native Method)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.BinderProxy.transact(Binder.java:496)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.ServiceManager.addService(ServiceManager.java:89)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.SystemService.publishBinderService(SystemService.java:172)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.SystemService.publishBinderService(SystemService.java:164)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.os.SystemControlerService.access$000(SystemControlerService.java:51)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.os.SystemControlerService$1.onServiceConnected(SystemControlerService.java:80)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.app.LoadedApk$ServiceDispatcher.doConnected(LoadedApk.java:1208)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.app.LoadedApk$ServiceDispatcher$RunConnection.run(LoadedApk.java:1225)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.Handler.handleCallback(Handler.java:739)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.Handler.dispatchMessage(Handler.java:95)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at android.os.Looper.loop(Looper.java:135)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.SystemServer.run(SystemServer.java:274)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.server.SystemServer.main(SystemServer.java:175)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at java.lang.reflect.Method.invoke(Native Method)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at java.lang.reflect.Method.invoke(Method.java:372)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:963)
01-02 02:17:00.323 E/AndroidRuntime( 3003): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:758)
01-02 02:17:00.328 E/ActivityManagerService( 3003): warning: could NOT find SYSTEMCTRL_SERVICE service
01-02 02:17:00.521 W/art ( 3003): Long monitor contention event with owner method=boolean com.android.server.am.ActivityManagerService.unbindService(android.app.IServiceConnection) from ActivityManagerService.java:15763 waiters=0 for 192ms
01-02 02:17:00.522 E/AndroidRuntime( 3003): Error reporting crash
01-02 02:17:00.522 E/AndroidRuntime( 3003): java.lang.NullPointerException: Attempt to read from field 'android.content.pm.ApplicationInfo com.android.server.am.ProcessRecord.info' on a null object reference
01-02 02:17:00.522 E/AndroidRuntime( 3003): at com.android.server.am.ActivityManagerService.handleApplicationCrashInner(ActivityManagerService.java:11969)
01-02 02:17:00.522 E/AndroidRuntime( 3003): at com.android.server.am.ActivityManagerService.handleApplicationCrash(ActivityManagerService.java:11945)
01-02 02:17:00.522 E/AndroidRuntime( 3003): at com.android.internal.os.RuntimeInit$UncaughtHandler.uncaughtException(RuntimeInit.java:89)
01-02 02:17:00.522 E/AndroidRuntime( 3003): at java.lang.ThreadGroup.uncaughtException(ThreadGroup.java:693)
01-02 02:17:00.522 E/AndroidRuntime( 3003): at java.lang.ThreadGroup.uncaughtException(ThreadGroup.java:690)
01-02 02:17:00.522 I/Process ( 3003): Sending signal. PID: 3003 SIG: 9
01-02 02:17:00.587 I/ServiceManager( 171): service 'display' died
01-02 02:17:00.588 W/AudioFlinger( 2778): power manager service died !!!
01-02 02:17:00.590 E/WifiManager( 3108): Channel connection lost
01-02 02:17:00.591 D/SurfaceFlinger( 174): Set power mode=2, type=0 flinger=0xb7b91550
01-02 02:17:00.591 D/SurfaceFlinger( 174): Screen type=0 is already mode=2
01-02 02:17:00.599 I/ServiceManager( 171): service 'hardware' died
01-02 02:17:00.600 E/BufferQueueProducer( 174): [StatusBar] queueBuffer: BufferQueue has been abandoned
01-02 02:17:00.600 E/Surface ( 3108): queueBuffer: error queuing buffer to SurfaceTexture, -19
01-02 02:17:00.600 F/OpenGLRenderer( 3108): Encountered EGL error 12299 EGL_BAD_NATIVE_WINDOW during rendering
01-02 02:17:00.601 F/libc ( 3108): Fatal signal 6 (SIGABRT), code -6 in tid 3526 (RenderThread)
01-02 02:17:00.603 I/ServiceManager( 171): service 'webviewupdate' died
01-02 02:17:00.604 I/ServiceManager( 171): service 'consumer_ir' died
01-02 02:17:00.604 I/ServiceManager( 171): service 'user' died
01-02 02:17:00.604 I/ServiceManager( 171): service 'sensorservice' died
01-02 02:17:00.604 I/ServiceManager( 171): service 'batterystats' died
01-02 02:17:00.604 I/ServiceManager( 171): service 'appops' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'power' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'device_policy' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'input' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'input_method' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'clipboard' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'account' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'entropy' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'vibrator' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'cpuinfo' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'procstats' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'mount' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'telephony.registry' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'devicestoragemonitor' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'content' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'gfxinfo' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'package' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'statusbar' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'meminfo' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'dbinfo' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'permission' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'activity' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'servicediscovery' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'netstats' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'wifip2p' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'usagestats' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'textservices' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'scheduling_policy' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'battery' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'alarm' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'lock_settings' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'accessibility' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'window' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'bluetooth_manager' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'network_score' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'netpolicy' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'network_management' died
01-02 02:17:00.605 I/ServiceManager( 171): service 'search' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'country_detector' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'wifiscanner' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'wifi' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'ethernet' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'location' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'rttmanager' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'connectivity' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'updatelock' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'notification' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'dreams' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'wallpaper' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'dropbox' died
01-02 02:17:00.606 I/ServiceManager( 171): service 'DockObserver' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'media_session' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'audio' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'usb' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'assetatlas' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'uimode' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'jobscheduler' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'samplingprofiler' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'voiceinteraction' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'appwidget' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'commontime_management' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'backup' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'serial' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'diskstats' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'media_router' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'display_device_management' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'media_projection' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'fingerprint' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'trust' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'restrictions' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'print' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'imms' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'launcherapps' died
01-02 02:17:00.608 I/ServiceManager( 171): service 'telecom' died
01-02 02:17:00.702 E/DEBUG ( 189): Failed to find a valid tombstone, default to using tombstone 0.
01-02 02:17:00.702 E/DEBUG ( 189): failed to open tombstone file '/data/tombstones/tombstone_00': No such file or directory
01-02 02:17:00.702 I/DEBUG ( 189): Skipping tombstone write, nothing to do.
01-02 02:17:00.726 I/BootAnimation( 3601): boot_animation_process start, built at '18:49:46', on 'Sep 21 2017'.
Another example:
01-02 02:25:23.372 I/SystemServiceManager( 495): Starting com.android.server.pppoe.PppoeService
01-02 02:25:23.373 I/PppoeServiceImpl( 495): Creating PppoeServiceImpl
01-02 02:25:23.375 I/PppoeService( 495): Registering service pppoe
01-02 02:25:23.376 E/SELinux ( 171): avc: denied { add } for service=pppoe scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:25:23.376 E/ServiceManager( 171): add_service('pppoe',38) uid=1000 - PERMISSION DENIED
01-02 02:25:23.376 W/SystemServer( 495): ***********************************************
01-02 02:25:23.377 F/SystemServer( 495): BOOT FAILURE start PppoeService error
01-02 02:25:23.377 F/SystemServer( 495): java.lang.RuntimeException: Failed to start service com.android.server.pppoe.PppoeService: onStart threw an exception
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:111)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:65)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServer.startOtherServices(SystemServer.java:709)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServer.run(SystemServer.java:261)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServer.main(SystemServer.java:175)
01-02 02:25:23.377 F/SystemServer( 495): at java.lang.reflect.Method.invoke(Native Method)
01-02 02:25:23.377 F/SystemServer( 495): at java.lang.reflect.Method.invoke(Method.java:372)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:963)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:758)
01-02 02:25:23.377 F/SystemServer( 495): Caused by: java.lang.SecurityException
01-02 02:25:23.377 F/SystemServer( 495): at android.os.BinderProxy.transactNative(Native Method)
01-02 02:25:23.377 F/SystemServer( 495): at android.os.BinderProxy.transact(Binder.java:496)
01-02 02:25:23.377 F/SystemServer( 495): at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:150)
01-02 02:25:23.377 F/SystemServer( 495): at android.os.ServiceManager.addService(ServiceManager.java:89)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemService.publishBinderService(SystemService.java:172)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemService.publishBinderService(SystemService.java:164)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.pppoe.PppoeService.onStart(PppoeService.java:40)
01-02 02:25:23.377 F/SystemServer( 495): at com.android.server.SystemServiceManager.startService(SystemServiceManager.java:109)
01-02 02:25:23.377 F/SystemServer( 495): ... 8 more
01-02 02:25:23.377 I/SystemServer( 495): Connectivity Service
01-02 02:25:23.380 D/ConnectivityService( 495): ConnectivityService starting up
The key lines in the log are:
01-02 02:17:00.322 E/SELinux ( 171): avc: denied { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:17:00.323 E/ServiceManager( 171): add_service('systemctrl_service',60) uid=1000 - PERMISSION DENIED
01-02 02:25:23.376 E/SELinux ( 171): avc: denied { add } for service=pppoe scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
01-02 02:25:23.376 E/ServiceManager( 171): add_service('pppoe',38) uid=1000 - PERMISSION DENIED
———— Solution ————
$ git diff device/rockchip/common/sepolicy/service_contexts
diff --git a/device/rockchip/common/sepolicy/service_contexts b/device/rockchip/common/sepolicy/service_contexts
old mode 100644
new mode 100755
index 216f6b8..5cc9fd3
--- a/device/rockchip/common/sepolicy/service_contexts
+++ b/device/rockchip/common/sepolicy/service_contexts
@@ -2,3 +2,5 @@
fmradioservice u:object_r:radio_service:s0
oemtelephony u:object_r:radio_service:s0
msm.registry u:object_r:system_app_service:s0
+systemctrl u:object_r:system_server_service:s0
+pppoe u:object_r:system_server_service:s0
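Review bot: the name on the `+systemctrl` line does not match the name that was denied. The avc line reports `service=systemctrl_service` and ServiceManager logs `add_service('systemctrl_service',60)`, so unless the Java side was renamed, this entry is never consulted and the service still resolves to default_android_service. Use the exact name passed to addService: `systemctrl_service u:object_r:system_server_service:s0`. The mode change 100644 → 100755 on a plain text file also looks accidental and should be dropped.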
PS:
The SELinux-related sources live in two places:
|–device/rockchip/common/sepolicy/
|–external/sepolicy/
Build and apply:
mmm external/sepolicy/ && ./mkimage.sh
Then flash boot.img and recovery.img (optional) with the flashing tool.
Problem 2:
File access is denied: listing a directory, reading file attributes, creating files, writing, and so on.
A custom private partition, mounted at /private.
Typically the error log looks like:
#type=1400 audit(0.0:64): avc: denied { search } for name="/" dev="sda1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
This says: system_server cannot perform the search operation on a dir of type vfat.
The fix is to add the following to the TE file:
+allow system_server vfat:dir {search};
#type=1400 audit(0.0:8): avc: denied { execute } for path="/data/data/com.xxx/cache/slice-slice_9-classes.dex" dev="mmcblk0p14" ino=115000 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
+allow system_app system_app_data_file:file{ execute };
Other problems of this kind are fixed the same way.
Grant system_app read/write access:
diff --git a/device/rockchip/common/sepolicy/file.te b/device/rockchip/common/sepolicy/file.te
old mode 100644
new mode 100755
index 371e1dc..1cd6326
--- a/device/rockchip/common/sepolicy/file.te
+++ b/device/rockchip/common/sepolicy/file.te
@@ -26,10 +26,11 @@ type rpc_send_socket, file_type;
type rpc_reg_socket, file_type;
type metadata_file, file_type;
+type private_file, file_type;
diff --git a/device/rockchip/common/sepolicy/file_contexts b/device/rockchip/common/sepolicy/file_contexts
old mode 100644
new mode 100755
index fc55766..118ed6b
--- a/device/rockchip/common/sepolicy/file_contexts
+++ b/device/rockchip/common/sepolicy/file_contexts
@@ -11,6 +11,9 @@
# Bluetooth
/dev/ttyBT(.*) u:object_r:tty_device:s0
# logcat
/system/bin/logcat u:object_r:logcat_exec:s0
@@ -127,6 +130,7 @@
/system/bin/akmd u:object_r:akmd_exec:s0
/metadata(/.*)? u:object_r:metadata_file:s0
+/private(/.*)? u:object_r:private_file:s0
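Review bot: the `/private(/.*)?` entry only decides the label of files that are created or relabelled after this policy is installed; anything already on the /private partition keeps the xattr label it was given before. Make sure init runs `restorecon_recursive /private` (or that the partition is reformatted) after flashing, otherwise denials will keep showing the old tcontext even though the file_contexts entry is present.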
+++ b/device/rockchip/common/sepolicy/system_app.te
@@ -18,6 +18,39 @@ allow system_app cache_file:file create_file_perms;
allow system_app thermal_file:file rw_file_perms;
allow system_app pekallfmrserver:binder { call transfer };
allow system_app default_prop:property_service { set };
+#private
+allow system_app private_file:dir rw_dir_perms;
+allow system_app private_file:file execute;
+allow system_app private_file:file rw_file_perms;
+allow system_app private_file:dir { append create open write getattr setattr rename execute};
+allow system_app private_file:file { append unlink create open write getattr setattr rename execute};
+allow system_app toolbox_exec:file { read open getattr execute execute_no_trans};
+allow system_app su_exec:file { read open getattr execute execute_no_trans};
+
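Review bot: the block grants more than the denials on this page call for, and several lines overlap. `rw_dir_perms` and `rw_file_perms` already include open, write, getattr and append, and `private_file:file execute` is granted twice (once on its own line and again inside the explicit list); if create, rename, unlink and setattr are really needed, the `create_dir_perms` / `create_file_perms` macros (the latter is already used on the first context line of this hunk) are clearer than hand-written sets. More importantly, combining `write` and `execute` on the same type lets system_app run whatever it drops under /private, and the `su_exec` line gives a system app a direct route to a root shell, which defeats the point of switching to enforcing. Keep only the permissions that actually appear in avc denials, and drop the su_exec rule on production images.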
For example, USB and serial port access:
Define a label for ttyACM in
|–device/rockchip/common/sepolicy/file_contexts
# ACM
/dev/ttyACM[0-9]* u:object_r:tty_device:s0
|–device/rockchip/common/sepolicy/system_app.te
+allow system_app usb_device:dir rw_dir_perms;
+allow system_app tty_device:dir rw_dir_perms;
+allow system_app usb_device:chr_file {lock open read write ioctl};
+allow system_app tty_device:chr_file {lock open read write ioctl};
Problem 3:
The build fails when a permission you add conflicts with an existing definition:
mmm external/sepolicy/
libsepol.report_failure: neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) violated by allow system_app sysfs:file { write };
libsepol.check_assertions: 1 neverallow failures occurred
libsepol.report_failure: neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf) violated by allow system_app sysfs:file { write };
Error while expanding policy
make: *** [out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy] 错误 1
make: *** 正在等待未完成的任务....
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
The key line is this one:
neverallow on line 342 of external/sepolicy/app.te (or line 4327 of policy.conf)
Look directly at what is written in policy.conf:
|–out/target/product/rk3288/obj/ETC/sepolicy_intermediates/policy.conf
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
The cause is that I tried to add read/write access to device node files for system apps in system_app.te:
allow system_app sysfs:file { read write getattr open };
// This rule conflicts with the definition in |--external/sepolicy/app.te:
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
sysfs:dir_file_class_set write;
Solution:
|–external/sepolicy/app.te
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
sysfs:dir_file_class_set write;
// change to:
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -system_app}
sysfs:dir_file_class_set write;
A few useful commands:
1. getenforce / setenforce
View and set the SELinux mode
2. ls -Z file
View a file's SELinux label
3. ps -Z
View the SELinux label of processes
I. Determining the SELinux file type
Check a file's security context and change it
1. Go to the relevant directory and look
root@Z00T:/cd system/bin/
root@Z00T:/ls -Z | grep demo
PS: replace demo with the name of the file you want to inspect.
Usually, since no SELinux label has been set for demo, it gets the default label for files on that filesystem:
demo u:object_r:system_file:s0
2. Add a policy file that defines the file type
1) Add the required policy file demo.te (here demo is taken to be an executable)
Create a new file demo.te under device/qcom/sepolicy/common:
type demo, domain;
type demo_exec, exec_type, file_type;
init_daemon_domain(demo)
This defines demo as a domain and demo_exec as an executable file type.
2) Set up the file matching
In device/qcom/sepolicy/common/file_contexts, add a matching entry:
/system/bin/demo u:object_r:demo_exec:s0
PS: every demo above can be replaced with the file name you need.
Now repeat step 1 to see whether it took effect. Note that demo must not be a file pushed onto the device, otherwise file_contexts will not recognize it. Only the kernel log produced at this point shows which permissions actually need to be added.
To check whether the build took effect, look at out/target/product/<>/root/file_contexts and out/target/product/<>/obj/ETC/file_contexts_intermediates/file_contexts.
PS: if demo is only a resource file, the matching entry can be put directly in file_contexts; all file types can be seen in device/qcom/sepolicy/common/file.te.
demo u:object_r:system_file:s0    (replace system_file with the file type you need)
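To verify the file_contexts step above without a rebuild, the following added example (not from the original post) resolves paths against a constructed file_contexts fragment built from the entries quoted on this page, using the same rule libselinux applies: every spec is anchored, and when several entries match the last one wins, which is why an unlabelled /system/bin/demo falls back to system_file. The ordering of the fragment and the AOSP catch-all `/system(/.*)?` entry are assumptions.

```python
import re

# Constructed file_contexts fragment: the AOSP catch-all for /system plus the
# entries quoted on this page, in file order (the ordering is assumed).
FILE_CONTEXTS = """\
/system(/.*)?          u:object_r:system_file:s0
# Bluetooth
/dev/ttyBT(.*)         u:object_r:tty_device:s0
# ACM
/dev/ttyACM[0-9]*      u:object_r:tty_device:s0
/system/bin/logcat     u:object_r:logcat_exec:s0
/system/bin/demo       u:object_r:demo_exec:s0
/metadata(/.*)?        u:object_r:metadata_file:s0
/private(/.*)?         u:object_r:private_file:s0
"""


def parse_file_contexts(text):
    """Return (compiled regex, context) pairs in file order, skipping comments."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # An optional middle field (-- / -d / -c ...) restricts the inode type;
        # it is ignored here, which is fine for the entries above.
        regex, context = fields[0], fields[-1]
        # libselinux anchors every spec at both ends.
        specs.append((re.compile("^" + regex + "$"), context))
    return specs


def label_for(specs, path):
    """Resolve a path the way file_contexts(5) does: the last matching entry wins."""
    label = None
    for rx, context in specs:
        if rx.match(path):
            label = context
    return label


def check_paths(text, paths):
    """Map each path to its label; None marks a path no entry covers at all."""
    specs = parse_file_contexts(text)
    return {p: label_for(specs, p) for p in paths}
```

Run check_paths over the generated out/target/product/<>/root/file_contexts with the paths that produced denials; a None result means the path needs an entry, a system_file result means the entry you added did not match.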
II. Adding SELinux permissions
Add the permissions according to the denial reported in the kernel log.
For example, the kernel reports an error like this:
# cat /dev/kmsg
[ 172.554381] type=1400 audit(22611.739:4): avc: denied { getattr } for pid=257 comm="demo" path="/system/rfs" dev="mmcblk0p42" ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0
[ 173.287498] type=1400 audit(22612.479:5): avc: denied { relabelfrom } for pid=257 comm="demo" name="rfs" dev="mmcblk0p42" ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0
The comm field usually tells you which domain is involved, and therefore which .te file needs to be changed.
Add a statement to the corresponding .te file, in the format:
allow sourcecontext targetcontext:class permission;
For example, in
[ 172.554381] type=1400 audit(22611.739:4): avc: denied { getattr } for pid=257 comm="update_binary" path="/system/rfs" dev="mmcblk0p42" ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0
the sourcecontext is the recovery in "scontext=u:r:recovery:s0", the targetcontext is the rfs_system_file in "tcontext=u:object_r:rfs_system_file:s0", the class is the dir in "tclass=dir", and the permission is the getattr inside "{}",
so add the statement
allow recovery rfs_system_file:dir getattr;
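The mapping just described, from an avc line to an allow rule, is the same one applied in problems 2 and 3 above. The following added example (not from the original post) automates it over the denials quoted on this page plus one constructed sysfs write denial: it emits the allow rule, recognises the service_manager case from problem 1 as a missing service_contexts entry rather than an allow rule, and flags rules that would trip the app.te neverallow from problem 3. The appdomain membership list and the dir_file_class_set contents are assumptions taken from AOSP 5.1.

```python
import re

# Constructed sample: three avc lines quoted from this page and one constructed
# sysfs write denial for system_app, the rule that fails to build in problem 3.
SAMPLE_DENIALS = """\
01-02 02:17:00.322 E/SELinux ( 171): avc: denied { add } for service=systemctrl_service scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
type=1400 audit(0.0:64): avc: denied { search } for name="/" dev="sda1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
[  172.554381] type=1400 audit(22611.739:4): avc: denied { getattr } for pid=257 comm="demo" path="/system/rfs" dev="mmcblk0p42" ino=2070 scontext=u:r:recovery:s0 tcontext=u:object_r:rfs_system_file:s0 tclass=dir permissive=0
type=1400 audit(0.0:9): avc: denied { write } for path="/sys/class/leds/red/brightness" dev="sysfs" ino=4242 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \}"
    r"(?: for service=(?P<service>\S+))?.*?"
    r"scontext=u:(?:r|object_r):(?P<src>[^:\s]+):s0.*?"
    r"tcontext=u:object_r:(?P<tgt>[^:\s]+):s0.*?"
    r"tclass=(?P<cls>\S+)"
)

# Assumed: a subset of the AOSP 5.1 appdomain members, and dir_file_class_set
# as used by the neverallow quoted from external/sepolicy/app.te in problem 3.
APPDOMAIN = {"system_app", "platform_app", "untrusted_app", "isolated_app",
             "bluetooth", "nfc", "radio"}
DIR_FILE_CLASS_SET = {"dir", "file", "lnk_file", "chr_file", "blk_file",
                      "sock_file", "fifo_file"}
NEVERALLOWS = [{
    "text": "neverallow { appdomain -bluetooth -nfc } sysfs:dir_file_class_set write;",
    "src": APPDOMAIN - {"bluetooth", "nfc"}, "tgt": {"sysfs"},
    "cls": DIR_FILE_CLASS_SET, "perms": {"write"},
}]


def parse_denial(line):
    """Pull permissions, source type, target type and class out of one avc line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    return d


def violated_neverallow(src, tgt, cls, perms):
    """Return the neverallow that `allow src tgt:cls perms` would trip, if any."""
    for na in NEVERALLOWS:
        if src in na["src"] and tgt in na["tgt"] and cls in na["cls"] \
                and perms & na["perms"]:
            return na
    return None


def suggest_fix(line):
    """Map one denial to the kind of change this page applies for it."""
    d = parse_denial(line)
    if d is None:
        return None
    # Problem 1: a service that lands on default_android_service has no
    # service_contexts entry, so the fix is a label, not an allow rule. The
    # <domain>_service naming follows this page (system_server_service).
    if d["cls"] == "service_manager" and d["tgt"] == "default_android_service":
        return {"kind": "service_contexts",
                "entry": f"{d['service']} u:object_r:{d['src']}_service:s0"}
    perms = " ".join(sorted(d["perms"]))
    rule = f"allow {d['src']} {d['tgt']}:{d['cls']} {{ {perms} }};"
    na = violated_neverallow(d["src"], d["tgt"], d["cls"], d["perms"])
    if na:
        # Problem 3: libsepol.check_assertions would reject this rule.
        return {"kind": "blocked", "rule": rule, "neverallow": na["text"]}
    return {"kind": "allow", "rule": rule}


def suggest_all(text):
    """Run suggest_fix over a whole logcat/kmsg dump, skipping non-avc lines."""
    return [s for s in map(suggest_fix, text.splitlines()) if s is not None]
```

A rule reported as blocked should be handled by giving the access to a dedicated type or domain rather than by editing the neverallow in external/sepolicy, because CTS checks the AOSP neverallow set against the device policy.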
III. Fixing build errors
Block device access exceeds what is allowed
When accessing a block device, the build fails because of a neverallow. Do not modify /external/sepolicy/domain.te for this, since that would make CTS fail; instead, give the domain access to the specific block device.
The block device can be defined in device/qcom/sepolicy/msm89xx/file_context. If the build still fails, the reason is that the block device has not been defined; define it in /external/sepolicy/device.te. Then continue as described in step II.
Access to a default property exceeds what is allowed
Sometimes access to a default property is blocked by a neverallow and the build fails. As before, domain.te must not be modified; instead define a property type in device/qcom/sepolicy/common/property.te:
type demo_prop, property_type;
Then match the property you need to access in device/qcom/sepolicy/common/property_context:
adb.on u:object_r:demo_prop:s0
Then continue as described in step II.
Operational access
When you need to perform some operation manually, run cat /dev/kmsg to see which permission is required, then find the specific .te file and make the change.
For example, when mounting a partition:
avc: denied { associate } for pid=4256 comm="mount" scontext=u:object_r:fac_file:s0 tcontext=u:object_r:fac_file:s0 tclass=filesystem permissive=0
This shows that mount lacks the required permission; the relevant permission can be added in init.te.