1.创建文件
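/**
 * Creates the rule file at the fixed path {@code /data/system/net_rule.list}
 * if it does not already exist.
 *
 * <p>The path is hard-coded. On the device this service runs on, the target
 * directory is labeled {@code system_data_file} while the service runs in the
 * {@code system_app} domain, so this call is exactly what produces the
 * {@code avc: denied { add_name }} / {@code { create }} audit lines when that
 * domain lacks create permission on the directory.
 *
 * @return {@code true} only if this call created the file; {@code false} when
 *     it already existed or creation failed (the failure is logged, not thrown)
 * @throws RemoteException declared for the Binder interface; never thrown here
 */
public boolean createFile() throws RemoteException {
    android.util.Log.d(TAG, "createFile... ");
    final String filenameTemp = "/data/system/net_rule.list";
    final File file = new File(filenameTemp);
    boolean created = false;
    try {
        // createNewFile() is atomic and reports whether it created the file,
        // so its return value is used instead of a separate exists() check
        // (which could race with another writer) and an ignored result.
        created = file.createNewFile();
        if (created) {
            android.util.Log.d(TAG, "[ToolService] createFile...path=" + filenameTemp);
        } else {
            android.util.Log.d(TAG, "[ToolService] createFile...文件已存在...");
        }
    } catch (java.io.IOException | SecurityException e) {
        // Best-effort: keep the service alive and report failure via the return value.
        android.util.Log.d(TAG, "[ToolService] createFile...e=" + e, e);
    }
    return created;
}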
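/**
 * Appends {@code str} as one line, terminated with {@code "\r\n"}, to
 * {@code /data/system/net_rule.list}.
 *
 * <p>The stream is opened in append mode, so the file is never truncated and
 * rewritten: an interrupted write cannot lose the rules already stored, the
 * existing lines keep their own line endings, and a missing file is created
 * rather than reported as a failure. The charset is UTF-8 explicitly instead
 * of the platform default.
 *
 * <p>NOTE(review): {@code str} arrives over a Binder interface. A value that
 * itself contains {@code '\r'} or {@code '\n'} is stored as several rule lines;
 * whether every caller is trusted enough for that to be acceptable cannot be
 * determined from this method — confirm, or reject such input.
 *
 * @param str the line to append, without its line terminator
 * @return {@code true} if the line was written and flushed, {@code false} on
 *     any I/O or permission failure (logged, not propagated)
 * @throws RemoteException declared for the Binder interface; never thrown here
 */
public boolean writeFileContent(String str) throws RemoteException {
    final File file = new File("/data/system/net_rule.list"); // file path (including file name)
    final String line = str + "\r\n"; // the newly written line, with its terminator
    // try-with-resources closes the writer (and the stream beneath it) even on failure.
    try (java.io.Writer out = new java.io.OutputStreamWriter(
            new FileOutputStream(file, true), java.nio.charset.StandardCharsets.UTF_8)) {
        out.write(line);
        out.flush();
        android.util.Log.d(TAG, "[ToolService] writeFileContent...数据写入成功...");
        return true;
    } catch (java.io.IOException | SecurityException e) {
        android.util.Log.d(TAG, "[ToolService] writeFileContent...catch...e=" + e, e);
        return false;
    }
}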
2.创建失败报错
3.关闭SELinux权限
4.再次点击创建文件会报
2022-08-17 15:50:35.156 2287-2287/com.kte.interfacesettings I/Binder:2287_2: type=1400 audit(0.0:82): avc: denied { add_name } for name="net_rule.list" scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
2022-08-17 15:50:35.156 2287-2287/com.kte.interfacesettings I/Binder:2287_2: type=1400 audit(0.0:83): avc: denied { create } for name="net_rule.list" scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
2022-08-17 15:50:35.156 2287-2287/com.kte.interfacesettings I/Binder:2287_2: type=1400 audit(0.0:84): avc: denied { write open } for path="/data/system/net_rule.list" dev="dm-6" ino=2687263 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
5.对avc权限的说明
scontext:source context
tcontext:target context
tclass:file(文件) dir(目录)
6.查看创建的文件的具体权限(权限由两部分构成,一部分是文件的权限,一部分是SELinux权限)
7.因为不确定net_rule.list是具体的文件还是文件夹,所以对SELinux添加权限如下:
--- a/system/sepolicy/prebuilts/api/31.0/private/system_app.te
+++ b/system/sepolicy/prebuilts/api/31.0/private/system_app.te
@@ -37,6 +37,11 @@ allow system_app tombstone_data_file:file r_file_perms;
allow system_app mnt_vendor_file:file rw_file_perms;
allow system_app mnt_vendor_file:dir rw_dir_perms;
+#add start
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+#add end
+
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
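Review bot: The two added rules `allow system_app system_data_file:dir create_dir_perms;` and `allow system_app system_data_file:file create_file_perms;` grant create/write/unlink-class access to every file and directory labeled `system_data_file` (the default label for otherwise unlabeled content under /data) and to every process in the `system_app` domain, not just to `net_rule.list` and this service; the same two rules are repeated in the hunks for system/sepolicy/private/system_app.te that follow. A narrower change would give the rule file (or a dedicated directory holding it, created with that label at boot) its own type, keep `system_data_file` untouched, and allow `system_app` only what it needs on that type, e.g. `allow system_app <net_rule_data_file>:file create_file_perms;` with `<net_rule_data_file>` standing for the new type name; the exact labeling mechanism (file_contexts entry plus directory creation or a type transition) should be confirmed against the platform's existing patterns. With a dedicated type the `neverallow appdomain system_data_file:dir_file_class_set …` rule in public/app.te would not need to be relaxed either. Note that the audit lines this is based on carry `permissive=1`, so the operations were not actually blocked when captured; the rule set matters once the domain is enforcing.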
--- a/system/sepolicy/private/system_app.te
+++ b/system/sepolicy/private/system_app.te
@@ -37,6 +37,11 @@ allow system_app tombstone_data_file:file r_file_perms;
allow system_app mnt_vendor_file:file rw_file_perms;
allow system_app mnt_vendor_file:dir rw_dir_perms;
+#add start
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+#add end
+
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
8.添加权限后编译报错
9.解决报错:
--- a/system/sepolicy/public/app.te
+++ b/system/sepolicy/public/app.te
@@ -478,7 +478,7 @@ neverallow appdomain exec_type:file
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
-neverallow appdomain system_data_file:dir_file_class_set
+neverallow { appdomain -system_app } system_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
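Review bot: Changing the subject to `neverallow { appdomain -system_app } system_data_file:dir_file_class_set …` removes the platform invariant that no app domain may create or modify `system_data_file` content, and it does so for the whole `system_app` domain across all of /data, not only for this one file. Because the `system_app` allow rules in the later hunk would otherwise conflict with this neverallow at policy build time, this carve-out is being used to make them compile rather than to express a deliberate policy decision; labeling the rule file with a dedicated type (see the note on the first system_app.te hunk) avoids touching app.te at all. A device policy that drops `system_app` from this rule is also likely to be flagged by CTS's neverallow checks, which compare against AOSP's copy of these rules — worth confirming before shipping. The hunk header counts seven new-side lines but six are visible here, so the statement may be shown truncated.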
--- a/system/sepolicy/private/system_app.te
+++ b/system/sepolicy/private/system_app.te
@@ -37,6 +37,11 @@ allow system_app tombstone_data_file:file r_file_perms;
allow system_app mnt_vendor_file:file rw_file_perms;
allow system_app mnt_vendor_file:dir rw_dir_perms;
+#add start
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+#add end
+
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
10.关于rw_file_perms的定义(system/sepolicy/prebuilts/api/31.0/public/global_macros)
11.完成以上修改,再执行发现文件已经可以创建和写入了
12.关于6中权限第一部分的授权(本例不需要,记录一下思路,未验证)