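1. Inter-process interaction by setting properties
In Android system development, information often has to be passed between processes through properties: one process calls set_property and another calls get_property, which serves as inter-process communication.
Reading a property is unrestricted, but a process that needs to set a property requires extra policy work. The init process performs an SELinux permission check while handling a property-set request, and if the check fails the request is rejected.
The failure is reported as follows: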
W libc : Unable to set property "use_xxx" to "1": connection failed; errno=13 (Permission denied)
Taking one process as an example: if process a needs to set a property at run time, add the following to device/xxx/common/sepolicy/a.te:
allow mediacodec default_prop:property_service set;
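(This rule can be generated with the audit2allow command.)
After adding it, rebuild system/sepolicy/.
2. Property-set restrictions on Android 8.1 (and later)
This method works on all systems before 8.1, but Android 8.1 and later add a restriction that does not allow ordinary processes to set system properties. The build fails with the following error: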
FAILED: out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy
/bin/bash -c "(out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/xxxx/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/xxxx/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.tmp -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy )"
neverallow check failed at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:2614
(neverallow base_typeattr_4_27_0 default_prop_27_0 (property_service (set)))
<root>
allow at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713
(allow mediacodec_27_0 default_prop_27_0 (property_service (set)))
neverallow check failed at out/target/product/xxxx/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4287 from system/sepolicy/public/domain.te:447
(neverallow base_typeattr_4 default_prop (property_service (set)))
<root>
allow at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713
(allow mediacodec_27_0 default_prop_27_0 (property_service (set)))
Failed to generate binary
Failed to build policydb
[ 34% 23/66] build out/target/product/xxxx/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
FAILED: out/target/product/xxxx/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
/bin/bash -c "out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/xxxx/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/xxxx/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/xxxx/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy -f /dev/null"
neverallow check failed at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:2614
(neverallow base_typeattr_4_27_0 default_prop_27_0 (property_service (set)))
<root>
allow at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713
(allow mediacodec_27_0 default_prop_27_0 (property_service (set)))
neverallow check failed at out/target/product/xxxx/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4287 from system/sepolicy/public/domain.te:447
(neverallow base_typeattr_4 default_prop (property_service (set)))
<root>
allow at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713
(allow mediacodec_27_0 default_prop_27_0 (property_service (set)))
Failed to generate binary
Failed to build policydb
ninja: build stopped: subcommand failed.
20:55:56 ninja failed with: exit status 1
#### failed to build some targets (02:13 (mm:ss)) ####
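To triage the output above, the sketch below (an added example, not part of the original post) collapses the repeated secilc "neverallow check failed" blocks into one record per offending allow rule, strips the _27_0 version suffix, and keeps the .te location of the violated neverallow. The sample log is constructed from the lines quoted above with the paths shortened; the function and field names are assumptions.

```python
import re

# Constructed sample: shaped like the secilc output quoted above, with the
# out/target/... paths shortened to plat.cil / nonplat.cil.
SAMPLE_LOG = """\
neverallow check failed at nonplat.cil:2614
  (neverallow base_typeattr_4_27_0 default_prop_27_0 (property_service (set)))
    <root>
    allow at nonplat.cil:6713
      (allow mediacodec_27_0 default_prop_27_0 (property_service (set)))
neverallow check failed at plat.cil:4287 from system/sepolicy/public/domain.te:447
  (neverallow base_typeattr_4 default_prop (property_service (set)))
    <root>
    allow at nonplat.cil:6713
      (allow mediacodec_27_0 default_prop_27_0 (property_service (set)))
"""

FAILED = re.compile(r"neverallow check failed at (\S+?):(\d+)(?: from (\S+?):(\d+))?$")
ALLOW = re.compile(r"\(allow (\S+) (\S+) \((\S+) \(([^)]*)\)\)\)$")
VERSIONED = re.compile(r"_\d+_\d+$")  # e.g. the _27_0 suffix on versioned types


def parse_neverallow_failures(log):
    """Collapse repeated failures into one record per offending allow rule."""
    rules = {}
    te_source = None
    for raw in log.splitlines():
        line = raw.strip()
        failed = FAILED.match(line)
        if failed:
            # "from <file>.te:<line>" is present only when secilc knows the origin.
            te_source = f"{failed.group(3)}:{failed.group(4)}" if failed.group(3) else None
            continue
        allow = ALLOW.match(line)
        if not allow:
            continue
        domain, target = (VERSIONED.sub("", g) for g in allow.group(1, 2))
        key = (domain, target, allow.group(3), allow.group(4))
        rec = rules.setdefault(key, {
            "domain": domain, "type": target, "class": allow.group(3),
            "perms": allow.group(4).split(), "neverallow_from": [],
        })
        if te_source and te_source not in rec["neverallow_from"]:
            rec["neverallow_from"].append(te_source)
    return list(rules.values())


if __name__ == "__main__":
    for r in parse_neverallow_failures(SAMPLE_LOG):
        print(f"allow {r['domain']} {r['type']}:{r['class']} {{ {' '.join(r['perms'])} }};"
              f"  # violates {', '.join(r['neverallow_from']) or 'versioned policy'}")
```

Run on the full build log, the four failure blocks reduce to the single rule that has to be removed from the device policy.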
Solution 1
Allow the mediacodec process to set the use_xxx property
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
index 3530bec..a3a0c38 100644
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
@@ -5,4 +5,8 @@ allow mediacodec media_prop:file { open read getattr };
allow mediacodec system_file:dir { open read };
allow mediacodec sysfs:file { read open getattr };
allow mediacodec sysfs:dir { read open getattr };
get_prop(mediacodec,ctsgts_prop);
+set_prop(mediacodec,use_mpp_mode_prop);
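Review bot: The added set_prop(mediacodec,use_mpp_mode_prop); names a type, use_mpp_mode_prop, that none of the visible hunks declare: property.te adds use_xxx_prop and property_contexts maps use_xxx to use_xxx_prop. Unless use_mpp_mode_prop is declared elsewhere the policy will not compile, and even if it is, mediacodec still gets no set permission on the label that use_xxx carries. Use one type name across all three files, for example set_prop(mediacodec, use_xxx_prop). The hunk header (-5,4 +5,8) also announces four added lines while only one is shown, so the remaining additions should be included for review.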
diff --git a/sepolicy/property.te b/sepolicy/property.te
index c71f976..5912a09 100755
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -2,5 +2,6 @@ type graphic_prop, property_type;
type drm_prop, property_type, mlstrustedsubject;
type media_prop, property_type, mlstrustedsubject;
type ctsgts_prop, property_type, mlstrustedsubject;
+type use_xxx_prop, property_type, mlstrustedsubject;
type secureboot_prop, property_type;
type tee_supplicant_prop, property_type;
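Review bot: On the added use_xxx_prop line, mlstrustedsubject is an attribute for subjects (domains exempt from MLS constraints), and a property type is only ever the object of a rule, so the attribute adds nothing here. secureboot_prop and tee_supplicant_prop in the same file are declared with property_type alone; prefer "type use_xxx_prop, property_type;" unless there is a documented reason to copy the attribute from the neighbouring entries.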
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index cd31e89..af47380 100755
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -5,6 +5,7 @@ media. u:object_r:media_prop:s0
mediaplayer. u:object_r:media_prop:s0
cts_gts. u:object_r:ctsgts_prop:s0
persist.cts_gts. u:object_r:ctsgts_prop:s0
+use_xxx u:object_r:use_xxx_prop:s0
pppoe. u:object_r:dhcp_prop:s0
persist.ppp u:object_r:dhcp_prop:s0
ro.secureboot u:object_r:secureboot_prop:s0
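Review bot: The new use_xxx entry carries no namespace prefix and, like the other entries in this file, matches by prefix, so every property whose name begins with use_xxx picks up the use_xxx_prop label. Write out the full name of the property that mediacodec actually sets, and since this is device policy consider putting it under the vendor. namespace so the name cannot collide with a platform property.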
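Solution 2
Properties outside the system domain are not subject to the restriction above, so the use_xxx property can be renamed to vendor.use_xxx, making it a vendor-domain property.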