Writing sepolicy for a service
A service started by init must run in its own SELinux domain. The flow is as follows:
Declare the service in init.devices.rc; it will be started at init time:
Note: the seclabel entry sets the domain the service runs in. If init_daemon_domain (described below) is used, this entry is not needed; when both are present, seclabel takes priority over init_daemon_domain.
1 Create a new domain and file type
Create the sepolicy file device/manufacturer/device-name/sepolicy/mt_wlan_dongle_detect.te
with the following content:
Note: the directory device/manufacturer/device-name/sepolicy is not mandatory; the device sepolicy directory is whatever the BOARD_SEPOLICY_DIRS macro specifies.
L1 creates the mt_wlan_dongle_detect domain
L2 creates the mt_wlan_dongle_detect_exec file type
L3 declares it as an init service domain
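A complete worked version of this step, added here as an example rather than the page's own .te contents: the policy file with the three lines described above, plus the file_contexts and init rc entries the transition depends on. The binary path /vendor/bin/mt_wlan_dongle_detect, the user/group and the vendor_file_type attribute are assumptions.

```sepolicy
# device/manufacturer/device-name/sepolicy/mt_wlan_dongle_detect.te (added example)
# Line 1: the process domain the daemon runs in.
type mt_wlan_dongle_detect, domain;
# Line 2: the file type for the daemon's executable. vendor_file_type is needed
# for a binary under /vendor on Treble builds (assumed location of the binary).
type mt_wlan_dongle_detect_exec, exec_type, vendor_file_type, file_type;
# Line 3: init -> mt_wlan_dongle_detect transition when init execs the binary.
init_daemon_domain(mt_wlan_dongle_detect)
# Start with no further allow rules; add only what the audit denials show the
# daemon actually needs, so the domain stays least-privilege.

# device/manufacturer/device-name/sepolicy/file_contexts
# The label on the binary must be the *_exec type named in init_daemon_domain;
# without this entry the type_transition rule never matches and init will not
# move the process into the new domain.
/vendor/bin/mt_wlan_dongle_detect    u:object_r:mt_wlan_dongle_detect_exec:s0

# init.devices.rc: no seclabel line is needed here, because the
# domain_auto_trans rule expanded from init_daemon_domain performs the switch.
service mt_wlan_dongle_detect /vendor/bin/mt_wlan_dongle_detect
    class main
    user system
    group system
```

After boot, `ls -Z /vendor/bin/mt_wlan_dongle_detect` should show the mt_wlan_dongle_detect_exec file type and `ps -AZ | grep mt_wlan_dongle_detect` should show the process running as u:r:mt_wlan_dongle_detect:s0; if it still reports u:r:init:s0, the file label or the exec type name does not match.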
init_daemon_domain is implemented as follows. It essentially sets up SELinux so that when init executes the service binary, the process is automatically transitioned from the init domain to the service's own domain:
/system/sepolicy/prebuilts/api/30.0/public/te_macros
#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
')

#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
type_transition $1 $2:process $3;
')