I. Requirements
The project needs the executable /system/bin/baipess.sh to be run automatically at boot on Android 8.1, with the processed files saved to /data/etc/rk3399_robot.
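II. Implementation approach
- Write a shell script that copies the directory into /data/etc/.
- Add a .te file under system/sepolicy/vendor/ and configure file_contexts.
- Resolve permission problems with sepolicy.
- Quick build.
- Flash the vendor.img file.
1. Write a shell script that copies the directory into /data/etc/. The script is as follows: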
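#!/system/bin/sh
# Copy the robot configuration from the system image to /data/etc.
echo "copy start"
# -p: do not fail when /data/etc already exists (every boot after the first)
mkdir -p /data/etc
echo "mkdir end"
# Absolute source path; copying into /data/etc/ overwrites
# /data/etc/rk3399_robot on later boots instead of nesting a second copy in it
cp -r /system/etc/rk3399_robot /data/etc/
echo "copy end"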
Add the script to the copy list in the product makefile, for example rk3399_robot.mk:
PRODUCT_COPY_FILES += device/rockchip/rk3399/rk3399_robot/baipess.sh:/system/bin/baipess.sh
2. Add a .te file under system/sepolicy/vendor/ and configure file_contexts
(1) Add the file baipess.te
##
# baipess
#
# Domain for the boot-time copy script and the type of its executable
type baipess,domain,coredomain;
type baipess_exec,exec_type,file_type;
# Debug builds only: log denials for this domain instead of enforcing them
permissive baipess;
# Transition from init into the baipess domain when baipess_exec is executed
init_daemon_domain(baipess);
allow baipess system_file:file { read open getattr };
allow baipess self:capability { chown fowner fsetid setuid setgid dac_override };
allow baipess shell_exec:file { read open getattr };
allow baipess toolbox_exec:file { read open getattr execute execute_no_trans };
allow baipess system_data_file:dir { write read create open add_name };
allow baipess system_file:dir { read open getattr };
allow baipess system_data_file:file { write read create open };
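Note: on debug builds, add permissive baipess so that denials are only logged as warnings; read those warnings and add the permissions they name.
(2) Configure file_contexts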
/system/bin/baipess.sh u:object_r:baipess_exec:s0
3. Resolve permission problems with sepolicy
(1) avc: denied { read write } for pid=410 comm="light@2.0-servi" name="brightness" dev="sysfs" ino=25578 scontext=u:r:baipess:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
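Rule: allow <scontext> <tcontext>:<tclass> <operation>
Each field is taken from the denial: the type from scontext, the type from tcontext, the class from tclass, and the operations listed in the braces. For the denial above this gives:
allow baipess system_file:file { read write };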
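The mapping from a denial to a rule described above, as an added example that is not part of the original post: it parses avc denials and merges the permissions per (source type, target type, class). The function names are hypothetical, and only the first sample log line comes from this page; the other three are constructed.

```python
import re

# Sample input: the first line is the denial quoted above; the other three
# are constructed for this example.
SAMPLE_LOG = '''\
avc: denied { read write } for pid=410 comm="light@2.0-servi" name="brightness" dev="sysfs" ino=25578 scontext=u:r:baipess:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
avc: denied { open } for pid=410 comm="baipess.sh" name="rk3399_robot" ino=77 scontext=u:r:baipess:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
avc: denied { add_name } for pid=410 comm="mkdir" name="etc" scontext=u:r:baipess:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { dac_override } for pid=410 comm="cp" capability=1 scontext=u:r:baipess:s0 tcontext=u:r:baipess:s0 tclass=capability permissive=1
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of a context such as u:r:baipess:s0."""
    fields = context.split(':')
    if len(fields) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return fields[2]

def denials_to_rules(log_text, domain=None):
    """Turn avc denials into allow rules, merging permissions per
    (source type, target type, class). If domain is given, denials
    from other source domains are ignored."""
    merged = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc denial
        src = context_type(m.group('scon'))
        if domain is not None and src != domain:
            continue
        tgt = context_type(m.group('tcon'))
        # A domain acting on itself is written "self", as in baipess.te
        key = (src, 'self' if tgt == src else tgt, m.group('tclass'))
        perms = merged.setdefault(key, [])
        for perm in m.group('perms').split():
            if perm not in perms:
                perms.append(perm)
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(p))
            for (s, t, c), p in merged.items()]

if __name__ == '__main__':
    for rule in denials_to_rules(SAMPLE_LOG, domain='baipess'):
        print(rule)
```

Review each generated rule before adding it to baipess.te: a rule on a broad type such as system_data_file grants access to every object with that label, not only the one file the denial named.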
4. Quick build:
source build/envsetup.sh
lunch 9
make selinux_policy -j24
make vendorimage -j32
5. Flash the vendor.img file