Service (init.rc)
service xxx_bin /vendor/bin/xxx <param>
    class late_start
    oneshot
    disabled
    user system
    group root shell system

Property trigger
on property:persist.vendor.xxx=*
    start xxx_bin
SELinux permission configuration
Reference: https://source.android.google.cn/docs/security/features/selinux/device-policy?hl=zh-cn#label_new_services_and_address_denials

Add a new domain file vendor_xxx.te so that the service transitions from init into the vendor_xxx domain:
type vendor_xxx, domain;
type vendor_xxx_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_xxx)
# The allow rules below were added for the permissions reported as denied when the service ran
allow vendor_xxx vendor_pps_socket:sock_file write;
allow vendor_xxx hal_graphics_composer_default:unix_stream_socket connectto;
allow shell vendor_xxx_exec:file getattr;

In file_contexts, give the binary path the executable label vendor_xxx_exec:
/vendor/bin/xxx u:object_r:vendor_xxx_exec:s0
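The three allow rules above are the kind that come out of the denials logged while the new domain runs. The following script is an added example (not part of the original notes): it parses a few constructed avc denial lines of the format logcat and dmesg print and turns them into allow rules in the same form used above, merging permissions per (source, target, class) and flagging denials logged with permissive=1, which are only visible because the domain was permissive and would become hard failures in enforcing mode. The sample log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample denials (not captured from a real device). The first three
# correspond to the allow rules added to vendor_xxx.te above; the fourth was
# logged while the domain was permissive and shows a multi-permission denial.
SAMPLE_DENIALS = """\
[  12.345678] type=1400 audit(0.0:42): avc: denied { write } for comm="xxx" name="pps" dev="tmpfs" ino=4321 scontext=u:r:vendor_xxx:s0 tcontext=u:object_r:vendor_pps_socket:s0 tclass=sock_file permissive=0
[  12.345900] type=1400 audit(0.0:43): avc: denied { connectto } for comm="xxx" path="/dev/socket/composer" scontext=u:r:vendor_xxx:s0 tcontext=u:r:hal_graphics_composer_default:s0 tclass=unix_stream_socket permissive=0
[  20.000000] type=1400 audit(0.0:44): avc: denied { getattr } for comm="sh" path="/vendor/bin/xxx" dev="dm-1" ino=99 scontext=u:r:shell:s0 tcontext=u:object_r:vendor_xxx_exec:s0 tclass=file permissive=0
[  20.000100] type=1400 audit(0.0:45): avc: denied { read open } for comm="xxx" path="/vendor/etc/xxx.conf" dev="dm-1" ino=77 scontext=u:r:vendor_xxx:s0 tcontext=u:object_r:vendor_configs_file:s0 tclass=file permissive=1
"""

# One avc denial per line: permissions, source type, target type, class and
# the optional permissive flag. Categories after :s0 (e.g. :c512,c768) are ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=u:r:(?P<src>[^:\s]+):s0.*?"
    r"tcontext=u:(?:r|object_r):(?P<tgt>[^:\s]+):s0.*?"
    r"tclass=(?P<cls>\S+)"
    r"(?:.*?permissive=(?P<perm>[01]))?"
)


def parse_denials(text):
    """Return ({(src, tgt, cls): set(perms)}, set of keys seen with permissive=1)."""
    rules = defaultdict(set)
    permissive_hits = set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["src"], m["tgt"], m["cls"])
        rules[key].update(m["perms"].split())
        if m["perm"] == "1":
            permissive_hits.add(key)
    return dict(rules), permissive_hits


def to_allow_rules(rules):
    """Render merged denials as 'allow src tgt:cls perm;' lines, sorted for stable diffs."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return out


if __name__ == "__main__":
    rules, permissive = parse_denials(SAMPLE_DENIALS)
    for rule in to_allow_rules(rules):
        print(rule)
    for key in sorted(permissive):
        print(f"# note: {key} was only logged because the domain was permissive")
```

AOSP ships audit2allow for this job; the point of the script is to show what it does, so that each generated rule is read before it goes into vendor_xxx.te: a denial whose source is a coredomain (system_app here) can also collide with a neverallow, which is exactly the property case handled below.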
Because I trigger this service from a system_app, the build also reports missing system_app.te permissions, that system_app may not set persist.vendor.* properties (neverallow), and that the property_type label scope fails to compile:

system_app.te:
get_prop(system_app, vendor_xxx_prop)
set_prop(system_app, vendor_xxx_prop)
allow system_app vendor_xxx_prop:property_service set;

property_contexts.te:
persist.vendor.batter_ppd u:object_r:vendor_xxx_prop:s0

property.te:
type vendor_xxx_prop, property_type, extended_core_property_type;
The neverallow in /system/sepolicy/public/property.te that causes the failure (extended_core_property_type is what exempts vendor_xxx_prop from it):
compatible_property_only(`
# Neverallow coredomain to set vendor properties
neverallow {
coredomain
-init
-system_writes_vendor_properties_violators
} {
property_type
-system_property_type
-extended_core_property_type
}:property_service set;
')
After adding the above, build and verify.

If another app or service triggers the service instead, add the following to platform_app or system_service as appropriate:
get_prop(platform_app/system_service, vendor_xxx_prop)
set_prop(platform_app/system_service, vendor_xxx_prop)
allow platform_app/system_service vendor_xxx_prop:property_service set;
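The pieces above have to agree with each other before the build and the on-device test succeed: the trigger must start a service that exists, the service binary must carry an _exec label for init_daemon_domain to transition on, the triggering property must fall under a property_contexts prefix, and when the setter is a coredomain (system_app, platform_app) the property type must carry extended_core_property_type or the neverallow quoted above fires. The following checker is an added example, not part of the original notes: it parses constructed fragments of init.rc, file_contexts, property_contexts and property.te and reports each mismatch. The COREDOMAINS set is an assumed subset of the real coredomain attribute, property_contexts matching is modelled as longest-prefix, file_contexts paths are looked up literally (real entries are regular expressions), and the neverallow's init and violator exemptions are left out.

```python
import re

# Constructed fragments mirroring the files discussed in the notes (not from a real tree).
INIT_RC = """\
service xxx_bin /vendor/bin/xxx --daemon
    class late_start
    oneshot
    disabled
    user system
    group root shell system

on property:persist.vendor.xxx=*
    start xxx_bin
"""
FILE_CONTEXTS = "/vendor/bin/xxx    u:object_r:vendor_xxx_exec:s0\n"
PROPERTY_CONTEXTS = "persist.vendor.xxx    u:object_r:vendor_xxx_prop:s0\n"
PROPERTY_TE = "type vendor_xxx_prop, property_type, extended_core_property_type;\n"

# Assumed subset of domains carrying the coredomain attribute in AOSP.
COREDOMAINS = {"system_app", "platform_app", "system_server", "shell"}


def parse_init_rc(text):
    """Return ({service: binary}, [(property, value, started_service)])."""
    services, triggers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("service "):
            _, name, binary = line.split()[:3]
            services[name] = binary
            current = None
        elif line.startswith("on property:"):
            prop, _, value = line[len("on property:"):].partition("=")
            current = (prop, value)
        elif current and line.startswith("start "):
            triggers.append((current[0], current[1], line.split()[1]))
        elif line.startswith("on "):
            current = None
    return services, triggers


def parse_contexts(text):
    """file_contexts / property_contexts lines: '<key> u:object_r:<type>:s0' -> (key, type)."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            out.append((parts[0], parts[1].split(":")[2]))
    return out


def parse_type_decls(text):
    """'type NAME, attr1, attr2;' lines -> {NAME: {attrs}}."""
    decls = {}
    for m in re.finditer(r"^\s*type\s+([^,;\s]+)\s*(?:,\s*([^;]*))?;", text, re.M):
        decls[m.group(1)] = {a.strip() for a in (m.group(2) or "").split(",") if a.strip()}
    return decls


def label_for_property(prop, property_contexts):
    """Modelled as longest-prefix match, which is how non-'exact' entries behave."""
    best = None
    for prefix, label in property_contexts:
        if prop.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, label)
    return best[1] if best else None


def check_policy(init_rc, file_contexts, property_contexts, property_te, setter_domain):
    """Return a list of findings; an empty list means the fragments are consistent."""
    findings = []
    services, triggers = parse_init_rc(init_rc)
    fc = dict(parse_contexts(file_contexts))
    pc = parse_contexts(property_contexts)
    types = parse_type_decls(property_te)
    for prop, _value, target in triggers:
        if target not in services:
            findings.append(f"trigger on {prop} starts unknown service {target}")
            continue
        binary = services[target]
        exec_label = fc.get(binary)
        if exec_label is None:
            findings.append(f"{binary} has no file_contexts entry, so init_daemon_domain has no _exec type to transition on")
        elif not exec_label.endswith("_exec"):
            findings.append(f"{binary} is labelled {exec_label}, not an exec type")
        prop_label = label_for_property(prop, pc)
        if prop_label is None:
            findings.append(f"{prop} matches no property_contexts entry")
            continue
        attrs = types.get(prop_label, set())
        if "property_type" not in attrs:
            findings.append(f"{prop_label} is not declared with property_type")
        # Simplified form of the neverallow in public/property.te: a coredomain may only
        # set property types that are system_property_type or extended_core_property_type.
        if setter_domain in COREDOMAINS and not attrs & {"system_property_type", "extended_core_property_type"}:
            findings.append(f"{setter_domain} is a coredomain; setting {prop_label} hits the 'coredomain may not set vendor properties' neverallow")
    return findings


if __name__ == "__main__":
    for f in check_policy(INIT_RC, FILE_CONTEXTS, PROPERTY_CONTEXTS, PROPERTY_TE, "system_app") or ["ok"]:
        print(f)
```

Dropping extended_core_property_type from the type declaration reproduces the build-time neverallow complaint for system_app, while a setter that is not a coredomain (the vendor domain itself) passes with the plain property_type declaration.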