Current SELinux status
SELinux can be in one of three states; adb shell getenforce prints the current one:
(1) Disabled: no policy is loaded, SELinux is not enabled
(2) Enforcing: policy is loaded and denied accesses are blocked (enforcing mode) < adb shell setenforce 1 >
(3) Permissive: policy is loaded, but denied accesses are only logged, not blocked (permissive mode) < adb shell setenforce 0 >
setenforce needs a root shell (eng/userdebug build); a production user build boots enforcing and cannot be switched at runtime. Collecting avc denials on a permissive device gives the complete list of missing rules in one run, because nothing is blocked part-way through.
Choosing the sepolicy directory
Google original:
alps/system/sepolicy
MTK platform:
alps/device/mediatek/common/sepolicy/bsp
alps/device/mediatek/common/sepolicy/basic
alps/device/xxx/ProjectConfig.mk
Check how the project defines MTK_BSP_PACKAGE and MTK_BASIC_PACKAGE; that decides which sepolicy directories are used:
Package | Config | App | Framework |
---|---|---|---|
TK | MTK_BASIC_PACKAGE=no, MTK_BSP_PACKAGE=no | MTK App | MTK Framework |
BSP | MTK_BSP_PACKAGE=yes | Google App | MTK Framework |
BASIC | MTK_BASIC_PACKAGE=yes | Google App | Google Framework |
alps/device/mediatek/common/BoardConfig.mk
#SELinux Policy File Configuration
ifeq ($(strip $(MTK_BASIC_PACKAGE)), yes)
BOARD_SEPOLICY_DIRS := \
device/mediatek/sepolicy/basic/non_plat
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
device/mediatek/sepolicy/basic/plat_public
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
device/mediatek/sepolicy/basic/plat_private
ifeq ($(strip $(HAVE_MTK_DEBUG_SEPOLICY)), yes)
BOARD_SEPOLICY_DIRS += \
device/mediatek/sepolicy/basic/debug/non_plat
BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
device/mediatek/sepolicy/basic/debug/plat_public
BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
device/mediatek/sepolicy/basic/debug/plat_private
endif
endif
ifeq ($(strip $(MTK_BSP_PACKAGE)), yes)
BOARD_SEPOLICY_DIRS := \
device/mediatek/sepolicy/basic/non_plat \
device/mediatek/sepolicy/bsp/non_plat
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
device/mediatek/sepolicy/basic/plat_public \
device/mediatek/sepolicy/bsp/plat_public
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
device/mediatek/sepolicy/basic/plat_private \
device/mediatek/sepolicy/bsp/plat_private
ifeq ($(strip $(HAVE_MTK_DEBUG_SEPOLICY)), yes)
BOARD_SEPOLICY_DIRS += \
device/mediatek/sepolicy/basic/debug/non_plat \
device/mediatek/sepolicy/bsp/debug/non_plat
BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
device/mediatek/sepolicy/basic/debug/plat_public \
device/mediatek/sepolicy/bsp/debug/plat_public
BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
device/mediatek/sepolicy/basic/debug/plat_private \
device/mediatek/sepolicy/bsp/debug/plat_private
endif
endif
...
The HAVE_MTK_DEBUG_SEPOLICY branches pull the debug/ policy directories in on top of the normal ones; confirm that flag is off for a production (user) build so the debug rules do not ship.
Components of an SELinux rule
A violation is recorded when a subject (e.g. the shell) tries to access an object (e.g. cci) and no allow rule matches.
Subject information (the process): PID, scontext, comm
Object information (file, socket, pipe, ...): name*, dev*, path*, ino, tcontext
The denied event is the permission set, e.g. {write}
Example rule:
allow system_server system_prop:property_service set;
General form:
allow [domain] [type]:property_service set;
domain: source context (the subject's type)
type: target context (the object's type)
property_service: class
set: permission
Example avc denial:
avc: denied { search } for pid=1582 comm="ip" name="net" dev="mmcblk1p16" ino=16 scontext=u:r:sysCfg:s0 tcontext=u:object_r:net_data_file:s0 tclass=dir permissive=0
This breaks down into:
(1) subject: sysCfg (2) object: net_data_file
(3) class: dir (4) denied event: search
(permissive=0 means the access was actually blocked, not just logged)
For the search permission, add the following to alps/device/rockchip/common/sepolicy/sysCfg.te:
allow sysCfg net_data_file:dir search;
Before adding a rule, confirm the subject really needs that access; grant only the permissions that were denied, not the whole class. An added rule that contradicts a neverallow in system/sepolicy fails the policy build, which is the signal that the access should be redesigned rather than allowed.
Or use the global macros defined in alps/system/sepolicy/global_macros:
define(`r_dir_perms', `{ open getattr read search ioctl lock }')
define(`w_dir_perms', `{ open search write add_name remove_name lock }')
define(`ra_dir_perms', `{ r_dir_perms add_name write }')
define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
(1) allow sysCfg net_data_file:dir r_dir_perms;
(2) allow sysCfg net_data_file:dir rw_dir_perms;
Each macro grants its whole set: r_dir_perms is the narrowest one that covers search, while rw_dir_perms additionally grants write, add_name and remove_name and should only be used when those are actually needed.
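Added example, not code from the original notes nor from AOSP or MTK: a small audit2allow-style helper that turns "avc: denied" lines like the one above into the allow rule they ask for, using the subject/object/class/permission split just described, and that picks the narrowest of the global_macros dir macros covering a set of dir permissions. All function names are ours and SAMPLE_AVC_LOG is constructed for the demo.

```bash
#!/bin/bash
# Added example (not from the original notes): parse avc denials into allow
# rules and map dir permissions onto the global_macros dir macros quoted above.
# Function names are ours; SAMPLE_AVC_LOG below is a constructed sample.

avc_to_allow() {
    # $1: one avc line -> "allow <src> <tgt>:<class> { perms };" (returns 1 on a malformed line)
    local line="$1" perms scontext tcontext tclass src tgt
    perms=$(printf '%s\n' "$line" | sed -n 's/.*avc: *denied *{ *\([^}]*\)}.*/\1/p')
    scontext=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcontext=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$scontext" ] && [ -n "$tcontext" ] && [ -n "$tclass" ] || return 1
    # u:r:sysCfg:s0 -> sysCfg ; u:object_r:net_data_file:s0 -> net_data_file
    src=$(printf '%s' "$scontext" | cut -d: -f3)
    tgt=$(printf '%s' "$tcontext" | cut -d: -f3)
    perms=$(printf '%s' "$perms" | tr -s ' ' | sed 's/^ //; s/ $//')
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$tclass" "$perms"
}

avc_is_enforced() {
    # 0 when the access was really blocked (permissive=0). permissive=1 means the
    # access went through and was only logged, e.g. while collecting denials on
    # a device switched to permissive with setenforce 0.
    case "$1" in *permissive=0*) return 0 ;; *) return 1 ;; esac
}

avc_log_to_rules() {
    # stdin: raw dmesg/logcat text; stdout: unique rules for the enforced denials
    local l
    grep 'avc: *denied' | while IFS= read -r l; do
        avc_is_enforced "$l" && avc_to_allow "$l"
    done | sort -u
}

expand_dir_perms() {
    # The dir macros from global_macros, expanded recursively as m4 would.
    case "$1" in
        r_dir_perms)      echo "open getattr read search ioctl lock" ;;
        w_dir_perms)      echo "open search write add_name remove_name lock" ;;
        ra_dir_perms)     echo "$(expand_dir_perms r_dir_perms) add_name write" ;;
        rw_dir_perms)     echo "$(expand_dir_perms r_dir_perms) $(expand_dir_perms w_dir_perms)" ;;
        create_dir_perms) echo "create reparent rename rmdir setattr $(expand_dir_perms rw_dir_perms)" ;;
        *)                echo "$1" ;;
    esac
}

smallest_dir_macro() {
    # $@: denied dir permissions. Prints the first macro (smallest first) that
    # covers all of them, returns 1 if no single macro does. When even
    # r_dir_perms is wider than needed, keep the exact set from avc_to_allow.
    local m p covered
    for m in r_dir_perms w_dir_perms ra_dir_perms rw_dir_perms create_dir_perms; do
        covered=1
        for p in "$@"; do
            case " $(expand_dir_perms "$m") " in
                *" $p "*) ;;
                *) covered=0; break ;;
            esac
        done
        if [ "$covered" -eq 1 ]; then echo "$m"; return 0; fi
    done
    return 1
}

# Constructed sample: two identical search denials, one file denial, and one
# line logged under permissive mode (permissive=1) that must not produce a rule.
SAMPLE_AVC_LOG='avc: denied { search } for pid=1582 comm="ip" name="net" dev="mmcblk1p16" ino=16 scontext=u:r:sysCfg:s0 tcontext=u:object_r:net_data_file:s0 tclass=dir permissive=0
avc: denied { search } for pid=1590 comm="ip" name="net" dev="mmcblk1p16" ino=16 scontext=u:r:sysCfg:s0 tcontext=u:object_r:net_data_file:s0 tclass=dir permissive=0
avc: denied { read write } for pid=1601 comm="ip" name="config" dev="mmcblk1p16" ino=20 scontext=u:r:sysCfg:s0 tcontext=u:object_r:net_data_file:s0 tclass=file permissive=0
avc: denied { getattr } for pid=1602 comm="sh" path="/data/misc/net" scontext=u:r:sysCfg:s0 tcontext=u:object_r:net_data_file:s0 tclass=dir permissive=1'

# Demo; on a real device pipe `adb shell dmesg` or `adb logcat -b all` in here instead.
printf '%s\n' "$SAMPLE_AVC_LOG" | avc_log_to_rules
```

The generated rules are a starting point for review, not something to paste into a .te file unread: check that the subject legitimately needs the object, that the rule lands in the right directory (non_plat for vendor domains, plat_* for platform domains), and that it does not trip a neverallow at build time.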
Adding property permissions
non_plat - PLAT_VENDOR_POLICY: vendor rules; may reference public platform types, must not reference private ones (vendor partition)
plat_public - PLAT_PUBLIC_POLICY: platform public rules, exported to the non-platform (vendor) policy
plat_private - PLAT_PRIVATE_POLICY: platform private rules, never exposed to the vendor side (system partition)
non_plat/cameraserver.te
set_prop(cameraserver, system_mtk_packageName_prop)
# set_prop from cameraserver on a type declared with vendor_public_prop (or similar vendor property macros) causes a build error
get_prop(cameraserver, system_mtk_packageName_prop)
non_plat/mtk_hal_camera.te
set_prop(mtk_hal_camera, system_mtk_packageName_prop)
get_prop(mtk_hal_camera, system_mtk_packageName_prop)
plat_private/property_contexts
vendor.camera.packageName u:object_r:system_mtk_packageName_prop:s0
plat_public/property.te
system_public_prop(system_mtk_packageName_prop)
alps/frameworks/av/services/camera/libcameraservice/CameraService.cpp
#include <cutils/properties.h>   // property_set
...
if (!(ret = makeClient(this, cameraCb, clientPackageName, clientFeatureId,
        cameraId, api1CameraId, facing,
        clientPid, clientUid, getpid(),
        halVersion, deviceVersion, effectiveApiLevel,
        /*out*/&tmp)).isOk()) {
    return ret;
}
...
// Publish the package name of the client that opened the camera so the
// vendor camera HAL (mtk_hal_camera) can read it with get_prop.
property_set("vendor.camera.packageName", clientName8.string());
Two caveats: clientName8 comes from the calling app, and property values are limited to PROPERTY_VALUE_MAX (92 bytes), so property_set fails for a longer package name and its return value should be checked; and any domain with get_prop on system_mtk_packageName_prop can now see which app is using the camera, so keep that set of domains small.
Setting the property value
The permissions needed are added as above; the whitelist value itself can be set in either of these places:
alps/device/mediatek/system/common/system.prop
vendor.camera.aux.packagelist=com.tencent.ttpic
alps/device/mediatek/common/device.mk
PRODUCT_PROPERTY_OVERRIDES += \
    vendor.camera.aux.packagelist=com.tencent.ttpic
This adds the property or overrides its existing value. Write it without spaces around the "=": in device.mk a space splits the entry into two make words, so the value is not applied as intended.