0.文章参考
- https://blog.csdn.net/xiaoxiangyuhai/article/details/76270294
- https://blog.csdn.net/u014341735/article/details/51244258
1. 需求
App 中进行读写Linux下的文件节点
- /sys/class/power_supply/battery/coulomb_count
- /sys/devices/platform/battery/chg_enable
其中需求加 0666 权限 /device/mediatek/mt6763/init.mt6763.rc
chmod 0666 /sys/devices/platform/battery/chg_enable
2. 现象
APP内如果不加权限的化,一般会有如下 avc 报错
2019-03-05 20:05:39.380 6791-6791/com.fadi.batteryinfotest W/batteryinfotest: type=1400 audit(0.0:2491): avc: denied { search } for name="battery" dev="sysfs" ino=7033 scontext=u:r:untrusted_app:s0:c103,c256,c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
2019-03-05 21:24:57.700 10300-10300/com.fadi.batteryinfotest I/batteryinfotest: type=1400 audit(0.0:2716): avc: denied { read } for name="charge_counter" dev="sysfs" ino=23843 scontext=u:r:untrusted_app:s0:c103,c256,c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
2018-01-04 05:00:46.890 3010-3010/com.fadi.cty.kuluncount W/.cty.kuluncount: type=1400 audit(0.0:2436): avc: denied { search } for name="power_supply" dev="sysfs" ino=26573 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_power_supply:s0 tclass=dir permissive=0
2019-01-01 10:04:53.802 3413-3413/com.fadi.cty.kuluncount W/.cty.kuluncount: type=1400 audit(0.0:692): avc: denied { search } for name="battery" dev="sysfs" ino=12364 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
3. 错误的配置方法
如果直接根据上述的avc进行配置
- untrusted_app_27.te
allow untrusted_app_27 sysfs_batteryinfo:dir{search};
allow untrusted_app_27 sysfs_batteryinfo:file{read};
allow untrusted_app_27 sysfs_batteryinfo:file{getattr}
- system_app.te
allow system_app apk_data_file:dir { read open write getattr };
allow system_app apk_data_file:file { read open write getattr };
allow system_app sysfs_batteryinfo:dir { read open write getattr };
allow system_app sysfs_batteryinfo:file { read open write getattr };
一般会报如下 neverallow 异常,因为上述配置的节点都是 sysfs_batteryinfo默认不允许访问的,故我们需要配置节点域
libsepol.check_assertion_helper: neverallow on line xxx ofexternal/sepolicy/domain.te ……
Se-Linux 配置-文件节点域配置方法
1 配置 *_context
由于我们是给Linux的文件节点配置 SE-linux,故需要先在 *_context 中定义
- /home/huazhi.su/device/mediatek/sepolicy/basic/non_plat/genfs_contexts
genfs_contexts 的原因是很多/sys/**/目录下的文件都在这里定义,故添加如下类型
genfscon sysfs /devices/platform/battery/chg_enable u:object_r:sysfs_chg_enable:s0
genfscon sysfs /class/power_supply/battery/coulomb_count u:object_r:sysfs_coulomb_count:s0
2 配置 file.te
注意这里的 fs_type, sysfs_type 不要漏掉
type sysfs_chg_enable, fs_type, sysfs_type;
type sysfs_coulomb_count, fs_type, sysfs_type;
3 配置运行时报的avc问题
SE-LINUX 配置公式
avc: denied { 操作权限 } for pid=7201 comm=“进程名” scontext=u:r:源类型:s0 tcontext=u:r:目标类型:s0 tclass=访问类别 permissive=0
源类型.te 文件,新增如下语句
allow 源类型 目标类型:访问类别 {权限};
3.1 avc 日志 1
avc 报错日志
avc: denied { read } for pid=8548 comm="owercurrenttest" name="chg_enable" dev="sysfs" ino=26104 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_chg_enable:s0 tclass=file permissive=0
完整配置,在 system_app.te配置如下
allow system_app sysfs_chg_enable:file { read write open getattr };
3.2 avc 日志 2
avc 报错日志
06-27 01:55:05.304000 9318 9318 I .cty.kuluncount: type=1400 audit(0.0:1174): avc: denied { search } for name="battery" dev="sysfs" ino=12400 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
06-27 01:55:05.308000 9318 9318 I .cty.kuluncount: type=1400 audit(0.0:1177): avc: denied { getattr } for path="/sys/devices/platform/battery/power_supply/battery/coulomb_count" dev="sysfs" ino=26050 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1
完整配置,在 untrusted_app_27.te配置如下
allow untrusted_app_27 sysfs_batteryinfo:dir search;
allow untrusted_app_27 sysfs_batteryinfo:file { getattr open read };```
4 查看配置情况
可以查看 policy.conf 内容,查看SE-linux的配置情况
huazhi.su@HZCS18:~/root$ find ./out/target/product/k63v1us_64_bsp/obj/ -name "policy.conf"
./out/target/product/k63v1us_64_bsp/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
- grep -irn “chg_enable” ./out/target/product/k63v1us_64_bsp/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
huazhi.su@HZCS18:~/root grep -irn "chg_enable" ./out/target/product/k63v1us_64_bsp/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
52203:type sysfs_chg_enable, fs_type, sysfs_type;
63219:allow system_app sysfs_chg_enable:file { read write open getattr };
79911:genfscon sysfs /devices/platform/battery/chg_enable u:object_r:sysfs_chg_enable:s0
5 验证测试
下述中可以正常进行文件节点的读写
Line 3394: 06-26 09:15:15.845106 10273 10273 D SU_DEBUG: writeNodeState nodeType = NODE_TYPE_BATTERY_CHARGING_ENABLED, value = 0
Line 3395: 06-26 09:15:15.845650 10273 10273 D SU_DEBUG: writeFile: start>>>>>>>>>>>>>>>>>>
Line 3397: 06-26 09:15:15.854321 10273 10273 D SU_DEBUG: getChargingEnable value = 0
Line 3398: 06-26 09:15:15.854956 10273 10273 D SU_DEBUG: writeNodeState getChargingEnable = 0
Line 3489: 06-26 09:15:17.356138 10273 10273 D SU_DEBUG: getNodeState nodeType = NODE_TYPE_BATTERY_CHARGING_ENABLED
Line 3490: 06-26 09:15:17.360332 10273 10273 D SU_DEBUG: getChargingEnable value = 0
Line 3491: 06-26 09:15:17.361708 10273 10273 D SU_DEBUG: writeNodeState nodeType = NODE_TYPE_BATTERY_CHARGING_ENABLED, value = 1
Line 3492: 06-26 09:15:17.361872 10273 10273 D SU_DEBUG: writeFile: start>>>>>>>>>>>>>>>>>>
Line 3493: 06-26 09:15:17.371975 10273 10273 D SU_DEBUG: getChargingEnable value = 1
Line 3494: 06-26 09:15:17.372573 10273 10273 D SU_DEBUG: writeNodeState getChargingEnable = 1
559
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
