RK3399 Android 7.1.2 添加.sh的开机服务
Android init.rc 添加开机服务,这里添加文件是device/rockchip/rk3399/rk3399_firefly_box/init.rc
在init.rc 添加服务,需要的话加上触发条件
+service ip_route /system/bin/ip_route.sh
+ user root
+ group root
+ oneshot
+on property:persist.sys.netok=1
+ start ip_route
拷贝文件到 /system/bin/ 目录
PRODUCT_COPY_FILES += \
device/rockchip/rk3399/ip_route.sh:system/bin/ip_route.sh
满足条件 persist.sys.netok=1 就可以触发了, 这里可以自由定义有效值,开机完成的属性值也可以。4.4的版本可以这么做,但是5.0 之后Android 系统强化了SELINUX 功能,涉及到许多权限问题, 就需要比较更多的工作了。下面记录在7.1.2上添加脚本运行的过程。按照如上方法添加,开机满足条件发现没有启动,查看串口信息(注意不是logcat的信息,是串口信息),我们会看到“init: Warning! Service ip_route needs a SELinux domain defined; please fix!”这样警告。这是因为我们没有为service ip_route定义SELinux的权限规则。
参考其他的blog https://blog.csdn.net/wince_lover/article/details/50164969
https://blog.csdn.net/u011341111/article/details/79458480?utm_source=blogkpcl4
添加 ip_route.te 文件
device/rockchip/common/sepolicy/ip_route.te
type ip_route, domain;
type ip_route_exec, exec_type, file_type;
permissive ip_route;
init_daemon_domain(ip_route)
device/rockchip/common/sepolicy/file_contexts
@@ -163,3 +163,6 @@
+#ip_route
+/system/bin/ip_route.sh u:object_r:ip_route_exec:s0
init.rc 中加上 seclabel u:r:ip_route:s0
+service ip_route /system/bin/ip_route.sh
+ user root
+ group root
+ oneshot
+ seclabel u:r:ip_route:s0
查看执行权限
permissive ip_route;init_daemon_domain(ip_route) 这两句是允许输出打印信息,先加上,后面可以去掉。
这样修改之后,服务仍然没有正常启动,但是有打印. 在adb shell ,使用 setprop ctl.start ip_route 手动运行服务,dmesg 会看到关于ip_route 的打印, 保存下来 dmesg | grep avc > /data/avc_log.txt 这里会打印出来为么没有启动成功。在linux 下使用命令 audit2allow -i avc_log.txt,可以看到系统的服务还需要什么权限。
#============= ip_route ==============
allow ip_route init:unix_stream_socket connectto;
allow ip_route net_data_file:file { read getattr open };
allow ip_route property_socket:sock_file write;
allow ip_route rootfs:lnk_file getattr;
allow ip_route self:capability net_admin;
allow ip_route self:netlink_route_socket { write getattr setopt nlmsg_write read bind create };
allow ip_route shell_exec:file { read getattr };
allow ip_route system_file:file { entrypoint execute_no_trans };
allow ip_route system_prop:property_service set;
allow ip_route toolbox_exec:file { read getattr open execute execute_no_trans };
把这块都加入 ip_route.te 文件中
type ip_route, domain;
type ip_route_exec, exec_type, file_type;
#permissive ip_route;
#init_daemon_domain(ip_route)
allow ip_route init:unix_stream_socket connectto;
allow ip_route net_data_file:file { read getattr open };
allow ip_route property_socket:sock_file write;
allow ip_route rootfs:lnk_file getattr;
allow ip_route self:capability net_admin;
allow ip_route self:netlink_route_socket { write getattr setopt nlmsg_write read bind create };
allow ip_route shell_exec:file { read getattr };
allow ip_route system_file:file { entrypoint execute_no_trans };
allow ip_route system_prop:property_service set;
allow ip_route toolbox_exec:file { read getattr open execute execute_no_trans };
添加权限与系统兼容问题,导致编译失败
使用make bootimage 编译 发现有个错误,
[ 0% 2/233] build out/target/product/rk3399_firefly_box/obj/ETC/sepolicy_intermediates/sepolicy
FAILED: /bin/bash -c "(out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/rk3399_firefly_box/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/rk3399_firefly_box/obj/ETC/sepolicy_intermediates/policy.conf ) && (out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/rk3399_firefly_box/obj/ETC/sepolicy_intermediates//sepolicy.dontaudit out/target/product/rk3399_firefly_box/obj/ETC/sepolicy_intermediates/policy.conf.dontaudit ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/rk3399_firefly_box/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/rk3399_firefly_box/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/rk3399_firefly_box/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/rk3399_firefly_box/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/rk3399_firefly_box/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/rk3399_firefly_box/obj/ETC/sepolicy_intermediates/sepolicy )"
libsepol.report_failure: neverallow on line 237 of system/sepolicy/domain.te (or line 9035 of policy.conf) violated by allow ip_route system_file:file { entrypoint };
其中关键是这句 。,查看 line 237 of system/sepolicy/domain.te
neverallow on line 237 of system/sepolicy/domain.te (or line 9035 of policy.conf) violated by allow ip_route system_file:file { entrypoint };
不允许请求这个权限, 那我们就要改成允许,添加 -ip_route 例外。
+++ b/system/sepolicy/domain.te
@@ -234,7 +234,7 @@ neverallow { domain -init } kernel:security setsecparam;
neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
-neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
+neverallow { -ip_route } { file_type -exec_type -postinstall_file }:file entrypoint;
之后就能编译通过,烧录后可以正常启动了。
附上 ip_route.sh 的内容 ,这个是添加网络路由策略的命令,需要的权限比较多,按要求添加即可。
1 #!/system/bin/sh
2
3 ip rule add from all lookup main pref 9999
4 setprop persist.sys.netok 0
5 echo "ip rule add from all lookup main pref 9999"
~
1242
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
