MLS
I could not find anything about SELinux MLS on the Chinese Android developer site; only blog posts cover it.
The policy source is system/sepolicy/private/mls. An excerpt:
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
(t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
(t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
Typical scenario
The typical MLS symptoms are:
- A SELinux rule has been added and the build succeeds, but the rule has no effect when tested.
- The log contains a level with categories such as s0:c512,c768, e.g. u:r:platform_app:s0:c512,c768. (Android assigns these per-app, per-user categories through the levelFrom setting in seapp_contexts; device nodes such as ttyS_device sit at plain s0.)
In my project, reading and writing a serial port produced SELinux denials (permissive=1 in these lines means SELinux was in permissive mode when they were captured, so the accesses were logged but not blocked):
12-08 03:25:07.124 6914 6914 I ndroid.systemui: type=1400 audit(0.0:3006): avc: denied { read } for name="ttyS2" dev="tmpfs" ino=716 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:ttyS_device:s0 tclass=chr_file permissive=1 app=com.android.systemui
12-08 03:25:07.124 6914 6914 I ndroid.systemui: type=1400 audit(0.0:3007): avc: denied { write } for name="ttyS2" dev="tmpfs" ino=716 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:ttyS_device:s0 tclass=chr_file permissive=1 app=com.android.systemui
setenforce 0
After temporarily putting SELinux into permissive mode it works, which shows that only the corresponding allow rule is missing.
Added to platform_app.te in the source tree:
+allow platform_app ttyS_device:chr_file rw_file_perms;
After rebuilding it was still NG: read now succeeds, but write is still denied (note permissive=0, so the denial is enforced). The allow rule satisfies the type-enforcement check, but the MLS constraints quoted above are evaluated on top of it. For read the constraint is l1 dom l2, and s0:c512,c768 dominates plain s0, so read passes; for write the constraint is l1 eq l2, and s0:c512,c768 is not equal to s0, so write fails. The log shows:
12-14 06:18:26.276 3164 3164 W i:kgznSysSerial: type=1400 audit(0.0:390): avc: denied { write } for name="ttyS2" dev="tmpfs" ino=751 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:ttyS_device:s0 tclass=chr_file permissive=0 app=com.android.systemui
12-14 06:18:26.276 3164 3164 W i:kgznSysSerial: type=1400 audit(0.0:391): avc: denied { write } for name="ttyS2" dev="tmpfs" ino=751 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:ttyS_device:s0 tclass=chr_file permissive=0 app=com.android.systemui
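The read-passes, write-fails outcome can be reproduced offline. The following is an added example, not code from this post or from AOSP: a small Python evaluator for the file-class mlsconstrain rules quoted in the excerpt (the dir constraints are left out), run over the avc lines from this post. It models only the MLS part of the access decision, since the TE allow rule is a separate check that also has to pass, and the type-to-attribute map BASE_ATTRS is a constructed stand-in for what you would otherwise read out of the compiled policy. It also lets you toggle the two attributes the constraints special-case, mlstrustedsubject on the subject type and mlstrustedobject on the object type, to see which branch makes write pass.

```python
# Added example (not from the original post or AOSP): evaluate the quoted
# mlsconstrain rules for { file lnk_file sock_file chr_file blk_file }
# against avc denial lines. Only the MLS half of the decision is modelled;
# the TE allow rule is a separate check that must also succeed.
import re

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

# Constructed type -> attribute map for the two types in this post. In a real
# policy these come from the compiled policy (e.g. seinfo -t / sesearch).
BASE_ATTRS = {
    "platform_app": {"appdomain"},
    "ttyS_device": {"dev_type"},
}

# Permission sets from the two file-class constraints quoted above.
READ_LIKE = {"read", "getattr", "execute"}
WRITE_LIKE = {"write", "setattr", "append", "unlink", "link", "rename"}
FILE_CLASSES = {"file", "lnk_file", "sock_file", "chr_file", "blk_file"}


def parse_level(level):
    """'s0:c512,c768' -> (0, {512, 768}); 's0' -> (0, set()); 'c0.c3' expands."""
    sens, _, cats = level.partition(":")
    catset = set()
    for c in filter(None, cats.split(",")):
        if "." in c:
            lo, hi = c.split(".")
            catset.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            catset.add(int(c[1:]))
    return int(sens[1:]), catset


def parse_context(ctx):
    """'u:r:platform_app:s0:c512,c768' -> ('platform_app', (0, {512, 768}))."""
    _user, _role, typ, level = ctx.split(":", 3)
    return typ, parse_level(level)


def dom(l1, l2):
    """l1 dominates l2: sensitivity >= and categories are a superset."""
    return l1[0] >= l2[0] and l1[1] >= l2[1]


def mls_allows(t1, l1, t2, l2, tclass, perm, attrs):
    """Evaluate the quoted constraint for one permission.
    Returns None when the excerpt has no constraint for this class/perm."""
    if tclass not in FILE_CLASSES:
        return None
    a1, a2 = attrs.get(t1, set()), attrs.get(t2, set())
    trusted = "mlstrustedsubject" in a1 or "mlstrustedobject" in a2
    exempt = "app_data_file_type" in a2 or t2 == "appdomain_tmpfs"
    if perm in READ_LIKE:
        return exempt or dom(l1, l2) or trusted
    if perm in WRITE_LIKE:
        return exempt or l1 == l2 or trusted
    return None


def check_avc(line, attrs=BASE_ATTRS):
    """Map every denied permission in an avc line to its MLS verdict."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an avc denial: " + line)
    t1, l1 = parse_context(m.group("scon"))
    t2, l2 = parse_context(m.group("tcon"))
    return {p: mls_allows(t1, l1, t2, l2, m.group("tclass"), p, attrs)
            for p in m.group("perms").split()}


def with_attr(attrs, typ, attr):
    """Copy of attrs with one extra typeattribute, like a .te edit would add."""
    new = {k: set(v) for k, v in attrs.items()}
    new.setdefault(typ, set()).add(attr)
    return new


# The read denial quoted in the post; the write denial differs only in the perm.
READ_DENIAL = (
    '12-08 03:25:07.124 6914 6914 I ndroid.systemui: type=1400 audit(0.0:3006): '
    'avc: denied { read } for name="ttyS2" dev="tmpfs" ino=716 '
    'scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:ttyS_device:s0 '
    'tclass=chr_file permissive=1 app=com.android.systemui'
)
WRITE_DENIAL = READ_DENIAL.replace("{ read }", "{ write }")

if __name__ == "__main__":
    print("baseline    ", check_avc(READ_DENIAL), check_avc(WRITE_DENIAL))
    print("trusted subj", check_avc(WRITE_DENIAL, with_attr(BASE_ATTRS, "platform_app", "mlstrustedsubject")))
    print("trusted obj ", check_avc(WRITE_DENIAL, with_attr(BASE_ATTRS, "ttyS_device", "mlstrustedobject")))
```

The baseline run gives {'read': True} and {'write': False}, matching the log above, and write turns True as soon as either attribute is set. Because dom() is the general SELinux dominance rule rather than a check hard-coded for s0, the same evaluator handles levels with category ranges such as s0:c0.c3.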
Fix
Add the following:
typeattribute platform_app mlstrustedsubject;
allow platform_app ttyS_device:chr_file rw_file_perms;
This marks platform_app as mlstrustedsubject, which satisfies the t1 == mlstrustedsubject branch of every constraint above and so exempts everything platform_app does from the MLS level check.
That solved the serial port problem, but it introduced a new one: other apps could no longer access their databases and data directories, and I did not find a way around it:
12-09 01:05:03.507 2246 2246 W ContextImpl: Failed to ensure /data/user/0/com.xxx.weather/files: mkdir failed: EACCES (Permission denied)
12-09 01:05:03.510 2246 2246 W ContextImpl: Failed to ensure /data/user/0/com.xxx.weather/cache: mkdir failed: EACCES (Permission denied)
12-09 01:05:19.625 2937 2956 E SQLiteDatabase: Failed to open database '/data/user/0/com.xxx.weather/no_backup/androidx.work.workdb'.
So I dropped the step that marked platform_app as mlstrustedsubject. The final change:
-type ttyS_device, dev_type;
+type ttyS_device, dev_type, mlstrustedobject;
-typeattribute platform_app mlstrustedsubject;
+# typeattribute platform_app mlstrustedsubject;
+allow platform_app ttyS_device:chr_file rw_file_perms;
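Review bot: the commented-out line `+# typeattribute platform_app mlstrustedsubject;` should be deleted rather than kept in the .te file; the `-typeattribute` line directly above already records the removal, and dead rules in policy invite someone to re-enable them. Separately, `+type ttyS_device, dev_type, mlstrustedobject;` exempts the serial device from the level check for every domain that has an allow rule on ttyS_device:chr_file, not only platform_app, because the quoted constraints pass whenever t2 == mlstrustedobject regardless of t1; confirm that no other categorised domains are granted ttyS_device access before relying on this.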
References:
SEAndroid的MLS相关知识以及配置方法 (SEAndroid MLS concepts and how to configure them)
Android SELinux 权限问题(二)—添加权限后不生效 (Android SELinux permission problems, part 2: rule added but not taking effect)