Using the SELinux debugging tool audit2allow
In Android development, SELinux debugging can use the audit2allow tool to generate allow rules automatically. This post records the process of using the tool.
Prerequisites
- You need root privileges to install the tool
- Be familiar with the SELinux policy format and its logs
- Know how to debug SELinux
In short: disable enforcement (permissive mode). While the program runs, the relevant denials are recorded but the program is not blocked; you then modify the SELinux rules based on what was recorded.
Installation
- Install policycoreutils on Linux
Running the audit2allow command directly prompts you to install policycoreutils:
sudo apt-get install policycoreutils
If all goes well, the installation is done. But things rarely go as planned:
- Fixing an extra environment problem
正在读取软件包列表... 完成
正在分析软件包的依赖关系树
正在读取状态信息... 完成
没有可用的软件包 policycoreutils,但是它被其它的软件包引用了。
这可能意味着这个缺失的软件包可能已被废弃,
或者只能在其他发布源中找到
E: 软件包 policycoreutils 没有可安装候选
This is an unplanned problem.
This post uses Ubuntu 16.04; the problem was resolved as follows:
# vi /etc/apt/sources.list   # add a domestic (China) mirror
# apt update                 # refresh the local apt package index
The domestic mirror sources used are:
# deb cdrom:[Ubuntu 16.04.5 LTS _Xenial Xerus_ - Release amd64 (20180731)]/ xenial main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
# deb-src http://cn.archive.ubuntu.com/ubuntu/ xenial main restricted
## Major bug fix updates produced after the final release of the
## distribution.
# deb-src http://cn.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
# deb-src http://cn.archive.ubuntu.com/ubuntu/ xenial universe
# deb-src http://cn.archive.ubuntu.com/ubuntu/ xenial-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
# deb-src http://cn.archive.ubuntu.com/ubuntu/ xenial multiverse
# deb-src http://cn.archive.ubuntu.com/ubuntu/ xenial-updates multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb-src http://cn.archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu xenial partner
# deb-src http://archive.canonical.com/ubuntu xenial partner
# deb-src http://security.ubuntu.com/ubuntu xenial-security main restricted
# deb-src http://security.ubuntu.com/ubuntu xenial-security universe
# deb-src http://security.ubuntu.com/ubuntu xenial-security multiverse
# deb cdrom:[Ubuntu 16.04 LTS _Xenial Xerus_ - Release amd64 (20160420.1)]/ xenial main restricted
deb-src http://archive.ubuntu.com/ubuntu xenial main restricted #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial main restricted multiverse universe #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted multiverse universe #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial universe
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates universe
deb http://mirrors.aliyun.com/ubuntu/ xenial multiverse
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates multiverse
deb http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse #Added by software-properties
deb http://archive.canonical.com/ubuntu xenial partner
deb-src http://archive.canonical.com/ubuntu xenial partner
deb http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted multiverse universe #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial-security universe
deb http://mirrors.aliyun.com/ubuntu/ xenial-security multiverse
Using the tool
- The avc log filtered from logcat is as follows
08-17 11:12:40.109 1103 1103 W HwBinder:1103_2: type=1400 audit(0.0:41): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=20871 scontext=u:r:mediacodec:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
08-17 11:12:42.759 1069 1069 W Binder:1069_3: type=1400 audit(0.0:42): avc: denied { read } for name="u:object_r:vendor_media_sdm660_version_prop:s0" dev="tmpfs" ino=20979 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_media_sdm660_version_prop:s0 tclass=file permissive=0
08-17 11:13:41.679 3812 3812 I om.ubx.scandemo: type=1400 audit(0.0:47): avc: denied { write } for name="ScanDemo" dev="mmcblk0p14" ino=339 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
08-17 11:13:42.639 3812 3812 I om.ubx.scandemo: type=1400 audit(0.0:48): avc: denied { read write } for name="i2c-7" dev="tmpfs" ino=21076 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:i2c_device:s0 tclass=chr_file permissive=1
08-17 11:13:42.639 3812 3812 I om.ubx.scandemo: type=1400 audit(0.0:50): avc: denied { ioctl } for path="/dev/i2c-7" dev="tmpfs" ino=21076 ioctlcmd=707 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:i2c_device:s0 tclass=chr_file permissive=1
08-17 11:13:43.169 1619 1619 I android.bg: type=1400 audit(0.0:51): avc: denied { write } for name="ScanDemo" dev="mmcblk0p14" ino=339 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
08-17 11:13:51.809 3812 3812 I om.ubx.scandemo: type=1400 audit(0.0:52): avc: denied { ioctl } for path="/dev/i2c-7" dev="tmpfs" ino=21076 ioctlcmd=707 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:i2c_device:s0 tclass=chr_file permissive=1
08-17 11:13:51.989 3812 3812 I Thread-2: type=1400 audit(0.0:53): avc: denied { search } for name="leds" dev="sysfs" ino=26711 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
- Using audit2allow
Let's first look at the tool's help:
Usage: audit2allow [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-b, --boot audit messages since last boot conflicts with -i
-a, --all read input from audit log - conflicts with -i
-p POLICY, --policy=POLICY
Policy file to use for analysis
-d, --dmesg read input from dmesg - conflicts with --all and
--input
-i INPUT, --input=INPUT
read input from <input> - conflicts with -a
-l, --lastreload read input only after the last reload
-r, --requires generate require statements for rules
-m MODULE, --module=MODULE
set the module name - implies --requires
-M MODULE_PACKAGE, --module-package=MODULE_PACKAGE
generate a module package - conflicts with -o and -m
-o OUTPUT, --output=OUTPUT
append output to <filename>, conflicts with -M
-D, --dontaudit generate policy with dontaudit rules
-R, --reference generate refpolicy style output
-N, --noreference do not generate refpolicy style output
-v, --verbose explain generated output
-e, --explain fully explain generated output
-t TYPE, --type=TYPE only process messages with a type that matches this
regex
--perm-map=PERM_MAP file name of perm map
--interface-info=INTERFACE_INFO
file name of interface information
--debug leave generated modules for -M
-w, --why Translates SELinux audit messages into a description
of why the access was denied
- Generating the result
Run the command:
audit2allow -i input.txt -o out.txt
The output is as follows:
#============= mediaserver ==============
allow mediaserver vendor_media_sdm660_version_prop:file read;
#============= platform_app ==============
allow platform_app i2c_device:chr_file { read write ioctl };
allow platform_app sysfs_leds:dir search;
allow platform_app system_file:dir write;
#============= system_server ==============
allow system_server system_file:dir write;
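To make clear what audit2allow is doing with the logcat lines above, here is an added example (not from the original post and not the audit2allow source): a small Python script that parses the avc denials, merges permissions per (source type, target type, class) and prints allow rules grouped by source domain in the same layout as the output above. It also adds the review step a practitioner wants before pasting generated rules into a .te file: not every logged denial should become an allow rule. AOSP's sepolicy contains neverallow rules that forbid writing to system_file from ordinary domains, so the two system_file:dir write rules above would be rejected by the policy build and point to a labeling or design problem instead. The SAMPLE_LOG lines are copied from the post; the REVIEW_TARGETS and REVIEW_PERMS sets are this example's own assumptions about which rules deserve a second look.

```python
import re
from collections import defaultdict

# Constructed sample: the avc lines from logcat shown in the post (mediacodec line omitted,
# as the post's audit2allow output contains no mediacodec rule).
SAMPLE_LOG = """\
08-17 11:12:42.759 1069 1069 W Binder:1069_3: type=1400 audit(0.0:42): avc: denied { read } for name="u:object_r:vendor_media_sdm660_version_prop:s0" dev="tmpfs" ino=20979 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_media_sdm660_version_prop:s0 tclass=file permissive=0
08-17 11:13:41.679 3812 3812 I om.ubx.scandemo: type=1400 audit(0.0:47): avc: denied { write } for name="ScanDemo" dev="mmcblk0p14" ino=339 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
08-17 11:13:42.639 3812 3812 I om.ubx.scandemo: type=1400 audit(0.0:48): avc: denied { read write } for name="i2c-7" dev="tmpfs" ino=21076 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:i2c_device:s0 tclass=chr_file permissive=1
08-17 11:13:42.639 3812 3812 I om.ubx.scandemo: type=1400 audit(0.0:50): avc: denied { ioctl } for path="/dev/i2c-7" dev="tmpfs" ino=21076 ioctlcmd=707 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:i2c_device:s0 tclass=chr_file permissive=1
08-17 11:13:43.169 1619 1619 I android.bg: type=1400 audit(0.0:51): avc: denied { write } for name="ScanDemo" dev="mmcblk0p14" ino=339 scontext=u:r:system_server:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
08-17 11:13:51.809 3812 3812 I om.ubx.scandemo: type=1400 audit(0.0:52): avc: denied { ioctl } for path="/dev/i2c-7" dev="tmpfs" ino=21076 ioctlcmd=707 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:i2c_device:s0 tclass=chr_file permissive=1
08-17 11:13:51.989 3812 3812 I Thread-2: type=1400 audit(0.0:53): avc: denied { search } for name="leds" dev="sysfs" ino=26711 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
"""

# Pull the permission set, source/target contexts and object class out of one avc line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    # u:r:platform_app:s0:c512,c768 -> platform_app ; u:object_r:system_file:s0 -> system_file
    return ctx.split(":")[2]


def parse_denials(text):
    """Return (source_type, target_type, tclass, frozenset(perms), permissive) per avc line."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc denial line, skip it
        perms = frozenset(m.group("perms").split())
        out.append((context_type(m.group("scontext")),
                    context_type(m.group("tcontext")),
                    m.group("tclass"), perms, m.group("permissive") == "1"))
    return out


def generate_allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class), grouped by source domain."""
    merged = defaultdict(set)
    for src, tgt, cls, perms, _ in denials:
        merged[(src, tgt, cls)] |= perms
    rules = {}
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.setdefault(src, []).append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules


# Assumption of this example: modifying system_file is something a generated rule must not
# silently grant (AOSP neverallow rules reject it), so flag it for review instead.
REVIEW_TARGETS = {"system_file"}
REVIEW_PERMS = {"write", "create", "unlink", "rename", "setattr", "append", "link",
                "relabelto", "relabelfrom"}


def rules_needing_review(denials):
    """Sorted 'src -> tgt:class' strings for denials that should not simply be allowed."""
    return sorted({f"{src} -> {tgt}:{cls}" for src, tgt, cls, perms, _ in denials
                   if tgt in REVIEW_TARGETS and perms & REVIEW_PERMS})


def render(rules):
    """Print rules in the same per-domain layout audit2allow uses."""
    lines = []
    for src in sorted(rules):
        lines.append(f"#============= {src} ==============")
        lines.extend(rules[src])
    return "\n".join(lines)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print(render(generate_allow_rules(denials)))
    for item in rules_needing_review(denials):
        print("REVIEW (do not allow blindly):", item)
```

The two repeated ioctl denials on /dev/i2c-7 collapse into the single i2c_device:chr_file rule, which is exactly the merging audit2allow performs; the permission order inside the braces differs from the post's output but is irrelevant to the policy compiler. The review list is the part worth keeping in your own workflow: a denial recorded in permissive mode is evidence of what the app tried, not proof that it should be permitted.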
Summary
This tool simplifies the workflow and reduces the amount of work. Thumbs up.