android12 添加自定义APK的selinux权限
平台:RK3399,android12。
现象:我们自己的测试工具autoTest 无法在user版本下面识别com口,SN号,MAC地址。
调试记录:
使用userdebug版本,关闭selinux,确认工具是能识别到com口,SN号,MAC地址。所以是selinux权限问题,给这个apk增加权限。
暂时关闭selinx 的指令: setenforce 0
抓取相关log: adb shell "logcat | grep avc"
02-18 00:49:52.050 5971 5971 W al.autotest.all: type=1400 audit(0.0:92): avc: denied { search } for name="mmc0" dev="sysfs" ino=21489 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_mmc:s0 tclass=dir permissive=0
02-18 00:49:52.146 5971 5971 W al.autotest.all: type=1400 audit(0.0:93): avc: denied { open } for path="/proc/tty/drivers" dev="proc" ino=4026531852 scontext=u:r:system_app:s0 tcontext=u:object_r:proc_tty_drivers:s0 tclass=file permissive=0
02-18 00:49:52.486 481 481 W HwBinder:481_1: type=1400 audit(0.0:94): avc: denied { search } for name="bluetooth" dev="dm-38" ino=44 scontext=u:r:hal_bluetooth_default:s0 tcontext=u:object_r:bluetooth_data_file:s0 tclass=dir permissive=0
02-18 00:49:52.500 481 481 W HwBinder:481_1: type=1400 audit(0.0:95): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=10903 scontext=u:r:hal_bluetooth_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
02-18 00:49:52.500 481 481 W HwBinder:481_1: type=1400 audit(0.0:96): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=10903 scontext=u:r:hal_bluetooth_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
02-18 00:49:52.500 481 481 W HwBinder:481_1: type=1400 audit(0.0:97): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=10903 scontext=u:r:hal_bluetooth_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
02-18 00:49:55.386 5971 5971 W al.autotest.all: type=1400 audit(0.0:99): avc: denied { open } for path="/dev/__properties__/u:object_r:serialno_prop:s0" dev="tmpfs" ino=11015 scontext=u:r:system_app:s0 tcontext=u:object_r:serialno_prop:s0 tclass=file permissive=0
根据log,添加对应的selinux权限。此处以下面例子举例:
02-18 00:49:52.050 5971 5971 W al.autotest.all: type=1400 audit(0.0:92): avc: denied { search } for name="mmc0" dev="sysfs" ino=21489 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_mmc:s0 tclass=dir permissive=0
缺少什么权限: 缺少 search 权限
谁缺少权限: system_app
对哪个节点缺少权限: sysfs_mmc
什么类型的文件:dir
最后输入的命令: allow system_app sysfs_mmc:dir search;
在RK的 device/rockchip/common/sepolicy/vendor/system_app.te 文件中添加 allow system_app sysfs_mmc:dir search;
注意:谁缺少的文件,就去device/rockchip/common/sepolicy/vendor 目录下查找对应的.te文件。没有就新建对应的政策文件。
按照此方法,把log中对应的权限添加完成。
重新编译。我这里报如下错误:
libsepol.report_failure: neverallow on line 579 of system/sepolicy/public/domain.te (or line 12244 of policy.conf) violated by allow system_app serialno_prop:file { read };
libsepol.report_failure: neverallow on line 489 of system/sepolicy/public/app.te (or line 10164 of policy.conf) violated by allow system_app apk_data_file:dir { write };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
ninja: build stopped: subcommand failed.
这是添加的权限与system下面的权限有冲突。修改对应的文件权限,补丁如下:
Index: system/sepolicy/public/app.te
===================================================================
--- system/sepolicy/public/app.te (revision 3598)
+++ system/sepolicy/public/app.te (revision 3600)
@@ -484,7 +484,7 @@
# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
Index: system/sepolicy/public/domain.te
===================================================================
--- system/sepolicy/public/domain.te (revision 3598)
+++ system/sepolicy/public/domain.te (revision 3600)
@@ -575,6 +575,7 @@
-recovery
-shell
-system_server
+ -system_app
-vendor_init
} serialno_prop:file r_file_perms;
在次编译报如下错误:
[ 98% 10992/11174] build out/target/product/rk3399_Android12/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test FAILED: out/target/product/rk3399_Android12/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test /bin/bash -c "(diff -rq -x bug_map system/sepolicy/prebuilts/api/32.0/public system/sepolicy/public ) && (diff -rq -x bug_map system/sepolicy/prebuilts/api/32.0/private system/sepolicy/private ) && (touch out/target/product/rk3399_Android12/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )" Files system/sepolicy/prebuilts/api/32.0/public/app.te and system/sepolicy/public/app.te differ Files system/sepolicy/prebuilts/api/32.0/public/domain.te and system/sepolicy/public/domain.te differ 11:45:46 ninja failed with: exit status 1
需要把 system/sepolicy/prebuilts/api/32.0/public/domain.te 和 system/sepolicy/public/domain.te 文件保持一致,app.te 同理。
补丁如下:
Index: system/sepolicy/prebuilts/api/32.0/public/app.te
===================================================================
--- system/sepolicy/prebuilts/api/32.0/public/app.te (revision 3598)
+++ system/sepolicy/prebuilts/api/32.0/public/app.te (revision 3600)
@@ -484,7 +484,7 @@
# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
Index: system/sepolicy/prebuilts/api/32.0/public/domain.te
===================================================================
--- system/sepolicy/prebuilts/api/32.0/public/domain.te (revision 3598)
+++ system/sepolicy/prebuilts/api/32.0/public/domain.te (revision 3600)
@@ -575,6 +575,7 @@
-recovery
-shell
-system_server
+ -system_app
-vendor_init
} serialno_prop:file r_file_perms;
通过反复编译添加权限,最后autoTest能够识别到com口,MAC地址和SN号。
