Requirement
MTK Android 11
test is a system app that needs a large number of SELinux permissions. Rather than loosening the permissions of every system app, SELinux should be configured separately for test.
Method
- domain
device/mediatek/sepolicy/bsp/non_plat/seapp_contexts
Add:
user=system seinfo=platform name=com.test domain=test_app type=system_app_data_file levelFrom=user
Here com.test is test's package name, and the domain value (test_app) is the name the policy file below refers to.
- Add a new .te file
device/mediatek/sepolicy/basic/non_plat/test_app.te
type test_app, domain;
app_domain(test_app)
typeattribute test_app mlstrustedsubject;
allow test_app vendor_file:file {r_file_perms execute execute_no_trans};
allow test_app sysfs_leds:dir { search };
allow test_app sysfs:file { getattr open read };
allow test_app sysfs:dir { search };
allow test_app proc:file { getattr open read };
# .... other rules omitted
With this, test's SELinux permissions are configured on their own, without touching the other system apps.
Problems
During the build, if the contents of test_app.te are wrong or conflict with other policy, an error is reported.
- Error: violated by allow
libsepol.report_failure: neverallow on line 79 of device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te (or line 108092 of policy.conf) violated by allow test_app proc:file { read getattr open };
libsepol.report_failure: neverallow on line 15 of device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te (or line 107995 of policy.conf) violated by allow test_app sysfs:file { read getattr open };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
The cause is that the rules in test_app.te conflict with device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te.
Fix:
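To make the failure above reproducible offline, here is an added example (written for this page, not MTK or AOSP code) that re-implements the neverallow assertion check that libsepol runs at build time, in miniature: every allow rule is tested against every neverallow, and a neverallow is violated as soon as an allow grants one forbidden permission from a forbidden source type to a forbidden target type of the same class. The allow rules are the ones from test_app.te; the type universe, the attribute map and the two neverallow rules are constructed approximations, because the page does not reproduce neverallows.te in full.

```python
"""Toy neverallow checker: approximates libsepol.check_assertions (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Set

# Constructed universe; the real policy has hundreds of domains and types.
DOMAINS = {"init", "ueventd", "vendor_init", "vold", "system_server",
           "platform_app", "system_app", "untrusted_app", "test_app"}
TYPES = DOMAINS | {"sysfs", "sysfs_leds", "proc", "vendor_file"}
# Attribute membership, also constructed; test_app is an app domain via app_domain().
ATTRIBUTES = {"domain": set(DOMAINS),
              "appdomain": {"platform_app", "system_app", "untrusted_app", "test_app"}}

# Allow rules copied from test_app.te (vendor_file line omitted: r_file_perms is a macro).
TEST_APP_TE = """
allow test_app sysfs_leds:dir { search };
allow test_app sysfs:file { getattr open read };
allow test_app sysfs:dir { search };
allow test_app proc:file { getattr open read };
"""
# Constructed stand-ins for the two neverallows named in the build error:
# '~{ ... }' means "every domain except the listed ones", '*' means every permission.
NEVERALLOWS_TE = """
neverallow ~{
    init
    ueventd
    vendor_init
    vold
} sysfs:file *;
neverallow ~{
    init
    system_server
    vendor_init
    vold
} proc:file *;
"""
# The same rules with test_app added to both exception lists, as the diff on the page does.
NEVERALLOWS_TE_EXEMPTED = NEVERALLOWS_TE.replace("    vold\n}", "    vold\n    test_app\n}")

RULE_RE = re.compile(
    r"(?P<kind>allow|neverallow)\s+(?P<src>~?\{[^}]*\}|\S+)\s+"
    r"(?P<tgt>~?\{[^}]*\}|[^\s:]+):(?P<cls>\w+)\s+(?P<perms>\*|\{[^}]*\}|\w+)")


@dataclass
class Rule:
    kind: str
    sources: Set[str]
    targets: Set[str]
    cls: str
    perms: Optional[Set[str]]  # None stands for '*', i.e. every permission
    text: str


def expand(spec: str, universe: Set[str]) -> Set[str]:
    """Turn `{ a -b }`, `~{ a b }` or a bare name into a concrete set of types."""
    negated = spec.startswith("~")
    included, excluded = set(), set()
    for tok in spec.lstrip("~").strip("{}").split():
        bucket = excluded if tok.startswith("-") else included
        name = tok.lstrip("-")
        bucket.update(ATTRIBUTES.get(name, {name}))  # attributes expand to their members
    members = included - excluded
    return universe - members if negated else members


def parse_policy(text: str):
    """Parse .te text into Rule objects; rules may span lines, comments start with '#'."""
    body = "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    rules = []
    for stmt in body.split(";"):
        stmt = " ".join(stmt.split())  # collapse the multi-line set onto one line
        if not stmt:
            continue
        m = RULE_RE.fullmatch(stmt)
        if not m:
            raise ValueError("unsupported statement: " + stmt)
        perms = None if m["perms"] == "*" else set(m["perms"].strip("{}").split())
        rules.append(Rule(m["kind"], expand(m["src"], DOMAINS),
                          expand(m["tgt"], TYPES), m["cls"], perms, stmt))
    return rules


def check_assertions(allow_text: str, neverallow_text: str):
    """Return one failure string per (neverallow, allow) pair that conflicts."""
    allows = [r for r in parse_policy(allow_text) if r.kind == "allow"]
    nevers = [r for r in parse_policy(neverallow_text) if r.kind == "neverallow"]
    failures = []
    for na in nevers:
        for al in allows:
            if al.cls != na.cls:
                continue
            if not (al.sources & na.sources) or not (al.targets & na.targets):
                continue
            if na.perms is None or al.perms is None:
                clash = al.perms or na.perms or {"*"}  # '*' on either side matches anything
            else:
                clash = al.perms & na.perms
            if clash:
                failures.append("%s violated by %s" % (na.text, al.text))
    return failures


if __name__ == "__main__":
    for failure in check_assertions(TEST_APP_TE, NEVERALLOWS_TE):
        print(failure)
    print("after exempting test_app:", check_assertions(TEST_APP_TE, NEVERALLOWS_TE_EXEMPTED))
```

Run as-is it reports the same two conflicts as the build (sysfs:file and proc:file; the two dir rules are untouched because the class differs), and an empty list once test_app is added to the exception sets. The checker also makes the trade-off visible: the exemption silences the assertion for every sysfs:file and proc:file permission on test_app, not just the three that test_app.te requests.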
diff --git a/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te b/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te
index b4de8ec3db..56cd694293 100644
--- a/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te
+++ b/device/mediatek/sepolicy/basic/neverallows/non_plat/neverallows.te
@@ -36,6 +36,7 @@ full_treble_only(`
ueventd
vendor_init
vold
+ test_app
} sysfs:file *;
neverallow {
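Review bot: adding test_app to the exception set in front of `} sysfs:file *;` lifts the neverallow for every sysfs:file permission, while test_app.te only asks for { getattr open read } on sysfs; the other members of this list (ueventd, vendor_init, vold) are system daemons, not an app domain. The narrower fix is to give the specific sysfs nodes the app reads a dedicated type (the dir rule already does this with sysfs_leds) and allow that type, instead of widening this exception.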
@@ -90,6 +91,7 @@ full_treble_only(`
system_server
vendor_init
vold
+ test_app
} proc:file *;
neverallow {
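Review bot: same concern for `} proc:file *;`: test_app.te requests only { getattr open read } on proc, but this exemption also silences the assertion for any future proc:file allow on test_app, so a later over-broad rule would no longer be caught at build time. Prefer labelling the required proc entries with their own type, or state in the commit message why a blanket exemption for an app domain is acceptable here.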
@@ -152,6 +154,7 @@ full_treble_only(`
-hal_drm_widevine
-merged_hal_service
-tee
+ -test_app
} system_data_file:file *;
neverallow ~{
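Review bot: the `-test_app` exclusion under `} system_data_file:file *;` has no matching failure: the build reported exactly two neverallow violations, on sysfs:file and proc:file, test_app.te contains no system_data_file rule, and seapp_contexts already gives test_app's data the system_app_data_file type. Drop this exclusion unless a system_data_file:file allow is actually needed, and if it is, land it in the same change so the exemption's purpose is visible.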
- avc: denied
This kind of error means test_app.te is missing the corresponding SELinux rule.
The fix is to add rules to test_app.te based on the denial messages.
2023-03-14 21:48:47.992 3089-3089/com.sprd.validationtools W/validationtools: type=1400 audit(0.0:219): avc: denied { call } for scontext=u:r:test_app:s0:c512,c768 tcontext=u:r:gpuservice:s0 tclass=binder permissive=0
allow test_app gpuservice:binder { call };
2023-03-14 21:48:48.016 3089-3089/com.sprd.validationtools W/validationtools: type=1400 audit(0.0:220): avc: denied { read } for name="alarm" dev="tmpfs" ino=14599 scontext=u:r:test_app:s0:c512,c768 tcontext=u:object_r:alarm_device:s0 tclass=chr_file permissive=0
allow test_app alarm_device:chr_file { read write open ioctl };
avc: denied { write } for name="com.sprd.validationtools-NR-zFzD7HSKx5PgVT0uGLQ==" dev="dm-6" ino=6381570 scontext=u:r:test_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0
allow test_app apk_data_file:dir { getattr search read open add_name remove_name create write setattr };
audit(0.0:221): avc: denied { search } for name="/" dev="sdc9" ino=2 scontext=u:r:test_app:s0:c512,c768 tcontext=u:object_r:nvcfg_file:s0 tclass=dir permissive=0
type=1400 audit(0.0:248): avc: denied { ioctl } for path="/mnt/vendor/nvcfg/mmitest.db" dev="sdc9" ino=17 ioctlcmd=0xf50c scontext=u:r:test_app:s0:c512,c768 tcontext=u:object_r:nvcfg_file:s0:c512,c768 tclass=file permissive=0
avc: denied { lock } for path="/mnt/vendor/nvcfg/mmitest.db" dev="sdc9" ino=17 scontext=u:r:test_app:s0:c512,c768 tcontext=u:object_r:nvcfg_file:s0:c512,c768 tclass=file permissive=0
allow test_app nvcfg_file:dir { getattr search read open add_name remove_name create write setattr };
allow test_app nvcfg_file:file { read write open create getattr setattr append unlink map ioctl lock };
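Turning denials into rules by hand invites over-granting: the alarm_device denial above refused only { read }, yet the rule written for it grants { read write open ioctl }. As an added example (written for this page; it is neither the page's own code nor the audit2allow tool), the script below parses logcat avc lines, groups them by source type, target type and class, and emits allow rules that cover exactly the refused permissions, plus a helper that reports what a hand-written rule grants beyond them. The sample log lines are copied from the denials above with straight quotes.

```python
"""Minimal avc-denial to allow-rule converter (added example, not audit2allow)."""
import re
from collections import defaultdict

# One logcat/audit line; the 'for ...' fields between denied {...} and scontext vary.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?")

# Sample input: denials copied from the page's logcat excerpt.
SAMPLE_LOG = """\
2023-03-14 21:48:47.992 3089-3089/com.sprd.validationtools W/validationtools: type=1400 audit(0.0:219): avc: denied { call } for scontext=u:r:test_app:s0:c512,c768 tcontext=u:r:gpuservice:s0 tclass=binder permissive=0
2023-03-14 21:48:48.016 3089-3089/com.sprd.validationtools W/validationtools: type=1400 audit(0.0:220): avc: denied { read } for name="alarm" dev="tmpfs" ino=14599 scontext=u:r:test_app:s0:c512,c768 tcontext=u:object_r:alarm_device:s0 tclass=chr_file permissive=0
audit(0.0:221): avc: denied { search } for name="/" dev="sdc9" ino=2 scontext=u:r:test_app:s0:c512,c768 tcontext=u:object_r:nvcfg_file:s0 tclass=dir permissive=0
type=1400 audit(0.0:248): avc: denied { ioctl } for path="/mnt/vendor/nvcfg/mmitest.db" dev="sdc9" ino=17 ioctlcmd=0xf50c scontext=u:r:test_app:s0:c512,c768 tcontext=u:object_r:nvcfg_file:s0:c512,c768 tclass=file permissive=0
avc: denied { lock } for path="/mnt/vendor/nvcfg/mmitest.db" dev="sdc9" ino=17 scontext=u:r:test_app:s0:c512,c768 tcontext=u:object_r:nvcfg_file:s0:c512,c768 tclass=file permissive=0
"""


def context_type(ctx):
    """u:r:test_app:s0:c512,c768 -> test_app (user:role:type:sensitivity[:categories])."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Return (source_type, target_type, tclass, frozenset(perms), permissive) per denial."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc line; ignore
        found.append((context_type(m["scon"]), context_type(m["tcon"]), m["cls"],
                      frozenset(m["perms"].split()), m["permissive"] == "1"))
    return found


def minimal_allow_rules(log_text):
    """One allow rule per (source, target, class) carrying only the refused permissions."""
    grouped = defaultdict(set)
    for src, tgt, cls, perms, _ in parse_denials(log_text):
        grouped[(src, tgt, cls)] |= perms
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(grouped.items())]


def extra_permissions(proposed_rule, log_text):
    """Permissions a hand-written rule grants that no denial in the log asked for."""
    m = re.fullmatch(r"allow (\S+) (\S+):(\S+) \{([^}]*)\};?", proposed_rule.strip())
    if not m:
        raise ValueError("expected 'allow src tgt:class { perms };'")
    src, tgt, cls, perms = m.groups()
    needed = set()
    for s, t, c, p, _ in parse_denials(log_text):
        if (s, t, c) == (src, tgt, cls):
            needed |= p
    return sorted(set(perms.split()) - needed)


if __name__ == "__main__":
    for rule in minimal_allow_rules(SAMPLE_LOG):
        print(rule)
    print("granted beyond the log:",
          extra_permissions("allow test_app alarm_device:chr_file { read write open ioctl };",
                            SAMPLE_LOG))
```

Denials surface one at a time, because the next access is only attempted once the previous one succeeds, so the script is meant to be re-run on each fresh log rather than to produce the final rule set in one pass; the permissive field it records tells you whether the line came from an enforcing domain (permissive=0, the access was actually blocked) or from a domain in permissive mode, where the full chain of accesses is logged without being blocked.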
Author: 帅得不出门