Adding SELinux permissions for a custom native service

For adding a native service, refer to the following blog post:

https://blog.csdn.net/weixin_41028555/article/details/130322366?spm=1001.2014.3001.5502

For adding a HAL service, refer to:

https://blog.csdn.net/weixin_41028555/article/details/130424627?spm=1001.2014.3001.5502

Also, when adding SELinux permissions for a node, you must add the corresponding SELinux labels for every symlinked directory of that node as well, or it will not take effect.

Node labels are defined in this file: genfs_contexts

The permissions below let the customizemanagerserver native service access the HAL service customizehidl and communicate in both directions with system_server.

The service these permissions are written for is auto-started by init; if you only need the auto-start related permissions, filter out the rest yourself.

// service label definition

generic/private/service_contexts

customizemanagerserver                  u:object_r:customizemanager_service:s0

// service type declaration

generic/private/service.te

type customizemanager_service, app_api_service, service_manager_type;

// label definition for the service executable

generic/private/file_contexts

/system/bin/customizemanagerserver                  u:object_r:customizemanager_exec:s0
/system_ext/lib(64)?/vendor\.qti\.hardware\.customizehidl@1\.0\.so  u:object_r:system_lib_file:s0

// this is needed because customizemanager must both access the HAL service (a domain) and system_server (a coredomain)

generic/public/customizemanager.te

type customizemanager, domain, coredomain;

// domain declaration for the HAL service

generic/public/hal_customizehidl.te

type hal_customizehidl, domain;

// all the permissions of the customizemanager service follow

generic/private/customizemanager.te

typeattribute customizemanager coredomain;

// type declaration for the customizemanager service executable

type customizemanager_exec, exec_type, system_file_type, file_type;

// domain transition

init_daemon_domain(customizemanager)

// allow customizemanager to find and add customizemanager_service

add_service(customizemanager, customizemanager_service)

// mainly the permissions ServiceManager needs on customizemanager (and vice versa)

binder_use(customizemanager)

// system_server calls customizemanager
binder_call(system_server, customizemanager)

binder_service(customizemanager)

// customizemanager calls system_server
binder_call(customizemanager, system_server)

get_prop(customizemanager, hwservicemanager_prop)

// permissions needed to communicate with the HAL service
hwbinder_use(customizemanager)
allow customizemanager same_process_hal_file:file { open read getattr execute map };
allow customizemanager system_lib_file:file { open read getattr execute map };
allow customizemanager hal_customizehidl_hwservice:hwservice_manager { find };
allow customizemanager hal_customizehidl:binder { call };

// permissions needed for communication with system_server

allow system_server customizemanager_service:service_manager { find };

binder_use is defined as follows:

# binder_use(domain)
# Allow domain to use Binder IPC.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager $1:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')

binder_service is defined as follows:

# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')

binder_call is defined as follows:

# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow $2 $1:binder transfer;
# Receive and use open files from the server.
allow $1 $2:fd use;
')

hwbinder_use is defined as follows:

# hwbinder_use(domain)
# Allow domain to use HwBinder IPC.
define(`hwbinder_use', `
# Call the hwservicemanager and transfer references to it.
allow $1 hwservicemanager:binder { call transfer };
# Allow hwservicemanager to send out callbacks
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager $1:dir search;
allow hwservicemanager $1:file { read open map };
allow hwservicemanager $1:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
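The macro definitions quoted above and the customizemanager.te rules earlier on the page together decide what the service may actually do, and while bringing such a service up the usual loop is to read avc denials from logcat and add only what is still missing. The Python script below is an added example, not code from the original post or from AOSP: it expands the page's macro bodies (binder_use, binder_call, hwbinder_use, plus add_service modelled as "add find" per the page's comment, which is an assumption) into plain allow rules, parses a few constructed avc denial lines, and reports only the permissions the policy does not yet grant, so a denial that is already covered is not turned into a duplicate or over-broad rule.

```python
# Added example (not code from the original post): expand quoted macros, then diff avc denials against the result.
import re
from collections import defaultdict

# Macro bodies transcribed from the definitions quoted on this page. add_service is
# modelled as "add find" per the page's comment (assumption); init_daemon_domain and
# get_prop (bodies not quoted here) and binder_service (typeattribute only) add no rules.
MACROS = {
    "binder_use": [
        "allow $1 servicemanager:binder { call transfer };",
        "allow servicemanager $1:binder { call transfer };",
        "allow servicemanager $1:dir search;",
        "allow servicemanager $1:file { read open };",
        "allow servicemanager $1:process getattr;",
    ],
    "hwbinder_use": [
        "allow $1 hwservicemanager:binder { call transfer };",
        "allow hwservicemanager $1:binder { call transfer };",
        "allow hwservicemanager $1:dir search;",
        "allow hwservicemanager $1:file { read open map };",
        "allow hwservicemanager $1:process getattr;",
    ],
    "binder_call": [
        "allow $1 $2:binder { call transfer };",
        "allow $2 $1:binder transfer;",
        "allow $1 $2:fd use;",
    ],
    "add_service": ["allow $1 $2:service_manager { add find };"],
}

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+\{?\s*([^};]+?)\s*\}?\s*;$")
MACRO_RE = re.compile(r"^(\w+)\(([^)]*)\)\s*;?$")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=u:r:([^:\s]+):\S+\s+tcontext=u:\w+:([^:\s]+):\S+\s+tclass=(\S+)"
)

# customizemanager.te rules as quoted on this page
POLICY = """
typeattribute customizemanager coredomain;
init_daemon_domain(customizemanager)
add_service(customizemanager, customizemanager_service)
binder_use(customizemanager)
binder_call(system_server, customizemanager)
binder_service(customizemanager)
binder_call(customizemanager, system_server)
get_prop(customizemanager, hwservicemanager_prop)
hwbinder_use(customizemanager)
allow customizemanager system_lib_file:file { open read getattr execute map };
allow customizemanager hal_customizehidl_hwservice:hwservice_manager { find };
allow customizemanager hal_customizehidl:binder { call };
allow system_server customizemanager_service:service_manager { find };
"""

# Constructed logcat lines (not captured from a device): two denials the policy
# covers, one it only partly covers (transfer is missing), and one non-avc line.
LOG = [
    "W customizemanager: type=1400 audit(0.0:101): avc: denied { find } for pid=1234 "
    "scontext=u:r:customizemanager:s0 tcontext=u:object_r:hal_customizehidl_hwservice:s0 tclass=hwservice_manager permissive=0",
    "W customizemanager: type=1400 audit(0.0:102): avc: denied { call transfer } for pid=1234 "
    "scontext=u:r:customizemanager:s0 tcontext=u:r:hal_customizehidl:s0 tclass=binder permissive=0",
    "W Binder:1000_2: type=1400 audit(0.0:103): avc: denied { find } for pid=1000 "
    "scontext=u:r:system_server:s0 tcontext=u:object_r:customizemanager_service:s0 tclass=service_manager permissive=0",
    "I init    : starting service 'customizemanagerserver'...",
]

def expand_policy(text):
    """Map (source, target, class) -> granted permissions, with the known macros expanded."""
    rules = defaultdict(set)
    for raw in text.splitlines():
        stmt = raw.split("#", 1)[0].strip()
        m = MACRO_RE.match(stmt)
        if m:  # macro call: substitute $1, $2, ... into each line of its body
            args = [a.strip() for a in m.group(2).split(",")]
            stmts = [re.sub(r"\$(\d)", lambda x: args[int(x.group(1)) - 1], b)
                     for b in MACROS.get(m.group(1), [])]
        else:  # plain statement; type/typeattribute lines simply fail ALLOW_RE below
            stmts = [stmt]
        for s in stmts:
            a = ALLOW_RE.match(s)
            if a:
                rules[(a.group(1), a.group(2), a.group(3))].update(a.group(4).split())
    return rules

def parse_avc(line):
    """(source, target, class, perms) of an avc denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    return None if m is None else (m.group(2), m.group(3), m.group(4), frozenset(m.group(1).split()))

def missing_rules(log_lines, rules):
    """Allow rules for denied permissions that the expanded policy does not already grant."""
    out = []
    for d in filter(None, map(parse_avc, log_lines)):
        src, tgt, cls, perms = d
        missing = perms - rules.get((src, tgt, cls), set())
        if missing:
            out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(missing))} }};")
    return out

if __name__ == "__main__":
    for rule in missing_rules(LOG, expand_policy(POLICY)):
        print(rule)  # -> allow customizemanager hal_customizehidl:binder { transfer };
```

Run as-is it prints a single line, `allow customizemanager hal_customizehidl:binder { transfer };`, because the page grants the HAL domain only `call`; the hwservice find and the system_server lookup are already covered by the expanded rules and are not repeated. Diffing denials against the expanded policy, instead of pasting every denial into the .te file, keeps the domain at the minimum it actually needs and makes redundant rules obvious.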


Reposted from blog.csdn.net/weixin_41028555/article/details/131192610