Adding SELinux permissions for a custom HAL service

For creating the custom HAL service itself, see "HIDL Service Creation Flow - Analysis Based on Android 12 S" (加油干(◍>∇<◍)ノ゙'s blog on CSDN).

Every one of the following additions is required; leaving any of them out can prevent the service from starting automatically.

generic/vendor/common/file_contexts

/vendor/bin/hw/vendor\.qti\.hardware\.customizehidl@1\.0-service    u:object_r:hal_customizehidl_exec:s0

generic/vendor/common/hwservice_contexts

vendor.qti.hardware.customizehidl::ICustomizeHidl  u:object_r:hal_customizehidl_hwservice:s0

generic/vendor/common/service_contexts

vendor.qti.hardware.customizehidl.ICustomizeHidl/default   u:object_r:hal_customizehidl_service:s0

generic/public/file.te

type hal_customizehidl_exec, exec_type, vendor_file_type, file_type;

generic/public/hwservice.te

type hal_customizehidl_hwservice, hwservice_manager_type, protected_hwservice;

generic/public/service.te

type hal_customizehidl_service, vendor_service, protected_service, service_manager_type;

The following domain policy is equally required; omitting any of it can likewise prevent the service from starting automatically.

generic/vendor/common/hal_customizehidl.te

type hal_customizehidl, domain;

hwbinder_use(hal_customizehidl)
init_daemon_domain(hal_customizehidl)

add_hwservice(hal_customizehidl, hal_customizehidl_hwservice)
get_prop(hal_customizehidl, hwservicemanager_prop)
add_service(hal_customizehidl, hal_customizehidl_service)
binder_use(hal_customizehidl)

If you see the following error, the relevant definitions and declarations in hwservice_contexts and hwservice.te were most likely missed; adding them fixes it.

05-30 12:39:35.856   370  4561 I hwservicemanager: Tried to start vendor.qti.hardware.customizehidl@1.0::ICustomizeHidl/default as a lazy service, but was unable to. Usually this happens when a service is not installed, but if the service is intended to be used as a lazy service, then it may be configured incorrectly.
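As an added example (not code from the original post or from any Android project), here is a Python checker that parses constructed copies of the snippets above and reports which of the required pieces are missing; the sample .te text deliberately omits the hwservice.te declaration so the check reproduces the failure behind the error above. The function names and the regex-based parsing are this example's own assumptions, not an AOSP tool.

```python
import re
# Constructed samples mirroring the snippets on this page (not the project's own files);
# hwservice.te is deliberately left out so the checker reproduces the failure described above.
CONTEXTS = {
    "file_contexts": r"/vendor/bin/hw/vendor\.qti\.hardware\.customizehidl@1\.0-service u:object_r:hal_customizehidl_exec:s0",
    "hwservice_contexts": "vendor.qti.hardware.customizehidl::ICustomizeHidl u:object_r:hal_customizehidl_hwservice:s0",
    "service_contexts": "vendor.qti.hardware.customizehidl.ICustomizeHidl/default u:object_r:hal_customizehidl_service:s0",
}
TE_POLICY = """
type hal_customizehidl_exec, exec_type, vendor_file_type, file_type;
type hal_customizehidl_service, vendor_service, protected_service, service_manager_type;
type hal_customizehidl, domain;
hwbinder_use(hal_customizehidl)
init_daemon_domain(hal_customizehidl)
add_hwservice(hal_customizehidl, hal_customizehidl_hwservice)
add_service(hal_customizehidl, hal_customizehidl_service)
binder_use(hal_customizehidl)
"""
# Attribute each *_contexts label needs, and the macro that must grant the domain access to it.
RULES = {
    "file_contexts": ("exec_type", "init_daemon_domain"),
    "hwservice_contexts": ("hwservice_manager_type", "add_hwservice"),
    "service_contexts": ("service_manager_type", "add_service"),
}
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*,([^;]*);", re.M)  # type X, attr, attr;
MACRO_RE = re.compile(r"^\s*(\w+)\(([^)]*)\)", re.M)          # macro(arg, arg)
CTX_RE = re.compile(r"u:object_r:(\w+):s0")                    # label in a *_contexts entry
def parse_te(te_text):
    """Return ({type: {attributes}}, {macro: [argument tuples]}) from .te source."""
    types = {n: {a.strip() for a in attrs.split(",")} for n, attrs in TYPE_RE.findall(te_text)}
    calls = {}
    for name, args in MACRO_RE.findall(te_text):
        calls.setdefault(name, []).append(tuple(a.strip() for a in args.split(",")))
    return types, calls
def check_hal_policy(domain, contexts, te_text):
    """List every missing piece; an empty list means all of the additions above are present."""
    types, calls = parse_te(te_text)
    problems = [] if "domain" in types.get(domain, set()) else [f"{domain} is not a domain"]
    for fname, (attr, macro) in RULES.items():
        for label in CTX_RE.findall(contexts.get(fname, "")):
            if attr not in types.get(label, set()):
                problems.append(f"{label} ({fname}) has no type statement with attribute {attr}")
            # init_daemon_domain takes only the domain; the add_* macros take domain and label
            args = (domain,) if macro == "init_daemon_domain" else (domain, label)
            if args not in calls.get(macro, []):
                problems.append(f"{macro}({', '.join(args)}) missing")
    for m in ("hwbinder_use", "binder_use"):  # the domain must be able to talk to both managers
        if (domain,) not in calls.get(m, []):
            problems.append(f"{m}({domain}) missing")
    return problems
```

Running check_hal_policy("hal_customizehidl", CONTEXTS, TE_POLICY) reports only the missing hwservice type; appending the hwservice.te line from above makes it return an empty list.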


To make the above easier to understand, here is what each of the permission macros expands to.

hwbinder_use in hwbinder_use(hal_customizehidl) is defined as follows:

define(`hwbinder_use', `
# Call the hwservicemanager and transfer references to it.
allow $1 hwservicemanager:binder { call transfer };
# Allow hwservicemanager to send out callbacks
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager $1:dir search;
allow hwservicemanager $1:file { read open map };
allow hwservicemanager $1:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')

add_hwservice in add_hwservice(hal_customizehidl, hal_customizehidl_hwservice) is defined as follows; note the neverallow, which is what prevents any other domain from registering this hwservice name:

define(`add_hwservice', `
  allow $1 $2:hwservice_manager { add find };
  allow $1 hidl_base_hwservice:hwservice_manager add;
  neverallow { domain -$1 } $2:hwservice_manager add;
')

get_prop in get_prop(hal_customizehidl, hwservicemanager_prop) is defined as follows:

define(`get_prop', `
allow $1 $2:file { getattr open read map };
')

add_service in add_service(hal_customizehidl, hal_customizehidl_service) is defined as follows; like add_hwservice, its neverallow restricts registration of the service name to this domain alone:

define(`add_service', `
  allow $1 $2:service_manager { add find };
  neverallow { domain -$1 } $2:service_manager add;
')

binder_use in binder_use(hal_customizehidl) is defined as follows:

define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager $1:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')


Reposted from blog.csdn.net/weixin_41028555/article/details/131191842