The company is short-staffed, especially short of C developers, so I am a brick that gets carried to wherever it is needed! This post records a complete walk-through of configuring an Android system application to start at boot and setting up its SELinux permissions.
1. Add the application under the vendor directory and build it into the executable test_abc in /system/bin;
This first attempt followed a change found online, but after building, the test_abc executable was not packaged into /system/bin;
aaa@abc-0C:~/work/ATOS_Q/vendor/test$ cat Android.mk
LOCAL_PATH := $(call my-dir)
PRODUCT_PACKAGES += \
test_abc
include $(call all-makefiles-under,$(LOCAL_PATH))
Files in the test_abc directory:
Android.mk
test_abc.c
Android.mk (the original had no line-continuation backslashes after LOCAL_SRC_FILES and LOCAL_SHARED_LIBRARIES, and a stray trailing backslash after bionic that swallowed the LOCAL_MODULE line; both fixed here):
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
# Single source file; each continued line needs a trailing backslash
LOCAL_SRC_FILES := \
    test_abc.c
LOCAL_SHARED_LIBRARIES := \
    libcutils \
    libutils
# No backslash on the last include path, or the next assignment is pulled into the list
LOCAL_C_INCLUDES += \
    bionic
LOCAL_MODULE := test_abc
LOCAL_MODULE_TAGS := optional
LOCAL_MULTILIB := 64
include $(BUILD_EXECUTABLE)
test_abc.c is just a main() that operates on files and a socket;
The fix for test_abc not being packaged into system/bin was to move the whole test_abc directory under the qcom vendor path:
aaa@abc-0C:~/work/ATOS_Q/vendor/qcom/bonito/test_abc$ pwd
/home1/gwb/work/ATOS_Q/vendor/qcom/bonito/test_abc
aaa@abc-0C:~/work/ATOS_Q/vendor/qcom/bonito/test_abc$ ls
Android.mk test_abc.c
#lyz add for test
include vendor/xdja/test_abc/Android.mk
2. Add the label definition for test_abc:
aaa@abc-0C:~/work/ATOS_Q$ vi device/google/bonito-sepolicy/vendor/qcom/sdm710/file_contexts
#lyz add for test
/system/bin/test_abc u:object_r:test_abc_exec:s0
3. Add the boot-time service by modifying ./system/core/rootdir/init.rc:
#lyz add for test
service test_abc /system/bin/test_abc
    class main
    oneshot
    seclabel u:r:test_abc:s0
4. Add the .te file:
aaa@abc-0C:~/work/ATOS_Q$ cat device/google/bonito-sepolicy/vendor/qcom/common/test_abc.te
type test_abc, domain, coredomain;
type test_abc_exec, file_type, system_file_type, exec_type;
init_daemon_domain(test_abc)
5. Build, verify, and check the dmesg boot log:
[ 9.191761] init: cannot setexeccon('u:r:test_abc_exec:s0') for test_abc: Invalid argument
The problem should be that the path of test_abc.te is wrong, so init does not recognise the label "u:r:test_abc_exec:s0" when starting the service.
Change step 4: move test_abc.te to /device/google/bonito-sepolicy/private, rebuild the image, flash it and boot;
aaa@xdja-0C:~/work/ATOS_Q/device/google/bonito-sepolicy/private$ pwd
/home1/gwb/work/ATOS_Q/device/google/bonito-sepolicy/private
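As an added cross-check (not part of the original post), the script below parses the three inputs from steps 2 to 4 and reports the mismatches that otherwise only surface as the setexeccon error above: a seclabel whose type is not a declared process domain (an _exec file type, or a type whose .te file the build never picked up), a binary not labelled with an exec_type, or a missing init_daemon_domain() rule. The inputs are constructed excerpts, and the parser only understands the simple type/service syntax shown on this page.

```python
import re

# Constructed excerpts of the three inputs edited above (init.rc, file_contexts, test_abc.te)
INIT_RC = """
service test_abc /system/bin/test_abc
    oneshot
    seclabel u:r:test_abc:s0
"""
FILE_CONTEXTS = "/system/bin/test_abc  u:object_r:test_abc_exec:s0\n"
TE_POLICY = """
type test_abc, domain, coredomain;
type test_abc_exec, file_type, system_file_type, exec_type;
init_daemon_domain(test_abc)
"""

def parse_types(te):
    """Map each 'type NAME, attr, attr;' declaration to its set of attributes."""
    types = {}
    for name, attrs in re.findall(r"^\s*type\s+(\w+)\s*,?\s*([^;]*);", te, re.M):
        types[name] = {a.strip() for a in attrs.split(",") if a.strip()}
    return types

def parse_services(rc):
    """Map each init.rc service to (binary path, seclabel type or None)."""
    services, current = {}, None
    for words in (line.split() for line in rc.splitlines()):
        if words[:1] == ["service"] and len(words) >= 3:
            current = words[1]
            services[current] = [words[2], None]
        elif words[:1] == ["seclabel"] and current:
            services[current][1] = words[1].split(":")[2]  # u:r:TYPE:s0 -> TYPE
    return {name: tuple(v) for name, v in services.items()}

def check_policy(rc, fc, te):
    """Return the mismatches that would otherwise only surface at boot."""
    types, problems = parse_types(te), []
    labels = {w[0]: w[1].split(":")[2] for w in (l.split() for l in fc.splitlines()) if len(w) == 2}
    daemons = set(re.findall(r"init_daemon_domain\((\w+)\)", te))
    for svc, (binary, domain) in parse_services(rc).items():
        if domain is None:  # no seclabel: the transition rests on init_daemon_domain alone
            continue
        if "domain" not in types.get(domain, set()):  # the setexeccon EINVAL case
            problems.append(f"{svc}: seclabel type '{domain}' is not a declared process domain")
        if "exec_type" not in types.get(labels.get(binary, ""), set()):
            problems.append(f"{svc}: {binary} is not labelled with an exec_type, init cannot exec it")
        if domain not in daemons:
            problems.append(f"{svc}: missing init_daemon_domain({domain}) transition rules")
    return problems
```

Run it against the real init.rc, file_contexts and .te contents before each rebuild; an empty list means the three files agree.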
6. Check the dmesg boot log; the expected denial messages finally appear:
[ 9.178268] type=1400 audit(258.270:14): avc: denied { dac_override } for comm="test_abc" capability=1 scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=capability permissive=0
[ 9.178488] type=1400 audit(258.273:16): avc: denied { dac_override } for comm="test_abc" capability=1 scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=capability permissive=0 duplicate messages suppressed
[ 9.178500] type=1400 audit(258.273:17): avc: denied { create } for comm="test_abc" scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=tcp_socket permissive=0
[ 9.609626] type=1400 audit(258.273:17): avc: denied { create } for comm="test_abc" scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=tcp_socket permissive=0
7. Modify test_abc.te to add the permissions test_abc needs, build, and verify again:
#============= test_abc ==============
allow test_abc self:capability dac_override;
allow test_abc self:tcp_socket create;
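The denials in step 6 map mechanically to the allow rules in step 7; the added script below (not from the original post) does that conversion for avc lines, deduplicating repeats and collapsing several permissions on one class into a braced set, and separately flags dac_override, which usually indicates the daemon is touching files it does not own rather than a capability it should hold. The log lines are the ones quoted above, embedded as the sample input.

```python
import re
from collections import defaultdict

# The four avc lines from the dmesg above, embedded here as the sample input
DMESG = """
[    9.178268] type=1400 audit(258.270:14): avc: denied { dac_override } for comm="test_abc" capability=1 scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=capability permissive=0
[    9.178488] type=1400 audit(258.273:16): avc: denied { dac_override } for comm="test_abc" capability=1 scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=capability permissive=0 duplicate messages suppressed
[    9.178500] type=1400 audit(258.273:17): avc: denied { create } for comm="test_abc" scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=tcp_socket permissive=0
[    9.609626] type=1400 audit(258.273:17): avc: denied { create } for comm="test_abc" scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=\w+:\w+:(?P<src>\w+):\S+ tcontext=\w+:\w+:(?P<tgt>\w+):\S+ tclass=(?P<cls>\w+)"
)

# Permissions that usually mean the daemon touches files it does not own; the right fix is
# chown/chmod on those files (or a dedicated file type), not granting the capability.
BROAD = {("capability", "dac_override"), ("capability", "dac_read_search")}

def parse_denials(log):
    """Yield (source type, target type, class, permission) for every avc denial line."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            for perm in m.group("perms").split():
                yield m.group("src"), m.group("tgt"), m.group("cls"), perm

def denials_to_allow_rules(log):
    """Collapse repeated denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for src, tgt, cls, perm in parse_denials(log):
        perms[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        target = "self" if src == tgt else tgt       # same domain on both sides -> self
        body = " ".join(sorted(ps))
        if len(ps) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {target}:{cls} {body};")
    return rules

def flag_broad_rules(log):
    """Return the denials that should be fixed by ownership/mode changes instead of an allow."""
    return sorted({f"{src} {cls}:{perm}" for src, _, cls, perm in parse_denials(log)
                   if (cls, perm) in BROAD})
```

For this log it reproduces the two rules of step 7 exactly and flags the dac_override one for a second look.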
8. Fix the problem of /system not being remountable read-write after adb root:
E:\source\dual_os>adb root
restarting adbd as root
E:\source\dual_os>adb remount
W Disabling verity for /system
E Skipping /system
W Disabling verity for /vendor
E Skipping /vendor
W Disabling verity for /product
E Skipping /product
W No partitions to remount
/system/bin/remount exited with status 7
remount failed
Remounting the system path as root failed!
Solution:
First enter developer mode and enable the OEM unlocking option,
then adb reboot bootloader,
then fastboot flashing unlock,
then fastboot getvar unlocked.
Wait for the result; it normally shows yes. If it is not yes, you may have to search Baidu again for a fix.
Then reboot, run adb root and adb disable-verity, reboot again, and adb remount will mount successfully.
If adb remount fails, use disable-verity:
C:\Users\li>adb disable-verity
verity is already disabled
using overlayfs
Now reboot your device for settings to take effect
E:\source\dual_os>adb root
restarting adbd as root
E:\source\dual_os>adb remount
remount succeeded
E:\source\dual_os>
E:\source\dual_os>adb push E:\source\dual_os\test_abc /system/bin
120 KB/s (11560 bytes in 0.093s)
E:\source\dual_os>adb shell reboot
E:\source\dual_os>
SELinux has a great many concepts and is still hard to understand! It also needs a foundation in Linux kernel basics. All in all it is like opening up the Ren and Du meridians: more study never hurts!
----------------------------------2021/12/09-----------------
Modifying a neverallow rule:
--- a/system/sepolicy/public/domain.te
+++ b/system/sepolicy/public/domain.te
@@ -1191,6 +1191,7 @@ neverallow {
-init
-runas
-zygote
- -abc_service
} shell:process { transition dyntransition };
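Review bot: the hunk header records one added line, and that line removes abc_service from the set this neverallow applies to, so abc_service gains the right to transition or dyntransition into the shell domain, which is exactly what this rule keeps away from every core domain other than init, runas and zygote. Neverallow rules in system/sepolicy/public are also checked by CTS against the device policy, so this carve-out will fail the SELinux neverallow compliance test; if abc_service only needs to execute a helper binary, give that helper its own domain and a domain_auto_trans from abc_service instead of letting it become shell. Note also that the git status below lists prebuilts/api/29.0/public/domain.te as modified: that copy must stay identical to this file, because the build's sepolicy freeze check compares the two.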
/system/sepolicy# cat public/abc_service.te
type abc_service, domain;
type abc_service_exec, system_file_type, exec_type, file_type;
system/sepolicy# cat private/abc_service.te
typeattribute abc_service coredomain;
init_daemon_domain(abc_service)
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git checkout -- <file>..." to discard changes in working directory)
modified: prebuilts/api/29.0/private/file_contexts
modified: prebuilts/api/29.0/public/domain.te
modified: private/compat/26.0/26.0.ignore.cil
modified: private/compat/27.0/27.0.ignore.cil
modified: private/compat/28.0/28.0.ignore.cil
modified: private/file_contexts
modified: public/domain.te
Untracked files:
(use "git add <file>..." to include in what will be committed)
prebuilts/api/29.0/private/abc_service.te
prebuilts/api/29.0/public/abc_service.te
private/abc_service.te
public/abc_service.te
--- a/system/sepolicy/private/compat/27.0/27.0.ignore.cil
+++ b/system/sepolicy/private/compat/27.0/27.0.ignore.cil
@@ -187,6 +187,8 @@
wm_trace_data_file
wpantund
wpantund_exec
-
abc_service
-
abc_service_exec
wpantund_service
wpantund_tmpfs))
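Review bot: the hunk header records two added lines, but the rendering here shows their markers separated from the names, so confirm the file actually carries `abc_service` and `abc_service_exec` each on one properly indented line inside the ignore list. Listing both new public types in the 26.0, 27.0 and 28.0 ignore.cil files is the correct step, since a type that did not exist in those releases has no mapping to an older vendor policy, and the git status above shows all three were touched. Style point: this list is kept in alphabetical order, so the two entries belong near the top of the block rather than between wpantund_exec and wpantund_service; leaving them here builds fine but invites merge conflicts later.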
References:
https://source.android.google.cn/security/selinux/customize
https://www.cnblogs.com/schips/p/android_add_custom_service_when_system_init.html