Android 8.1 非系統程序設定系統域屬性問題
阿新 • • 發佈:2018-12-07
1. 程序間通過設定屬性進行互動
Android 系統開發中經常需要通過屬性在各個程序間傳遞資訊,通過一個程序 set_property,另一個程序 get_property 達到程序間通訊的需求。
屬性獲取沒有限制,但是如果需要程序可以進行設定屬性操作,則需要做一些處理。因為在 init 程序屬性設定處理過程中會進行 selinux 許可權的檢查,如果不通過的話,設定屬性的請求會被拒絕。
報錯 fail 如下:
W libc : Unable to set property "use_xxx" to "1": connection failed; errno=13 (Permission denied)
以一個程序為例,如果 a 程序需要在執行過程中設定屬性,則需要新增在 device/xxx/common/sepolicy/a.te 檔案中新增:
allow mediacodec default_prop:property_service set;
(該命令可以通過 audit2allow 命令生成)
新增成功之後,重新編譯 system/sepolicy/。
2. android 8.1(及以上版本)系統設定許可權限制
這種方法在 8.1 以前的系統都可以通用,但是 Android 8.1 及以上版本系統添加了許可權限制,不允許普通程序設定系統屬性,編譯錯誤如下:
FAILED: out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/rk3288/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/rk3288/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/rk3288/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy.tmp -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/rk3288/obj/ETC/sepolicy_intermediates/sepolicy )" neverallow check failed at out/target/product/rk3288/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:2614 (neverallow base_typeattr_4_27_0 default_prop_27_0 (property_service (set))) <root> allow at out/target/product/rk3288/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713 (allow mediacodec_27_0 default_prop_27_0 (property_service (set))) neverallow check failed at out/target/product/rk3288/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4287 from system/sepolicy/public/domain.te:447 (neverallow base_typeattr_4 default_prop (property_service (set))) <root> allow at out/target/product/rk3288/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713 (allow mediacodec_27_0 default_prop_27_0 (property_service (set))) Failed to generate binary Failed to build policydb [ 34% 23/66] build out/target/product/rk3288/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy FAILED: out/target/product/rk3288/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy /bin/bash -c "out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/rk3288/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/rk3288/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/rk3288/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/rk3288/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy -f /dev/null" neverallow check failed at out/target/product/rk3288/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:2614 (neverallow base_typeattr_4_27_0 default_prop_27_0 (property_service (set))) <root> allow at out/target/product/rk3288/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713 (allow mediacodec_27_0 default_prop_27_0 (property_service (set))) neverallow check failed at out/target/product/rk3288/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4287 from system/sepolicy/public/domain.te:447 (neverallow base_typeattr_4 default_prop (property_service (set))) <root> allow at out/target/product/rk3288/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713 (allow mediacodec_27_0 default_prop_27_0 (property_service (set))) Failed to generate binary Failed to build policydb ninja: build stopped: subcommand failed. 20:55:56 ninja failed with: exit status 1 #### failed to build some targets (02:13 (mm:ss)) ####
修正解決方案 1
允許 mediacodec 程序設定 use_xxx 屬性
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te index 3530bec..a3a0c38 100644 --- a/sepolicy/mediacodec.te +++ b/sepolicy/mediacodec.te @@ -5,4 +5,8 @@ allow mediacodec media_prop:file { open read getattr }; allow mediacodec system_file:dir { open read }; allow mediacodec sysfs:file { read open getattr }; allow mediacodec sysfs:dir { read open getattr }; get_prop(mediacodec,ctsgts_prop); +set_prop(mediacodec,use_mpp_mode_prop); diff --git a/sepolicy/property.te b/sepolicy/property.te index c71f976..5912a09 100755 --- a/sepolicy/property.te +++ b/sepolicy/property.te @@ -2,5 +2,6 @@ type graphic_prop, property_type; type drm_prop, property_type, mlstrustedsubject; type media_prop, property_type, mlstrustedsubject; type ctsgts_prop, property_type, mlstrustedsubject; +type use_xxx_prop, property_type, mlstrustedsubject; type secureboot_prop, property_type; type tee_supplicant_prop, property_type; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts index cd31e89..af47380 100755 --- a/sepolicy/property_contexts +++ b/sepolicy/property_contexts @@ -5,6 +5,7 @@ media. u:object_r:media_prop:s0 mediaplayer. u:object_r:media_prop:s0 cts_gts. u:object_r:ctsgts_prop:s0 persist.cts_gts. u:object_r:ctsgts_prop:s0 +use_xxx u:object_r:use_xxx_prop:s0 pppoe. u:object_r:dhcp_prop:s0 persist.ppp u:object_r:dhcp_prop:s0 ro.secureboot u:object_r:secureboot_prop:s0
修正解決方案 2
非系統域的屬性設定則沒有如上限制,可以將 use_xxx 屬性修改為 vendor.use_xxx 改為 vender 域的屬性