
Android 9.0 (P) SystemServer: configuring SELinux permissions for services

## 1. The service definition in SystemServer (Android P_9.0\frameworks\base\services\java\com\android\server\SystemServer.java)

    /**
     * Starts a miscellaneous grab bag of stuff that has yet to be refactored
     * and organized.
     */
    private void startOtherServices() {
        try {
            // Instantiate the custom service and register its Binder with
            // servicemanager under the name "fadi_wakeupwatcher". It is this
            // addService() call that SELinux mediates (class service_manager,
            // permission "add"); without a matching policy it throws a
            // SecurityException, as the log in section 2 shows.
            fadiWakeupWatcherService fadiWakeupWatcherService = new fadiWakeupWatcherService();
            ServiceManager.addService("fadi_wakeupwatcher", fadiWakeupWatcherService.asBinder());
        } catch (Throwable e) {
            Slog.e(TAG, "Failure starting fadiWakeupWatcherService", e);
        }
        // ... the remaining services started by this method are omitted here
    }

## 2. Error log when the SELinux permission has not been configured

    01-01 00:05:05.381284   933   933 E SystemServer: Failure starting fadiAppLockService
    01-01 00:05:05.381284   933   933 E SystemServer: java.lang.SecurityException
    01-01 00:05:05.381284   933   933 E SystemServer: 	at android.os.BinderProxy.transactNative(Native Method)
    01-01 00:05:05.381284   933   933 E SystemServer: 	at android.os.BinderProxy.transact(Binder.java:1127)
    01-01 00:05:05.381284   933   933 E SystemServer: 	at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:153)
    01-01 00:05:05.381284   933   933 E SystemServer: 	at android.os.ServiceManager.addService(ServiceManager.java:184)
    01-01 00:05:05.381284   933   933 E SystemServer: 	at android.os.ServiceManager.addService(ServiceManager.java:155)
    01-01 00:05:05.381284   933   933 E SystemServer: 	at com.android.server.SystemServer.startOtherServices(SystemServer.java:2000)
    01-01 00:05:05.381284   933   933 E SystemServer: 	at com.android.server.SystemServer.run(SystemServer.java:456)
    01-01 00:05:05.381284   933   933 E SystemServer: 	at com.android.server.SystemServer.main(SystemServer.java:311)
    01-01 00:05:05.381284   933   933 E SystemServer: 	at java.lang.reflect.Method.invoke(Native Method)
    01-01 00:05:05.381284   933   933 E SystemServer: 	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
    01-01 00:05:05.381284   933   933 E SystemServer: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:891)
    01-01 00:05:05.383128   933   933 E SystemServer: Failure starting fadiWakeupWatcherService
    01-01 00:05:05.383128   933   933 E SystemServer: java.lang.SecurityException
    01-01 00:05:05.383128   933   933 E SystemServer: 	at android.os.BinderProxy.transactNative(Native Method)
    01-01 00:05:05.383128   933   933 E SystemServer: 	at android.os.BinderProxy.transact(Binder.java:1127)
    01-01 00:05:05.383128   933   933 E SystemServer: 	at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:153)
    01-01 00:05:05.383128   933   933 E SystemServer: 	at android.os.ServiceManager.addService(ServiceManager.java:184)
    01-01 00:05:05.383128   933   933 E SystemServer: 	at android.os.ServiceManager.addService(ServiceManager.java:155)
    01-01 00:05:05.383128   933   933 E SystemServer: 	at com.android.server.SystemServer.startOtherServices(SystemServer.java:2008)
    01-01 00:05:05.383128   933   933 E SystemServer: 	at com.android.server.SystemServer.run(SystemServer.java:456)
    01-01 00:05:05.383128   933   933 E SystemServer: 	at com.android.server.SystemServer.main(SystemServer.java:311)
    01-01 00:05:05.383128   933   933 E SystemServer: 	at java.lang.reflect.Method.invoke(Native Method)
    01-01 00:05:05.383128   933   933 E SystemServer: 	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
    01-01 00:05:05.383128   933   933 E SystemServer: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:891)

As Android keeps tightening its security requirements and strengthening SELinux enforcement, some services need a custom policy configuration before they can work at all.

The log above is the symptom: the service failed to register. To find the cause, search the full log for the service names "fadi_applock" and "fadi_wakeupwatcher"; the hits come from the SELinux AVC:

    01-01 00:05:05.382320   324   324 E SELinux : avc:  denied  { add } for service=fadi_wakeupwatcher pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0

Each denial line follows a fixed pattern from which an allow rule can be written mechanically (allow <scontext type> <tcontext type>:<tclass> { <permissions> };), and a demo of that follows. In our case, however, the tcontext is default_android_service: we have not yet defined a SELinux type for these services, so the rule alone is not the fix at this point, and the rest of this post shows the Android 9.0 way to configure it.

    01-01 00:05:05.382320   324   324 E SELinux : avc:  denied  { add } for service=fadi_wakeupwatcher pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0

    allow system_server fadi_wakeupwatcher:service_manager { add };

    01-01 00:05:05.380074   324   324 E SELinux : avc:  denied  { add } for service=fadi_applock pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
    01-01 00:05:05.380221   324   324 E ServiceManager: add_service('fadi_applock',8f) uid=1000 - PERMISSION DENIED

    allow system_server fadi_applock:service_manager { add };

Demo: the same pattern applied to a find denial from an app (permissive=1 here, so this one was logged but not enforced):

    01-03 10:31:35.585148 331 331 E SELinux : avc: denied { find } for service=xxx_applock pid=5499 uid=10087 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:xxx_applock_service:s0 tclass=service_manager permissive=1

    allow untrusted_app_25 xxx_applock_service:service_manager { find };
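Added example (not from the post and not an AOSP tool): a small Python script that automates the hand derivation above. It parses avc: denied lines, prints the allow rule for each, and flags denials whose tcontext is default_android_service, because that target type means the service has no dedicated type yet and the fix is the type declaration in section 3 rather than an allow rule. The sample log is constructed from the denials shown above; the regexes and function names are mine.

```python
"""Turn SELinux AVC denial lines from logcat into candidate allow rules.

Added example for this write-up; not part of AOSP or the author's tree.
It mirrors the manual procedure above: read a `denied` line, pull out the
source type from scontext, the target type from tcontext, the class and the
permission set, and print the `allow` rule that would grant it.  Denials
whose target is `default_android_service` are flagged instead, because that
means the service has no dedicated type yet and must first be declared in
service.te / service_contexts (section 3).
"""
import re

# Constructed sample lines, copied in shape from the denials shown above.
SAMPLE_LOG = """\
01-01 00:05:05.382320   324   324 E SELinux : avc:  denied  { add } for service=fadi_wakeupwatcher pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
01-01 00:05:05.380074   324   324 E SELinux : avc:  denied  { add } for service=fadi_applock pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
01-03 10:31:35.585148 331 331 E SELinux : avc: denied { find } for service=xxx_applock pid=5499 uid=10087 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:xxx_applock_service:s0 tclass=service_manager permissive=1
01-01 00:05:05.380221   324   324 E ServiceManager: add_service('fadi_applock',8f) uid=1000 - PERMISSION DENIED
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Type servicemanager reports for a service name with no service_contexts entry.
UNTYPED_SERVICE = "default_android_service"


def type_of(context):
    """u:r:system_server:s0 -> system_server ; u:object_r:x:s0:c512 -> x"""
    return context.split(":")[2]


def parse_denial(line):
    """Return a dict describing one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "perms": sorted(m.group("perms").split()),
        "service": fields.get("service"),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def allow_rule(d):
    """Render a denial as the allow rule the text derives by hand."""
    return "allow {source} {target}:{tclass} {{ {perms} }};".format(
        source=d["source"], target=d["target"], tclass=d["tclass"],
        perms=" ".join(d["perms"]))


def suggest(log_text):
    """Map every AVC denial to either a rule or a 'define a type first' note.

    Returns a sorted list of (service, suggestion) pairs; repeated denials
    for the same service collapse into one entry.
    """
    seen = {}
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        if d["tclass"] == "service_manager" and d["target"] == UNTYPED_SERVICE:
            note = ("needs a dedicated type: declare it in service.te and map "
                    "'%s' in service_contexts before writing an allow rule"
                    % d["service"])
        else:
            note = allow_rule(d)
        seen.setdefault(d["service"], note)
    return sorted(seen.items())


if __name__ == "__main__":
    for service, note in suggest(SAMPLE_LOG):
        print(service, "->", note)
```

To use it on a device, save the log (adb logcat -d > log.txt) and pass the file contents to suggest(). As with audit2allow, the output is a candidate to review, not policy to paste: the parser handles any object class, and a rule generated from a denial grants exactly what was denied, so check that the source domain should really have that access before adding it.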

## 3. Configuring the SELinux permission on Android 9.0

3.1 Define the SELinux type

Add entries to the following two files:

  • Android P_9.0\system\sepolicy\public\service.te

    # fadi SE-Linux
    type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
    type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
    type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;

  • Android P_9.0\system\sepolicy\private\service_contexts

    # fadi SE-Linux
    fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
    fadi_applock                              u:object_r:fadi_applock_service:s0
    fadi_longshot                             u:object_r:fadi_longshot_service:s0

Then run a build.

3.2 Build error 1 and its fix

    FAILED: out/target/product/fadi6761_l05/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
    /bin/bash -c "(diff -rq system/sepolicy/prebuilts/api/28.0/public system/sepolicy/public ) && (diff -rq system/sepolicy/prebuilts/api/28.0/private system/sepolicy/private ) && (touch out/target/product/fadi6761_l05/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
    檔案 system/sepolicy/prebuilts/api/28.0/public/service.te 和 system/sepolicy/public/service.te 不同

The freeze test diffs the frozen API copy against the live policy, so make the files under system/sepolicy/prebuilts/api/28.0/public identical to their counterparts under system/sepolicy/public.

Continue the build with make -j24 2>&1 | tee build.log.

3.3 Build error 2 and its fix

Following the error messages, add the missing entries to the files:

    [ 43% 179/410] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/treble_sepolicy_tests_26.0
    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/treble_sepolicy_tests_26.0

    [ 43% 180/410] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/treble_sepolicy_tests_27.0
    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/treble_sepolicy_tests_27.0

Add the corresponding type mappings to Android P_9.0\system\sepolicy\private\compat\26.0\26.0.cil:

    (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

and to Android P\Android P_9.0\system\sepolicy\private\compat\27.0\27.0.cil:

    (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

Continue the build with make -j24 2>&1 | tee build.log.

3.4 Build error 3 and its fix

Error log:

    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/26.0_compat
    /bin/bash -c "out/host/linux-x86/bin/secilc -m -M true -G -N -c 30              out/target/product/fadi6761_l05/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil system/sepolicy/private/compat/26.0/26.0.cil system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil -o out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/26.0_compat -f /dev/null"
    Failed to resolve typeattributeset statement at system/sepolicy/private/compat/26.0/26.0.cil:764
    Failed to compile cildb: -2
    [  1% 11/693] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat
    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat
    /bin/bash -c "out/host/linux-x86/bin/secilc -m -M true -G -N -c 30              out/target/product/fadi6761_l05/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil system/sepolicy/private/compat/27.0/27.0.cil system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil -o out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat -f /dev/null"
    Failed to resolve typeattributeset statement at system/sepolicy/private/compat/27.0/27.0.cil:1486
    Failed to compile cildb: -2
    [  1% 12/693] build tinysys-scp-configheader

Fix: the versioned attributes referenced by the compat mappings must exist, so declare them in nonplat_sepolicy.cil for each compat version:

  • Android P_9.0\system\sepolicy\prebuilts\api\26.0\nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_26_0)
    (roletype object_r fadi_wakeupwatcher_service_26_0)
    (typeattribute fadi_applock_service_26_0)
    (roletype object_r fadi_applock_service_26_0)
    (typeattribute fadi_longshot_service_26_0)
    (roletype object_r fadi_longshot_service_26_0)

  • Android P_9.0\system\sepolicy\prebuilts\api\27.0\nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_27_0)
    (roletype object_r fadi_wakeupwatcher_service_27_0)
    (typeattribute fadi_applock_service_27_0)
    (roletype object_r fadi_applock_service_27_0)
    (typeattribute fadi_longshot_service_27_0)
    (roletype object_r fadi_longshot_service_27_0)

Continue the build with make -j24 2>&1 | tee build.log.

3.5 Build OK; flash the device and verify the logs

The services now log normally:

    09-21 04:17:00.560: D/fadiDisplayHelp(2157): UI show packageName = com.google.android.packageinstaller, className = com.android.packageinstaller.permission.ui.GrantPermissionsActivity
    09-21 04:17:59.365: D/fadiDisplayHelp(2157): UI show packageName = com.android.launcher3, className = com.android.launcher3.Launcher

    09-21 04:16:08.027: D/fadiKillAppManager(2157): updateRestrictList new = WakeUpInfo [packageName=com.android.bankabc, bootReceviers=com.feinno.teatalk.receiver.FastBootReceiver;com.xiaomi.push.service.receivers.NetworkStatusReceiver;com.feinno.teatalk.receiver.NetWorkChangeReceiver;com.huawei.android.pushagent.PushBootReceiver;com.feinno.teatalk.receiver.PushReceiver;com.huawei.android.pushagent.PushEventReceiver;com.feinno.teatalk.receiver.MiPushReceiver;com.xiaomi.push.service.receivers.PingReceiver;, pushServices=com.baidu.location.f;com.xiaomi.push.service.XMPushService;com.xiaomi.mipush.sdk.PushMessageHandler;com.xiaomi.mipush.sdk.MessageHandleService;, deny=0]

## 4. Checklist of the SELinux changes made this time

    [email protected]:~/9.1/system/sepolicy$ git status
    # Not currently on any branch.
    # Changes not staged for commit:
    #   (use "git add <file>..." to update what will be committed)
    #   (use "git checkout -- <file>..." to discard changes in working directory)
    #
    #       modified:   prebuilts/api/26.0/nonplat_sepolicy.cil
    #       modified:   prebuilts/api/27.0/nonplat_sepolicy.cil
    #       modified:   prebuilts/api/28.0/private/compat/26.0/26.0.cil
    #       modified:   prebuilts/api/28.0/private/compat/27.0/27.0.cil
    #       modified:   prebuilts/api/28.0/private/service_contexts
    #       modified:   prebuilts/api/28.0/public/service.te
    #       modified:   private/compat/26.0/26.0.cil
    #       modified:   private/compat/27.0/27.0.cil
    #       modified:   private/service_contexts
    #       modified:   public/service.te

The additions in detail:

  1. prebuilts/api/26.0/nonplat_sepolicy.cil

        (typeattribute fadi_wakeupwatcher_service_26_0)
        (roletype object_r fadi_wakeupwatcher_service_26_0)
        (typeattribute fadi_applock_service_26_0)
        (roletype object_r fadi_applock_service_26_0)
        (typeattribute fadi_longshot_service_26_0)
        (roletype object_r fadi_longshot_service_26_0)

  2. prebuilts/api/27.0/nonplat_sepolicy.cil

        (typeattribute fadi_wakeupwatcher_service_27_0)
        (roletype object_r fadi_wakeupwatcher_service_27_0)
        (typeattribute fadi_applock_service_27_0)
        (roletype object_r fadi_applock_service_27_0)
        (typeattribute fadi_longshot_service_27_0)
        (roletype object_r fadi_longshot_service_27_0)

  3. prebuilts/api/28.0/private/compat/26.0/26.0.cil

        (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
        (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
        (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

  4. prebuilts/api/28.0/private/compat/27.0/27.0.cil

        (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
        (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
        (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

  5. prebuilts/api/28.0/private/service_contexts

        # fadi SE-Linux
        fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
        fadi_applock                              u:object_r:fadi_applock_service:s0
        fadi_longshot                             u:object_r:fadi_longshot_service:s0

  6. prebuilts/api/28.0/public/service.te

        # fadi SE-Linux
        type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
        type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
        type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;

  7. private/compat/26.0/26.0.cil

        (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
        (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
        (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

  8. private/compat/27.0/27.0.cil

        (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
        (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
        (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

  9. private/service_contexts (core file)

        # fadi SE-Linux
        fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
        fadi_applock                              u:object_r:fadi_applock_service:s0
        fadi_longshot                             u:object_r:fadi_longshot_service:s0

  10. public/service.te (core file)

        # fadi SE-Linux
        type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
        type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
        type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;
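Added example, not the author's tool and not anything from AOSP: a Python cross-check of the kinds of file the procedure in sections 3 and 4 edits (service.te, service_contexts and the 26.0/27.0 compat .cil mappings). It reports the inconsistencies behind the build errors above: a service_contexts entry whose type is never declared, a declared type with no service name, a type without service_manager_type, and a type missing its typeattributeset mapping in a compat version. The sample file contents are the lines listed above; BROKEN_CIL_27 is constructed with one mapping deliberately left out so the report shows what a mismatch looks like. The regexes and function names are mine.

```python
"""Cross-check the SELinux service-type files edited for a new system service.

Added example for this write-up, not a tool from AOSP.  It reads the file
kinds the procedure touches (service.te, service_contexts and the NN.0.cil
compat mappings) and reports mismatches between them.  The sample contents
below are the lines the write-up adds; BROKEN_CIL_27 is constructed with
fadi_longshot_service dropped on purpose to show what a report looks like.
"""
import re

SERVICE_TE = """\
# fadi SE-Linux
type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;
"""

SERVICE_CONTEXTS = """\
# fadi SE-Linux
fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
fadi_applock                              u:object_r:fadi_applock_service:s0
fadi_longshot                             u:object_r:fadi_longshot_service:s0
"""

CIL_26 = """\
(typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
(typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
(typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))
"""

# Constructed: the 27.0 mapping with fadi_longshot_service left out.
BROKEN_CIL_27 = """\
(typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
(typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
"""

TYPE_RE = re.compile(r"^type\s+(\w+)\s*,\s*(.*?);", re.M)
CTX_RE = re.compile(r"^(\S+)\s+u:object_r:(\w+):s0\s*$", re.M)
CIL_RE = re.compile(r"\(typeattributeset\s+(\w+)_(\d+)_(\d+)\s+\((\w+)\)\)")


def declared_types(te_text):
    """type name -> set of attributes, for every `type ...;` line in service.te."""
    return {name: {a.strip() for a in attrs.split(",")}
            for name, attrs in TYPE_RE.findall(te_text)}


def context_map(ctx_text):
    """service name -> type, from service_contexts (comment lines ignored)."""
    return dict(CTX_RE.findall(ctx_text))


def compat_map(cil_text, version):
    """type -> versioned attribute for one NN.0.cil; ignores other versions."""
    major = version.split(".")[0]
    out = {}
    for base, maj, minor, real in CIL_RE.findall(cil_text):
        if maj == major:
            out[real] = "%s_%s_%s" % (base, maj, minor)
    return out


def check(te_text, ctx_text, compat_cils):
    """Return a sorted list of human-readable problems (empty means consistent).

    compat_cils maps a version string such as "26.0" to that NN.0.cil's text.
    """
    problems = []
    types = declared_types(te_text)
    contexts = context_map(ctx_text)
    for name, attrs in types.items():
        if "service_manager_type" not in attrs:
            problems.append("%s lacks service_manager_type" % name)
        if name not in contexts.values():
            problems.append("%s has no service_contexts entry" % name)
    for svc, typ in contexts.items():
        if typ not in types:
            problems.append("service %s maps to undeclared type %s" % (svc, typ))
    for version, cil_text in compat_cils.items():
        mapped = compat_map(cil_text, version)
        for name in types:
            if name not in mapped:
                problems.append("%s missing from %s compat cil" % (name, version))
    return sorted(problems)


if __name__ == "__main__":
    for p in check(SERVICE_TE, SERVICE_CONTEXTS,
                   {"26.0": CIL_26, "27.0": BROKEN_CIL_27}):
        print("PROBLEM:", p)
```

On a real tree, read the files from both system/sepolicy and system/sepolicy/prebuilts/api/28.0 and run check() on each copy: the freeze test in 3.2 requires the two to match, so the checker should report the same result for both.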