Adding a service on Android 9.0 and modifying SELinux
#Table of contents
- #Preface
- #Origin of SELinux
- #Basic SELinux architecture
- #SELinux behaviour across Android versions
- #Generating SELinux permissions with audit2allow
- #Complete code
#Preface
First, a pointer to my earlier SELinux article. That one was for Android 7.1, and 9.0 has already diverged from it considerably.
Android 7.1: adding a shell service in init.rc
An aside:
Doing projects in a company is quite different from doing them at university. A company has to turn technology into a product and then sell that product to make money, so it cannot ignore the development cycle, procurement cost and sales channels. If development burns a huge effort and still cannot deliver, or the hardware design itself carries very large risk and a long development cycle, that can be fatal for the project. Sales can keep boasting, but the longer the boasting goes on, the higher the cost in credibility; otherwise why did Boss Jia's car, after being so long awaited, have so many problems when it finally appeared?
#Origin of SELinux
SELinux (Security-Enhanced Linux) is a mandatory access control mechanism initiated by the US National Security Agency (NSA), with Secure Computing Corporation (SCC) and MITRE directly involved in its development, together with many research institutions (such as the University of Utah). It was first released as a general-purpose access control package in December 2000 (the code is licensed under the GPL). From Linux kernel 2.6 onwards SELinux has been integrated directly into the kernel, built on top of the Linux Security Module (LSM) framework, and it has become the most popular and most widely deployed security solution.
#Basic SELinux architecture
SELinux is a typical implementation of MAC (Mandatory Access Control): every object in the system is assigned a security context, and every access by an object to a system resource is checked against that context. The checks include type enforcement, Multi-Level Security (MLS) and Role Based Access Control (RBAC).
SELinux is built on the Linux Security Module (LSM) framework; for a detailed description of the LSM architecture see the paper “Linux Security Modules: General Security Support for the Linux Kernel”, published at the USENIX Security conference in 2002. SELinux implements the complete set of LSM hook functions. Its overall structure is shown in the figure below:
#SELinux behaviour across Android versions
Android has enforced SELinux for a long time, but the details differ between Android versions, and the Android 9.0 we use now is arguably the strictest yet. Previously, when an allow rule failed to compile, you could go into domain.te and add the relevant neverallow exclusion; on 9.0 that no longer works, and every type must be declared and requested strictly the way the Android standard requires.
#Generating SELinux permissions with audit2allow
This tool is a real lifesaver. It ships in the SDK; once you have it, save the SELinux denials to a file and the tool generates the corresponding allow rules for you.
Tool location:
./external/selinux/prebuilts/bin/audit2allow
Screenshots of the tool in use:
Reference:
https://blog.csdn.net/q1183345443/article/details/90438283
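As an added illustration of the audit2allow step (my own code, not the tool itself and not from this post), the script below parses constructed AVC denial lines for the post's zigbee_service domain, aggregates them into allow rules the way audit2allow does, and flags the generated rules a reviewer should question before pasting them into a .te file. The sample log is invented, and the watch-list in review() is my own heuristic, not an AOSP rule.

```python
import re
from collections import defaultdict

# One Android AVC denial line, the input format audit2allow consumes.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=u:r:(?P<sdomain>[^:\s]+):s0.*?"
    r"tcontext=u:(?:r|object_r):(?P<ttype>[^:\s]+):s0.*?"
    r"tclass=(?P<tclass>\S+)"
)

# Constructed sample (invented, not a real capture) of `adb shell dmesg | grep avc` output.
SAMPLE_DMESG = """\
[   12.3] type=1400 audit(0.0:17): avc: denied { read } for comm="zigbee_service" name="mosquitto.conf" dev="mmcblk0p34" ino=22 scontext=u:r:zigbee_service:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
[   12.3] type=1400 audit(0.0:18): avc: denied { open } for comm="zigbee_service" path="/data/gateway/mosquitto.conf" dev="mmcblk0p34" ino=22 scontext=u:r:zigbee_service:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
[   12.4] type=1400 audit(0.0:19): avc: denied { execute } for comm="sh" name="mosquitto" dev="mmcblk0p34" ino=23 scontext=u:r:zigbee_service:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
[   12.4] type=1400 audit(0.0:20): avc: denied { dac_override } for comm="mosquitto" capability=1 scontext=u:r:zigbee_service:s0 tcontext=u:r:zigbee_service:s0 tclass=capability permissive=0
"""

def parse_denials(log_text):
    """Collapse denial lines into {(source domain, target type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["sdomain"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render aggregated denials as .te allow statements, the way audit2allow does."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

def review(rules):
    """My own heuristic watch-list (not part of audit2allow): rules not to merge as-is."""
    findings = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if cls == "file" and tgt.endswith("_data_file") and perms & {"execute", "execute_no_trans"}:
            findings.append(f"{src} executes from writable /data ({tgt}); check the "
                            "neverallow rules in system/sepolicy and prefer /system/bin")
        if cls == "capability" and perms & {"dac_override", "dac_read_search"}:
            findings.append(f"{src} asks for {sorted(perms)}; fix file owner/mode instead")
    return findings
```

Feed parse_denials() the saved dmesg or logcat text; for the sample above it yields two allow rules, and review() warns about both of them.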
#Complete code
Our project needs to start a service that amounts to running a few scripts, and those could be written directly in init.rc. But writing them straight into init.rc kept producing all sorts of problems and was awkward to replace, and on top of that a service implemented as an executable and one run from init.rc have different SELinux permission requirements.
I discussed this problem with several experts; our manager Deng even worked overtime on it with me, but unfortunately it still was not solved, mainly because we were looking in the wrong direction. The next day I went through the code again myself and figured I must be the one man in ten thousand. I did nothing fancy: in SELinux's file_contexts I found an existing service that likewise needs exec, opened Source Insight, did a global search, and added entries for my service following that one, step by step. One thing to watch: edits made in Source Insight do not add the trailing newline, so the files have to be fixed again under Linux, otherwise the build fails.
Then comes the build. An incremental build may still fail because all the earlier haphazard changes have polluted the environment, so I deleted out and did a full build. After flashing, I checked the services with top and was surprised to find that the service was up.
At boot there are still plenty of SELinux denials, and those need to be fixed with the tool described above.
This complete set of changes only applies to Android 9.0; for other Android versions it can serve as a reference, though on lower versions it is certainly far easier than on 9.0.
diff --git a/device/mediatek/sepolicy/basic/plat_private/file_contexts b/device/mediatek/sepolicy/basic/plat_private/file_contexts index f306119717..3271d2b624 100644 --- a/device/mediatek/sepolicy/basic/plat_private/file_contexts +++ b/device/mediatek/sepolicy/basic/plat_private/file_contexts @@ -42,3 +42,5 @@/sys/devices/platform/vibrator@0/leds/vibrator(/.*)? u:object_r:sysfs_vibrator:s0/sys/block/mmcblk0rpmb/size u:object_r:access_sys_file:s0 +/system/bin/zigbee_service u:object_r:zigbee_service_exec:s0 + diff --git a/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te b/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te new file mode 100755 index 0000000000..94c23d7ec3 --- /dev/null +++ b/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te @@ -0,0 +1,20 @@ +#typeattribute zigbee_service coredomain; +#type zigbee_service, domain; +#type zigbee_service_exec, exec_type, file_type; +#permissive zigbee_service; +#init_daemon_domain(zigbee_service) + +# New added for move to /system +typeattribute zigbee_service coredomain; +type zigbee_service_exec , exec_type, file_type; + +# ============================================== +# MTK Policy Rule +# ============================================== + +init_daemon_domain(zigbee_service) +allow zigbee_service shell_exec:file execute; +#allow zigbee_service zigbee_service_exec:file { getattr read open execute execute_no_trans}; +#allow zigbee_service shell_exec:file { getattr read open execute execute_no_trans}; +#allow zigbee_service system_file:file { getattr read open execute execute_no_trans}; +#allow zigbee_service system_data_file:file { getattr read open execute execute_no_trans}; diff --git a/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te b/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te new file mode 100644 index 0000000000..b3d94d5cf8 --- /dev/null +++ b/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te 
@@ -0,0 +1,2 @@ +type zigbee_service ,domain; +allow zigbee_service shell_exec:file execute; diff --git a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts index 9d6963909b..e3ac5ea245 100755 --- a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts +++ b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts @@ -38,3 +38,5 @@# For boot type/sys/devices/virtual/BOOT/BOOT/boot/boot_type(/.*)? u:object_r:sysfs_boot_type:s0 +/system/bin/zigbee_service u:object_r:zigbee_service_exec:s0 + diff --git a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te new file mode 100644 index 0000000000..b3d94d5cf8 --- /dev/null +++ b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te @@ -0,0 +1,2 @@ +type zigbee_service ,domain; +allow zigbee_service shell_exec:file execute; diff --git a/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil index aac1622a40..d3db9d1acc 100755 --- a/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil +++ b/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil @@ -539,6 +539,7 @@(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))(typeattributeset statusbar_service_26_0 (statusbar_service))(typeattributeset boot_logo_updater_26_0 (boot_logo_updater)) +(typeattributeset zigbee_service_26_0 (zigbee_service))(typeattributeset idmap_26_0 (idmap))(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))(typeattributeset cameraserver_exec_26_0 (cameraserver_exec)) diff --git a/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil index ba093e7885..d92414362c 100755 
--- a/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil +++ b/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil @@ -562,6 +562,7 @@(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))(typeattributeset statusbar_service_26_0 (statusbar_service))(typeattributeset boot_logo_updater_26_0 (boot_logo_updater)) +(typeattributeset zigbee_service_26_0 (zigbee_service))(typeattributeset idmap_26_0 (idmap))(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))(typeattributeset cameraserver_exec_26_0 (cameraserver_exec)) diff --git a/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil index 90d6baea41..a21e182ce3 100755 --- a/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil +++ b/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil @@ -565,6 +565,7 @@(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))(typeattributeset statusbar_service_26_0 (statusbar_service))(typeattributeset boot_logo_updater_26_0 (boot_logo_updater)) +(typeattributeset zigbee_service_26_0 (zigbee_service))(typeattributeset idmap_26_0 (idmap))(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))(typeattributeset cameraserver_exec_26_0 (cameraserver_exec)) diff --git a/device/mediateksample/aiv8167sm3_bsp/device.mk b/device/mediateksample/aiv8167sm3_bsp/device.mk index 3e5ad76a99..e8cfdfba8c 100644 --- a/device/mediateksample/aiv8167sm3_bsp/device.mk +++ b/device/mediateksample/aiv8167sm3_bsp/device.mk 
@@ -47,10 +47,10 @@ PRODUCT_COPY_FILES += $(LOCAL_PATH)/sbk-kpd.kl:system/usr/keylayout/sbk-kpd.kl:mendif# for zigbee -PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/Z3GatewayHost:system/bin/Z3GatewayHost -PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto:system/bin/mosquitto -PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto.conf:system/bin/mosquitto.conf -PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto_passwd:system/bin/mosquitto_passwd +PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/Z3GatewayHost:data/gateway/Z3GatewayHost +PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto:data/gateway/mosquitto +PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto.conf:data/gateway/mosquitto.conf +PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto_passwd:data/gateway/mosquitto_passwd# Add FlashTool needed files#PRODUCT_COPY_FILES += $(LOCAL_PATH)/EBR1:EBR1 @@ -219,7 +219,8 @@ PRODUCT_PACKAGES += \i2cset \tinymix \tinyplay \ - tinypcminfo + tinypcminfo \ + zigbee_service# add CarBTDemoPRODUCT_PACKAGES += CarBTDemo diff --git a/device/mediateksample/aiv8167sm3_bsp/init.project.rc b/device/mediateksample/aiv8167sm3_bsp/init.project.rc index 75b1e7aa28..1a9d073db2 100644 --- a/device/mediateksample/aiv8167sm3_bsp/init.project.rc +++ b/device/mediateksample/aiv8167sm3_bsp/init.project.rc @@ -82,6 +82,9 @@ on post-fs-datamkdir /data/vendor/wifi/wpa 0770 wifi wifimkdir /data/vendor/wifi/wpa/sockets 0770 wifi wifi+#Zigbee + mkdir /data/gateway/ -p +on boot# Wlan 
@@ -94,6 +97,28 @@ service wpa_supplicant /vendor/bin/hw/wpa_supplicant \disabledoneshot+#zigbee service zigbee /system/bin/zigbee_service /data/gateway/mosquitto -c /data/gateway/mosquitto.conf -d +service zigbee_service /system/bin/zigbee_service + user root + group root + class main + oneshot + +on property:sys.boot_completed=1 + touch /data/gateway/log + echo "=== weiqifa === zigbee service#1 start" >> /data/gateway/log + write /dev/ttyMT0 "=== weiqifa === start zigbee service#1\n" + chmod 777 /data/gateway/Z3GatewayHost + chmod 777 /data/gateway/mosquitto + chmod 777 /data/gateway/mosquitto.conf + chmod 777 /data/gateway/mosquitto_passwd + chown system:system /data/gateway/Z3GatewayHost + chown system:system /data/gateway/mosquitto + chown system:system /data/gateway/mosquitto.conf + chown system:system /data/gateway/mosquitto_passwd + start zigbee_service + echo "=== weiqifa === zigbee service#1 end" >> /data/gateway/log +service hdmi /system/bin/hdmiclass mainuser system @@ -112,3 +137,4 @@ on initservice fuse_usbotg /system/bin/sdcard -u 1023 -g 1023 -w 1023 -d /mnt/media_rw/usbotg /storage/usbotgclass late_startdisabled + diff --git a/external/zigbee-service/Android.mk b/external/zigbee-service/Android.mk new file mode 100755 index 0000000000..b38c2de48f --- /dev/null +++ b/external/zigbee-service/Android.mk @@ -0,0 +1,8 @@ +LOCAL_PATH := $(call my-dir) + +include $(CLEAR_VARS) +LOCAL_MODULE := zigbee_service +LOCAL_SRC_FILES := zigbee-service.c +LOCAL_MODULE_TAGS := optional + +include $(BUILD_EXECUTABLE) \ No newline at end of file diff --git a/external/zigbee-service/zigbee-service.c b/external/zigbee-service/zigbee-service.c new file mode 100755 index 0000000000..264c3d07ac --- /dev/null +++ b/external/zigbee-service/zigbee-service.c 
@@ -0,0 +1,19 @@ +#include <sys/stat.h> +#include <fcntl.h> +#include <unistd.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <linux/ioctl.h> +#include <unistd.h> + +int main(int argc, char * const argv[]) +{ + + printf("=== weiqifa ===Zigbee start ...\n"); + printf("argc:%d\n",argc); + printf("argv[0]:%s",argv[0]); + system("/data/gateway/mosquitto -c /data/gateway/mosquitto.conf -d"); + printf("=== weiqifa ===Zigbee end ...\n"); + return (0); +} \ No newline at end of file
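Review bot: in the plat_private/zigbee_service.te hunk, the commented-out `#permissive zigbee_service;` and the four commented `{ getattr read open execute execute_no_trans }` allow lines should be deleted rather than left in the file, so a later edit cannot put a production domain into permissive mode by uncommenting one line. With `typeattribute zigbee_service coredomain;` the domain also falls under the coredomain neverallow rules in system/sepolicy, and the only job of this service is to execute /data/gateway/mosquitto, i.e. code on the writable data partition; that is exactly the pattern those rules exist to block, and it matches the denials the post says still show up at boot. Keeping the binaries under /system/bin with their own `*_exec` label avoids the conflict.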
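Review bot: `allow zigbee_service shell_exec:file execute;` is duplicated between plat_public/zigbee_service.te and plat_private/zigbee_service.te; keep the public file to the `type zigbee_service, domain;` declaration and put the allow rule in the private file only, since duplicated rules drift apart. The same type and rule are also added under prebuilts/api/26.0/, and `(typeattributeset zigbee_service_26_0 (zigbee_service))` is added to three 26.0.cil compat maps, which claims the type existed in the 26.0 policy; the prebuilts/api directory is a frozen snapshot used for compatibility checks, and AOSP's convention for a type introduced after 26.0 is to list it in the 26.0.ignore.cil file instead of mapping it. If the build forced these edits, the commit message should say which check failed.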
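Review bot: the first device.mk hunk moves Z3GatewayHost, mosquitto, mosquitto.conf and mosquitto_passwd from system/bin to data/gateway, i.e. from the read-only, verity-protected system image to the writable userdata partition, and the init.project.rc hunk in the same patch then executes them as root. Keep the executables under system/bin (labelled through file_contexts, as zigbee_service already is) and place only mosquitto.conf and any runtime state under /data.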
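Review bot: in the init.project.rc hunks, `echo "..." >> /data/gateway/log` is not an Android init command (init has `write <path> <content>` and no shell redirection), so init rejects those two lines as invalid commands and nothing is logged; the `write /dev/ttyMT0 ...` line is the form that works. `mkdir /data/gateway/ -p` is also wrong for init, whose syntax is `mkdir <path> [mode] [owner] [group]`, so `-p` is read as the mode; use `mkdir /data/gateway 0750 system system`. The `chmod 777` on four files followed by `start zigbee_service` with `user root` means world-writable binaries are executed as root on every boot: any process that can write /data/gateway can replace them. Use 0550 on the executables, 0640 on the config, and give the service a dedicated user and group instead of root.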
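Review bot: zigbee-service.c does nothing but `system("/data/gateway/mosquitto -c /data/gateway/mosquitto.conf -d")` and exits; because mosquitto daemonizes with `-d`, the oneshot service ends at once and init can neither supervise nor restart the broker, and the `system()` call goes through /system/bin/sh, which is the only reason `shell_exec:file execute` had to be allowed. Running the broker directly as an init service (`service mosquitto /system/bin/mosquitto -c /data/gateway/mosquitto.conf`, without `-d`) removes the shell hop, the extra allow rule and this wrapper entirely. Minor: `printf("argv[0]:%s",argv[0])` lacks a trailing newline, `<unistd.h>` is included twice, and `<sys/stat.h>`, `<fcntl.h>`, `<string.h>` and `<linux/ioctl.h>` are unused.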