Add native service to AOSP
I am trying to add a native service written in C++ to the AOSP build.
The first thing I did was to create a native service and client in the AOSP build. This worked as expected. I could start the service within an adb shell and call it via binder from an adb shell.
The trouble started when I wanted to start my service with init. I added a .rc file to my build:
service myp /system/bin/myp_service
    class main
This did the trick so that init tried to start it, but it failed because of SELinux policies. So I added a file_contexts file to my device tree and added:
/system/bin/myp_service u:object_r:myp_exec:s0
Next I added a myp.te file and added:
type myp, domain;
type myp_exec, exec_type, file_type;
type myp_service, service_manager_type;
init_daemon_domain(myp)
net_domain(myp)
binder_use(myp)
binder_service(myp)
add_service(myp, myp_service)
binder_call(myp, binderservicedomain)
binder_call(myp, appdomain)
allow myp myp_service:service_manager add;
And finally I added a service_contexts file with:
myp u:object_r:myp_service:s0
This finally made my service successfully start at boot time. Unfortunately I cannot use binder against this service. When I try to connect to the service with my client, the call
defaultServiceManager()->getService(String16("Demo"))
returns a null pointer. I cannot find any hints in dmesg. So I assume I am still missing something for SELinux, but I have no clue what I am missing.
If I shut down SELinux with setenforce and restart the service, then it works fine.
Can anyone give me a hint what I am missing for SELinux, or where I can get more information about which policy blocked something?
You could see the denials like this:
adb logcat | grep "SELinux : avc" > /tmp/logs
adb pull sepolicy .
audit2allow (located in the AOSP source code at external/selinux/prebuilts/bin/audit2allow, or in the SDK tools). Do this:
cat /tmp/logs | ./external/selinux/prebuilts/bin/audit2allow -p sepolicy
The audit2allow tool will tell you what permissions you are missing for the extracted logcat and the current sepolicy file. Watch out, because you could need to do this several times, since fixing some permissions will show the next ones required.
If you have a userdebug kind of build you could do setenforce 0, logcat with it, and all the denials will be in logcat even if you are permitted to do the desired operation. This will keep the audit2allow iterations required to 1.
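A small offline stand-in for the audit2allow step described in this answer, added here as an example (it is not part of either answer and not the audit2allow tool itself): it parses the avc denial lines that the grep above collects, merges them into candidate allow rules, and separately flags denials whose target fell back to the default_android_service label, which means the service_contexts entry was never applied. The log lines are constructed; the service, domain and label names are the ones from the question.

```python
import re

# Constructed `adb logcat | grep "SELinux : avc"` sample (not from the post), shaped like servicemanager's
# libselinux denial logging. Line 3: a find denial when service_contexts was NOT merged into the build.
SAMPLE_LOG = """\
01-01 00:00:01.000  1200  1200 E SELinux : avc:  denied  { add } for service=myp pid=1234 uid=1000 scontext=u:r:myp:s0 tcontext=u:object_r:myp_service:s0 tclass=service_manager permissive=0
01-01 00:00:01.010  1200  1200 E SELinux : avc:  denied  { find } for service=Demo pid=2345 uid=10057 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:myp_service:s0 tclass=service_manager permissive=0
01-01 00:00:01.020  1200  1200 E SELinux : avc:  denied  { find } for service=Demo pid=2345 uid=10057 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
01-01 00:00:02.000  1234  1234 I myp_service: started
"""

DENIAL_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)"
                       r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?")
SERVICE_RE = re.compile(r"\bservice=(\S+)")

def context_type(ctx):
    """Type field of a label: u:r:myp:s0 -> myp, u:object_r:myp_service:s0 -> myp_service."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """One dict per avc denial line; other lines are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["permissive"] = d["permissive"] == "1"  # True: logged under setenforce 0, access was granted
        sm = SERVICE_RE.search(line)
        d["service"] = sm.group(1) if sm else None
        denials.append(d)
    return denials

def unlabeled_services(denials):
    """Services whose target label is default_android_service: fix service_contexts, not policy."""
    return sorted({d["service"] for d in denials
                   if d["service"] and context_type(d["tcontext"]) == "default_android_service"})

def suggest_allow_rules(denials):
    """Merge denials into one 'allow src tgt:class { perms };' per triple; review each before adding it."""
    merged = {}
    for d in denials:
        src, tgt = context_type(d["scontext"]), context_type(d["tcontext"])
        if tgt == "default_android_service":  # needs a label (see unlabeled_services), not a rule
            continue
        merged.setdefault((src, tgt, d["tclass"]), set()).update(d["perms"])
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(merged.items())]
```

Run it on a real /tmp/logs by reading the file into parse_denials; a rule the tool suggests is only a missing rule if that access is actually intended, otherwise the denial is doing its job.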
For anyone who came across this problem, please make sure your service_contexts file is successfully merged with the stock service_contexts file. If you're building your service for Android O or later, please put this file inside a folder and refer to it in your Makefile by BOARD_PLAT_PRIVATE_SEPOLICY_DIR [1]. And you don't need to add allow myp default_android_service:service_manager add if the build system does pick up your service_contexts.
Also, about the domain.te violation problem, you probably want to attach one of the coredomain or appdomain attributes to your domain [2] with typeattribute <your_domain> <attribute>;.
Finally, please double check the following built files to make sure you don't leave any sepolicy configurations out in the final build: