Add native service to aosp

I am trying to add a native service written in C++ to the AOSP build.
The first thing I did was to create a native service and client in the AOSP build.
This worked as expected. I could start the service within an adb shell and call it via binder from an adb shell.

The trouble started when I wanted to start my service with init.
I added a .rc file to my build:

service myp /system/bin/myp_service
    class main

This did the trick, so that init tried to start it, but it failed because of SELinux policies.

So I added a file_contexts to my device tree and added:

/system/bin/myp_service     u:object_r:myp_exec:s0

Next I added a myp.te file and added:

type myp, domain;
type myp_exec, exec_type, file_type;
type myp_service, service_manager_type;

init_daemon_domain(myp)
net_domain(myp)

binder_use(myp)
binder_service(myp)
add_service(myp, myp_service)
binder_call(myp, binderservicedomain)
binder_call(myp, appdomain)

allow myp myp_service:service_manager add;

And finally I added a service_contexts file with:

myp     u:object_r:myp_service:s0

This finally made my service start successfully at boot time. Unfortunately I cannot use binder against this service. When I try to connect to the service with my client, the call

defaultServiceManager()->getService(String16("Demo"))

returns a null pointer.

I cannot find any hints in the dmesg. So I assume I am still missing something for SELinux, but I have no clue what I am missing.
If I shut down SELinux with setenforce and restart the service, then it works fine.
Can anyone give me a hint what I am missing for SELinux, or where I can get more information about which policy blocked something?

You could see the denials like this:

  1. adb logcat | grep "SELinux : avc" > /tmp/logs
  2. Get the current sepolicy file (it can be taken from the device with adb pull /sepolicy).
  3. Use audit2allow (located in the AOSP source tree at external/selinux/prebuilts/bin/audit2allow, or in the SDK tools): cat /tmp/logs | ./external/selinux/prebuilts/bin/audit2allow -p sepolicy

The audit2allow tool will tell you which permissions are missing, given the extracted logcat and the current sepolicy file. Watch out, because you may need to do this several times: fixing some permissions will reveal the next ones required.

If you have a userdebug kind of build, you can run setenforce 0, take a logcat with it, and all the denials will be in logcat even though you will be permitted to do the desired operation. This will spare you the audit2allow iterations required in 1.
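As an added example (not part of the answer above, and not AOSP's audit2allow itself), the following Python script does the first pass of what steps 1 to 3 describe on a machine without the AOSP tree: it pulls the AVC denial records out of logcat lines and merges them into candidate allow rules, one per (source domain, target type, class), the way audit2allow prints them. It knows nothing about attributes or neverallow rules, so it does not replace running audit2allow against the real sepolicy. Two details a practitioner would want: the grep in step 1 only matches servicemanager's own "SELinux : avc:" lines, while kernel-side denials (file, socket, property access) arrive as "type=1400 audit(...): avc: denied" and would be filtered out, so the parser accepts both shapes; and a service_manager "add" denial whose target is default_android_service is the symptom from the question, meaning the service name was not labelled through service_contexts, so the script reports it as a labelling problem rather than turning it into an allow rule. It also counts denials logged with permissive=1, which is what you get from the setenforce 0 approach. The sample log lines, the service name Demo, the domain myp and the file type system_data_file are all constructed for this example.

```python
"""Turn Android AVC denials from logcat into candidate allow rules.

Added example, not code from the original post and not audit2allow.
Works on raw logcat text; needs no sepolicy file.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample logcat output (not captured from a real device). The first two
# lines are servicemanager's own "SELinux : avc:" format, the next two are kernel
# denials in the "type=1400 audit(...)" format, the last one is noise to be ignored.
SAMPLE_LOGCAT = """\
01-01 00:00:05.101  1234  1234 W servicemanager: SELinux : avc:  denied  { add } for service=Demo pid=2345 uid=1000 scontext=u:r:myp:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
01-01 00:00:05.102  1234  1234 W servicemanager: SELinux : avc:  denied  { find } for service=Demo pid=2346 uid=10081 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
01-01 00:00:05.103     0     0 W myp_service: type=1400 audit(0.0:12): avc: denied { read } for name="mydata" dev="dm-0" ino=42 scontext=u:r:myp:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
01-01 00:00:05.104     0     0 W myp_service: type=1400 audit(0.0:13): avc: denied { open } for path="/data/mydata" dev="dm-0" ino=42 scontext=u:r:myp:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
01-01 00:00:05.105  1234  1234 I servicemanager: something unrelated
"""

# Matches both the servicemanager and the kernel audit shapes: everything after
# "avc: denied { perms } for" up to scontext= is kept as free-form detail.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<detail>.*?)\s*"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    source_domain: str
    target_type: str
    tclass: str
    permissive: bool
    detail: str


def _type_of(context):
    # "u:r:myp:s0", "u:object_r:foo:s0" and "u:r:untrusted_app:s0:c512,c768"
    # all carry the type in the third colon-separated field.
    return context.split(":")[2]


def parse_denials(logcat_text):
    """Extract every AVC denial record from logcat text."""
    denials = []
    for line in logcat_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append(Denial(
            perms=frozenset(m.group("perms").split()),
            source_domain=_type_of(m.group("scontext")),
            target_type=_type_of(m.group("tcontext")),
            tclass=m.group("tclass"),
            permissive=m.group("permissive") == "1",
            detail=m.group("detail"),
        ))
    return denials


def allow_rules(denials):
    """Merge denials into allow rules, one per (source, target, class), audit2allow style."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d.source_domain, d.target_type, d.tclass)] |= d.perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def unlabeled_services(denials):
    """Service names that hit default_android_service: missing service_contexts entries."""
    names = []
    for d in denials:
        if d.tclass == "service_manager" and d.target_type == "default_android_service":
            m = re.search(r"service=(\S+)", d.detail)
            if m and m.group(1) not in names:
                names.append(m.group(1))
    return names


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOGCAT)
    for rule in allow_rules(found):
        print(rule)
    for name in unlabeled_services(found):
        print(f"# service '{name}' resolved to default_android_service:"
              f" add it to service_contexts instead of allowing the add")
    print(f"# {sum(d.permissive for d in found)} of {len(found)} denials were logged in permissive mode")
```

The grouping is the reason the answer warns about repeated iterations: a single run only shows the permissions that were actually attempted, so after `read` and `open` are allowed the next run may surface `getattr` on the same file type. For the default_android_service case, adding the printed allow rule is the wrong fix even if it makes the denial disappear; fixing the service_contexts label (and checking it reached the built service_contexts, as the next answer describes) is.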

For anyone who came across this problem, please make sure your service_contexts file is successfully merged with the stock service_contexts file. If you're building your service for Android O or later, please put this file inside a folder and refer to it in your Makefile by BOARD_PLAT_PRIVATE_SEPOLICY_DIR. And you don't need to add allow myp default_android_service:service_manager add if the build system does pick up your service_contexts.

Also, about the domain.te violation problem, you probably want to attach one of the coredomain or appdomain attributes to your domain with typeattribute <your_domain> <attribute>;

Finally, please double check the following built files to make sure you don't leave any sepolicy configurations out of the final build:

  1. $(AOSP_ROOT)/out/target/product//obj/ETC/file_contexts.bin_intermediates/file_contexts.*
  2. $(AOSP_ROOT)/out/target/product/potter/obj/ETC/plat_service_contexts_intermediates/service_contexts.*
  3. $(AOSP_ROOT)/out/target/product/potter/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
