
Set shell script Android SELinux policies for starting it at sys boot completed

I am facing trouble creating the SELinux policies for an sh script (init.myservice.sh) with the following content:

#!/system/bin/sh
# Stop the app first so the start below always launches a fresh instance
/system/bin/am force-stop 'com.myapp.apptest'
# Mixer settings for the on-board audio codec
/system/bin/tinymix 'Headphone Volume' 35; tinymix 'Capture Input' ADC; tinymix 'DMIC Mux' DMIC2
/system/bin/am start -n 'com.myapp.apptest/com.myapp.apptest.MainActivity' -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
# Run the board service in the background so this oneshot script can exit
/system/bin/my_board_service &

As you can see, this script does the following things:

  • Stops (and starts) an APK application
  • Sets a few mic and audio settings with tinymix
  • Starts a binary (my_board_service), a compiled C++ program that interacts with the custom board peripherals (GPIOs, I2C, etc.)

I've added the following lines to my "init.rc" file:

on property:sys.boot_completed=1
    start init-myservice

service init-myservice /system/bin/sh /system/bin/init.myservice.sh
    class main
    user root
    group root system
    disabled
    oneshot

I can see the script in the built system under the path "/system/bin", along with the binary, with the correct permissions (755), and if I launch it manually it works well. But I'm unable to launch it at system boot because (without any policies set) I get this error on the shell:

Command 'start init-myservice' action=sys.boot_completed=1 (/vendor/etc/init/hw/init.freescale.rc:334) took 5ms and failed: Could not start service: File /system/bin/init.myservice.sh(labeled "u:object_r:system_file:s0") has incorrect label or no domain transition from u:r:init:s0 to another SELinux domain defined. Have you configured your service correctly? https://source.android.com/security/selinux/device-policy#label_new_services_and_address_denials

So I'm trying to generate service policies, without any luck. I've tried the following. The content of my .te file is:

# foo service
type foo, domain;
type foo_exec, exec_type, file_type;
init_daemon_domain(foo)

I've added the following line to the "file_contexts" file under this location: "android_build/device/variscite/imx8m/dart_mx8mm/sepolicy/"

# the pattern must match the script's real name (init.myservice.sh) or the file keeps the system_file label
/system/bin/init\.myservice\.sh      u:object_r:foo_exec:s0

When I build my AOSP project I get a few errors like this one:

FAILED: out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/treble_sepolicy_tests_28.0 /bin/bash -c "(out/host/linux-x86/bin/treble_sepolicy_tests -l out/host/linux-x86/lib64/libsepolwrap.so -f out/target/product/dart_mx8mm/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts -f out/target/product/dart_mx8mm/obj/ETC/vendor_file_contexts_intermediates/vendor_file_contexts -b out/target/product/dart_mx8mm/obj/ETC/built_plat_sepolicy_intermediates/built_plat_sepolicy -m out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/28.0_mapping.combined.cil -o out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/built_28.0_plat_sepolicy -p out/target/product/dart_mx8mm/obj/ETC/sepolicy_intermediates/sepolicy -u out/target/product/dart_mx8mm/obj/ETC/built_plat_sepolicy_intermediates/base_plat_pub_policy.cil --fake-treble ) && (touch out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/treble_sepolicy_tests_28.0 )"
The following domain(s) must be associated with the "coredomain" attribute because they are executed off of /system: foo

I recently was able to get what you are describing to work, but there were some differences in our approaches. All of my changes were in "/vendor" on the target. I'm not sure where your init.rc changes were going, but you described your script as being installed in "/system".

Otherwise, most of what you are describing is familiar, including having issues compiling the SELinux policy. In the end, the policy that worked for me looked something like this:

# foo service
type foo, domain;
type foo_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(foo)

# followed by all the particulars of my service.

If you are set on installing your service in "system" instead of "vendor", the wording of the error message seems to be telling you to associate your domain with the "coredomain". I think that means your policy should include the following line somewhere before "init_daemon_domain":

typeattribute foo coredomain;

You should also be aware that I've seen it said that there is an SELinux policy that prohibits mixing "vendor" with "system". I'm not sure, but I think it means that if you modified an init.rc in the /vendor file system to run your script, you are limited to using "stuff" found in the /vendor file system. Your example above shows your script using /system/bin/sh, so if you modified an init.rc in the /vendor file system to start that script, I think that would be a violation.
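The three failure modes that surface in this thread (the script path not matched by any file_contexts entry so it stays system_file, no init_daemon_domain transition, and a /system service whose domain lacks coredomain) can be caught before a full AOSP build. The POSIX shell checker below is an added example, not code from the question or the answer; its init.rc, file_contexts and .te inputs are constructed to mirror the question, and the service and type names (init-myservice, foo, foo_exec) are taken from it.

```shell
#!/bin/sh
# Cross-check an init.rc service against file_contexts and its .te policy.
# Added example (not from the question or answer); sample inputs below are
# constructed to mirror the question, including its script-name mismatch.
INIT_RC='service init-myservice /system/bin/sh /system/bin/init.myservice.sh
    class main
    disabled
    oneshot'
FC_BAD='/system/bin/init\.myscript\.sh   u:object_r:foo_exec:s0'
FC_OK='/system/bin/init\.myservice\.sh  u:object_r:foo_exec:s0'
TE_BAD='type foo, domain;
type foo_exec, exec_type, file_type;
init_daemon_domain(foo)'
TE_OK='type foo, domain;
typeattribute foo coredomain;
type foo_exec, exec_type, file_type;
init_daemon_domain(foo)'

# check_service_policy SERVICE INIT_RC FILE_CONTEXTS TE -> 0 if consistent, 1 if not
check_service_policy() {
  svc=$1; rc=$2; fc=$3; te=$4; rv=0
  # The script is the last absolute-path argument of the matching service line.
  script=$(printf '%s\n' "$rc" | awk -v s="$svc" \
    '$1=="service" && $2==s { for (i=NF; i>2; i--) if ($i ~ /^\//) { print $i; exit } }')
  [ -n "$script" ] || { echo "FAIL: no service '$svc' in init.rc"; return 1; }
  # file_contexts keys are regexes; first match wins here (libselinux picks the
  # most specific entry, which only matters with several candidate lines).
  label=$(printf '%s\n' "$fc" | awk -v p="$script" \
    '$1 !~ /^#/ && p ~ ("^" $1 "$") { print $2; exit }')
  if [ -z "$label" ]; then
    echo "FAIL: $script matches no file_contexts entry, so it keeps the system_file label"
    return 1
  fi
  type=${label#u:object_r:}; type=${type%%:*}; dom=${type%_exec}
  printf '%s\n' "$te" | grep -Eq "^type[[:space:]]+$type,.*exec_type" ||
    { echo "FAIL: $type is not declared with exec_type"; rv=1; }
  printf '%s\n' "$te" | grep -Fq "init_daemon_domain($dom)" ||
    { echo "FAIL: no init_daemon_domain($dom): init cannot transition to $dom"; rv=1; }
  case $script in /system/*)   # treble_sepolicy_tests: /system domains need coredomain
    printf '%s\n' "$te" | grep -Eq "^typeattribute[[:space:]]+$dom[[:space:]]+coredomain;" ||
      { echo "FAIL: $script is on /system but $dom lacks the coredomain attribute"; rv=1; } ;;
  esac
  [ "$rv" -eq 0 ] && echo "OK: $script -> $label -> domain $dom"
  return "$rv"
}

check_service_policy init-myservice "$INIT_RC" "$FC_BAD" "$TE_BAD" || :   # name mismatch
check_service_policy init-myservice "$INIT_RC" "$FC_OK" "$TE_BAD" || :    # missing coredomain
check_service_policy init-myservice "$INIT_RC" "$FC_OK" "$TE_OK"          # consistent
```

On a device the same facts can be confirmed with `ls -Z` on the script and the service's domain in `ps -AZ`; the checker only reads the three text files, so it runs on the build host.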
