
SELinux policy definition for Android system service: how to set up?

I had earlier written a standalone daemon to access a custom device (/dev/mydev0). Looking at the AOSP source, I figured I needed to set up policies in the following files to make it work:

new file device.te containing:

type mydev_device, dev_type;

new file mydevsrvc.te containing:

# service flash_recovery in init.rc
type mydevsrvc_type, domain;
type mydevsrvc_type_exec, exec_type, file_type;

init_daemon_domain(mydevsrvc_type)

allow mydevsrvc_type mydev_device:chr_file rw_file_perms;

edited file_contexts to add:

/dev/mydev[0-9]*    u:object_r:mydev_device:s0

edited service_contexts to add:

mydevsrvc                  u:object_r:mydevsrvc_type:s0

And started the daemon by editing init.flo.rc to include these lines:

service mydevsrvc /system/bin/mydevsrvc
    class main
    user system
    group system
    seclabel u:r:mydevsrvc_type:s0
    oneshot

Now, I need to access the device in Android apps, so I must change the daemon into an Android system service.

I can start up the service (thread) using the BOOT_COMPLETED intent, as explained in a previous question.

I am not able to figure out how to set up SELinux policies so that this Java service is also able to access the dev file.

[Update] I have continued using privileged daemon for this purpose. My java service connects to daemon through sockets. I don't have a better solution.

I finally figured out the answer. Posting it here, because there sure will be SEPolicy noobs like me looking for similar answers.

For this to work, I needed to be able to access my device file from my Java app that implements my service.

I needed to add the following rule in my sepolicy directory, in a new file:

allow system_app mydev_device:chr_file rw_file_perms;

Also, I needed to make my service app run in the system_app domain. For this, I need to:

  1. Install in priv_app during Android build.
  2. Sign it with platform key
  3. Declare shared user id in manifest: android.uid.system. I found that without this, the app runs in platform-app domain and wasn't able to access my device file even with the corresponding change in the SEPolicy rule. Not sure why though, I didn't bother to debug.

It might also be possible to run my Service app in mydevsrvc_type domain. I didn't find out how to do that, or whether that will work.
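An audit sketch for the rules in this thread, added here as an example and not part of the original posts: it resolves which label /dev/mydev0 gets from file_contexts and lists every domain the allow rules let reach it, flagging grants to domains shared by many apps (every app signed with the platform key and declaring android.uid.system runs as system_app). Assumptions: the inputs are the policy lines quoted above, file_contexts matching is simplified to "last matching entry wins", m4 macros such as rw_file_perms and attributes are not expanded, and the function names are hypothetical.

```python
import re

# Constructed inputs: the policy lines quoted in the question and answer on this page.
FILE_CONTEXTS = "/dev/mydev[0-9]*    u:object_r:mydev_device:s0\n"
POLICY = """
type mydev_device, dev_type;
allow mydevsrvc_type mydev_device:chr_file rw_file_perms;
allow system_app mydev_device:chr_file rw_file_perms;
"""
# Domains that AOSP assigns to whole classes of apps rather than to one program.
SHARED_APP_DOMAINS = {"system_app", "platform_app", "priv_app", "untrusted_app"}

TOK = r"(\{[^}]*\}|\S+)"  # a single name or a { brace-enclosed set }
ALLOW_RE = re.compile(rf"^\s*allow\s+{TOK}\s+{TOK}\s*:\s*{TOK}\s+{TOK}\s*;")

def _names(tok):
    """Split 'a' or '{ a b }' into a list of names."""
    return tok.strip("{} ").split()

def label_for(path, file_contexts=FILE_CONTEXTS):
    """Return the type of the last file_contexts entry whose regex matches path."""
    label = None
    for line in file_contexts.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and re.fullmatch(fields[0], path):
            label = fields[-1].split(":")[2]  # u:object_r:<type>:s0
    return label

def domains_with_access(path, tclass="chr_file", policy=POLICY,
                        file_contexts=FILE_CONTEXTS):
    """Map each source domain to the permissions it is allowed on path's label."""
    target = label_for(path, file_contexts)
    access = {}
    for line in policy.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        srcs, tgts, classes, perms = (_names(g) for g in m.groups())
        if target in tgts and tclass in classes:
            for src in srcs:
                access.setdefault(src, set()).update(perms)
    return access

def shared_grants(path, **kw):
    """Domains with access to path that are shared by many unrelated apps."""
    return sorted(set(domains_with_access(path, **kw)) & SHARED_APP_DOMAINS)

if __name__ == "__main__":
    print(label_for("/dev/mydev0"), domains_with_access("/dev/mydev0"))
    print("shared domains with access:", shared_grants("/dev/mydev0"))
```

A non-empty result from shared_grants means the device node is reachable by every app in that domain, not only the one service app, which is the trade-off against keeping access in the dedicated mydevsrvc_type daemon.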

Here is a brief summary of the steps needed to implement SELinux on your Android device:

  1. Add SELinux support in the kernel and configuration.
  2. Grant each service (process or daemon) started from init its own domain.
  3. Identify these services by:
     - Reviewing the init..rc file and finding all services.
     - Examining warnings of the form "init: Warning! Service name needs a SELinux domain defined; please fix!" in dmesg output.
     - Checking ps -Z | grep init output to see which services are running in the init domain.
  4. Label all new processes, drivers, sockets, etc. All objects need to be labeled properly to ensure they interact properly with the policies you apply. See the labels used in AOSP for examples to follow in label name creation.
  5. Institute security policies that fully cover all labels and restrict permissions to their absolute minimum.

Ideally, OEMs start with the policies in the AOSP and then build upon them for their own customizations.

For more, see https://source.android.com/security/selinux/implement.html

Possibly add a line to your ueventd.rc file, or to a project-specific one, to grant the permission.

In response to your question, to start the service from init rc you can just write an rc file like the one below, which will start your service on receiving boot_completed:

on property:sys.boot_completed=1
    start mydevsrvc

For reference: http://androidxref.com/9.0.0_r3/xref/device/generic/qemu/init.ranchu.rc#60
