更新 Android 9 SELinux 策略以允許系統應用程序進行 OTA 更新

Question

我目前正在參與在 Android 9 自定義操作系統上開發系統信息亭應用程序。 我們在嘗試 OTA 更新時注意到與此問題類似的問題： https://stackoverflow.com/a/55748901

總而言之，SElinux 策略似乎阻止系統應用程序（作為系統進程運行）執行 OTA 更新所需的某些任務。 由於源代碼完全在我們的控制之下，我希望修改 SELinux 策略以允許以下拒絕：

avc: denied { remove_name } for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied { getattr } for path="/cache/recovery/uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied { dac_read_search } for capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1

到目前為止，我已經更新了設備 system_app.te 文件以將列出的操作添加到允許列表中，但我在嘗試重建時遇到了一長串與 SELinux 相關的構建錯誤。

system_app.te：

typeattribute system_app system_writes_vendor_properties_violators;

set_prop(system_app, vendor_bluetooth_prop)
get_prop(system_app, vendor_default_prop)

allow system_app system_app_data_file:notdevfile_class_set rw_file_perms;
allow system_app cache_recovery_file:dir { search write add_name remove_name };
allow system_app cache_recovery_file:file { create write open remove_name getattr setattr };
allow system_app cache_file:dir { rw_file_perms add_name create search };
allow system_app cache_file:file  { rw_file_perms create };
allow system_app caam_device:chr_file  rw_file_perms;
allow system_app net_radio_prop:property_service  { set };
allow system_app net_radio_prop:property_service  { set };
allow system_app ctl_default_prop:property_service  { set };
allow system_app dhcp_prop:property_service  { set };
allow system_app net_dns_prop:property_service  { set };
allow system_app http_proxy_prop:property_service  { set };
allow system_app net_dns_prop:file { read } ;
allow system_app update_engine:binder { call transfer };
allow system_app vendor_file:file { read open getattr };
allow system_app fs_bpf:dir { search };
allow system_app sysfs_leds:dir search;
allow system_app sysfs_slate:file { getattr open read write };
allow system_app slate_crs_device:chr_file { open read write };
allow system_app selinuxfs:file { read open };
allow system_app config_gz:file { read open getattr };
allow system_app proc:file { open read };

AOSP 構建產生的錯誤日志：

[ 29% 18768/64380] build out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows 
/bin/bash -c "(rm -f out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c        30 -o out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
device/seco/imx6dq/sepolicy/system_app.te:8:ERROR 'permission remove_name is not defined for class file' at token ';' on line 42513:
allow system_app cache_recovery_file:dir { search write add_name remove_name };
allow system_app cache_recovery_file:file { create write open remove_name getattr setattr };
checkpolicy:  error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[ 29% 18769/64380] build out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy
FAILED: out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy 
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c         30 -o out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ \"user\" = \"user\" -a -s out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then       echo \"==========\" 1>&2;       echo \"ERROR: permissive domains not allowed in user builds\" 1>&2;         echo \"List of invalid domains:\" 1>&2;         cat out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2;       exit 1;         fi ) && (mv out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
device/seco/imx6dq/sepolicy/system_app.te:8:ERROR 'permission remove_name is not defined for class file' at token ';' on line 42942:
allow system_app cache_recovery_file:dir { search write add_name remove_name };
allow system_app cache_recovery_file:file { create write open remove_name getattr setattr };
checkpolicy:  error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
[ 29% 18770/64380] build out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
out/host/linux-x86/bin/checkpolicy:  policy configuration loaded
out/host/linux-x86/bin/checkpolicy:  writing CIL to out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil.tmp
[ 29% 18771/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/font_output_stream.cc
[ 29% 18772/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/font_data.cc
[ 29% 18773/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/readable_font_data.cc
[ 29% 18774/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/port/memory_input_stream.cc
[ 29% 18775/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/growable_memory_byte_array.cc
ninja: build stopped: subcommand failed.
21:53:56 ninja failed with: exit status 1

#### failed to build some targets (20:25 (mm:ss)) ####

感謝有關如何正確自定義這些策略的 go 的任何建議。

Answer 1

根據你的否認，政策應該是

allow system_app cache_recovery_file:dir create_dir_perms;
allow system_app cache_recovery_file:file create_file_perms;

請參閱此處定義的全局宏

解決 SELinux 拒絕的一個好方法是在 github 上搜索它們，看看其他人是如何解決的。 看看這個例子，它與你的拒絕相似