Android 12 S: adding SELinux permissions for a custom HAL service
If you run into the error shown below, a piece of the configuration was most likely left out. For how to add the custom HAL service itself, see the referenced article.
Series articles
Android 12 S: creation flow of a Native Service
Android 12 S: Binder internals, an introduction to BpBinder, BnBinder and IInterface
Android 12 S: adding SELinux permissions for a custom HAL service
Android 12 S: adding SELinux permissions for a custom Native service
Android 12 S: accessing a Java service from a custom native service
For adding the custom HAL service itself, see "HIDL Service creation flow - analysis based on Android 12 S" (CSDN blog of 加油干(◍>∇<◍)ノ゙).
The HAL's permission configuration follows from the compatibility matrix.
In dvendor_compatibility_matrix.xml:
<hal format="hidl" optional="true">
    <name>vendor.qti.hardware.customizehidl</name>
    <transport>hwbinder</transport>
    <version>1.0</version>
    <interface>
        <name>ICustomizeHidl</name>
        <instance>default</instance>
    </interface>
</hal>
Given this compatibility-matrix entry, the permissions are as follows.
Every one of the additions below is required; leaving any of them out can prevent the service from starting automatically.
device/qcom/sepolicy_vndr/generic/vendor/common/file_contexts
/vendor/bin/hw/vendor\.qti\.hardware\.customizehidl@1\.0-service u:object_r:hal_customizehidl_exec:s0
device/qcom/sepolicy_vndr/generic/vendor/common/hwservice_contexts
vendor.qti.hardware.customizehidl::ICustomizeHidl u:object_r:hal_customizehidl_hwservice:s0
device/qcom/sepolicy_vndr/generic/vendor/common/service_contexts
vendor.qti.hardware.customizehidl.ICustomizeHidl/default u:object_r:hal_customizehidl_service:s0
device/qcom/sepolicy_vndr/generic/vendor/common/file.te
type hal_customizehidl_exec, exec_type, vendor_file_type, file_type;
device/qcom/sepolicy_vndr/generic/vendor/common/hwservice.te
type hal_customizehidl_hwservice, hwservice_manager_type, protected_hwservice;
device/qcom/sepolicy_vndr/generic/vendor/common/service.te
type hal_customizehidl_service, vendor_service, protected_service, service_manager_type;
The domain rules below are likewise all required; leaving any of them out can prevent the service from starting automatically.
device/qcom/sepolicy_vndr/generic/vendor/common/hal_customizehidl.te
type hal_customizehidl, domain;   # the domain name must match the prefix of hal_customizehidl_exec
# Domain transition: when init executes a file labelled hal_customizehidl_exec,
# the new process is labelled hal_customizehidl
init_daemon_domain(hal_customizehidl)
add_hwservice(hal_customizehidl, hal_customizehidl_hwservice)
hwbinder_use(hal_customizehidl)
get_prop(hal_customizehidl, hwservicemanager_prop)
add_service(hal_customizehidl, hal_customizehidl_service)
binder_use(hal_customizehidl)
Special note:
If the framework side needs to be able to access the HAL service, add the following in
device/qcom/sepolicy/generic/public/hal_customizehidl.te
type hal_customizehidl, domain;
and add the new type name to the xxx.ignore.cil file of the API-level directory under device/qcom/sepolicy/generic/private/compat/,
for example in:
31.0/31.0.ignore.cil
( new_objects
...
hal_customizehidl
...
)
If you see the error below, the definitions and declarations in hwservice_contexts and hwservice.te were most likely left out; adding them resolves it.
05-30 12:39:35.856 370 4561 I hwservicemanager: Tried to start vendor.qti.hardware.customizehidl@1.0::ICustomizeHidl/default as a lazy service, but was unable to. Usually this happens when a service is not installed, but if the service is intended to be used as a lazy service, then it may be configured incorrectly.
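Because a single missing entry is enough to stop the service from starting, it helps to check all seven pieces together before building the policy. The following is an added example and not code from the original post: it models the files listed above as in-memory strings and reports every missing piece and every name that does not line up (including a domain name that does not match the prefix of its `_exec` type). The sample policy fragments are constructed for this example and mirror the entries shown above.

```python
"""Consistency check over the SELinux pieces a custom HIDL HAL needs.

Added example, not code from the original post. file_contexts,
hwservice_contexts, service_contexts, file.te, hwservice.te, service.te and
the domain .te are modelled as in-memory strings; the sample fragments
below are constructed to mirror the post's entries.
"""
import re


def _types(te_text):
    """Map type name -> set of attributes for every `type X, a, b;` line."""
    out = {}
    for m in re.finditer(r'^\s*type\s+(\w+)\s*,\s*([^;]+);', te_text, re.M):
        out[m.group(1)] = {a.strip() for a in m.group(2).split(',')}
    return out


def _labels(contexts_text):
    """Map key -> SELinux type for a *_contexts file (`key u:object_r:TYPE:s0`)."""
    out = {}
    for line in contexts_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith('#'):
            out[parts[0]] = parts[1].split(':')[2]
    return out


def check_hal_policy(domain, exe_regex, hwservice_key, service_key, files):
    """Return a list of findings; an empty list means every piece is present
    and consistent. `files` maps file name -> file content."""
    findings = []
    exec_t, hw_t, svc_t = f'{domain}_exec', f'{domain}_hwservice', f'{domain}_service'

    # 1. type declarations carrying the attributes the post requires
    required = {
        'file.te': (exec_t, {'exec_type', 'vendor_file_type', 'file_type'}),
        'hwservice.te': (hw_t, {'hwservice_manager_type'}),
        'service.te': (svc_t, {'service_manager_type'}),
    }
    for fname, (tname, attrs) in required.items():
        decl = _types(files.get(fname, ''))
        if tname not in decl:
            findings.append(f'{fname}: missing "type {tname}"')
        elif not attrs <= decl[tname]:
            findings.append(f'{fname}: {tname} lacks attributes {sorted(attrs - decl[tname])}')

    # 2. labelling entries in the *_contexts files
    for fname, key, tname in (('file_contexts', exe_regex, exec_t),
                              ('hwservice_contexts', hwservice_key, hw_t),
                              ('service_contexts', service_key, svc_t)):
        if _labels(files.get(fname, '')).get(key) != tname:
            findings.append(f'{fname}: no entry labelling {key} as {tname}')

    # 3. the domain and the macros wiring it to init, hwservicemanager and servicemanager
    dom = files.get(f'{domain}.te', '')
    if 'domain' not in _types(dom).get(domain, set()):
        findings.append(f'{domain}.te: missing "type {domain}, domain;"')
    for macro in (f'init_daemon_domain({domain})', f'hwbinder_use({domain})',
                  f'add_hwservice({domain}, {hw_t})', f'add_service({domain}, {svc_t})'):
        if macro.replace(' ', '') not in dom.replace(' ', ''):
            findings.append(f'{domain}.te: missing {macro}')
    # init_daemon_domain(X) transitions from X_exec, so X must be the exec type's prefix
    for m in re.finditer(r'init_daemon_domain\(\s*(\w+)\s*\)', dom):
        if f'{m.group(1)}_exec' not in _types(files.get('file.te', '')):
            findings.append(f'{domain}.te: init_daemon_domain({m.group(1)}) '
                            f'needs "type {m.group(1)}_exec" in file.te')
    return findings


# Constructed sample tree mirroring the entries from the post.
DOMAIN = 'hal_customizehidl'
EXE = r'/vendor/bin/hw/vendor\.qti\.hardware\.customizehidl@1\.0-service'
HW_KEY = 'vendor.qti.hardware.customizehidl::ICustomizeHidl'
SVC_KEY = 'vendor.qti.hardware.customizehidl.ICustomizeHidl/default'
COMPLETE = {
    'file_contexts': f'{EXE} u:object_r:{DOMAIN}_exec:s0\n',
    'hwservice_contexts': f'{HW_KEY} u:object_r:{DOMAIN}_hwservice:s0\n',
    'service_contexts': f'{SVC_KEY} u:object_r:{DOMAIN}_service:s0\n',
    'file.te': f'type {DOMAIN}_exec, exec_type, vendor_file_type, file_type;\n',
    'hwservice.te': f'type {DOMAIN}_hwservice, hwservice_manager_type, protected_hwservice;\n',
    'service.te': f'type {DOMAIN}_service, vendor_service, protected_service, service_manager_type;\n',
    f'{DOMAIN}.te': (f'type {DOMAIN}, domain;\n'
                     f'init_daemon_domain({DOMAIN})\n'
                     f'add_hwservice({DOMAIN}, {DOMAIN}_hwservice)\n'
                     f'hwbinder_use({DOMAIN})\n'
                     f'get_prop({DOMAIN}, hwservicemanager_prop)\n'
                     f'add_service({DOMAIN}, {DOMAIN}_service)\n'
                     f'binder_use({DOMAIN})\n'),
}


def lazy_service_failure_case():
    """Tree with the hwservice pieces left out: the situation behind the
    hwservicemanager 'Tried to start ... as a lazy service' message."""
    broken = {k: v for k, v in COMPLETE.items()
              if k not in ('hwservice_contexts', 'hwservice.te')}
    return check_hal_policy(DOMAIN, EXE, HW_KEY, SVC_KEY, broken)


if __name__ == '__main__':
    for case in (check_hal_policy(DOMAIN, EXE, HW_KEY, SVC_KEY, COMPLETE),
                 lazy_service_failure_case()):
        print('\n'.join(case) or 'OK: all pieces present and consistent')
```

Run against a real tree by reading each of the seven files into the `files` dict; the complete sample yields no findings, while dropping hwservice_contexts and hwservice.te yields exactly the two findings that correspond to the error message above.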
To make the above easier to follow, here is what each of the macros used expands to (the definitions come from system/sepolicy/public/te_macros).
init_daemon_domain(hal_customizehidl): init_daemon_domain is defined as follows
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
')

define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
type_transition $1 $2:process $3;
')

define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute map };
allow $1 $3:process transition;
# New domain is entered by executing the file.
allow $3 $2:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow $1 $3:process { siginh rlimitinh };
')
hwbinder_use(hal_customizehidl): hwbinder_use is defined as follows
define(`hwbinder_use', `
# Call the hwservicemanager and transfer references to it.
allow $1 hwservicemanager:binder { call transfer };
# Allow hwservicemanager to send out callbacks
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager $1:dir search;
allow hwservicemanager $1:file { read open map };
allow hwservicemanager $1:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
add_hwservice(hal_customizehidl, hal_customizehidl_hwservice): add_hwservice is defined as follows
define(`add_hwservice', `
allow $1 $2:hwservice_manager { add find };
allow $1 hidl_base_hwservice:hwservice_manager add;
neverallow { domain -$1 } $2:hwservice_manager add;
')
get_prop(hal_customizehidl, hwservicemanager_prop): get_prop is defined as follows
define(`get_prop', `
allow $1 $2:file { getattr open read map };
')
add_service(hal_customizehidl, hal_customizehidl_service): add_service is defined as follows
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
')
binder_use(hal_customizehidl): binder_use is defined as follows
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager $1:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
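It is often useful to see the concrete rule set a one-line macro grants the domain, rather than the m4 template. The following is an added example, not code from the original post or from AOSP: the macro bodies quoted above are transcribed as Python functions that return the expanded `allow`/`neverallow`/`type_transition` statements for a given domain name, so the full footprint of hal_customizehidl.te can be listed and inspected. m4 itself is not run; the `ifelse` in domain_trans (no `sigchld` rule when the caller is init) is reproduced as a plain conditional.

```python
"""Expand the te_macros quoted above into the concrete rules they produce.

Added example (not from the original post or AOSP): each function mirrors
one macro definition, with $1/$2/$3 replaced by the given names.
"""


def domain_trans(old, exec_t, new):
    """Expansion of domain_trans($1=old, $2=exec_t, $3=new)."""
    rules = [
        f'allow {old} {exec_t}:file {{ getattr open read execute map }};',
        f'allow {old} {new}:process transition;',
        f'allow {new} {exec_t}:file {{ entrypoint open read execute getattr map }};',
    ]
    # ifelse($1, `init', `', ...): init never gets a sigchld rule
    if old != 'init':
        rules.append(f'allow {new} {old}:process sigchld;')
    rules += [
        f'dontaudit {old} {new}:process noatsecure;',
        f'allow {old} {new}:process {{ siginh rlimitinh }};',
    ]
    return rules


def domain_auto_trans(old, exec_t, new):
    """domain_trans plus the default type_transition."""
    return domain_trans(old, exec_t, new) + [
        f'type_transition {old} {exec_t}:process {new};']


def init_daemon_domain(d):
    """init executing <d>_exec lands in domain <d>."""
    return domain_auto_trans('init', f'{d}_exec', d)


def hwbinder_use(d):
    return [
        f'allow {d} hwservicemanager:binder {{ call transfer }};',
        f'allow hwservicemanager {d}:binder {{ call transfer }};',
        f'allow hwservicemanager {d}:dir search;',
        f'allow hwservicemanager {d}:file {{ read open map }};',
        f'allow hwservicemanager {d}:process getattr;',
    ]


def add_hwservice(d, svc):
    return [
        f'allow {d} {svc}:hwservice_manager {{ add find }};',
        f'allow {d} hidl_base_hwservice:hwservice_manager add;',
        f'neverallow {{ domain -{d} }} {svc}:hwservice_manager add;',
    ]


def get_prop(d, prop):
    return [f'allow {d} {prop}:file {{ getattr open read map }};']


def add_service(d, svc):
    return [
        f'allow {d} {svc}:service_manager {{ add find }};',
        f'neverallow {{ domain -{d} }} {svc}:service_manager add;',
    ]


def binder_use(d):
    return [
        f'allow {d} servicemanager:binder {{ call transfer }};',
        f'allow servicemanager {d}:binder {{ call transfer }};',
        f'allow servicemanager {d}:dir search;',
        f'allow servicemanager {d}:file {{ read open }};',
        f'allow servicemanager {d}:process getattr;',
    ]


def expand_hal_domain(d):
    """Every rule produced by the hal_customizehidl.te shown above, for domain d."""
    return (init_daemon_domain(d)
            + add_hwservice(d, f'{d}_hwservice')
            + hwbinder_use(d)
            + get_prop(d, 'hwservicemanager_prop')
            + add_service(d, f'{d}_service')
            + binder_use(d))


if __name__ == '__main__':
    for rule in expand_hal_domain('hal_customizehidl'):
        print(rule)
```

The two `neverallow` rules in the output are the ones worth noting from a least-privilege standpoint: only hal_customizehidl may register the hwservice and service names, so any other domain that tries to register them is rejected at policy-compile time.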