Android 12 S: adding SELinux permissions for a custom native service
Articles in this series
Android 12 S: the native service creation flow
Android 12 S: Binder internals, an introduction to BpBinder, BnBinder and IInterface
Android 12 S: adding SELinux permissions for a custom HAL service
Android 12 S: adding SELinux permissions for a custom native service
Android 12 S: a custom native service accessing a Java service
Note: if you add SELinux permissions for a device node, you also have to add the corresponding SELinux labels for every symlinked directory of that node; only then does the access work.
Node labels are defined in this file: genfs_contexts
The permissions below let the customizemanagerserver native service access the customizehidl HAL service and communicate in both directions with system_server.
The service in this example is started automatically by init; if you only need the permissions related to auto-starting, filter out the rest yourself.
// Service label definition
device/qcom/sepolicy/generic/private/service_contexts
customizemanagerserver u:object_r:customizemanager_service:s0

// Service type declaration
device/qcom/sepolicy/generic/private/service.te
type customizemanager_service, app_api_service, service_manager_type;

// Label definition for the service's executable
device/qcom/sepolicy/generic/private/file_contexts
/system/bin/customizemanagerserver u:object_r:customizemanager_exec:s0
/system_ext/lib(64)?/vendor\.qti\.hardware\.customizehidl@1\.0\.so u:object_r:system_lib_file:s0

// Domain declaration; customizemanager carries both domain and coredomain because it must access the HAL service (which lives in domain) and also system_server (which lives in coredomain)
device/qcom/sepolicy/generic/public/customizemanager.te
type customizemanager, domain, coredomain;

// Domain declaration of the HAL service
device/qcom/sepolicy/generic/public/hal_customizehidl.te
type hal_customizehidl, domain;

// All the permissions of the customizemanager service
device/qcom/sepolicy/generic/private/customizemanager.te
typeattribute customizemanager coredomain;
// Type declaration of the customizemanager service executable
type customizemanager_exec, exec_type, system_file_type, file_type;
// Domain transition: init execs customizemanager_exec and the process enters the customizemanager domain
init_daemon_domain(customizemanager)
// Allow customizemanager to find and add customizemanager_service
add_service(customizemanager, customizemanager_service)
// Mainly the permissions servicemanager needs towards customizemanager
binder_use(customizemanager)
// system_server calls customizemanager
binder_call(system_server, customizemanager)
binder_service(customizemanager)
// customizemanager calls system_server
binder_call(customizemanager, system_server)
// Permissions needed to communicate with the HAL service
get_prop(customizemanager, hwservicemanager_prop)
hwbinder_use(customizemanager)
allow customizemanager same_process_hal_file:file { open read getattr execute map };
allow customizemanager system_lib_file:file { open read getattr execute map };
allow customizemanager hal_customizehidl_hwservice:hwservice_manager { find };
allow customizemanager hal_customizehidl:binder { call };
// Permission needed for communication with system_server
allow system_server customizemanager_service:service_manager { find };
init_daemon_domain is defined as follows:

define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
')

define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
type_transition $1 $2:process $3;
')

define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute map };
allow $1 $3:process transition;
# New domain is entered by executing the file.
allow $3 $2:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow $1 $3:process { siginh rlimitinh };
')

binder_use is defined as follows:

#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager $1:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')

binder_service is defined as follows:

#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')

binder_call is defined as follows:

#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow $2 $1:binder transfer;
# Receive and use open files from the server.
allow $1 $2:fd use;
')

hwbinder_use is defined as follows:

#####################################
# hwbinder_use(domain)
# Allow domain to use HwBinder IPC.
define(`hwbinder_use', `
# Call the hwservicemanager and transfer references to it.
allow $1 hwservicemanager:binder { call transfer };
# Allow hwservicemanager to send out callbacks
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager $1:dir search;
allow hwservicemanager $1:file { read open map };
allow hwservicemanager $1:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
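To see exactly which allow rules the macro calls in customizemanager.te grant once te_macros is expanded (and why init does not receive the sigchld rule), here is an added Python illustration; it is not part of the original post or of AOSP, and it mimics m4 argument substitution and ifelse for just the macros quoted above, with the macro bodies copied from those excerpts:

```python
import re

# Macro bodies follow the te_macros excerpts quoted on this page (comments dropped);
# this mini expander is a constructed illustration, not AOSP's real m4 pipeline.
MACROS = {
    "init_daemon_domain": ["domain_auto_trans(init, $1_exec, $1)"],
    "domain_auto_trans": ["domain_trans($1,$2,$3)", "type_transition $1 $2:process $3;"],
    "domain_trans": [
        "allow $1 $2:file { getattr open read execute map };",
        "allow $1 $3:process transition;",
        "allow $3 $2:file { entrypoint open read execute getattr map };",
        "ifelse($1, `init', `', `allow $3 $1:process sigchld;')",
        "dontaudit $1 $3:process noatsecure;",
        "allow $1 $3:process { siginh rlimitinh };",
    ],
    "binder_use": [
        "allow $1 servicemanager:binder { call transfer };",
        "allow servicemanager $1:binder { call transfer };",
        "allow servicemanager $1:dir search;",
        "allow servicemanager $1:file { read open };",
        "allow servicemanager $1:process getattr;",
    ],
    "binder_call": [
        "allow $1 $2:binder { call transfer };",
        "allow $2 $1:binder transfer;",
        "allow $1 $2:fd use;",
    ],
    "binder_service": ["typeattribute $1 binderservicedomain;"],
}
CALL = re.compile(r"^(\w+)\((.*)\)$")
IFELSE = re.compile(r"^ifelse\((.*?), `(.*?)', `(.*?)', `(.*?)'\)$")

def expand(line):
    """Recursively expand one policy line into the concrete rules it produces."""
    line = line.strip()
    if m := IFELSE.match(line):  # m4 ifelse: keep one branch, then expand that branch
        return expand(m.group(3) if m.group(1) == m.group(2) else m.group(4))
    if (m := CALL.match(line)) and m.group(1) in MACROS:
        args = [a.strip() for a in m.group(2).split(",")]
        out = []
        for tmpl in MACROS[m.group(1)]:
            for i, arg in enumerate(args, 1):  # substitute $1, $2, $3
                tmpl = tmpl.replace(f"${i}", arg)
            out.extend(expand(tmpl))  # nested macro calls expand recursively
        return out
    return [line] if line else []  # plain rule, or an empty ifelse branch

def expand_policy(lines):
    return [rule for line in lines for rule in expand(line)]

# The macro invocations from the page's customizemanager.te
PAGE_RULES = ["init_daemon_domain(customizemanager)", "binder_use(customizemanager)",
              "binder_call(system_server, customizemanager)", "binder_service(customizemanager)",
              "binder_call(customizemanager, system_server)"]
```

Running expand_policy(PAGE_RULES) yields the 18 concrete rules behind those five macro calls, which is what you should compare against when an avc denial for customizemanager shows up.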