Adding a boot-time service on Android 8.0

Adding a boot-time service on Android 8.0 involves two parts: adding the service itself, and adding the SEPolicy rules that let it run.

Adding the service:

1. Here a shell script is used as the service. It periodically reads the chip's thermal nodes so the temperature can be recorded under different load conditions:

monitor.sh

#!/vendor/bin/sh
# Sample CPU frequency and thermal-zone temperature every 10 s, up to jmax samples.
j=1
jmax=800000000

while [ "$j" -lt "$jmax" ]
do
	cpu0=$(cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq)
	cpu4=$(cat /sys/devices/system/cpu/cpu4/cpufreq/scaling_cur_freq)
	cpu0temp=$(cat /sys/devices/virtual/thermal/thermal_zone0/temp)
	cpu4temp=$(cat /sys/devices/virtual/thermal/thermal_zone1/temp)
	echo "monitor:$j,$cpu0,$cpu4,$cpu0temp,$cpu4temp"
	# Demo/test only: writes to the sdcard. A production vendor daemon should log
	# to a vendor-owned directory with its own SELinux type instead.
	echo "$j,$cpu0,$cpu4,$cpu0temp,$cpu4temp" >> /mnt/sdcard/temp.txt
	sleep 10
	j=$((j+1))
done

2. Have the build copy the script into place when the firmware is generated. The destination is relative to $(PRODUCT_OUT); the usual spelling for a vendor path is $(TARGET_COPY_OUT_VENDOR)/bin/monitor.sh, which avoids hard-coding /vendor:

PRODUCT_COPY_FILES += \
    $(LOCAL_PATH)/../../monitor.sh:/vendor/bin/monitor.sh

3. Add the service to init.rc (on Android 8.0 a vendor service normally gets its own /vendor/etc/init/monitor.rc rather than an entry in the system init.rc; the syntax is the same). Note that an init service runs as root unless user/group options are given, and oneshot means init does not restart it when it exits:

service monitor /vendor/bin/monitor.sh
    class main
    oneshot
    seclabel u:r:monitor:s0

 

SEPolicy rules

1. Add a security context for the new file:

In device/***/common/sepolicy/file_contexts add:

#for monitor
/vendor/bin/monitor.sh         u:object_r:monitor_exec:s0

2. Add a monitor.te file for the new service:

type monitor, domain;
type monitor_exec, exec_type, vendor_file_type, file_type;
permissive  monitor;
init_daemon_domain(monitor)

Without the SEPolicy configuration above, flashing the generated boot.img and vendor.img produces this error in dmesg:

init: service monitor does not have a SELinux domain defined

Here the monitor domain corresponds to the service named monitor in the .rc file, and monitor_exec is the label of the script monitor.sh. The line permissive monitor; is temporary: it puts the domain in permissive mode, so the service keeps running when it hits an access it has no rule for, while the kernel still logs each denial with the permission and target type that would be needed. init_daemon_domain is a macro that sets up the automatic domain transition from init into monitor when init executes a file labelled monitor_exec; without it the service would not enter its own domain.

3. First build and verification:

 m -j24 system/sepolicy/

Package and test the firmware. Once the device is up, dmesg shows a batch of SEPolicy audit messages like these; save them to a file (ker.txt in the next step):

[    8.514867] type=1400 audit(1540806471.556:13): avc: denied { read write } for pid=333 comm="monitor.sh" path="/dev/ttyFIQ0" dev="tmpfs" ino=243 scontext=u:r:monitor:s0 tcontext=u:object_r:serial_device:s0 tclass=chr_file permissive=1
[   10.124651] type=1400 audit(1540806473.170:29): avc: denied { read } for pid=333 comm="monitor.sh" name="sdcard" dev="tmpfs" ino=7920 scontext=u:r:monitor:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=1
[   10.124786] type=1400 audit(1540806473.170:29): avc: denied { read } for pid=333 comm="monitor.sh" name="sdcard" dev="tmpfs" ino=7920 scontext=u:r:monitor:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=1
[   10.124806] type=1400 audit(1540806473.170:30): avc: denied { read } for pid=333 comm="monitor.sh" name="primary" dev="tmpfs" ino=7921 scontext=u:r:monitor:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file permissive=1
[   10.124886] type=1400 audit(1540806473.170:30): avc: denied { read } for pid=333 comm="monitor.sh" name="primary" dev="tmpfs" ino=7921 scontext=u:r:monitor:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file permissive=1
[   10.124900] type=1400 audit(1540806473.170:31): avc: denied { search } for pid=333 comm="monitor.sh" name="user" dev="tmpfs" ino=7909 scontext=u:r:monitor:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=1

4. Handling the SEPolicy denials:

Now run audit2allow over the saved dmesg output (ker.txt), against the policy built for the target:

audit2allow -i ker.txt -p out/target/product/***/root/sepolicy 

The result looks something like this:

#============= monitor ==============
allow monitor media_rw_data_file:dir { add_name open read search write };
allow monitor media_rw_data_file:file { append create open };
allow monitor mnt_user_file:dir search;
allow monitor mnt_user_file:lnk_file read;
allow monitor sdcardfs:dir { add_name search write };
allow monitor sdcardfs:file { append create open };
allow monitor serial_device:chr_file { getattr ioctl read write };
allow monitor storage_file:dir search;
allow monitor storage_file:lnk_file read;
allow monitor sysfs:file { open read };
allow monitor tmpfs:lnk_file read;
allow monitor vendor_toolbox_exec:file execute_no_trans;

#============= system_app ==============
allow system_app serialno_prop:file read;
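The rules above are what audit2allow reconstructs from the denial lines. The following is an added example, not part of the original page and not Android's own tooling: a small POSIX-shell pipeline that does the same reconstruction for one domain from raw dmesg lines, and then flags the rules a reviewer should question before pasting them into monitor.te. The sample denial lines are constructed for the example (copies of the dmesg lines above plus one system_app line to show that other domains are filtered out); the function names avc_to_allow and flag_rules and the REVIEW_TYPES list are this example's own choices.

```shell
#!/bin/sh
# Added example: rebuild "allow" rules from avc denial lines for one domain,
# the way audit2allow does, then flag rules that deserve manual review.
# Function names and the REVIEW_TYPES list are this example's own choices.

# Constructed sample input (same format as the dmesg lines above); the
# system_app line is there to show that other domains are filtered out.
SAMPLE_AVC='
[    8.514867] type=1400 audit(1540806471.556:13): avc: denied { read write } for pid=333 comm="monitor.sh" path="/dev/ttyFIQ0" dev="tmpfs" ino=243 scontext=u:r:monitor:s0 tcontext=u:object_r:serial_device:s0 tclass=chr_file permissive=1
[   10.124651] type=1400 audit(1540806473.170:29): avc: denied { read } for pid=333 comm="monitor.sh" name="sdcard" dev="tmpfs" ino=7920 scontext=u:r:monitor:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=1
[   10.124786] type=1400 audit(1540806473.170:29): avc: denied { read } for pid=333 comm="monitor.sh" name="sdcard" dev="tmpfs" ino=7920 scontext=u:r:monitor:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=1
[   10.124900] type=1400 audit(1540806473.170:31): avc: denied { search } for pid=333 comm="monitor.sh" name="user" dev="tmpfs" ino=7909 scontext=u:r:monitor:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=1
[   11.000000] type=1400 audit(1540806474.000:40): avc: denied { getattr } for pid=333 comm="monitor.sh" path="/dev/ttyFIQ0" dev="tmpfs" ino=243 scontext=u:r:monitor:s0 tcontext=u:object_r:serial_device:s0 tclass=chr_file permissive=1
[   12.000000] type=1400 audit(1540806475.000:41): avc: denied { read } for pid=1500 comm="SystemUI" name="u:object_r:serialno_prop:s0" dev="tmpfs" ino=9000 scontext=u:r:system_app:s0 tcontext=u:object_r:serialno_prop:s0 tclass=file permissive=0
'

# avc_to_allow DOMAIN  (denial lines on stdin)
# Prints one "allow DOMAIN ttype:tclass ...;" per target type/class, with the
# permissions of all matching denials merged, de-duplicated and sorted.
avc_to_allow() {
    awk -v want="$1" '
    /avc: denied/ {
        # permissions are the words between the braces
        s = index($0, "{"); e = index($0, "}")
        n = split(substr($0, s + 1, e - s - 1), perms, " ")
        sdom = ""; ttype = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts look like u:r:monitor:s0 / u:object_r:serial_device:s0
            if ($i ~ /^scontext=/)      { split($i, a, ":"); sdom  = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (sdom != want || ttype == "" || cls == "") next
        for (j = 1; j <= n; j++) print ttype, cls, perms[j]
    }' | LC_ALL=C sort -u | awk -v want="$1" '
    function emit() {
        if (index(plist, " ")) printf "allow %s %s { %s };\n", want, cur, plist
        else                   printf "allow %s %s %s;\n", want, cur, plist
    }
    {
        key = $1 ":" $2
        if (key != cur) { if (cur != "") emit(); cur = key; plist = "" }
        plist = (plist == "" ? $3 : plist " " $3)
    }
    END { if (cur != "") emit() }'
}

# Target types whose rules should not be accepted blindly. In this tutorial the
# rules on these types come from the debug echo (whose output reached the serial
# console) and from the /mnt/sdcard test path, not from the monitor's real job.
REVIEW_TYPES='serial_device sdcardfs media_rw_data_file storage_file mnt_user_file'

# flag_rules  (allow rules on stdin) -> prints "REVIEW: <rule>" for each hit
flag_rules() {
    awk -v types="$REVIEW_TYPES" '
    BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) bad[t[i]] = 1 }
    /^allow / { split($3, tc, ":"); if (tc[1] in bad) print "REVIEW: " $0 }'
}

# On a device: dmesg | avc_to_allow monitor | flag_rules
# Empty avc_to_allow output after the second build means no denials remain.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow monitor
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow monitor | flag_rules
```

The pipeline only understands the type=1400 "avc: denied" line format shown on this page; it ignores the process name and path fields, so when a flagged rule appears, go back to the original dmesg line to see which file or device the script actually touched and decide whether to change the script rather than grant the access.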

Since we only care about the monitor service's policy (the system_app rule above belongs to a different domain and is not part of this change), copy the monitor rules into monitor.te. Do not copy them blindly: each rule is a permission granted permanently to a vendor daemon. The serial_device rule exists only because the script's echo output reached the serial console (path="/dev/ttyFIQ0" in the log), and the sdcardfs, media_rw_data_file, storage_file and mnt_user_file rules exist only because of the /mnt/sdcard test path; in a production build, log to a vendor-owned directory with its own type and drop those rules instead of keeping them. Also expect the policy build to fail on any rule that violates a neverallow in the platform policy. For the test setup described here, monitor.te becomes:

type monitor, domain;
type monitor_exec, exec_type, vendor_file_type, file_type;
#permissive  monitor;
init_daemon_domain(monitor)

allow monitor media_rw_data_file:dir { add_name open read search write };
allow monitor media_rw_data_file:file { append create open };
allow monitor mnt_user_file:dir search;
allow monitor mnt_user_file:lnk_file read;
allow monitor sdcardfs:dir { add_name search write };
allow monitor sdcardfs:file { append create open };
allow monitor serial_device:chr_file { getattr ioctl read write };
allow monitor storage_file:dir search;
allow monitor storage_file:lnk_file read;
allow monitor sysfs:file { open read };
allow monitor tmpfs:lnk_file read;
allow monitor vendor_toolbox_exec:file execute_no_trans;

For how to use audit2allow, look up its documentation. I run the command from inside the Android build environment, which first needs:

source build/envsetup.sh && setpaths 

5. Second build and verification:

 m -j24 system/sepolicy/

Package and test the firmware. If there are no remaining SEPolicy denials for the monitor service, the SEPolicy part is complete. Remember to remove from monitor.te the line:

permissive  monitor;

While that line is present the domain is effectively unconfined (denials are only logged, not enforced), and a user build does not allow permissive domains at all.

 

With that, the Android service is complete.