Android 8.1 非系统进程设置系统域属性问题

1. 进程间通过设置属性进行交互

Android 系统开发中经常需要通过属性在各个进程间传递信息,通过一个进程 set_property,另一个进程 get_property 达到进程间通信的需求。

属性获取没有限制,但是如果需要进程可以进行设置属性操作,则需要做一些处理。因为在 init 进程属性设置处理过程中会进行 selinux 权限的检查,如果不通过的话,设置属性的请求会被拒绝。
报错 fail 如下:

W libc    : Unable to set property "use_xxx" to "1": connection failed; errno=13 (Permission denied)

以一个进程为例,如果 a 进程需要在运行过程中设置属性,则需要添加在 device/xxx/common/sepolicy/a.te 文件中添加:

allow mediacodec default_prop:property_service set;
(该命令可以通过 audit2allow 命令生成)

添加成功之后,重新编译 system/sepolicy/。

2. android 8.1(及以上版本)系统设置权限限制

这种方法在 8.1 以前的系统都可以通用,但是 Android 8.1 及以上版本系统添加了权限限制,不允许普通进程设置系统属性,编译错误如下:

FAILED: out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy 
/bin/bash -c "(out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/xxxx/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/xxxx/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.tmp -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then 		echo \"==========\" 1>&2; 		echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; 		echo \"List of invalid domains:\" 1>&2; 		cat out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; 	       exit 1; 		fi ) && (mv out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/xxxx/obj/ETC/sepolicy_intermediates/sepolicy )"
neverallow check failed at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:2614
  (neverallow base_typeattr_4_27_0 default_prop_27_0 (property_service (set)))
    
    allow at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713
      (allow mediacodec_27_0 default_prop_27_0 (property_service (set)))

neverallow check failed at out/target/product/xxxx/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4287 from system/sepolicy/public/domain.te:447
  (neverallow base_typeattr_4 default_prop (property_service (set)))
    
    allow at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713
      (allow mediacodec_27_0 default_prop_27_0 (property_service (set)))

Failed to generate binary
Failed to build policydb
[ 34% 23/66] build out/target/product/xxxx/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
FAILED: out/target/product/xxxx/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy 
/bin/bash -c "out/host/linux-x86/bin/secilc -M true -G -c 30 		out/target/product/xxxx/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/xxxx/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/xxxx/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy -f /dev/null"
neverallow check failed at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:2614
  (neverallow base_typeattr_4_27_0 default_prop_27_0 (property_service (set)))
    
    allow at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713
      (allow mediacodec_27_0 default_prop_27_0 (property_service (set)))

neverallow check failed at out/target/product/xxxx/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4287 from system/sepolicy/public/domain.te:447
  (neverallow base_typeattr_4 default_prop (property_service (set)))
    
    allow at out/target/product/xxxx/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6713
      (allow mediacodec_27_0 default_prop_27_0 (property_service (set)))

Failed to generate binary
Failed to build policydb
ninja: build stopped: subcommand failed.
20:55:56 ninja failed with: exit status 1

#### failed to build some targets (02:13 (mm:ss)) ####
修正解决方案 1

允许 mediacodec 进程设置 use_xxx 属性

diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
index 3530bec..a3a0c38 100644
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
@@ -5,4 +5,8 @@ allow mediacodec media_prop:file { open read getattr };
 allow mediacodec system_file:dir { open read };
 allow mediacodec sysfs:file { read open getattr };
 allow mediacodec sysfs:dir { read open getattr };
 get_prop(mediacodec,ctsgts_prop);
+set_prop(mediacodec,use_mpp_mode_prop);
diff --git a/sepolicy/property.te b/sepolicy/property.te
index c71f976..5912a09 100755
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -2,5 +2,6 @@ type graphic_prop, property_type;
 type drm_prop, property_type, mlstrustedsubject;
 type media_prop, property_type, mlstrustedsubject;
 type ctsgts_prop, property_type, mlstrustedsubject;
+type use_xxx_prop, property_type, mlstrustedsubject;
 type secureboot_prop, property_type;
 type tee_supplicant_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index cd31e89..af47380 100755
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -5,6 +5,7 @@ media.                  u:object_r:media_prop:s0
 mediaplayer.            u:object_r:media_prop:s0
 cts_gts.                u:object_r:ctsgts_prop:s0
 persist.cts_gts.        u:object_r:ctsgts_prop:s0
+use_xxx                 u:object_r:use_xxx_prop:s0
 pppoe.                  u:object_r:dhcp_prop:s0
 persist.ppp             u:object_r:dhcp_prop:s0
 ro.secureboot           u:object_r:secureboot_prop:s0
修正解决方案 2

非系统域的属性设置则没有如上限制,可以将 use_xxx 属性修改为 vendor.use_xxx 改为 vender 域的属性

你可能感兴趣的:(android,系统优化)