# Android 9.0 (P): configuring SELinux permissions for services registered in SystemServer

## 1. Service definition in SystemServer
Android P_9.0\frameworks\base\services\java\com\android\server\SystemServer.java

    /**
     * Starts a miscellaneous grab bag of stuff that has yet to be refactored
     * and organized.
     */
    private void startOtherServices() {
        // ... other services ...
        try {
            // Custom service. The addService() call is what SELinux checks:
            // system_server needs service_manager { add } on the service's label.
            fadiWakeupWatcherService fadiWakeupWatcherService = new fadiWakeupWatcherService();
            ServiceManager.addService("fadi_wakeupwatcher", fadiWakeupWatcherService.asBinder());
        } catch (Throwable e) {
            Slog.e(TAG, "Failure starting fadiWakeupWatcherService", e);
        }
        // ... other services ...
    }

## 2. Error log when no SELinux permission is configured

01-01 00:05:05.381284   933   933 E SystemServer: Failure starting fadiAppLockService
01-01 00:05:05.381284   933   933 E SystemServer: java.lang.SecurityException
01-01 00:05:05.381284   933   933 E SystemServer: 	at android.os.BinderProxy.transactNative(Native Method)
01-01 00:05:05.381284   933   933 E SystemServer: 	at android.os.BinderProxy.transact(Binder.java:1127)
01-01 00:05:05.381284   933   933 E SystemServer: 	at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:153)
01-01 00:05:05.381284   933   933 E SystemServer: 	at android.os.ServiceManager.addService(ServiceManager.java:184)
01-01 00:05:05.381284   933   933 E SystemServer: 	at android.os.ServiceManager.addService(ServiceManager.java:155)
01-01 00:05:05.381284   933   933 E SystemServer: 	at com.android.server.SystemServer.startOtherServices(SystemServer.java:2000)
01-01 00:05:05.381284   933   933 E SystemServer: 	at com.android.server.SystemServer.run(SystemServer.java:456)
01-01 00:05:05.381284   933   933 E SystemServer: 	at com.android.server.SystemServer.main(SystemServer.java:311)
01-01 00:05:05.381284   933   933 E SystemServer: 	at java.lang.reflect.Method.invoke(Native Method)
01-01 00:05:05.381284   933   933 E SystemServer: 	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
01-01 00:05:05.381284   933   933 E SystemServer: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:891)
01-01 00:05:05.383128   933   933 E SystemServer: Failure starting fadiWakeupWatcherService
01-01 00:05:05.383128   933   933 E SystemServer: java.lang.SecurityException
01-01 00:05:05.383128   933   933 E SystemServer: 	at android.os.BinderProxy.transactNative(Native Method)
01-01 00:05:05.383128   933   933 E SystemServer: 	at android.os.BinderProxy.transact(Binder.java:1127)
01-01 00:05:05.383128   933   933 E SystemServer: 	at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:153)
01-01 00:05:05.383128   933   933 E SystemServer: 	at android.os.ServiceManager.addService(ServiceManager.java:184)
01-01 00:05:05.383128   933   933 E SystemServer: 	at android.os.ServiceManager.addService(ServiceManager.java:155)
01-01 00:05:05.383128   933   933 E SystemServer: 	at com.android.server.SystemServer.startOtherServices(SystemServer.java:2008)
01-01 00:05:05.383128   933   933 E SystemServer: 	at com.android.server.SystemServer.run(SystemServer.java:456)
01-01 00:05:05.383128   933   933 E SystemServer: 	at com.android.server.SystemServer.main(SystemServer.java:311)
01-01 00:05:05.383128   933   933 E SystemServer: 	at java.lang.reflect.Method.invoke(Native Method)
01-01 00:05:05.383128   933   933 E SystemServer: 	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
01-01 00:05:05.383128   933   933 E SystemServer: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:891)

As Android's security requirements keep rising and SELinux enforcement is tightened with each release, some services need a custom policy configuration before they can be used at all.

The stack traces above only show that the two services failed to register. To find the cause, search the same log for the service names "fadi_applock" and "fadi_wakeupwatcher"; the SELinux avc denials that turn up are the lines that matter, and each one can be converted into an allow rule (demonstrated below). For these two services the rule is not what we need yet, though: their tcontext is still default_android_service because they have not been given their own SELinux type, so the rest of this post covers the Android 9.0 configuration method instead.

01-01 00:05:05.382320   324   324 E SELinux : avc:  denied  { add } for service=fadi_wakeupwatcher pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0

allow system_server fadi_wakeupwatcher :service_manager { add };

01-01 00:05:05.380074   324   324 E SELinux : avc:  denied  { add } for service=fadi_applock pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
01-01 00:05:05.380221   324   324 E ServiceManager: add_service('fadi_applock',8f) uid=1000 - PERMISSION DENIED

allow system_server fadi_applock :service_manager { add };

2.1 Demo: deriving an allow rule from an avc denial

Here the target service already has its own type (xxx_applock_service), so the denial maps straight onto a rule: the source type from scontext, the target type from tcontext, then the class and the denied permission. permissive=1 means this denial was only logged, not enforced.

01-03 10:31:35.585148 331 331 E SELinux : avc: denied { find } for service=xxx_applock pid=5499 uid=10087 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:xxx_applock_service:s0 tclass=service_manager permissive=1

allow untrusted_app_25 xxx_applock_service:service_manager { find };

## 3. Configuring SELinux permissions on Android 9.0

3.1 Defining the SELinux type and label

Add the definitions to the following two files:

  • Android P_9.0\system\sepolicy\public\service.te

    # fadi SE-Linux
    type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
    type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
    type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;

  • Android P_9.0\system\sepolicy\private\service_contexts

    # fadi SE-Linux
    fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
    fadi_applock                              u:object_r:fadi_applock_service:s0
    fadi_longshot                             u:object_r:fadi_longshot_service:s0

Then run a build.

3.2 Build error 1 and its fix

FAILED: out/target/product/fadi6761_l05/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
/bin/bash -c "(diff -rq system/sepolicy/prebuilts/api/28.0/public system/sepolicy/public ) && (diff -rq system/sepolicy/prebuilts/api/28.0/private system/sepolicy/private ) && (touch out/target/product/fadi6761_l05/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
文件 system/sepolicy/prebuilts/api/28.0/public/service.te 和 system/sepolicy/public/service.te 不同

The freeze test diffs the prebuilt 28.0 policy against the live one, so the same additions have to be copied into the prebuilts: make the files under system/sepolicy/prebuilts/api/28.0/public (and private) identical to the corresponding files under system/sepolicy/public (and private).

Continue the build with make -j24 2>&1 | tee build.log.

3.3 Build error 2 and its fix

Add and complete the files the error messages point at.

[ 43% 179/410] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/treble_sepolicy_tests_26.0
FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/treble_sepolicy_tests_26.0

[ 43% 180/410] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/treble_sepolicy_tests_27.0
FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/treble_sepolicy_tests_27.0

Add the matching attribute definitions to the Treble compatibility mappings:

Android P_9.0\system\sepolicy\private\compat\26.0\26.0.cil

    (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

Android P_9.0\system\sepolicy\private\compat\27.0\27.0.cil

    (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

Continue the build with make -j24 2>&1 | tee build.log.

3.4 Build error 3 and its fix

Error log:

FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/26.0_compat
/bin/bash -c "out/host/linux-x86/bin/secilc -m -M true -G -N -c 30              out/target/product/fadi6761_l05/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil system/sepolicy/private/compat/26.0/26.0.cil system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil -o out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/26.0_compat -f /dev/null"
Failed to resolve typeattributeset statement at system/sepolicy/private/compat/26.0/26.0.cil:764
Failed to compile cildb: -2
[  1% 11/693] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat
FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat
/bin/bash -c "out/host/linux-x86/bin/secilc -m -M true -G -N -c 30              out/target/product/fadi6761_l05/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil system/sepolicy/private/compat/27.0/27.0.cil system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil -o out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat -f /dev/null"
Failed to resolve typeattributeset statement at system/sepolicy/private/compat/27.0/27.0.cil:1486
Failed to compile cildb: -2
[  1% 12/693] build tinysys-scp-configheader

Fix: the typeattributeset statements added in 3.3 refer to attributes that the prebuilt nonplat policy does not declare yet, so declare them in nonplat_sepolicy.cil for both versions.

  • Android P_9.0\system\sepolicy\prebuilts\api\26.0\nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_26_0)
    (roletype object_r fadi_wakeupwatcher_service_26_0)
    (typeattribute fadi_applock_service_26_0)
    (roletype object_r fadi_applock_service_26_0)
    (typeattribute fadi_longshot_service_26_0)
    (roletype object_r fadi_longshot_service_26_0)

  • Android P_9.0\system\sepolicy\prebuilts\api\27.0\nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_27_0)
    (roletype object_r fadi_wakeupwatcher_service_27_0)
    (typeattribute fadi_applock_service_27_0)
    (roletype object_r fadi_applock_service_27_0)
    (typeattribute fadi_longshot_service_27_0)
    (roletype object_r fadi_longshot_service_27_0)

Continue the build with make -j24 2>&1 | tee build.log.

3.5 Build OK; flash and verify in the log

The services now start and log normally:

09-21 04:17:00.560: D/fadiDisplayHelp(2157): UI show packageName = com.google.android.packageinstaller, className = com.android.packageinstaller.permission.ui.GrantPermissionsActivity
09-21 04:17:59.365: D/fadiDisplayHelp(2157): UI show packageName = com.android.launcher3, className = com.android.launcher3.Launcher

09-21 04:16:08.027: D/fadiKillAppManager(2157): updateRestrictList new = WakeUpInfo [packageName=com.android.bankabc, bootReceviers=com.feinno.teatalk.receiver.FastBootReceiver;com.xiaomi.push.service.receivers.NetworkStatusReceiver;com.feinno.teatalk.receiver.NetWorkChangeReceiver;com.huawei.android.pushagent.PushBootReceiver;com.feinno.teatalk.receiver.PushReceiver;com.huawei.android.pushagent.PushEventReceiver;com.feinno.teatalk.receiver.MiPushReceiver;com.xiaomi.push.service.receivers.PingReceiver;, pushServices=com.baidu.location.f;com.xiaomi.push.service.XMPushService;com.xiaomi.mipush.sdk.PushMessageHandler;com.xiaomi.mipush.sdk.MessageHandleService;, deny=0]

## 4. Checklist of the SELinux changes made

suhuazhi@fadi-PC:~/9.1/system/sepolicy$ git status
# Not currently on any branch.
# Changes not staged for commit:
#   (use "git add ..." to update what will be committed)
#   (use "git checkout -- ..." to discard changes in working directory)
#
#       modified:   prebuilts/api/26.0/nonplat_sepolicy.cil
#       modified:   prebuilts/api/27.0/nonplat_sepolicy.cil
#       modified:   prebuilts/api/28.0/private/compat/26.0/26.0.cil
#       modified:   prebuilts/api/28.0/private/compat/27.0/27.0.cil
#       modified:   prebuilts/api/28.0/private/service_contexts
#       modified:   prebuilts/api/28.0/public/service.te
#       modified:   private/compat/26.0/26.0.cil
#       modified:   private/compat/27.0/27.0.cil
#       modified:   private/service_contexts
#       modified:   public/service.te

The additions, file by file:

  1. prebuilts/api/26.0/nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_26_0)
    (roletype object_r fadi_wakeupwatcher_service_26_0)
    (typeattribute fadi_applock_service_26_0)
    (roletype object_r fadi_applock_service_26_0)
    (typeattribute fadi_longshot_service_26_0)
    (roletype object_r fadi_longshot_service_26_0)

  2. prebuilts/api/27.0/nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_27_0)
    (roletype object_r fadi_wakeupwatcher_service_27_0)
    (typeattribute fadi_applock_service_27_0)
    (roletype object_r fadi_applock_service_27_0)
    (typeattribute fadi_longshot_service_27_0)
    (roletype object_r fadi_longshot_service_27_0)

  3. prebuilts/api/28.0/private/compat/26.0/26.0.cil

    (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

  4. prebuilts/api/28.0/private/compat/27.0/27.0.cil

    (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

  5. prebuilts/api/28.0/private/service_contexts

    # fadi SE-Linux
    fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
    fadi_applock                              u:object_r:fadi_applock_service:s0
    fadi_longshot                             u:object_r:fadi_longshot_service:s0

  6. prebuilts/api/28.0/public/service.te

    # fadi SE-Linux
    type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
    type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
    type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;

  7. private/compat/26.0/26.0.cil

    (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

  8. private/compat/27.0/27.0.cil

    (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

  9. private/service_contexts (core)

    # fadi SE-Linux
    fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
    fadi_applock                              u:object_r:fadi_applock_service:s0
    fadi_longshot                             u:object_r:fadi_longshot_service:s0

  10. public/service.te (core)

    # fadi SE-Linux
    type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
    type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
    type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;
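The whole workflow above, from reading an avc denial to deciding between an allow rule and a new service type, as an added Python example (not code from the post): it parses the two denial shapes shown in sections 2 and 2.1 and, for a service still labelled default_android_service, emits the lines for the six non-prebuilt-28.0 files in this checklist. It assumes the service is hosted by system_server (so it reuses the post's attribute set) and the two log lines are constructed samples.

```python
import re
# Constructed sample lines, modelled on the denials shown in the post.
SAMPLE_LOG = """\
01-01 00:05:05.382320   324   324 E SELinux : avc:  denied  { add } for service=fadi_wakeupwatcher pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
01-03 10:31:35.585148 331 331 E SELinux : avc: denied { find } for service=xxx_applock pid=5499 uid=10087 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:xxx_applock_service:s0 tclass=service_manager permissive=1
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for service=(?P<service>\S+).*?"
    r"scontext=u:r:(?P<stype>[^:\s]+).*?tcontext=u:object_r:(?P<ttype>[^:\s]+).*?"
    r"tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])")
DEFAULT_SERVICE_TYPE = "default_android_service"  # label of a service with no service_contexts entry
# Attributes the post gives its services; assumes the service is hosted by system_server, as there.
SERVICE_ATTRS = "system_api_service, system_server_service, service_manager_type"

def parse_avc(line):
    """Return the fields of a service_manager avc denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["perms"] = f["perms"].split()
    f["permissive"] = f["permissive"] == "1"  # True: only logged, the Binder call still succeeded
    return f

def suggest(denial):
    """('define', {file: lines}) while the target is still default_android_service, i.e. the
    service needs its own type first; otherwise ('allow', ...) with the rule
    allow <scontext type> <tcontext type>:<tclass> { perms };"""
    svc, ttype = denial["service"], denial["ttype"]
    if ttype == DEFAULT_SERVICE_TYPE:
        t = f"{svc}_service"
        return "define", {
            "public/service.te": [f"type {t}, {SERVICE_ATTRS};"],
            "private/service_contexts": [f"{svc:<42}u:object_r:{t}:s0"],
            "private/compat/26.0/26.0.cil": [f"(typeattributeset {t}_26_0 ({t}))"],
            "private/compat/27.0/27.0.cil": [f"(typeattributeset {t}_27_0 ({t}))"],
            "prebuilts/api/26.0/nonplat_sepolicy.cil": [f"(typeattribute {t}_26_0)", f"(roletype object_r {t}_26_0)"],
            "prebuilts/api/27.0/nonplat_sepolicy.cil": [f"(typeattribute {t}_27_0)", f"(roletype object_r {t}_27_0)"],
        }
    perms = " ".join(denial["perms"])
    return "allow", {"allow rule": [f"allow {denial['stype']} {ttype}:{denial['tclass']} {{ {perms} }};"]}

def analyze(log_text):
    """Return [(service, kind, changes)] for every service_manager denial in the log."""
    out = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d["tclass"] == "service_manager":
            out.append((d["service"], *suggest(d)))
    return out
```

The prebuilts/api/28.0 copies are plain duplicates of public/service.te and private/service_contexts (what the freeze test in 3.2 checks), so they are not generated separately.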
