MTK Android设置setprop的selinux权限

Android设置setprop的selinux权限,理论上不仅仅适用在MTK上.
需要在system应用的代码中调用SystemProperties.set()函数进行prop属性值的修改.

环境

MTK
Android 8

修改

需要修改system_app.te,添加对vendor_default_prop:property_service的set权限,
然后在domain.te及property.te的neverallow规则中把system_app添加为例外.
patch如下

// csdn帅得不敢出门
diff --git a/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te b/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te
index aeff2a14a4..3845e041d8 100755
--- a/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te
+++ b/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te
@@ -93,5 +93,5 @@ allow system_app radio_noril_prop:file { read open getattr };
 allow system_app prod_file:dir { remove_name };
 allow system_app sysfs:file { getattr open read };
 allow system_app sysfs:dir { search };
-
+allow system_app vendor_default_prop:property_service { set };
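Review bot: The added rule `allow system_app vendor_default_prop:property_service { set };` lets every app in the system_app domain set any property labelled vendor_default_prop, which is the fallback label for vendor properties without their own type, not just the one property the app needs. A narrower form is to declare a dedicated type for that property, label it in property_contexts, and grant only that type, e.g. `set_prop(system_app, <your_prop_type>)` (placeholder type name). The allow rule should also carry a comment naming the property and the app that sets it.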

diff --git a/system/sepolicy/prebuilts/api/30.0/public/domain.te b/system/sepolicy/prebuilts/api/30.0/public/domain.te
index 1d3f8a071d..a0a2f694aa 100644
--- a/system/sepolicy/prebuilts/api/30.0/public/domain.te
+++ b/system/sepolicy/prebuilts/api/30.0/public/domain.te
@@ -530,7 +530,7 @@ compatible_property_only(`
     neverallow { domain -init } exported_secure_prop:property_service set;
     neverallow { domain -init } exported2_default_prop:property_service set;
     neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
-    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+    neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;
     neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
 ')
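Review bot: Adding `-system_app` to the neverallow for `vendor_default_prop:property_service set` edits the platform policy itself rather than device policy, and the same edit is repeated in system/sepolicy/public/domain.te. The neighbouring rules limit setters to init and vendor_init; with this exception the build no longer rejects any later rule that lets system_app write this type. AOSP neverallow rules are also checked by CTS, so a device shipping this change would likely fail that check. Keeping the neverallow intact and moving the property to a type that system_app is already permitted to set avoids both problems. The compatible_property_only block starts outside the hunk.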
 
diff --git a/system/sepolicy/prebuilts/api/30.0/public/property.te b/system/sepolicy/prebuilts/api/30.0/public/property.te
index 43b09db8d1..c944270a9e 100644
--- a/system/sepolicy/prebuilts/api/30.0/public/property.te
+++ b/system/sepolicy/prebuilts/api/30.0/public/property.te
@@ -568,6 +568,7 @@ compatible_property_only(`
     coredomain
     -init
     -system_writes_vendor_properties_violators
+    -system_app
   } {
     property_type
     -system_property_type
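Review bot: `-system_app` removes system_app from a coredomain neverallow whose target set begins `property_type -system_property_type`, so the exemption appears to cover far more than vendor_default_prop. The rest of the rule lies outside the hunk, so the exact scope should be confirmed. The same line is added in system/sepolicy/public/property.te. If the property can be given a system-owned type instead, neither property.te edit is needed. Otherwise I would at least add a comment above the exception, e.g. `# system_app: sets <property name> only; see system_app.te`, so the reason for the exemption is recorded.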
diff --git a/system/sepolicy/public/domain.te b/system/sepolicy/public/domain.te
index 1d3f8a071d..a0a2f694aa 100644
--- a/system/sepolicy/public/domain.te
+++ b/system/sepolicy/public/domain.te
@@ -530,7 +530,7 @@ compatible_property_only(`
     neverallow { domain -init } exported_secure_prop:property_service set;
     neverallow { domain -init } exported2_default_prop:property_service set;
     neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
-    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+    neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;
     neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
 ')
 
diff --git a/system/sepolicy/public/property.te b/system/sepolicy/public/property.te
index 43b09db8d1..c944270a9e 100644
--- a/system/sepolicy/public/property.te
+++ b/system/sepolicy/public/property.te
@@ -568,6 +568,7 @@ compatible_property_only(`
     coredomain
     -init
     -system_writes_vendor_properties_violators
+    -system_app
   } {
     property_type

作者:帅得不敢出门 csdn原创谢绝转载
