Series articles
Android 12 S ServiceManager internals
Android 12 S Native Service creation flow
Android 12 S Binder internals: BpBinder, BnBinder and IInterface
Android 12 S HIDL Service creation flow
Android 12 S Adding SELinux permissions for a custom HAL service
Android 12 S Adding SELinux permissions for a custom native service
Android 12 S Calling a native service from a Java service
Android 12 S Accessing a Java service from a custom native service
For adding a custom HAL service itself, see "HIDL Service creation flow - based on Android 12 S" (加油干(◍>∇<◍)ノ゙'s blog, CSDN).
The HAL permission configuration is essentially derived from the compatibility matrix.
In device/qcom/common/vendor_compatibility_matrix.xml the HAL is declared as:
    <hal format="hidl">
        <name>vendor.qti.hardware.customizehidl</name>
        <transport>hwbinder</transport>
        <version>1.0</version>
        <interface>
            <name>ICustomizeHidl</name>
            <instance>default</instance>
        </interface>
    </hal>
Based on that compatibility-matrix entry, the permissions are as follows.
None of the following additions may be omitted; missing any of them can prevent the service from starting automatically.
device/qcom/sepolicy_vndr/generic/vendor/common/file_contexts
    /vendor/bin/hw/vendor\.qti\.hardware\.customizehidl@1\.0-service u:object_r:hal_customizehidl_exec:s0
device/qcom/sepolicy_vndr/generic/vendor/common/hwservice_contexts
    vendor.qti.hardware.customizehidl::ICustomizeHidl u:object_r:hal_customizehidl_hwservice:s0
device/qcom/sepolicy_vndr/generic/vendor/common/service_contexts
    vendor.qti.hardware.customizehidl.ICustomizeHidl/default u:object_r:hal_customizehidl_service:s0
device/qcom/sepolicy_vndr/generic/public/file.te
    type hal_customizehidl_exec, exec_type, vendor_file_type, file_type;
device/qcom/sepolicy_vndr/generic/public/hwservice.te
    type hal_customizehidl_hwservice, hwservice_manager_type, protected_hwservice;
device/qcom/sepolicy_vndr/generic/public/service.te
    type hal_customizehidl_service, vendor_service, protected_service, service_manager_type;
The domain file below is likewise required in full; leaving any line out can prevent the service from starting automatically.
device/qcom/sepolicy_vndr/generic/vendor/common/hal_customizehidl.te
    # The domain name must match the prefix of hal_customizehidl_exec.
    type hal_customizehidl, domain;
    # Domain transition: when init executes a file labelled hal_customizehidl_exec,
    # the resulting process runs in the hal_customizehidl domain.
    init_daemon_domain(hal_customizehidl);
    add_hwservice(hal_customizehidl, hal_customizehidl_hwservice)
    get_prop(hal_customizehidl, hwservicemanager_prop)
    hwbinder_use(hal_customizehidl)
    add_service(hal_customizehidl, hal_customizehidl_service)
    binder_use(hal_customizehidl)
If you hit the following error, the matching entry in hwservice_contexts and the type declaration in hwservice.te were most likely left out; adding them fixes it.
    05-30 12:39:35.856 370 4561 I hwservicemanager: Tried to start vendor.qti.hardware.customizehidl@1.0::ICustomizeHidl/default as a lazy service, but was unable to. Usually this happens when a service is not installed, but if the service is intended to be used as a lazy service, then it may be configured incorrectly.
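Because the six pieces above must all be present and must agree on the hal_customizehidl prefix, a small consistency check is worth running before flashing. The following is an added example, not code from the post or from the device tree: it takes the HAL name, version and interface from the compatibility matrix, derives the domain from the *_exec type in file.te, and reports every context entry, type declaration or macro that is missing, including the hwservice_contexts/hwservice.te omission behind the lazy-service error. The file contents are constructed sample strings keyed by file name.

```python
import re

# Constructed sample of the policy pieces the post lists (not the project's real
# files), keyed by file name; the domain .te carries every macro from the post.
SAMPLE = {
    "file_contexts": r"/vendor/bin/hw/vendor\.qti\.hardware\.customizehidl@1\.0-service u:object_r:hal_customizehidl_exec:s0",
    "hwservice_contexts": "vendor.qti.hardware.customizehidl::ICustomizeHidl u:object_r:hal_customizehidl_hwservice:s0",
    "service_contexts": "vendor.qti.hardware.customizehidl.ICustomizeHidl/default u:object_r:hal_customizehidl_service:s0",
    "file.te": "type hal_customizehidl_exec, exec_type, vendor_file_type, file_type;",
    "hwservice.te": "type hal_customizehidl_hwservice, hwservice_manager_type, protected_hwservice;",
    "service.te": "type hal_customizehidl_service, vendor_service, protected_service, service_manager_type;",
    "hal_customizehidl.te": "type hal_customizehidl, domain;\ninit_daemon_domain(hal_customizehidl);\n"
        "add_hwservice(hal_customizehidl, hal_customizehidl_hwservice)\nget_prop(hal_customizehidl, hwservicemanager_prop)\n"
        "hwbinder_use(hal_customizehidl)\nadd_service(hal_customizehidl, hal_customizehidl_service)\nbinder_use(hal_customizehidl)",
}

def context_types(text):
    """Map each *_contexts key (path regex or service name) to its SELinux type name."""
    pairs = (line.split() for line in text.splitlines())
    return {p[0]: p[1].split(":")[2] for p in pairs if len(p) == 2 and p[1].startswith("u:object_r:")}

def check_hal_policy(files, hal, version, iface, instance="default"):
    """Return the pieces that are missing or inconsistent for this HAL; [] means
    every line from the post is present and the domain matches the *_exec prefix."""
    problems = []
    exec_types = re.findall(r"^type (\w+)_exec,", files.get("file.te", ""), re.M)
    if not exec_types:
        return ["file.te: no *_exec type declared"]
    domain = exec_types[0]  # the .te domain must use exactly this prefix
    binary = f"/vendor/bin/hw/{hal}@{version}-service"
    fc = context_types(files.get("file_contexts", ""))
    if not any(re.fullmatch(p, binary) and t == f"{domain}_exec" for p, t in fc.items()):
        problems.append(f"file_contexts: {binary} not labelled {domain}_exec")
    for fname, key, suffix in (("hwservice", f"{hal}::{iface}", "hwservice"),
                               ("service", f"{hal}.{iface}/{instance}", "service")):
        # the *_contexts entry and the matching type declaration go together
        if context_types(files.get(f"{fname}_contexts", "")).get(key) != f"{domain}_{suffix}":
            problems.append(f"{fname}_contexts: {key} not labelled {domain}_{suffix}")
        if not re.search(rf"^type {domain}_{suffix},", files.get(f"{fname}.te", ""), re.M):
            problems.append(f"{fname}.te: type {domain}_{suffix} not declared")
    te = files.get(f"{domain}.te", "")
    if not re.search(rf"^type {domain}, domain;", te, re.M):
        problems.append(f"{domain}.te: domain {domain} not declared (must match {domain}_exec)")
    for macro in (f"init_daemon_domain({domain})", f"add_hwservice({domain}, {domain}_hwservice)",
                  f"get_prop({domain}, hwservicemanager_prop)", f"hwbinder_use({domain})",
                  f"add_service({domain}, {domain}_service)", f"binder_use({domain})"):
        if macro not in te:
            problems.append(f"{domain}.te: missing {macro}")
    return problems
```

Run it against the real files by reading each path from the post into the dictionary under the same keys; an empty list means the set is complete.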
To make the above easier to understand, here are the definitions of the macros used in hal_customizehidl.te (from the AOSP te_macros file).
    # upon executing its binary.
    define(`init_daemon_domain', `
    domain_auto_trans(init, $1_exec, $1)
    ')

    define(`domain_auto_trans', `
    # Allow the necessary permissions.
    domain_trans($1,$2,$3)
    # Make the transition occur by default.
    type_transition $1 $2:process $3;
    ')

    define(`domain_trans', `
    # Old domain may exec the file and transition to the new domain.
    allow $1 $2:file { getattr open read execute map };
    allow $1 $3:process transition;
    # New domain is entered by executing the file.
    allow $3 $2:file { entrypoint open read execute getattr map };
    # New domain can send SIGCHLD to its caller.
    ifelse($1, `init', `', `allow $3 $1:process sigchld;')
    # Enable AT_SECURE, i.e. libc secure mode.
    dontaudit $1 $3:process noatsecure;
    # XXX dontaudit candidate but requires further study.
    allow $1 $3:process { siginh rlimitinh };
    ')

    define(`hwbinder_use', `
    # Call the hwservicemanager and transfer references to it.
    allow $1 hwservicemanager:binder { call transfer };
    # Allow hwservicemanager to send out callbacks
    allow hwservicemanager $1:binder { call transfer };
    # hwservicemanager performs getpidcon on clients.
    allow hwservicemanager $1:dir search;
    allow hwservicemanager $1:file { read open map };
    allow hwservicemanager $1:process getattr;
    # rw access to /dev/hwbinder and /dev/ashmem is presently granted to
    # all domains in domain.te.
    ')

    define(`add_hwservice', `
    allow $1 $2:hwservice_manager { add find };
    allow $1 hidl_base_hwservice:hwservice_manager add;
    neverallow { domain -$1 } $2:hwservice_manager add;
    ')

    define(`get_prop', `
    allow $1 $2:file { getattr open read map };
    ')

    define(`add_service', `
    allow $1 $2:service_manager { add find };
    neverallow { domain -$1 } $2:service_manager add;
    ')

    define(`binder_use', `
    # Call the servicemanager and transfer references to it.
    allow $1 servicemanager:binder { call transfer };
    # Allow servicemanager to send out callbacks
    allow servicemanager $1:binder { call transfer };
    # servicemanager performs getpidcon on clients.
    allow servicemanager $1:dir search;
    allow servicemanager $1:file { read open };
    allow servicemanager $1:process getattr;
    # rw access to /dev/binder and /dev/ashmem is presently granted to
    # all domains in domain.te.
    ')