6. HAL 服务 sepolicy，以 sensor HAL 为例

以sensor为例

  1. system/sepolicy/public/attributes
    # declares the three attributes hal_sensors, hal_sensors_client and
    # hal_sensors_server (the generic hal_attribute(foo) recipe is quoted further
    # down); server and client domains are attached to them later through
    # hal_server_domain / hal_client_domain
    hal_attribute(sensors);

  2. system/sepolicy/vendor/file_contexts

# labels the sensors HAL binary (the ".multihal" variant included) as
# hal_sensors_default_exec; that label is what init_daemon_domain() in
# hal_sensors_default.te keys on to move the process from init into the
# hal_sensors_default domain when the daemon is exec'd
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0

  3. system/sepolicy/vendor/hal_sensors_default.te

    # declare the type hal_sensors_default and attach the domain attribute
    # (original note: a domain that lives in the system partition must also
    # carry coredomain; this one is a vendor domain and does not)
    type hal_sensors_default, domain;
    # make hal_sensors_default the server-side domain of hal_sensors;
    # hal_sensors itself is declared by hal_attribute(sensors) in public/attributes
    hal_server_domain(hal_sensors_default, hal_sensors)
    # declare hal_sensors_default_exec, the label of the HAL binary, with the
    # exec_type, vendor_file_type and file_type attributes
    type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
    # let init transition into hal_sensors_default when it execs a file labelled
    # hal_sensors_default_exec, i.e. when it starts the HAL daemon
    init_daemon_domain(hal_sensors_default)
    
    # look up the framework scheduler hwservice in hwservicemanager (find only)
    allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
    
    # read-only access to input device nodes: directory listing plus read on
    # the character devices, no write
    allow hal_sensors_default input_device:dir r_dir_perms;
    allow hal_sensors_default input_device:chr_file r_file_perms;
    
    # Allow sensor hals to access and use gralloc memory allocated by
    # android.hardware.graphics.allocator
    allow hal_sensors_default hal_graphics_allocator_default:fd use;
    allow hal_sensors_default ion_device:chr_file r_file_perms;
    allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
    
    # allow sensor hal to use lock for keeping system awake for wake up
    # events delivery.
    wakelock_use(hal_sensors_default);
    
    # allow sensor hal to use ashmem fd from system_server.
    # (fd:use only - the domain may operate on descriptors handed to it; this
    # rule grants nothing on system_server's own files)
    allow hal_sensors_default system_server:fd use;
    
  4. system/sepolicy/public/hal_sensors.te

    # HwBinder IPC from client to server
    binder_call(hal_sensors_client, hal_sensors_server)
    
    # tie the hal_sensors attribute to its HwBinder (hwservicemanager) service type
    hal_attribute_hwservice(hal_sensors, hal_sensors_hwservice)
    
    # Allow sensor hals to access ashmem memory allocated by apps
    # (isolated_app is explicitly excluded from the set of fd sources)
    allow hal_sensors { appdomain -isolated_app }:fd use;
    
    # Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
    # fd is passed in from framework sensorservice HAL.
    allow hal_sensors hal_allocator:fd use;
    
    # allow to run with real-time scheduling policy
    # (capabilities are granted on self, so the target is the domain itself)
    allow hal_sensors self:global_capability_class_set sys_nice;
    
    # servicemanager side, as opposed to the hwservice rule above: the server
    # may register hal_sensors_service and talk to servicemanager over binder
    # (the instance name is bound to that type in service_contexts)
    add_service(hal_sensors_server, hal_sensors_service)
    binder_call(hal_sensors_server, servicemanager)
    
    # clients may only look the service up; the add side is given to
    # hal_sensors_server alone by the add_service rule above
    allow hal_sensors_client hal_sensors_service:service_manager find;
    
  5. system/sepolicy/private/service_contexts

    # bind the AIDL instance name to hal_sensors_service so that the
    # add_service / service_manager find rules in hal_sensors.te apply to it
    android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0

  6. system/sepolicy/public/service.te

    # NOTE(review): this declares the framework-side sensorservice type (it
    # carries the system_server_service, app_api_service and
    # ephemeral_app_api_service attributes); the HAL service type
    # hal_sensors_service referenced in hal_sensors.te and service_contexts is
    # not declared anywhere on this page - confirm where that declaration lives
    type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

  • 查看安全上下文
    • ps -AZ
    • ls -Z

https://source.android.com/docs/core/architecture/aidl/aidl-hals#sepolicy

    # Generic recipe from the AOSP AIDL HAL page linked above; "foo" stands for
    # the HAL name. The policy language only recognises "#" as a comment
    # marker, so the "//" lines below are explanatory and not meant to be
    # pasted verbatim. Compared with the sensors example above, this recipe
    # uses the single hal_attribute_service macro where hal_sensors.te spells
    # out add_service plus the service_manager find rule separately, and the
    # type line here lacks the trailing ";" that service.te above uses.
    public/attributes:
    // define hal_foo, hal_foo_client, hal_foo_server
    hal_attribute(foo)

    public/service.te
    // define hal_foo_service
    type hal_foo_service, hal_service_type, protected_service, service_manager_type

    public/hal_foo.te:
    // allow binder connection from client to server
    binder_call(hal_foo_client, hal_foo_server)
    // allow client to find the service, allow server to register the service
    hal_attribute_service(hal_foo, hal_foo_service)
    // allow binder communication from server to service_manager
    binder_use(hal_foo_server)

    private/service_contexts:
    // bind an AIDL service name to the selinux type
    android.hardware.foo.IFooXxxx/default u:object_r:hal_foo_service:s0

    private/<some_domain>.te:
    // let this domain use the hal service
    binder_use(some_domain)
    hal_client_domain(some_domain, hal_foo)

    vendor/<some_hal_server_domain>.te
    // let this domain serve the hal service
    hal_server_domain(some_hal_server_domain, hal_foo)
