system权限应用读sys,proc目录及SN号
Android13预置的system应用,需要读/sys, /proc目录,读(SN)serial number号, 需要修改selinux配置,否则会报avc错.
其修改方法会比Android11复杂一些.
实现
- system_app.te中添加
patch
diff --git a/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te b/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te
index 19ef6f8d662..08f8e4858e3 100755
--- a/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te
+++ b/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te
@@ -106,3 +106,10 @@ allow system_app uniview_file:file { getattr write open create read append watch
allow system_app uniview_file:dir { search getattr write add_name create read open };
allow system_app tombstone_data_file:dir { read watch };
allow system_app vendor_hxy_prop:file { read map getattr open };
+allow system_app prod_file:dir { remove_name };
+allow system_app sysfs:file { getattr open read write };
+allow system_app sysfs:dir { search };
+allow system_app vendor_default_prop:property_service { set };
+allow system_app proc:file { open read };- coredomain.te在添加proc与sys的例外
system/sepolicy/prebuilts/api/33.0/private/coredomain.te
system/sepolicy/private/coredomain.te
给proc与sys的neverallow添加-system_app
xml
full_treble_only(`
# /proc
neverallow {
coredomain
-init
-vold
-system_app
} proc:file no_rw_file_perms;
# /sys
neverallow {
coredomain
-apexd
-init
-ueventd
-vold
-system_app
} sysfs:file no_rw_file_perms;-
修改domain添加serialno_prop例外
一般只要修改private下的domain.te
system/sepolicy/prebuilts/api/33.0/private/domain.te
system/sepolicy/private/domain.te
如果要进行扩展,则还要修改
system/sepolicy/public/domain.te
system/sepolicy/prebuilts/api/33.0/public/domain.te
修改compatible_property_only- neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
- neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;
修改serialno_prop:file r_file_perms,添加-system_app
完整内容如下
compatible_property_only(`
neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
neverallow { domain -init } exported_secure_prop:property_service set;
neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
')
# Do not allow reading device's serial number from system properties except form
# a few allowed domains.
neverallow {
domain
-adbd
-dumpstate
-fastbootd
-hal_camera_server
-hal_cas_server
-hal_drm_server
userdebug_or_eng(`-incidentd')
-init
-mediadrmserver
-mediaserver
-recovery
-shell
-system_server
-vendor_init
-system_app
} serialno_prop:file r_file_perms;-
property_service set添加例外
system/sepolicy/prebuilts/api/33.0/private/property.te
system/sepolicy/private/property.te
property_service set的neverallow加上-system_appneverallow { coredomain -init -system_app } {
vendor_property_type
-vendor_public_property_type
}:property_service set;
property_service set compatible_property_only中的neverallow加上-system_app
compatible_property_only(`
# Neverallow coredomain to set vendor properties
neverallow {
coredomain
-init
-system_writes_vendor_properties_violators
-system_app
} {
property_type
-system_property_type
-extended_core_property_type
}:property_service set;
')-
app.te中添加proc,sys例外
system/sepolicy/prebuilts/api/33.0/public/app.te
system/sepolicy/public/app.te
sysfs:dir_file_class_set与proc:dir_file_class_set write的neverallow中添加-system_appWrite to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -system_app }
sysfs:dir_file_class_set write;
neverallow { appdomain -system_app }
proc:dir_file_class_set write;
作者:帅得不敢出门 原创文章谢绝转载收录