Android13配置selinux让system应用可读sys,proc,SN号
system权限应用读sys,proc目录及SN号
Android13预置的system应用,需要读/sys, /proc目录,读(SN)serial number号, 需要修改selinux配置,否则会报avc错.
其修改方法会比Android11复杂一些.
实现
- system_app.te中添加
diff --git a/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te b/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te
index 19ef6f8d662..08f8e4858e3 100755
--- a/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te
+++ b/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te
@@ -106,3 +106,10 @@ allow system_app uniview_file:file { getattr write open create read append watchallow system_app uniview_file:dir { search getattr write add_name create read open };allow system_app tombstone_data_file:dir { read watch };allow system_app vendor_hxy_prop:file { read map getattr open };
+allow system_app prod_file:dir { remove_name };
+allow system_app sysfs:file { getattr open read write };
+allow system_app sysfs:dir { search };
+allow system_app vendor_default_prop:property_service { set };
+allow system_app proc:file { open read };
- coredomain.te在添加proc与sys的例外
system/sepolicy/prebuilts/api/33.0/private/coredomain.te
system/sepolicy/private/coredomain.te
给proc与sys的neverallow添加-system_app
full_treble_only(`# /procneverallow {coredomain-init-vold-system_app} proc:file no_rw_file_perms;# /sysneverallow {coredomain-apexd-init-ueventd-vold-system_app} sysfs:file no_rw_file_perms;
- 修改domain添加serialno_prop例外
一般只要修改private下的domain.te
system/sepolicy/prebuilts/api/33.0/private/domain.te
system/sepolicy/private/domain.te
如果要进行扩展,则还要修改
system/sepolicy/public/domain.te
system/sepolicy/prebuilts/api/33.0/public/domain.te
修改compatible_property_only
- neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+ neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;
修改serialno_prop:file r_file_perms,添加-system_app
完整内容如下
compatible_property_only(`neverallow { domain -init } mmc_prop:property_service set; neverallow { domain -init -vendor_init } exported_default_prop:property_service set; neverallow { domain -init } exported_secure_prop:property_service set; neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set; neverallow { domain -init -vendor_init } storage_config_prop:property_service set; neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
')# Do not allow reading device's serial number from system properties except form
# a few allowed domains.
neverallow {domain-adbd-dumpstate-fastbootd-hal_camera_server-hal_cas_server-hal_drm_serveruserdebug_or_eng(`-incidentd')-init-mediadrmserver-mediaserver-recovery-shell-system_server-vendor_init-system_app
} serialno_prop:file r_file_perms;
- property_service set添加例外
system/sepolicy/prebuilts/api/33.0/private/property.te
system/sepolicy/private/property.te
property_service set的neverallow加上-system_app
neverallow { coredomain -init -system_app } {vendor_property_type-vendor_public_property_type
}:property_service set;
property_service set compatible_property_only中的neverallow加上-system_app
compatible_property_only(`# Neverallow coredomain to set vendor propertiesneverallow {coredomain-init-system_writes_vendor_properties_violators-system_app} {property_type-system_property_type-extended_core_property_type}:property_service set;
')
- app.te中添加proc,sys例外
system/sepolicy/prebuilts/api/33.0/public/app.te
system/sepolicy/public/app.te
sysfs:dir_file_class_set与proc:dir_file_class_set write的neverallow中添加-system_app
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -system_app }sysfs:dir_file_class_set write;
neverallow { appdomain -system_app }proc:dir_file_class_set write;
作者:帅得不敢出门 原创文章谢绝转载收录