I am currently working on a system kiosk application for a custom Android 9 OS. When attempting OTA updates we noticed a problem similar to this one: https://stackoverflow.com/a/55748901
In short, the SELinux policy seems to block the system app (running as a system process) from performing some of the tasks an OTA update requires. Since the source is entirely under our control, I would like to modify the SELinux policy to allow the denials below:
avc: denied { remove_name } for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied { getattr } for path="/cache/recovery/uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied { dac_read_search } for capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1
So far I have updated the device's system_app.te file to add the listed operations to the allow list, but when I try to rebuild I get a large number of SELinux-related build errors.
system_app.te:
typeattribute system_app system_writes_vendor_properties_violators;
set_prop(system_app, vendor_bluetooth_prop)
get_prop(system_app, vendor_default_prop)
allow system_app system_app_data_file:notdevfile_class_set rw_file_perms;
allow system_app cache_recovery_file:dir { search write add_name remove_name };
allow system_app cache_recovery_file:file { create write open remove_name getattr setattr };
allow system_app cache_file:dir { rw_file_perms add_name create search };
allow system_app cache_file:file { rw_file_perms create };
allow system_app caam_device:chr_file rw_file_perms;
allow system_app net_radio_prop:property_service { set };
allow system_app net_radio_prop:property_service { set };
allow system_app ctl_default_prop:property_service { set };
allow system_app dhcp_prop:property_service { set };
allow system_app net_dns_prop:property_service { set };
allow system_app http_proxy_prop:property_service { set };
allow system_app net_dns_prop:file { read } ;
allow system_app update_engine:binder { call transfer };
allow system_app vendor_file:file { read open getattr };
allow system_app fs_bpf:dir { search };
allow system_app sysfs_leds:dir search;
allow system_app sysfs_slate:file { getattr open read write };
allow system_app slate_crs_device:chr_file { open read write };
allow system_app selinuxfs:file { read open };
allow system_app config_gz:file { read open getattr };
allow system_app proc:file { open read };
Error log produced by the AOSP build:
[ 29% 18768/64380] build out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(rm -f out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
device/seco/imx6dq/sepolicy/system_app.te:8:ERROR 'permission remove_name is not defined for class file' at token ';' on line 42513:
allow system_app cache_recovery_file:dir { search write add_name remove_name };
allow system_app cache_recovery_file:file { create write open remove_name getattr setattr };
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[ 29% 18769/64380] build out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy
FAILED: out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ \"user\" = \"user\" -a -s out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
device/seco/imx6dq/sepolicy/system_app.te:8:ERROR 'permission remove_name is not defined for class file' at token ';' on line 42942:
allow system_app cache_recovery_file:dir { search write add_name remove_name };
allow system_app cache_recovery_file:file { create write open remove_name getattr setattr };
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
[ 29% 18770/64380] build out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
out/host/linux-x86/bin/checkpolicy: policy configuration loaded
out/host/linux-x86/bin/checkpolicy: writing CIL to out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil.tmp
[ 29% 18771/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/font_output_stream.cc
[ 29% 18772/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/font_data.cc
[ 29% 18773/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/readable_font_data.cc
[ 29% 18774/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/port/memory_input_stream.cc
[ 29% 18775/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/growable_memory_byte_array.cc
ninja: build stopped: subcommand failed.
21:53:56 ninja failed with: exit status 1
#### failed to build some targets (20:25 (mm:ss)) ####
Any advice on how to customise these policies correctly is appreciated.
Posted on 2021-12-13 20:27:29
Based on your denials, the policy should be
allow system_app cache_recovery_file:dir create_dir_perms;
allow system_app cache_recovery_file:file create_file_perms;
See the global macro definitions here
Also, a good way to resolve SELinux denials is to search for them on GitHub and see how others have solved them. Take a look at this example, which has denials similar to yours
https://stackoverflow.com/questions/70253597
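As an added example that is not part of the original question or answer, and not AOSP code, here is a small audit2allow-style Python helper for the denials quoted above. It parses the `avc: denied` lines into per-(source, target, class) allow rules, checks every permission against the object class it is requested on (so a directory permission such as `remove_name` on a `file` rule is caught before checkpolicy rejects the build), and expands the `create_dir_perms` / `create_file_perms` macros the answer recommends to confirm they cover the denied permissions and to show what else they grant. The `CLASS_PERMS` and `MACROS` tables are hand-transcribed subsets of the SELinux access vectors and of AOSP global_macros, only as large as this page needs, and the function names are my own.

```python
"""Added example (not from the original post or AOSP): denial -> rule helper."""
import re
from collections import OrderedDict

# Assumption: hand-transcribed subset of the SELinux access vectors, covering
# only the classes that appear in the denials quoted on this page.
CLASS_PERMS = {
    "dir": {"ioctl", "read", "write", "create", "getattr", "setattr", "lock",
            "unlink", "link", "rename", "open", "search", "add_name",
            "remove_name", "reparent", "rmdir"},
    "file": {"ioctl", "read", "write", "create", "getattr", "setattr", "lock",
             "unlink", "link", "rename", "open", "append", "execute",
             "execute_no_trans", "entrypoint"},
    "capability": {"chown", "dac_override", "dac_read_search", "fowner",
                   "setuid", "setgid", "net_admin", "sys_admin"},
}

# Assumption: hand-transcribed subset of AOSP global_macros (the real file is
# m4); a macro may name other macros, which expand() resolves recursively.
MACROS = {
    "r_file_perms": {"getattr", "open", "read", "ioctl", "lock"},
    "w_file_perms": {"open", "append", "write", "lock"},
    "rw_file_perms": {"r_file_perms", "w_file_perms"},
    "create_file_perms": {"create", "rename", "setattr", "unlink", "rw_file_perms"},
    "r_dir_perms": {"open", "getattr", "read", "search", "ioctl", "lock"},
    "w_dir_perms": {"open", "search", "write", "add_name", "remove_name", "lock"},
    "rw_dir_perms": {"r_dir_perms", "w_dir_perms"},
    "create_dir_perms": {"create", "reparent", "rmdir", "setattr", "rw_dir_perms"},
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=u:r:(?P<src>[^:\s]+):s0\s+"
    r"tcontext=u:(?:r|object_r):(?P<tgt>[^:\s]+):s0\s+"
    r"tclass=(?P<cls>\S+)")
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>[^\s;]+))\s*;")


def expand(perms):
    """Replace macro names with the permissions they define, recursively."""
    out = set()
    for p in perms:
        out |= expand(MACROS[p]) if p in MACROS else {p}
    return out


def parse_denial(line):
    """Return (source, target, class, perms) or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    src, tgt = m.group("src"), m.group("tgt")
    # A domain acting on itself is written as `self` in policy.
    return src, ("self" if tgt == src else tgt), m.group("cls"), set(m.group("perms").split())


def denials_to_rules(lines):
    """Group denials into one `allow src tgt:cls { perms };` rule per triple."""
    grouped = OrderedDict()
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            src, tgt, cls, perms = d
            grouped.setdefault((src, tgt, cls), set()).update(perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in grouped.items()]


def undefined_perms(rule):
    """Permissions (after macro expansion) the rule's class does not define; [] is clean."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"not an allow rule: {rule!r}")
    cls = m.group("cls")
    if cls not in CLASS_PERMS:
        raise ValueError(f"class {cls} is not in the hand-transcribed table")
    return sorted(expand((m.group("set") or m.group("one")).split()) - CLASS_PERMS[cls])


def missing_from_macro(macro, denied):
    """Denied permissions the macro would NOT grant; [] means the macro covers them."""
    return sorted(set(denied) - expand([macro]))


def granted_beyond(macro, denied):
    """What the macro grants on top of the denied set (the least-privilege cost)."""
    return sorted(expand([macro]) - set(denied))


# The four denials copied from the question above (constructed sample input).
DENIALS = [
    'avc: denied { remove_name } for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=1',
    'avc: denied { setattr } for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1',
    'avc: denied { getattr } for path="/cache/recovery/uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1',
    'avc: denied { dac_read_search } for capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1',
]

if __name__ == "__main__":
    for rule in denials_to_rules(DENIALS):
        print(rule, "  # undefined:", undefined_perms(rule))
    bad = "allow system_app cache_recovery_file:file { create write open remove_name getattr setattr };"
    print("checkpolicy would reject:", undefined_perms(bad))
    denied_dir = ["search", "write", "add_name", "remove_name"]
    print("create_dir_perms misses:", missing_from_macro("create_dir_perms", denied_dir))
    print("create_dir_perms also grants:", granted_beyond("create_dir_perms", denied_dir))
```

Running it prints the three grouped rules, flags `remove_name` as undefined for class `file` (the exact parse error in the build log), and shows that `create_dir_perms` covers the denied directory permissions while also granting `create`, `rmdir`, `reparent`, `setattr` and the read permissions the denials never asked for; whether that wider grant is acceptable for `system_app` on `/cache/recovery` is the judgement the macro-based rule asks you to make. The grouping also keeps the `dac_read_search` denial in the `init` domain, where it came from, rather than folding it into system_app.te.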