#文章目录
#前言
#SELinux来源
#SELinux基本框架
#SELinux 在不同版本的表现
#使用audit2allow工具生成SELinux 权限
#完整代码
#前言
先推荐下之前的SELinux文章,但是那个是7.1的,在9.0上已经在差别很大的了。
Android7.1 在init.rc 添加shell服务
题外话~
在企业里面做项目和在大学里面做有比较大的差别,企业需要把技术转变成产品,然后把产品拿出去卖来赚钱。所以就不得不考虑到研发周期,采购成本,还有销售渠道。如果研发花费了很大的力气都搞不定,或者硬件设计上本身存在非常大的风险和研发周期,那可能对项目会是致命性的。销售可以不断的吹牛,但是吹牛的时间越长,诚信成本就越大,要不然贾老板的车千呼万唤始出来之后为啥那么多问题。
#SELinux来源
SELinux 即Security-Enhanced Linux, 由美国国家安全局(NSA)发起, Secure Computing Corporation (SCC) 和 MITRE 直接参与开发, 以及很多研究机构(如犹他大学)一起参与的强制性安全审查机制, 该系统最初是作为一款通用访问软件,发布于 2000 年 12 月(代码采用 GPL 许可发布)。并在Linux Kernel 2.6 版本后, 有直接整合进入SELinux, 搭建在Linux Security Module(LSM)基础上, 目前已经成为最受欢迎,使用最广泛的安全方案。
#SELinux基本框架
SELinux 是典型的MAC-Mandatory Access Controls 实现, 对系统中每个对象都生成一个安全上下文(Security Context), 每一个对象访问系统的资源都要进行安全上下文审查。审查的规则包括类型强制检测(type enforcement), 多层安全审查(Multi-Level Security), 以及基于角色的访问控制(RBAC: Role Based Access Control).
SELinux 搭建在Linux Security Module(LSM)基础上, 关于 LSM 架构的详细描述请参见文章 “Linux Security Modules: General Security Support for the Linux Kernel”, 该文章在 2002 年的 USENIX Security 会议上发表。有完整的实现LSM 的所有hook function. SELinux 的整体结构如下图所示:
#SELinux 在不同版本的表现
安卓在很早就已经执行了SELinux了,但是在不同的安卓版本,使用起来还是有些差别,现在我们用到了安卓9.0,可以说是最严格的权限了。以前修改一个allow的编译问题,如果不可以,就去domain.te里面把neverallow相关的添加进去,9.0上已经不行了,必须要严格安卓标准来声明和申请。
#使用audit2allow工具生成SELinux 权限
这个工具决定是一个神器,这个工具可以在SDK里面找到,有了这个工具后,再把SELinux的错误保存到一个文件里面,这样就可以使用工具来生成allow的权限问题了。
工具位置:
./external/selinux/prebuilts/bin/audit2allow
应用具体截图:
参考:
https://blog.csdn.net/q1183345443/article/details/90438283
#完整代码
我们项目需要开启一个服务,这个服务就是几个脚本的事情,这个脚本可以直接写在init.rc里面。不过呢,我考虑到直接写在init.rc里面总是出现各种问题,替换起来也比较麻烦,还有一点是写成可执行文件服务和init.rc里面执行的服务,在SELinux的权限要求还有差别。
这个问题跟几个大牛也讨论过,因为这个问题我们邓总还加班给我搞,可惜的是还是没有搞定,主要是方向没有找对,第二天我自己再看了下代码,觉得我应该是那个万中无一的男人,然后我也没干啥,在SELinux的file_context文件里面找了一个一样需要exec服务的东东,然后打开source insight,先全局搜索一下,按照这个东东依次添加进去。特别要注意的是,因为在source insight里面修改不会加回车,需要在Linux里面再修改回来一次,要不然导致的问题是编译不通过。
再然后就是编译了,如果还是局部编译可能还是有问题,因为之前乱改的很多东西对环境有影响了,然后我删了out全局编译。烧录后使用top命令看了看服务,惊讶的发现,服务已经起来了。
开机的时候,还是会看到很多SELinux的权限问题,这个就需要使用我们上面的工具来修改下了。
这套完整代码,只适合在android9.0上去用,如果是其他安卓版本的话,只能作为参考,但是在低版本上肯定比9.0容易得多。
diff --git a/device/mediatek/sepolicy/basic/plat_private/file_contexts b/device/mediatek/sepolicy/basic/plat_private/file_contexts
index f306119717..3271d2b624 100644
--- a/device/mediatek/sepolicy/basic/plat_private/file_contexts
+++ b/device/mediatek/sepolicy/basic/plat_private/file_contexts
@@ -42,3 +42,5 @@/sys/devices/platform/vibrator@0/leds/vibrator(/.*)? u:object_r:sysfs_vibrator:s0/sys/block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
+/system/bin/zigbee_service u:object_r:zigbee_service_exec:s0
+
diff --git a/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te b/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te
new file mode 100755
index 0000000000..94c23d7ec3
--- /dev/null
+++ b/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te
@@ -0,0 +1,20 @@
+#typeattribute zigbee_service coredomain;
+#type zigbee_service, domain;
+#type zigbee_service_exec, exec_type, file_type;
+#permissive zigbee_service;
+#init_daemon_domain(zigbee_service)
+
+# New added for move to /system
+typeattribute zigbee_service coredomain;
+type zigbee_service_exec , exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(zigbee_service)
+allow zigbee_service shell_exec:file execute;
+#allow zigbee_service zigbee_service_exec:file { getattr read open execute execute_no_trans};
+#allow zigbee_service shell_exec:file { getattr read open execute execute_no_trans};
+#allow zigbee_service system_file:file { getattr read open execute execute_no_trans};
+#allow zigbee_service system_data_file:file { getattr read open execute execute_no_trans};
diff --git a/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te b/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te
new file mode 100644
index 0000000000..b3d94d5cf8
--- /dev/null
+++ b/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te
@@ -0,0 +1,2 @@
+type zigbee_service ,domain;
+allow zigbee_service shell_exec:file execute;
diff --git a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts
index 9d6963909b..e3ac5ea245 100755
--- a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts
+++ b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts
@@ -38,3 +38,5 @@# For boot type/sys/devices/virtual/BOOT/BOOT/boot/boot_type(/.*)? u:object_r:sysfs_boot_type:s0
+/system/bin/zigbee_service u:object_r:zigbee_service_exec:s0
+
diff --git a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te
new file mode 100644
index 0000000000..b3d94d5cf8
--- /dev/null
+++ b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te
@@ -0,0 +1,2 @@
+type zigbee_service ,domain;
+allow zigbee_service shell_exec:file execute;
diff --git a/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil
index aac1622a40..d3db9d1acc 100755
--- a/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil
+++ b/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil
@@ -539,6 +539,7 @@(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))(typeattributeset statusbar_service_26_0 (statusbar_service))(typeattributeset boot_logo_updater_26_0 (boot_logo_updater))
+(typeattributeset zigbee_service_26_0 (zigbee_service))(typeattributeset idmap_26_0 (idmap))(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
diff --git a/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil
index ba093e7885..d92414362c 100755
--- a/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil
+++ b/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil
@@ -562,6 +562,7 @@(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))(typeattributeset statusbar_service_26_0 (statusbar_service))(typeattributeset boot_logo_updater_26_0 (boot_logo_updater))
+(typeattributeset zigbee_service_26_0 (zigbee_service))(typeattributeset idmap_26_0 (idmap))(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
diff --git a/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil
index 90d6baea41..a21e182ce3 100755
--- a/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil
+++ b/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil
@@ -565,6 +565,7 @@(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))(typeattributeset statusbar_service_26_0 (statusbar_service))(typeattributeset boot_logo_updater_26_0 (boot_logo_updater))
+(typeattributeset zigbee_service_26_0 (zigbee_service))(typeattributeset idmap_26_0 (idmap))(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
diff --git a/device/mediateksample/aiv8167sm3_bsp/device.mk b/device/mediateksample/aiv8167sm3_bsp/device.mk
index 3e5ad76a99..e8cfdfba8c 100644
--- a/device/mediateksample/aiv8167sm3_bsp/device.mk
+++ b/device/mediateksample/aiv8167sm3_bsp/device.mk
@@ -47,10 +47,10 @@ PRODUCT_COPY_FILES += $(LOCAL_PATH)/sbk-kpd.kl:system/usr/keylayout/sbk-kpd.kl:mendif# for zigbee
-PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/Z3GatewayHost:system/bin/Z3GatewayHost
-PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto:system/bin/mosquitto
-PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto.conf:system/bin/mosquitto.conf
-PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto_passwd:system/bin/mosquitto_passwd
+PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/Z3GatewayHost:data/gateway/Z3GatewayHost
+PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto:data/gateway/mosquitto
+PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto.conf:data/gateway/mosquitto.conf
+PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto_passwd:data/gateway/mosquitto_passwd# Add FlashTool needed files#PRODUCT_COPY_FILES += $(LOCAL_PATH)/EBR1:EBR1
@@ -219,7 +219,8 @@ PRODUCT_PACKAGES += \i2cset \tinymix \tinyplay \
- tinypcminfo
+ tinypcminfo \
+ zigbee_service# add CarBTDemoPRODUCT_PACKAGES += CarBTDemo
diff --git a/device/mediateksample/aiv8167sm3_bsp/init.project.rc b/device/mediateksample/aiv8167sm3_bsp/init.project.rc
index 75b1e7aa28..1a9d073db2 100644
--- a/device/mediateksample/aiv8167sm3_bsp/init.project.rc
+++ b/device/mediateksample/aiv8167sm3_bsp/init.project.rc
@@ -82,6 +82,9 @@ on post-fs-datamkdir /data/vendor/wifi/wpa 0770 wifi wifimkdir /data/vendor/wifi/wpa/sockets 0770 wifi wifi+#Zigbee
+ mkdir /data/gateway/ -p
+on boot# Wlan
@@ -94,6 +97,28 @@ service wpa_supplicant /vendor/bin/hw/wpa_supplicant \disabledoneshot+#zigbee service zigbee /system/bin/zigbee_service /data/gateway/mosquitto -c /data/gateway/mosquitto.conf -d
+service zigbee_service /system/bin/zigbee_service
+ user root
+ group root
+ class main
+ oneshot
+
+on property:sys.boot_completed=1
+ touch /data/gateway/log
+ echo "=== weiqifa === zigbee service#1 start" >> /data/gateway/log
+ write /dev/ttyMT0 "=== weiqifa === start zigbee service#1\n"
+ chmod 777 /data/gateway/Z3GatewayHost
+ chmod 777 /data/gateway/mosquitto
+ chmod 777 /data/gateway/mosquitto.conf
+ chmod 777 /data/gateway/mosquitto_passwd
+ chown system:system /data/gateway/Z3GatewayHost
+ chown system:system /data/gateway/mosquitto
+ chown system:system /data/gateway/mosquitto.conf
+ chown system:system /data/gateway/mosquitto_passwd
+ start zigbee_service
+ echo "=== weiqifa === zigbee service#1 end" >> /data/gateway/log
+service hdmi /system/bin/hdmiclass mainuser system
@@ -112,3 +137,4 @@ on initservice fuse_usbotg /system/bin/sdcard -u 1023 -g 1023 -w 1023 -d /mnt/media_rw/usbotg /storage/usbotgclass late_startdisabled
+
diff --git a/external/zigbee-service/Android.mk b/external/zigbee-service/Android.mk
new file mode 100755
index 0000000000..b38c2de48f
--- /dev/null
+++ b/external/zigbee-service/Android.mk
@@ -0,0 +1,8 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := zigbee_service
+LOCAL_SRC_FILES := zigbee-service.c
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_EXECUTABLE)
\ No newline at end of file
diff --git a/external/zigbee-service/zigbee-service.c b/external/zigbee-service/zigbee-service.c
new file mode 100755
index 0000000000..264c3d07ac
--- /dev/null
+++ b/external/zigbee-service/zigbee-service.c
@@ -0,0 +1,19 @@
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <linux/ioctl.h>
+#include <unistd.h>
+
+int main(int argc, char * const argv[])
+{
+
+ printf("=== weiqifa ===Zigbee start ...\n");
+ printf("argc:%d\n",argc);
+ printf("argv[0]:%s",argv[0]);
+ system("/data/gateway/mosquitto -c /data/gateway/mosquitto.conf -d");
+ printf("=== weiqifa ===Zigbee end ...\n");
+ return (0);
+}
\ No newline at end of file 回复「 篮球的大肚子」进入技术群聊
回复「1024」获取1000G学习资料
