问题描述

注意:我是SELinux政策的新手，并遵循 vndservicemanager(由Android制定)

Note: I am beginner in SELinux policy and followed vndservicemanager by Android

我有一个Java服务(MyService)，该服务在BootComplete接收器上启动.现在，我在MyService.java的onCreate中将myservice添加到ServiceManager.

I have a java service(MyService) that starts on the BootComplete receiver.Now i am adding myservice to ServiceManager in onCreate of MyService.java.

ServiceManager.addService(mysystemservice, mybinder);

根据高音架构，通过在应用程序的Android.mk中添加以下内容，将我的应用程序移至供应商图像分区.

As per treble architecture,I moved my application to vendor image partition by adding below in Android.mk of application.

LOCAL_VENDOR_MODULE := true

我对OEM SELinux政策进行了以下更改，早些时候它是为系统服务编写的，因为我将应用程序移至供应商，因此对供应商服务进行了更改，同时提供了旧的和当前的SE政策.

I made below changes in OEM SELinux policy, earlier it was written for system service now as i moved application to vendor so made changes for vendor service, providing both old and current SE policy.

OLD

在 private/service_contexts

mysystemservice u:object_r:my_service:s0

现在

在 vendor/common/vndservice_contexts

mysystemservice u:object_r:my_service:s0

OLD

在 public/service.te

type my_service，service_manager_type;

现在

在 vendor/common/vndservice.te

type my_service，vndservice_manager_type;

OLD

在 public/servicemanager.te

允许system_app my_service:service_manager添加；

现在

在 abc.te

type abc, domain;
type abc_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(abc)

vndbinder_use(abc)

binder_call(abc, system_app)

add_service(abc, my_service)

allow abc  my_service:service_manager  find;
allow abc  my_service:service_manager  add;

经过上述更改并进行了完整构建，我可以看到我的服务上下文是out/product/target/vendor/etc/selinux/vndservice_contexts..in的一部分，代替out/product/target/system.

After above changes and giving full build I can see my service context is part of out/product/target/vendor/etc/selinux/vndservice_contexts..inplace of out/product/target/system.

但是一旦Myservice.java尝试通过

But once Myservice.java try to add "mysystemservice" in ServiceManager by

ServiceManager.addService(mysystemservice，mybinder);

ServiceManager.addService(mysystemservice, mybinder);

我低于** avc被拒绝**错误

I get below **avc denied ** error

E/SELinux:avc:为service = mysystemservice pid = 7588 uid = 1000 scontext = u:r:system_app:s0 tcontext = u:object_r:default_android_service:s0 tclass = service_manager permissive = 0拒绝{添加}2019-11-14 12:44:39.613 592-592/?E/ServiceManager:add_service('mysystemservice'，b0)uid = 1000-权限被拒绝

我们在上面的日志中可以看到，目标上下文使用默认的" tcontext = u:object_r:default_android_service:s0 "代替" my_service "

As we can see in log above Target context is taking default "tcontext=u:object_r:default_android_service:s0" inplace of "my_service"

注意:如果我保留对系统映像的更改，则一切正常，唯一的问题是将SE策略更改移至供应商时.

Note: If i keep changes for system image everything works fine only issue is when i move SE policy changes to vendor.

请让我知道我是否错过了某件事或以其他任何方式添加服务.

Please let me know if i missed something or any other way is to add Service.

推荐答案

我可以看到的一个问题是您使用的是 abc.te ，但是您尚未在 seapp_context中定义它在 vendor/common/中.

One problem I can see is that you are using abc.te, but you have not defined this in your seapp_context inside vendor/common/.

您应该定义如下内容:

user=system
seinfo=platform
name=your.package.name
domain=adbc
type=system_app_data_file

此更改后， avc 错误将指向 abc 应用域.

After this change avc error will point to abc app domain.

这篇关于将具有Android高音体系结构的供应商服务添加到ServiceManager [SELinux政策]的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！