
A complete record of adding an SELinux configuration for an application

呱牛笔记
Published 2023-05-02 15:33:00

The company is short-staffed, especially on C developers, so I am the brick that gets carried wherever it is needed. This is a record of configuring an application to start at boot on an Android system from start to finish, including its SELinux permissions.

1. Add the application under the vendor directory and build it into the executable test_abc in /system/bin;

The first attempt followed a modification found online, but after building, the test_abc executable was not packaged into /system/bin:

```
aaa@abc-0C:~/work/ATOS_Q/vendor/test$ cat Android.mk
LOCAL_PATH := $(call my-dir)
PRODUCT_PACKAGES += \
        test_abc
include $(call all-makefiles-under,$(LOCAL_PATH))
```

Files in the test_abc/ directory:

Android.mk

test_abc.c

Android.mk:

```makefile
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)

LOCAL_SRC_FILES:= \
    test_abc.c

LOCAL_SHARED_LIBRARIES := \
    libcutils \
    libutils

LOCAL_C_INCLUDES += \
    bionic

LOCAL_MODULE := test_abc
LOCAL_MODULE_TAGS := optional

LOCAL_MULTILIB := 64

include $(BUILD_EXECUTABLE)
```

test_abc.c contains just a main function that works with files and a socket;

The fix for test_abc not being packaged into system/bin was to move the whole test_abc directory under the qcom vendor path:

```
aaa@abc-0C:~/work/ATOS_Q/vendor/qcom/bonito/test_abc$ pwd
/home1/gwb/work/ATOS_Q/vendor/qcom/bonito/test_abc
aaa@abc-0C:~/work/ATOS_Q/vendor/qcom/bonito/test_abc$ ls
Android.mk  test_abc.c
```

```
     23 #lyz add for test
     24 include vendor/xdja/test_abc/Android.mk
```

2. Add the file context (permission label) for test_abc:

```
aaa@abc-0C:~/work/ATOS_Q$ vi device/google/bonito-sepolicy/vendor/qcom/sdm710/file_contexts
     60 #lyz add for test
     61 /system/bin/test_abc u:object_r:test_abc_exec:s0
```

3. Add the boot-time start by editing ./system/core/rootdir/init.rc:

```
#lyz add for test
service test_abc /system/bin/test_abc
    class main
    oneshot
    seclabel u:r:test_abc:s0
```

4. Add the .te file:

```
aaa@abc-0C:~/work/ATOS_Q$ cat device/google/bonito-sepolicy/vendor/qcom/common/test_abc.te
type test_abc, domain, coredomain;
type test_abc_exec, file_type, system_file_type, exec_type;
init_daemon_domain(test_abc)
```

5. Build and verify; check the dmesg boot log:

```
[    9.191761] init: cannot setexeccon('u:r:test_abc_exec:s0') for test_abc: Invalid argument
```

The problem was presumably the wrong path for test_abc.te, so init did not recognize the label "u:r:test_abc_exec:s0" at startup.

Redo step 4: move test_abc.te into /device/google/bonito-sepolicy/private, rebuild the image, flash it and boot:

```
aaa@xdja-0C:~/work/ATOS_Q/device/google/bonito-sepolicy/private$ pwd
/home1/gwb/work/ATOS_Q/device/google/bonito-sepolicy/private
```
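The failure in step 5 comes from the three pieces of a service's policy disagreeing: the seclabel in init.rc names a domain, file_contexts names an exec type, and the .te file must declare both and wire them up with init_daemon_domain; if the .te file is not picked up by the build, init's setexeccon() fails at boot. The following is an added Python example, not code from the post: a small consistency check over the three snippets (the sample inputs are constructed copies of the ones shown above; the real paths are the ones in the text).

```python
import re

# Constructed sample inputs, shaped like the three snippets in this post.
FILE_CONTEXTS = """
#lyz add for test
/system/bin/test_abc u:object_r:test_abc_exec:s0
"""

INIT_RC = """
#lyz add for test
service test_abc /system/bin/test_abc
    class main
    oneshot
    seclabel u:r:test_abc:s0
"""

TE_POLICY = """
type test_abc, domain, coredomain;
type test_abc_exec, file_type, system_file_type, exec_type;
init_daemon_domain(test_abc)
"""

TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*,\s*([^;]+);", re.M)
CONTEXT_RE = re.compile(r"^(/\S+)\s+u:object_r:(\w+):s0", re.M)
DAEMON_RE = re.compile(r"^\s*init_daemon_domain\((\w+)\)", re.M)
SERVICE_RE = re.compile(r"^service\s+(\w+)\s+(\S+)")
SECLABEL_RE = re.compile(r"^\s*seclabel\s+u:r:(\w+):s0")


def parse_types(te_text):
    """Map each 'type X, attr, attr;' declaration to its set of attributes."""
    return {name: {a.strip() for a in attrs.split(",")}
            for name, attrs in TYPE_RE.findall(te_text)}


def parse_services(init_rc):
    """Map service name -> (binary path, seclabel domain or None)."""
    services, current = {}, None
    for line in init_rc.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            services[current] = [m.group(2), None]
            continue
        m = SECLABEL_RE.match(line)
        if m and current is not None:
            services[current][1] = m.group(1)
    return {name: tuple(v) for name, v in services.items()}


def check_service_policy(file_contexts, init_rc, te_text):
    """Return the list of inconsistencies; an empty list means the files agree."""
    problems = []
    types = parse_types(te_text)
    daemons = set(DAEMON_RE.findall(te_text))
    contexts = dict(CONTEXT_RE.findall(file_contexts))
    for name, (path, domain) in parse_services(init_rc).items():
        if domain is None:
            problems.append(f"service {name}: no seclabel line")
            continue
        # The step-5 failure: init's setexeccon() is rejected when the seclabel
        # names a domain that no compiled .te file declares.
        if "domain" not in types.get(domain, set()):
            problems.append(f"service {name}: domain {domain} is not declared as a domain type")
        exec_type = contexts.get(path)
        if exec_type is None:
            problems.append(f"service {name}: no file_contexts entry for {path}")
        elif "exec_type" not in types.get(exec_type, set()):
            problems.append(f"service {name}: {exec_type} is not declared with exec_type")
        if domain not in daemons:
            problems.append(f"service {name}: missing init_daemon_domain({domain})")
    return problems


if __name__ == "__main__":
    print("complete policy:", check_service_policy(FILE_CONTEXTS, INIT_RC, TE_POLICY))
    # Simulate the .te file not being compiled in (wrong directory, as in step 5).
    for p in check_service_policy(FILE_CONTEXTS, INIT_RC, ""):
        print("missing .te:", p)
```

Running it with the .te content replaced by an empty string reproduces the step-5 situation: the domain, the exec type and the init_daemon_domain() macro are all reported missing, which is exactly what init sees when it tries to apply the label.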

6. Check the dmesg boot log again; the expected denial messages finally appear:

```
[    9.178268] type=1400 audit(258.270:14): avc: denied { dac_override } for comm="test_abc" capability=1 scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=capability permissive=0
[    9.178488] type=1400 audit(258.273:16): avc: denied { dac_override } for comm="test_abc" capability=1 scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=capability permissive=0 duplicate messages suppressed
[    9.178500] type=1400 audit(258.273:17): avc: denied { create } for comm="test_abc" scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=tcp_socket permissive=0
[    9.609626] type=1400 audit(258.273:17): avc: denied { create } for comm="test_abc" scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=tcp_socket permissive=0
```

7. Edit test_abc.te to add the permissions test_abc needs, rebuild, and verify again:

```
#============= test_abc ==============
allow test_abc self:capability dac_override;
allow test_abc self:tcp_socket create;
```
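To show how the avc lines in step 6 become the allow rules in step 7, here is an added Python example (not code from the post): it parses the denial records, merges duplicates into one rule per source/target/class, and flags grants of sensitive capabilities such as dac_override, which usually point to a file-ownership or permission problem in the daemon that is better fixed there than papered over with policy. The first four log lines are copies of the ones above; the fifth line and the SENSITIVE_PERMS list are constructed additions of mine to exercise a non-self target with several permissions.

```python
import re
from collections import defaultdict

# Constructed sample: lines 1-4 mirror the dmesg output in step 6, line 5 is a
# made-up file denial added to show a non-self target and several permissions.
DMESG = """\
[    9.178268] type=1400 audit(258.270:14): avc: denied { dac_override } for comm="test_abc" capability=1 scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=capability permissive=0
[    9.178488] type=1400 audit(258.273:16): avc: denied { dac_override } for comm="test_abc" capability=1 scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=capability permissive=0 duplicate messages suppressed
[    9.178500] type=1400 audit(258.273:17): avc: denied { create } for comm="test_abc" scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=tcp_socket permissive=0
[    9.609626] type=1400 audit(258.273:17): avc: denied { create } for comm="test_abc" scontext=u:r:test_abc:s0 tcontext=u:r:test_abc:s0 tclass=tcp_socket permissive=0
[    9.700000] type=1400 audit(258.300:18): avc: denied { read open } for comm="test_abc" path="/data/local/tmp/cfg" scontext=u:r:test_abc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0
"""

DENIAL_RE = re.compile(
    r"avc: denied \{ ([^}]+) \} for .*?"
    r"scontext=u:r:(\w+):s0 tcontext=u:(?:r|object_r):(\w+):s0 tclass=(\w+)"
)

# Capabilities that bypass DAC or grant broad power (my own review list);
# a rule granting one of these deserves a fix in the daemon, not an allow.
SENSITIVE_PERMS = {"dac_override", "dac_read_search", "sys_admin", "setuid", "setgid"}


def parse_denials(text):
    """Return one (source_domain, target_type, tclass, permission) per denied permission."""
    out = []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        perms, source, target, tclass = m.groups()
        for perm in perms.split():
            out.append((source, target, tclass, perm))
    return out


def denials_to_rules(denials):
    """Collapse repeated denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for source, target, tclass, perm in denials:
        grouped[(source, target, tclass)].add(perm)
    rules = []
    for (source, target, tclass), perms in grouped.items():
        tgt = "self" if target == source else target      # same-domain target is written as self
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {source} {tgt}:{tclass} {perm_str};")
    return sorted(rules)


def flag_sensitive(rules):
    """Return the generated rules that grant a permission from SENSITIVE_PERMS."""
    return [r for r in rules if SENSITIVE_PERMS & set(re.findall(r"\w+", r))]


if __name__ == "__main__":
    rules = denials_to_rules(parse_denials(DMESG))
    for r in rules:
        print(r)
    for r in flag_sensitive(rules):
        print("REVIEW before adding:", r)
```

For the four real log lines the output is exactly the two rules added to test_abc.te in step 7; the dac_override rule is flagged because it lets the daemon ignore file ownership and mode bits entirely.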

8. Fix the problem that /system cannot be remounted as root:

```
E:\source\dual_os>adb root
restarting adbd as root
E:\source\dual_os>adb remount
W Disabling verity for /system
E Skipping /system
W Disabling verity for /vendor
E Skipping /vendor
W Disabling verity for /product
E Skipping /product
W No partitions to remount
/system/bin/remount exited with status 7
remount failed
```

Remounting the system path as root failed!

Solution:

First enter developer mode and enable the OEM unlocking option,

then `adb reboot bootloader`,

then `fastboot flashing unlock`,

then `fastboot getvar unlocked`.

Wait for the result; it normally shows yes. If it is not yes, you may need to search for a fix to that problem.

Then reboot, run `adb root` and `adb disable-verity`, reboot again, and `adb remount` will be able to mount it.

If adb remount fails, use disable-verity:

```
C:\Users\li>adb disable-verity
verity is already disabled
using overlayfs
Now reboot your device for settings to take effect
```

```
E:\source\dual_os>adb root
restarting adbd as root
E:\source\dual_os>adb remount
remount succeeded
E:\source\dual_os>
```

```
E:\source\dual_os>adb push E:\source\dual_os\test_abc /system/bin
120 KB/s (11560 bytes in 0.093s)
E:\source\dual_os>adb shell reboot
E:\source\dual_os>
```

SELinux has a great many concepts and is still hard to grasp; it also requires a grounding in the Linux kernel. All in all it is a matter of getting everything to click, and more study never hurts!

----------------------------------2021/12/09-----------------

Modifying the neverallow rule:

--- a/system/sepolicy/public/domain.te

+++ b/system/sepolicy/public/domain.te

@@ -1191,6 +1191,7 @@ neverallow {

   -init

   -runas

   -zygote

+  -abc_service

 } shell:process { transition dyntransition };
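Review bot: adding `-abc_service` to this exception list exempts the new domain from the platform-wide neverallow on transitioning (or dyntransitioning) into `shell:process`, a guarantee that until now only init, runas and zygote were excused from; the change gives no reason why a boot-time daemon needs to become the shell domain. Prefer granting abc_service its own allow rules for what it actually does, and if the exemption really is required, say why in the commit message and keep prebuilts/api/29.0/public/domain.te in step with it, as the git status on this page shows was done.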

```
/system/sepolicy# cat public/abc_service.te
type abc_service, domain;
type abc_service_exec, system_file_type, exec_type, file_type;
```

```
system/sepolicy# cat private/abc_service.te
typeattribute  abc_service coredomain;
init_daemon_domain(abc_service)
```

```
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

	modified:   prebuilts/api/29.0/private/file_contexts
	modified:   prebuilts/api/29.0/public/domain.te
	modified:   private/compat/26.0/26.0.ignore.cil
	modified:   private/compat/27.0/27.0.ignore.cil
	modified:   private/compat/28.0/28.0.ignore.cil
	modified:   private/file_contexts
	modified:   public/domain.te

Untracked files:
  (use "git add <file>..." to include in what will be committed)

	prebuilts/api/29.0/private/abc_service.te
	prebuilts/api/29.0/public/abc_service.te
	private/abc_service.te
	public/abc_service.te
```

--- a/system/sepolicy/private/compat/27.0/27.0.ignore.cil

+++ b/system/sepolicy/private/compat/27.0/27.0.ignore.cil

@@ -187,6 +187,8 @@

     wm_trace_data_file

     wpantund

     wpantund_exec

+    abc_service

+    abc_service_exec

     wpantund_service

     wpantund_tmpfs))
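Review bot: the two new entries are inserted between `wpantund_exec` and `wpantund_service`, breaking the alphabetical order this list keeps; move `abc_service` and `abc_service_exec` up next to the other `a*` types so the next merge does not conflict. The ignore list is what tells the compat mapping that these types did not exist in 27.0; the git status above shows 26.0 and 28.0 ignore.cil modified as well, and each of them needs the same pair of entries or the compat check will report the types as unmapped.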

References:

https://source.android.google.cn/security/selinux/customize

https://www.cnblogs.com/schips/p/android_add_custom_service_when_system_init.html

Originally published 2021/07/27 on the author's personal blog.