Updating Android 9 SELinux Policy To Allow OTA Updates by System App
Posted: 2022-01-12 03:22:33
Question: I am currently involved in developing a system kiosk app on an Android 9 custom OS. While attempting an OTA update, we noticed a problem similar to this one: https://***.com/a/55748901
In short, the SELinux policy seems to be blocking the system app (running as the system process) from performing some of the tasks needed for an OTA update. Since the source code is fully under our control, I would like to modify the SELinux policy to allow the following denials:
avc: denied remove_name for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=1
avc: denied setattr for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied getattr for path="/cache/recovery/uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied dac_read_search for capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1
So far I have updated the device's system_app.te file to add the listed operations to the allow list, but I am running into a long series of SELinux-related build errors when trying to rebuild.
system_app.te:
typeattribute system_app system_writes_vendor_properties_violators;
set_prop(system_app, vendor_bluetooth_prop)
get_prop(system_app, vendor_default_prop)
allow system_app system_app_data_file:notdevfile_class_set rw_file_perms;
allow system_app cache_recovery_file:dir search write add_name remove_name ;
allow system_app cache_recovery_file:file create write open remove_name getattr setattr ;
allow system_app cache_file:dir rw_file_perms add_name create search ;
allow system_app cache_file:file rw_file_perms create ;
allow system_app caam_device:chr_file rw_file_perms;
allow system_app net_radio_prop:property_service set ;
allow system_app net_radio_prop:property_service set ;
allow system_app ctl_default_prop:property_service set ;
allow system_app dhcp_prop:property_service set ;
allow system_app net_dns_prop:property_service set ;
allow system_app http_proxy_prop:property_service set ;
allow system_app net_dns_prop:file read ;
allow system_app update_engine:binder call transfer ;
allow system_app vendor_file:file read open getattr ;
allow system_app fs_bpf:dir search ;
allow system_app sysfs_leds:dir search;
allow system_app sysfs_slate:file getattr open read write ;
allow system_app slate_crs_device:chr_file open read write ;
allow system_app selinuxfs:file read open ;
allow system_app config_gz:file read open getattr ;
allow system_app proc:file open read ;
Error log produced by the AOSP build:
[ 29% 18768/64380] build out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(rm -f out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
device/seco/imx6dq/sepolicy/system_app.te:8:ERROR 'permission remove_name is not defined for class file' at token ';' on line 42513:
allow system_app cache_recovery_file:dir search write add_name remove_name ;
allow system_app cache_recovery_file:file create write open remove_name getattr setattr ;
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[ 29% 18769/64380] build out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy
FAILED: out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ \"user\" = \"user\" -a -s out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
device/seco/imx6dq/sepolicy/system_app.te:8:ERROR 'permission remove_name is not defined for class file' at token ';' on line 42942:
allow system_app cache_recovery_file:dir search write add_name remove_name ;
allow system_app cache_recovery_file:file create write open remove_name getattr setattr ;
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
[ 29% 18770/64380] build out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
out/host/linux-x86/bin/checkpolicy: policy configuration loaded
out/host/linux-x86/bin/checkpolicy: writing CIL to out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil.tmp
[ 29% 18771/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/font_output_stream.cc
[ 29% 18772/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/font_data.cc
[ 29% 18773/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/readable_font_data.cc
[ 29% 18774/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/port/memory_input_stream.cc
[ 29% 18775/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/growable_memory_byte_array.cc
ninja: build stopped: subcommand failed.
21:53:56 ninja failed with: exit status 1
#### failed to build some targets (20:25 (mm:ss)) ####
Any advice on how to properly customize these policies is appreciated.
Comments:
Answer 1: Based on your denials, the policy should be
allow system_app cache_recovery_file:dir create_dir_perms;
allow system_app cache_recovery_file:file create_file_perms;
See the global macros defined here
A good way to resolve SELinux denials is to search for them on GitHub and see how others have solved them. Take a look at this example, which is similar to your denials
Comments:
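As an added illustration (not code from the question or the answer), the following Python script parses avc denial lines like the ones in the question, groups them into one allow rule per source domain, target type and class, and checks each permission against a small constructed subset of the per-class permission table. That check is what would have caught remove_name on the file class before checkpolicy did; the denial lines embedded below are the ones from the question, and CLASS_PERMS is only a partial, hand-written subset of the real access vectors.

```python
import re
from collections import defaultdict

# Denial lines reproduced from the question above (system_app and init).
SAMPLE_DENIALS = [
    'avc: denied remove_name for name="uncrypt_file" dev="mmcblk3p5" ino=12 '
    'scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=1',
    'avc: denied setattr for name="uncrypt_file" dev="mmcblk3p5" ino=12 '
    'scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1',
    'avc: denied getattr for path="/cache/recovery/uncrypt_file" dev="mmcblk3p5" ino=12 '
    'scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1',
    'avc: denied dac_read_search for capability=2 scontext=u:r:init:s0 '
    'tcontext=u:r:init:s0 tclass=capability permissive=1',
]

# Constructed, partial per-class permission table (a subset of the SELinux
# access vectors); note that add_name/remove_name exist only for dir.
CLASS_PERMS = {
    "dir": {"search", "write", "add_name", "remove_name", "getattr", "setattr",
            "read", "open", "create", "rmdir", "reparent", "ioctl", "lock"},
    "file": {"create", "write", "open", "read", "getattr", "setattr", "unlink",
             "rename", "append", "ioctl", "lock", "execute"},
    "capability": {"dac_read_search", "dac_override", "chown", "fowner",
                   "setuid", "setgid"},
}

AVC_RE = re.compile(
    r"avc: denied (?P<perm>\w+) .*?scontext=u:r:(?P<src>\w+):s0 "
    r"tcontext=u:(?:r|object_r):(?P<tgt>\w+):s0 tclass=(?P<cls>\w+)"
)

def parse_denials(lines):
    """Return {(source_domain, target_type, class): set(permissions)}."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            rules[(m["src"], m["tgt"], m["cls"])].add(m["perm"])
    return dict(rules)

def check_rule_perms(cls, perms):
    """Return the permissions that are not defined for cls (checkpolicy's error)."""
    return sorted(set(perms) - CLASS_PERMS.get(cls, set()))

def emit_allow_rules(rules):
    """Render one allow rule per (source, target, class), rejecting bad perms."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        bad = check_rule_perms(cls, perms)
        if bad:
            raise ValueError(f"permission(s) {bad} not defined for class {cls}")
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out
```

Running emit_allow_rules(parse_denials(SAMPLE_DENIALS)) yields separate rules for the system_app and init domains, so the init capability denial is not silently folded into system_app.te.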
Hi Juan, thanks for the advice. I will be away from the project for a few weeks, but I will look into the link you sent and try to modify the policy accordingly when I get back.