更新 Android 9 SELinux 政策以允许通过系统应用进行 OTA 更新

Posted 2023-02-25

【中文标题】更新 Android 9 SELinux 政策以允许通过系统应用进行 OTA 更新

【英文标题】：Updating Android 9 SELinux Policy To Allow OTA Updates by System App

【发布时间】：2022-01-12 03:22:33

【问题描述】：

我目前正在参与在 android 9 自定义操作系统上开发系统信息亭应用。 在尝试 OTA 更新时，我们注意到与此问题类似的问题： https://***.com/a/55748901

总而言之，SElinux 策略似乎阻止了系统应用程序（作为系统进程运行）执行 OTA 更新所需的某些任务。由于源代码完全由我们控制，我希望修改 SELinux 策略以允许以下拒绝：

avc: denied  remove_name  for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=1
avc: denied  setattr  for name="uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied  getattr  for path="/cache/recovery/uncrypt_file" dev="mmcblk3p5" ino=12 scontext=u:r:system_app:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1
avc: denied  dac_read_search  for capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1

到目前为止，我已经更新了设备 system_app.te 文件以将列出的操作添加到允许列表中，但我在尝试重建时遇到了一长串与 SELinux 相关的构建错误。

system_app.te：

typeattribute system_app system_writes_vendor_properties_violators;

set_prop(system_app, vendor_bluetooth_prop)
get_prop(system_app, vendor_default_prop)

allow system_app system_app_data_file:notdevfile_class_set rw_file_perms;
allow system_app cache_recovery_file:dir  search write add_name remove_name ;
allow system_app cache_recovery_file:file  create write open remove_name getattr setattr ;
allow system_app cache_file:dir  rw_file_perms add_name create search ;
allow system_app cache_file:file   rw_file_perms create ;
allow system_app caam_device:chr_file  rw_file_perms;
allow system_app net_radio_prop:property_service   set ;
allow system_app net_radio_prop:property_service   set ;
allow system_app ctl_default_prop:property_service   set ;
allow system_app dhcp_prop:property_service   set ;
allow system_app net_dns_prop:property_service   set ;
allow system_app http_proxy_prop:property_service   set ;
allow system_app net_dns_prop:file  read  ;
allow system_app update_engine:binder  call transfer ;
allow system_app vendor_file:file  read open getattr ;
allow system_app fs_bpf:dir  search ;
allow system_app sysfs_leds:dir search;
allow system_app sysfs_slate:file  getattr open read write ;
allow system_app slate_crs_device:chr_file  open read write ;
allow system_app selinuxfs:file  read open ;
allow system_app config_gz:file  read open getattr ;
allow system_app proc:file  open read ;

AOSP 构建产生的错误日志：

[ 29% 18768/64380] build out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows 
/bin/bash -c "(rm -f out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows ) && (ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c        30 -o out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/policy.conf )"
device/seco/imx6dq/sepolicy/system_app.te:8:ERROR 'permission remove_name is not defined for class file' at token ';' on line 42513:
allow system_app cache_recovery_file:dir  search write add_name remove_name ;
allow system_app cache_recovery_file:file  create write open remove_name getattr setattr ;
checkpolicy:  error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[ 29% 18769/64380] build out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy
FAILED: out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy 
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c         30 -o out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ \"user\" = \"user\" -a -s out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then       echo \"==========\" 1>&2;       echo \"ERROR: permissive domains not allowed in user builds\" 1>&2;         echo \"List of invalid domains:\" 1>&2;         cat out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2;       exit 1;         fi ) && (mv out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
device/seco/imx6dq/sepolicy/system_app.te:8:ERROR 'permission remove_name is not defined for class file' at token ';' on line 42942:
allow system_app cache_recovery_file:dir  search write add_name remove_name ;
allow system_app cache_recovery_file:file  create write open remove_name getattr setattr ;
checkpolicy:  error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/slate/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
[ 29% 18770/64380] build out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
out/host/linux-x86/bin/checkpolicy:  policy configuration loaded
out/host/linux-x86/bin/checkpolicy:  writing CIL to out/target/product/slate/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.cil.tmp
[ 29% 18771/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/font_output_stream.cc
[ 29% 18772/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/font_data.cc
[ 29% 18773/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/readable_font_data.cc
[ 29% 18774/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/port/memory_input_stream.cc
[ 29% 18775/64380] //external/sfntly:libsfntly clang++ cpp/src/sfntly/data/growable_memory_byte_array.cc
ninja: build stopped: subcommand failed.
21:53:56 ninja failed with: exit status 1

#### failed to build some targets (20:25 (mm:ss)) ####

感谢有关如何正确自定义这些政策的任何建议。

【参考方案1】：

根据您的否认，政策应该是

allow system_app cache_recovery_file:dir create_dir_perms;
allow system_app cache_recovery_file:file create_file_perms;

查看定义的全局宏here

解决 SELinux 拒绝的一个好方法是在 github 上搜索它们，看看其他人是如何解决的。看看this example，它与你的拒绝相似

【讨论】：

嗨，Juan，感谢您的建议，我要离开项目几周，但我会调查您发送的链接，并在我回来后尝试相应地修改政策。跨度>