Android: Adding SELinux permissions for a system service (Android 9.0)
I. How SELinux differs from Android 8.0 onward:
From Android 4.4 through Android 7.0, the SELinux policy build merged all sepolicy fragments (platform and non-platform) and then generated a single file in the root directory. Starting with Android 8.0, the SELinux architecture, much like HIDL, separates the platform's SELinux policy from the policy that the vendor maintains itself. This allows partners to build their own policy into their own images (.img) and boot from them, so those images can be updated independently of the platform, and vice versa (i.e. a platform update can be performed without updating the partner's image).
Official documentation on the 8.0 SELinux architecture (SELinux_Treble.pdf):
II. Example: modifying the xxx service:
The following uses changing the SELinux permissions of the xxx system service as a reference example (in practice, edit the directories that match your SDK version):
1. /system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil
   (typeattribute xxx_service_26_0)
   (roletype object_r xxx_service_26_0)
2. /system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil
   (typeattribute xxx_service_27_0)
   (roletype object_r xxx_service_27_0)
3. /system/sepolicy/prebuilts/api/28.0/private/compat/26.0/26.0.cil
   (typeattributeset xxx_service_26_0 (xxx_service))
4. /system/sepolicy/prebuilts/api/28.0/private/compat/27.0/27.0.cil
   (typeattributeset xxx_service_27_0 (xxx_service))
5. /system/sepolicy/prebuilts/api/28.0/private/service_contexts
   xxx u:object_r:xxx_service:s0
6. /system/sepolicy/prebuilts/api/28.0/public/service.te
   type xxx_service, system_api_service, system_server_service, service_manager_type;
7. /system/sepolicy/private/compat/26.0/26.0.cil
   (typeattributeset xxx_service_26_0 (xxx_service))
8. /system/sepolicy/private/compat/27.0/27.0.cil
   (typeattributeset xxx_service_27_0 (xxx_service))
9. /system/sepolicy/private/service_contexts
   xxx u:object_r:xxx_service:s0
10. /system/sepolicy/public/service.te
   type xxx_service, system_api_service, system_server_service, service_manager_type;
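The ten edits above have to agree with each other across the live policy and the API 26/27/28 prebuilts: a type declared in service.te but never labelled in service_contexts, or a compat mapping added under private/ but not mirrored into the prebuilt copy, is easy to miss and only shows up at build time or as a boot-time denial. The script below is an added example and not code from the article: it runs the consistency check over an in-memory copy of the ten files. The paths (relative to /system/sepolicy), the parsers and the function name check_service_policy are my assumptions, and the sample contents are constructed from the article's snippets.

```python
"""Consistency check for the ten sepolicy edits that label a new system service.
Added example; file layout relative to /system/sepolicy is assumed, sample
contents are constructed from the article's snippets."""
import re
from typing import Dict, List, Set

TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,\s*([^;]*))?;", re.M)
CONTEXT_RE = re.compile(r"^\s*(\S+)\s+u:object_r:(\w+):s0\s*$", re.M)
ATTRSET_RE = re.compile(r"\(typeattributeset\s+(\w+)\s+\(([^)]*)\)\)")
TYPEATTR_RE = re.compile(r"\(typeattribute\s+(\w+)\)")
ROLETYPE_RE = re.compile(r"\(roletype\s+object_r\s+(\w+)\)")

# Constructed sample mirroring the article's ten edits (not read from a real tree).
SAMPLE_TREE: Dict[str, str] = {
    "prebuilts/api/26.0/nonplat_sepolicy.cil":
        "(typeattribute xxx_service_26_0)\n(roletype object_r xxx_service_26_0)\n",
    "prebuilts/api/27.0/nonplat_sepolicy.cil":
        "(typeattribute xxx_service_27_0)\n(roletype object_r xxx_service_27_0)\n",
    "prebuilts/api/28.0/private/compat/26.0/26.0.cil": "(typeattributeset xxx_service_26_0 (xxx_service))\n",
    "prebuilts/api/28.0/private/compat/27.0/27.0.cil": "(typeattributeset xxx_service_27_0 (xxx_service))\n",
    "prebuilts/api/28.0/private/service_contexts": "xxx u:object_r:xxx_service:s0\n",
    "prebuilts/api/28.0/public/service.te":
        "type xxx_service, system_api_service, system_server_service, service_manager_type;\n",
    "private/compat/26.0/26.0.cil": "(typeattributeset xxx_service_26_0 (xxx_service))\n",
    "private/compat/27.0/27.0.cil": "(typeattributeset xxx_service_27_0 (xxx_service))\n",
    "private/service_contexts": "xxx u:object_r:xxx_service:s0\n",
    "public/service.te":
        "type xxx_service, system_api_service, system_server_service, service_manager_type;\n",
}


def parse_service_types(te_text: str) -> Dict[str, Set[str]]:
    """'type NAME, attr1, attr2;'  ->  {NAME: {attr1, attr2}}"""
    return {m.group(1): {a.strip() for a in (m.group(2) or "").split(",") if a.strip()}
            for m in TYPE_RE.finditer(te_text)}


def parse_service_contexts(text: str) -> Dict[str, str]:
    """'name u:object_r:TYPE:s0'  ->  {name: TYPE}"""
    return {m.group(1): m.group(2) for m in CONTEXT_RE.finditer(text)}


def parse_compat_mappings(cil_text: str) -> Dict[str, Set[str]]:
    """'(typeattributeset OLD (NEW ...))'  ->  {OLD: {NEW, ...}}"""
    return {m.group(1): set(m.group(2).split()) for m in ATTRSET_RE.finditer(cil_text)}


def check_service_policy(tree: Dict[str, str], service: str,
                         current_api: str = "28.0",
                         old_apis=("26.0", "27.0")) -> List[str]:
    """Return a list of problems; an empty list means the ten files agree."""
    problems: List[str] = []
    stype = f"{service}_service"
    prebuilt = f"prebuilts/api/{current_api}"

    def text(path: str) -> str:
        if path not in tree:
            problems.append(f"missing file: {path}")
        return tree.get(path, "")

    # 1. The type must be declared in both service.te copies and carry service_manager_type,
    #    otherwise servicemanager will not treat the label as a service label.
    for te in ("public/service.te", f"{prebuilt}/public/service.te"):
        attrs = parse_service_types(text(te)).get(stype)
        if attrs is None:
            problems.append(f"{te}: type {stype} not declared")
        elif "service_manager_type" not in attrs:
            problems.append(f"{te}: {stype} lacks service_manager_type")

    # 2. service_contexts must label the Binder name with exactly that type.
    for ctx in ("private/service_contexts", f"{prebuilt}/private/service_contexts"):
        if parse_service_contexts(text(ctx)).get(service) != stype:
            problems.append(f"{ctx}: expected '{service} u:object_r:{stype}:s0'")

    # 3. Each older API level needs the versioned attribute (with its role) and a compat
    #    mapping from the versioned name to the new type, in both compat copies.
    for api in old_apis:
        versioned = f"{stype}_{api.replace('.', '_')}"
        nonplat = f"prebuilts/api/{api}/nonplat_sepolicy.cil"
        if versioned not in TYPEATTR_RE.findall(text(nonplat)):
            problems.append(f"{nonplat}: (typeattribute {versioned}) missing")
        if versioned not in ROLETYPE_RE.findall(text(nonplat)):
            problems.append(f"{nonplat}: (roletype object_r {versioned}) missing")
        for cil in (f"private/compat/{api}/{api}.cil", f"{prebuilt}/private/compat/{api}/{api}.cil"):
            if stype not in parse_compat_mappings(text(cil)).get(versioned, set()):
                problems.append(f"{cil}: (typeattributeset {versioned} ({stype})) missing")

    # 4. The current-API prebuilt must mirror the live policy files token for token.
    for live in ("public/service.te", "private/service_contexts",
                 *[f"private/compat/{a}/{a}.cil" for a in old_apis]):
        if text(live).split() != text(f"{prebuilt}/{live}").split():
            problems.append(f"{live} differs from {prebuilt}/{live}")
    return list(dict.fromkeys(problems))


if __name__ == "__main__":
    for problem in check_service_policy(SAMPLE_TREE, "xxx") or ["policy edits are consistent"]:
        print(problem)
```

Replace SAMPLE_TREE with a dictionary read from a real /system/sepolicy checkout to run it against your tree; the check is deliberately strict about the prebuilt mirroring the live files, because the API-level prebuilts are what the compatibility check compares against.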
III. Using the system service whose SELinux permissions were modified:
// 1. Define the AIDL file:
package com.xxx.aidl;

interface ISecurityServer {
    void startLockAppSevice();
}

// 2. Implement the AIDL interface:
package com.xxx.aidl;

import android.content.Context;

public class SecurityServer extends ISecurityServer.Stub {
    private final Context mContext;

    // SystemServer constructs the service with its context (see step 5)
    public SecurityServer(Context context) {
        mContext = context;
    }

    @Override
    public void startLockAppSevice() {
        // service implementation goes here
    }
}

// 3. Provide the public-facing wrapper class:
package com.xxx.security;

import android.os.RemoteException;
import com.xxx.aidl.ISecurityServer;

public class SecurityManager {
    private final ISecurityServer mService;

    public SecurityManager(ISecurityServer service) {
        mService = service;
    }

    public void startLockAppSevice() {
        try {
            mService.startLockAppSevice();
        } catch (RemoteException e) {
            e.printStackTrace();
        }
    }
}

// 4. Register the service: add the following to SystemServiceRegistry.java
registerService("xxx", com.xxx.security.SecurityManager.class,
        new CachedServiceFetcher<com.xxx.security.SecurityManager>() {
            @Override
            public com.xxx.security.SecurityManager createService(ContextImpl ctx) {
                // look the Binder up by the name labelled in service_contexts ("xxx")
                IBinder b = ServiceManager.getService("xxx");
                return new com.xxx.security.SecurityManager(
                        com.xxx.aidl.ISecurityServer.Stub.asInterface(b));
            }
        });

// 5. SystemServer.java: add the service to ServiceManager
try {
    com.xxx.aidl.SecurityServer security = new com.xxx.aidl.SecurityServer(mContext);
    // addService("xxx") is only allowed because service_contexts labels "xxx" as xxx_service
    ServiceManager.addService("xxx", security);
} catch (Throwable e) {
    Log.e(TAG, "Failure starting olc_service_security", e);
}

// 6. Calling the service:
SecurityManager securityManager = (SecurityManager) getSystemService("xxx");
-end-