配套系列教学视频链接:
? ? ??安卓系列教程之ROM系统开发-百问100ask
说明
系统:Android10.0
设备: FireFly RK3399 (ROC-RK3399-PC-PLUS)
前言
之前章节将基本知识都已经讲解完了, 需要通过实战例子来验证理论, 本章节重点介绍如何定义策略。
一,目标
需要完成一个进程去操作一个文件(如设备文件),编写策略文件,并进行测试。
1, myse_test: 定义一个可执行程序, 可以读写文件,此时会设置该进程的文件上下文,以及domain,还有权限策略。
2, 新建一个被进程读写文件(如设备文件/dev/myse_dev),定义该文件的安全上下文。
实现的框图如下:
myse_test进程属于vendor分区, 策略文件也会在vendor分区。
二, 文件目录结构
device/rockchip/qh100_rk3399/test_se/
├── cmd
│?? ├── Android.mk
│?? └── myse_test.c? ?//进程对应代码
└── sepolicy? ? //策略目录
????├── device.te
????├── file_contexts
????└── myse_test.te
三,代码和策略文件辨写
?myse_test.c的代码:
test_se/cmd/myse_test.c
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#define LOG_TAG "MySeTest"
#include <log/log.h>
int main(int argc, char *argv[])
{
????????int fd ?= -1;
????????int ret = -1;
????????char *content = "hello test for selinux";
????????char *dev_name = "/dev/myse_dev";
????????fd = open(dev_name, O_RDWR);
????????if(fd < 0)
????????{
????????????????ALOGE("open %s error: %s", dev_name, strerror(errno));
????????????????return -1;
????????}
????????ret = write(fd, content, strlen(content));
????????if(ret < 0)
????????{
????????????????ALOGE("write testfile error: %s", strerror(errno));
????????????????return -1;
????????}else
????????{
????????????????ALOGD("write testfile ok: %d", ?ret);
????????}
????????while(1);
????????close(fd);
????????return 0;
}
?test_se/cmd/Android.mk编译规则
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
LOCAL_SRC_FILES:= \
????myse_test.c
LOCAL_SHARED_LIBRARIES := \
????libcutils \
????liblog \
LOCAL_CFLAGS += -Wno-unused-parameter
LOCAL_PROPRIETARY_MODULE := true
LOCAL_MODULE:= myse_test
include $(BUILD_EXECUTABLE)
相关的selinux策略文件
sepolicy
????├── device.te
????├── file_contexts
????└── myse_test.te
?定义/dev/myse_dev(不是真的设备文件,是我们touch一个文件,作为模拟) 的类型, 编辑device.te:
type myse_testdev_t, dev_type;
定义myse_test文件和进程对应的type和domain,编辑myse_test.te
# subject context in proccess status
type ?myse_test_dt, domain;
# object context as a file
type myse_test_dt_exec, exec_type, vendor_file_type, file_type;
#grant perm as domain
init_daemon_domain(myse_test_dt)
定义myse_test文件和进程对应的文件上下文,编辑file_contexts:
/vendor/bin/myse_test ??????????????????u:object_r:myse_test_dt_exec:s0
/dev/myse_dev ???u:object_r:myse_testdev_t:s0
?将以上策略加入到BOARD_SEPOLICY_DIRS,
编辑: vim device/rockchip/qh100_rk3399/qh100_rk3399.mk 文件最后面添加:
BOARD_SEPOLICY_DIRS +=device/rockchip/qh100_rk3399/test_se/sepolicy
四, 编译
编译可执行程序: ?mmm device/rockchip/qh100_rk3399/test_se/cmd/, 最终生成:
out/target/product/qh100_rk3399/vendor/bin/myse_test
编译策略文件:make selinux_policy -j6 最终生成文件
ls out/target/product/qh100_rk3399/vendor/etc/selinux/
plat_pub_versioned.cil ??vendor_file_contexts????????vendor_property_contexts ?vndservice_contexts
plat_sepolicy_vers.txt ??vendor_hwservice_contexts ??vendor_seapp_contexts
selinux_denial_metadata ?vendor_mac_permissions.xml ?vendor_sepolicy.cil
ls out/target/product/qh100_rk3399/odm/etc/selinux/
precompiled_sepolicy???????????????????????????????????precompiled_sepolicy.product_sepolicy_and_mapping.sha256
precompiled_sepolicy.plat_sepolicy_and_mapping.sha256