
[移动开发]RK3566 android11 增加新的分区,恢复出厂数据不会清除

客户要求保存一段数据,可写入读取,恢复出厂后数据也不会被删除。增加private分区,专门给客户app使用。

增加分区有两种方式,两种方式不能同时使用。

1、通过升级工具烧录镜像的方式;

2、recovery代码中格式化后挂载的方式;(不需要烧录镜像文件)

方法一类似于system分区,方法二类似于recovery分区

我使用的是方法二,方法一不做介绍。

1、修改分区文件

parameter.txt 使用的是脚本方式编译而成,所以需要修改对应的脚本配置文件,device/rockchip/common/build/rockchip/RebuildParameter.mk

 partition_list := $(partition_list),backup:384M,cache:$(BOARD_CACHEIMAGE_PARTITION_SIZE),metadata:16M
 
+partition_list := $(partition_list),private:4M

 ifeq ($(strip $(BUILD_WITH_GOOGLE_FRP)), true)
 partition_list := $(partition_list),frp:512K
 endif

增加private分区,大小4M。

2、修改fstab文件

修改挂载分区文件fstab,fstab.rk30board同样是使用脚本方式编译而成,需要修改对应的脚本文件,device/rockchip/common/scripts/fstab_tools/fstab.in,完整文件如下

# Android fstab file.
#<src>                                          <mnt_point>         <type>    <mnt_flags and options>                       <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
${_block_prefix}system  /system   ext4 ro,barrier=1 ${_flags_vbmeta},first_stage_mount${_flags_avbpubkey}
${_block_prefix}vendor  /vendor   ext4 ro,barrier=1 ${_flags},first_stage_mount
${_block_prefix}odm     /odm      ext4 ro,barrier=1 ${_flags},first_stage_mount
${_block_prefix}product /product  ext4 ro,barrier=1 ${_flags},first_stage_mount
${_block_prefix}system_ext /system_ext  ext4 ro,barrier=1 ${_flags},first_stage_mount
/dev/block/by-name/metadata /metadata ext4 nodev,noatime,nosuid,discard,sync wait,formattable,first_stage_mount,check
/dev/block/by-name/misc         /misc               emmc      defaults     defaults
/dev/block/by-name/cache          /cache              ext4      noatime,nodiratime,nosuid,nodev,noauto_da_alloc,discard                wait,check
+/dev/block/by-name/private        /private            ext4      noatime,nodiratime,nosuid,nodev,noauto_da_alloc,discard                wait,check

/devices/platform/*usb*   auto vfat defaults      voldmanaged=usb:auto

# For sata
/devices/platform/*.sata* auto vfat defaults voldmanaged=sata:auto

# For pcie ssd
/devices/platform/*.pcie* auto vfat defaults voldmanaged=pcie:auto

/dev/block/zram0                                none                swap      defaults                                              zramsize=50%
# For sdmmc
/devices/platform/${_sdmmc_device}/mmc_host*        auto  auto    defaults        voldmanaged=sdcard1:auto
#  Full disk encryption has less effect on rk3326, so default to enable this.
/dev/block/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065 latemount,wait,check,fileencryption=aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized,keydirectory=/metadata/vold/metadata_encryption,quota,formattable,reservedsize=128M,checkpoint=fs
# for ext4
#/dev/block/by-name/userdata    /data      ext4    discard,noatime,nosuid,nodev,noauto_da_alloc,data=ordered,user_xattr,barrier=1    latemount,wait,formattable,check,fileencryption=software,quota,reservedsize=128M,checkpoint=block
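Review bot: The added `/private` entry takes the `/cache` mount options unchanged, so the filesystem is mounted without `noexec` even though the rest of this change makes it writable by app domains. The partition is described as data storage only, so the option list can be `noatime,nodiratime,nosuid,nodev,noexec,noauto_da_alloc,discard`.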

参考cache分区就可以。

3、修改recovery.fstab,文件目录device/rockchip/rk356x/项目/recovery.fstab

# Android fstab file.
#<src>                                       <mnt_point>         <type>    <mnt_flags and options>       <fs_mgr_flags>
/dev/block/platform/ff0f0000.dwmmc/by-name/user                  /mnt/internal_sd     vfat             defaults                  defaults
/dev/block/mmcblk0p1                                               /mnt/external_sd     vfat             /dev/block/mmcblk0                  defaults
/dev/block/by-name/system                /system              ext4             defaults                  defaults
/dev/block/by-name/vendor                /vendor              ext4             defaults                  defaults
/dev/block/by-name/odm                   /odm                 ext4             defaults                  defaults
/dev/block/by-name/product               /product             ext4             defaults                  defaults
/dev/block/by-name/system_ext            /system_ext          ext4             defaults                  defaults
/dev/block/by-name/cache                 /cache               ext4             defaults                  defaults
/dev/block/by-name/metadata              /metadata            ext4             defaults                  defaults
+/dev/block/by-name/private               /private             ext4             defaults                  defaults
/dev/block/by-name/userdata              /data                f2fs             defaults                  defaults
/dev/block/by-name/cust                  /cust                ext4             defaults                  defaults
/dev/block/by-name/custom                /custom              ext4             defaults                  defaults
/dev/block/by-name/radical_update        /radical_update      ext4             defaults                  defaults
/dev/block/by-name/misc                  /misc                emmc             defaults                  defaults
/dev/block/by-name/uboot                 /uboot               emmc             defaults                  defaults
/dev/block/by-name/charge                /charge              emmc             defaults                  defaults
/dev/block/by-name/resource			   /resource		    emmc			 defaults				   defaults
/dev/block/by-name/parameter             /parameter           emmc             defaults                  defaults
/dev/block/by-name/boot                  /boot                emmc             defaults                  defaults
/dev/block/by-name/recovery              /recovery            emmc             defaults                  defaults
/dev/block/by-name/backup                /backup              emmc             defaults                  defaults
/dev/block/by-name/frp                   /frp                 emmc             defaults                  defaults
/dev/block/by-name/trust                 /trust               emmc             defaults                  defaults
/dev/block/by-name/baseparamer           /baseparamer         emmc             defaults                  defaults
/dev/block/by-name/vbmeta                /vbmeta              emmc             defaults                  defaults
/dev/block/by-name/dtbo                /dtbo              emmc             defaults                  defaults
/dev/block/by-name/vendor_boot           /vendor_boot                emmc             defaults                  defaults

4、修改挂载目录对应权限。由于5.1以后的系统启用了selinux,采用recovery格式化这种方式时,需要给新加分区设置相关的selinux属性。

system/core/rootdir/init.rc

on post-fs-data
    mark_post_data

    # Start checkpoint before we touch data
    exec - system system -- /system/bin/vdc checkpoint prepareCheckpoint

    # We chown/chmod /data again so because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Make sure we have the device encryption key.
    installkey /data
+    mkdir /private 0777 system system

    # Start bootcharting as soon as possible after the data partition is
    # mounted to collect more data.
    mkdir /data/bootchart 0755 shell 
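Review bot: `mkdir /private 0777 system system` leaves the root of a partition that survives factory reset writable by every UID on the device, so any installed app can add, replace or delete the customer's data, and that content outlives a reset. If the customer app runs as the system UID or can be placed in a dedicated group, `mkdir /private 0770 system system` (or a dedicated group in place of the second `system`) limits access to the intended owner. A `restorecon_recursive /private` after the mkdir would also let the files take a label from file_contexts instead of staying `unlabeled`. The `on post-fs-data` block continues outside this excerpt.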

修改private目录权限,app对目录可读写。

private目录添加属性

===================================================================
--- device/rockchip/common/sepolicy/vendor/device.te	(revision 417)
+++ device/rockchip/common/sepolicy/vendor/device.te	(revision 418)
@@ -13,6 +13,7 @@
 type baseparameter_block_device, dev_type;
 type sensor_device, dev_type;
 type e2fsck_cache_block_device, dev_type;
+type e2fsck_private_block_device, dev_type;
 type e2fsck_metadata_block_device, dev_type;
 type e2fsck_system_block_device, dev_type;
 type e2fsck_frp_block_device, dev_type;
Index: device/rockchip/common/sepolicy/vendor/file_contexts
===================================================================
--- device/rockchip/common/sepolicy/vendor/file_contexts	(revision 417)
+++ device/rockchip/common/sepolicy/vendor/file_contexts	(revision 418)
@@ -74,6 +74,7 @@
 /dev/block/by-name/vendor                       u:object_r:system_block_device:s0
 /dev/block/by-name/oem                          u:object_r:e2fsck_oem_block_device:s0
 /dev/block/by-name/cache                        u:object_r:e2fsck_cache_block_device:s0
+/dev/block/by-name/private                      u:object_r:e2fsck_private_block_device:s0
 /dev/block/by-name/metadata                     u:object_r:metadata_block_device:s0
 /dev/block/by-name/userdata                     u:object_r:userdata_block_device:s0
 /dev/block/by-name/boot                         u:object_r:boot_block_device:s0
Index: device/rockchip/common/sepolicy/vendor/fsck.te
===================================================================
--- device/rockchip/common/sepolicy/vendor/fsck.te	(revision 417)
+++ device/rockchip/common/sepolicy/vendor/fsck.te	(revision 418)
@@ -1,3 +1,4 @@
 allow fsck e2fsck_oem_block_device:blk_file rw_file_perms;
 allow fsck e2fsck_cache_block_device:blk_file rw_file_perms;
+allow fsck e2fsck_private_block_device:blk_file rw_file_perms;
 allow fsck e2fsck_frp_block_device:blk_file rw_file_perms;
Index: device/rockchip/common/sepolicy/vendor/init.te
===================================================================
--- device/rockchip/common/sepolicy/vendor/init.te	(revision 417)
+++ device/rockchip/common/sepolicy/vendor/init.te	(revision 418)
@@ -38,6 +38,7 @@
 allow init frp_block_device:lnk_file { relabelto };
 allow init metadata_block_device:lnk_file { relabelto };
 allow init e2fsck_cache_block_device:lnk_file { relabelto };
+allow init e2fsck_private_block_device:lnk_file { relabelto };
 allow init system_file:system { module_load };
 allow init debugfs:dir mounton;
 allow init configfs:file rw_file_perms;
Index: device/rockchip/common/sepolicy/vendor/recovery.te
===================================================================
--- device/rockchip/common/sepolicy/vendor/recovery.te	(revision 417)
+++ device/rockchip/common/sepolicy/vendor/recovery.te	(revision 418)
@@ -36,6 +36,9 @@
     allow recovery e2fsck_cache_block_device:blk_file ioctl;
     allowxperm recovery e2fsck_cache_block_device:blk_file ioctl { BLKPBSZGET };
 
+    allow recovery e2fsck_private_block_device:blk_file ioctl;
+    allowxperm recovery e2fsck_private_block_device:blk_file ioctl { BLKPBSZGET };
+
     allow shell rootfs:file { entrypoint read};
     allow recovery sysfs_power:dir {search};
     allow recovery sysfs_power:file {read open};
Index: device/rockchip/common/sepolicy/vendor/untrusted_app_27.te
===================================================================
--- device/rockchip/common/sepolicy/vendor/untrusted_app_27.te	(revision 417)
+++ device/rockchip/common/sepolicy/vendor/untrusted_app_27.te	(revision 418)
@@ -86,6 +86,9 @@
 allow untrusted_app_27 property_socket:sock_file { read open getattr setattr write map execute };
 allow untrusted_app_27 init:unix_stream_socket { connectto };
 allow untrusted_app_27 proc_tty_drivers:file { read open write getattr setattr ioctl map };
+allow untrusted_app_27 unlabeled:dir { write add_name create };
+allow untrusted_app_27 unlabeled:file { write create read getattr setattr map open };
+typeattribute unlabeled mlstrustedobject;
 typeattribute adbd_prop mlstrustedobject;
 typeattribute serialno_prop mlstrustedobject;
 typeattribute serial_device mlstrustedobject;
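Review bot: The three added lines give every app in the `untrusted_app_27` domain create and write access to all `unlabeled` directories and files on the device, and `typeattribute unlabeled mlstrustedobject` exempts those objects from the MLS checks that separate apps and users; none of this is scoped to `/private`. The access is only needed because the files on the new partition carry no label (the file_contexts hunks label just the `/private` mount point, as `tmpfs`). A narrower form declares a dedicated type (for example `type customer_private_file, file_type;`, name illustrative), maps it with `/private(/.*)?  u:object_r:customer_private_file:s0` in file_contexts, and allows `dir`/`file` access on that type to the customer app's domain only. The domain is also selected by targetSdkVersion, so the app presumably loses access when its target level changes.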
Index: device/rockchip/common/sepolicy/vendor/vendor_init.te
===================================================================
--- device/rockchip/common/sepolicy/vendor/vendor_init.te	(revision 417)
+++ device/rockchip/common/sepolicy/vendor/vendor_init.te	(revision 418)
@@ -24,6 +24,7 @@
 allow vendor_init recovery_block_device:lnk_file { relabelto };
 allow vendor_init misc_block_device:lnk_file { relabelto };
 allow vendor_init e2fsck_cache_block_device:lnk_file { relabelto };
+allow vendor_init e2fsck_private_block_device:lnk_file { relabelto };
 allow vendor_init security_block_device:lnk_file { relabelto };
 allow vendor_init device:lnk_file { create write};
 allow vendor_init tmpfs:dir { write add_name create };
Index: device/rockchip/common/sepolicy/vendor/vendor_install_recovery.te
===================================================================
--- device/rockchip/common/sepolicy/vendor/vendor_install_recovery.te	(revision 417)
+++ device/rockchip/common/sepolicy/vendor/vendor_install_recovery.te	(revision 418)
@@ -10,6 +10,7 @@
 allow vendor_install_recovery block_device:dir { search read open getattr };
 allow vendor_install_recovery baseparameter_block_device:blk_file { read write };
 allow vendor_install_recovery e2fsck_cache_block_device:blk_file { read write };
+allow vendor_install_recovery e2fsck_private_block_device:blk_file { read write };
 allow vendor_install_recovery mnt_media_rw_file:dir { read search open getattr };
 allow vendor_install_recovery fuseblk:dir { read search open getattr };
 allow vendor_install_recovery fuseblk:file { read open getattr };
@@ -20,4 +21,4 @@
 #allow vendor_install_recovery vendor_install_recovery:capability { dac_read_search };
 allow vendor_install_recovery fuse:dir { r_file_perms search };
 allow vendor_install_recovery fuse:file r_file_perms;
-set_prop(vendor_install_recovery, vendor_system_public_prop)
\ No newline at end of file
+set_prop(vendor_install_recovery, vendor_system_public_prop)
Index: device/rockchip/common/sepolicy/vendor/vold.te
===================================================================
--- device/rockchip/common/sepolicy/vendor/vold.te	(revision 417)
+++ device/rockchip/common/sepolicy/vendor/vold.te	(revision 418)
@@ -6,6 +6,7 @@
 allow vold unlabeled:filesystem { mount };
 allow vold kernel:system { module_request };
 allow vold e2fsck_cache_block_device:blk_file getattr;
+allow vold e2fsck_private_block_device:blk_file getattr;
 allow vold self:capability { setgid setuid };
 allow vold vold_device:blk_file ioctl;
 allow vold vold_exec:file execute_no_trans;

Index: system/sepolicy/prebuilts/api/30.0/private/file_contexts
===================================================================
--- system/sepolicy/prebuilts/api/30.0/private/file_contexts	(revision 417)
+++ system/sepolicy/prebuilts/api/30.0/private/file_contexts	(revision 418)
@@ -26,6 +26,7 @@
 /config             u:object_r:rootfs:s0
 /data_mirror        u:object_r:mirror_data_file:s0
 /debug_ramdisk      u:object_r:tmpfs:s0
+/private            u:object_r:tmpfs:s0
 /mnt                u:object_r:tmpfs:s0
 /postinstall        u:object_r:postinstall_mnt_dir:s0
 /postinstall/apex   u:object_r:postinstall_apex_mnt_dir:s0
Index: system/sepolicy/prebuilts/api/30.0/public/domain.te
===================================================================
--- system/sepolicy/prebuilts/api/30.0/public/domain.te	(revision 417)
+++ system/sepolicy/prebuilts/api/30.0/public/domain.te	(revision 418)
@@ -348,7 +348,7 @@
 neverallowxperm * devpts:chr_file ioctl TIOCSTI;
 
 # Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
+#neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
 # Limit device node creation to these whitelisted domains.
 neverallow {
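Review bot: Commenting out `neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;` removes a build-time guard for the whole policy, so any later rule that lets a domain create unlabeled files compiles without complaint. This hunk also edits `prebuilts/api/30.0`, the frozen snapshot of the API 30 policy, and the same change is repeated in `system/sepolicy/public/domain.te`; a modified platform policy is likely to fail compatibility testing. Keeping the rule and giving the files under `/private` their own label removes the need for the exemption. The hunk stops inside the following `neverallow {` block.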
Index: system/sepolicy/private/file_contexts
===================================================================
--- system/sepolicy/private/file_contexts	(revision 417)
+++ system/sepolicy/private/file_contexts	(revision 418)
@@ -26,6 +26,7 @@
 /config             u:object_r:rootfs:s0
 /data_mirror        u:object_r:mirror_data_file:s0
 /debug_ramdisk      u:object_r:tmpfs:s0
+/private            u:object_r:tmpfs:s0
 /mnt                u:object_r:tmpfs:s0
 /postinstall        u:object_r:postinstall_mnt_dir:s0
 /postinstall/apex   u:object_r:postinstall_apex_mnt_dir:s0
Index: system/sepolicy/public/domain.te
===================================================================
--- system/sepolicy/public/domain.te	(revision 417)
+++ system/sepolicy/public/domain.te	(revision 418)
@@ -348,7 +348,7 @@
 neverallowxperm * devpts:chr_file ioctl TIOCSTI;
 
 # Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
+#neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

5、recovery时挂载private分区

参考metadata分区,补丁如下

Index: bootable/recovery/install/include/install/wipe_data.h
===================================================================
--- bootable/recovery/install/include/install/wipe_data.h	(revision 419)
+++ bootable/recovery/install/include/install/wipe_data.h	(revision 420)
@@ -30,6 +30,8 @@
 bool WipeData(Device* device, bool convert_fbe);
 
 void SureMetadataMount();
+void SurePrivateMount();
 int erase_baseparameter();
 void WipeFrp();
 int ResizeData();
Index: bootable/recovery/install/wipe_data.cpp
===================================================================
--- bootable/recovery/install/wipe_data.cpp	(revision 419)
+++ bootable/recovery/install/wipe_data.cpp	(revision 420)
@@ -36,6 +36,8 @@
 constexpr const char* CACHE_ROOT = "/cache";
 constexpr const char* DATA_ROOT = "/data";
 constexpr const char* METADATA_ROOT = "/metadata";
+constexpr const char* PRIVATE_ROOT = "/private";
 
 /**
  * reset hdmi after restore factory.
@@ -171,6 +173,16 @@
     ensure_path_mounted(METADATA_ROOT);
   }
 }

+void SurePrivateMount() {
+  if (ensure_path_mounted(PRIVATE_ROOT)) {
+    printf("mount private fail,so formate...\n");
+    reset_tmplog_offset();
+    format_volume(PRIVATE_ROOT);
+    ensure_path_mounted(PRIVATE_ROOT);
+  }
+}
+
 void WipeFrp() {
   printf("begin to wipe frp partion!\n");
   int ret = format_volume("/frp");
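Review bot: `SurePrivateMount()` formats `/private` on any failure of `ensure_path_mounted`, so a transient or repairable mount error erases the data this partition exists to preserve, and the results of `format_volume` and the second `ensure_path_mounted` are dropped. `recovery.cpp` calls it on every recovery start, so the path is reachable without a user asking for a wipe. At minimum the function should report each failure so the loss is visible in the recovery log; the version below checks both results. `WipeFrp()` continues outside the hunk.

```cpp
void SurePrivateMount() {
  if (ensure_path_mounted(PRIVATE_ROOT) == 0) {
    return;
  }
  // Formatting discards data that is meant to survive factory reset,
  // so make every step of this fallback visible in the recovery log.
  printf("mount private fail,so formate...\n");
  reset_tmplog_offset();
  if (format_volume(PRIVATE_ROOT) != 0) {
    printf("format private failed\n");
    return;
  }
  if (ensure_path_mounted(PRIVATE_ROOT) != 0) {
    printf("mount private failed after format\n");
  }
}
```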
Index: bootable/recovery/recovery.cpp
===================================================================
--- bootable/recovery/recovery.cpp	(revision 419)
+++ bootable/recovery/recovery.cpp	(revision 420)
@@ -1170,6 +1170,10 @@
   device->StartRecovery();
 
   SureMetadataMount();

+  SurePrivateMount();
 
   printf("Command:");
   for (const auto& arg : args) {

编译成功烧录后,可以看到根目录下有private文件夹

drwxrwxrwx ? 5 system system ? ? 4096 2022-07-28 08:38 private

权限、用户和组都是对的

mount下也可以看到已经挂载到分区上了

/dev/block/mmcblk2p12 on /private type ext4 (rw,seclabel,nosuid,nodev,noatime,nodiratime,discard,noauto_da_alloc)

添加分区成功

其他说明

添加ok后,发现只有adb root后才能看到private的权限,否则显示的是????,如果想不root就可以看到private权限,需要修改shell.te

# Lets the adb shell domain search, read, create and write directories and
# files that carry the `unlabeled` type, so a non-root shell can list /private.
# The `unlabeled` type is not tied to a path, so these rules cover every
# unlabeled object on the device, not only the new partition.
# NOTE(review): looks like a debugging aid; confirm it is left out of user
# builds, or replace it with rules on a dedicated type for /private.
allow shell unlabeled:dir { write add_name create search getattr read open };
allow shell unlabeled:file { write create read getattr setattr map open };

加:2022-08-06 10:55:38  更:2022-08-06 10:59:44 
 