Explain Android SELinux permissions and problems in detail
As we are working on the MTK platform, the source path is based on MTK, but Qualcomm is much the same
explain
After Android 5.0, the security mechanism of seandroid / SELinux has been fully introduced, so that even if you have root permission or Chmod 777, you can no longer access the kernel node above JNI.
In fact, there are restrictions on enabling this security mechanism in Android 4.4. The following contents are introduced after 5.0, and there will be some differences in 4.4.
SELinux Mode
SELinux is divided into two modes. After Android 5.0, all processes use enabling mode.
SELinux policy file path
At compile time, the manufacturer's policy will be added to Google native by merging.
Log
If you do not have permission, you can find the following log in the kernel:
Shutdown in kernel
Adding permissions to SELinux sepolicy
Modify the corresponding source type. Te file (basically named after the source process name), and add the following line:
Usually, the policy of Google default is rarely modified. It is recommended to update the relevant policy under mediak
New node
If you are creating your own node, you need to create a file in the sepolicy path_ Add the following to the contexts file:
The files modified in Android 5.0 are device.te and file_ Contexts.be, and load in device / MediaTek / common / boardconfig.mk_ SEPOLICY_ Union adds the corresponding xxxx.te.
compile
PS neverallowed conflict after adding permissions
Compilation error:
libsepol.check_ assertion_ helper: neverallow on line xxx ofexternal/sepolicy/domain.te ……
reason:
The newly added sepolicy item violates the general policy principle specified in domain.te. Therefore, this permission policy cannot be added. If it is forcibly added, there is a risk of CTS test failure.
resolvent:
1. Find the target name to be accessed from the running log, which is generally the name after the name field AVC: denied {read write} for PID = 303 comm = "MediaServer" name = "tfa9890" dev = "TMPFS" ino = 3880 scontext = u: R: MediaServer: s0tcontext = u: object_ r:device:s0tclass=chr_ file permissive=0
2. Find the corresponding*_ Contexts file.
There are usually files_ contexts,genfs_ contexts, property_ contexts, service_ Contexts and other files
Specify in the contexts file that the target to be accessed is a "target type" that the "source type" has permission to access
For example, in file_ Add: / dev / tfa9890 U: object in contexts_ r:audio_ device:s0
give an example
Add permissions:
Add allow MediaServer device: Chr in mediaserver.te_ file { read write open};
Compilation error: libsepol.check_ assertion_ helper: neverallow on line 258 ofexternal/sepolicy/domain.te (or line 5252 of policy.conf) violated byallow mediaserver device:chr_ file { read write open};
Violation of domain.te 258: neverallow {domain cunconfineddomain cueventd} device: Chr_ file { open read write}
Run log: AVC: denied {read write} for PID = 303 comm = "MediaServer" name = "tfa9890" dev = "TMPFS" ino = 3880 scontext = u: R: MediaServer: S0 tcontext = u: object_ r:device:s0tclass=chr_ file permissive=0
Modification steps:
1. The target name is tfa9890. Its path in the system is: / dev / tfa9890. It is an audio related device file. 2. The source type is MediaServer. It is found in mediaserver.te file that it has audio_ Permission of device target type 3. So in file_ Adding "/ dev / tfa9890 U: object_r: audio_device: S0" in contexts can solve the problem
The above is the whole content of this article. I hope it will be helpful to your study, and I hope you can support programming tips.