记录Android开发中SELINUX权限问题

2023-11-06

记录Android开发中SELINUX权限和用户权限问题

在安卓开发中，当linux内核中配置了SELINUX权限管理，访问硬件相关的设备文件（led tty等）时，如果没有对文件和访问文件的程序设置selinux的权限，就有可能报如下错误。

报错

错误查看方式

adb shell logcat -v gime

或者

adb shell cat /dev/kmsg

确定selinux报错

type=1400 audit(0.0:136): avc: denied { search } for name="leds" dev="sysfs" ino=16378 scontext=u:r:mm-pp-daemon:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0

zhong type=1400 audit(0.0:2748): avc: denied { write } for name="brightness" dev="sysfs" ino=29345 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

实际是android app控制/sys/class/leds/button-backlight/brightness 导致的错误。

解决办法

$grep -nr sysfs_leds ./device/
添加的所有内容，共有三个文件file.te platform_app.te file_contexts

./device/qcom/sepolicy/common/file.te:61:#type sysfs_leds, sysfs_type, fs_type;
./device/qcom/sepolicy/common/file.te:70:type sysfs_leds, fs_type, sysfs_type;
./device/qcom/sepolicy/common/platform_app.te:35:allow system_app sysfs_leds:file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:36:allow system_app sysfs_leds:lnk_file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:37:allow system_app sysfs_leds:dir { search };
./device/qcom/sepolicy/common/platform_app.te:39:allow mm-pp-daemon sysfs_leds:file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:40:allow mm-pp-daemon sysfs_leds:lnk_file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:41:allow mm-pp-daemon sysfs_leds:dir { search };
./device/qcom/sepolicy/common/platform_app.te:44:allow system_server sysfs_leds:file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:45:allow system_server sysfs_leds:lnk_file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:46:allow system_server sysfs_leds:dir { search };
./device/qcom/sepolicy/common/file_contexts:82:/sys/class/leds/button-backlight/brightness                           u:object_r:sysfs_leds:s0
./device/qcom/sepolicy/common/file_contexts:83:/sys/devices/soc/soc:gpio-leds/leds(/.*)?       u:object_r:sysfs_leds:s0

1.注意system_app 和mm-pp-daemon是需要访问leds的应用程序和守护进程
2./sys/class/leds是/sys/devices/soc/soc:gpio-leds/leds的一个链接，所以只在file_contexts添加./sys/class/leds是不能成功的，查看软件接的方式是在主板上执行
ls -la sys/class/leds

确定linux用户权限报错

/sys/class/leds/button-backlight/brightness (Permission denied)

vim ./system/core/rootdir/init.rc
增加代码修改用户权限

chmod 0666  /sys/class/leds/button-backlight/brightness

本文内容由网友自发贡献，版权归原作者所有，本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容，请联系:hwhale#tublm.com(使用前将#替换为@)

Android

Linux