Notes on SELinux and user-permission problems in Android development

In Android development, when the Linux kernel is built with SELinux enforcement, accessing hardware-related device files (LEDs, ttys, and so on) without SELinux permissions configured for both the file and the program that accesses it can produce errors like the ones below.
Errors

How to view the errors

```
adb shell logcat -v time
```

or

```
adb shell cat /dev/kmsg
```
Confirming that it is an SELinux denial

```
type=1400 audit(0.0:136): avc: denied { search } for name="leds" dev="sysfs" ino=16378 scontext=u:r:mm-pp-daemon:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0
type=1400 audit(0.0:2748): avc: denied { write } for name="brightness" dev="sysfs" ino=29345 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
```

The actual cause was an Android app writing to /sys/class/leds/button-backlight/brightness.
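Reading a denial by hand is error-prone, so the following script, added here as an example and not part of the original post, condenses avc lines from logcat or /dev/kmsg into audit2allow-style allow rules and flags the ones whose target still carries a catch-all label. The sample input is constructed from the two denials above plus one extra `open` denial so that merging of permissions is visible; the script assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the original post): summarise avc denials into
# allow rules and point out targets that need a file_contexts label instead.
# Assumes POSIX sh and awk only.

# Constructed sample input: the two denials from the post plus an extra
# 'open' denial for system_app so that permission merging is exercised.
SAMPLE_DENIALS='type=1400 audit(0.0:136): avc: denied { search } for name="leds" dev="sysfs" ino=16378 scontext=u:r:mm-pp-daemon:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0
type=1400 audit(0.0:2748): avc: denied { write } for name="brightness" dev="sysfs" ino=29345 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
type=1400 audit(0.0:2749): avc: denied { open } for path="/sys/class/leds/button-backlight/brightness" dev="sysfs" ino=29345 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0'

# avc_to_allow: read denial lines on stdin and print one merged
# "allow <source> <target>:<class> { perms };" rule per (source, target,
# class) triple, in first-seen order.
avc_to_allow() {
    awk '
    /avc: denied/ {
        # permissions sit between "denied { " and " }"
        p = $0; sub(/.*avc: denied \{ /, "", p); sub(/ \}.*/, "", p)
        # source type: the third field of scontext=u:r:<type>:s0
        s = $0; sub(/.*scontext=u:[^:]*:/, "", s); sub(/:.*/, "", s)
        # target type: the third field of tcontext=u:object_r:<type>:s0
        t = $0; sub(/.*tcontext=u:[^:]*:/, "", t); sub(/:.*/, "", t)
        # object class
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        key = s " " t ":" c
        if (!(key in perms)) { order[++n] = key; perms[key] = "" }
        m = split(p, want, " ")
        for (i = 1; i <= m; i++)
            if (index(" " perms[key] " ", " " want[i] " ") == 0)
                perms[key] = (perms[key] == "" ? want[i] : perms[key] " " want[i])
    }
    END { for (i = 1; i <= n; i++) printf "allow %s { %s };\n", order[i], perms[order[i]] }'
}

# flag_generic_targets: read allow rules on stdin and echo, prefixed with
# RELABEL:, those whose target is one of the catch-all types sysfs, device
# or proc. A denial against such a type means the node has no specific
# label yet; the fix is a file_contexts entry with a dedicated type (the
# post uses sysfs_leds), not an allow rule on the generic type.
flag_generic_targets() {
    awk '$3 ~ /^(sysfs|device|proc):/ { print "RELABEL: " $0 }'
}

# Stand-alone run: merged rules first, then the ones needing a relabel.
printf '%s\n' "$SAMPLE_DENIALS" | avc_to_allow
printf '%s\n' "$SAMPLE_DENIALS" | avc_to_allow | flag_generic_targets
```

On the sample input the second denial pair collapses to `allow system_app sysfs:file { write open };` and is flagged, which is exactly the situation the rest of the post resolves by labelling the brightness node as sysfs_leds rather than widening access to sysfs as a whole.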
Solution

```
$ grep -nr sysfs_leds ./device/
```

Everything that was added, spread over three files (file.te, platform_app.te and file_contexts):
```
./device/qcom/sepolicy/common/file.te:61:#type sysfs_leds, sysfs_type, fs_type;
./device/qcom/sepolicy/common/file.te:70:type sysfs_leds, fs_type, sysfs_type;
./device/qcom/sepolicy/common/platform_app.te:35:allow system_app sysfs_leds:file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:36:allow system_app sysfs_leds:lnk_file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:37:allow system_app sysfs_leds:dir { search };
./device/qcom/sepolicy/common/platform_app.te:39:allow mm-pp-daemon sysfs_leds:file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:40:allow mm-pp-daemon sysfs_leds:lnk_file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:41:allow mm-pp-daemon sysfs_leds:dir { search };
./device/qcom/sepolicy/common/platform_app.te:44:allow system_server sysfs_leds:file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:45:allow system_server sysfs_leds:lnk_file { getattr open read write };
./device/qcom/sepolicy/common/platform_app.te:46:allow system_server sysfs_leds:dir { search };
./device/qcom/sepolicy/common/file_contexts:82:/sys/class/leds/button-backlight/brightness u:object_r:sysfs_leds:s0
./device/qcom/sepolicy/common/file_contexts:83:/sys/devices/soc/soc:gpio-leds/leds(/.*)? u:object_r:sysfs_leds:s0
```
1. Note that system_app and mm-pp-daemon are the application domain and the daemon that need to access the LEDs.
2. /sys/class/leds is a symlink to /sys/devices/soc/soc:gpio-leds/leds, so adding only /sys/class/leds to file_contexts does not work. To see the symlink, run the following on the board:

```
ls -la sys/class/leds
```

![](https://img-blog.csdnimg.cn/20200417103406239.png)
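To make the symlink point concrete, here is an added example (not code from the original post) that resolves a sysfs path through its symlinks and then looks the real path up against file_contexts entries. It builds the directory layout from the post under a temporary root, so it runs without a device; it assumes Linux coreutils or busybox (`readlink -f`, `ln -s`) and `grep -E`. The names `fc_label`, `sysfs_label` and `make_fake_sysfs` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): why labelling only
# /sys/class/leds is not enough. Assumes readlink -f, ln -s and grep -E.

# Constructed file_contexts fragment mirroring the two entries in the post.
FILE_CONTEXTS='/sys/class/leds/button-backlight/brightness u:object_r:sysfs_leds:s0
/sys/devices/soc/soc:gpio-leds/leds(/.*)? u:object_r:sysfs_leds:s0'

# Constructed "wrong" fragment: the symlink path only.
ONLY_CLASS='/sys/class/leds(/.*)? u:object_r:sysfs_leds:s0'

# fc_label PATH [CONTEXTS]: print the label of the last entry whose regex,
# anchored as ^regex$ like libselinux does, matches PATH, else "unlabelled".
# libselinux actually prefers the most specific match rather than the last
# one; last-match is enough for this illustration.
fc_label() {
    path=$1; contexts=${2:-$FILE_CONTEXTS}
    label=unlabelled
    while read -r regex ctx; do
        [ -z "$regex" ] && continue
        if printf '%s\n' "$path" | grep -Eq "^${regex}"'$'; then
            label=$ctx
        fi
    done <<EOF
$contexts
EOF
    printf '%s\n' "$label"
}

# sysfs_label ROOT PATH [CONTEXTS]: follow symlinks below ROOT (a fake "/"
# for testing; on a device ROOT would be ""), then label the real path.
# This is what matters at open() time: the kernel object behind
# /sys/class/leds/... lives under /sys/devices/..., so that path is the one
# that must be covered by file_contexts.
sysfs_label() {
    root=$(readlink -f "$1"); path=$2; contexts=${3:-$FILE_CONTEXTS}
    real=$(readlink -f "$root$path") || return 1
    fc_label "${real#"$root"}" "$contexts"
}

# make_fake_sysfs ROOT: build the constructed layout from the post under
# ROOT, including the /sys/class/leds symlink that ls -la shows.
make_fake_sysfs() {
    mkdir -p "$1/sys/devices/soc/soc:gpio-leds/leds/button-backlight" "$1/sys/class"
    : > "$1/sys/devices/soc/soc:gpio-leds/leds/button-backlight/brightness"
    ln -s ../devices/soc/soc:gpio-leds/leds "$1/sys/class/leds"
}

# Stand-alone run against a temporary root.
demo_root=$(mktemp -d)
make_fake_sysfs "$demo_root"
printf 'both entries: %s\n' "$(sysfs_label "$demo_root" /sys/class/leds/button-backlight/brightness)"
printf 'class only:   %s\n' "$(sysfs_label "$demo_root" /sys/class/leds/button-backlight/brightness "$ONLY_CLASS")"
rm -rf "$demo_root"
```

With both entries the brightness node resolves to its /sys/devices path and gets sysfs_leds; with the /sys/class/leds entry alone the resolved path matches nothing and stays unlabelled, which is the failure the post describes.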
Confirming a Linux user-permission (DAC) error

```
/sys/class/leds/button-backlight/brightness (Permission denied)
```

```
vim ./system/core/rootdir/init.rc
```

Add a line that changes the node's mode (0666 makes it readable and writable by every user; the SELinux rules above still decide which domains may actually open it):

```
chmod 0666 /sys/class/leds/button-backlight/brightness
```