[SELinux Policy] How do I set up SELinux policy rules?
[Description]
Since Android KK (4.4), Google enables SELinux by default and prints SELinux audit denials in the kernel log or, from the L release on, also in the Android log (logcat). The keyword to search for is "avc: denied" (the whitespace between "avc:" and "denied" varies between log sources, so match on the two words rather than on an exact string). A typical line looks like this:
<5>[ 17.285600].(0)[503:idmap]type=1400 audit(1356999072.320:202): avc: denied { create } for pid=503 comm="idmap" name="overlays.list" scontext=u:r:zygote:s0 tcontext=u:object_r:resource_cache_data_file:s0 tclass=file
This says that the idmap process, still running with zygote's source context (scontext=u:r:zygote:s0), tried to create a file (tclass=file, { create }) named overlays.list in a directory labelled resource_cache_data_file, i.e. /data/resource-cache, and SELinux refused the access.
[Keyword]
android, SELinux, avc: denied, audit
[Solution]
On KK, Google enabled SELinux only partially: only netd, installd, zygote, vold and the child processes they fork directly run in enforcing mode; ordinary apps forked by zygote are not included.
On L, Google turned SELinux on across the board: almost every process runs in enforcing mode, so the impact is very wide.
Every failed SELinux check has a matching "avc: denied" line in the kernel log (or, from L on, in the Android log), unless the policy carries a dontaudit rule for that access. The reverse does not hold: the presence of the line does not by itself mean the access failed. You must confirm which mode SELinux was in at the time, enforcing or permissive: on the device run adb shell getenforce, and on kernels that include it the denial line itself carries permissive=0 (enforced, the access failed) or permissive=1 (only logged), as in the mediaserver example in section 3 below.
First, always confirm that the process's access to the system resource is legitimate and actually necessary. If the access is itself abnormal or illegitimate, remove the access in your own code instead of widening the policy.
Second, if the access is confirmed to be necessary and normal, add a new policy rule for the corresponding process/domain.
1). Quick method
1.1 Collect all avc lines, e.g. adb shell "cat /proc/kmsg | grep avc" > avc_log.txt (adb shell dmesg | grep avc works as well; on L the same lines also appear in adb logcat).
1.2 Use the audit2allow tool to generate policy directly: audit2allow -i avc_log.txt prints the generated rules. Pass -p with the sepolicy binary built for the device (e.g. out/target/product/<product>/root/sepolicy) so that types are resolved against the device policy rather than the host's.
1.3 Add the generated rules to the SELinux policy. For the MTK solution, put them under mediatek/custom/common/sepolicy (KK) or device/mediatek/common/sepolicy (L), for example:
allow zygote resource_cache_data_file:dir rw_dir_perms;
allow zygote resource_cache_data_file:file create_file_perms;
===> mediatek/custom/common/sepolicy/zygote.te (KK)
===> device/mediatek/common/sepolicy/zygote.te (L)
Note that audit2allow converts the log into policy mechanically; it cannot know what you actually intended, so it can easily over-grant permissions (see section 3), and the rules it produces frequently fail to compile because they collide with a neverallow constraint.
2). Permission-by-permission method
This method requires the engineer to understand the basics of SELinux and the SELinux Policy Language.
2.1 Confirm which process accesses which resource, and exactly which permissions it needs: read? write? exec? create? search?
2.2 Check whether the process already has its own policy file, usually named after its executable (<executable>.te). If it has none, and its parent process (i.e. the source context it currently runs under) does not itself need access to the resource, create a new .te file, that is a new domain, rather than widening the parent's domain.
On L, Google requires that key security contexts stay unique: zygote, netd, installd, vold, ueventd and other key processes must not share a security context with any other process.
2.3 After creating the file, bind the executable to the new domain's exec type in file_contexts,
for example for /system/bin/idmap: /system/bin/idmap u:object_r:idmap_exec:s0
Check the result on the device: adb shell ls -Z /system/bin/idmap must show the new label, and after boot adb shell ps -Z must show the process running in the idmap domain.
2.4 Write the policy into the relevant .te file.
If you keep using the parent process's .te file, add the rules there directly.
If it is a new file, first declare the domain, its exec type and the transition into it:
#==============================================
# Type Declaration
#==============================================
type idmap, domain;
type idmap_exec, exec_type, file_type;
#==============================================
# Android Policy Rule
#==============================================
# permissive idmap;   # uncomment only while bringing the domain up; remove it before release
domain_auto_trans(zygote, idmap_exec, idmap);
Then add the new policy:
# new policy
allow idmap resource_cache_data_file:dir rw_dir_perms;
allow idmap resource_cache_data_file:file create_file_perms;
3). Handling over-granting
Converting avc: denied lines straight into SELinux policy often over-grants permissions. For example, when a process accesses a device node that has not been given its own SELinux label, you may see:
<7>[11281.586780] avc: denied { read write } for pid=1217 comm="mediaserver" name="tfa9897" dev="tmpfs" ino=4385 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0
Converting this line directly gives: allow mediaserver device:chr_file { read write };
That would let mediaserver read and write every device node that still carries the default "device" label. To prevent exactly this, Google constrains such rules with neverallow statements, so the sepolicy build fails.
To avoid this kind of over-granting, give the access target (the object) its own SELinux label and request only the permissions that target needs. This usually takes three steps:
3.1 Define the SELinux type.
For the case above, add to device/mediatek/common/sepolicy/device.te:
type tfa9897_device, dev_type;
3.2 Bind the file to the SELinux type.
For the case above, add to device/mediatek/common/sepolicy/file_contexts:
/dev/tfa9897(/.*)? u:object_r:tfa9897_device:s0
3.3 Add the access permission for the process/domain.
For the case above, add to device/mediatek/common/sepolicy/mediaserver.te:
allow mediaserver tfa9897_device:chr_file { open read write };
After rebuilding and flashing, confirm with adb shell ls -Z /dev/tfa9897 that the node actually carries the new label (ueventd applies file_contexts when it creates the node), otherwise the narrowed rule never matches.
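Added example covering step 1.2 above and this section. This is an editor's illustration, not MTK's or Google's code and not the real audit2allow: it parses "avc: denied" records of the shape quoted on this page, reports for each whether the access was enforced (permissive=0), only logged (permissive=1) or whether the field is absent (KK-era kernels, so getenforce must be consulted), merges denials into allow rules the way audit2allow does, and then rejects rules that either name a catch-all label (the COARSE_TYPES set is this example's assumption) or collide with a neverallow entry. The NEVERALLOW list and the SAMPLE_LOG lines are constructed for the example, modelled on the shape of the rules and records above rather than copied from Android's policy. For a denial on the generic device label it emits the three-step refinement of 3.1 to 3.3 instead of the broad rule.

```python
# Added example: audit2allow-style triage of Android "avc: denied" lines (not MTK/Google code).
import re
import sys
from collections import defaultdict

# An avc record: permissions in braces, then key=value fields (values may be quoted).
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Example's assumption: catch-all labels; allowing them grants every object still carrying the default.
COARSE_TYPES = {"device", "unlabeled"}

# Constructed for this example, modelled on the shape (not the text) of Google's neverallow rules.
NEVERALLOW = [
    {"exempt": {"init", "ueventd"}, "ttype": "device", "tclass": "chr_file",
     "perms": {"open", "read", "write"}},
]

# Constructed log lines in the shape of the two denials quoted on this page.
SAMPLE_LOG = [
    '<5>[   17.285600] type=1400 audit(1356999072.320:202): avc: denied { create } for pid=503 comm="idmap" name="overlays.list" scontext=u:r:zygote:s0 tcontext=u:object_r:resource_cache_data_file:s0 tclass=file',
    '<5>[   17.285700] type=1400 audit(1356999072.321:203): avc: denied { write } for pid=503 comm="idmap" name="overlays.list" scontext=u:r:zygote:s0 tcontext=u:object_r:resource_cache_data_file:s0 tclass=file permissive=0',
    '<7>[11281.586780] avc: denied { read write } for pid=1217 comm="mediaserver" name="tfa9897" dev="tmpfs" ino=4385 scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0',
    '<7>[11281.600000] avc: denied { getattr } for pid=1217 comm="mediaserver" path="/data/misc" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1',
]

def parse_avc(line):
    """Return a dict for one denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"perms": set(m.group("perms").split()),
            "comm": f.get("comm"), "name": f.get("name"),
            "sdomain": f["scontext"].split(":")[2],   # u:r:<domain>:s0
            "ttype": f["tcontext"].split(":")[2],     # u:object_r:<type>:s0
            "tclass": f["tclass"],
            # "0": enforced, access failed; "1": only logged; None: field absent
            # (KK-era kernels), so the mode must come from getenforce.
            "permissive": f.get("permissive")}

def collect_rules(lines):
    """Merge denials into (domain, type, class) -> perms, as audit2allow does."""
    rules = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        rules[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)

def fmt_allow(sdomain, ttype, tclass, perms):
    return "allow %s %s:%s { %s };" % (sdomain, ttype, tclass, " ".join(sorted(perms)))

def neverallow_hits(sdomain, ttype, tclass, perms):
    """Constructed neverallow entries that the proposed rule would violate."""
    return [n for n in NEVERALLOW if sdomain not in n["exempt"]
            and n["ttype"] == ttype and n["tclass"] == tclass and n["perms"] & perms]

def refine(d):
    """Steps 3.1-3.3 for a denial on the generic 'device' label.  'open' is added because
    opening the node is checked right after read/write and would surface as a second denial."""
    new_type = "%s_device" % d["name"]
    return ["# device.te", "type %s, dev_type;" % new_type,
            "# file_contexts", "/dev/%s(/.*)?  u:object_r:%s:s0" % (d["name"], new_type),
            "# %s.te" % d["sdomain"],
            fmt_allow(d["sdomain"], new_type, d["tclass"], d["perms"] | {"open"})]

def review(lines):
    """Return (report lines, accepted allow rules) for a batch of log lines."""
    mode = {"0": "ENFORCED, access failed", "1": "permissive, logged only"}
    denials = list(filter(None, map(parse_avc, lines)))
    report, accepted = [], []
    for d in denials:
        report.append("%s -> %s:%s %s [%s]" % (d["comm"], d["ttype"], d["tclass"],
                      sorted(d["perms"]), mode.get(d["permissive"], "mode unknown, run getenforce")))
    for (sd, tt, tc), perms in sorted(collect_rules(lines).items()):
        rule, hits = fmt_allow(sd, tt, tc, perms), neverallow_hits(sd, tt, tc, perms)
        if tt not in COARSE_TYPES and not hits:
            accepted.append(rule)
            continue
        report.append("REJECT %s (%s)" % (rule, "neverallow" if hits else "catch-all label"))
        src = next(d for d in denials if (d["sdomain"], d["ttype"], d["tclass"]) == (sd, tt, tc))
        if tt == "device" and src["name"]:
            report.extend(refine(src))
    return report, accepted

if __name__ == "__main__":
    src = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    rep, ok = review(src)
    print("\n".join(rep + ["ACCEPT " + r for r in ok]))
```

Run it without arguments to see the constructed sample triaged, or with the avc_log.txt collected in step 1.1 as its argument. The generated type name, the /dev path and the added open permission are this example's conventions; the real policy must still be built and the labels verified on the device as described in 3.1 to 3.3.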
Which kinds of access targets usually run into this? (taking L as the example)
* Device nodes:
-- type definition: external/sepolicy/device.te; device/mediatek/common/sepolicy/device.te
-- type binding: external/sepolicy/file_contexts; device/mediatek/common/sepolicy/file_contexts
* Files:
-- type definition: external/sepolicy/file.te; device/mediatek/common/sepolicy/file.te
-- type binding: external/sepolicy/file_contexts; device/mediatek/common/sepolicy/file_contexts
* Virtual files (procfs, sysfs and similar pseudo filesystems):
-- type definition: external/sepolicy/file.te; device/mediatek/common/sepolicy/file.te
-- type binding: external/sepolicy/genfs_contexts; device/mediatek/common/sepolicy/genfs_contexts
* Services:
-- type definition: external/sepolicy/service.te; device/mediatek/common/sepolicy/service.te
-- type binding: external/sepolicy/service_contexts; device/mediatek/common/sepolicy/service_contexts
* Properties:
-- type definition: external/sepolicy/property.te; device/mediatek/common/sepolicy/property.te
-- type binding: external/sepolicy/property_contexts; device/mediatek/common/sepolicy/property_contexts
We strongly discourage modifying Google's default policy under external/sepolicy; make the changes in the MediaTek policy under device/mediatek/common/sepolicy instead.