SELinux policy definition for Android system service: how to configure?

Earlier, I wrote a standalone daemon for accessing a user device (/dev/mydev0). Looking at the source of AOSP, I decided that I needed the configuration policies in the following files to make it work:

A new device.te file containing:

type mydev_device, dev_type; 

a new mydevsrvc.te file containing

 # service flash_recovery in init.rc
 type mydevsrvc_type, domain;
 type mydevsrvc_type_exec, exec_type, file_type;
 init_daemon_domain(mydevsrvc_type)
 allow mydevsrvc_type mydev_device:chr_file rw_file_perms;

edited file_contexts to add:

 /dev/mydev[0-9]* u:object_r:mydev_device:s0 

edited service_contexts to add:

 mydevsrvc u:object_r:mydevsrvc_type:s0 

And launched the daemon by editing init.flo.rc to include these lines:

 service mydevsrvc /system/bin/mydevsrvc
     class main
     user system
     group system
     seclabel u:r:mydevsrvc_type:s0
     oneshot

Now I need to access the device in Android applications, so I have to change the daemon to the Android system service.

I can start the service (thread) using the BOOT_COMPLETED intent, as described in the previous question.

I cannot figure out how to configure SELinux policies so that this java service also has access to the dev file.

[Update] I continued to use the privileged daemon for this purpose. My java service connects to the daemon via sockets. I do not have a better solution.

+7
android service android-source selinux
3 answers

I finally figured out the answer. Posting it here because there will definitely be SEPolicy noobs like me who are looking for similar answers.

For this to work, I needed to access my device file from my java application that implements my service.

I need to add the following rule to my sepolicy directory in a new file:

allow system_app mydev_device:chr_file rw_file_perms;

In addition, my service application needs to run in the system_app domain. For this I need:

  • Build it as a priv-app during the Android build.
  • Sign it with the platform key.
  • Declare a shared user ID in the manifest: android.uid.system. I found that without this, the application runs in the platform_app domain and cannot access my device file even with the corresponding SEPolicy rule change. Not sure why, though; I didn't bother to debug.

It may also be possible to run my service application in the mydevsrvc_type domain. I did not find out how to do this, or whether it would work.

+3
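The "not sure why" in the answer above is exactly what an AVC denial line tells you: the `scontext` field names the domain the app actually runs in, so a rule written for `system_app` never matches a process labelled `platform_app`. The following script is an added example, not code from the question or the answer: it parses constructed denial lines (modelled on the kernel's `avc: denied` format, not captured from a real device) into the `allow` rule they would need, in the style of `audit2allow`, and flags any source domain other than the one you expected. The sample lines, the `comm` value and the `0x4d01` ioctl number are all invented for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample denial lines (not from the original post). They model the
# answer's symptom: the app landed in platform_app rather than system_app, so a
# rule granting system_app access to mydev_device never applied.
SAMPLE_AVC_LINES = [
    'type=1400 audit(0.0:12): avc: denied { read write } for pid=1234 '
    'comm="mydev.service" name="mydev0" dev="tmpfs" ino=9876 '
    'scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mydev_device:s0 '
    'tclass=chr_file permissive=0',
    'type=1400 audit(0.0:13): avc: denied { open } for pid=1234 '
    'comm="mydev.service" path="/dev/mydev0" dev="tmpfs" ino=9876 '
    'scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mydev_device:s0 '
    'tclass=chr_file permissive=0',
    'type=1400 audit(0.0:14): avc: denied { ioctl } for pid=1234 '
    'comm="mydev.service" path="/dev/mydev0" dev="tmpfs" ino=9876 ioctlcmd=0x4d01 '
    'scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mydev_device:s0 '
    'tclass=chr_file permissive=0',
    # Not an AVC line; the parser must ignore it.
    '[   42.123] init: Starting service \'mydevsrvc\'...',
]

# Permissions in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context: str) -> str:
    """Third field of a security context: u:r:platform_app:s0:c512,c768 -> platform_app."""
    return context.split(':')[2]


def parse_denials(lines) -> Dict[Tuple[str, str, str], Set[str]]:
    """Group denied permissions by (source_type, target_type, tclass)."""
    rules: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m.group('scon')), type_of(m.group('tcon')), m.group('tclass'))
        rules.setdefault(key, set()).update(m.group('perms').split())
    return rules


def to_allow_rules(rules) -> List[str]:
    """Render each group as a .te allow rule with the raw permission set."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return out


def unexpected_source_domains(rules, expected: str, target_type: str) -> List[str]:
    """Source domains denied on target_type that are not the one you intended."""
    return sorted({src for (src, tgt, _) in rules
                   if tgt == target_type and src != expected})


if __name__ == '__main__':
    rules = parse_denials(SAMPLE_AVC_LINES)
    for rule in to_allow_rules(rules):
        print(rule)
    wrong = unexpected_source_domains(rules, 'system_app', 'mydev_device')
    if wrong:
        print('app is not running in system_app but in:', ', '.join(wrong))
```

Run against the sample, the generated rule names `platform_app`, which is the diagnostic the answer was missing: either fix the app's domain (the sharedUserId step above) or write the rule for the domain the app really has. The raw permission set `{ ioctl open read write }` is what the `rw_file_perms` macro in the answer's rule expands to cover, so the macro form is the idiomatic way to write it in a `.te` file.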

The following is a brief overview of the steps required to implement SELinux on your Android device:

  • Add SELinux support to the kernel and configuration.
  • Give each service (process or daemon) its own domain to launch from. Identify these services: look through the init.<device>.rc file and search for all services. Examine the init warnings of the form "Warning! Service name needs a SELinux domain defined; please fix!" in the output of dmesg. Check ps -Z | grep init to see which services are still running in the init domain.
  • Label all new processes, drivers, sockets, etc. All objects must be labelled correctly to ensure they interact properly with the policies you apply. See "Labels used in AOSP" for examples to follow when creating label names.
  • Institute security policies that fully cover all labels and limit permissions to their absolute minimum. Ideally, OEMs start with the policies in AOSP and then build on them for their own customizations.

For more, see https://source.android.com/security/selinux/implement.html

+2
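The two checks in the answer above (init warnings in dmesg, and `ps -Z | grep init`) are easy to run by hand but easy to misread, because PID 1 itself is legitimately in `u:r:init:s0`. As an added example that is not part of the answer, the script below parses a constructed `ps -Z` listing and a constructed dmesg excerpt and reports only the children of init that never got their own domain. The process names, PIDs and the `otherd` service are invented; the warning text follows the wording of init's message on Android 4.4/5.x builds and is an assumption here, not quoted from the post.

```python
import re
from typing import Dict, List

# Constructed `ps -Z` output in the LABEL USER PID PPID NAME layout of the old
# toolbox ps (not captured from a real device).
SAMPLE_PS_Z = """\
LABEL                          USER     PID   PPID  NAME
u:r:init:s0                    root     1     0     /init
u:r:kernel:s0                  root     2     0     kthreadd
u:r:ueventd:s0                 root     120   1     /sbin/ueventd
u:r:init:s0                    root     300   1     /system/bin/otherd
u:r:mydevsrvc_type:s0          system   301   1     /system/bin/mydevsrvc
u:r:system_server:s0           system   500   1     system_server
u:r:platform_app:s0:c512,c768  u0_a42   900   500   com.example.mydev
"""

# Constructed dmesg excerpt; the warning wording is assumed from init's source
# of that era, not taken from the original page.
SAMPLE_DMESG = [
    '[    3.101] init: Warning!  Service otherd needs a SELinux domain defined; please fix!',
    "[    3.205] init: Starting service 'mydevsrvc'...",
]

WARN_RE = re.compile(r'Service\s+(\S+)\s+needs a SELinux domain defined')


def domain_of(label: str) -> str:
    """Third field of a security context: u:r:init:s0 -> init."""
    return label.split(':')[2]


def parse_ps_z(text: str) -> List[Dict[str, str]]:
    """Parse `ps -Z` output into one dict per process, keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        # NAME is the last column and may contain spaces, so cap the split.
        fields = ln.split(None, len(header) - 1)
        if len(fields) != len(header):
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def services_left_in_init_domain(procs) -> List[str]:
    """Children of init (PPID 1) still labelled u:r:init:s0, i.e. services with
    no domain of their own. PID 1 is excluded because it belongs in init."""
    return sorted(p['NAME'] for p in procs
                  if p['PPID'] == '1' and domain_of(p['LABEL']) == 'init')


def services_missing_domain(dmesg_lines) -> List[str]:
    """Service names init complained about at boot."""
    found = set()
    for ln in dmesg_lines:
        m = WARN_RE.search(ln)
        if m:
            found.add(m.group(1))
    return sorted(found)


def domains_by_process(procs) -> Dict[str, str]:
    """Map process name -> SELinux domain, handy for checking which domain an
    app actually landed in (system_app vs platform_app in the first answer)."""
    return {p['NAME']: domain_of(p['LABEL']) for p in procs}


if __name__ == '__main__':
    procs = parse_ps_z(SAMPLE_PS_Z)
    print('still in init domain:', services_left_in_init_domain(procs))
    print('init warned about:', services_missing_domain(SAMPLE_DMESG))
    print('app domain:', domains_by_process(procs).get('com.example.mydev'))
```

On a real device the inputs would come from `adb shell ps -Z` and `adb shell dmesg`; the two lists should agree, and anything in either is a service that needs a `seclabel` in its init.rc entry or a domain transition in policy, as the question's `mydevsrvc_type` setup does.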

Perhaps add a line to your ueventd.rc file or project to grant the permission.

0
