Android13配置selinux让system应用可读sys,proc,SN号

system权限应用读sys,proc目录及SN号

Android13预置的system应用，需要读/sys, /proc目录，读(SN)serial number号, 需要修改selinux配置，否则会报avc错．
其修改方法会比Android11复杂一些．

实现

1. system_app.te中添加

diff --git a/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te b/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te
index 19ef6f8d662..08f8e4858e3 100755
--- a/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te
+++ b/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te
@@ -106,3 +106,10 @@ allow system_app uniview_file:file { getattr write open create read append watch
 allow system_app uniview_file:dir { search getattr write add_name create read open };
 allow system_app tombstone_data_file:dir { read watch };
 allow system_app vendor_hxy_prop:file { read map getattr open };
+allow system_app prod_file:dir { remove_name };
+allow system_app sysfs:file { getattr open read write };
+allow system_app sysfs:dir { search };
+allow system_app vendor_default_prop:property_service { set };
+allow system_app proc:file { open read };

2. coredomain.te在添加proc与sys的例外
   system/sepolicy/prebuilts/api/33.0/private/coredomain.te
   system/sepolicy/private/coredomain.te
   给proc与sys的neverallow添加-system_app

full_treble_only(`
  # /proc
  neverallow {
    coredomain
    -init
    -vold
    -system_app
  } proc:file no_rw_file_perms;

  # /sys
  neverallow {
    coredomain
    -apexd
    -init
    -ueventd
    -vold
    -system_app
  } sysfs:file no_rw_file_perms;

3. 修改domain添加serialno_prop例外
   一般只要修改private下的domain.te
   system/sepolicy/prebuilts/api/33.0/private/domain.te
   system/sepolicy/private/domain.te
   如果要进行扩展，则还要修改
   system/sepolicy/public/domain.te
   system/sepolicy/prebuilts/api/33.0/public/domain.te
   修改compatible_property_only

-    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+    neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;

修改serialno_prop:file r_file_perms，添加-system_app

完整内容如下

compatible_property_only(`
    neverallow { domain -init } mmc_prop:property_service set; 
    neverallow { domain -init -vendor_init } exported_default_prop:property_service set; 
    neverallow { domain -init } exported_secure_prop:property_service set; 
    neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set; 
    neverallow { domain -init -vendor_init } storage_config_prop:property_service set; 
    neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set; 
')


# Do not allow reading device's serial number from system properties except form 
# a few allowed domains.
neverallow {
  domain
  -adbd
  -dumpstate
  -fastbootd
  -hal_camera_server
  -hal_cas_server
  -hal_drm_server
  userdebug_or_eng(`-incidentd')
  -init
  -mediadrmserver
  -mediaserver
  -recovery
  -shell
  -system_server
  -vendor_init
  -system_app
} serialno_prop:file r_file_perms;

4. property_service set添加例外
   system/sepolicy/prebuilts/api/33.0/private/property.te
   system/sepolicy/private/property.te
   property_service set的neverallow加上-system_app

neverallow { coredomain -init -system_app } {
  vendor_property_type
  -vendor_public_property_type
}:property_service set;

property_service set compatible_property_only中的neverallow加上-system_app

compatible_property_only(`
  # Neverallow coredomain to set vendor properties
  neverallow {
    coredomain
    -init
    -system_writes_vendor_properties_violators
    -system_app
  } {
    property_type
    -system_property_type
    -extended_core_property_type
  }:property_service set;
')

5. app.te中添加proc,sys例外
   system/sepolicy/prebuilts/api/33.0/public/app.te
   system/sepolicy/public/app.te
   sysfs:dir_file_class_set与proc:dir_file_class_set write的neverallow中添加-system_app

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -system_app }
    sysfs:dir_file_class_set write;
neverallow { appdomain -system_app }
    proc:dir_file_class_set write;

作者:帅得不敢出门　原创文章谢绝转载收录