1. Collection

Check the current SELinux mode:

getenforce

# Enforcing  : enforcing mode, denials are blocked and logged
# Permissive : permissive mode, denials are logged but not blocked

Set the SELinux mode (setenforce needs a root shell, so on a userdebug/eng build run adb root first; a user build stays enforcing, see section 5):

# switch SELinux to permissive mode
setenforce 0

# switch SELinux back to enforcing mode
setenforce 1

1.1 Collecting logs
  • Set SELinux to permissive mode, then run your application and exercise every feature, and finally export the dlt or logcat log. In permissive mode every denial is logged but nothing is blocked, so one run captures the whole set of denials instead of stopping at the first one; the permissive=1 field on each avc: line records this.

  • Search for "avc:" and save the matching lines to a file named xxx.txt (for example denied.txt).

  • Convert the log into rules with the audit2allow tool:

    audit2allow -i denied.txt > selinux_rule.txt

    Note that you must use the audit2allow under external/selinux/prebuilts/bin; otherwise you get the following error:

    ValueError: You must specify the -p option with the path to the policy file.

    The -p option takes the compiled binary policy; the one running on the device can be pulled with adb pull /sys/fs/selinux/policy and passed as -p policy.

2. Configuring rules

The generated selinux_rule.txt looks like this:

#============= bluetooth ==============
allow bluetooth mediametrics_service:service_manager find;

#============= g7ph_x5r ==============
allow g7ph_x5r ip_exec:file { execute execute_no_trans getattr map open read };
allow g7ph_x5r net_data_file:dir search;
allow g7ph_x5r net_data_file:file { getattr open read };
allow g7ph_x5r proc_cmdline:file { open read };
allow g7ph_x5r self:capability net_admin;
allow g7ph_x5r self:netlink_route_socket { bind create getattr nlmsg_write read setopt write };
allow g7ph_x5r self:udp_socket { create ioctl };
allow g7ph_x5r vendor_toolbox_exec:file { execute execute_no_trans map };

#============= hal_audio_default ==============
allow hal_audio_default hal_vehicle_hwservice:hwservice_manager find;
allow hal_audio_default netd:unix_stream_socket connectto;
allow hal_audio_default self:tcp_socket { connect create };

The bluetooth in the "#============= bluetooth ==============" header is the source domain, which names the bluetooth.te file. Find the matching .te file under the device directory and add the rules there, make sure the build passes, then run the check again to see whether any further denials are reported; when none remain, the rules are complete.

Review every generated rule before adding it. audit2allow reproduces exactly what the process did while permissive, including things it should not be doing: in the output above, self:capability net_admin, the nlmsg_write permission on netlink_route_socket and executing vendor_toolbox_exec grant g7ph_x5r far more than a single feature needs, and the blanket system_data_file and socket rules are precisely what the neverallow checks in section 4 reject. Narrow each rule to a specific file type and the minimal permission set rather than pasting the output verbatim.

After the rules are in place, the following command builds only the sepolicy; once that passes, doing the full build is much faster than iterating on full builds:

make sepolicy
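Before pasting selinux_rule.txt into a .te file it helps to see what audit2allow is doing and to catch the rules that section 4 will reject. The following is an added example written for this page (it is not the page author's tooling and not audit2allow itself): it parses avc: denied lines, merges permissions per source/target/class the way audit2allow does, and then flags rules that the neverallows quoted in section 4 would reject. The log lines are constructed for the example, in the format of the audioserver denial shown in 4.15; the neverallow checks are a simplification that matches on type names (a hal_ prefix, an explicit exemption list) rather than on attribute membership in the compiled policy.

```python
"""Group AVC denials into allow rules and flag the ones a neverallow would reject.

Added example (not part of the original post). Minimal audit2allow-style pass:
parse "avc: denied" lines, merge permissions per (source type, target type, class),
render one allow rule per group, and flag rules that the neverallows quoted in
section 4 of this page would reject. The log lines are constructed; the neverallow
checks are a simplification that matches on type names, not attribute membership.
"""
import re
from collections import defaultdict

# Fields of a kernel AVC record as logcat prints it. Contexts look like
# u:r:system_app:s0:c512,c768 (source) or u:object_r:system_data_file:s0 (target).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample log, in the format of the audioserver denial shown in 4.15.
SAMPLE_LOG = """\
11-08 02:38:28.259  4304  4304 I Binder:4304_3: type=1400 audit(0.0:415): avc: denied { read write open } for path="/data/core/!system!bin!audioserver.4304.Binder:4304_3" dev="vdb" ino=1442455 scontext=u:r:audioserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
11-08 02:38:28.301  4304  4304 I Binder:4304_3: type=1400 audit(0.0:416): avc: denied { create } for name="audioserver.dump" scontext=u:r:audioserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
11-08 02:38:29.002  1211  1211 I audio@2.0-service: type=1400 audit(0.0:417): avc: denied { create } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_audio_default:s0 tclass=tcp_socket permissive=1
11-08 02:38:29.107  2043  2043 I miniprogram: type=1400 audit(0.0:418): avc: denied { execute } for path="/data/miniprogram/libnative.so" scontext=u:r:system_app:s0:c512,c768 tcontext=u:object_r:np_miniprogram_app:s0 tclass=file permissive=1
11-08 02:38:29.210  1377  1377 I bluetooth: type=1400 audit(0.0:419): avc: denied { find } for service=media.metrics scontext=u:r:bluetooth:s0 tcontext=u:object_r:mediametrics_service:s0 tclass=service_manager permissive=1
"""


def type_of(context):
    """u:r:audioserver:s0 -> audioserver; u:object_r:system_data_file:s0 -> system_data_file."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return {(source, target, tclass): set(perms)} merged over all avc: denied lines."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)


def to_allow_rules(rules):
    """Render the groups as .te allow rules, sorted so repeated runs diff cleanly."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {body};")
    return lines


# Permission sets named by the quoted neverallows (no_w_file_perms, no_x_file_perms).
NO_W = {"write", "create", "setattr", "relabelfrom", "relabelto", "append", "unlink", "link", "rename"}
NO_X = {"execute", "execute_no_trans"}
# Data types a system_app may execute from: the exemptions in the 4.16 neverallow.
EXEC_OK = {"dalvikcache_data_file", "system_data_file", "apk_data_file"}
IP_SOCKETS = {"tcp_socket", "udp_socket", "rawip_socket"}


def neverallow_hits(rules):
    """Flag rules the neverallows in 4.1/4.15, 4.16 and 4.2 (hal_neverallows) reject.
    Assumption: HAL server domains are recognised by the hal_ prefix and any non-exempt
    execute target is treated as data_file_type; the real check uses the attribute sets
    of the compiled policy."""
    hits = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if tgt == "system_data_file" and cls in ("file", "dir") and perms & NO_W:
            hits.append(f"{src} {tgt}:{cls} {sorted(perms & NO_W)}: give the path its own type (4.1, 4.15)")
        if src == "system_app" and cls == "file" and perms & NO_X and tgt not in EXEC_OK:
            hits.append(f"{src} {tgt}:{cls} {sorted(perms & NO_X)}: system_app may not execute from /data (4.16)")
        if src.startswith("hal_") and cls in IP_SOCKETS:
            hits.append(f"{src} {cls}: HAL servers may not open IP sockets (4.2 hal_neverallows)")
    return hits


if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_LOG)
    print("\n".join(to_allow_rules(parsed)))
    print("\nneverallow risks:")
    print("\n".join(neverallow_hits(parsed)))
```

Run it as a script to print the rules and the flags, or call parse_denials on the text of denied.txt for a real log. Anything it flags needs a new file type (4.1, 4.15), an exemption attribute (4.2) or a different design, not a bigger allow rule.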

3. Checking the configuration

Sometimes a permission has clearly been added and the same denial still appears. In that case check whether you added it in the right place.

Check whether the policy you configured shows up in the following generated files (the recovery policy and the vendor policy are built separately, so a rule placed in the wrong directory lands in neither):

out/target/product/msmnile_gvmq/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf
out/target/product/msmnile_gvmq/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy.conf

Also compare the scontext and tcontext type names in the denial with the types in your rule character for character: a denial against tcontext=u:object_r:system_data_file:s0 is not fixed by a rule on a type you defined but never applied through file_contexts.

4. Handling neverallow

4.1 system_data_file type

Error log:

neverallow on line 1161 of system/sepolicy/public/domain.te (or line 11544 of policy.conf) violated by allow iap2communication system_data_file:file { write create };

Fix: do not grant write/create on system_data_file, the default label for everything under /data; give the directory its own type and grant the permissions on that type.

# rules generated by audit2allow
#============= iap2communication ==============
allow iap2communication i2c_device:chr_file { ioctl open read write };
allow iap2communication system_data_file:dir { add_name write };
allow iap2communication system_data_file:file { create open write }; # this rule must be narrowed to a specific file type

# add to the module's file_contexts
/data/carplay(/.*)? u:object_r:carplaycommunication_file:s0

# define the type in the module's file.te; the name has to be the same one used in
# file_contexts and in the allow rule, otherwise checkfc rejects the file_contexts entry
type carplaycommunication_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# add the rules for the files the iap2communication domain accesses, in iap2communication.te
allow iap2communication i2c_device:chr_file { ioctl open read write };
allow iap2communication system_data_file:dir { add_name write };
# the specific type carplaycommunication_file goes here
allow iap2communication carplaycommunication_file:file { create open write };

Creating a file inside /data/carplay also needs add_name and write on the directory's own type (carplaycommunication_file:dir); the system_data_file:dir rule is only needed if the daemon itself creates /data/carplay rather than init.

4.2 default_android_service type

An interface with no *_contexts entry falls back to the default label; give each HAL binary, domain and hwservice its own type, as follows.

Define the file_contexts entry:

# qcom/sepolicy/vendor/common/file_contexts
/vendor/bin/hw/android\.hardware\.bluetoothext@1\.0-service u:object_r:hal_bluetoothext_default_exec:s0

Define the domain:

# qcom/sepolicy/vendor/common/bluetoothext.te
type hal_bluetoothext_default, domain;
type hal_bluetoothext_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_bluetoothext_default)

# name the specific hwservice type here: hal_bluetoothext_hwservice
allow hal_bluetoothext_default hal_bluetoothext_hwservice:hwservice_manager { add find };
allow hal_bluetoothext_default hidl_base_hwservice:hwservice_manager add;

Define the hwservice_contexts entry (the hwservice counterpart of file_contexts):

# hwservice_contexts
android.hardware.bluetoothext::IBluetoothHci u:object_r:hal_bluetoothext_hwservice:s0

Define the hal_bluetoothext_hwservice type:

# hwservice.te
type hal_bluetoothext_hwservice, hwservice_manager_type;

4.2 hal_neverallows.te type

Error message:

libsepol.report_failure: neverallow on line 27 of system/sepolicy/public/hal_neverallows.te (or line 15113 of policy.conf) violated by allow hal_audio_default hal_audio_default:tcp_socket { read create connect };

Cause: HAL server domains are not allowed to open IP sockets.

# system/sepolicy/public/hal_neverallows.te
# system/sepolicy/prebuilts/api/26.0/public/hal_neverallows.te
# system/sepolicy/prebuilts/api/27.0/public/hal_neverallows.te
# system/sepolicy/prebuilts/api/28.0/public/hal_neverallows.te
neverallow {
halserverdomain
-hal_automotive_socket_exemption
-hal_tetheroffload_server
-hal_wifi_server
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
} domain:{ tcp_socket udp_socket rawip_socket } *;

Fix used here: attach an attribute to hal_audio_default and add that attribute to the exemption list.

typeattribute hal_audio_default system_executes_vendor_violators;

# system/sepolicy/public/hal_neverallows.te
# system/sepolicy/prebuilts/api/26.0/public/hal_neverallows.te
# system/sepolicy/prebuilts/api/27.0/public/hal_neverallows.te
# system/sepolicy/prebuilts/api/28.0/public/hal_neverallows.te
neverallow {
halserverdomain
-hal_automotive_socket_exemption
-hal_tetheroffload_server
-hal_wifi_server
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
-system_executes_vendor_violators
} domain:{ tcp_socket udp_socket rawip_socket } *;

Two caveats. First, this edits the platform policy in system/sepolicy (and its prebuilts/api copies), which is the policy the CTS SELinux neverallow test is generated from, so a device built this way fails that test; keep such changes in vendor policy wherever possible. Second, system_executes_vendor_violators exists for a different neverallow (system domains executing vendor files); the rule above already carves out hal_automotive_socket_exemption, so for an automotive HAL that needs sockets, attaching that existing attribute from vendor policy (typeattribute hal_audio_default hal_automotive_socket_exemption;) has the same effect without touching system/sepolicy. Better still is to keep the network I/O out of the HAL process altogether, which is what the neverallow exists to enforce.

4.3 Pulling in all sepolicy directories

The three loops below add each component's np_types subdirectory to the public, private and vendor policy directory lists respectively.

# /device/gxatek/common/sepolicy.mk
SEPOLICY_PATH := device/gxatek/common/legacy/sepolicy

TS_PUBLIC_POLICY := $(SEPOLICY_PATH)/public
TS_COMPONET_PUBLIC := $(wildcard $(TS_PUBLIC_POLICY)/*)
BOARD_PLAT_PUBLIC_SEPOLICY_DIR += $(foreach n, $(TS_COMPONET_PUBLIC), $(n)/np_types)

TS_PRIVATE_POLICY := $(SEPOLICY_PATH)/private
TS_COMPONET_PRIVATE := $(wildcard $(TS_PRIVATE_POLICY)/*)
BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(foreach n, $(TS_COMPONET_PRIVATE), $(n)/np_types)

TS_VENDOR_POLICY := $(SEPOLICY_PATH)/vendor
TS_COMPONET_VENDOR := $(wildcard $(TS_VENDOR_POLICY)/*)
BOARD_SEPOLICY_DIRS += $(foreach n, $(TS_COMPONET_VENDOR), $(n)/np_types)

4.4 Duplicate definitions

A "Multiple same specifications" error means the same key (a hwservice name, a service name or a path regex) is listed more than once in the *_contexts files that are merged into one output; remove the extra copy. The hwservice_contexts case looks like this:

Multiple same specifications for vendor.ts.audioext::IAudioExtService.
Multiple same specifications for vendor.ts.broadcastradio::IBroadcastRadio.
Multiple same specifications for vendor.ts.vehiclediag::IVehicleDiag.
Multiple same specifications for vendor.ts.light::ILight.
Multiple same specifications for vendor.ts.gnssext::IGnssExt.
Multiple same specifications for vendor.ts.mex::IMex.
Multiple same specifications for vendor.ts.mextransfer::IMexTransfer.
Multiple same specifications for vendor.ts.persistenceadmin::IPersistenceAdmin.
Multiple same specifications for vendor.ts.perscommonservice::IPersCommonService.
Multiple same specifications for vendor.ts.systemlog::ISystemLog.
Multiple same specifications for vendor.ts.timesync::ITimeSync.
Multiple same specifications for vendor.ts.hardware.wifi.hostapd::IHostapd.
Multiple same specifications for vendor.ts.iap::IIap.
Multiple same specifications for vendor.ts.iap::IIapCallback.
Multiple same specifications for vendor.ts.someip::ISomeIp.
Multiple same specifications for vendor.ts.someip::ISomeIpCallback.
Multiple same specifications for vendor.ts.someip::ISomeIpClient.
Multiple same specifications for vendor.ts.someip::ISomeIpServer.
Multiple same specifications for vendor.ts.tbox::ITbox.
Multiple same specifications for vendor.ts.tbox::ITboxCallback.
Multiple same specifications for vendor.ts.tbox::ITboxWifi.
Multiple same specifications for vendor.ts.tbox::ITboxWifiCallback.
Multiple same specifications for vendor.ts.tbox::ITboxGnss.
Multiple same specifications for vendor.ts.tbox::ITboxGnssCallback.

The file_contexts case looks like this:

out/target/product/msmnile_gvmq/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts.tmp: Multiple same specifications for /system/bin/CarPlayCommService.
out/target/product/msmnile_gvmq/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts.tmp: Multiple same specifications for /system/bin/CarPlayCommService.
out/target/product/msmnile_gvmq/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts.tmp: Multiple same specifications for /system/bin/IAP2CommService.
out/target/product/msmnile_gvmq/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts.tmp: Multiple same specifications for /system/bin/IAP2CommService.
out/target/product/msmnile_gvmq/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts.tmp: Multiple same specifications for /data/carplay(/.*)?.
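The check behind this error can be reproduced offline before running the build. The following is an added example written for this page, not the build's checkfc: it merges the *_contexts fragments that feed one output, reports every key that appears more than once, and uses the build's own two wordings, "same" when the copies carry the same label (a stray repeat, delete one) and "different" when they disagree (a real conflict, decide which label is right). The inputs are constructed; the iap2communication_exec and carplaycomm_exec labels are assumed names.

```python
"""Detect duplicate *_contexts entries before the build does.

Added example (not part of the original post). The build concatenates every
*_contexts file that feeds one output (for example all file_contexts fragments that
end up in plat_file_contexts) and rejects a key that appears twice. This merges a
list of (filename, text) pairs and reports every key seen more than once, with the
files it came from. Constructed inputs; labels ending in _exec are assumed names.
Simplification: libselinux lets two file_contexts entries with the same regex but
different file-type flags (-d, -c ...) coexist; this reports those too.
"""
from collections import defaultdict

# Constructed inputs: two file_contexts fragments that both get merged into
# plat_file_contexts. The paths are the ones from the error messages above.
SAMPLE_SOURCES = [
    ("device/qcom/sepolicy/vendor/common/file_contexts",
     "/system/bin/CarPlayCommService   u:object_r:carplaycomm_exec:s0\n"
     "/data/carplay(/.*)?              u:object_r:carplaycommunication_file:s0\n"),
    ("device/gxatek/common/legacy/sepolicy/vendor/iap/np_types/file_contexts",
     "# iAP2 / CarPlay daemons\n"
     "/system/bin/IAP2CommService      u:object_r:iap2communication_exec:s0\n"
     "/system/bin/CarPlayCommService   u:object_r:carplaycomm_exec:s0\n"
     "/data/carplay(/.*)?              u:object_r:iap2communication_file:s0\n"),
]


def parse_contexts(text):
    """Yield (key, label) per entry of a file_contexts, hwservice_contexts,
    service_contexts or property_contexts fragment: the key is the first field
    (path regex, interface name or property prefix) and the label the next field,
    skipping an optional file_contexts type flag such as -- or -d. Comment and
    blank lines are ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[1].startswith("-"):
            del fields[1]  # file type flag between regex and label
        if len(fields) < 2:
            raise ValueError(f"malformed contexts line: {raw!r}")
        yield fields[0], fields[1]


def find_duplicate_specs(sources):
    """sources: list of (filename, text). Return {key: [(filename, label), ...]}
    for every key that occurs more than once across all sources."""
    seen = defaultdict(list)
    for fname, text in sources:
        for key, label in parse_contexts(text):
            seen[key].append((fname, label))
    return {key: occ for key, occ in seen.items() if len(occ) > 1}


def format_report(dups):
    """One line per duplicate in the build's wording: 'same' when every copy has the
    same label, 'different' when the copies disagree, followed by the source files."""
    lines = []
    for key, occ in sorted(dups.items()):
        labels = sorted({label for _, label in occ})
        kind = "different" if len(labels) > 1 else "same"
        files = ", ".join(fname for fname, _ in occ)
        lines.append(f"Multiple {kind} specifications for {key}. [{files}]")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(find_duplicate_specs(SAMPLE_SOURCES))))
```

Feed it the real fragments by reading each file into a (path, text) pair; a "different" line is the case from 4.1 where two modules label the same /data path with two types, and only one of them can win.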

4.5 Property settings

# define the property in legacy/sepolicy/vendor/iap/np_types/property_contexts
vendor.iap. u:object_r:vendor_iap_prop:s0

# define the type in legacy/sepolicy/vendor/iap/np_types/property.te
type vendor_iap_prop, property_type;

# define the rule in legacy/sepolicy/vendor/iap/np_rules/ts_iap_daemon.te
get_prop(np_iap_daemon, vendor_iap_prop)
# or write the allow rule by hand: allow np_iap_daemon xxxxx

The build fails when a system domain (here system_app) sets a property whose type is defined in vendor policy:

neverallow check failed at out/target/product/msmnile_gvmq/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versi:7081
(neverallow base_typeattr_269_28_0 base_typeattr_270_28_0 (property_service (set)))
<root>
allow at out/target/product/msmnile_gvmq/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil:2767
(allow system_app_28_0 np_persist_vendor_bt_prop (property_service (set)))

neverallow check failed at out/target/product/msmnile_gvmq/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:9 system/sepolicy/public/property.te:314
(neverallow base_typeattr_269 base_typeattr_270 (property_service (set)))
<root>
allow at out/target/product/msmnile_gvmq/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil:2767
(allow system_app_28_0 np_persist_vendor_bt_prop (property_service (set)))

Fix used here: define the property type in the platform policy and exempt it from the neverallow.

# system/sepolicy/public/property.te
# ./prebuilts/api/26.0/public/property.te
# ./prebuilts/api/27.0/public/property.te
# ./prebuilts/api/28.0/public/property.te
type system_default_prop, property_type; # add this definition

compatible_property_only(`
# Neverallow coredomain to set vendor properties
neverallow {
coredomain
-init
-system_writes_vendor_properties_violators
} {
property_type
.....
-system_default_prop # add this line
}:property_service set;
')

As in 4.2, this modifies system/sepolicy and its prebuilts, with the same CTS consequence. The neverallow exists because a property set by a system domain belongs to the system side: a persist.bt. prefix written by system_app should carry a type declared in the platform policy, not a vendor-defined one such as np_persist_vendor_bt_prop, which is what the failing rule was attempting.

# add the rule in device/gxatek/common/legacy/sepolicy/public/system/mix_rules
allow system_app system_default_prop:property_service set;

# property_contexts entry
persist.bt. u:object_r:system_default_prop:s0

4.6 Adding a service

# system/sepolicy/private/seapp_contexts
# system/sepolicy/prebuilts/api/26.0/private/seapp_contexts
# system/sepolicy/prebuilts/api/27.0/private/seapp_contexts
# system/sepolicy/prebuilts/api/28.0/private/seapp_contexts
user=system seinfo=platform name=com.gxa.car.qnxapp domain=qnx_app type=system_app_data_file

# define the service's label
# device/gxatek/common/legacy/sepolicy/public/system/np_types/service_contexts
QnxMessageService u:object_r:qnx_msg_service:s0

# device/gxatek/common/legacy/sepolicy/public/system/mix_rules/service.te
type qnx_msg_service, service_manager_type;

# device/gxatek/common/legacy/sepolicy/public/system/mix_rules/system_app.te
allow system_app qnx_msg_service:service_manager add;

Check that the domain in the seapp_contexts line and the domain in the add rule are the same one: the entry above puts com.gxa.car.qnxapp into qnx_app, so a rule written for system_app only helps if the app actually keeps running as system_app (the stock mapping for user=system seinfo=platform), in which case the seapp_contexts entry is not needed.

4.7 Default file type

Error message:

libsepol.report_failure: neverallow on line 458 of system/sepolicy/public/app.te (or line 8475 of policy.conf) violated by allow system_app system_data_file:file { write create };
libsepol.report_failure: neverallow on line 458 of system/sepolicy/public/app.te (or line 8475 of policy.conf) violated by allow system_app system_data_file:dir { write create };

Cause: system_data_file is the default label for files under /data, so each file node needs its own file_contexts entry.

# system/sepolicy/public/app.te
# system/sepolicy/prebuilts/api/28.0/public/app.te
neverallow appdomain system_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };

So each file node under /data needs its own file type.

Definition that does not work:

allow system_app system_data_file:dir { write create };
allow system_app system_data_file:file { write create };

Check the detailed log and define a separate file_contexts entry (and type) for each directory, as in 4.1 and 4.15.

4.8 Deploying a sepolicy change on its own
  • Changes that involve boot-time applications and system services require replacing vendor.img or system.img.
  • For other broken features it is enough to replace vendor/etc/selinux.
4.9 gnss service

libsepol.report_failure: neverallow on line 9 of device/gxatek/common/legacy/sepolicy/vendor/Location/np_rules/gnss_ext.te (or line 45156 of policy.conf) violated by allow hal_gnss_default np_location_gnss_hwservice:hwservice_manager { add };

Sorting out the relationship behind allow hal_gnss_default np_location_gnss_hwservice:hwservice_manager { add }:

/(vendor|system/vendor)/bin/hw/vendor\.ts\.gnssext@1\.0-service           u:object_r:hal_gnss_default_exec:s0

# should not be added to the stock (native) one
/(vendor|system/vendor)/bin/hw/vendor\.ts\.gnss@1\.0-service u:object_r:np_location_gnss_deamon_exec:s0

vendor.ts.gnssext::IGnssExt u:object_r:np_location_gnss_hwservice:s0

The gnssext binary is labelled hal_gnss_default_exec, so it runs in hal_gnss_default, yet the hwservice it registers is labelled np_location_gnss_hwservice, which the vendor-defined neverallow at gnss_ext.te line 9 forbids for that domain. The exec label, the domain and the hwservice label have to be paired consistently: one domain per daemon, and one hwservice type that domain is allowed to add.
4.10 APK service cannot be compiled into the rules

Fix: add the service in device/qcom/sepolicy/vendor/common/service_contexts and device/qcom/sepolicy/vendor/common/system/private/service_contexts:

QnxMessageService u:object_r:qnx_msg_service:s0
4.11 socket_between_core_and_vendor_violators

Error message:

neverallow on line 716 of system/sepolicy/public/domain.te (or line 10796 of policy.conf) violated by allow system_app firewalldaemon:unix_stream_socket { connectto };

Cause: under Treble, core (system) domains may not establish socket connections to vendor domains.

full_treble_only(`
neverallow_establish_socket_comms({
coredomain
-init
-adbd
}, {
domain
-coredomain
-socket_between_core_and_vendor_violators
});
')

Fix: mark the vendor daemon as a violator.

# device/gxatek/common/legacy/sepolicy/vendor/Firewall/np_rules/firewalldaemon.te
typeattribute firewalldaemon socket_between_core_and_vendor_violators;

The violators attribute is an escape hatch that keeps the build going; the supported system-to-vendor boundary is a HAL interface registered with hwservicemanager (as in 4.2), which is what the neverallow is steering towards.

4.12 Socket configuration

# file_contexts
/dev/socket/gxafirewall u:object_r:firewall_socket:s0

# file.te
type firewall_socket, file_type;

# add the rule in system_app.te
allow system_app firewall_socket:sock_file write;

4.13 Attribute file configuration

# file_contexts
/data/system/users/[0-9]+/dsp_attrs.xml u:object_r:hal_audio_data_file:s0

# file.te
type hal_audio_data_file, file_type, data_file_type, core_data_file_type;

# hal_audio_default.te
allow hal_audio_default hal_audio_data_file:file { create getattr open read write };

Note that this gives a vendor HAL a file under /data/system, the core/vendor data boundary that 4.14 describes; vendor-owned data belongs under /data/vendor.

4.14 Insufficient domain permissions

Error message:

neverallow on line 866 of system/sepolicy/public/domain.te (or line 11152 of policy.conf) violated by allow np_iot_security_srv data_certs_file:dir { search };

Cause:

full_treble_only(`
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
neverallow {
domain
-appdomain # TODO(b/34980020) remove exemption for appdomain
-coredomain
-data_between_core_and_vendor_violators
-vendor_init
} {
core_data_file_type
-system_data_file # default label for files on /data. Covered below...
-vendor_data_file
-zoneinfo_data_file
}:dir *;

Fix: give np_iot_security_srv the data_between_core_and_vendor_violators attribute.

# typeattribute np_iot_security_srv data_between_core_and_vendor_violators;
# the line above is equivalent to
# type np_iot_security_srv, domain, data_between_core_and_vendor_violators;
type np_iot_security_srv, domain, data_between_core_and_vendor_violators;
type np_iot_security_srv_exec, vendor_file_type, exec_type, file_type;

As the comment on the neverallow says, vendor domains are meant to use /data/vendor only; the attribute is a compatibility escape hatch, and moving the data the service needs under /data/vendor, labelled with a vendor-defined type (file_type, data_file_type, without core_data_file_type), removes the violation instead of exempting it.

4.15 write and create on system_data_file

Error message:

libsepol.report_failure: neverallow on line 1161 of system/sepolicy/public/domain.te (or line 11569 of policy.conf) violated by allow audioserver system_data_file:file { write create };
libsepol.check_assertions: 1 neverallow failures occurred

Cause:

neverallow {
domain
-system_server
-system_app
-init
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;

Fix: the denial shows which path is still carrying the default label:

11-08 02:38:28.259  4304  4304 I Binder:4304_3: type=1400 audit(0.0:415): avc: denied { read write open } for path="/data/core/!system!bin!audioserver.4304.Binder:4304_3" dev="vdb" ino=1442455 scontext=u:r:audioserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1

# file_contexts: label the directory
/data/core(/.*)? u:object_r:np_caraudioserver_data_file:s0

# file.te: define the type. A core domain such as audioserver accessing /data/core requires core_data_file_type on the type!
type np_caraudioserver_data_file, file_type, data_file_type, core_data_file_type;

# rules
allow audioserver np_caraudioserver_data_file:dir { add_name write };
allow audioserver np_caraudioserver_data_file:file { create open read write };

4.16 Executable .so libraries inside an APK

Error message:

libsepol.report_failure: neverallow on line 1290 of system/sepolicy/public/domain.te (or line 11091 of policy.conf) violated by allow system_app np_miniprogram_app:file { execute execute_no_trans };

Cause:

# Blacklist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
nfc
radio
shared_relro
system_app
} {
data_file_type
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;

Fix: the only data types these domains may execute from are the three exempted ones, so leave the libraries with the system_data_file label (where an APK's extracted shared libraries already live) instead of the custom np_miniprogram_app type, and allow execution on that:

# use system_data_file
allow system_app system_data_file:file { execute execute_no_trans };

This is still a broad grant (execute on every default-labelled file under /data), which is the trade-off the "shared libs in apks" exemption accepts for system_app.

5. Build configuration

A user build enables SELinux enforcing by default.

Add the following macro to the .mk script that gets included:

ANDROID_BUILD_SELINUX_ENFORCE=true

With this macro set, LINUX\android\system\core\init\Android.mk passes -DALLOW_PERMISSIVE_SELINUX=0, which LINUX\android\system\core\init\selinux.cpp evaluates as follows:

// system/core/init/selinux.cpp
bool IsEnforcing() {
    if (ALLOW_PERMISSIVE_SELINUX) {
        return StatusFromCmdline() == SELINUX_ENFORCING;  // userdebug: controlled by the kernel cmdline (androidboot.selinux=)
    }
    return true;  // user: enforcing unconditionally
}
