[Android L] SEAndroid: how to open device file node permissions (read or write), covering the common operations: sys/xxx, proc/xxx, SystemProperties

Source: Internet
Author: User


TIPS: first read the previous post ([Android L] SEAndroid enhanced Android security: background summary and impact) to get an overall picture of SEAndroid, then continue with this one.
1. Symptom description
While developing on the Android L source tree, the app layer needs to read or write file nodes under sys/xxx or proc/xxx, but the open fails with the following permission exception and the node cannot be operated on directly:

    LedLightFileUtil(4671): java.io.FileNotFoundException: /sys/class/leds/green/brightness: open failed: EACCES (Permission denied)
    LedLightFileUtil(4671):     at libcore.io.IoBridge.open(IoBridge.java:456)
    LedLightFileUtil(4671):     at java.io.FileOutputStream.<init>(FileOutputStream.java:87)
    LedLightFileUtil(4671):     at java.io.FileOutputStream.<init>(FileOutputStream.java:127)
    LedLightFileUtil(4671):     at java.io.FileOutputStream.<init>(FileOutputStream.java:116)

Note that EACCES from open() looks the same whether it comes from the node's owner/mode bits (DAC) or from SELinux (MAC). An SELinux denial additionally leaves an "avc: denied" line in logcat or dmesg that names the source domain, the target type and the missing permission; that line is what to look for before changing any policy.
[Statement] Welcome to reprint, but please keep the original source of the article: http://blog.csdn.net/yelangjueqi/article/details/46761987

2. Cause
In Android L, Google turned on SELinux (SEAndroid) in enforcing mode in the source tree. By default neither apps nor the framework have permission to access device nodes such as sys/xxx and proc/xxx; every access has to be granted explicitly by a policy rule.
3. Solution
The following shows how to grant permissions to a system app or to the system_server process for three common operations:
1) SEAndroid: granting access (read or write) to a sys device file node (for example /sys/class/leds/green/brightness)
2) SEAndroid: granting access (read or write) to a proc device file node (for example /proc/touchscreen_feature/gesture_data)
3) SEAndroid: granting set (write) permission on a custom SystemProperties property
3.1 SEAndroid: granting access (read or write) to a sys device file node (for example /sys/class/leds/green/brightness)
Take the device file node of an LED as the example, here the green light, and give a system app process at the app layer read/write access to it:
    /sys/class/leds/green/brightness                          // shortcut (symlink)
    /sys/devices/soc.0/gpio-leds.66/leds/green/brightness     // actual node
PS: The default policy lives under external/sepolicy, but the MTK and QCOM platforms each keep their own SELinux policy directory (MTK: alps/device/mediatek/common/sepolicy; QCOM: android/device/qcom/sepolicy/common), so it is recommended to make the changes in the platform's directory. The following uses the QCOM platform as the example; the steps for the MTK platform are the same under alps/device/mediatek/common/sepolicy.
3.1.1 In android/device/qcom/sepolicy/common/file.te, define the SELinux type sysfs_wingtk_leds:
    type sysfs_wingtk_leds, fs_type, sysfs_type;
3.1.2 In android/device/qcom/sepolicy/common/file_contexts, bind sysfs_wingtk_leds to the actual node. Note that it must be the actual node: the label is applied to the file under /sys/devices that the /sys/class symlink points to, and that is the inode the access check is made on.
    /sys/devices/soc.0/gpio-leds.66/leds/green/brightness    u:object_r:sysfs_wingtk_leds:s0
PS: You can also declare /sys/class/leds/green/brightness; this line is optional:
    /sys/class/leds/green/brightness    u:object_r:sysfs_wingtk_leds:s0
Summary: the additions to file_contexts are:
    /sys/class/leds/green/brightness    u:object_r:sysfs_wingtk_leds:s0
    /sys/devices/soc.0/gpio-leds.66/leds/green/brightness    u:object_r:sysfs_wingtk_leds:s0
(file_contexts paths are regular expressions, so a strict entry escapes the dots as soc\.0 and gpio-leds\.66; an unescaped dot matches any single character, which is harmless here but worth knowing.)
3.1.3 Request the permission in android/device/qcom/sepolicy/common/system_app.te:
    allow system_app sysfs_wingtk_leds:file rw_file_perms;
PS: The same permission can be granted to other processes, such as system_server, in android/device/qcom/sepolicy/common/system_server.te:
    allow system_server sysfs_wingtk_leds:file rw_file_perms;
PS: How to find the actual node used in step 3.1.2: run ll -Z in the /sys/class/leds directory on the device; the symlink targets are the actual nodes, and the -Z column shows the label each one currently carries (the generic sysfs type until the new file_contexts entry is applied):
    root@K31-t7:/sys/class/leds # ll -Z
    lrwxrwxrwx root     u:object_r:sysfs:s0 flashlight -> ../../devices/soc.0/flashlight.64/leds/flashlight
    lrwxrwxrwx root     u:object_r:sysfs:s0 green -> ../../devices/soc.0/gpio-leds.66/leds/green
    lrwxrwxrwx root     u:object_r:sysfs:s0 lcd-backlight -> ../../devices/soc.0/1a00000.qcom,mdss_mdp/qcom,mdss_fb_primary.124/leds/lcd-backlight
    lrwxrwxrwx root     u:object_r:sysfs:s0 mmc0:: -> ../../devices/soc.0/7824900.sdhci/leds/mmc0::
    lrwxrwxrwx root     u:object_r:sysfs:s0 mmc1:: -> ../../devices/soc.0/7864900.sdhci/leds/mmc1::
    lrwxrwxrwx root     u:object_r:sysfs:s0 red -> ../../devices/soc.0/gpio-leds.66/leds/red
    lrwxrwxrwx root     u:object_r:sysfs:s0 torch-light0 -> ../../devices/soc.0/qcom,camera-led-flash.65/leds/torch-light0
    root@K31-t7:/sys/class/leds #
3.1.4 In AndroidManifest.xml, configure android:sharedUserId="android.uid.system". This step is required because the rule in step 3.1.3 (allow system_app sysfs_wingtk_leds:file rw_file_perms;) only allows access from the system_app domain, and an app lands in that domain by running under the system UID, which in turn requires the app to be signed with the platform key.
After the above four steps, the app layer can read and write /sys/class/leds/green/brightness normally.
To control access more tightly when both the app layer and the framework layer need a device node, a better model in my view is not to let the system_app domain touch the node at all and to allow only the system_server process:
    allow system_server sysfs_wingtk_leds:file rw_file_perms;
Disadvantage: a service that starts with the system has to be added in the framework layer, together with the code behind it.
Advantages:
1. You decide freely which applications may and may not use the opened device node, which is better for security.
2. Both the framework layer and the app layer can reach the device node.
3. No additional permission request is needed in the app.
3.2 SEAndroid: granting access (read or write) to a proc device file node (for example /proc/touchscreen_feature/gesture_data). The MTK platform is used as the example for the change record.
Details:

3.2.1 Define the SELinux type proc_quick_gesture in alps/device/mediatek/common/sepolicy/file.te:
    type proc_quick_gesture, fs_type;
3.2.2 In alps/device/mediatek/common/sepolicy/genfs_contexts, bind the type to the actual node. proc is labelled through genfscon rather than file_contexts, because nodes in procfs cannot be relabelled with restorecon; the entry takes effect when the policy is loaded:
    genfscon proc /touchscreen_feature/gesture_data u:object_r:proc_quick_gesture:s0

3.2.3 Request the permission in alps/device/mediatek/common/sepolicy/system_app.te:
    allow system_app proc_quick_gesture:file rw_file_perms;
3.2.4 In AndroidManifest.xml, configure android:sharedUserId="android.uid.system". After the four steps above, the system_app domain has permission (read or write) to access /proc/touchscreen_feature/gesture_data and similar nodes.
3.3 SEAndroid: granting set (write) permission on a custom SystemProperties property. The example property is persist.backgrounddata.enable; without the policy below, SystemProperties.set on it fails, because the property service in init checks the caller's domain against the property's type and rejects the set.
Taking QCOM as the example:
3.3.1 In android/device/qcom/sepolicy/common/property.te:
    type persist_backgrounddata_prop, property_type;
3.3.2 In android/device/qcom/sepolicy/common/property_contexts (entries are prefix matches, so this also labels any property whose name starts with persist.backgrounddata.enable):
    persist.backgrounddata.enable    u:object_r:persist_backgrounddata_prop:s0
3.3.3 In android/device/qcom/sepolicy/common/system_app.te, open the permission for the system_app domain:
    allow system_app persist_backgrounddata_prop:property_service set;
3.3.4 In AndroidManifest.xml, configure android:sharedUserId="android.uid.system".
After the preceding four steps, SystemProperties.set("persist.backgrounddata.enable", xx) can set the property.
Troubleshooting: if, after the above has been configured correctly, you still cannot read or write the sys or proc node, check whether the DAC permissions (owner and mode bits of the node) are the obstacle, since SELinux is checked in addition to them, not instead of them. In that case chown the file node to system and then chmod it in the init.rc. The location of that file differs slightly between platforms and projects: MTK: alps/device/mediatek/mt6735/init.mt6735.rc; QCOM: xx/init.target.rc.
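Added example, not code from the original post or from either platform vendor: the practical way to arrive at the rules in sections 3.1 to 3.3 is to read the "avc: denied" lines that the kernel and init leave in logcat or dmesg. The script below turns such lines into candidate allow rules, flags rules whose target is the generic sysfs, proc or default_prop type (a grant against those opens every node of that type to every android.uid.system app, not just the one you need), and rewrites a flagged rule into the post's three-part pattern of a dedicated type, a label entry and a narrowed allow rule. The lines in SAMPLE_LOG are constructed to mirror the three cases above, not captured from a device; the type names in POST_TYPE_NAMES are the post's own, and everything else is illustration.

```python
"""Turn SEAndroid "avc: denied" lines into candidate allow rules and rewrite the
over-broad ones into the post's pattern (dedicated type + label entry + narrow
allow).  Added example for this post, not the author's or a vendor's code; the
lines in SAMPLE_LOG are constructed to mirror sections 3.1-3.3, not captured."""
import re
from collections import OrderedDict

BROAD_TYPES = {"sysfs", "proc", "default_prop"}   # a grant here covers every node of the type
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Source domain, target type, class, perms and path of one denial; None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        source = fields["scontext"].split(":")[2]   # u:r:system_app:s0 -> system_app
        target = fields["tcontext"].split(":")[2]   # u:object_r:sysfs:s0 -> sysfs
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    # "path=" is already the resolved /sys/devices/... path that file_contexts
    # needs; "name=" is only a basename and is ignored.  init's property
    # denials carry "property=" instead of a path.
    path = fields.get("path") or fields.get("property")
    return {"source": source, "target": target, "tclass": tclass,
            "perms": m.group("perms").split(), "path": path}


def collect_rules(lines):
    """Merge all denials with the same (source, target, class) into one rule."""
    merged = OrderedDict()
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        e = merged.setdefault((d["source"], d["target"], d["tclass"]),
                              {"perms": set(), "paths": set()})
        e["perms"].update(d["perms"])
        if d["path"]:
            e["paths"].add(d["path"])
    rules = []
    for (source, target, tclass), e in merged.items():
        perms = sorted(e["perms"])
        rules.append({"source": source, "target": target, "tclass": tclass,
                      "perms": perms, "paths": sorted(e["paths"]),
                      "broad": target in BROAD_TYPES,
                      "rule": "allow %s %s:%s { %s };" % (source, target, tclass, " ".join(perms))})
    return rules


def scoped_policy(rule, new_type):
    """Rewrite a rule against a broad type as the post does: declare a narrow type,
    label only the nodes that were hit, and allow just that type."""
    out = []
    if rule["target"] == "sysfs":
        out.append("type %s, fs_type, sysfs_type;" % new_type)          # file.te
        for p in rule["paths"]:                                           # file_contexts (regex)
            out.append("%s u:object_r:%s:s0" % (p.replace(".", r"\."), new_type))
    elif rule["target"] == "proc":
        out.append("type %s, fs_type;" % new_type)                       # file.te
        for p in rule["paths"]:                                           # genfs_contexts
            out.append("genfscon proc %s u:object_r:%s:s0" % (p[len("/proc"):], new_type))
    elif rule["tclass"] == "property_service":
        out.append("type %s, property_type;" % new_type)                 # property.te
        for p in rule["paths"]:                                           # property_contexts
            out.append("%s u:object_r:%s:s0" % (p, new_type))
    else:
        return [rule["rule"]]   # not one of the three cases the post covers
    out.append("allow %s %s:%s { %s };" % (rule["source"], new_type, rule["tclass"],
                                            " ".join(rule["perms"])))
    return out


# Constructed sample (not real device output): LED node of 3.1, gesture node of
# 3.2, property of 3.3, and one non-AVC logcat line that must be skipped.
SAMPLE_LOG = [
    'avc: denied { write } for pid=4671 comm="LedLightFileUti" name="brightness" dev="sysfs" '
    'ino=19821 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0',
    'avc: denied { open } for pid=4671 comm="LedLightFileUti" '
    'path="/sys/devices/soc.0/gpio-leds.66/leds/green/brightness" dev="sysfs" ino=19821 '
    'scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0',
    'avc: denied { read } for pid=4680 comm="GestureReader" path="/proc/touchscreen_feature/gesture_data" '
    'dev="proc" ino=4026531901 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0',
    'avc: denied { set } for property=persist.backgrounddata.enable pid=4671 uid=1000 gid=1000 '
    'scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0',
    'I/ActivityManager(  812): Start proc com.example.led for broadcast',
]
POST_TYPE_NAMES = {"sysfs": "sysfs_wingtk_leds", "proc": "proc_quick_gesture",
                   "default_prop": "persist_backgrounddata_prop"}   # names from the post

if __name__ == "__main__":
    for r in collect_rules(SAMPLE_LOG):
        print(("BROAD " if r["broad"] else "      ") + r["rule"])
        for line in (scoped_policy(r, POST_TYPE_NAMES[r["target"]]) if r["broad"] else []):
            print("        " + line)
```

Run as is, the script prints the three broad rules and, under each, the same file.te / file_contexts (or genfs_contexts, property_contexts) / system_app.te lines that sections 3.1 to 3.3 add by hand. Two caveats: the generated allow rule lists only the permissions seen in the log so far, so either run it again after the next denial or widen the set to rw_file_perms as the post does; and check the result against the neverallow rules in external/sepolicy, because a device policy that violates one fails at build time.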

Copyright statement: this article is an original work by the author (http://blog.csdn.net/yelangjueqi); it may not be reproduced without the author's permission.
