Configuring SELinux permissions so an app can read and write file nodes

0. Reference articles

1. Requirement

The app needs to read and write the following Linux file nodes:

  • /sys/class/power_supply/battery/coulomb_count
  • /sys/devices/platform/battery/chg_enable

This also requires adding 0666 permissions on the node in /device/mediatek/mt6763/init.mt6763.rc:

chmod 0666 /sys/devices/platform/battery/chg_enable

2. Symptoms

If the app is not granted the permission, you normally see avc denials like the following:

2019-03-05 20:05:39.380 6791-6791/com.fadi.batteryinfotest W/batteryinfotest: type=1400 audit(0.0:2491): avc: denied { search } for name="battery" dev="sysfs" ino=7033 scontext=u:r:untrusted_app:s0:c103,c256,c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0

2019-03-05 21:24:57.700 10300-10300/com.fadi.batteryinfotest I/batteryinfotest: type=1400 audit(0.0:2716): avc: denied { read } for name="charge_counter" dev="sysfs" ino=23843 scontext=u:r:untrusted_app:s0:c103,c256,c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1

2018-01-04 05:00:46.890 3010-3010/com.fadi.cty.kuluncount W/.cty.kuluncount: type=1400 audit(0.0:2436): avc: denied { search } for name="power_supply" dev="sysfs" ino=26573 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:sysfs_power_supply:s0 tclass=dir permissive=0

2019-01-01 10:04:53.802 3413-3413/com.fadi.cty.kuluncount W/.cty.kuluncount: type=1400 audit(0.0:692): avc: denied { search } for name="battery" dev="sysfs" ino=12364 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0

3. The wrong way to configure it

If you write allow rules directly from the avc denials above:

  • untrusted_app_27.te
allow untrusted_app_27 sysfs_batteryinfo:dir { search };
allow untrusted_app_27 sysfs_batteryinfo:file { read };
allow untrusted_app_27 sysfs_batteryinfo:file { getattr };
  • system_app.te
allow system_app apk_data_file:dir { read open write getattr };
allow system_app apk_data_file:file { read open write getattr };
allow system_app sysfs_batteryinfo:dir { read open write getattr };
allow system_app sysfs_batteryinfo:file { read open write getattr };

you usually get a neverallow error like the one below, because every node in the rules above carries the sysfs_batteryinfo label, which app domains are not allowed to access by default. So we need to give the nodes their own type (domain) instead.

libsepol.check_assertion_helper: neverallow on line xxx of external/sepolicy/domain.te …

SELinux configuration: how to define a type for a file node

1 Configure *_contexts

Since we are labelling Linux file nodes for SELinux, the labels must first be defined in a *_contexts file.

  • /home/huazhi.su/device/mediatek/sepolicy/basic/non_plat/genfs_contexts
    We use genfs_contexts because most files under /sys/**/ are labelled there, so add the following entries:
genfscon sysfs /devices/platform/battery/chg_enable   u:object_r:sysfs_chg_enable:s0
genfscon sysfs /class/power_supply/battery/coulomb_count u:object_r:sysfs_coulomb_count:s0

2 Configure file.te

Note: do not leave out the fs_type and sysfs_type attributes here.

type sysfs_chg_enable, fs_type, sysfs_type;
type sysfs_coulomb_count, fs_type, sysfs_type;

3 Fix the avc denials reported at runtime

The SELinux rule formula

avc: denied { <permission> } for pid=7201 comm="<process name>" scontext=u:r:<source type>:s0 tcontext=u:r:<target type>:s0 tclass=<access class> permissive=0

In the <source type>.te file, add the following statement:
allow <source type> <target type>:<access class> { <permissions> };

3.1 avc log 1

avc denial log:

 avc: denied { read } for pid=8548 comm="owercurrenttest" name="chg_enable" dev="sysfs" ino=26104 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_chg_enable:s0 tclass=file permissive=0

Complete configuration, added to system_app.te:

allow system_app sysfs_chg_enable:file { read write open getattr };

3.2 avc log 2

avc denial log:

06-27 01:55:05.304000  9318  9318 I .cty.kuluncount: type=1400 audit(0.0:1174): avc: denied { search } for name="battery" dev="sysfs" ino=12400 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1
06-27 01:55:05.308000  9318  9318 I .cty.kuluncount: type=1400 audit(0.0:1177): avc: denied { getattr } for path="/sys/devices/platform/battery/power_supply/battery/coulomb_count" dev="sysfs" ino=26050 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1

Complete configuration, added to untrusted_app_27.te:

allow untrusted_app_27 sysfs_batteryinfo:dir search;
allow untrusted_app_27 sysfs_batteryinfo:file { getattr open read };
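The formula in step 3 is mechanical enough to script. The Python below is an added example written for this article; it is not the author's code and not an Android build tool. It parses avc denial lines (the ones quoted in sections 2 and 3 of this page, plus one constructed `{ open }` denial so that two denials on the same source/target/class are merged into one rule), takes the type out of each security context, and prints the matching allow rules. Like audit2allow it only reports what the kernel actually denied: the author's own rule for system_app adds write and open beyond the single read denial, and any rule generated this way must still survive the neverallow check described in section 3, so keep the permission set to what the app really needs.

```python
import re
from collections import defaultdict

# Sample input: avc denials quoted from sections 2 and 3 of this article, plus one
# constructed line (marked) so that two denials on the same object get merged.
AVC_LINES = [
    'type=1400 audit(0.0:2491): avc: denied { search } for name="battery" dev="sysfs" ino=7033 '
    'scontext=u:r:untrusted_app:s0:c103,c256,c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0',
    'avc: denied { read } for pid=8548 comm="owercurrenttest" name="chg_enable" dev="sysfs" ino=26104 '
    'scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_chg_enable:s0 tclass=file permissive=0',
    # constructed: the open() that follows the read above, as it would be logged in permissive mode
    'avc: denied { open } for pid=8548 comm="owercurrenttest" path="/sys/devices/platform/battery/chg_enable" '
    'dev="sysfs" ino=26104 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_chg_enable:s0 tclass=file permissive=1',
    'avc: denied { search } for name="battery" dev="sysfs" ino=12400 '
    'scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1',
    'avc: denied { getattr } for path="/sys/devices/platform/battery/power_supply/battery/coulomb_count" dev="sysfs" ino=26050 '
    'scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1',
]

# Everything we need from one denial: the permission set and the three context fields.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """The third field of a security context is the type: u:r:system_app:s0 -> system_app."""
    return ctx.split(':')[2]


def parse_denial(line):
    """Return the fields of one avc denial as a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(m.group('scontext')),
        'target': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        # permissive=1 means the access went through but was logged anyway
        'permissive': 'permissive=1' in line,
    }


def denials_to_rules(lines):
    """Merge denials that share (source, target, class) and format them as allow rules."""
    perms_by_key = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            perms_by_key[(d['source'], d['target'], d['tclass'])] |= d['perms']
    rules = []
    for (src, tgt, cls), perms in perms_by_key.items():
        perms = sorted(perms)
        perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return sorted(rules)


if __name__ == '__main__':
    for rule in denials_to_rules(AVC_LINES):
        print(rule)
```

Running it prints one rule per (source, target, class) triple; the two system_app denials collapse into `allow system_app sysfs_chg_enable:file { open read };`, which is the shape of the rule the author places in system_app.te.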

4 Checking the resulting configuration

You can inspect policy.conf to see what the SELinux policy actually ended up containing:

huazhi.su@HZCS18:~/root$ find ./out/target/product/k63v1us_64_bsp/obj/ -name "policy.conf"
./out/target/product/k63v1us_64_bsp/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
  • grep -irn "chg_enable" ./out/target/product/k63v1us_64_bsp/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
huazhi.su@HZCS18:~/root$ grep -irn "chg_enable" ./out/target/product/k63v1us_64_bsp/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
52203:type sysfs_chg_enable, fs_type, sysfs_type;
63219:allow system_app sysfs_chg_enable:file { read write open getattr };
79911:genfscon sysfs /devices/platform/battery/chg_enable   u:object_r:sysfs_chg_enable:s0
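Section 4 greps policy.conf by hand for one node. The checker below is an added example (mine, not the author's and not part of the MediaTek build) that does the same check programmatically: for a given sysfs path and app domain it confirms that the genfscon label exists, that the type is declared with both fs_type and sysfs_type (the attributes step 2 warns not to omit), and that the domain has an allow rule covering the permissions the app needs. The policy.conf excerpt is constructed: the three chg_enable lines are the grep hits above, and coulomb_count was added as a second node with two deliberate mistakes (no sysfs_type, no allow rule) for the checker to find. It only understands the three statement forms that appear on this page; a real policy.conf also carries typeattribute and other statements, which it ignores.

```python
import re

# Constructed policy.conf excerpt: the chg_enable lines are the grep hits from section 4
# of this article; the coulomb_count lines were added with two deliberate mistakes
# (no sysfs_type attribute, no allow rule) for the checker to report.
POLICY_CONF = """\
type sysfs_chg_enable, fs_type, sysfs_type;
type sysfs_coulomb_count, fs_type;
allow system_app sysfs_chg_enable:file { read write open getattr };
allow untrusted_app_27 sysfs_batteryinfo:dir search;
genfscon sysfs /devices/platform/battery/chg_enable   u:object_r:sysfs_chg_enable:s0
genfscon sysfs /class/power_supply/battery/coulomb_count u:object_r:sysfs_coulomb_count:s0
"""

# The three statement forms this checker understands.
TYPE_RE = re.compile(r'^type\s+(\w+)\s*(?:,\s*([\w\s,]+?))?\s*;', re.M)
GENFS_RE = re.compile(r'^genfscon\s+sysfs\s+(\S+)\s+u:object_r:(\w+):s0', re.M)
ALLOW_RE = re.compile(r'^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]+?)\s*\}|(\w+))\s*;', re.M)


def check_node(policy, path, domain, needed, tclass='file'):
    """List what is missing for `domain` to get `needed` permissions on the sysfs node `path`.

    An empty list means the genfscon label, the type declaration with its attributes and
    the allow rule are all present in `policy`.
    """
    problems = []
    genfs = dict(GENFS_RE.findall(policy))                       # path -> type
    types = {name: set((attrs or '').replace(',', ' ').split())  # type -> attributes
             for name, attrs in TYPE_RE.findall(policy)}

    label = genfs.get(path)
    if label is None:
        # Without a genfscon entry the node keeps the generic label and the new type is never used.
        return [f'no genfscon entry for {path}; the node keeps the default sysfs label']

    if label not in types:
        problems.append(f'type {label} is not declared (file.te)')
    else:
        for attr in ('fs_type', 'sysfs_type'):
            if attr not in types[label]:
                problems.append(f'type {label} is missing attribute {attr}')

    # Collect every permission the domain is granted on the node's type, braced or single.
    granted = set()
    for src, tgt, cls, braced, single in ALLOW_RE.findall(policy):
        if src == domain and tgt == label and cls == tclass:
            granted |= set(braced.split()) if braced else {single}
    missing = sorted(set(needed) - granted)
    if missing:
        problems.append(f'{domain} has no allow rule for {" ".join(missing)} on {label}:{tclass}')
    return problems


if __name__ == '__main__':
    for path in ('/devices/platform/battery/chg_enable', '/class/power_supply/battery/coulomb_count'):
        print(path, check_node(POLICY_CONF, path, 'system_app', ['read', 'write']) or 'OK')
```

Point it at the real policy.conf found with the `find` command above by reading that file into `policy`; the chg_enable node comes back clean, while the constructed coulomb_count node reports both the missing attribute and the missing rule.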

5 Verification

In the log below, the app reads and writes the file node normally:

06-26 09:15:15.845106 10273 10273 D SU_DEBUG: writeNodeState nodeType = NODE_TYPE_BATTERY_CHARGING_ENABLED, value = 0
06-26 09:15:15.845650 10273 10273 D SU_DEBUG: writeFile: start>>>>>>>>>>>>>>>>>>
06-26 09:15:15.854321 10273 10273 D SU_DEBUG: getChargingEnable value = 0
06-26 09:15:15.854956 10273 10273 D SU_DEBUG: writeNodeState getChargingEnable = 0
06-26 09:15:17.356138 10273 10273 D SU_DEBUG: getNodeState nodeType = NODE_TYPE_BATTERY_CHARGING_ENABLED
06-26 09:15:17.360332 10273 10273 D SU_DEBUG: getChargingEnable value = 0
06-26 09:15:17.361708 10273 10273 D SU_DEBUG: writeNodeState nodeType = NODE_TYPE_BATTERY_CHARGING_ENABLED, value = 1
06-26 09:15:17.361872 10273 10273 D SU_DEBUG: writeFile: start>>>>>>>>>>>>>>>>>>
06-26 09:15:17.371975 10273 10273 D SU_DEBUG: getChargingEnable value = 1
06-26 09:15:17.372573 10273 10273 D SU_DEBUG: writeNodeState getChargingEnable = 1