Aispeech Audio Hal porting到android系統中需要添加如下selinux權限(android8.1):
diff --git a/system/sepolicy/public/domain.te b/system/sepolicy/public/domain.te
--- a/system/sepolicy/public/domain.te
+++ b/system/sepolicy/public/domain.te
@@ -623,6 +623,7 @@ full_treble_only(`
 -coredomain
 -netdomain
 -socket_between_core_and_vendor_violators
+ -hal_audio
 }, netd);
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
diff --git a/system/sepolicy/public/hal_audio.te b/system/sepolicy/public/hal_audio.te
index 33330bf..e69a19b7 100644
--- a/system/sepolicy/public/hal_audio.te
+++ b/system/sepolicy/public/hal_audio.te
@@ -32,7 +32,7 @@ neverallow hal_audio { file_type fs_type }:file execute_no_trans;
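Review bot: Adding `-hal_audio` to the `}, netd);` exemption list inside this `full_treble_only` block opens the core/vendor socket boundary for every domain carrying the `hal_audio` attribute, not just the one device HAL that needs netd, and because it is a system/sepolicy/public neverallow it is exactly what the CTS failure quoted further down this page (`SELinuxNeverallowRulesTest`) is reporting. The list already contains `-netdomain`, which is the intended escape hatch: declaring the concrete domain with `net_domain(hal_audio_default)` in the device policy would exempt it here without touching this public file (assuming this tree's te_macros matches AOSP 8.1). Better still, keep the audio HAL network-free and put the Aispeech network client in its own vendor daemon domain that is a `net_domain`; the HAL then reaches it locally and none of the system neverallow rules need to change. The macro call that opens this `{ domain ... }` list and the closing `')` are outside the visible hunk lines.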
# Should never need network access.
# Disallow network sockets.
-neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+#neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
diff --git a/system/sepolicy/public/hal_neverallows.te b/system/sepolicy/public/hal_neverallows.te
index 036e1d2..13f78aa 100644
--- a/system/sepolicy/public/hal_neverallows.te
+++ b/system/sepolicy/public/hal_neverallows.te
@@ -16,6 +16,7 @@ neverallow {
 -hal_wifi_server
 -hal_wifi_supplicant_server
 -rild
+ -hal_audio
 } domain:{ tcp_socket udp_socket rawip_socket } *;
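Review bot: Commenting out `neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;` drops the build-time guarantee for every audio HAL on the platform, while the two comment lines kept above it (`# Should never need network access.` / `# Disallow network sockets.`) now describe a rule that no longer exists. If an exemption is unavoidable, narrow the rule instead of deleting it — exempt a single purpose-built attribute (the way hal_neverallows.te exempts individual `_server` domains) and reword the comment to name the exempted domain and why, e.g. `# Audio HALs must not use network sockets; <attr> is exempted for the vendor speech client.` Any edit to a public neverallow still fails `testNeverallowRules` in CTS, so this hunk cannot ship on a certified build; the durable fix is to move network I/O out of the HAL process.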
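Review bot: `-hal_audio` is coarser than every other entry in this exemption list: the neighbours are server domains (`-hal_wifi_server`, `-hal_wifi_supplicant_server`, `-rild`), while `hal_audio` is the umbrella attribute that in 8.1 is also attached to passthrough HAL clients through `hal_client_domain`, so this line appears to lift the socket ban from audioserver too — consistent with the `scontext=u:r:audioserver:s0` denials shown later on this page, but worth confirming against this tree's te_macros. At minimum write `-hal_audio_server` to match the granularity of its neighbours, or better a dedicated exemption attribute applied to the one device domain. Even then this is a system/sepolicy/public change that CTS rejects; the loopback-only addresses in the page's avc log suggest the peer is local, in which case a unix-domain socket on a vendor-owned sock_file type would avoid tcp/udp sockets and this exemption entirely. The `neverallow {` that opens this rule appears only in the hunk header; the rest of the exemption list above `-hal_wifi_server` is outside the visible hunk lines.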
###
diff --git a/device/rockchip/common/sepolicy/hal_audio_default.te b/device/rockchip/common/sepolicy/hal_audio_default.te
index ebc2023..f96c83d 100644
--- a/device/rockchip/common/sepolicy/hal_audio_default.te
+++ b/device/rockchip/common/sepolicy/hal_audio_default.te
@@ -7,3 +7,18 @@ allow hal_audio_default hidraw_device:chr_file { open read write };
set_prop(hal_audio_default,media_prop)
allow hal_audio_default sysfs:file rw_file_perms;
+
+#for aispeech
+allow hal_audio_default hal_audio_default:udp_socket { create bind write read getattr };
+allow hal_audio_default hal_audio_default:tcp_socket { create connect getopt setopt read write
name_connect };
+allow hal_audio_default audioserver_data_file:dir { add_name remove_name write search };
+allow hal_audio_default port:tcp_socket name_connect;
+allow hal_audio_default audioserver_data_file:file { write open getattr create };
+allow hal_audio_default node:udp_socket node_bind;
+allow hal_audio_default netd:unix_stream_socket connectto;
+allow hal_audio_default fwmarkd_socket:sock_file write;
+allow hal_audio_default audioserver_data_file:file unlink;
+
+#fixed common
+#allow hal_audio_default vendor_shell_exec:file execute_no_trans;
+#allow hal_audio_default su_exec:file { execute_no_trans read open getattr};
diff --git a/device/rockchip/common/sepolicy/netd.te b/device/rockchip/common/sepolicy/netd.te
index 3acb9a6..34f814f 100644
--- a/device/rockchip/common/sepolicy/netd.te
+++ b/device/rockchip/common/sepolicy/netd.te
@@ -9,3 +9,7 @@ allow netd netd:netlink_scsitransport_socket { create setopt bind write read get
allow netd netd:netlink_rdma_socket { create setopt bind write read getopt getattr };
allow netd netd:netlink_crypto_socket { create setopt bind write read getopt getattr };
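Review bot: `allow hal_audio_default port:tcp_socket name_connect;` lets the HAL connect to any TCP port, because `port` is the catch-all port type; if the Aispeech endpoint is a fixed port, declare a dedicated port type with a `portcon` entry and grant `name_connect` only on that. The `audioserver_data_file` dir/file rules (add_name/remove_name, create, unlink) let a vendor domain create and delete files under a core-owned data type, which crosses the Treble vendor/core data boundary; label the HAL's own directory with a vendor data type instead. The `netd:unix_stream_socket connectto` and `fwmarkd_socket:sock_file write` pair is what the `net_domain()` macro grants through `netdomain` in AOSP's net.te, so hand-copying it here duplicates the macro and will miss whatever else it covers (for example dnsproxyd, if the client ever resolves hostnames) — hedged, since net.te is not on this page. Since every bind in the page's avc log is to 127.0.0.1, a local unix-domain socket with its own vendor sock_file type would likely remove the need for tcp/udp sockets altogether. Delete the commented-out `su_exec`/`vendor_shell_exec` execute rules under `#fixed common` rather than leaving a HAL one uncomment away from running `su`.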
+#for aispeech
+allow netd hal_audio_default:tcp_socket { setopt getopt read write};
+allow netd hal_audio_default:udp_socket { setopt getopt read write};
+allow netd hal_audio_default:fd { use };
說明:以上修改可以過selinux驗證,但是有修改系統默認selinux權限,無法過CTS某些測試。 見下面: armeabi-v7a CtsSecurityHostTestCases Test Result Details
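Review bot: The three `allow netd hal_audio_default:…` rules re-create, for a single domain, what AOSP's net.te already grants netd over every `netdomain` (`fd use` plus socket read/write/getopt/setopt so fwmarkd can mark the socket passed to it), so if hal_audio_default were declared with `net_domain()` these lines would be redundant — hedged, since net.te is not visible here. Carrying a hand-written copy in the device overlay of netd.te also means it drifts silently from the upstream rule; if the permission set is ever short (for example a missing `getattr` on the socket) the failure shows up only as a new denial at runtime. If the HAL cannot be a netdomain because of the HAL neverallows, that is one more argument for moving the network client into a separate vendor daemon rather than stacking exceptions in a core domain's policy file.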
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules56 fail
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinux neverallow rule:
使用腳本添加 SELinux 規則
2.2.2 SELinux 添加方法
SELinux 在 Android 5.1 之後被真正地引入到 Android 系統之中。目前在 Android 8.0 及以上系統中,SELinux 通常處於打開(enforcing)狀態。詳細的 SELinux 規則此處不再描述。SELinux 規則可以根據 log 中的提示信息進行添加。以 Aispeech Audio Hal 爲例,開機之後可以通過 grep logcat 獲取 SELinux 的警告信息。命令如下:
logcat | grep avc
或者
logcat | grep denied
從 log 中再篩選出 audioserver 相關的 log,部分如下所示:
7 04-15 16:11:41.440 316 316 I Auth : type=1400 audit(0.0:9): avc: denied { read } for name="address" dev="sysfs" ino=14731 scontext=u:r:audioserver:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
8 04-15 16:11:41.440 316 316 I Auth : type=1400 audit(0.0:10): avc: denied { open } for path="/sys/devices/platform/fe300000.ethernet/net/eth0/address" dev="sysfs" ino=14731 scontext=u:r:audioserver:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
9 04-15 16:11:41.443 316 316 I Auth : type=1400 audit(0.0:11): avc: denied { getattr } for path="/sys/devices/platform/fe300000.ethernet/net/eth0/address" dev="sysfs" ino=14731 scontext=u:r:audioserver:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
10 04-15 16:11:41.460 316 316 I Auth : type=1400 audit(0.0:12): avc: denied { create } for scontext=u:r:audioserver:s0 tcontext=u:r:audioserver:s0 tclass=udp_socket permissive=1
11 04-15 16:11:41.460 316 316 I Auth : type=1400 audit(0.0:13): avc: denied { bind } for scontext=u:r:audioserver:s0 tcontext=u:r:audioserver:s0 tclass=udp_socket permissive=1
12 04-15 16:11:41.460 316 316 I Auth : type=1400 audit(0.0:14): avc: denied { node_bind } for saddr=127.0.0.1 scontext=u:r:audioserver:s0 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=1
13 04-15 16:11:41.460 316 316 I Auth : type=1400 audit(0.0:15): avc: denied { getattr } for laddr=127.0.0.1 lport=42108 scontext=u:r:audioserver:s0 tcontext=u:r:audioserver:s0 tclass=udp_socket permissive=1
14 04-15 16:11:41.460 316 316 I Auth : type=1400 audit(0.0:16): avc: denied { write } for name="fwmarkd" dev="tmpfs" ino=16490 scontext=u:r:audioserver:s0 tcontext=u:object_r:fwmarkd_socket:s0 tclass=sock_file permissive=1
15 04-15 16:11:41.460 316 316 I Auth : type=1400 audit(0.0:17): avc: denied { connect } for scontext=u:r:audioserver:s0 tcontext=u:r:audioserver:s0 tclass=udp_socket permissive=1
16 04-15 16:11:41.466 316 316 I Auth : type=1400 audit(0.0:18): avc: denied { write } for scontext=u:r:audioserver:s0 tcontext=u:r:audioserver:s0 tclass=udp_socket permissive=1
17 04-15 16:11:51.483 316 316 I Auth : type=1400 audit(0.0:19): avc: denied { create } for scontext=u:r:audioserver:s0 tcontext=u:r:audioserver:s0 tclass=tcp_socket permissive=1
18 04-15 16:11:51.483 316 316 I Auth : type=1400 audit(0.0:20): avc: denied { write } for name="fwmarkd" dev="tmpfs" ino=16490 scontext=u:r:audioserver:s0 tcontext=u:object_r:fwmarkd_socket:s0 tclass=sock_file permissive=1
19 04-15 16:11:51.483 316 316 I Auth : type=1400 audit(0.0:21): avc: denied { connectto } for path="/dev/socket/fwmarkd" scontext=u:r:audioserver:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket permissive=1
把所有相關 log 全部篩選出來,存放在一個 log 文件中,例如存放在名爲 audiohal_avc.log 的文件中。
通過如下命令可以自動生成 avc 規則(建議同時用 -p 指向目標固件編譯出的 sepolicy 檔案,否則 audit2allow 會以主機自身的策略來解析 log,輸出可能不準確):
external/selinux/prebuilts/bin$ ./audit2allow -i audiohal_avc.log
生成的規則如下:
#============= audioserver==============
allow audioserver sysfs:file open;
allow audioserver fwmarkd_socket:sock_file write;
allow audioserver netd:unix_stream_socket connectto;
allow audioserver node:udp_socket node_bind;
allow audioserver self:tcp_socket create;
allow audioserver self:udp_socket { write bind create getattr connect };
將上述規則逐條審查後,再添加到相應的 te 文件中。注意兩點:其一,log 中的 permissive=1 表示裝置當時處於 permissive 模式,所有被拒絕的操作都只記錄、不攔截,所以 audit2allow 輸出的是「程式嘗試過的全部操作」而不是「應該被允許的操作」,不要未經審查就整段貼入;其二,要確認 HAL 實際運行所在的 domain——上面 log 的 scontext 是 audioserver(HAL 可能以 passthrough 方式載入到 audioserver 進程內),而本文前面的 diff 是對 hal_audio_default(獨立的 HAL 服務進程)加規則,規則要加到實際產生 denied 的那個 domain 上。
系統 xxx.te 文件存放位置一般在如下兩個地方:
1./external/sepolicy(注 7.0 及以上在/system/sepolicy)下面的 xxx.te
2. device/xxxxxxxx/common/sepolicy 下面的 xxxx.te。一般應優先把規則放到 device(vendor)目錄下對應 domain 的 te 文件中,儘量不要修改 system/sepolicy 中的公共策略。添加好規則之後重新編譯固件進行刷機測試,重複上述步驟,直到 log 中不再出現 audiohal 相關的 avc 警告信息。
添加規則編譯的時候有可能會出現 neverallow 規則衝突,導致編譯出錯。neverallow 衝突意味着新規則違反了平台刻意設定的安全邊界(例如「HAL 進程不得使用網路 socket」「vendor 進程不得直接連接 netd」)。雖然到系統限定 neverallow 規則的 te 文件中去掉相關限制就能編譯通過,但這會削弱整機的安全保證並導致 CTS 失敗;應優先考慮調整設計(例如把需要網路的部分拆成獨立的 vendor daemon,或改用本機 unix socket 通信),而不是移除 neverallow。
更加詳細的方法可以自行查看相關資料。修改 neverallow 規則會導致 CTS 測試無法通過(見前文 CtsSecurityHostTestCases 中 SELinuxNeverallowRulesTest 的失敗),請知悉。如果系統無需過 CTS 認證,可以按需求修改系統 neverallow 規則,但仍應把放寬的範圍限制到最小的 domain 和最少的權限。