Loading a kernel module on Android L: sepolicy, kernel, .ko
Posted by 阿新 on 2019-01-25

Background: Starting with Android KK (4.4), Google officially enabled SELinux, in a limited form, to strengthen Android's security. SELinux has two modes: in enforcing mode, access that the policy does not allow is refused; in permissive mode the same checks run and every would-be denial is logged, but nothing is actually blocked, so the policy has no practical effect on behaviour. In KK, SELinux was enabled only partially: enforcing mode applied only to netd, installd, zygote, vold and the child processes they fork directly, not to ordinary apps forked from zygote. From L onward SELinux is fully enabled and almost every process runs in enforcing mode.

Why this project needed changes: 1. The project adds an infrared (IR) device. 2. The IR driver is loaded as a .ko. Under enforcing SELinux both steps fail: the new device node has no type or rules of its own, so the processes that must open it are denied, and init lacks the sys_module capability it needs to insmod the module from init.project.rc.

Changes:

Device type declaration: device/mediatek/common/sepolicy/device.te
type mmcblk1_block_device, dev_type;
type mmcblk1p1_block_device, dev_type;
type spm_device, dev_type;
+type ir_scx_device, dev_type;

Device access in factory test mode: device/mediatek/common/sepolicy/factory.te
allow factory mtd_device:chr_file rw_file_perms;
allow factory self:capability sys_resource;
allow factory pro_info_device:chr_file { read write ioctl open};
+
+# Date 2015.9.22
+# Add by
+allow factory ir_scx_device:chr_file { read write ioctl open };
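Review bot: the header comment added above the new rule (`# Date 2015.9.22` / `# Add by`) names no author and gives no reason; either fill in who added it and what it is for (the IR driver, as the rest of the change says) or drop the empty `Add by` line, since an attribution with nobody attributed is noise in a policy file. The rule itself grants `{ read write ioctl open }`, the same set given to meta_tst and system_server below, which is consistent.
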
Device node label in the filesystem: device/mediatek/common/sepolicy/file_contexts
/dev/ttyACM0 u:object_r:ttyACM_device:s0
/dev/hrm u:object_r:hrm_device:s0
+### Add by
+/dev/ir_scx(/.*)? u:object_r:ir_scx_device:s0
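Review bot: `/dev/ir_scx(/.*)?` labels a single character-device node, so the `(/.*)?` suffix (the idiom for a directory and everything beneath it) is unnecessary; `/dev/ir_scx u:object_r:ir_scx_device:s0` states what is intended. This entry must stay paired with the type declared in device.te: it is what ueventd uses to label the node when the driver creates it, and without it the node never receives the ir_scx_device label, so the rules in factory.te, meta_tst.te and system_server.te never match.
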
Device access in META test mode: device/mediatek/common/sepolicy/meta_tst.te
# Date: WK15.18
# Purpose: CCT open lens driver fail
allow meta_tst lens_device:chr_file { read write open ioctl };
+
+# Date 2015.9.22
+# Add by
+allow meta_tst ir_scx_device:chr_file { read write ioctl open };

Grant system_server access to the device: device/mediatek/common/sepolicy/system_server.te
allow system_server nvdata_file:dir search;
allow system_server nvdata_file:file { read getattr open };
+# Date: 2015.9.22
+# add by
+allow system_server ir_scx_device:chr_file { read write ioctl open };

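Review bot: granting system_server `{ read write ioctl open }` on ir_scx_device exposes the driver's ioctl handler directly to the most privileged framework process, so any bug in that handler becomes reachable from system_server. If the IR service can run in its own process, give it a dedicated domain and write the allow rule for that domain instead, keeping system_server out; if it cannot, at least trim the set to what the service really calls (for instance drop `write` if the driver is only driven through ioctl).
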
Set the device node's owner and mode in ueventd: device/{vendor}/{project}/ueventd.{chip}.rc
/dev/devmap 0440 root system
/dev/mali0 0666 system graphics
/dev/gps 0660 gps system
+/dev/ir_scx 0660 system system
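Review bot: `0660 system system` means the DAC check admits only uid system or group system, and DAC is evaluated before SELinux. The system_server rule lines up with that, but the factory and meta_tst rules only help if those processes also run as system (or in group system); otherwise open() fails with EACCES from DAC and no avc denial is logged, which is easy to mistake for an SELinux problem. Check the uid/gid those test processes run under before assuming the policy is at fault.
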
Run insmod from init.project.rc: device/{vendor}/{project}/init.project.rc
chmod 0660 /dev/ttyMT2
chown system system /dev/ttyMT2
# Add for Consumer IR
chmod 0777 /system/lib/modules/ir_scx.ko
insmod /system/lib/modules/ir_scx.ko

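Review bot: `chmod 0777 /system/lib/modules/ir_scx.ko` is unnecessary and unsafe: insmod needs only read access to the module file, a world-writable file that gets loaded into the kernel is the wrong default even on a read-only partition, and on a normal build /system is mounted read-only so the chmod either fails or changes nothing. Leave the file at the 0644 that files in /system normally carry, drop the chmod line and keep only the `insmod`. Also note that the module is loaded unconditionally at boot, so a vermagic or symbol mismatch between ir_scx.ko and the running kernel shows up as an insmod error in dmesg; that failure has nothing to do with SELinux and is worth ruling out before touching policy.
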
Allow init to insmod the .ko: device/mediatek/common/sepolicy/init.te
allow init frp_block_device:blk_file relabelto;
allow init userdata_block_device:blk_file relabelto;
# Date : 2015.9.23
# Operation : Migration
# Purpose : support to load kernel modules.
allow init self:capability { sys_module };
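Review bot: `allow init self:capability { sys_module };` is the minimum init needs to insmod and is correctly scoped to init alone; keep it that way and do not copy sys_module into other domains if module loading is ever moved out of the rc file. The comment gives a date and "Migration" but not which module or rc line depends on it; say that it exists for the ir_scx.ko insmod in init.project.rc, so the rule can be removed if the driver is later built into the kernel.
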
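Every rule added above (factory.te, meta_tst.te, system_server.te, init.te) is the answer to an `avc: denied` line that shows up in dmesg or logcat while the driver is brought up on an enforcing build. The following is an added example, not code from the original post or from MediaTek: a minimal audit2allow-style helper in POSIX sh that turns such denial lines into candidate allow rules, collapsing repeated denials for the same domain, type and class into one rule, and a second function that reports which permissions an existing rule is still missing. The function names `avc_to_allow` and `missing_perms` and the variable `SAMPLE_DENIALS` are this example's own, and the log lines are constructed to look like what an L device logs for `/dev/ir_scx` and for init's insmod.

```shell
#!/bin/sh
# Added example (not from the original post): minimal audit2allow-style
# helper for the SELinux bring-up loop. Feed it "avc: denied" lines from
# dmesg/logcat; it prints one candidate allow rule per (source domain,
# target type, class) with the union of the denied permissions.
# avc_to_allow, missing_perms and SAMPLE_DENIALS are this example's own
# names; the sample log lines below are constructed.

# avc_to_allow: stdin = avc denial lines, stdout = candidate allow rules.
avc_to_allow() {
    # sed extracts: source domain, target type, class, denied permissions.
    # The "[^ ]*" after ":s0" tolerates MLS categories such as :s0:c512,c768.
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=u:r:\([^:]*\):s0[^ ]* tcontext=u:[^:]*:\([^:]*\):s0[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    awk '{
        # A capability denial has scontext == tcontext; policy spells that "self".
        key = $1 " " (($2 == $1) ? "self" : $2) ":" $3
        if (!(key in order)) { order[key] = ++n; keys[n] = key }
        for (i = 4; i <= NF; i++)
            if (!((key, $i) in seen)) { seen[key, $i] = 1; perms[key] = perms[key] " " $i }
    }
    END { for (i = 1; i <= n; i++) printf "allow %s {%s };\n", keys[i], perms[keys[i]] }'
}

# missing_perms EXISTING_RULE CANDIDATE_RULE: print each permission the
# candidate asks for that the existing policy line does not grant yet,
# one per line (no output means the existing rule already covers it).
missing_perms() {
    existing=$(printf '%s' "$1" | sed 's/.*{\(.*\)}.*/\1/')
    printf '%s' "$2" | sed 's/.*{\(.*\)}.*/\1/' | tr ' ' '\n' | while read -r p; do
        [ -n "$p" ] || continue
        case " $existing " in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
    done
}

# Constructed sample: two denials for system_server on /dev/ir_scx and the
# capability denial init gets when it runs insmod without sys_module.
SAMPLE_DENIALS='type=1400 audit(0.0:12): avc: denied { read write open } for pid=1234 comm="system_server" name="ir_scx" dev="tmpfs" ino=9876 scontext=u:r:system_server:s0 tcontext=u:object_r:ir_scx_device:s0 tclass=chr_file permissive=0
type=1400 audit(0.0:13): avc: denied { ioctl } for pid=1234 comm="system_server" path="/dev/ir_scx" dev="tmpfs" ino=9876 scontext=u:r:system_server:s0 tcontext=u:object_r:ir_scx_device:s0 tclass=chr_file permissive=0
type=1400 audit(0.0:14): avc: denied { sys_module } for pid=1 comm="init" capability=16 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=0'

# Usage: print the candidate rules for the sample, then show which
# permission a narrower existing rule would still be missing.
printf '%s\n' "$SAMPLE_DENIALS" | avc_to_allow
missing_perms 'allow system_server ir_scx_device:chr_file { read ioctl open };' \
    "$(printf '%s\n' "$SAMPLE_DENIALS" | avc_to_allow | sed -n 1p)"
```

On a device, replace the sample with `adb shell dmesg` or `adb logcat` output filtered on `avc: denied`; running in permissive mode first logs every denial in one pass without blocking the driver, which is the quickest way to collect the full set. Treat the output as a starting point only: confirm each rule against the process that really needs the access, prefer a dedicated domain over widening system_server, and keep capability rules such as `sys_module` on init rather than copying them into whichever domain the denial names.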