Reading the sys and proc directories and the serial number (SN) from a system-privileged app
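Preinstalled system apps on Android 13 that need to read the /sys and /proc directories and the serial number (SN) require changes to the SELinux configuration; otherwise avc denials are reported. The changes are somewhat more involved than on Android 11.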
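The avc denials mentioned above can be turned into candidate rules mechanically. The following Python sketch is an added example, not code from the original post: it groups denial lines into allow rules and marks the ones whose target is guarded by a neverallow rule that this page edits. The log lines, the pid and comm values, the /sys and /proc paths and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed denial lines (not captured from a device); the labels are the ones this page's rules use.
SAMPLE_LOG = """\
avc: denied { read } for pid=2101 comm="example.app" name="value" dev="sysfs" ino=4242 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
avc: denied { open } for pid=2101 comm="example.app" path="/sys/class/example/value" dev="sysfs" ino=4242 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
avc: denied { search } for pid=2101 comm="example.app" name="example" dev="sysfs" ino=4200 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
avc: denied { read open } for pid=2101 comm="example.app" path="/proc/example" dev="proc" ino=77 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
avc: denied { read } for pid=2101 comm="example.app" name="u:object_r:serialno_prop:s0" dev="tmpfs" ino=901 scontext=u:r:system_app:s0 tcontext=u:object_r:serialno_prop:s0 tclass=file permissive=0
"""

# Pulls the permission set, source domain, target type and class out of one denial line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=u:r:(?P<src>\w+):\S+\s+"
    r"tcontext=u:(?:object_)?r:(?P<tgt>\w+):\S+\s+"
    r"tclass=(?P<cls>\w+)"
)

# Targets guarded by the neverallow rules this page edits, and the policy file holding each rule.
NEVERALLOW = {
    ("proc", "file"): "private/coredomain.te",
    ("sysfs", "file"): "private/coredomain.te",
    ("serialno_prop", "file"): "private/domain.te",
    ("vendor_default_prop", "property_service"): "private/domain.te",
}

def rules_from_denials(log):
    """Return [(allow_rule, neverallow_file_or_None)] with one rule per source/target/class."""
    grouped = defaultdict(set)
    for m in AVC_RE.finditer(log):
        grouped[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    out = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        out.append((rule, NEVERALLOW.get((tgt, cls))))
    return out

if __name__ == "__main__":
    for rule, guard in rules_from_denials(SAMPLE_LOG):
        print(rule, f"  # may also need a neverallow exemption in {guard}" if guard else "")
```

Only the permissions that actually appear in the denials end up in each rule, which makes it easy to compare against what a policy change grants.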
Implementation
Add the following to system_app.te:
diff --git a/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te b/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te
index 19ef6f8d662..08f8e4858e3 100755
--- a/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.teb/device/sprd/mpool/module/vendor/app/msepolicy/vendor/system_app.te-106,3 106,10 allow system_app uniview_file:file { getattr write open create read append watchallow system_app uniview_file:dir { search getattr write add_name create read open };allow system_app tombstone_data_file:dir { read watch };allow system_app vendor_hxy_prop:file { read map getattr open };
allow system_app prod_file:dir { remove_name };
allow system_app sysfs:file { getattr open read write };
allow system_app sysfs:dir { search };
allow system_app vendor_default_prop:property_service { set };
allow system_app proc:file { open read };
Add proc and sys exceptions in coredomain.te
system/sepolicy/prebuilts/api/33.0/private/coredomain.te
system/sepolicy/private/coredomain.te
In both files, add -system_app to the proc and sys neverallow rules.
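Review bot: in the system_app.te hunk above, "allow system_app sysfs:file { getattr open read write };" grants write on the generic sysfs label although the stated goal is only to read /sys and /proc. Drop write unless a caller needs it, and consider labelling the specific nodes with their own type so that system_app is not granted every file that carries the default sysfs and proc labels. The same hunk also allows system_app to set vendor_default_prop, which the description does not mention; a comment in the policy saying which property needs it would help.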
full_treble_only(`
    # /proc
    neverallow {
        coredomain
        -init
        -vold
        -system_app
    } proc:file no_rw_file_perms;

    # /sys
    neverallow {
        coredomain
        -apexd
        -init
        -ueventd
        -vold
        -system_app
    } sysfs:file no_rw_file_perms;

    # (the rest of this block is unchanged)
')
Modify domain.te to add the serialno_prop exception
Usually only the domain.te files under private need to change:
system/sepolicy/prebuilts/api/33.0/private/domain.te
system/sepolicy/private/domain.te
If the change is to be extended, also modify:
system/sepolicy/public/domain.te
system/sepolicy/prebuilts/api/33.0/public/domain.te
Modify compatible_property_only:
- neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;
Modify the serialno_prop:file r_file_perms rule to add -system_app.
The complete content is as follows:
compatible_property_only(`
    neverallow { domain -init } mmc_prop:property_service set;
    neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
    neverallow { domain -init } exported_secure_prop:property_service set;
    neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;
    neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
    neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
')

# Do not allow reading the device's serial number from system properties except from
# a few allowed domains.
neverallow {
    domain
    -adbd
    -dumpstate
    -fastbootd
    -hal_camera_server
    -hal_cas_server
    -hal_drm_server
    userdebug_or_eng(`-incidentd')
    -init
    -mediadrmserver
    -mediaserver
    -recovery
    -shell
    -system_server
    -vendor_init
    -system_app
} serialno_prop:file r_file_perms;
Add an exception for property_service set
system/sepolicy/prebuilts/api/33.0/private/property.te
system/sepolicy/private/property.te
Add -system_app to the property_service set neverallow rule:
neverallow { coredomain -init -system_app } {
    vendor_property_type
    -vendor_public_property_type
}:property_service set;
Also add -system_app to the property_service set neverallow rule inside compatible_property_only:
compatible_property_only(`
    # Neverallow coredomain to set vendor properties
    neverallow {
        coredomain
        -init
        -system_writes_vendor_properties_violators
        -system_app
    } {
        property_type
        -system_property_type
        -extended_core_property_type
    }:property_service set;
')
Add proc and sys exceptions in app.te
system/sepolicy/prebuilts/api/33.0/public/app.te
system/sepolicy/public/app.te
Add -system_app to the neverallow rules for sysfs:dir_file_class_set write and proc:dir_file_class_set write:
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -system_app }
    sysfs:dir_file_class_set write;
neverallow { appdomain -system_app }
    proc:dir_file_class_set write;
Author: 帅得不敢出门. Original article; reposting and indexing are declined.