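Requirement
I defined a custom SystemProperties property and need to modify it from a system app. This post covers how to set that up on MTK and Unisoc; the approach can be extended to other platforms.
For example, the code needs to set it like this: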
SystemProperties.set("property_name", "value");
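By default this triggers an SELinux permission-denied error.
Implementation
The fix is to add the corresponding property permission in the relevant .te file. Note that the property type and the directories to modify can differ between platforms; Unisoc and MTK differ, for example.
If you are unsure, run the app and make the changes based on the SELinux denial messages in logcat.
Step 1: in system_app.te, add default_prop:property_service set
Step 2: add an exception in the two domain.te files.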
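The logcat-driven approach described above, as an added example that is not part of the original post: it parses avc denials, collapses duplicates, and renders candidate allow rules, marking targets covered by the neverallow rules in the domain.te hunks below. The log lines and the property name persist.demo.mode are constructed for illustration.

```python
import re

# Constructed logcat lines for illustration (not captured from a real device).
SAMPLE_LOGCAT = """\
01-01 08:00:01.100   612   612 E selinux : avc:  denied  { set } for property=persist.demo.mode pid=2211 uid=1000 gid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0
01-01 08:00:01.300   612   612 E selinux : avc:  denied  { set } for property=persist.demo.mode pid=2211 uid=1000 gid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0
01-01 08:00:02.000  2211  2211 W demo.app: type=1400 audit(0.0:77): avc: denied { read open } for name="stat" dev="sysfs" ino=123 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
01-01 08:00:03.000  2211  2211 I demo.app: unrelated line
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=u:r:(?P<src>\w+):\S+\s+"
    r"tcontext=u:(?:object_)?r:(?P<tgt>\w+):\S+\s+"
    r"tclass=(?P<cls>\w+)")
PROP_RE = re.compile(r"\bproperty=(\S+)")
# Types that the neverallow rules in the page's domain.te hunks protect.
GUARDED = {"default_prop", "vendor_default_prop"}


def parse_denials(text):
    """Collapse repeated denials into {(src, tgt, cls): (perms, property names)}."""
    found = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms, props = found.setdefault(
            (m["src"], m["tgt"], m["cls"]), (set(), set()))
        perms.update(m["perms"].split())
        props.update(PROP_RE.findall(line))
    return found


def candidate_rules(text):
    """Render one allow rule per denial, flagging neverallow-guarded targets."""
    out = []
    for (src, tgt, cls), (perms, props) in sorted(parse_denials(text).items()):
        if cls == "property_service" and tgt in GUARDED:
            out.append(f"# {tgt} is neverallow-guarded in domain.te; "
                       f"properties: {', '.join(sorted(props))}")
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOGCAT)))
```

A flagged rule shows which property names produced the denial, which is the information needed to decide whether the property should get its own label instead of a grant on the catch-all type.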
MTK
The permission is default_prop:property_service set
Because the Android version is 8, the domain.te chosen is the one under the api/26.0 directory.
diff --git a/device/mediatek/sepolicy/bsp/non_plat/system_app.te b/device/mediatek/sepolicy/bsp/non_plat/system_app.te
index ca5fca1392..eb99644918 100755
--- a/device/mediatek/sepolicy/bsp/non_plat/system_app.te
+++ b/device/mediatek/sepolicy/bsp/non_plat/system_app.te
@@ -149,5 +149,5 @@ allow system_app protect_s_data_file:dir { getattr search read open add_name rem
-
+allow system_app default_prop:property_service { set };
allow system_app ota_package_file:file {append};
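Review bot: The + line grants system_app set on default_prop as a whole rather than on the one custom property the post is about, and it has no comment saying which property it is for. The domain.te hunks that follow describe default_prop as the label for unknown properties, so every system app can then set any unlabelled property. Consider giving the custom property its own type and granting set on that type only, with a one-line comment naming the property; the rule also replaces the blank separator line instead of being added after it.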
diff --git a/system/sepolicy/prebuilts/api/26.0/public/domain.te b/system/sepolicy/prebuilts/api/26.0/public/domain.te
index d2b370a21b..8cb180314c 100644
--- a/system/sepolicy/prebuilts/api/26.0/public/domain.te
+++ b/system/sepolicy/prebuilts/api/26.0/public/domain.te
@@ -441,7 +441,7 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
+neverallow { domain -init -system_app -service_manager_type } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
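Review bot: The edited neverallow contradicts the comment two lines above it, which says that nobody but init may modify unknown properties; after this change the comment is false and the guard no longer covers system_app. Prefer leaving this neverallow untouched and moving the custom property off default_prop to an explicitly labelled type, which is what the comment asks for. If the exception stays, update the comment to state who is exempt and why.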
diff --git a/system/sepolicy/public/domain.te b/system/sepolicy/public/domain.te
index 714a6b3af8..dbee8685e4 100644
--- a/system/sepolicy/public/domain.te
+++ b/system/sepolicy/public/domain.te
@@ -444,7 +444,7 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
+neverallow { domain -init -system_app -service_manager_type } default_prop:property_service set;
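Review bot: -service_manager_type in the new exception list is not explained anywhere in the post and is not matched by any allow rule in this patch, which only grants set to system_app. Drop it so the exception is no wider than the one domain that needs it, and keep this line identical to the api/26.0 copy changed above.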
Unisoc
Edit system_app.te to add the permission vendor_default_prop:property_service
Then add system_app as an exception in the neverallow rules in domain.te and property.te.
Android 11 corresponds to api/30.0
The patch is as follows:
diff --git a/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te b/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te
index aeff2a14a4..3845e041d8 100755
--- a/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te
+++ b/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te
@@ -93,5 +93,5 @@ allow system_app radio_noril_prop:file { read open getattr };
allow system_app prod_file:dir { remove_name };
allow system_app sysfs:file { getattr open read };
allow system_app sysfs:dir { search };
-
+allow system_app vendor_default_prop:property_service { set };
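Review bot: The + line lets every system app set any property labelled vendor_default_prop, while the stated requirement is a single custom property, and nothing in the rule or a comment ties it to that property. A narrower change is to define a dedicated property type for the custom property and grant set on that type only, which also removes the need to widen the vendor_default_prop neverallow in domain.te.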
diff --git a/system/sepolicy/prebuilts/api/30.0/public/domain.te b/system/sepolicy/prebuilts/api/30.0/public/domain.te
index 1d3f8a071d..a0a2f694aa 100644
--- a/system/sepolicy/prebuilts/api/30.0/public/domain.te
+++ b/system/sepolicy/prebuilts/api/30.0/public/domain.te
@@ -530,7 +530,7 @@ compatible_property_only(`
neverallow { domain -init } exported_secure_prop:property_service set;
neverallow { domain -init } exported2_default_prop:property_service set;
neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
- neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+ neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
')
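Review bot: This is the only rule in the block whose exception list is widened; its neighbours for exported3_default_prop and storage_config_prop still exempt just init and vendor_init. The exemption covers the whole system_app domain, not one property, and the line gives no reason for it. Add a comment stating the property and the justification, or keep the line as it was and relabel the property instead.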
diff --git a/system/sepolicy/prebuilts/api/30.0/public/property.te b/system/sepolicy/prebuilts/api/30.0/public/property.te
index 43b09db8d1..c944270a9e 100644
--- a/system/sepolicy/prebuilts/api/30.0/public/property.te
+++ b/system/sepolicy/prebuilts/api/30.0/public/property.te
@@ -568,6 +568,7 @@ compatible_property_only(`
coredomain
-init
-system_writes_vendor_properties_violators
+ -system_app
} {
property_type
-system_property_type
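Review bot: -system_app is hard-coded next to -system_writes_vendor_properties_violators, so the whole domain is removed from this rule's source set and the exception is invisible to anyone auditing that attribute. The hunk is cut off before the permission list, so confirm what the rule forbids before exempting a domain from all of it, and record the reason in a comment beside the new entry.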
diff --git a/system/sepolicy/public/domain.te b/system/sepolicy/public/domain.te
index 1d3f8a071d..a0a2f694aa 100644
--- a/system/sepolicy/public/domain.te
+++ b/system/sepolicy/public/domain.te
@@ -530,7 +530,7 @@ compatible_property_only(`
neverallow { domain -init } exported_secure_prop:property_service set;
neverallow { domain -init } exported2_default_prop:property_service set;
neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
- neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+ neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
')
diff --git a/system/sepolicy/public/property.te b/system/sepolicy/public/property.te
index 43b09db8d1..c944270a9e 100644
--- a/system/sepolicy/public/property.te
+++ b/system/sepolicy/public/property.te
@@ -568,6 +568,7 @@ compatible_property_only(`
coredomain
-init
-system_writes_vendor_properties_violators
+ -system_app
} {
property_type
Author: 帅得不敢出门 (CSDN). Original article; please do not repost.