## 1. Service definition in SystemServer
Android P_9.0\frameworks\base\services\java\com\android\server\SystemServer.java

    /**
     * Starts a miscellaneous grab bag of stuff that has yet to be refactored
     * and organized.
     */
    private void startOtherServices() {
        try {
            // Register the custom binder service with servicemanager under the name
            // "fadi_wakeupwatcher"; this addService call is what SELinux checks.
            fadiWakeupWatcherService fadiWakeupWatcherService = new fadiWakeupWatcherService();
            ServiceManager.addService("fadi_wakeupwatcher", fadiWakeupWatcherService.asBinder());
        } catch (Throwable e) {
            Slog.e(TAG, "Failure starting fadiWakeupWatcherService", e);
        }
        // ... (rest of the method omitted in this excerpt)
    }

## 2. Error log when the SELinux permission is not configured

    01-01 00:05:05.381284   933   933 E SystemServer: Failure starting fadiAppLockService
    01-01 00:05:05.381284   933   933 E SystemServer: java.lang.SecurityException
    01-01 00:05:05.381284   933   933 E SystemServer: at android.os.BinderProxy.transactNative(Native Method)
    01-01 00:05:05.381284   933   933 E SystemServer: at android.os.BinderProxy.transact(Binder.java:1127)
    01-01 00:05:05.381284   933   933 E SystemServer: at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:153)
    01-01 00:05:05.381284   933   933 E SystemServer: at android.os.ServiceManager.addService(ServiceManager.java:184)
    01-01 00:05:05.381284   933   933 E SystemServer: at android.os.ServiceManager.addService(ServiceManager.java:155)
    01-01 00:05:05.381284   933   933 E SystemServer: at com.android.server.SystemServer.startOtherServices(SystemServer.java:2000)
    01-01 00:05:05.381284   933   933 E SystemServer: at com.android.server.SystemServer.run(SystemServer.java:456)
    01-01 00:05:05.381284   933   933 E SystemServer: at com.android.server.SystemServer.main(SystemServer.java:311)
    01-01 00:05:05.381284   933   933 E SystemServer: at java.lang.reflect.Method.invoke(Native Method)
    01-01 00:05:05.381284   933   933 E SystemServer: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
    01-01 00:05:05.381284   933   933 E SystemServer: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:891)
    01-01 00:05:05.383128   933   933 E SystemServer: Failure starting fadiWakeupWatcherService
    01-01 00:05:05.383128   933   933 E SystemServer: java.lang.SecurityException
    01-01 00:05:05.383128   933   933 E SystemServer: at android.os.BinderProxy.transactNative(Native Method)
    01-01 00:05:05.383128   933   933 E SystemServer: at android.os.BinderProxy.transact(Binder.java:1127)
    01-01 00:05:05.383128   933   933 E SystemServer: at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:153)
    01-01 00:05:05.383128   933   933 E SystemServer: at android.os.ServiceManager.addService(ServiceManager.java:184)
    01-01 00:05:05.383128   933   933 E SystemServer: at android.os.ServiceManager.addService(ServiceManager.java:155)
    01-01 00:05:05.383128   933   933 E SystemServer: at com.android.server.SystemServer.startOtherServices(SystemServer.java:2008)
    01-01 00:05:05.383128   933   933 E SystemServer: at com.android.server.SystemServer.run(SystemServer.java:456)
    01-01 00:05:05.383128   933   933 E SystemServer: at com.android.server.SystemServer.main(SystemServer.java:311)
    01-01 00:05:05.383128   933   933 E SystemServer: at java.lang.reflect.Method.invoke(Native Method)
    01-01 00:05:05.383128   933   933 E SystemServer: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
    01-01 00:05:05.383128   933   933 E SystemServer: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:891)

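As Android's security requirements keep rising and SELinux enforcement is steadily tightened, some services need custom policy configuration before they can be used normally.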

The log above comes from service startup. Using the service names configured in the source code, search the log for the keywords "fadi_applock" and "fadi_wakeupwatcher".

Searching for the keywords "fadi_applock" and "fadi_wakeupwatcher" finds:

    01-01 00:05:05.382320   324   324 E SELinux : avc:  denied  { add } for service=fadi_wakeupwatcher pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0

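A denial log like the one above maps to a policy rule through a fixed formula, and a demo is given here. However, we have not yet defined an SELinux type for this service, so the formula is not needed for now; what follows is the Android 9.0 configuration method.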

    01-01 00:05:05.382320   324   324 E SELinux : avc:  denied  { add } for service=fadi_wakeupwatcher pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
    allow system_server fadi_wakeupwatcher :service_manager { add };

    01-01 00:05:05.380074   324   324 E SELinux : avc:  denied  { add } for service=fadi_applock pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
    01-01 00:05:05.380221   324   324 E ServiceManager: add_service('fadi_applock',8f) uid=1000 - PERMISSION DENIED
    allow system_server fadi_applock :service_manager { add };

Demo:

    01-03 10:31:35.585148 331 331 E SELinux : avc: denied { find } for service=xxx_applock pid=5499 uid=10087 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:xxx_applock_service:s0 tclass=service_manager permissive=1
    allow untrusted_app_25 xxx_applock_service:service_manager { find };
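The mapping from a denial line to policy, as an added example that is not part of the original post: the script parses the service_manager denials shown above and returns the rule the formula gives (source domain, target type, class, permission). When the target type is default_android_service the name matched only the wildcard entry in service_contexts, so it returns the type and label to define instead, using the `<name>_service` naming from section 3; `analyze` and `SAMPLES` are names made up here.

```python
import re

# service_manager denial as logged by servicemanager (format of the lines on this page)
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+service=(?P<service>\S+)"
    r".*?scontext=u:r:(?P<sdomain>[^:\s]+):\S+"
    r"\s+tcontext=u:object_r:(?P<ttype>[^:\s]+):\S+"
    r"\s+tclass=(?P<tclass>\S+)"
)

def analyze(line):
    """Return the policy change a denial line calls for, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    if d["ttype"] == "default_android_service":
        # The service has no type of its own yet: define one instead of
        # allowing access to the default label. Naming and attributes are
        # the ones this page uses in service.te / service_contexts.
        new_type = d["service"] + "_service"
        return {
            "action": "define_type",
            "service_te": "type %s, system_api_service, system_server_service, "
                          "service_manager_type;" % new_type,
            "service_contexts": "%s u:object_r:%s:s0" % (d["service"], new_type),
        }
    perms = " ".join(d["perms"].split())
    return {
        "action": "allow_rule",
        "rule": "allow %s %s:%s { %s };" % (d["sdomain"], d["ttype"], d["tclass"], perms),
    }

# Two denial lines copied from the logs above.
SAMPLES = [
    "01-01 00:05:05.382320   324   324 E SELinux : avc:  denied  { add } for "
    "service=fadi_wakeupwatcher pid=933 uid=1000 scontext=u:r:system_server:s0 "
    "tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0",
    "01-03 10:31:35.585148 331 331 E SELinux : avc: denied { find } for "
    "service=xxx_applock pid=5499 uid=10087 scontext=u:r:untrusted_app_25:s0:c512,c768 "
    "tcontext=u:object_r:xxx_applock_service:s0 tclass=service_manager permissive=1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze(sample))
```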

## 3. Configuring SELinux permissions on Android 9.0

### 3.1 Defining the SELinux types

Configure the following two files:

  • Android P_9.0\system\sepolicy\public\service.te

    # fadi SE-Linux
    type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
    type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
    type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;

  • Android P_9.0\system\sepolicy\private\service_contexts

    # fadi SE-Linux
    fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
    fadi_applock                              u:object_r:fadi_applock_service:s0
    fadi_longshot                             u:object_r:fadi_longshot_service:s0

Then build.

### 3.2 Build error 1 and its fix

    FAILED: out/target/product/fadi6761_l05/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
    /bin/bash -c "(diff -rq system/sepolicy/prebuilts/api/28.0/public system/sepolicy/public ) && (diff -rq system/sepolicy/prebuilts/api/28.0/private system/sepolicy/private ) && (touch out/target/product/fadi6761_l05/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
    文件 system/sepolicy/prebuilts/api/28.0/public/service.te 和 system/sepolicy/public/service.te 不同

It is enough to keep the corresponding files under system/sepolicy/prebuilts/api/28.0/public and system/sepolicy/public identical.

Continue the build with make -j24 2>&1 | tee build.log

### 3.3 Build error 2 and its fix

Add and fill in the files that the error messages point to.

    [ 43% 179/410] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/treble_sepolicy_tests_26.0
    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/treble_sepolicy_tests_26.0
    [ 43% 180/410] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/treble_sepolicy_tests_27.0
    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/treble_sepolicy_tests_27.0

Add the corresponding permission definitions:
Android P_9.0\system\sepolicy\private\compat\26.0\26.0.cil

    (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

Android P\Android P_9.0\system\sepolicy\private\compat\27.0\27.0.cil

    (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

Continue the build with make -j24 2>&1 | tee build.log

### 3.4 Build error 3 and its fix

Error log:

    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/26.0_compat
    /bin/bash -c "out/host/linux-x86/bin/secilc -m -M true -G -N -c 30              out/target/product/fadi6761_l05/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil system/sepolicy/private/compat/26.0/26.0.cil system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil -o out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/26.0_compat -f /dev/null"
    Failed to resolve typeattributeset statement at system/sepolicy/private/compat/26.0/26.0.cil:764
    Failed to compile cildb: -2
    [  1% 11/693] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat
    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat
    /bin/bash -c "out/host/linux-x86/bin/secilc -m -M true -G -N -c 30              out/target/product/fadi6761_l05/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil system/sepolicy/private/compat/27.0/27.0.cil system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil -o out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat -f /dev/null"
    Failed to resolve typeattributeset statement at system/sepolicy/private/compat/27.0/27.0.cil:1486
    Failed to compile cildb: -2
    [  1% 12/693] build tinysys-scp-configheader

Fix: complete the configuration in nonplat_sepolicy.cil.

  • \Android P_9.0\system\sepolicy\prebuilts\api\26.0\nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_26_0)
    (roletype object_r fadi_wakeupwatcher_service_26_0)
    (typeattribute fadi_applock_service_26_0)
    (roletype object_r fadi_applock_service_26_0)
    (typeattribute fadi_longshot_service_26_0)
    (roletype object_r fadi_longshot_service_26_0)

  • Android P_9.0\system\sepolicy\prebuilts\api\27.0\nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_27_0)
    (roletype object_r fadi_wakeupwatcher_service_27_0)
    (typeattribute fadi_applock_service_27_0)
    (roletype object_r fadi_applock_service_27_0)
    (typeattribute fadi_longshot_service_27_0)
    (roletype object_r fadi_longshot_service_27_0)

Continue the build with make -j24 2>&1 | tee build.log

### 3.5 Build OK; flash the device and verify the logs

The services now print their logs normally.

    09-21 04:17:00.560: D/fadiDisplayHelp(2157): UI show packageName = com.google.android.packageinstaller, className = com.android.packageinstaller.permission.ui.GrantPermissionsActivity
    09-21 04:17:59.365: D/fadiDisplayHelp(2157): UI show packageName = com.android.launcher3, className = com.android.launcher3.Launcher
    09-21 04:16:08.027: D/fadiKillAppManager(2157): updateRestrictList new = WakeUpInfo [packageName=com.android.bankabc, bootReceviers=com.feinno.teatalk.receiver.FastBootReceiver;com.xiaomi.push.service.receivers.NetworkStatusReceiver;com.feinno.teatalk.receiver.NetWorkChangeReceiver;com.huawei.android.pushagent.PushBootReceiver;com.feinno.teatalk.receiver.PushReceiver;com.huawei.android.pushagent.PushEventReceiver;com.feinno.teatalk.receiver.MiPushReceiver;com.xiaomi.push.service.receivers.PingReceiver;, pushServices=com.baidu.location.f;com.xiaomi.push.service.XMPushService;com.xiaomi.mipush.sdk.PushMessageHandler;com.xiaomi.mipush.sdk.MessageHandleService;, deny=0]

## 4. SELinux change list for this configuration

    suhuazhi@fadi-PC:~/9.1/system/sepolicy$ git status
    # Not currently on any branch.
    # Changes not staged for commit:
    #   (use "git add ..." to update what will be committed)
    #   (use "git checkout -- ..." to discard changes in working directory)
    #
    #       modified:   prebuilts/api/26.0/nonplat_sepolicy.cil
    #       modified:   prebuilts/api/27.0/nonplat_sepolicy.cil
    #       modified:   prebuilts/api/28.0/private/compat/26.0/26.0.cil
    #       modified:   prebuilts/api/28.0/private/compat/27.0/27.0.cil
    #       modified:   prebuilts/api/28.0/private/service_contexts
    #       modified:   prebuilts/api/28.0/public/service.te
    #       modified:   private/compat/26.0/26.0.cil
    #       modified:   private/compat/27.0/27.0.cil
    #       modified:   private/service_contexts
    #       modified:   public/service.te

The specific additions are as follows:

  1. prebuilts/api/26.0/nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_26_0)
    (roletype object_r fadi_wakeupwatcher_service_26_0)
    (typeattribute fadi_applock_service_26_0)
    (roletype object_r fadi_applock_service_26_0)
    (typeattribute fadi_longshot_service_26_0)
    (roletype object_r fadi_longshot_service_26_0)

  2. prebuilts/api/27.0/nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_27_0)
    (roletype object_r fadi_wakeupwatcher_service_27_0)
    (typeattribute fadi_applock_service_27_0)
    (roletype object_r fadi_applock_service_27_0)
    (typeattribute fadi_longshot_service_27_0)
    (roletype object_r fadi_longshot_service_27_0)

  3. prebuilts/api/28.0/private/compat/26.0/26.0.cil

    (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

  4. prebuilts/api/28.0/private/compat/27.0/27.0.cil

    (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

  5. prebuilts/api/28.0/private/service_contexts

    # fadi SE-Linux
    fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
    fadi_applock                              u:object_r:fadi_applock_service:s0
    fadi_longshot                             u:object_r:fadi_longshot_service:s0

  6. prebuilts/api/28.0/public/service.te

    # fadi SE-Linux
    type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
    type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
    type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;

  7. private/compat/26.0/26.0.cil

    (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

  8. private/compat/27.0/27.0.cil

    (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

  9. private/service_contexts (core)

    # fadi SE-Linux
    fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
    fadi_applock                              u:object_r:fadi_applock_service:s0
    fadi_longshot                             u:object_r:fadi_longshot_service:s0

  10. public/service.te (core)

    # fadi SE-Linux
    type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
    type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
    type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;
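A pre-build check for the change list above, as an added example that is not part of the original post: it reports which of the ten files still lack an entry for a given service, so the three build failures from section 3 show up before make does. `required_entries`, `missing_entries` and `SAMPLE_TREE` are names made up here; the `<name>_service` type naming and the 26.0/27.0/28.0 versions are taken from this page.

```python
VERSIONS = ("26.0", "27.0")       # older platform versions with compat mappings on this page
FROZEN = "prebuilts/api/28.0/"    # copy that sepolicy_freeze_test diffs against public/ and private/

def required_entries(service):
    """Map each policy file (relative to system/sepolicy) to the lines this page adds."""
    t = service + "_service"      # type naming convention used on this page
    req = {}
    for root in ("", FROZEN):
        req[root + "public/service.te"] = [
            "type %s, system_api_service, system_server_service, service_manager_type;" % t]
        req[root + "private/service_contexts"] = ["%s u:object_r:%s:s0" % (service, t)]
        for v in VERSIONS:
            req["%sprivate/compat/%s/%s.cil" % (root, v, v)] = [
                "(typeattributeset %s_%s (%s))" % (t, v.replace(".", "_"), t)]
    for v in VERSIONS:
        attr = "%s_%s" % (t, v.replace(".", "_"))
        req["prebuilts/api/%s/nonplat_sepolicy.cil" % v] = [
            "(typeattribute %s)" % attr, "(roletype object_r %s)" % attr]
    return req

def missing_entries(service, tree):
    """tree maps path -> file text; return sorted (path, entry) pairs not yet present."""
    missing = []
    for path, entries in required_entries(service).items():
        # Collapse runs of spaces so column-aligned service_contexts lines still match.
        have = {" ".join(line.split()) for line in tree.get(path, "").splitlines()}
        missing += [(path, e) for e in entries if e not in have]
    return sorted(missing)

# Constructed sample: the tree right after step 3.1, with only the two core files edited.
SAMPLE_TREE = {
    "public/service.te":
        "type fadi_wakeupwatcher_service, system_api_service, "
        "system_server_service, service_manager_type;\n",
    "private/service_contexts":
        "fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0\n",
}

if __name__ == "__main__":
    for path, entry in missing_entries("fadi_wakeupwatcher", SAMPLE_TREE):
        print("%-50s %s" % (path, entry))
```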
