## 1. Service definition in SystemServer
Android P_9.0\frameworks\base\services\java\com\android\server\SystemServer.java

    /**
     * Starts a miscellaneous grab bag of stuff that has yet to be refactored
     * and organized.
     */
    private void startOtherServices() {
        try {
            // Register the custom service with servicemanager under the name "fadi_wakeupwatcher"
            fadiWakeupWatcherService fadiWakeupWatcherService = new fadiWakeupWatcherService();
            ServiceManager.addService("fadi_wakeupwatcher", fadiWakeupWatcherService.asBinder());
        } catch (Throwable e) {
            Slog.e(TAG, "Failure starting fadiWakeupWatcherService", e);
        }
        // ...
    }

## 2. Error log when the SELinux permission is not configured

    01-01 00:05:05.381284   933   933 E SystemServer: Failure starting fadiAppLockService
    01-01 00:05:05.381284   933   933 E SystemServer: java.lang.SecurityException
    01-01 00:05:05.381284   933   933 E SystemServer: at android.os.BinderProxy.transactNative(Native Method)
    01-01 00:05:05.381284   933   933 E SystemServer: at android.os.BinderProxy.transact(Binder.java:1127)
    01-01 00:05:05.381284   933   933 E SystemServer: at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:153)
    01-01 00:05:05.381284   933   933 E SystemServer: at android.os.ServiceManager.addService(ServiceManager.java:184)
    01-01 00:05:05.381284   933   933 E SystemServer: at android.os.ServiceManager.addService(ServiceManager.java:155)
    01-01 00:05:05.381284   933   933 E SystemServer: at com.android.server.SystemServer.startOtherServices(SystemServer.java:2000)
    01-01 00:05:05.381284   933   933 E SystemServer: at com.android.server.SystemServer.run(SystemServer.java:456)
    01-01 00:05:05.381284   933   933 E SystemServer: at com.android.server.SystemServer.main(SystemServer.java:311)
    01-01 00:05:05.381284   933   933 E SystemServer: at java.lang.reflect.Method.invoke(Native Method)
    01-01 00:05:05.381284   933   933 E SystemServer: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
    01-01 00:05:05.381284   933   933 E SystemServer: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:891)
    01-01 00:05:05.383128   933   933 E SystemServer: Failure starting fadiWakeupWatcherService
    01-01 00:05:05.383128   933   933 E SystemServer: java.lang.SecurityException
    01-01 00:05:05.383128   933   933 E SystemServer: at android.os.BinderProxy.transactNative(Native Method)
    01-01 00:05:05.383128   933   933 E SystemServer: at android.os.BinderProxy.transact(Binder.java:1127)
    01-01 00:05:05.383128   933   933 E SystemServer: at android.os.ServiceManagerProxy.addService(ServiceManagerNative.java:153)
    01-01 00:05:05.383128   933   933 E SystemServer: at android.os.ServiceManager.addService(ServiceManager.java:184)
    01-01 00:05:05.383128   933   933 E SystemServer: at android.os.ServiceManager.addService(ServiceManager.java:155)
    01-01 00:05:05.383128   933   933 E SystemServer: at com.android.server.SystemServer.startOtherServices(SystemServer.java:2008)
    01-01 00:05:05.383128   933   933 E SystemServer: at com.android.server.SystemServer.run(SystemServer.java:456)
    01-01 00:05:05.383128   933   933 E SystemServer: at com.android.server.SystemServer.main(SystemServer.java:311)
    01-01 00:05:05.383128   933   933 E SystemServer: at java.lang.reflect.Method.invoke(Native Method)
    01-01 00:05:05.383128   933   933 E SystemServer: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
    01-01 00:05:05.383128   933   933 E SystemServer: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:891)

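As Android's security requirements keep rising and SELinux enforcement is steadily tightened, some services need custom policy configuration before they can be used normally.

The log above is the symptom seen when the services start. Using the service names configured in the source code, search the log for the keywords "fadi_applock" and "fadi_wakeupwatcher".

Searching for the keywords "fadi_applock" and "fadi_wakeupwatcher" gives:

    01-01 00:05:05.382320   324   324 E SELinux : avc:  denied  { add } for service=fadi_wakeupwatcher pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0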

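There is a formula for turning a denial log like the one above into a rule, and a demo is given here. However, we have not yet defined an SELinux type for this service, so the formula is not needed for now; the sections below describe the configuration method for Android 9.0 instead.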

    01-01 00:05:05.382320   324   324 E SELinux : avc:  denied  { add } for service=fadi_wakeupwatcher pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
    allow system_server fadi_wakeupwatcher :service_manager { add };

    01-01 00:05:05.380074   324   324 E SELinux : avc:  denied  { add } for service=fadi_applock pid=933 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
    01-01 00:05:05.380221   324   324 E ServiceManager: add_service('fadi_applock',8f) uid=1000 - PERMISSION DENIED
    allow system_server fadi_applock :service_manager { add };

Demo:

    01-03 10:31:35.585148 331 331 E SELinux : avc: denied { find } for service=xxx_applock pid=5499 uid=10087 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:xxx_applock_service:s0 tclass=service_manager permissive=1
    allow untrusted_app_25 xxx_applock_service:service_manager { find };
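The formula takes the type from scontext, the type from tcontext, the tclass and the denied permission. The Python below is an added example, not code from the original post: it applies the formula to two of the denial lines quoted above and treats a tcontext of default_android_service as a missing service_contexts entry rather than something to allow. The function names are hypothetical, and the `<name>_service` type naming is assumed from the convention used in section 3.1.

```python
import re

# Sample lines copied from the log above (first: missing label, second: the demo).
SAMPLE = [
    "01-01 00:05:05.382320   324   324 E SELinux : avc:  denied  { add } for "
    "service=fadi_wakeupwatcher pid=933 uid=1000 scontext=u:r:system_server:s0 "
    "tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0",
    "01-03 10:31:35.585148 331 331 E SELinux : avc: denied { find } for "
    "service=xxx_applock pid=5499 uid=10087 scontext=u:r:untrusted_app_25:s0:c512,c768 "
    "tcontext=u:object_r:xxx_applock_service:s0 tclass=service_manager permissive=1",
]

AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")


def parse_avc(line):
    """Split one denial into its permissions and key=value fields."""
    m = AVC.search(line)
    if m is None:
        return None
    fields = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    fields["perms"] = m["perms"].split()
    return fields


def ctx_type(context):
    # A context is user:role:type:level[:categories]; the rule uses only the type.
    return context.split(":")[2]


def suggest(line):
    d = parse_avc(line)
    if d is None:
        return None
    src, tgt = ctx_type(d["scontext"]), ctx_type(d["tcontext"])
    if d["tclass"] == "service_manager" and tgt == "default_android_service":
        # Catch-all label: the name is missing from service_contexts, so define
        # a type for it (section 3.1 of the page) instead of allowing the default.
        svc = d["service"]
        return {"kind": "define_type",
                "service_contexts": f"{svc} u:object_r:{svc}_service:s0"}
    perms = " ".join(d["perms"])
    return {"kind": "allow",
            "rule": f"allow {src} {tgt}:{d['tclass']} {{ {perms} }};"}


if __name__ == "__main__":
    for entry in SAMPLE:
        print(suggest(entry))
```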

## 3. Configuring SELinux permissions on Android 9.0

### 3.1 Defining the SELinux types

Configure the following two files:

  • Android P_9.0\system\sepolicy\public\service.te

    # fadi SE-Linux
    type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
    type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
    type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;

  • Android P_9.0\system\sepolicy\private\service_contexts

    # fadi SE-Linux
    fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
    fadi_applock                              u:object_r:fadi_applock_service:s0
    fadi_longshot                             u:object_r:fadi_longshot_service:s0

Then run a build.

### 3.2 Fixing build error 1

    FAILED: out/target/product/fadi6761_l05/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test
    /bin/bash -c "(diff -rq system/sepolicy/prebuilts/api/28.0/public system/sepolicy/public ) && (diff -rq system/sepolicy/prebuilts/api/28.0/private system/sepolicy/private ) && (touch out/target/product/fadi6761_l05/obj/ETC/sepolicy_freeze_test_intermediates/sepolicy_freeze_test )"
    文件 system/sepolicy/prebuilts/api/28.0/public/service.te 和 system/sepolicy/public/service.te 不同

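The last line is diff reporting that the two service.te files differ. Keep the contents of the corresponding files under system/sepolicy/prebuilts/api/28.0/public and system/sepolicy/public identical.

Continue the build:

    make -j24 2>&1 | tee build.log

### 3.3 Fixing build error 2

Add to and complete the files as the error messages indicate.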

    [ 43% 179/410] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/treble_sepolicy_tests_26.0
    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/treble_sepolicy_tests_26.0
    [ 43% 180/410] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/treble_sepolicy_tests_27.0
    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/treble_sepolicy_tests_27.0

Add the corresponding definitions:

Android P_9.0\system\sepolicy\private\compat\26.0\26.0.cil

    (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

Android P\Android P_9.0\system\sepolicy\private\compat\27.0\27.0.cil

    (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

Continue the build:

    make -j24 2>&1 | tee build.log

### 3.4 Fixing build error 3

Error log:

    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/26.0_compat
    /bin/bash -c "out/host/linux-x86/bin/secilc -m -M true -G -N -c 30              out/target/product/fadi6761_l05/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil system/sepolicy/private/compat/26.0/26.0.cil system/sepolicy/prebuilts/api/26.0/nonplat_sepolicy.cil -o out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_26.0_intermediates/26.0_compat -f /dev/null"
    Failed to resolve typeattributeset statement at system/sepolicy/private/compat/26.0/26.0.cil:764
    Failed to compile cildb: -2
    [  1% 11/693] build out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat
    FAILED: out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat
    /bin/bash -c "out/host/linux-x86/bin/secilc -m -M true -G -N -c 30              out/target/product/fadi6761_l05/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil system/sepolicy/private/compat/27.0/27.0.cil system/sepolicy/prebuilts/api/27.0/nonplat_sepolicy.cil -o out/target/product/fadi6761_l05/obj/ETC/treble_sepolicy_tests_27.0_intermediates/27.0_compat -f /dev/null"
    Failed to resolve typeattributeset statement at system/sepolicy/private/compat/27.0/27.0.cil:1486
    Failed to compile cildb: -2
    [  1% 12/693] build tinysys-scp-configheader

Solution: complete the configuration in nonplat_sepolicy.cil.

  • \Android P_9.0\system\sepolicy\prebuilts\api\26.0\nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_26_0)
    (roletype object_r fadi_wakeupwatcher_service_26_0)
    (typeattribute fadi_applock_service_26_0)
    (roletype object_r fadi_applock_service_26_0)
    (typeattribute fadi_longshot_service_26_0)
    (roletype object_r fadi_longshot_service_26_0)

  • Android P_9.0\system\sepolicy\prebuilts\api\27.0\nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_27_0)
    (roletype object_r fadi_wakeupwatcher_service_27_0)
    (typeattribute fadi_applock_service_27_0)
    (roletype object_r fadi_applock_service_27_0)
    (typeattribute fadi_longshot_service_27_0)
    (roletype object_r fadi_longshot_service_27_0)

Continue the build:

    make -j24 2>&1 | tee build.log

### 3.5 Build OK: flash the device and verify the logs

The services' logs are now printed normally.

    09-21 04:17:00.560: D/fadiDisplayHelp(2157): UI show packageName = com.google.android.packageinstaller, className = com.android.packageinstaller.permission.ui.GrantPermissionsActivity
    09-21 04:17:59.365: D/fadiDisplayHelp(2157): UI show packageName = com.android.launcher3, className = com.android.launcher3.Launcher
    09-21 04:16:08.027: D/fadiKillAppManager(2157): updateRestrictList new = WakeUpInfo [packageName=com.android.bankabc, bootReceviers=com.feinno.teatalk.receiver.FastBootReceiver;com.xiaomi.push.service.receivers.NetworkStatusReceiver;com.feinno.teatalk.receiver.NetWorkChangeReceiver;com.huawei.android.pushagent.PushBootReceiver;com.feinno.teatalk.receiver.PushReceiver;com.huawei.android.pushagent.PushEventReceiver;com.feinno.teatalk.receiver.MiPushReceiver;com.xiaomi.push.service.receivers.PingReceiver;, pushServices=com.baidu.location.f;com.xiaomi.push.service.XMPushService;com.xiaomi.mipush.sdk.PushMessageHandler;com.xiaomi.mipush.sdk.MessageHandleService;, deny=0]

## 4. Checklist of the SELinux changes made this time

    suhuazhi@fadi-PC:~/9.1/system/sepolicy$ git status
    # Not currently on any branch.
    # Changes not staged for commit:
    #   (use "git add ..." to update what will be committed)
    #   (use "git checkout -- ..." to discard changes in working directory)
    #
    #       modified:   prebuilts/api/26.0/nonplat_sepolicy.cil
    #       modified:   prebuilts/api/27.0/nonplat_sepolicy.cil
    #       modified:   prebuilts/api/28.0/private/compat/26.0/26.0.cil
    #       modified:   prebuilts/api/28.0/private/compat/27.0/27.0.cil
    #       modified:   prebuilts/api/28.0/private/service_contexts
    #       modified:   prebuilts/api/28.0/public/service.te
    #       modified:   private/compat/26.0/26.0.cil
    #       modified:   private/compat/27.0/27.0.cil
    #       modified:   private/service_contexts
    #       modified:   public/service.te

The specific additions are as follows:

  1. prebuilts/api/26.0/nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_26_0)
    (roletype object_r fadi_wakeupwatcher_service_26_0)
    (typeattribute fadi_applock_service_26_0)
    (roletype object_r fadi_applock_service_26_0)
    (typeattribute fadi_longshot_service_26_0)
    (roletype object_r fadi_longshot_service_26_0)

  2. prebuilts/api/27.0/nonplat_sepolicy.cil

    (typeattribute fadi_wakeupwatcher_service_27_0)
    (roletype object_r fadi_wakeupwatcher_service_27_0)
    (typeattribute fadi_applock_service_27_0)
    (roletype object_r fadi_applock_service_27_0)
    (typeattribute fadi_longshot_service_27_0)
    (roletype object_r fadi_longshot_service_27_0)

  3. prebuilts/api/28.0/private/compat/26.0/26.0.cil

    (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

  4. prebuilts/api/28.0/private/compat/27.0/27.0.cil

    (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

  5. prebuilts/api/28.0/private/service_contexts

    # fadi SE-Linux
    fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
    fadi_applock                              u:object_r:fadi_applock_service:s0
    fadi_longshot                             u:object_r:fadi_longshot_service:s0

  6. prebuilts/api/28.0/public/service.te

    # fadi SE-Linux
    type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
    type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
    type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;

  7. private/compat/26.0/26.0.cil

    (typeattributeset fadi_wakeupwatcher_service_26_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_26_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_26_0 (fadi_longshot_service))

  8. private/compat/27.0/27.0.cil

    (typeattributeset fadi_wakeupwatcher_service_27_0 (fadi_wakeupwatcher_service))
    (typeattributeset fadi_applock_service_27_0 (fadi_applock_service))
    (typeattributeset fadi_longshot_service_27_0 (fadi_longshot_service))

  9. private/service_contexts (core)

    # fadi SE-Linux
    fadi_wakeupwatcher                        u:object_r:fadi_wakeupwatcher_service:s0
    fadi_applock                              u:object_r:fadi_applock_service:s0
    fadi_longshot                             u:object_r:fadi_longshot_service:s0

  10. public/service.te (core)

    # fadi SE-Linux
    type fadi_wakeupwatcher_service, system_api_service, system_server_service, service_manager_type;
    type fadi_applock_service, system_api_service, system_server_service, service_manager_type;
    type fadi_longshot_service, system_api_service, system_server_service, service_manager_type;
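
The ten files above all follow from the list of service names, so the whole change can be generated and checked before a build hits the errors from sections 3.2 to 3.4 one at a time. The Python below is an added example, not part of the original post: `policy_additions` and `missing_lines` are hypothetical helper names, the paths and line formats are taken from the checklist above, and the in-memory tree in the demo is constructed.

```python
# Added example: names and layout follow the page; the in-memory tree is constructed.
COMPAT = ("26.0", "27.0")      # older API levels patched in sections 3.3 and 3.4
ATTRS = "system_api_service, system_server_service, service_manager_type"


def policy_additions(services):
    """Return {path relative to system/sepolicy: [lines the page adds]}."""
    out = {}
    te = [f"type {s}_service, {ATTRS};" for s in services]
    ctx = [f"{s:<42}u:object_r:{s}_service:s0" for s in services]
    # Live tree plus the frozen 28.0 copy that sepolicy_freeze_test diffs (3.2).
    for root in ("", "prebuilts/api/28.0/"):
        out[root + "public/service.te"] = te
        out[root + "private/service_contexts"] = ctx
        for v in COMPAT:
            tag = v.replace(".", "_")
            out[f"{root}private/compat/{v}/{v}.cil"] = [
                f"(typeattributeset {s}_service_{tag} ({s}_service))"
                for s in services]
    # The versioned attributes are declared here so secilc can resolve them (3.4).
    for v in COMPAT:
        tag = v.replace(".", "_")
        out[f"prebuilts/api/{v}/nonplat_sepolicy.cil"] = [
            line for s in services for line in (
                f"(typeattribute {s}_service_{tag})",
                f"(roletype object_r {s}_service_{tag})")]
    return out


def missing_lines(additions, tree):
    """tree maps path -> file text; return {path: [expected lines not found]}."""
    def norm(line):
        return " ".join(line.split())   # ignore column alignment
    gaps = {}
    for path, lines in additions.items():
        present = {norm(l) for l in tree.get(path, "").splitlines()}
        absent = [l for l in lines if norm(l) not in present]
        if absent:
            gaps[path] = absent
    return gaps


SERVICES = ["fadi_wakeupwatcher", "fadi_applock", "fadi_longshot"]

if __name__ == "__main__":
    # Constructed tree: only the two "core" files from section 3.1 were edited.
    plan = policy_additions(SERVICES)
    tree = {p: "\n".join(plan[p])
            for p in ("public/service.te", "private/service_contexts")}
    for path, lines in sorted(missing_lines(plan, tree).items()):
        print(path, len(lines), "line(s) missing")
```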
