Android 8 关闭 SELinux 强制模式(切换为 permissive)

修改:system/core/init/init.cpp

// Sets up SELinux for init: registers the log and audit callbacks, then either
// loads the policy and applies the enforcing mode (in_kernel_domain == true) or
// calls selinux_init_all_handles() (in_kernel_domain == false).
//
// The mode written to the kernel comes solely from selinux_is_enforcing(), so
// that function is the single decision point for enforcing vs. permissive.
//
// NOTE(review): this listing stops before the function's closing brace.
static void selinux_initialize(bool in_kernel_domain) {
    // Started here so the elapsed setup time can be exported at the end of the
    // in_kernel_domain branch.
    Timer t;

    // The same callback struct is reused: first the log hook is registered,
    // then the audit hook is filled in and registered separately.
    selinux_callback cb;
    cb.func_log = selinux_klog_callback;
    selinux_set_callback(SELINUX_CB_LOG, cb); 
    cb.func_audit = audit_callback;
    selinux_set_callback(SELINUX_CB_AUDIT, cb); 

    if (in_kernel_domain) {
        LOG(INFO) << "Loading SELinux policy";
        // A policy that cannot be loaded is fatal: init does not continue
        // without one.
        if (!selinux_load_policy()) {
            panic();
        }    

        // Compare the kernel's current mode with the mode init wants and only
        // call security_setenforce() when they differ.
        bool kernel_enforcing = (security_getenforce() == 1);
        bool is_enforcing = selinux_is_enforcing();
        if (kernel_enforcing != is_enforcing) {
            // A non-zero return means the mode switch failed; that is treated
            // as a security failure rather than ignored.
            if (security_setenforce(is_enforcing)) {
                // NOTE(review): "%s" is emitted literally here, because stream
                // insertion does no printf-style formatting; the mode string is
                // simply appended after "failed".
                PLOG(ERROR) << "security_setenforce(%s) failed" << (is_enforcing ? "true" : "false");
                security_failure();
            }    
        }    

        // Write "0" to checkreqprot; a failed write is also a security failure.
        // NOTE(review): 0 is understood to make SELinux check the protection the
        // kernel actually applies to a mapping rather than the one the
        // application requested - confirm against the kernel documentation.
        std::string err; 
        if (!WriteFile("/sys/fs/selinux/checkreqprot", "0", &err)) {
            LOG(ERROR) << err; 
            security_failure();
        }    

        // init's first stage can't set properties, so pass the time to the second stage.
        setenv("INIT_SELINUX_TOOK", std::to_string(t.duration().count()).c_str(), 1);
    } else {
        // Policy loading and mode selection are skipped on this path; only the
        // handles are initialised.
        selinux_init_all_handles();
    } 

is_enforcing 的值(0 或 1)由下面的 selinux_is_enforcing() 决定:返回 true 为 enforcing,返回 false 为 permissive。要修改 is_enforcing,就要看这个函数:

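// Decides which mode selinux_initialize() asks the kernel for.
//
// Returns true (enforcing) in every case except one: the build defines
// ALLOW_PERMISSIVE_SELINUX as non-zero AND selinux_status_from_cmdline()
// reports SELINUX_PERMISSIVE. Only then does it return false (permissive).
//
// NOTE(review): an unconditional `return false;` placed ahead of the check
// below forces permissive mode on every build variant and leaves the
// ALLOW_PERMISSIVE_SELINUX gate as unreachable code. Keep the override behind
// the gate and select permissive mode through the kernel command line
// (androidboot.selinux=permissive), so that a build compiled with the flag
// at 0 cannot be switched out of enforcing mode.
// In AOSP the flag is a build-time option, understood to be 1 for
// userdebug/eng builds - confirm against the init build file of your tree.
static bool selinux_is_enforcing(void)
{
    if (ALLOW_PERMISSIVE_SELINUX) {
        // Debug-capable build: honour the mode requested on the kernel cmdline.
        return selinux_status_from_cmdline() == SELINUX_ENFORCING;
    }
    // Builds without the flag always enforce, whatever the cmdline says.
    return true;
}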

由上可知,当 ALLOW_PERMISSIVE_SELINUX 非 0 且 selinux_status_from_cmdline() 返回 SELINUX_PERMISSIVE 时,selinux_is_enforcing() 返回 false,SELinux 即处于 permissive(宽容)模式。
因为该返回值只有两种取值:
enum selinux_enforcing_status { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
 


// The two SELinux modes init can select at boot. The enumerators keep their
// implicit values, so SELINUX_PERMISSIVE is 0 and SELINUX_ENFORCING is 1.
enum selinux_enforcing_status {
    SELINUX_PERMISSIVE,  // selected when the cmdline asks for permissive mode
    SELINUX_ENFORCING    // the default mode
};

// Reads the requested SELinux mode from the kernel command line.
//
// Returns SELINUX_PERMISSIVE only if some cmdline entry has the key
// "androidboot.selinux" with the exact value "permissive". A missing key or
// any other value leaves the result at SELINUX_ENFORCING, so unrecognised
// input fails closed.
static selinux_enforcing_status selinux_status_from_cmdline() {
    bool permissive_requested = false;

    // Invoked by import_kernel_cmdline() for each key/value pair; the third
    // argument is not needed for this decision.
    const auto check_entry = [&permissive_requested](const std::string& key,
                                                     const std::string& value,
                                                     bool /*in_qemu*/) {
        if (key != "androidboot.selinux") {
            return;
        }
        if (value != "permissive") {
            return;
        }
        permissive_requested = true;
    };
    import_kernel_cmdline(false, check_entry);

    return permissive_requested ? SELINUX_PERMISSIVE : SELINUX_ENFORCING;
}

即:内核命令行中带有 androidboot.selinux=permissive 时返回 SELINUX_PERMISSIVE;该项缺省或取其他值时保持 SELINUX_ENFORCING。

因此在平台的板级配置中,把 androidboot.selinux=permissive 加入 kernel cmdline:
# Kernel command line for this board. The token that matters for SELinux is
# androidboot.selinux=permissive: selinux_status_from_cmdline() in init maps it to
# SELINUX_PERMISSIVE. The other tokens are presumably this platform's existing
# console/boot settings and are unrelated to SELinux.
# Unmodified init consults this token only when ALLOW_PERMISSIVE_SELINUX is non-zero,
# so the switch is a debug/bring-up aid; remove the token again once the denials it
# exposes have been covered by policy, so the image boots enforcing.
BOARD_KERNEL_CMDLINE := console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom androidboot.selinux=permissive msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 androidboot.memcg=false earlyprintk

此后日志中仍会出现 avc: denied 的打印,但末尾带有 permissive=1,表示该访问只是被记录,实际已被放行。这些记录对应的正是 enforcing 模式下会被拒绝的访问,可据此补全 sepolicy 后再恢复 enforcing:

[   27.895071] selinux: avc:  denied  { set } for property=vendor.audio.sys.init pid=394 

uid=1041 gid=1005 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:audio_prop:s0 tclass=property_service permissive=1


--------------------- 
作者:康师傅的技术小站 
来源:CSDN 
原文:https://blog.csdn.net/u010481276/article/details/83652881 
版权声明:本文为博主原创文章,转载请附上博文链接!


转载自blog.csdn.net/seek_0380/article/details/90747624