Android获取selinux的setprop权限修改SystemProperties

需求

自定义了一个 SystemProperties 属性,需要在 system 应用(运行在 system_app 域)中修改它。下面介绍 MTK 及展锐平台上的设置方法,思路可扩展到其他平台。
比如代码中要这么设置

SystemProperties.set("property_name", "value");

默认会触发 SELinux 拒绝(logcat 中可看到针对 property_service 的 avc: denied ... { set } 报错),属性不会被修改。

实现

修改方法是在对应的 .te 中添加相应规则。注意不同平台的属性类型及需要修改的目录可能不一样,比如展锐的与 MTK 的就不一样。
如果不确定,可以先让 APP 跑起来,根据 logcat 中 SELinux 的 avc: denied 报错信息(其中的 scontext/tcontext 给出了域和属性类型)来做修改。
第一步是在 system_app.te 中添加 default_prop:property_service set;第二步是在两处 domain.te 的 neverallow 中为 system_app 添加例外。
注意:这些 neverallow 是 AOSP 有意设置的安全边界——default_prop 是所有未在 property_contexts 中标记的属性的兜底类型,放开它等于允许 system_app 写任意未标记属性;而修改 prebuilts/api 下的策略只是绕过编译期的冻结比对,CTS 仍会按 AOSP 的 neverallow 进行校验。更规范的做法是在 property.te 中为该属性单独定义一个类型、在 property_contexts 中给属性打上该标签,然后只对该类型授予 set 权限,这样无需修改任何 neverallow。

MTK

权限是default_prop:property_service set
因为 Android 版本是 8,所以 domain.te 选的是 prebuilts/api/26.0 目录下的(该目录是冻结的策略快照,编译时会与 public/domain.te 做一致性比对,因此两处需同步修改)。

diff --git a/device/mediatek/sepolicy/bsp/non_plat/system_app.te b/device/mediatek/sepolicy/bsp/non_plat/system_app.te
index ca5fca1392..eb99644918 100755
--- a/device/mediatek/sepolicy/bsp/non_plat/system_app.te
+++ b/device/mediatek/sepolicy/bsp/non_plat/system_app.te
@@ -149,5 +149,5 @@ allow system_app protect_s_data_file:dir { getattr search read open add_name rem
-
+allow system_app default_prop:property_service { set };
 allow system_app ota_package_file:file {append};
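Review bot: `default_prop` is the catch-all label for properties that have no entry in property_contexts, so the added `allow system_app default_prop:property_service { set };` grants every process in the system_app domain write access to every unlabeled property on the device, not just the one property named in the requirement. The least-privilege fix is to give that property its own label — declare a type such as `type property_name_prop, property_type;` in property.te, map it with `property_name u:object_r:property_name_prop:s0` in property_contexts, and grant only `set_prop(system_app, property_name_prop)` — which also makes the neverallow edits in the later hunks unnecessary. The system_app.te rule list continues on both sides of this hunk, so the adjacent context is not visible here.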
diff --git a/system/sepolicy/prebuilts/api/26.0/public/domain.te b/system/sepolicy/prebuilts/api/26.0/public/domain.te
index d2b370a21b..8cb180314c 100644
--- a/system/sepolicy/prebuilts/api/26.0/public/domain.te
+++ b/system/sepolicy/prebuilts/api/26.0/public/domain.te
@@ -441,7 +441,7 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
 
 # Require that domains explicitly label unknown properties, and do not allow
 # anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
+neverallow { domain -init -system_app -service_manager_type } default_prop:property_service set;
 neverallow { domain -init } mmc_prop:property_service set;
 
 # Do not allow reading device's serial number from system properties except form
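Review bot: The file being edited is the frozen API-26 policy snapshot under prebuilts/api/, and changing it only silences the build-time comparison against public/domain.te; the same neverallow is exercised by CTS (the SELinux neverallow-rule tests are generated from the AOSP policy), so a device shipping this hunk should be expected to fail that test rather than pass review. The added `-service_manager_type` exemption is also unexplained: that attribute appears to be applied to binder service labels rather than to process domains, so it exempts no process here and should be dropped. If the property is labeled with its own type and system_app is granted set on that type, this file needs no change at all.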
diff --git a/system/sepolicy/public/domain.te b/system/sepolicy/public/domain.te
index 714a6b3af8..dbee8685e4 100644
--- a/system/sepolicy/public/domain.te
+++ b/system/sepolicy/public/domain.te
@@ -444,7 +444,7 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
 
 # Require that domains explicitly label unknown properties, and do not allow
 # anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
+neverallow { domain -init -system_app -service_manager_type } default_prop:property_service set;
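Review bot: The rule being weakened exists, per the comment two lines above it, precisely so that no domain other than init can write a property nobody has labeled; adding `-system_app` to the exemption list replaces an explicit labeling requirement with a blanket write grant from every system_app process to every unlabeled property, including ones other platform or vendor components may read and trust. The upstream-compatible alternative keeps this neverallow untouched: declare a dedicated property type in property.te, label the property in property_contexts, and grant `allow system_app property_name_prop:property_service set;` (or the equivalent `set_prop` macro) for that type only. The `-service_manager_type` exemption is not motivated by the commit and appears to name a service-label attribute rather than a domain, so it should be removed.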

展锐

要改 system_app.te,添加权限 vendor_default_prop:property_service set,
然后在 domain.te 及 property.te 的 neverallow 中把 system_app 添加为例外。
Android 11 对应 prebuilts/api/30.0(同样是冻结快照,需与 public/ 下的策略同步修改)。
patch如下

diff --git a/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te b/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te
index aeff2a14a4..3845e041d8 100755
--- a/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te
+++ b/device/sprd/mpool/module/app/msepolicy/vendor/system_app.te
@@ -93,5 +93,5 @@ allow system_app radio_noril_prop:file { read open getattr };
 allow system_app prod_file:dir { remove_name };
 allow system_app sysfs:file { getattr open read };
 allow system_app sysfs:dir { search };
-
+allow system_app vendor_default_prop:property_service { set };
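Review bot: `vendor_default_prop` is the fallback label for vendor-namespace properties that have no explicit property_contexts entry, so this rule lets system_app write any unlabeled vendor property, and because system_app is a coredomain it is also the system-writes-vendor-property Treble violation that the property.te neverallow later in this patch has to be weakened to permit. If the property is owned and written by a system application it belongs in a system-owned namespace with its own type — `system_public_prop(property_name_prop)` in system property.te plus a property_contexts entry — after which `set_prop(system_app, property_name_prop)` is allowed without touching any neverallow. If it genuinely must stay a vendor property, give it a dedicated vendor type rather than granting the catch-all. Which prefixes fall under vendor_default_prop is inferred from the AOSP conventions and should be confirmed against this tree's vendor property_contexts.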

diff --git a/system/sepolicy/prebuilts/api/30.0/public/domain.te b/system/sepolicy/prebuilts/api/30.0/public/domain.te
index 1d3f8a071d..a0a2f694aa 100644
--- a/system/sepolicy/prebuilts/api/30.0/public/domain.te
+++ b/system/sepolicy/prebuilts/api/30.0/public/domain.te
@@ -530,7 +530,7 @@ compatible_property_only(`
     neverallow { domain -init } exported_secure_prop:property_service set;
     neverallow { domain -init } exported2_default_prop:property_service set;
     neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
-    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+    neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;
     neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
 ')
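Review bot: This hunk edits the frozen API-30 snapshot under prebuilts/api/30.0, which only makes the build's freeze comparison against public/domain.te pass; CTS still enforces the AOSP neverallow, so the device is likely to fail the SELinux neverallow-rule tests with this change. The existing exemptions on this line, `-init -vendor_init`, are the two property-service writers that legitimately own unlabeled vendor properties, and adding a coredomain app to them widens a vendor-side rule to the system side. Label the property with its own type instead and leave the prebuilt untouched.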
 
diff --git a/system/sepolicy/prebuilts/api/30.0/public/property.te b/system/sepolicy/prebuilts/api/30.0/public/property.te
index 43b09db8d1..c944270a9e 100644
--- a/system/sepolicy/prebuilts/api/30.0/public/property.te
+++ b/system/sepolicy/prebuilts/api/30.0/public/property.te
@@ -568,6 +568,7 @@ compatible_property_only(`
     coredomain
     -init
     -system_writes_vendor_properties_violators
+    -system_app
   } {
     property_type
     -system_property_type
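Review bot: The neverallow being relaxed is the system/vendor property boundary (coredomain may only set system_property_type properties), and the `system_writes_vendor_properties_violators` attribute two lines above the insertion is the existing, tracked escape hatch for exactly this situation; if the vendor-property write truly cannot be avoided, `typeattribute system_app system_writes_vendor_properties_violators;` in device policy achieves the same effect without editing AOSP rules, though whether this tree still permits adding domains to that attribute should be checked. Editing the frozen prebuilts/api/30.0 copy only silences the build-time freeze check and does not change what CTS verifies. The preferable fix is to move the property to a system-owned type so no exemption is needed at all.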
diff --git a/system/sepolicy/public/domain.te b/system/sepolicy/public/domain.te
index 1d3f8a071d..a0a2f694aa 100644
--- a/system/sepolicy/public/domain.te
+++ b/system/sepolicy/public/domain.te
@@ -530,7 +530,7 @@ compatible_property_only(`
     neverallow { domain -init } exported_secure_prop:property_service set;
     neverallow { domain -init } exported2_default_prop:property_service set;
     neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
-    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+    neverallow { domain -init -vendor_init -system_app } vendor_default_prop:property_service set;
     neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
 ')
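Review bot: Adding `-system_app` to this `vendor_default_prop` neverallow lets a coredomain app write every vendor property that lacks an explicit label, which is far broader than the single property the change is meant to enable, and it diverges the shipped policy from AOSP in a way CTS is designed to catch. Keep the rule as it was and instead give the property a dedicated type with a property_contexts entry, granting system_app `set` on that type only; if the property must remain vendor-owned, route the exemption through the `system_writes_vendor_properties_violators` attribute referenced in property.te rather than through this line. The neverallow sits inside a `compatible_property_only(` block whose opening is outside this hunk.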
 
diff --git a/system/sepolicy/public/property.te b/system/sepolicy/public/property.te
index 43b09db8d1..c944270a9e 100644
--- a/system/sepolicy/public/property.te
+++ b/system/sepolicy/public/property.te
@@ -568,6 +568,7 @@ compatible_property_only(`
     coredomain
     -init
     -system_writes_vendor_properties_violators
+    -system_app
   } {
     property_type

作者:帅得不敢出门 csdn原创谢绝转载


转载自blog.csdn.net/zmlovelx/article/details/132448150