Preface
Quick notes.
Steps
1. First, verify whether the problem is SELinux permission related
In an eng build, run:
setenforce 0
This temporarily disables SELinux enforcement; then re-test. (Note: sometimes it really is a permission problem, yet this test is not always conclusive; in that case, confirm it from the log.)
2. Grant the executable its permissions:
src\device\qcom\sepolicy\common\file_contexts
# [email protected] 20180108 add unlock start
/vendor/bin/unlockcheck u:object_r:unlockcheck_exec:s0
# [email protected] 20180108 add unlock end
# Newly added policy file
src\device\qcom\sepolicy\common\unlockcheck.te
# The following declarations are required for every executable domain
type unlockcheck, domain;
type unlockcheck_exec, file_type, vendor_file_type, exec_type;
init_daemon_domain(unlockcheck)
# The rules below were added one at a time from the kernel log: whichever denial is reported, add that rule
allow unlockcheck qdma_data_file:file create_file_perms;
allow unlockcheck qdma_data_file:dir create_dir_perms;
allow unlockcheck { proc sysfs }:file r_file_perms;
allow unlockcheck { proc sysfs }:dir r_dir_perms;
allow unlockcheck factory_data_file:file { read write open create getattr };
allow unlockcheck factory_data_file:dir { search write read add_name };
allow unlockcheck self:capability dac_override;
allow unlockcheck diag_device:chr_file {read write open ioctl};
# Added according to the log line (policy files use # for comments, not //):
# [ 342.204415] type=1400 audit(4504.179:161): avc: denied { search } for pid=5728 comm="unlockcheck" name="block" dev="tmpfs" ino=568 scontext=u:r:unlockcheck:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
# scontext=u:r:unlockcheck:s0   # the subject, unlockcheck; check with ls -Z / ps -Z
# tcontext=u:object_r:block_device:s0   # the object, block_device
# tclass=dir permissive=0   # the object's class, dir; grant only the permissions of that class that are actually needed
allow unlockcheck block_device:dir { search getattr read write };
allow unlockcheck proinfo_block_device:blk_file { open read write };
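Turning "avc: denied" lines into allow rules by hand, as described above, is error-prone and tends to grant more than the denial asked for. The script below is an added example (not part of the original note, and not the audit2allow tool from the SELinux project): it parses the denial lines, merges the denied permissions per (source type, target type, class) into one rule each, and flags rules a reviewer should look at twice. The log lines are constructed for the example (the first is the one quoted above, the others are made up), and the review heuristics are assumptions, not policy rules.

```python
import re
from collections import defaultdict

# Fields of an "avc: denied" line as the kernel prints it.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

# Constructed sample log: line 1 is the denial quoted in the note, the rest are made up.
SAMPLE_LOG = """\
[  342.204415] type=1400 audit(4504.179:161): avc: denied { search } for pid=5728 comm="unlockcheck" name="block" dev="tmpfs" ino=568 scontext=u:r:unlockcheck:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
[  342.204500] type=1400 audit(4504.179:162): avc: denied { getattr } for pid=5728 comm="unlockcheck" name="block" dev="tmpfs" ino=568 scontext=u:r:unlockcheck:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
[  342.301000] type=1400 audit(4504.280:163): avc: denied { read write open } for pid=5728 comm="unlockcheck" path="/dev/diag" dev="tmpfs" ino=1234 scontext=u:r:unlockcheck:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=0
[  342.310000] type=1400 audit(4504.290:164): avc: denied { dac_override } for pid=5728 comm="unlockcheck" capability=1 scontext=u:r:unlockcheck:s0 tcontext=u:r:unlockcheck:s0 tclass=capability permissive=0
[  342.400000] some unrelated kernel line
"""

# Assumption: capabilities that bypass ordinary DAC checks deserve a second look.
BROAD_CAPS = {"dac_override", "dac_read_search", "sys_admin"}


def type_of(context):
    """u:r:unlockcheck:s0 -> unlockcheck ; u:object_r:block_device:s0 -> block_device."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_denials(log_text):
    """Return (source_type, target_type, tclass, set(perms)) for every denial line."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; skip
        denials.append((
            type_of(m.group("scontext")),
            type_of(m.group("tcontext")),
            m.group("tclass"),
            set(m.group("perms").split()),
        ))
    return denials


def analyze(log_text):
    """Merge denials into one allow rule per (source, target, class); flag risky ones."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms

    rules, flagged = [], []
    for (src, tgt, cls), perms in sorted(merged.items()):
        # A domain acting on its own context (e.g. capabilities) is written as "self".
        target = "self" if src == tgt else tgt
        rule = f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};"
        rules.append(rule)

        reasons = []
        if perms & BROAD_CAPS:
            reasons.append("broad capability that bypasses DAC checks")
        if tgt.endswith("_device") and perms & {"write", "ioctl"}:
            reasons.append("write/ioctl on a device node")
        if reasons:
            flagged.append((rule, "; ".join(reasons)))
    return rules, flagged


if __name__ == "__main__":
    rules, flagged = analyze(SAMPLE_LOG)
    print("# generated rules")
    for r in rules:
        print(r)
    print("# rules to review before committing")
    for r, why in flagged:
        print(f"{r}   # {why}")
```

Running it on the sample prints three merged rules (one each for block_device:dir, diag_device:chr_file and self:capability) and marks the diag_device write and the dac_override capability for review. The merging matters because the kernel often reports one permission per line; the flagging is there because a rule generated from a denial is only a statement of what the program tried, not a judgement of whether it should be allowed.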