cshushu

Reputation: 109

SEPolicy for Android Native binder client

I'm new to the Android world

I want to know how to set SEPolicy for a native binder client program (and what to set as well).

I'm using vendor binder (vndservicemanager), with reference to Using Binder IPC

And I added some files for the required SEPolicy


Now I have two built executables -- my_binder_service and my_client

both of them are under /vendor/bin/

my_binder_service is started at boot time, and it will add service to vendor servicemanager

my_client is a program that uses binder IPC to execute some function from my_binder_service

Here's my setting in init.rc

service my_binder_service /vendor/bin/my_binder_service
    class main
    class oneshot
    class console
    seclabel u:r:my_binder_service:s0

What I have so far:

  1. my_binder_service is successfully started at boot time
  2. It can add service to vendor servicemanager
  3. my_client behaves well under permissive mode

Things above are verified under enforcing mode, by ps -AZ and vndservice list command


However, my_client runs into a segmentation fault under enforcing mode

I check the denied message by

dmesg | grep avc | grep my_
logcat | grep avc: | grep my_

But I didn't find any message under either permissive or enforcing mode

I also check the contexts of these 2 running process by ps -AZ :

u:r:my_binder_service:s0  <- for my_binder_service
u:r:su:s0                 <- for my_client

I found that the process context is not set correctly for my_client

And I think this might be the issue of my_client under enforcing mode

I think my_binder_service is set correctly because of the seclabel command in init.rc file

But I don't know where to set the process context for my_client

Here's the content of my_client.te (my_binder_service.te is similar to this)

type my_client, domain;
type my_client_exec, exec_type, file_type, vendor_file_type;

init_daemon_domain(my_client)

allow my_client my_client_exec:file entrypoint;
allow my_client serial_device:chr_file { read write };

vndbinder_use(my_client);
binder_call(my_client, my_binder_service);

and file context is specified in file_context file

/vendor/bin/my_binder_service      u:object_r:my_binder_service_exec:s0
/vendor/bin/my_client              u:object_r:my_client_exec:s0

Is anything missing in the SEPolicy part?

Or this isn't an issue about SEPolicy?

Upvotes: 1

Views: 1696

Answers (1)

cshushu

Reputation: 109

I found a solution to my question a few hours later.

It turned out that it's not related to the SEPolicy of client program


First, I found that vndservice list didn't list my_binder_service under enforcing mode; I had mixed it up with the result from permissive mode.

Then, I re-check the SOP in Using Binder IPC again to see if I missed anything.

And in fact! I did miss a lot of things...


Here are all the modifications I made

# In vndservice_contexts 
my_binder_service                         u:object_r:my_binder_service:s0

I thought seclabel in init.rc works, but it turned out that this line is still necessary

# In my_binder_service.te
type my_binder_service, domain, vndservice_manager_type;
allow my_binder_service self:service_manager add;

vndservice_manager_type is added and the allow rule is added based on the logcat | grep avc: result and the audit2allow command

The only change I made in my_client.te is that I deleted init_daemon_domain() in it

Since I find it unreasonable after checking the te_macros file


And finally, everything works under enforcing mode

Except that the process context for my_client is still su instead of my_client, which I think might be irrelevant to this issue.

Maybe the only thing that matters to the IPC between client and server is the following lines

binder_call(my_client, my_binder_service);
binder_call(my_binder_service, my_client);

Upvotes: 1
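
Added example, not part of the original answer: a minimal Python stand-in for the logcat | grep avc: plus audit2allow step the answer describes, showing how a denial whose source and target types are the same becomes a self rule like the one added to my_binder_service.te. The log lines, pids and uid are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape SELinux denials take in logcat.
# pids, uid and timestamps are made up; type names are the ones from this page.
SAMPLE_LOG = """\
E SELinux : avc:  denied  { add } for service=my_binder_service pid=412 uid=0 scontext=u:r:my_binder_service:s0 tcontext=u:object_r:my_binder_service:s0 tclass=service_manager permissive=0
W my_client: type=1400 audit(0.0:31): avc: denied { call } for scontext=u:r:my_client:s0 tcontext=u:r:my_binder_service:s0 tclass=binder permissive=0
I my_client: unrelated log line without a denial
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Merge denials per (source, target, class) and emit candidate allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial line
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        merged[key].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        # Same source and target type is written as "self", as audit2allow does.
        target = "self" if src == tgt else tgt
        plist = sorted(perms)
        ptext = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {target}:{tclass} {ptext};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

The output is a list of candidate rules to review against the policy; here the second one is already covered by binder_call(my_client, my_binder_service).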
