Rishikesh pathak

Reputation: 433

Add vendor service to ServiceManager with android treble architecture[SELinux policy]

Note: I am a beginner in SELinux policy and followed vndservicemanager by Android.

I have a Java service (MyService) that starts on the BootComplete receiver. Now I am adding myservice to ServiceManager in onCreate of MyService.java.

ServiceManager.addService(mysystemservice, mybinder);

As per the Treble architecture, I moved my application to the vendor image partition by adding the line below in the application's Android.mk.

LOCAL_VENDOR_MODULE := true

I made the changes below in the OEM SELinux policy. Earlier it was written for a system service; now, as I moved the application to vendor, I made changes for a vendor service. I am providing both the old and the current SE policy.

Created Context "my_service"

OLD

In private/service_contexts

mysystemservice u:object_r:my_service:s0

NOW

In vendor/common/vndservice_contexts

mysystemservice u:object_r:my_service:s0

Defined Service Type

OLD

In public/service.te

type my_service, service_manager_type;

NOW

In vendor/common/vndservice.te

type my_service, vndservice_manager_type;

Now giving the add permission

OLD

In public/servicemanager.te

allow system_app my_service:service_manager add;

NOW

In abc.te

type abc, domain;
type abc_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(abc)

vndbinder_use(abc)

binder_call(abc, system_app)

add_service(abc, my_service)

allow abc my_service:service_manager find;
allow abc my_service:service_manager add;

After the above changes and a full build, I can see my service context is part of out/product/target/vendor/etc/selinux/vndservice_contexts instead of out/product/target/system.

But once MyService.java tries to add "mysystemservice" to ServiceManager by

ServiceManager.addService(mysystemservice, mybinder);

I get the **avc denied** error below:

E/SELinux: avc: denied { add } for service=mysystemservice pid=7588 uid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
2019-11-14 12:44:39.613 592-592/? E/ServiceManager: add_service('mysystemservice',b0) uid=1000 - PERMISSION DENIED

As we can see in the log above, the target context is taking the default "tcontext=u:object_r:default_android_service:s0" instead of "my_service".

Note: If I keep the changes for the system image everything works fine; the only issue is when I move the SE policy changes to vendor.

Please let me know if I missed something or if there is any other way to add the service.

Upvotes: 5

Views: 3918

Answers (1)

Nitin Rahoria

Reputation: 39

One problem I can see is that you are using abc.te, but you have not defined this in your seapp_contexts inside vendor/common/.

You should define something like below:

user=system
seinfo=platform
name=your.package.name
domain=abc
type=system_app_data_file

After this change the avc error will point to the abc app domain.

Upvotes: 0
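The denial in the question and the seapp_contexts suggestion in the answer are two halves of the same access decision: seapp_contexts decides which domain the app process runs in (the scontext), the contexts file of whichever servicemanager receives the call decides which label the service name gets (the tcontext), and the allow rules decide whether that pair may perform `add`. The toy model below, added here as an illustration and not code from AOSP or from either poster, replays those three lookups on constructed excerpts of the files named on this page. It assumes that the framework servicemanager behind `ServiceManager.addService` (on /dev/binder) labels names from service_contexts while vndservicemanager (on /dev/vndbinder) labels them from vndservice_contexts, each falling back to its `*` line when the name is unknown; the package name `com.example.myservice` and the file contents are constructed, and attributes such as `vndservice_manager_type` are not expanded.

```python
# Added illustration (not AOSP code): a toy model of the three lookups that
# decide the outcome of ServiceManager.addService() under SELinux.
#   1. seapp_contexts        -> which domain the app process runs in (scontext)
#   2. (vnd)service_contexts -> which label the service name gets (tcontext)
#   3. allow rules           -> whether scontext may 'add' that tcontext
# Assumption: the framework servicemanager (/dev/binder) labels names from
# service_contexts, while vndservicemanager (/dev/vndbinder) uses
# vndservice_contexts; each falls back to its '*' line when no name matches.
import re

def _lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def parse_seapp_contexts(text):
    """'key=value key=value ...' per line -> list of dicts."""
    return [dict(tok.split("=", 1) for tok in line.split()) for line in _lines(text)]

def app_domain(entries, user, seinfo, name):
    """Return the domain for an app; an entry naming the package is preferred
    over a generic one (simplified ordering, not libselinux's full algorithm)."""
    best = None
    for e in entries:
        if e.get("user") != user or e.get("seinfo") != seinfo:
            continue
        if "name" in e and e["name"] != name:
            continue
        if best is None or ("name" in e and "name" not in best):
            best = e
    return best["domain"] if best else None

def parse_service_contexts(text):
    """'<service name> <context>' per line -> list of (name, context)."""
    return [tuple(line.split()) for line in _lines(text)]

def service_context(rules, name):
    """Exact name match wins; otherwise the '*' catch-all line applies."""
    for pat, ctx in rules:
        if pat == name:
            return ctx
    for pat, ctx in rules:
        if pat == "*":
            return ctx
    return None

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_allow_rules(text):
    """'allow src tgt:class perm;' or '{ p1 p2 }' -> set of (src, tgt, class, perm).
    Attributes such as vndservice_manager_type are not expanded here."""
    rules = set()
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        for perm in perms.strip("{} ").split():
            rules.add((src, tgt, cls, perm))
    return rules

def type_of(context):
    """'u:r:system_app:s0' -> 'system_app'."""
    return context.split(":")[2]

def add_decision(service_rules, allow_rules, scontext, name):
    """Label the service name and decide 'add'; returns (tcontext, allowed)."""
    tcontext = service_context(service_rules, name)
    allowed = (type_of(scontext), type_of(tcontext), "service_manager", "add") in allow_rules
    return tcontext, allowed

# Constructed sample inputs modelled on the question and the answer.
PLAT_SERVICE_CONTEXTS = """
activity u:object_r:activity_service:s0
*        u:object_r:default_android_service:s0
"""
VND_SERVICE_CONTEXTS = """
mysystemservice u:object_r:my_service:s0
*               u:object_r:default_android_vndservice:s0
"""
POLICY = """
allow system_app my_service:service_manager add;
allow abc my_service:service_manager { find add };
"""
SEAPP_CONTEXTS = """
user=system seinfo=platform domain=system_app type=system_app_data_file
user=system seinfo=platform name=com.example.myservice domain=abc type=system_app_data_file
"""

if __name__ == "__main__":
    allow = parse_allow_rules(POLICY)
    scontext = "u:r:system_app:s0"
    # Framework servicemanager path: the name is unknown there, so it falls back
    # to default_android_service and 'add' is denied, matching the question's log.
    print(add_decision(parse_service_contexts(PLAT_SERVICE_CONTEXTS), allow, scontext, "mysystemservice"))
    # vndservicemanager path: the vendor contexts file knows the name.
    print(add_decision(parse_service_contexts(VND_SERVICE_CONTEXTS), allow, scontext, "mysystemservice"))
    # seapp_contexts decides the scontext in the first place.
    print(app_domain(parse_seapp_contexts(SEAPP_CONTEXTS), "system", "platform", "com.example.myservice"))
```

Running it reproduces the shape of the logged denial: the framework servicemanager labels `mysystemservice` as `default_android_service` because the entry lives only in vndservice_contexts, so no `allow ... my_service:service_manager add` rule can match, whichever domain the app runs in. The same name looked up through the vendor contexts resolves to `my_service`, and the seapp_contexts entry is what moves the process from `system_app` into `abc`, which is why a missing entry leaves the scontext unchanged in the avc line.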
