How to inject SELinux policies permanently in andr

Posted 2019-08-22 10:07

Question:

I have a rooted android device and I need to inject following policies into it:

sepolicy-inject -s init -t su -c process -p transition -l
sepolicy-inject -s su -t system_file -c file -p entrypoint -l
sepolicy-inject -s init -t su -c process -p rlimitinh -l
sepolicy-inject -s init -t su -c process -p siginh -l
sepolicy-inject -s su -t shell_exec -c file -p read -l
sepolicy-inject -s su -t shell_exec -c file -p execute -l
sepolicy-inject -s su -t shell_exec -c file -p getattr  -l
sepolicy-inject -s su -t vendor_toolbox_exec -c file -p execute_no_trans -l
sepolicy-inject -s init -t su -c process -p noatsecure -l
sepolicy-inject -s su -t toolbox_exec -c file -p getattr -l
sepolicy-inject -s su -t toolbox_exec -c file -p execute -l
sepolicy-inject -s su -t system_file -c file -p execute_no_trans -l
sepolicy-inject -s su -t storage_file -c dir -p search -l
sepolicy-inject -s su -t storage_file -c lnk_file -p read -l
sepolicy-inject -s su -t tmpfs -c dir -p search -l
sepolicy-inject -s su -t mnt_user_file -c dir -p search -l
sepolicy-inject -s su -t mnt_user_file -c lnk_file -p read -l
sepolicy-inject -s su -t sdcardfs -c dir -p search -l
sepolicy-inject -s su -t sdcardfs -c file -p append -l
sepolicy-inject -s su -t toolbox_exec -c file -p read -l
sepolicy-inject -s su -t toolbox_exec -c file -p open -l
sepolicy-inject -s su -t sdcardfs -c file -p read -l
sepolicy-inject -s su -t sdcardfs -c file -p write -l

As you can see, I am using sepolicy-inject commands to inject the required policies. I am facing a problem where, on reboot, these policies no longer exist.

As per my understanding, the new policies are injected at the /sys/fs/selinux/policy location, and this is not persistent storage. Also, there is a file on the root partition, /sepolicy, which contains these policy rules.

I found ./sepolicy in boot.img. I have an A/B partition device, so the ./sepolicy in boot.img is for recovery only.

Now, I am not able to understand how to inject the required policies permanently into the device, for the following reasons:

  1. /sys/fs/selinux/policy and /sepolicy are not on a persistent storage partition.
  2. boot.img only contains SELinux policies that are available in recovery only.

Please suggest how can I achieve my goal.

Answer 1:

"/sepolicy" is on a ramdisk, so it's temporary. You can solve it by putting those commands in some "init" script that will run the "sepolicy-inject ..." commands at bootup ;)
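The boot-time script the answer suggests, written out as an added example (this is not code from the original question or answer). It carries the same 23 allow rules the question lists, one per line, and re-applies them with sepolicy-inject -l on every boot. Assumptions not taken from the page: the binary path /system/xbin/sepolicy-inject, the log path under /data/local/tmp, and the script name sepolicy-reapply.sh are all placeholders; and whatever starts the script (an init.rc service, or a post-fs-data hook on a rooted device) must already run in a domain that is allowed to write /sys/fs/selinux/load, otherwise the -l load itself is denied. Each rule is applied separately so that one type that does not exist on a particular build does not stop the others from being loaded.

```shell
#!/bin/sh
# Added example, not from the original post: re-apply the question's sepolicy-inject
# rules at boot. Start it from an init script with the argument "apply".
# Assumptions (placeholders, not taken from the page): the binary path below and the log path.

SEPOLICY_INJECT="${SEPOLICY_INJECT:-/system/xbin/sepolicy-inject}"
LOG="${LOG:-/data/local/tmp/sepolicy-inject.log}"

# One rule per line: "source target class permission" (the same rules as in the question).
RULES='init su process transition
su system_file file entrypoint
init su process rlimitinh
init su process siginh
su shell_exec file read
su shell_exec file execute
su shell_exec file getattr
su vendor_toolbox_exec file execute_no_trans
init su process noatsecure
su toolbox_exec file getattr
su toolbox_exec file execute
su system_file file execute_no_trans
su storage_file dir search
su storage_file lnk_file read
su tmpfs dir search
su mnt_user_file dir search
su mnt_user_file lnk_file read
su sdcardfs dir search
su sdcardfs file append
su toolbox_exec file read
su toolbox_exec file open
su sdcardfs file read
su sdcardfs file write'

# The command line for one rule; -l loads the modified policy into the running kernel.
rule_cmd() {
    printf '%s -s %s -t %s -c %s -p %s -l' "$SEPOLICY_INJECT" "$1" "$2" "$3" "$4"
}

# Number of rules in $RULES (blank lines ignored).
rule_count() {
    printf '%s\n' "$RULES" | grep -c .
}

# Apply every rule. Prints the number applied and returns non-zero if any rule failed or
# if the prerequisites (selinuxfs mounted, binary present) are missing.
apply_rules() {
    if [ ! -e /sys/fs/selinux/policy ]; then
        echo "selinuxfs not mounted; nothing to do" >&2
        return 1
    fi
    if [ ! -x "$SEPOLICY_INJECT" ]; then
        echo "missing $SEPOLICY_INJECT" >&2
        return 1
    fi
    applied=0
    failed=0
    # Here-document instead of a pipe so the counters survive the loop in plain sh.
    while read -r src tgt cls perm; do
        [ -n "$src" ] || continue
        if "$SEPOLICY_INJECT" -s "$src" -t "$tgt" -c "$cls" -p "$perm" -l >>"$LOG" 2>&1; then
            applied=$((applied + 1))
        else
            failed=$((failed + 1))
            echo "failed: $(rule_cmd "$src" "$tgt" "$cls" "$perm")" >>"$LOG"
        fi
    done <<EOF
$RULES
EOF
    echo "$applied applied, $failed failed" >>"$LOG"
    echo "$applied"
    [ "$failed" -eq 0 ]
}

# Only act when invoked with "apply", so the file can also be sourced to inspect the rules.
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

On the device the shebang is irrelevant when init runs it explicitly, for example with a service line such as `service sepolicy_reapply /system/bin/sh /data/adb/sepolicy-reapply.sh apply` (path and service name are assumptions) marked `oneshot` and triggered after /data is mounted; the log file is the first place to look when a rule is silently missing after a reboot.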