I have a rooted android device and I need to inject the following policies into it:
sepolicy-inject -s init -t su -c process -p transition -l
sepolicy-inject -s su -t system_file -c file -p entrypoint -l
sepolicy-inject -s init -t su -c process -p rlimitinh -l
sepolicy-inject -s init -t su -c process -p siginh -l
sepolicy-inject -s su -t shell_exec -c file -p read -l
sepolicy-inject -s su -t shell_exec -c file -p execute -l
sepolicy-inject -s su -t shell_exec -c file -p getattr -l
sepolicy-inject -s su -t vendor_toolbox_exec -c file -p execute_no_trans -l
sepolicy-inject -s init -t su -c process -p noatsecure -l
sepolicy-inject -s su -t toolbox_exec -c file -p getattr -l
sepolicy-inject -s su -t toolbox_exec -c file -p execute -l
sepolicy-inject -s su -t system_file -c file -p execute_no_trans -l
sepolicy-inject -s su -t storage_file -c dir -p search -l
sepolicy-inject -s su -t storage_file -c lnk_file -p read -l
sepolicy-inject -s su -t tmpfs -c dir -p search -l
sepolicy-inject -s su -t mnt_user_file -c dir -p search -l
sepolicy-inject -s su -t mnt_user_file -c lnk_file -p read -l
sepolicy-inject -s su -t sdcardfs -c dir -p search -l
sepolicy-inject -s su -t sdcardfs -c file -p append -l
sepolicy-inject -s su -t toolbox_exec -c file -p read -l
sepolicy-inject -s su -t toolbox_exec -c file -p open -l
sepolicy-inject -s su -t sdcardfs -c file -p read -l
sepolicy-inject -s su -t sdcardfs -c file -p write -l
As you can see, I am using sepolicy-inject commands to inject the required policies. I am facing a problem where on reboot these policies no longer exist.
As per my understanding the new policies are injected at the /sys/fs/selinux/policy location and this is not persistent storage. Also, there is a file on the root partition, /sepolicy, which contains these policy rules.
I found ./sepolicy in boot.img. I have an A/B partition device so the ./sepolicy in boot.img is for recovery only.
Now, I am not able to understand how to inject the required policies permanently to the device because of the following reasons: /sys/fs/selinux/policy and /sepolicy are not on a permanent storage partition, and boot.img only contains SELinux policies that are available on recovery only.
Please suggest how can I achieve my goal.
"/sepolicy" is a ramdisk so it's temporary. You can solve it by putting that command in some "init" script that will run "sepolicy-inject ..." commands at bootup ;)
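One way to do what the answer suggests, as an added example that is not part of the question or the answer: a boot script that re-applies the rule list from the question on every boot, counts what succeeded and failed, and confirms the device is still enforcing afterwards. It assumes `sepolicy-inject` is on PATH (or that `SEPOLICY_INJECT` points at it), that your root solution runs the script as root at boot, and that the script file is named `apply_sepolicy.sh`; all three are assumptions, not something the page states. The injector command is a parameter so the functions can be exercised with `true`/`false` in place of the real binary.

```shell
#!/system/bin/sh
# Added example: re-apply sepolicy-inject rules at boot, because the loaded
# policy at /sys/fs/selinux/policy is rebuilt from the ramdisk's /sepolicy on
# every boot. Assumptions: sepolicy-inject is on PATH (or SEPOLICY_INJECT is
# set), and the root solution runs this file as root during boot.

# Rule list constructed from the commands in the question:
# one rule per line as "source target class permission".
SEPOLICY_RULES='
init su process transition
su system_file file entrypoint
init su process rlimitinh
init su process siginh
su shell_exec file read
su shell_exec file execute
su shell_exec file getattr
su vendor_toolbox_exec file execute_no_trans
init su process noatsecure
su toolbox_exec file getattr
su toolbox_exec file execute
su system_file file execute_no_trans
su storage_file dir search
su storage_file lnk_file read
su tmpfs dir search
su mnt_user_file dir search
su mnt_user_file lnk_file read
su sdcardfs dir search
su sdcardfs file append
su toolbox_exec file read
su toolbox_exec file open
su sdcardfs file read
su sdcardfs file write
'

# Number of non-empty rule lines, so a log line can say how many were handled.
count_rules() {
    n=0
    while read -r src rest; do
        [ -n "$src" ] && n=$((n + 1))
    done <<EOF
$SEPOLICY_RULES
EOF
    echo "$n"
}

# Run one rule through the injector. $1 is the injector command (a parameter
# so this can be tested without the real binary); $2..$5 are source, target,
# class and permission, matching the -s/-t/-c/-p flags used in the question.
inject_rule() {
    "$1" -s "$2" -t "$3" -c "$4" -p "$5" -l
}

# Apply every rule, continuing past failures so one bad rule does not leave
# the rest unapplied. Prints "applied=N failed=M"; returns non-zero on any failure.
apply_rules() {
    injector="${1:-${SEPOLICY_INJECT:-sepolicy-inject}}"
    applied=0
    failed=0
    while read -r src tgt cls perm; do
        [ -z "$src" ] && continue
        if inject_rule "$injector" "$src" "$tgt" "$cls" "$perm"; then
            applied=$((applied + 1))
        else
            failed=$((failed + 1))
            echo "sepolicy: failed: $src $tgt $cls $perm" >&2
        fi
    done <<EOF
$SEPOLICY_RULES
EOF
    echo "applied=$applied failed=$failed"
    [ "$failed" -eq 0 ]
}

main() {
    # Refuse to run if the live policy interface is not there.
    [ -e /sys/fs/selinux/policy ] || { echo "sepolicy: no live policy" >&2; exit 1; }
    echo "sepolicy: applying $(count_rules) rules"
    apply_rules
    # These rules only widen what the su domain may do; the device should still
    # report Enforcing afterwards, so log the mode as a sanity check.
    echo "sepolicy: mode is $(getenforce)"
}

# Only run main when invoked as the boot script itself (assumed file name).
case "${0##*/}" in
    apply_sepolicy.sh) main ;;
esac
```

Because `sepolicy-inject` only edits the policy the kernel currently has loaded, the script has to run after SELinux is up and on every boot; where the root solution looks for boot scripts varies, so check your own solution's documentation for the directory it runs scripts from.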