#文章目录

• #前言

• #SELinux来源

• #SELinux基本框架

• #SELinux 在不同版本的表现

• #使用audit2allow工具生成SELinux 权限

• #完整代码

#前言

先推荐下之前的SELinux文章，但是那个是7.1的，在9.0上已经在差别很大的了。

Android7.1 在init.rc 添加shell服务

题外话~

在企业里面做项目和在大学里面做有比较大的差别，企业需要把技术转变成产品，然后把产品拿出去卖来赚钱。所以就不得不考虑到研发周期，采购成本，还有销售渠道。如果研发花费了很大的力气都搞不定，或者硬件设计上本身存在非常大的风险和研发周期，那可能对项目会是致命性的。销售可以不断的吹牛，但是吹牛的时间越长，诚信成本就越大，要不然贾老板的车千呼万唤始出来之后为啥那么多问题。

#SELinux来源

SELinux 即Security-Enhanced Linux, 由美国国家安全局(NSA)发起, Secure Computing Corporation (SCC) 和 MITRE 直接参与开发, 以及很多研究机构(如犹他大学)一起参与的强制性安全审查机制, 该系统最初是作为一款通用访问软件，发布于 2000 年 12 月(代码采用 GPL 许可发布)。并在Linux Kernel 2.6 版本后, 有直接整合进入SELinux, 搭建在Linux Security Module(LSM)基础上, 目前已经成为最受欢迎，使用最广泛的安全方案。

#SELinux基本框架

SELinux 是典型的MAC-Mandatory Access Controls 实现, 对系统中每个对象都生成一个安全上下文(Security Context), 每一个对象访问系统的资源都要进行安全上下文审查。审查的规则包括类型强制检测(type enforcement), 多层安全审查(Multi-Level Security), 以及基于角色的访问控制(RBAC: Role Based Access Control).

SELinux 搭建在Linux Security Module(LSM)基础上, 关于 LSM 架构的详细描述请参见文章 “Linux Security Modules: General Security Support for the Linux Kernel”, 该文章在 2002 年的 USENIX Security 会议上发表。有完整的实现LSM 的所有hook function. SELinux 的整体结构如下图所示:

#SELinux 在不同版本的表现

安卓在很早就已经执行了SELinux了，但是在不同的安卓版本，使用起来还是有些差别，现在我们用到了安卓9.0，可以说是最严格的权限了。以前修改一个allow的编译问题，如果不可以，就去domain.te里面把neverallow相关的添加进去，9.0上已经不行了，必须要严格安卓标准来声明和申请。

#使用audit2allow工具生成SELinux 权限

这个工具决定是一个神器，这个工具可以在SDK里面找到，有了这个工具后，再把SELinux的错误保存到一个文件里面，这样就可以使用工具来生成allow的权限问题了。

工具位置：

./external/selinux/prebuilts/bin/audit2allow

参考：

https://blog.csdn.net/q1183345443/article/details/90438283

#完整代码

我们项目需要开启一个服务，这个服务就是几个脚本的事情，这个脚本可以直接写在init.rc里面。不过呢，我考虑到直接写在init.rc里面总是出现各种问题，替换起来也比较麻烦，还有一点是写成可执行文件服务和init.rc里面执行的服务，在SELinux的权限要求还有差别。

这个问题跟几个大牛也讨论过，因为这个问题我们邓总还加班给我搞，可惜的是还是没有搞定，主要是方向没有找对，第二天我自己再看了下代码，觉得我应该是那个万中无一的男人，然后我也没干啥，在SELinux的file_context文件里面找了一个一样需要exec服务的东东，然后打开source insight，先全局搜索一下，按照这个东东依次添加进去。特别要注意的是，因为在source insight里面修改不会加回车，需要在Linux里面再修改回来一次，要不然导致的问题是编译不通过。

再然后就是编译了，如果还是局部编译可能还是有问题，因为之前乱改的很多东西对环境有影响了，然后我删了out全局编译。烧录后使用top命令看了看服务，惊讶的发现，服务已经起来了。

开机的时候，还是会看到很多SELinux的权限问题，这个就需要使用我们上面的工具来修改下了。

这套完整代码，只适合在android9.0上去用，如果是其他安卓版本的话，只能作为参考，但是在低版本上肯定比9.0容易得多。

diff --git a/device/mediatek/sepolicy/basic/plat_private/file_contexts b/device/mediatek/sepolicy/basic/plat_private/file_contexts
index f306119717..3271d2b624 100644
--- a/device/mediatek/sepolicy/basic/plat_private/file_contexts
+++ b/device/mediatek/sepolicy/basic/plat_private/file_contexts
@@ -42,3 +42,5 @@
/sys/devices/platform/vibrator@0/leds/vibrator(/.*)? u:object_r:sysfs_vibrator:s0

/sys/block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
+/system/bin/zigbee_service u:object_r:zigbee_service_exec:s0
+
diff --git a/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te b/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te
new file mode 100755
index 0000000000..94c23d7ec3
--- /dev/null
+++ b/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te
@@ -0,0 +1,20 @@
+#typeattribute zigbee_service coredomain;
+#type zigbee_service, domain;
+#type zigbee_service_exec, exec_type, file_type;
+#permissive zigbee_service;
+#init_daemon_domain(zigbee_service)
+
+# New added for move to /system
+typeattribute zigbee_service coredomain;
+type zigbee_service_exec , exec_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(zigbee_service)
+allow zigbee_service shell_exec:file execute;
+#allow zigbee_service zigbee_service_exec:file        { getattr read open execute execute_no_trans};
+#allow zigbee_service shell_exec:file         { getattr read open execute execute_no_trans};
+#allow zigbee_service system_file:file        { getattr read open execute execute_no_trans};
+#allow zigbee_service system_data_file:file   { getattr read open execute execute_no_trans};
diff --git a/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te b/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te
new file mode 100644
index 0000000000..b3d94d5cf8
--- /dev/null
+++ b/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te
@@ -0,0 +1,2 @@
+type zigbee_service ,domain;
+allow zigbee_service shell_exec:file execute;
diff --git a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts
index 9d6963909b..e3ac5ea245 100755
--- a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts
+++ b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts
@@ -38,3 +38,5 @@

# For boot type
/sys/devices/virtual/BOOT/BOOT/boot/boot_type(/.*)? u:object_r:sysfs_boot_type:s0
+/system/bin/zigbee_service    u:object_r:zigbee_service_exec:s0
+
diff --git a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te
new file mode 100644
index 0000000000..b3d94d5cf8
--- /dev/null
+++ b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te
@@ -0,0 +1,2 @@
+type zigbee_service ,domain;
+allow zigbee_service shell_exec:file execute;
diff --git a/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil
index aac1622a40..d3db9d1acc 100755
--- a/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil
+++ b/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil
@@ -539,6 +539,7 @@
(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
(typeattributeset statusbar_service_26_0 (statusbar_service))
(typeattributeset boot_logo_updater_26_0 (boot_logo_updater))
+(typeattributeset zigbee_service_26_0 (zigbee_service))
(typeattributeset idmap_26_0 (idmap))
(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
diff --git a/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil
index ba093e7885..d92414362c 100755
--- a/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil
+++ b/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil
@@ -562,6 +562,7 @@
(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
(typeattributeset statusbar_service_26_0 (statusbar_service))
(typeattributeset boot_logo_updater_26_0 (boot_logo_updater))
+(typeattributeset zigbee_service_26_0 (zigbee_service))
(typeattributeset idmap_26_0 (idmap))
(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
diff --git a/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil
index 90d6baea41..a21e182ce3 100755
--- a/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil
+++ b/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil
@@ -565,6 +565,7 @@
(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
(typeattributeset statusbar_service_26_0 (statusbar_service))
(typeattributeset boot_logo_updater_26_0 (boot_logo_updater))
+(typeattributeset zigbee_service_26_0 (zigbee_service))
(typeattributeset idmap_26_0 (idmap))
(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
diff --git a/device/mediateksample/aiv8167sm3_bsp/device.mk b/device/mediateksample/aiv8167sm3_bsp/device.mk
index 3e5ad76a99..e8cfdfba8c 100644
--- a/device/mediateksample/aiv8167sm3_bsp/device.mk
+++ b/device/mediateksample/aiv8167sm3_bsp/device.mk
@@ -47,10 +47,10 @@ PRODUCT_COPY_FILES += $(LOCAL_PATH)/sbk-kpd.kl:system/usr/keylayout/sbk-kpd.kl:m
endif

# for zigbee
-PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/Z3GatewayHost:system/bin/Z3GatewayHost
-PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto:system/bin/mosquitto
-PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto.conf:system/bin/mosquitto.conf
-PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto_passwd:system/bin/mosquitto_passwd
+PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/Z3GatewayHost:data/gateway/Z3GatewayHost
+PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto:data/gateway/mosquitto
+PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto.conf:data/gateway/mosquitto.conf
+PRODUCT_COPY_FILES += $(LOCAL_PATH)/zigbee/mosquitto_passwd:data/gateway/mosquitto_passwd

# Add FlashTool needed files
#PRODUCT_COPY_FILES += $(LOCAL_PATH)/EBR1:EBR1
@@ -219,7 +219,8 @@ PRODUCT_PACKAGES += \
i2cset \
tinymix \
tinyplay \
-	tinypcminfo
+	tinypcminfo \
+	zigbee_service

# add CarBTDemo
PRODUCT_PACKAGES += CarBTDemo
diff --git a/device/mediateksample/aiv8167sm3_bsp/init.project.rc b/device/mediateksample/aiv8167sm3_bsp/init.project.rc
index 75b1e7aa28..1a9d073db2 100644
--- a/device/mediateksample/aiv8167sm3_bsp/init.project.rc
+++ b/device/mediateksample/aiv8167sm3_bsp/init.project.rc
@@ -82,6 +82,9 @@ on post-fs-data
mkdir /data/vendor/wifi/wpa 0770 wifi wifi
mkdir /data/vendor/wifi/wpa/sockets 0770 wifi wifi

+#Zigbee
+    mkdir /data/gateway/ -p
+
on boot

# Wlan
@@ -94,6 +97,28 @@ service wpa_supplicant /vendor/bin/hw/wpa_supplicant \
disabled
oneshot

+#zigbee service zigbee /system/bin/zigbee_service  /data/gateway/mosquitto -c /data/gateway/mosquitto.conf -d
+service zigbee_service /system/bin/zigbee_service
+	user root
+	group root
+	class main
+	oneshot
+
+on property:sys.boot_completed=1
+    touch /data/gateway/log
+    echo "=== weiqifa === zigbee service#1 start" >> /data/gateway/log
+	write /dev/ttyMT0 "=== weiqifa === start zigbee service#1\n"
+    chmod 777 /data/gateway/Z3GatewayHost
+    chmod 777 /data/gateway/mosquitto
+    chmod 777 /data/gateway/mosquitto.conf
+    chmod 777 /data/gateway/mosquitto_passwd
+    chown system:system /data/gateway/Z3GatewayHost
+    chown system:system /data/gateway/mosquitto
+    chown system:system /data/gateway/mosquitto.conf
+    chown system:system /data/gateway/mosquitto_passwd
+    start zigbee_service
+    echo "=== weiqifa === zigbee service#1 end" >> /data/gateway/log
+
service hdmi /system/bin/hdmi
class main
user system
@@ -112,3 +137,4 @@ on init
service fuse_usbotg /system/bin/sdcard -u 1023 -g 1023 -w 1023 -d /mnt/media_rw/usbotg /storage/usbotg
class late_start
disabled
+
diff --git a/external/zigbee-service/Android.mk b/external/zigbee-service/Android.mk
new file mode 100755
index 0000000000..b38c2de48f
--- /dev/null
+++ b/external/zigbee-service/Android.mk
@@ -0,0 +1,8 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := zigbee_service
+LOCAL_SRC_FILES := zigbee-service.c
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_EXECUTABLE)
\ No newline at end of file
diff --git a/external/zigbee-service/zigbee-service.c b/external/zigbee-service/zigbee-service.c
new file mode 100755
index 0000000000..264c3d07ac
--- /dev/null
+++ b/external/zigbee-service/zigbee-service.c
@@ -0,0 +1,19 @@
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <linux/ioctl.h>
+#include <unistd.h>
+
+int main(int argc, char * const argv[])
+{
+
+    printf("=== weiqifa ===Zigbee start ...\n");
+    printf("argc:%d\n",argc);
+    printf("argv[0]:%s",argv[0]);
+    system("/data/gateway/mosquitto -c /data/gateway/mosquitto.conf -d");
+    printf("=== weiqifa ===Zigbee end ...\n");
+    return (0);
+}
\ No newline at end of file