android service android-source selinux

SELinux policy definition for Android system service: how to set up?


I had earlier written a standalone daemon to access a custom device (/dev/mydev0). Looking at the AOSP source, I figured I needed to set up policies in the following files to make it work:

new file device.te containing:

type mydev_device, dev_type;

new file mydevsrvc.te containing:

# service mydevsrvc in init.flo.rc
type mydevsrvc_type, domain;
type mydevsrvc_type_exec, exec_type, file_type;

init_daemon_domain(mydevsrvc_type)

allow mydevsrvc_type mydev_device:chr_file rw_file_perms;

edited file_contexts to add:

/dev/mydev[0-9]*    u:object_r:mydev_device:s0

edited service_contexts to add:

mydevsrvc                  u:object_r:mydevsrvc_type:s0

And started the daemon by editing init.flo.rc to include these lines:

service mydevsrvc /system/bin/mydevsrvc
    class main
    user system
    group system
    seclabel u:r:mydevsrvc_type:s0
    oneshot

Now, I need to access the device in Android apps, so I must change the daemon into an Android system service.

I can start up the service (thread) using the BOOT_COMPLETED intent, as explained in a previous question.

I am not able to figure out how to set up SELinux policies so that this Java service is also able to access the dev file.

[Update] I have continued using a privileged daemon for this purpose. My Java service connects to the daemon through sockets. I don't have a better solution.


Solution

  • I finally figured out the answer. Posting it here, because there sure will be SEPolicy noobs like me looking for similar answers.

    For this work, I needed to be able to access my device file from my java app that implements my service.

    I needed to add the following rule in my sepolicy directory, in a new file:

    allow system_app mydev_device:chr_file rw_file_perms;

    I also needed to make my service app run in the system_app domain. For this, I need to:

    1. Install in priv_app during Android build.
    2. Sign it with the platform key.
    3. Declare the shared user ID in the manifest: android.uid.system. I found that without this, the app runs in the platform-app domain and wasn't able to access my device file even with the corresponding change in the SEPolicy rule. Not sure why though; I didn't bother to debug.

    It might also be possible to run my Service app in mydevsrvc_type domain. I didn't find out how to do that, or whether that will work.
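
One way to check which domain the app actually ran in when the device open fails, as in step 3 of the answer above (an added example, not code from the original posts): it parses `avc: denied` lines, groups the denied permissions for the `mydev_device` type, and flags any source domain other than the expected `system_app`. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample denials (not from the original post), in the kernel's
# "avc: denied" format as seen in dmesg or logcat before any allow rule exists.
SAMPLE_LOG = """\
avc: denied { read write } for pid=2101 comm="mple.mydevsrvc" name="mydev0" dev="tmpfs" ino=7411 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mydev_device:s0 tclass=chr_file permissive=0
avc: denied { open } for pid=2101 comm="mple.mydevsrvc" path="/dev/mydev0" dev="tmpfs" ino=7411 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mydev_device:s0 tclass=chr_file permissive=0
avc: denied { read } for pid=1987 comm="mple.mydevsrvc" name="mydev0" dev="tmpfs" ino=7411 scontext=u:r:system_app:s0 tcontext=u:object_r:mydev_device:s0 tclass=chr_file permissive=0
avc: denied { read } for pid=900 comm="netd" name="foo" scontext=u:r:netd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
"""

# Captures the permission set, the source domain, the target type and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=u:r:(?P<source>[^:\s]+):\S*\s+"
    r"tcontext=u:(?:object_r|r):(?P<target>[^:\s]+):\S*\s+"
    r"tclass=(?P<tclass>\S+)"
)


def denials_for(log, target_type):
    """Group denied permissions by (source domain, class) for one target type."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m and m["target"] == target_type:
            grouped[(m["source"], m["tclass"])].update(m["perms"].split())
    return dict(grouped)


def report(log, target_type, expected_domain):
    """Return (candidate allow rules, source domains other than the expected one)."""
    grouped = denials_for(log, target_type)
    rules = [
        f"allow {src} {target_type}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, cls), perms in sorted(grouped.items())
    ]
    unexpected = sorted({src for src, _ in grouped} - {expected_domain})
    return rules, unexpected


if __name__ == "__main__":
    rules, unexpected = report(SAMPLE_LOG, "mydev_device", "system_app")
    print("\n".join(rules))
    # A non-empty list means the app is not running in the domain the rule targets.
    print("unexpected source domains:", unexpected)
```

A source domain of `platform_app` in the output means the `allow system_app ...` rule does not apply to that process, so the packaging steps need fixing rather than the rule being widened.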