on boot my android phone init .sh script run but not fully


Stack!

This is my first question here, so don't be too hard on me.

I want to run my own .sh script file on boot on my Android phone. To get this I rebuilt the kernel image, and before that I added my own service to the init.rc file, which starts after the boot-complete trigger:

on property:dev.bootcomplete=1
    start fota-snoop
    start fota-trigger
    start startup-prober
    start fairnet

the service itself:

service fairnet /system/bin/sh /system/etc/init.fairnet.sh
    user root
    group root
    disabled
    oneshot

The permissions of /system/etc/init.fairnet.sh are set to 644 like the other init .sh scripts, and the owner is root:root:

-rw-r--r-- root     root          280 2018-01-09 01:03 init.fairnet.sh

init.fairnet.sh:

#!/system/bin/sh

# load the TTL target module needed by the mangle rule below
insmod /system/lib/modules/xt_HL.ko
lsmod > /system/etc/curlsmod
# dump the mangle table before and after adding the rule, for debugging
/system/bin/iptables -t mangle -L > /system/etc/preiptables
/system/bin/iptables -t mangle -A POSTROUTING -o rmnet+ -j TTL --ttl-set 64
/system/bin/iptables -t mangle -L > /system/etc/postiptables

The funniest thing is that the command to load the kernel module works fine, on boot too, but the other lines don't work: the output files don't exist, and the iptables rule isn't added. I can't understand why insmod works and the other commands don't.

Thanks for reading and sorry for my terrible English.


Solution

  • Problem solved!

    SELinux blocked iptables at boot.

    dmesg | grep iptables
    

    gives me

    <36>[   39.819005] type=1400 audit(1516096993.541:9): avc: denied { create } for pid=2652 comm="iptables" lport=255 scontext=u:r:init_shell:s0 tcontext=u:r:init_shell:s0 tclass=rawip_socket op_res=-13 ppid=2640 pcomm="sh" tgid=2640 tgcomm="sh"
    

    That means the current /sepolicy doesn't have the rule I need.

    To add that rule I use sepolicy-inject; to build it you need /usr/lib/libsepol.a, which libsepol1-dev contains. You may also use the prebuilt binaries for all archs (they didn't work for me, so I built my own).

    ./sepolicy-inject -s init_shell -t init_shell -c rawip_socket -p getopt,create,setopt -P sepolicy -o sepolicy_new
    

    adds the needed rule and makes a new sepolicy_new from the old sepolicy taken from the device.

    Flash the device with the new sepolicy in a new boot.img; I use AIK for Win.

    Done! Now after boot my .sh script runs automatically and fully.

    Thanks for reading and again sorry for my terrible English.

    P.S. I moved my own service from init.sony.rc to init.qcom.rc, and also removed group root and disabled, but I did that only for ideological reasons and it did not solve the problem.

    P.P.S. Changing the mode from Enforcing to Permissive may do the trick, but I don't want to lose SELinux.
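As an added example (not part of the question or answer above), a small Python helper that turns `avc: denied` lines like the one in the answer into the equivalent `allow` rule and the matching sepolicy-inject invocation, grouping permissions per (source type, target type, class) the way audit2allow does. The first log line is the one from the answer; the second is constructed for illustration.

```python
import re

# Denial quoted in the answer above (real), plus one constructed line that
# shows how a later denial on the same socket class is merged into one rule.
AVC_LINES = [
    '<36>[   39.819005] type=1400 audit(1516096993.541:9): avc: denied { create } '
    'for pid=2652 comm="iptables" lport=255 scontext=u:r:init_shell:s0 '
    'tcontext=u:r:init_shell:s0 tclass=rawip_socket op_res=-13 ppid=2640 pcomm="sh"',
    # constructed sample: what dmesg typically shows once "create" is allowed
    '<36>[   40.100000] type=1400 audit(1516096993.800:10): avc: denied { setopt } '
    'for pid=2653 comm="iptables" scontext=u:r:init_shell:s0 '
    'tcontext=u:r:init_shell:s0 tclass=rawip_socket op_res=-13',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=(?P<scon>\S+).*?\btcontext=(?P<tcon>\S+).*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Extract source/target type, class and denied perms from one AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # u:r:init_shell:s0 -> the type field is the third colon-separated part
    type_of = lambda ctx: ctx.split(':')[2]
    return {'source': type_of(m['scon']), 'target': type_of(m['tcon']),
            'tclass': m['tclass'], 'perms': m['perms'].split()}


def collect_denials(lines):
    """Group denied permissions by (source, target, class), like audit2allow."""
    rules = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules.setdefault((d['source'], d['target'], d['tclass']), set()).update(d['perms'])
    return rules


def allow_rule(key, perms):
    """Render a TE allow rule in the syntax used by sepolicy .te files."""
    s, t, c = key
    return f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"


def inject_command(key, perms, policy='sepolicy', out='sepolicy_new'):
    """Render the matching sepolicy-inject call for a binary policy file."""
    s, t, c = key
    return f"./sepolicy-inject -s {s} -t {t} -c {c} -p {','.join(sorted(perms))} -P {policy} -o {out}"


if __name__ == '__main__':
    for key, perms in collect_denials(AVC_LINES).items():
        print(allow_rule(key, perms))
        print(inject_command(key, perms))
```

Denials are logged one permission at a time, so after injecting a rule check dmesg again for the next one; the answer's own command already grants getopt, create and setopt together.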