SELinux policy definition for Android system service: how to setup?

android service android-source selinux
GPS picture GPS · Nov 18, 2015 · Viewed 11.4k times · Source

I had earlier written a standalone daemon to access a custom device (/dev/mydev0). Looking at AOSP source, I figured I needed setup policies in following files to make it work:

new file device.te containing:

type mydev_device, dev_type;

new file mydevsrvc.te containing

# service flash_recovery in init.rc
type mydevsrvc_type, domain;
type mydevsrvc_type_exec, exec_type, file_type;

init_daemon_domain(mydevsrvc_type)

allow mydevsrvc_type mydev_device:chr_file rw_file_perms;

edited file_contexts to add:

/dev/mydev[0-9]*    u:object_r:mydev_device:s0

edited service_contexts to add:

mydevsrvc                  u:object_r:mydevsrvc_type:s0

And started the daemon by editing init.flo.rc to include these lines:

service mydevsrvc /system/bin/mydevsrvc
    class main
    user system
    group system
    seclabel u:r:mydevsrvc_type:s0
    oneshot

Now, I need to access the device in android apps, so I must change the daemon into an android system service.

I can startup the service (thread) using BOOT_COMPLETED intent as explained in a previous question

I am not able to figure out how to setup SELinux policies so that this java service is also able to access the dev file.

[Update] I have continued using privileged daemon for this purpose. My java service connects to daemon through sockets. I don't have a better solution.

Answer

GPS picture GPS · Jan 12, 2018

I finally figured out the answer. Posting it here, because there sure will be SEPolicy noobs like me looking for similar answers.

For this work, I needed to be able to access my device file from my java app that implements my service.

I needed to add following rule in my sepolicy directory, in a new file:

allow system_app mydev_device:chr_file rw_file_perms;

Also, needed to make my service app run in system_app domain. For this, I need to:

  1. Install in priv_app during Android build.
  2. Sign it with platform key
  3. Declare shared user id in manifest: android.uid.system. I found that without this, app runs in platform-app domain and wasn't able to access my device file even with corresponding change in SEPolicy rule. Not sure why though, I didn't bother to debug.

It might also be possible to run my Service app in mydevsrvc_type domain. I didn't find out how to do that, or whether that will work.

Related questions

Start service in Android

I want to call a service when a certain activity starts. So, here's the Service class: public class UpdaterServiceManager extends Service { private final int UPDATE_INTERVAL = 60 * 1000; private Timer timer = new Timer(); private static final int NOTIFICATION_EX = 1; private NotificationManager notificationManager; …

Read More
Android: How can I get the current foreground activity (from a service)?

Is there a native android way to get a reference to the currently running Activity from a service? I have a service running on the background, and I would like to update my current Activity when an event occurs (in …

Read More
How to check if Location Services are enabled?

I'm developing an app on Android OS. I don't know how to check if Location Services are enabled or not. I need a method that returns "true" if they are enabled and "false" if not (so in the last case …

Read More