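# Table of contents

- Preface
- Origins of SELinux
- Basic SELinux framework
- SELinux behaviour across Android versions
- Generating SELinux permissions with the audit2allow tool
- Complete code

# Preface

First, let me recommend my earlier SELinux article, although that one covers 7.1 and things are already very different on 9.0: "Android 7.1: adding a shell service in init.rc".

An aside: doing a project in a company is quite different from doing one at university. A company has to turn technology into a product and then sell that product to make money, so it cannot avoid thinking about the development cycle, procurement cost and sales channels. If R&D puts in a huge effort and still cannot get it working, or the hardware design itself carries very large risk and a long development cycle, that may be fatal to the project. Sales can keep boasting, but the longer the boasting goes on, the higher the cost in credibility; otherwise, why did Boss Jia's car have so many problems once it finally appeared after being called for so long?

# Origins of SELinux

SELinux, that is Security-Enhanced Linux, is a mandatory security review mechanism initiated by the US National Security Agency (NSA), with Secure Computing Corporation (SCC) and MITRE directly involved in its development and many research institutions (such as the University of Utah) taking part. The system was first released as generally available software in December 2000 (the code was released under the GPL). From Linux kernel 2.6 onward SELinux has been integrated directly into the kernel, built on the Linux Security Module (LSM) framework, and it has become the most popular and most widely used security solution.

# Basic SELinux framework

SELinux is a typical implementation of MAC (Mandatory Access Controls). It generates a security context for every object in the system, and every access by an object to a system resource goes through a security context check. The rules checked include type enforcement, Multi-Level Security, and role-based access control (RBAC: Role Based Access Control).

SELinux is built on the Linux Security Module (LSM) framework. For a detailed description of the LSM architecture, see the paper "Linux Security Modules: General Security Support for the Linux Kernel", presented at the USENIX Security conference in 2002. SELinux fully implements all of the LSM hook functions. The overall structure of SELinux is shown in the figure below:

# SELinux behaviour across Android versions

Android has enforced SELinux since quite early on, but using it still differs somewhat between Android versions. We are now on Android 9.0, which can be said to have the strictest permissions. Previously, when an allow rule caused a build problem and would not go through, you could go into domain.te and add the relevant neverallow entry; on 9.0 that no longer works, and permissions must be declared and requested strictly according to the Android standard.

# Generating SELinux permissions with the audit2allow tool

This tool is definitely a lifesaver, and it can be found in the SDK. With it, save the SELinux errors to a file, and the tool can then generate the allow rules for them.

Tool location: ./external/selinux/prebuilts/bin/audit2allow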
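What the denial-log-to-allow-rule step amounts to, as an added Python sketch (not audit2allow's own code and not from the original post): it parses AVC denial lines, merges permissions per source type, target type and class, and prints the rules in the form audit2allow emits. The log lines are constructed; the type names are the ones used in the policy later on this page.

```python
import re
from collections import defaultdict

# Constructed AVC denial lines (not captured from a device); the type names
# are the ones used in the policy later on this page.
SAMPLE_LOG = """\
type=1400 audit(0.0:45): avc: denied { execute } for pid=312 comm="zigbee_service" name="sh" dev="mmcblk0p20" ino=512 scontext=u:r:zigbee_service:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0
type=1400 audit(0.0:46): avc: denied { read open } for pid=312 comm="sh" path="/data/gateway/mosquitto" dev="mmcblk0p28" ino=77 scontext=u:r:zigbee_service:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
init: starting service 'zigbee_service'...
type=1400 audit(0.0:47): avc: denied { getattr } for pid=312 comm="sh" path="/data/gateway/mosquitto" dev="mmcblk0p28" ino=77 scontext=u:r:zigbee_service:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:48): avc: denied { execute } for pid=340 comm="zigbee_service" name="sh" dev="mmcblk0p20" ino=512 scontext=u:r:zigbee_service:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0
"""

# A security context is user:role:type:level; only the type matters for TE rules.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=\w+:\w+:(?P<src>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<tgt>\w+):\S+\s+"
    r"tclass=(?P<cls>\w+)"
)


def denials_to_rules(log_text):
    """Turn AVC denials into merged, de-duplicated allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial line (other kernel/init output)
        merged[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        target = "self" if tgt == src else tgt  # same-type access is written as "self"
        rules.append(f"allow {src} {target}:{cls} {body};")
    return rules


if __name__ == "__main__":
    # Each generated rule still has to be reviewed and must pass the
    # neverallow checks at build time before it goes into a .te file.
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```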
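For screenshots of the tool in use, see https://blog.csdn.net/q1183345443/article/details/90438283

# Complete code

Our project needs to start a service. The service amounts to a few scripts, and those scripts could be written directly in init.rc. However, I considered that writing them directly in init.rc kept causing all sorts of problems and made them awkward to replace; another point is that a service written as an executable and a service executed from within init.rc have different SELinux permission requirements.

I discussed this problem with several experts, and our Mr. Deng even worked overtime on it for me; unfortunately it still was not solved, mainly because we had not found the right direction. The next day I looked at the code again myself, felt I must be that one-in-ten-thousand man, and then, without doing anything much, I found in the SELinux file_contexts file an entry for something that likewise needs an exec service, opened Source Insight, did a global search first, and added my entries one by one following that example. Pay particular attention to one thing: edits made in Source Insight do not add a line ending, so the files have to be fixed up once more on Linux, otherwise the build fails.

After that came the build. A partial build might still have had problems, because the many haphazard changes I had made earlier had affected the environment, so I deleted out and did a full build. After flashing, I checked the services with the top command and was surprised to find that the service was already running. Many SELinux permission problems still show up at boot; those need to be fixed with the tool described above.

This complete code is only suitable for Android 9.0. On other Android versions it can serve only as a reference, but on lower versions it is certainly much easier than on 9.0.

diff --git a/device/mediatek/sepolicy/basic/plat_private/file_contexts b/device/mediatek/sepolicy/basic/plat_private/file_contexts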
index f306119717..3271d2b624 100644
--- a/device/mediatek/sepolicy/basic/plat_private/file_contextsb/device/mediatek/sepolicy/basic/plat_private/file_contexts-42,3 42,5 /sys/devices/platform/vibrator0/leds/vibrator(/.*)? u:object_r:sysfs_vibrator:s0/sys/block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
/system/bin/zigbee_service u:object_r:zigbee_service_exec:s0diff --git a/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te b/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te
new file mode 100755
index 0000000000..94c23d7ec3
--- /dev/nullb/device/mediatek/sepolicy/basic/plat_private/zigbee_service.te-0,0 1,20
#typeattribute zigbee_service coredomain;
#type zigbee_service, domain;
#type zigbee_service_exec, exec_type, file_type;
#permissive zigbee_service;
#init_daemon_domain(zigbee_service)# New added for move to /system
typeattribute zigbee_service coredomain;
type zigbee_service_exec , exec_type, file_type;#
# MTK Policy Rule
# init_daemon_domain(zigbee_service)
allow zigbee_service shell_exec:file execute;
#allow zigbee_service zigbee_service_exec:file { getattr read open execute execute_no_trans};
#allow zigbee_service shell_exec:file { getattr read open execute execute_no_trans};
#allow zigbee_service system_file:file { getattr read open execute execute_no_trans};
#allow zigbee_service system_data_file:file { getattr read open execute execute_no_trans};
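Review bot: most of this new file is commented-out policy (the first five lines, including "#permissive zigbee_service;", and the four "#allow zigbee_service ... { getattr read open execute execute_no_trans }" lines at the end) and it should be deleted rather than committed, so the file shows only the rules that are actually loaded. As the lines read here, init_daemon_domain(zigbee_service) also appears only behind a "#"; if the domain transition from init is intended, that macro needs to be an active line.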
diff --git a/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te b/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te
new file mode 100644
index 0000000000..b3d94d5cf8
--- /dev/nullb/device/mediatek/sepolicy/basic/plat_public/zigbee_service.te-0,0 1,2
type zigbee_service ,domain;
allow zigbee_service shell_exec:file execute;
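Review bot: the second line, "allow zigbee_service shell_exec:file execute;", is an allow rule placed in plat_public, and the identical rule is already in plat_private/zigbee_service.te. Keep only the type declaration in the public file and leave the rule in the private one, so the public policy carries declarations and not grants.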
diff --git a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts
index 9d6963909b..e3ac5ea245 100755
--- a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contextsb/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/file_contexts-38,3 38,5 # For boot type/sys/devices/virtual/BOOT/BOOT/boot/boot_type(/.*)? u:object_r:sysfs_boot_type:s0
/system/bin/zigbee_service u:object_r:zigbee_service_exec:s0diff --git a/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te b/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te
new file mode 100644
index 0000000000..b3d94d5cf8
--- /dev/nullb/device/mediatek/sepolicy/basic/prebuilts/api/26.0/plat_public/zigbee_service.te-0,0 1,2
type zigbee_service ,domain;
allow zigbee_service shell_exec:file execute;
diff --git a/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil
index aac1622a40..d3db9d1acc 100755
--- a/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cilb/device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil-539,6 539,7 (typeattributeset hci_attach_dev_26_0 (hci_attach_dev))(typeattributeset statusbar_service_26_0 (statusbar_service))(typeattributeset boot_logo_updater_26_0 (boot_logo_updater))
(typeattributeset zigbee_service_26_0 (zigbee_service))(typeattributeset idmap_26_0 (idmap))(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
diff --git a/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil
index ba093e7885..d92414362c 100755
--- a/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cilb/device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil-562,6 562,7 (typeattributeset hci_attach_dev_26_0 (hci_attach_dev))(typeattributeset statusbar_service_26_0 (statusbar_service))(typeattributeset boot_logo_updater_26_0 (boot_logo_updater))
(typeattributeset zigbee_service_26_0 (zigbee_service))(typeattributeset idmap_26_0 (idmap))(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
diff --git a/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil b/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil
index 90d6baea41..a21e182ce3 100755
--- a/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cilb/device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil-565,6 565,7 (typeattributeset hci_attach_dev_26_0 (hci_attach_dev))(typeattributeset statusbar_service_26_0 (statusbar_service))(typeattributeset boot_logo_updater_26_0 (boot_logo_updater))
(typeattributeset zigbee_service_26_0 (zigbee_service))(typeattributeset idmap_26_0 (idmap))(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
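Review bot: the added "(typeattributeset zigbee_service_26_0 (zigbee_service))" line maps a type that this same patch introduces onto a 26.0 versioned attribute, which tells the compatibility layer that the type was already public in the 26.0 policy. Please confirm that this is intended; a type that did not exist in 26.0 is normally recorded as new for that version rather than being given a _26_0 mapping.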
diff --git a/device/mediateksample/aiv8167sm3_bsp/device.mk b/device/mediateksample/aiv8167sm3_bsp/device.mk
index 3e5ad76a99..e8cfdfba8c 100644
--- a/device/mediateksample/aiv8167sm3_bsp/device.mkb/device/mediateksample/aiv8167sm3_bsp/device.mk-47,10 47,10 PRODUCT_COPY_FILES $(LOCAL_PATH)/sbk-kpd.kl:system/usr/keylayout/sbk-kpd.kl:mendif# for zigbee
-PRODUCT_COPY_FILES $(LOCAL_PATH)/zigbee/Z3GatewayHost:system/bin/Z3GatewayHost
-PRODUCT_COPY_FILES $(LOCAL_PATH)/zigbee/mosquitto:system/bin/mosquitto
-PRODUCT_COPY_FILES $(LOCAL_PATH)/zigbee/mosquitto.conf:system/bin/mosquitto.conf
-PRODUCT_COPY_FILES $(LOCAL_PATH)/zigbee/mosquitto_passwd:system/bin/mosquitto_passwd
PRODUCT_COPY_FILES $(LOCAL_PATH)/zigbee/Z3GatewayHost:data/gateway/Z3GatewayHost
PRODUCT_COPY_FILES $(LOCAL_PATH)/zigbee/mosquitto:data/gateway/mosquitto
PRODUCT_COPY_FILES $(LOCAL_PATH)/zigbee/mosquitto.conf:data/gateway/mosquitto.conf
PRODUCT_COPY_FILES $(LOCAL_PATH)/zigbee/mosquitto_passwd:data/gateway/mosquitto_passwd# Add FlashTool needed files#PRODUCT_COPY_FILES $(LOCAL_PATH)/EBR1:EBR1-219,7 219,8 PRODUCT_PACKAGES \i2cset \tinymix \tinyplay \
- tinypcminfotinypcminfo \zigbee_service# add CarBTDemoPRODUCT_PACKAGES CarBTDemo
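Review bot: the four added PRODUCT_COPY_FILES lines move Z3GatewayHost, mosquitto, mosquitto.conf and mosquitto_passwd from system/bin to data/gateway, so the executables and the broker password file now live on the writable data partition instead of the read-only system image. Combined with the chmod 777 on the same paths in init.project.rc, anything able to write under /data/gateway can replace what the service runs. Keep the binaries under system/bin and put only mutable state under /data, with the password file readable by the service user alone.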
diff --git a/device/mediateksample/aiv8167sm3_bsp/init.project.rc b/device/mediateksample/aiv8167sm3_bsp/init.project.rc
index 75b1e7aa28..1a9d073db2 100644
--- a/device/mediateksample/aiv8167sm3_bsp/init.project.rcb/device/mediateksample/aiv8167sm3_bsp/init.project.rc-82,6 82,9 on post-fs-datamkdir /data/vendor/wifi/wpa 0770 wifi wifimkdir /data/vendor/wifi/wpa/sockets 0770 wifi wifi#Zigbeemkdir /data/gateway/ -p
on boot# Wlan-94,6 97,28 service wpa_supplicant /vendor/bin/hw/wpa_supplicant \disabledoneshot#zigbee service zigbee /system/bin/zigbee_service /data/gateway/mosquitto -c /data/gateway/mosquitto.conf -d
service zigbee_service /system/bin/zigbee_serviceuser rootgroup rootclass mainoneshoton property:sys.boot_completed1touch /data/gateway/logecho weiqifa zigbee service#1 start /data/gateway/logwrite /dev/ttyMT0 weiqifa start zigbee service#1\nchmod 777 /data/gateway/Z3GatewayHostchmod 777 /data/gateway/mosquittochmod 777 /data/gateway/mosquitto.confchmod 777 /data/gateway/mosquitto_passwdchown system:system /data/gateway/Z3GatewayHostchown system:system /data/gateway/mosquittochown system:system /data/gateway/mosquitto.confchown system:system /data/gateway/mosquitto_passwdstart zigbee_serviceecho weiqifa zigbee service#1 end /data/gateway/log
service hdmi /system/bin/hdmiclass mainuser system-112,3 137,4 on initservice fuse_usbotg /system/bin/sdcard -u 1023 -g 1023 -w 1023 -d /mnt/media_rw/usbotg /storage/usbotgclass late_startdisableddiff --git a/external/zigbee-service/Android.mk b/external/zigbee-service/Android.mk
new file mode 100755
index 0000000000..b38c2de48f
--- /dev/nullb/external/zigbee-service/Android.mk-0,0 1,8
LOCAL_PATH : $(call my-dir)include $(CLEAR_VARS)
LOCAL_MODULE : zigbee_service
LOCAL_SRC_FILES : zigbee-service.c
LOCAL_MODULE_TAGS : optionalinclude $(BUILD_EXECUTABLE)
\ No newline at end of file
diff --git a/external/zigbee-service/zigbee-service.c b/external/zigbee-service/zigbee-service.c
new file mode 100755
index 0000000000..264c3d07ac
--- /dev/nullb/external/zigbee-service/zigbee-service.c-0,0 1,19
#include sys/stat.h
#include fcntl.h
#include unistd.h
#include stdio.h
#include stdlib.h
#include string.h
#include linux/ioctl.h
#include unistd.hint main(int argc, char * const argv[])
{printf( weiqifa Zigbee start ...\n);printf(argc:%d\n,argc);printf(argv[0]:%s,argv[0]);system(/data/gateway/mosquitto -c /data/gateway/mosquitto.conf -d);printf( weiqifa Zigbee end ...\n);return (0);
}
\ No newline at end of file
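Review bot: the system(...) call in main() starts /data/gateway/mosquitto through a shell, from a service that init.project.rc declares with user root and group root, and the binary it starts is one the same patch makes mode 777. Replace system() with fork plus execv on a fixed argument vector, check the result instead of discarding it, and run the service under a dedicated non-root user; that also removes the need for the shell_exec execute rule. Minor: unistd.h is included twice and the argv[0] printf has no trailing newline.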