Run shell script at boot in Android 9.0 on i.MX8M Mini Evk

abhijit_thorat · ‎08-02-2019

Hi,

I am using iMX 8 Mini EVK for my Project. I build Android 9.0 from AOSP for this board.

Now I want to run a script at boot.

I did following changes in files but still I am facing an issue.

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/init.rc

service gea3appservice /vendor/bin/sh /vendor/bin/run.sh
    class late_start
    user root system
    group root system
    oneshot

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/gea3appservice.te

# gea3app service
type gea3appservice, domain;
type gea3appservice_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(gea3appservice)
domain_auto_trans(init, vendor_shell_exec, gea3appservice)

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/file_contexts

/vendor/bin/run.sh u:object_r:gea3appservice_exec:s0

When I manually run service I get following error :

[ 134.010656] type=1400 audit(1564667688.236:3740): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1

Do anyone know this issue?

I tried with the approach suggested by Android developer site

Writing SELinux Policy | Android Open Source Project

But I get following error

libsepol.report_failure: neverallow on line 1002 of system/sepolicy/public/domain.te (or line 11242 of policy.conf) violated by allow gea3appservice gea3appservice_exec:file { execute entrypoint };

HelloHi · ‎09-16-2022

I got the same error in AOSP12, can plese you tell me the solution for this

abhijit_thorat · ‎08-09-2019

First I was trying to run a script from from vendor/bin.

Now I am trying to run from system/bin. But still facing same issue.

Following are the changes in AOSP:

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/init.rc

(Added one service named gea3appservicefromsystem in init.rc)

service gea3appservicefromsystem /system/bin/sh /system/bin/run
    class main
    user root
    group root
    oneshot

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/gea3appservicefromsystem.te

(Created new SELinux domain for service )

# gea3app service
type gea3appservicefromsystem, coredomain, domain;
type gea3appservicefromsystem_exec, exec_type, file_type;
init_daemon_domain(gea3appservicefromsystem)
domain_auto_trans(init, shell_exec, gea3appservicefromsystem)

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/file_contexts

(To ensure executable properly labeled so SELinux runs the service in the proper domain)

/system/bin/run u:object_r:gea3appservicefromsystem_exec:s0

File : Android_AOSP_build/out/target/product/evk_8mm/system/bin/run

(This is the script which will run at startup)

#!/bin/sh
mkdir /data/local/tmp/DirFromSystem
#Run GEA Application in background
./gea3app &

File : /home/bruvitiadmin/Android_AOSP_build/device/fsl/imx8m/evk_8mm/BoardConfig.mk

(Changed mode of SELinux from enforcing mode to permissive mode)

BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive

File : Android_AOSP_build/device/fsl/imx8m/sepolicy/init.te

(Allow transition for a service to execute)

allow init gea3appservicefromsystem_exec:process {transition};

We build AOSP and flash image. We found that script runs at bootup but application failed to start.

Following are the logs:

[   19.028563] type=1400 audit(25.088:22): avc: denied { getattr } for pid=3082 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[   19.049710] type=1400 audit(25.088:22): avc: denied { getattr } for pid=3082 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[   19.070570] type=1400 audit(25.088:23): avc: denied { execute } for pid=3082 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[   19.090694] type=1400 audit(25.088:23): avc: denied { execute } for pid=3082 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

When we start service manually in superuser, script run but application fails to start. we get following logs :

130|evk_8mm:/data/local/tmp # start gea3appservicefromsystem
[ 143.274084] init: Received control message 'start' for 'gea3appservicefromsystem' from pid: 4267 (start gea3appservicefromsystem)
[ 143.286215] init: starting service 'gea3appservicefromsystem'...
[ 143.293347] type=1400 audit(1565344652.192:66): avc: denied { dac_read_search } for pid=4227 comm="main" capability=2 scontext=u:r:zygote:s0 tcontext=u:r:zygote:s0 tclass=capability permissive=1
[ 143.310758] type=1400 audit(1565344745.140:67): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1
[ 143.327813] type=1400 audit(1565344745.140:67): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1
[ 143.328017] audit: audit_lost=12 audit_rate_limit=5 audit_backlog_limit=64
[ 143.344601] type=1400 audit(1565344745.164:68): avc: denied { getattr } for pid=4268 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[ 143.351445] audit: rate limit exceeded
[ 143.373387] type=1400 audit(1565344745.164:68): avc: denied { getattr } for pid=4268 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
evk_8mm:/data/local/tmp # [ 143.387862] init: Service 'gea3appservicefromsystem' (pid 4268) exited with status 127
[ 143.398021] type=1400 audit(1565344745.164:69): avc: denied { execute } for pid=4268 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[ 143.428640] type=1400 audit(1565344745.164:69): avc: denied { execute } for pid=4268 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[ 143.449068] type=1400 audit(1565344745.164:70): avc: denied { read open } for pid=4269 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[ 143.470883] type=1400 audit(1565344745.164:70): avc: denied { read open } for pid=4269 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[ 143.492470] type=1400 audit(1565344745.164:71): avc: denied { execute_no_trans } for pid=4269 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

diegoadrian · ‎08-09-2019

Hello,

Have you remounted Android to have permission to modify the system path?

You can make it through adb.

Best regards,

Diego

abhijit_thorat · ‎09-11-2019

No. We didn't remount Android.

But now we change the way to run script.

We refer below link:

shell - SELinux prevents my init.rc exec command to execute - Android Enthusiasts Stack Exchange

diegoadrian · ‎09-11-2019

Hello,

Did you solve the problem? Or are you willing to disable SELinux?

Best regards,

Diego.

abhijit_thorat · ‎11-12-2019

Yes I solved the issue

nayanasuresh455 · ‎05-12-2020

Hi ,

I got same error. can you tell me the solution for this.

Best regards,

N.Suresh.

Run shell script at boot in Android 9.0 on i.MX8M Mini Evk

Run shell script at boot in Android 9.0 on i.MX8M Mini Evk

Android

i.MX 8M | i.MX 8M Mini | i.MX 8M Nano

Linux