Run shell script at boot in Android 9.0 on i.MX8M Mini Evk

cancel
Showing results for 
Search instead for 
Did you mean: 

Run shell script at boot in Android 9.0 on i.MX8M Mini Evk

3,567 Views
abhijit_thorat
Contributor III

Hi,

I am using iMX 8 Mini EVK for my Project. I build Android 9.0 from AOSP for this board.

Now I want to run a script at boot.

I did following changes in files but still I am facing an issue.

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/init.rc

service gea3appservice /vendor/bin/sh /vendor/bin/run.sh
    class late_start
    user root system
    group root system
    oneshot

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/gea3appservice.te

# gea3app service
type gea3appservice, domain;
type gea3appservice_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(gea3appservice)
domain_auto_trans(init, vendor_shell_exec, gea3appservice)

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/file_contexts

/vendor/bin/run.sh   u:object_r:gea3appservice_exec:s0

When I manually run service I get following error :

[  134.010656] type=1400 audit(1564667688.236:3740): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1

Do anyone know this issue?

I tried with the approach suggested by Android developer site

Writing SELinux Policy  |  Android Open Source Project 

But I get following error

libsepol.report_failure: neverallow on line 1002 of system/sepolicy/public/domain.te (or line 11242 of policy.conf) violated by allow gea3appservice gea3appservice_exec:file { execute entrypoint };

0 Kudos
6 Replies

1,269 Views
abhijit_thorat
Contributor III

First I was trying to run a script from from vendor/bin.

Now I am trying to run from system/bin. But still facing same issue.

Following are the changes in AOSP:

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/init.rc

(Added one service named gea3appservicefromsystem in init.rc)

service gea3appservicefromsystem /system/bin/sh /system/bin/run
    class main
    user root
    group root
    oneshot

 

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/gea3appservicefromsystem.te

(Created new SELinux domain for service )

# gea3app service
type gea3appservicefromsystem, coredomain, domain;
type gea3appservicefromsystem_exec, exec_type, file_type;
init_daemon_domain(gea3appservicefromsystem)
domain_auto_trans(init, shell_exec, gea3appservicefromsystem)

 

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/file_contexts

(To ensure executable properly labeled so SELinux runs the service in the proper domain)


/system/bin/run      u:object_r:gea3appservicefromsystem_exec:s0

File : Android_AOSP_build/out/target/product/evk_8mm/system/bin/run

(This is the script which will run at startup)


#!/bin/sh
mkdir /data/local/tmp/DirFromSystem
#Run GEA Application in background
./gea3app &

File : /home/bruvitiadmin/Android_AOSP_build/device/fsl/imx8m/evk_8mm/BoardConfig.mk

(Changed mode of SELinux from enforcing mode to permissive mode)


BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive

File : Android_AOSP_build/device/fsl/imx8m/sepolicy/init.te

(Allow transition for a service to execute)

allow init gea3appservicefromsystem_exec:process {transition};


We build AOSP and flash image. We found that script runs at bootup but application failed to start.

Following are the logs:


[   19.028563] type=1400 audit(25.088:22): avc: denied { getattr } for pid=3082 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[   19.049710] type=1400 audit(25.088:22): avc: denied { getattr } for pid=3082 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[   19.070570] type=1400 audit(25.088:23): avc: denied { execute } for pid=3082 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[   19.090694] type=1400 audit(25.088:23): avc: denied { execute } for pid=3082 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

When we start service manually in superuser, script run but application fails to start. we get following logs :

130|evk_8mm:/data/local/tmp # start gea3appservicefromsystem
[  143.274084] init: Received control message 'start' for 'gea3appservicefromsystem' from pid: 4267 (start gea3appservicefromsystem)
[  143.286215] init: starting service 'gea3appservicefromsystem'...
[  143.293347] type=1400 audit(1565344652.192:66): avc: denied { dac_read_search } for pid=4227 comm="main" capability=2 scontext=u:r:zygote:s0 tcontext=u:r:zygote:s0 tclass=capability permissive=1
[  143.310758] type=1400 audit(1565344745.140:67): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1
[  143.327813] type=1400 audit(1565344745.140:67): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1
[  143.328017] audit: audit_lost=12 audit_rate_limit=5 audit_backlog_limit=64
[  143.344601] type=1400 audit(1565344745.164:68): avc: denied { getattr } for pid=4268 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.351445] audit: rate limit exceeded
[  143.373387] type=1400 audit(1565344745.164:68): avc: denied { getattr } for pid=4268 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
evk_8mm:/data/local/tmp # [  143.387862] init: Service 'gea3appservicefromsystem' (pid 4268) exited with status 127
[  143.398021] type=1400 audit(1565344745.164:69): avc: denied { execute } for pid=4268 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.428640] type=1400 audit(1565344745.164:69): avc: denied { execute } for pid=4268 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.449068] type=1400 audit(1565344745.164:70): avc: denied { read open } for pid=4269 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.470883] type=1400 audit(1565344745.164:70): avc: denied { read open } for pid=4269 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.492470] type=1400 audit(1565344745.164:71): avc: denied { execute_no_trans } for pid=4269 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
0 Kudos

1,269 Views
diegoadrian
NXP Employee
NXP Employee

Hello,

Have you remounted Android to have permission to modify the system path?

You can make it through adb.

Best regards,

Diego

0 Kudos

1,269 Views
abhijit_thorat
Contributor III

No. We didn't remount Android.

But now we change the way to run script.

We refer below link:

shell - SELinux prevents my init.rc exec command to execute - Android Enthusiasts Stack Exchange 

0 Kudos

1,269 Views
diegoadrian
NXP Employee
NXP Employee

Hello,

Did you solve the problem? Or are you willing to disable SELinux? 

Best regards,

Diego.

0 Kudos

1,269 Views
abhijit_thorat
Contributor III

Yes I solved the issue

0 Kudos

1,269 Views
nayanasuresh455
Contributor I

Hi ,

 I got same error. can you tell me the solution for this.

Best regards,

N.Suresh.

0 Kudos