

How to Write SE-Linux policy for android System Service?

Question asked by Thinh Nguyen on Oct 17, 2018
Latest reply on Dec 16, 2019 by Abhijit Thorat

I am studying the Android system. I am using imx8mq-evk (Android 8.1). I would like to extend the Android system service, so I modified the Android source code in folder "<android root>/frameworks/base/services/core" to add my custom service. After that, I tested by flashing the Android image to the board; my custom service is denied by SELinux. I got this error:

10-17 10:08:48.412 2674 2674 I auditd : avc: denied { add } for service=auxdisplay pid=3763 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
10-17 10:08:48.413 2674 2674 E ServiceManager: add_service('auxdisplay',5e) uid=1000 - PERMISSION DENIED


I followed some instructions (here and here) to add SELinux permission for my custom service. Below are my steps:

1. In file service.te

type auxdisplayj_service, system_api_service, system_server_service, service_manager_type;

2. In file service_contexts

auxdisplay u:object_r:auxdisplayj_service:s0

3. In file system_server.te

allow system_server auxdisplayj_service:service_manager add;

4. In file private/compat/26.0/26.0.cil

(typeattributeset auxdisplayj_service_26_0 (auxdisplayj_service))

5. In file prebuild/api/26.0/nonplat_sepolicy.cil

(typeattribute auxdisplayj_service_26_0)
(roletype object_r auxdisplayj_service_26_0)
(typeattributeset service_manager_type (auxdisplayj_service_26_0))

After compiling and flashing the Android image to the board, I still get the same error; my service is not allowed. Is there anything wrong in my steps? All advice is welcome. Many thanks.
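
An added diagnostic sketch, not part of the original post: it parses the denial quoted above and compares the type in its tcontext with the type the service_contexts entry from step 2 would assign, which separates "the label was never applied" from "the allow rule is missing". Assumptions: the helper names are hypothetical, the `*` line is AOSP's stock default entry, and the exact-name-then-wildcard lookup is a simplification of how servicemanager resolves labels.

```python
import re

# Constructed inputs: the denial is the log line from the post; the
# service_contexts text is the post's entry plus AOSP's wildcard default.
DENIAL = ("avc: denied { add } for service=auxdisplay pid=3763 uid=1000 "
          "scontext=u:r:system_server:s0 "
          "tcontext=u:object_r:default_android_service:s0 "
          "tclass=service_manager permissive=0")
SERVICE_CONTEXTS = """\
auxdisplay    u:object_r:auxdisplayj_service:s0
*             u:object_r:default_android_service:s0
"""

def parse_denial(line):
    """Split an avc denial into its permission list and key=value fields."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an avc denial")
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["perms"] = m.group(1).split()
    return fields

def type_of(context):
    """u:object_r:foo:s0 -> foo"""
    return context.split(":")[2]

def expected_label(service, contexts_text):
    """Simplified lookup (assumption): exact service name, else the '*' entry."""
    table = {}
    for raw in contexts_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2:
            table[parts[0]] = parts[1]
    return table.get(service, table.get("*"))

def diagnose(denial_line, contexts_text):
    """Return (verdict, type seen in denial, type expected, rule for expected type)."""
    d = parse_denial(denial_line)
    seen = type_of(d["tcontext"])
    want = type_of(expected_label(d["service"], contexts_text))
    rule = "allow %s %s:%s { %s };" % (
        type_of(d["scontext"]), want, d["tclass"], " ".join(d["perms"]))
    verdict = "label-mismatch" if seen != want else "missing-allow"
    return (verdict, seen, want, rule)

if __name__ == "__main__":
    print(diagnose(DENIAL, SERVICE_CONTEXTS))
```

For the denial in the post the verdict is `label-mismatch`: the log names `default_android_service`, not `auxdisplayj_service`, so the rule from step 3 is never the one being evaluated.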