Sepolicy for a native system service (Android)

Anonymous
Post by Anonymous »

On Android 15 I am trying to create a native service (My-SVC) that starts at boot, collects some information about the device and writes it to a /data/.../my-svc.info file.
android.bp looks like this:
//my-svc android.bp
cc_binary {
    name: "my-svc",
    host_supported: true,
    vendor_available: true,
    product_available: true,
    min_sdk_version: "29",
    sdk_version: "current",

    local_include_dirs: [
        "include",
    ],
    srcs: [
        xyz,
    ],
    arch: {
        x86: {
            srcs: xyz,
        },
        x86_64: {
            srcs: xyz,
        },
    },
    cflags: [
        "-std=c99",
        "-Oz",
        "-D_GNU_SOURCE=1",
        "-Wno-unused-function",
        "-Wno-unused-parameter",
        "-Wno-missing-field-initializers",
    ],
    shared_libs: [
        "liblog",
    ],
    apex_available: [
        "//apex_available:platform",
        "//apex_available:anyapex",
    ],
}
By default the service binary lands in /system/bin.
This causes some neverallow sepolicy violations at build time.

# my service sepolicy domain
type my-svc_init, domain;
type my-svc_init_exec, exec_type, file_type, system_file_type;
init_daemon_domain(my-svc_init)
my-svc.fc looks like this:

# my service sepolicy file context
/system(/vendor)?/bin/my-svc u:object_r:my-svc_init_exec:s0
//build error:
neverallow check failed at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:24050 from system/sepolicy/private/domain.te:1265
(neverallow base_typeattr_434 base_typeattr_442 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod
watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint)))

allow at out/soong/.intermediates/system/sepolicy/vendor_sepolicy.cil/android_common/vendor_sepolicy.cil:2986 from device/google/common/sepolicy/my-svc.te:4 from out/soong/.intermediates/system/sepolicy/vendor_sepolicy.cil.raw/android_common/vendor_sepolicy.cil.raw:2338
(allow my-svc_init my-svc_init_exec (file (read getattr map execute open entrypoint)))

neverallow check failed at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:24035 from system/sepolicy/private/domain.te:1216
(neverallow base_typeattr_232 base_typeattr_437 (file (entrypoint)))

allow at out/soong/.intermediates/system/sepolicy/vendor_sepolicy.cil/android_common/vendor_sepolicy.cil:2986 from device/google/common/sepolicy/my-svc.te:4 from out/soong/.intermediates/system/sepolicy/vendor_sepolicy.cil.raw/android_common/vendor_sepolicy.cil.raw:2338
(allow my-svc_init my-svc_init_exec (file (read getattr map execute open entrypoint)))

neverallow check failed at out/soong/.intermediates/system/sepolicy/plat_sepolicy.cil/android_common/plat_sepolicy.cil:24025 from system/sepolicy/private/domain.te:1191
(neverallow base_typeattr_434 base_typeattr_435 (file (execute execute_no_trans entrypoint)))

allow at out/soong/.intermediates/system/sepolicy/vendor_sepolicy.cil/android_common/vendor_sepolicy.cil:2986 from device/google/common/sepolicy/my-svc.te:4 from out/soong/.intermediates/system/sepolicy/vendor_sepolicy.cil.raw/android_common/vendor_sepolicy.cil.raw:2338
(allow my-svc_init my-svc_init_exec (file (read getattr map execute open entrypoint)))
If I change system_file_type to vendor_file_type in the domain definition,
it builds without error, but I get the avc denied errors below when starting the service:
I init : starting service 'my-svc_init'...
I auditd : type=1400 audit(0.0:88): avc: denied { entrypoint } for comm="init" path="/system/bin/my-svc" dev="dm-6" ino=10711269 scontext=u:r:my-svc_init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
I init : ... started service 'my-svc_init' has pid 2107
I init : Command 'start my-svc_init' action=sys.boot_completed=1 (/vendor/etc/init/init.common.rc:64) took 59ms and succeeded
I auditd : type=1400 audit(0.0:89): avc: denied { map } for comm="my-svc" path="/system/bin/my-svc" dev="dm-6" ino=10711269 scontext=u:r:my-svc_init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
I auditd : type=1400 audit(0.0:90): avc: denied { read } for comm="my-svc" path="/system/bin/my-svc" dev="dm-6" ino=10711269 scontext=u:r:my-svc_init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
I auditd : type=1400 audit(0.0:91): avc: denied { execute } for comm="my-svc" path="/system/bin/my-svc" dev="dm-6" ino=10711269 scontext=u:r:my-svc_init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
I auditd : type=1400 audit(0.0:92): avc: denied { getattr } for comm="my-svc" path="/system/bin/my-svc" dev="dm-6" ino=10711269 scontext=u:r:my-svc_init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
I auditd : type=1400 audit(0.0:93): avc: denied { write } for comm="my-svc" name="system" dev="dm-54" ino=63873 scontext=u:r:my-svc_init:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
I init : Service 'my-svc_init' (pid 2107) exited with status 0 oneshot service took 0.294000 seconds in background
I init : Sending signal 9 to service 'my-svc_init' (pid 2107) process group...
I am obviously doing things wrong here.
I have little knowledge of SEPolicy.
Can someone be kind enough to quickly advise me on this?

More details here: https://stackoverflow.com/questions/796 ... em-service
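Added example, not from the post or the linked StackOverflow thread: a policy layout for a daemon that ships in /system/bin, written so that the neverallow rules quoted above are satisfied rather than worked around. The quoted failures all come from system/sepolicy/private/domain.te rules that forbid a domain which is not a coredomain from having entrypoint/execute on a system_file_type file, and a type declared in a vendor policy directory such as device/google/common/sepolicy cannot be a coredomain (the Treble sepolicy tests reject that). Relabelling the exec type as vendor_file_type only silences the build: the system image is labelled from the platform file_contexts, so /system/bin/my-svc still carries system_file at runtime, which is exactly what the tcontext in the avc lines shows. The approach below keeps the binary a system file, moves the policy into a system-partition policy directory, and gives the output its own data type instead of asking for write on system_data_file. Assumptions: the type names my_svc, my_svc_exec and my_svc_data_file, the output directory /data/misc/my-svc (the post elides the real path), the system user, the sys.boot_completed trigger mirrored from the init.common.rc line in the log, and the use of SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS for placement.

```text
# my_svc.te
# Put this file (and my_svc.fc) in a system-partition policy directory, e.g. a
# directory listed in SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS in BoardConfig.mk, or in
# system/sepolicy/private when the service lives in the AOSP tree.  It must NOT
# go under the vendor policy directory (BOARD_VENDOR_SEPOLICY_DIRS).
type my_svc, domain, coredomain;                              # coredomain: runs from /system
type my_svc_exec, exec_type, file_type, system_file_type;     # label of /system/bin/my-svc
init_daemon_domain(my_svc)                                    # init -> my_svc on exec of my_svc_exec

# Private label for the output under /data; core_data_file_type because the
# owner is a core domain.  No blanket write on system_data_file is needed.
type my_svc_data_file, file_type, data_file_type, core_data_file_type;
allow my_svc my_svc_data_file:dir create_dir_perms;
allow my_svc my_svc_data_file:file create_file_perms;

# my_svc.fc  (same directory as my_svc.te)
/system/bin/my-svc            u:object_r:my_svc_exec:s0
/data/misc/my-svc(/.*)?       u:object_r:my_svc_data_file:s0

# my-svc.rc  (installed next to the binary via  init_rc: ["my-svc.rc"]  in the cc_binary)
service my-svc /system/bin/my-svc
    class late_start
    user system            # assumption: the service does not need root
    group system
    oneshot
    disabled

on post-fs-data
    # init applies the my_svc_data_file label from file_contexts when it creates the dir
    mkdir /data/misc/my-svc 0700 system system

on property:sys.boot_completed=1
    start my-svc
```

After rebuilding, check that the labels actually landed before reading any remaining denials: `ls -Z /system/bin/my-svc` should print my_svc_exec and `ls -Zd /data/misc/my-svc` should print my_svc_data_file; if either still shows system_file or system_data_file, the policy was compiled into the wrong partition and no allow rule will fix it.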