新增HIDL service需要修改的sepolicy文件整理

最新推荐文章于 2025-09-19 11:53:07 发布

原创最新推荐文章于 2025-09-19 11:53:07 发布 · 1.8k 阅读

10 ·

CC 4.0 BY-SA版权

文章标签：

#selinux

个人笔记专栏收录该内容

6 篇文章

订阅专栏

本文详细介绍如何在Android系统中创建自定义HAL（硬件抽象层）服务的过程。从编辑配置文件到实现跨进程通信的安全策略，逐步解析添加HAL服务所需的步骤及注意事项。

以添加 “android.hardware.lightnew@1.0-service” 为例，替换 lightnew 为自定义名称即可

1. system/sepolicy/public/attributes

2. system/sepolicy/prebuilts/api/29.0/public/attributes

+ hal_attribute(lightnew);

//hal_attribute函数如下：

system/sepolicy/prebuilts/api/29.0/public/te_macros

#####################################
# hal_attribute(hal_name)
# Add an attribute for hal implementations along with necessary
# restrictions.
define(`hal_attribute', `
attribute hal_$1;
expandattribute hal_$1 true;
attribute hal_$1_client;
expandattribute hal_$1_client true;
attribute hal_$1_server;
expandattribute hal_$1_server false;

//所以后文的lightnew会有前缀hal_

3. 新建文件 system/sepolicy/public/hal_lightnew.te

4 新建文件system/sepolicy/prebuilts/api/29.0/public/hal_lightnew.te

# HwBinder IPC from client to server, and callbacks
binder_call(hal_lightnew_client, hal_lightnew_server)
binder_call(hal_lightnew_server, hal_lightnew_client)

hal_attribute_hwservice(hal_lightnew, hal_lightnew_hwservice)

5. 新建文件system/sepolicy/vendor/hal_lightnew_default.te

type hal_lightnew_default, domain;
hal_server_domain(hal_lightnew_default, hal_lightnew)

type hal_lightnew_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_lightnew_default)

6. system/sepolicy/private/hwservice_contexts

7. system/sepolicy/prebuilts/api/29.0/public/hwservice.te

+ android.hardware.lightnew::ILightnew u:object_r:hal_lightnew_hwservice:s0

8. system/sepolicy/private/system_server.te

9. system/sepolicy/prebuilts/api/29.0/private/system_server.te

+ hal_client_domain(system_server, hal_lightnew)

10. system/sepolicy/public/hwservice.te

11. system/sepolicy/prebuilts/api/29.0/public/hwservice.te

+ type hal_lightnew_hwservice, hwservice_manager_type;

12. system/sepolicy/vendor/file_contexts

+ /(vendor|system/vendor)/bin/hw/android\.hardware\.lightnew@1\.0-service u:object_r:hal_lightnew_default_exec:s0

13. system/sepolicy/private/compat/26.0/26.0.ignore.cil
14. system/sepolicy/private/compat/27.0/27.0.ignore.cil
15. system/sepolicy/private/compat/28.0/28.0.ignore.cil

16. system/sepolicy/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
17. system/sepolicy/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
18. system/sepolicy/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil

new_objects 中添加：

+ hal_lightnew_hwservice

19. system/sepolicy/private/app_neverallows.te

20. system/sepolicy/prebuilts/api/29.0/private/app_neverallows.te

all_untrusted_apps 中添加：

+ hal_lightnew_hwservice

//以下文件为通过VTS：

21. system/sepolicy/public/su.te

22. system/sepolicy/prebuilts/api/29.0/public/su.te

+ typeattribute su hal_lightnew_client;