\device\mediateksample\tb8163p3_bsp\device.mk
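# device.mk additions for the rowan HIDL HAL and its client app.
# Make comments start with '#': a trailing "//..." on a PRODUCT_PACKAGES line is
# not a comment but an extra (bogus) module name appended to the package list.

# HIDL passthrough implementation (android.hardware.rowan@1.0-impl.so)
PRODUCT_PACKAGES += android.hardware.rowan@1.0-impl
# HIDL service binary (/vendor/bin/hw/android.hardware.rowan@1.0-service)
PRODUCT_PACKAGES += android.hardware.rowan@1.0-service
# init .rc that starts the service at boot
PRODUCT_PACKAGES += android.hardware.rowan@1.0-service.rc
# Java HIDL client library (and its static variant for apps that link it in)
PRODUCT_PACKAGES += android.hardware.rowan-V1.0-java
PRODUCT_PACKAGES += android.hardware.rowan-V1.0-java-static
# Legacy HAL module (hardware/libhardware/modules/rowan)
PRODUCT_PACKAGES += rowan.default
# Client app
PRODUCT_PACKAGES += PowerCtl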
-------------------------------------------------------------------------
sudo apt-get install tree
tree hardware
hardware/
├── interfaces
│ ├── rowan
│ ├── 1.0
│ │ ├── Android.bp //cc_library {name: "android.hardware.rowan@1.0",}
│ │ ├── Android.mk //LOCAL_MODULE := android.hardware.rowan-V1.0-java //LOCAL_MODULE := android.hardware.rowan-V1.0-java-static
│ │ ├── default
│ │ │ ├── android.hardware.rowan@1.0-service.rc //service rowan-hal-1-0 /vendor/bin/hw/android.hardware.rowan@1.0-service
│ │ │ ├── Android.mk //LOCAL_MODULE := android.hardware.rowan@1.0-impl //LOCAL_MODULE := android.hardware.rowan@1.0-service
│ │ │ ├── RowanModule.cpp //IRowanModule* HIDL_FETCH_IRowanModule(const char* /* name */) { hw_get_module(ROWAN_HARDWARE_MODULE_ID, const_cast<const hw_module_t**>(&module)); }
//return new RowanModule(module); RowanModule::RowanModule(rowan_module_t *module) : mModule(module){}
│ │ │ ├── RowanModule.h //struct RowanModule : public IRowanModule { };
│ │ │ ├── service.cpp //return defaultPassthroughServiceImplementation<IRowanModule>();
│ │ ├── IRowanModule.hal //package android.hardware.rowan@1.0; interface IRowanModule { };
│ │ └── types.hal //package android.hardware.rowan@1.0;
│ └── Android.bp // This is an autogenerated file, do not edit.
└── libhardware //hal层
├── include
│ └── hardware
│ └── rowan.h //#define ROWAN_HARDWARE_MODULE_ID "rowan" typedef struct rowan_module { } rowan_module_t; hidl和hal共同include了这个.h
└── modules
├── Android.mk //hardware_modules :=rowan
└── rowan
├── Android.bp //cc_library_shared {name: "rowan.default",}
└── rowan.c //struct rowan_module HAL_MODULE_INFO_SYM = {.common = {.id = ROWAN_HARDWARE_MODULE_ID,.methods = &rowan_module_methods,}.GpioControl = control_interface,};
-------------------------------------------------------------------------
\vendor\mediatek\proprietary\packages\3rd-party\PowerCtl\Android.mk
LOCAL_PACKAGE_NAME := PowerCtl
LOCAL_STATIC_JAVA_LIBRARIES += android.hardware.rowan-V1.0-java
\vendor\mediatek\proprietary\packages\3rd-party\PowerCtl\src\com\example\administrator\powercontrol\MainActivity.java
import android.hardware.rowan.V1_0.IRowanModule;
private IRowanModule myService = null;
myService = IRowanModule.getService();
myService.gpioControl("/dev/along_gpio", 120, 1074040853);
-------------------------------------------------------------------------
/system/sepolicy/public/global_macros
30 define(`r_dir_perms', `{ open getattr read search ioctl lock }')
31 define(`w_dir_perms', `{ open search write add_name remove_name lock }')
32 define(`ra_dir_perms', `{ r_dir_perms add_name write }')
33 define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
-------------------------------------------------------------------------
添加te文件时有两种思路
一. 按照system/sepolicy 目录中添加vibrator service的步骤添加hello service
二. 在device 目录下添加hello.te 文件等操作实现
---------------------------------------------------------------------------------------
方法一. system/sepolicy 部分添加
这里举例添加了两种服务,一种service,另一种hwservice
1. \system\sepolicy\public\service.te 定义服务名称和属性
type xxx_service,app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
\system\sepolicy\public\hwservice.te
type hal_rowan_hwservice, hwservice_manager_type;
2.\system\sepolicy\private\service_contexts 添加服务名称
xxx u:object_r:xxx_service:s0
\system\sepolicy\private\hwservice_contexts
android.hardware.rowan::IRowanModule u:object_r:hal_rowan_hwservice:s0
\system\sepolicy\private\file_contexts
/(vendor|system/vendor)/bin/hw/android.hardware\.rowan@1\.0-service u:object_r:hal_rowan_default_exec:s0
---------------------------------------------------------------------------------------
3.\system\sepolicy\private\compat\26.0\26.0.cil 文件最后添加
(typeattributeset xxx_service_26_0 (xxx_service))
(typeattributeset hal_rowan_hwservice_26_0 (hal_rowan_hwservice))
---------------------------------------------------------------------------------------
4.\system\sepolicy\prebuilts\api\26.0\public\service.te 定义服务名称和属性
type xxx_service,app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
\system\sepolicy\prebuilts\api\26.0\public\hwservice.te
type hal_rowan_hwservice, hwservice_manager_type;
5.\system\sepolicy\prebuilts\api\26.0\private\service_contexts 添加服务名称
xxx u:object_r:xxx_service:s0
\system\sepolicy\prebuilts\api\26.0\private\hwservice_contexts
android.hardware.rowan::IRowanModule u:object_r:hal_rowan_hwservice:s0
\system\sepolicy\prebuilts\api\26.0\private\file_contexts
/(vendor|system/vendor)/bin/hw/android.hardware\.rowan@1\.0-service u:object_r:hal_rowan_default_exec:s0
---------------------------------------------------------------------------------------
6.\system\sepolicy\prebuilts\api\26.0\nonplat_sepolicy.cil 添加相应配置
6.1
(typeattribute xxx_service_26_0)
(roletype object_r xxx_service_26_0)
(typeattribute hal_rowan_hwservice_26_0)
(roletype object_r hal_rowan_hwservice_26_0)
6.2 typeattributeset system_server_service 在最后添加自定义的服务 xxx_service_26_0
6.3 typeattributeset app_api_service 在最后添加自定义的服务 xxx_service_26_0
6.4 typeattributeset ephemeral_app_api_service 在最后添加自定义的服务 xxx_service_26_0
6.5 typeattributeset service_manager_type 在最后添加自定义的服务 xxx_service_26_0
typeattributeset hwservice_manager_type 在最后添加自定义的服务 hal_rowan_hwservice_26_0
----------------------------------------------------------------------------------------
文件修改后可以mmm system/sepolicy/ 验证语法或规则是否符合要求。
----------------------------------------------------------------------------------------
方法二. device添加
MTK包含很多重复的.te文件,bsp的优先级最高
./mediatek/sepolicy/full/plat_public/service.te
./mediatek/sepolicy/full/plat_private/service.te
./mediatek/sepolicy/full/prebuilts/api/26.0/plat_public/service.te
./mediatek/sepolicy/full/prebuilts/api/26.0/plat_private/service.te
./mediatek/sepolicy/basic/plat_public/service.te
./mediatek/sepolicy/bsp/plat_public/service.te 添加
./mediatek/sepolicy/bsp/plat_private/service.te
./mediatek/sepolicy/bsp/prebuilts/api/26.0/plat_public/service.te
./mediatek/sepolicy/bsp/prebuilts/api/26.0/plat_private/service.te
type xxx_service, service_manager_type;
----------------------------------------------------------------------------------------
./mediatek/sepolicy/full/plat_private/service_contexts
./mediatek/sepolicy/full/prebuilts/api/26.0/plat_private/service_contexts
./mediatek/sepolicy/basic/plat_private/service_contexts
./mediatek/sepolicy/bsp/plat_private/service_contexts 添加
./mediatek/sepolicy/bsp/prebuilts/api/26.0/plat_private/service_contexts添加
xxx u:object_r:xxx_service:s0
----------------------------------------------------------------------------------------
./mediatek/sepolicy/full/plat_private/system_server.te
./mediatek/sepolicy/full/non_plat/system_server.te
./mediatek/sepolicy/full/prebuilts/api/26.0/plat_private/system_server.te
./mediatek/sepolicy/basic/plat_private/system_server.te
./mediatek/sepolicy/basic/non_plat/system_server.te
./mediatek/sepolicy/basic/prebuilts/api/26.0/plat_private/system_server.te
./mediatek/sepolicy/bsp/plat_private/system_server.te 添加
./mediatek/sepolicy/bsp/non_plat/system_server.te
./mediatek/sepolicy/bsp/prebuilts/api/26.0/plat_private/system_server.te
./mediatek/mt8167/sepolicy/basic/system_server.te
allow system_server xxx_service:service_manager { add };
----------------------------------------------------------------------------------------
添加两个文件
./mediatek/sepolicy/bsp/plat_private/hello.te
typeattribute hello coredomain;
init_daemon_domain(xxx)
./mediatek/sepolicy/bsp/plat_public/hello.te
type xxx, domain;
type xxx_exec, exec_type, file_type;
或者一个文件:
./mediatek/mt8163/sepolicy/bsp/hello.te
# Domain for the hello service and the label of its executable.
type xxx, domain;
type xxx_exec, exec_type, file_type;
# NOTE(review): the domain declared above is "xxx" but the next line attributes
# "hello" — both must name the same type, otherwise checkpolicy fails with
# "unknown type" (compare the hal_rowan_default_exec error further down).
typeattribute hello coredomain;
# Declared after xxx_exec on purpose: the macro references the exec type.
init_daemon_domain(xxx)
------------------------------------------------------------------------------------------
ps:
#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
#
# For example, default implementation of Foo HAL:
# type hal_foo_default, domain;
# hal_server_domain(hal_foo_default, hal_foo)
#
define(`hal_server_domain', `
typeattribute $1 halserverdomain;
typeattribute $1 $2_server;
typeattribute $1 $2;
')
-----------------------------------------------------------------------------------------
添加device/mediatek/mt8163/sepolicy/bsp/hal_rowan_default.te
# hal_rowan_default.te — SELinux domain of the rowan HAL service
# (/vendor/bin/hw/android.hardware.rowan@1.0-service, labelled
# hal_rowan_default_exec in file_contexts).

#Set a new domain called hal_rowan_default
type hal_rowan_default, domain;
#Set your domain as server domain of hal_rowan in which define by AOSP already
# hal_server_domain() adds the halserverdomain, hal_rowan_server and hal_rowan
# attributes to this domain; hal_rowan* are declared in public/attributes and
# the client/server binder rules live in hal_rowan.te.
hal_server_domain(hal_rowan_default, hal_rowan)
#Set your exec file type
# Must come before init_daemon_domain() below, which references this type;
# otherwise checkpolicy reports 'unknown type hal_rowan_default_exec'.
type hal_rowan_default_exec, exec_type, vendor_file_type, file_type;
#Setup for domain transition
# When init execs a hal_rowan_default_exec file the child enters
# hal_rowan_default instead of inheriting init's domain.
init_daemon_domain(hal_rowan_default)
#correlated to untrusted_app_visible_hwservice & untrusted_app_visible_halserver
# These two attributes are the carve-outs in app_neverallows.te: the first
# exempts the hwservice from "neverallow all_untrusted_apps ...:hwservice_manager
# find", the second exempts this domain from "neverallow all_untrusted_apps
# halserverdomain:binder { call transfer }". They widen exposure to every
# untrusted app domain, not only PowerCtl (on AOSP the attributes also carry an
# allow for appdomain — confirm on this tree). A platform-signed client or a
# per-app allow rule is the narrower option.
typeattribute hal_rowan_hwservice untrusted_app_visible_hwservice;
typeattribute hal_rowan_default untrusted_app_visible_halserver;
# Device access. "sysfs" is the generic label for /sys nodes without a more
# specific type, so write here covers every such node — NOTE(review): prefer a
# dedicated type for the node this HAL actually writes, as done for
# /dev/along_gpio below.
allow hal_rowan_default sysfs:file { write r_file_perms };
allow hal_rowan_default ttyMT_device:file rw_file_perms;
# Already granted through hal_rowan_server by add_hwservice() in hal_rowan.te;
# kept explicit here. Only its own hwservice name, never default_android_hwservice.
allow hal_rowan_default hal_rowan_hwservice:hwservice_manager { find add };
# /dev/along_gpio is labelled along_gpio_device in device.te / file_contexts.
allow hal_rowan_default along_gpio_device:chr_file rw_file_perms;
------------------------------------------------------------------------------------------
init_daemon_domain(hal_rowan_default) 是一个宏,声明当一个domain为init的进程创建一个子进程执行一个type为hal_rowan_default_exec的文件时,将该子进程的domain设置为hal_rowan_default,而不是继承父进程的domain。并且给与hal_rowan_default这个domain,所有定义在tmpfs_domain宏中的权限
所以在init_daemon_domain(hal_rowan_default)之前,必须先定义hal_rowan_default_exec的类型,否则,编译报错。
rebuildlog:
#line 22
device/mediatek/mt8163/sepolicy/bsp/hal_rowan_default.te:15:ERROR 'unknown type hal_rowan_default_exec' at token ';' on line 45677:
allow init hal_rowan_default_exec:file { getattr open read execute map };
#line 15
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/tb8163p3_bsp/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy.conf
------------------------------------------------------------------------------------------
hwbinder模式下dlopen问题和passthrough模式(sp<IRowanModule> service = new RowanModule(myModule))编译无法通过:
01-01 00:07:26.123 221 221 W /system/bin/hwservicemanager: getTransport: FOUND entry android.hardware.rowan@1.0::IRowanModule/default in either framework or device manifest.
01-01 00:07:26.139 4929 4929 E vndksupport: Could not load /vendor/lib/hw/android.hardware.rowan@1.0-impl.so from sphal namespace: dlopen failed: library "android.hardware.rowan@1.0.so" not found.
01-01 00:07:26.140 4929 4929 E ./rowantest: Failed to dlopen android.hardware.rowan@1.0-impl.so: unknown error
Android.mk
LOCAL_MODULE := android.hardware.rowan@1.0-service
LOCAL_INIT_RC := android.hardware.rowan@1.0-service.rc
LOCAL_SRC_FILES := \
service.cpp \
RowanModule.cpp
------------------------------------------------------------------------------------------
ps: SELINUX 基本类型的定义:
/system/sepolicy/public/attributes
/system/sepolicy/prebuilts/api/26.0/public/attributes
attribute hwservice_manager_type;
attribute dev_type;
\system\sepolicy\private\file_contexts
android.hardware.rowan::IRowanModule u:object_r:hal_rowan_hwservice:s0
* u:object_r:default_android_hwservice:s0
/device/mediatek/sepolicy/basic/non_plat/
/dev/ttyMT.* u:object_r:ttyMT_device:s0
------------------------------------------------------------------------------------------
SELINUX 基本类型hal_rowan的定义:
1.\system\sepolicy\public\attributes
\system\sepolicy\prebuilts\api\26.0\public\attributes
attribute hal_rowan;
attribute hal_rowan_client;
attribute hal_rowan_server;
2.新增 sepolicy/public/hal_rowan.te
新增 system/sepolicy/prebuilts/api/26.0/public/hal_rowan.te
# HwBinder IPC from client to server, and callbacks
binder_call(hal_rowan_client, hal_rowan_server)
binder_call(hal_rowan_server, hal_rowan_client)
# add_hwservice(): find/add on hal_rowan_hwservice plus add on
# hidl_base_hwservice for the server, and a neverallow so no other domain can
# register this hwservice name (see the macro definition further down).
add_hwservice(hal_rowan_server, hal_rowan_hwservice)
# Clients may only look the service up, never register it.
allow hal_rowan_client hal_rowan_hwservice:hwservice_manager find;
3.\system\sepolicy\private\system_server.te
\system\sepolicy\prebuilts\api\26.0\private\system_server.te
hal_client_domain(system_server, hal_rowan)
4.\system\sepolicy\prebuilts\api\26.0\nonplat_sepolicy.cil
(allow hal_rowan_client hal_rowan_server (binder (call transfer)))
(allow hal_rowan_server hal_rowan_client (binder (transfer)))
(allow hal_rowan_client hal_rowan_server (fd (use)))
(allow hal_rowan_server hal_rowan_client (binder (call transfer)))
(allow hal_rowan_client hal_rowan_server (binder (transfer)))
(allow hal_rowan_server hal_rowan_client (fd (use)))
(allow hal_rowan_server hal_rowan_hwservice_26_0 (hwservice_manager (add find)))
(allow hal_rowan_server hidl_base_hwservice_26_0 (hwservice_manager (add)))
------------------------------------------------------------------------------------------
权限放大问题:
avc: denied { find } for pid=1217
comm="hal_rowan_default" name="tfa9897" dev="tmpfs" ino=4385 scontext=u:r:hal_rowan_default:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0
如果直接按照此LOG 转换出SELinux Policy: allow hal_rowan_default default_android_hwservice:hwservice_manager find;
那么就会开放 hal_rowan_default 读写所有default_android_hwservice 的权限.
而Google 为了防止这样的情况, 使用了neverallow 语句来约束, 这样你编译sepolicy 时就无法编译通过:
/system/sepolicy/prebuilts/api/26.0/public/domain.te
neverallow * default_android_service:service_manager add;
neverallow * default_android_vndservice:service_manager { add find };
neverallow * default_android_hwservice:hwservice_manager { add find };
所以需要自定义一个 hal_rowan_hwservice
------------------------------------------------------------------------------------------
dev节点权限:
W rowan@1.0-servi: type=1400 audit(0.0:89): avc: denied { read write } for name="along_gpio" dev="tmpfs" ino=7561 scontext=u:r:hal_rowan_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0
device/mediatek/sepolicy/basic/non_plat/device.te:
type along_gpio_device, dev_type;
device/mediatek/sepolicy/basic/non_plat/file_contexts:
/dev/along_gpio u:object_r:along_gpio_device:s0
device/mediatek/mt8163/sepolicy/bsp/hal_rowan_default.te:
allow hal_rowan_default along_gpio_device:chr_file rw_file_perms;
------------------------------------------------------------------------------------------
android.hardware.rowan@1.0-service.rc
# Started by init. The binary is labelled hal_rowan_default_exec in
# file_contexts and init_daemon_domain() moves the process into the
# hal_rowan_default domain; without that domain init refuses to start it
# ("Service xxx does not have a SELinux domain defined", see below).
service rowan-hal-1-0 /vendor/bin/hw/android.hardware.rowan@1.0-service
# Class "hal": started/stopped together with the other HAL services.
class hal
# Switch from root to the system uid/gid before exec.
# NOTE(review): a vendor HAL normally does not need the system uid; a
# dedicated uid/gid for this daemon would be narrower — confirm what the
# GPIO node actually requires.
user system
group system
添加了.rc文件发现服务无法启动
init: Service xxx does not have a SELinux domain defined.
\system\sepolicy\private\file_contexts
/(vendor|system/vendor)/bin/hw/android.hardware\.rowan@1\.0-service u:object_r:hal_rowan_default_exec:s0
\system\sepolicy\prebuilts\api\26.0\private\file_contexts
/(vendor|system/vendor)/bin/hw/android.hardware\.rowan@1\.0-service u:object_r:hal_rowan_default_exec:s0
并且sepolicy/public/hal_rowan.te
type hal_rowan_default, domain;
hal_server_domain(hal_rowan_default, hal_rowan)
type hal_rowan_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_rowan_default)
------------------------------------------------------------------------------------------
\hardware\interfaces\rowan\1.0\default\service.cpp
using android::hardware::rowan::V1_0::IRowanModule;
using android::hardware::rowan::V1_0::implementation::RowanModule;

// Entry point of android.hardware.rowan@1.0-service.
//
// Two hosting modes sit behind a compile-time switch:
//   #if 1  -> passthrough: defaultPassthroughServiceImplementation() dlopens
//             android.hardware.rowan@1.0-impl.so (which must itself be able to
//             resolve android.hardware.rowan@1.0.so, see the "dlopen failed"
//             log above) and registers it with hwservicemanager.
//   #else  -> binderized: instantiate RowanModule in this process and
//             register it directly.
int main(int /* argc */, char * /* argv */ []) {
#if 1
    // Passthrough: the implementation library is loaded via dlopen.
    return defaultPassthroughServiceImplementation<IRowanModule>();
#else
    // Binderized: the service object lives in this process.
    // NOTE(review): myModule is never populated on this path — hw_get_module()
    // is only called from HIDL_FETCH_IRowanModule() in RowanModule.cpp — so
    // RowanModule would be constructed with a null rowan_module_t. Confirm
    // before enabling this branch.
    rowan_module_t* myModule = nullptr;
    sp<IRowanModule> service = new RowanModule(myModule);

    // Size of the process-wide hwbinder thread pool that serves incoming
    // requests (system/libhidl/transport/HidlTransportSupport.cpp).
    configureRpcThreadpool(4, true);
    if (android::OK != service->registerAsService()) {
        return 1;
    }
    // Does not return: this thread joins the hwbinder pool.
    joinRpcThreadpool();
#endif
}
------------------------------------------------------------------------------------------
上层 app Android.mk:
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE_TAGS := optional
LOCAL_SRC_FILES := $(call all-subdir-java-files)
LOCAL_PACKAGE_NAME := PowerCtl
# The HIDL client library is linked statically; with LOCAL_JAVA_LIBRARIES the
# classes must instead be reachable at runtime (PRODUCT_BOOT_JARS), otherwise
# "ClassNotFoundException: android.hardware.rowan.V1_0.IRowanModule" (see below).
#LOCAL_JAVA_LIBRARIES += android.hardware.rowan-V1.0-java
LOCAL_STATIC_JAVA_LIBRARIES += android.hardware.rowan-V1.0-java
# Platform signature: the app is then not confined as an untrusted app, which
# app_neverallows.te bars from finding this hwservice ("方法一" below).
# NOTE(review): this ties the app to the device's platform key; use only for a
# system-built app, and prefer a dedicated app domain where that is an option.
LOCAL_CERTIFICATE := platform
include $(BUILD_PACKAGE)
java getservice方法:
import android.hardware.rowan.V1_0.IRowanModule;
private IRowanModule myService = null;
myService = IRowanModule.getService();
myService.gpioControl("/dev/along_gpio", 120, 1074040853);
如果编译报错"unhandled exception type Exception"
在Java中除了RuntimeException及其任何子类,其他异常类都被Java的异常强制处理机制强制异常处理。
关于那些被强制异常处理的代码块,必须进行异常处理,否则编译器会提示“Unhandled exception type Exception”错误警告。
Java中用于处理异常的方式
自行处理:可能引发异常的语句封入在try内,而处理异常的相应语句则封入catch块内
回避异常:在方法声明中包含throws子句,通知潜在调用者,如果发生了异常,必须由调用者处理。
try {
    //mDemoManager = (DemoManager)getSystemService("demo");
    // getService() is a checked call: without a handler javac reports
    // "unhandled exception type Exception" (see above).
    myService = IRowanModule.getService();
} catch (Exception e) {
    // NOTE(review): when the hwservice cannot be found (e.g. the SELinux
    // "find" denial shown below) getService() appears to yield null instead
    // of throwing — the later NullPointerException on gpioControl() shows
    // that — so check myService for null before calling into it.
    Log.e ("xxx","IRowanModule getService error!");
    e.printStackTrace();
}
untrusted_apps 权限问题:
由于手动安装的app都会被当成untrusted_apps, 并且google对所有untrusted_apps都做了限制:
/system/sepolicy/private/app_neverallows.te
# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
在apk运行时调用接口会提示untrusted_apps没有权限, 或者出现下面这个错误:
W System.err: java.lang.NullPointerException: Attempt to invoke interface method 'int android.hardware.rowan.V1_0.IRowanModule.gpioControl(java.lang.String, int, int)' on a null object reference
方法一:
需要在Android.mk
LOCAL_CERTIFICATE := platform
方法二:
修改app_neverallows.te,不过修改该文件后就无法过cts了
方法三:
\device\mediatek\sepolicy\bsp\non_plat\app.te
\device\mediatek\sepolicy\bsp\non_plat\platform.te
\device\mediatek\sepolicy\bsp\non_plat\system.te 添加:
allow xxxx_app hal_rowan_hwservice:hwservice_manager find;
allow xxxx_app hal_rowan_default:binder call;
但是由于google在app_neverallows.te的限制,如果在app.te添加allow xxxx_app hal_rowan_hwservice:hwservice_manager find;
就会出现以下编译错误:
libsepol.report_failure: neverallow on line 71 of system/sepolicy/private/isolated_app.te (or line 25626 of policy.conf) violated by allow isolated_app hal_rowan_hwservice:hwservice_manager { find };
libsepol.report_failure: neverallow on line 162 of system/sepolicy/private/app_neverallows.te (or line 22412 of policy.conf) violated by allow untrusted_app_25 hal_rowan_hwservice:hwservice_manager { find };
libsepol.report_failure: neverallow on line 162 of system/sepolicy/private/app_neverallows.te (or line 22412 of policy.conf) violated by allow ephemeral_app hal_rowan_hwservice:hwservice_manager { find };
libsepol.report_failure: neverallow on line 162 of system/sepolicy/private/app_neverallows.te (or line 22412 of policy.conf) violated by allow untrusted_v2_app hal_rowan_hwservice:hwservice_manager { find };
libsepol.report_failure: neverallow on line 162 of system/sepolicy/private/app_neverallows.te (or line 22412 of policy.conf) violated by allow mediaprovider hal_rowan_hwservice:hwservice_manager { find };
libsepol.report_failure: neverallow on line 162 of system/sepolicy/private/app_neverallows.te (or line 22412 of policy.conf) violated by allow untrusted_app hal_rowan_hwservice:hwservice_manager { find };
libsepol.report_failure: neverallow on line 162 of system/sepolicy/private/app_neverallows.te (or line 22412 of policy.conf) violated by allow isolated_app hal_rowan_hwservice:hwservice_manager { find };
libsepol.check_assertions: 7 neverallow failures occurred
Error while expanding policy
libsepol.report_failure: neverallow on line 162 of system/sepolicy/private/app_neverallows.te (or line 22396 of policy.conf) violated by allow untrusted_app hal_rowan_hwservice:hwservice_manager { find };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
Failed to generate binary
Failed to build policydb
[ 22% 23/102] build out/target/product/tb8163p3_bsp/obj/ETC/sepolicy_intermediates/sepolicy
FAILED: out/target/product/tb8163p3_bsp/obj/ETC/sepolicy_intermediates/sepolicy
/bin/bash -c "(out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/tb8163p3_bsp/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/tb8163p3_bsp/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/tb8163p3_bsp/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/tb8163p3_bsp/obj/ETC/sepolicy_intermediates/sepolicy.tmp -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/tb8163p3_bsp/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/tb8163p3_bsp/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"eng\" = \"user\" -a -s out/target/product/tb8163p3_bsp/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/tb8163p3_bsp/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/tb8163p3_bsp/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/tb8163p3_bsp/obj/ETC/sepolicy_intermediates/sepolicy )"
neverallow check failed at out/target/product/tb8163p3_bsp/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:10437 from system/sepolicy/private/app_neverallows.te:220
(neverallow untrusted_app base_typeattr_203 (binder (call transfer)))
<root>
allow at out/target/product/tb8163p3_bsp/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:13157
(allow untrusted_app_27_0 hal_rowan_default (binder (call)))
neverallow check failed at out/target/product/tb8163p3_bsp/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:10433 from system/sepolicy/private/app_neverallows.te:220
(neverallow untrusted_app_all base_typeattr_203 (binder (call transfer)))
<root>
allow at out/target/product/tb8163p3_bsp/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:13157
(allow untrusted_app_27_0 hal_rowan_default (binder (call)))
system/sepolicy/private/app_neverallows.te
system/prebuilts/api/26.0/private/app_neverallows.te
附:app_neverallows.te:
neverallow all_untrusted_apps {
hwservice_manager_type
-same_process_hwservice
-coredomain_hwservice
-hal_configstore_ISurfaceFlingerConfigs
-hal_graphics_allocator_hwservice
-hal_omx_hwservice
-hal_cas_hwservice
-untrusted_app_visible_hwservice
}:hwservice_manager find;
define(`all_untrusted_apps',`{
ephemeral_app
isolated_app
mediaprovider
untrusted_app
untrusted_app_25
untrusted_app_all
untrusted_v2_app
}')
full_treble_only(`
neverallow all_untrusted_apps {
halserverdomain
-coredomain
-hal_configstore_server
-hal_graphics_allocator_server
-hal_cas_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-untrusted_app_visible_halserver
}:binder { call transfer };
')
在\device\mediatek\mt8163\sepolicy\bsp\hal_rowan_default.te 添加:
#correlated to untrusted_app_visible_hwservice & coredomain
typeattribute hal_rowan_hwservice untrusted_app_visible_hwservice;
typeattribute hal_rowan_default coredomain;
然后编译错误:
The following domains must not be associated with the "coredomain" attribute because they are executed off of /vendor or /system/vendor:
hal_rowan_default
那就换一个吧
typeattribute hal_rowan_default untrusted_app_visible_halserver;
------------------------------------------------------------------------------------------
如果编译出现以下错误:
Caused by: java.lang.ClassNotFoundException: Didn't find class "android.hardware.rowan.V1_0.IRowanModule"
on path: DexPathList[[zip file "/system/app/PowerCtl/PowerCtl.apk"],
nativeLibraryDirectories=[/system/app/PowerCtl/lib/arm, /system/lib, /vendor/lib, /system/lib, /vendor/lib]]
需要在Android.mk 修改:
LOCAL_STATIC_JAVA_LIBRARIES += android.hardware.rowan-V1.0-java
或者在build/target/product/core_minimal.mk 或者\device\mediatek\mt8163\device.mk 中
PRODUCT_BOOT_JARS 的变量中添加 android.hardware.rowan-V1.0-java
这就相当于把 android.hardware.rowan-V1.0-java.jar 放到了一个公共的、众所周知的地方,自然不会出现找不到class的问题。
# The order of PRODUCT_BOOT_JARS matters.
PRODUCT_BOOT_JARS := \
$(TARGET_CORE_JARS) \
legacy-test \
ext \
framework \
telephony-common \
voip-common \
ims-common \
org.apache.http.legacy.boot \
android.hidl.base-V1.0-java \
android.hidl.manager-V1.0-java
接着编译出现 unknown package name of class file, 用grep查找错误的来源, 发现出自一个Python脚本:
build/make/core/tasks/check_boot_jars/check_boot_jars.py
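def CheckJar(jar):
    """Check a jar file.

    Lists the entries of ``jar`` and verifies that every ``.class`` file lives
    in a package matched by the module-level ``whitelist_re``.

    Args:
      jar: path of the jar file to check.

    Returns:
      True if every class file is in a whitelisted package (or the jar holds no
      class files); False if ``jar tf`` cannot be run or fails, or a class in a
      non-whitelisted package is found (reported on stderr).
    """
    # Get the list of files inside the jar file.  The path is passed as a
    # separate argv element instead of being interpolated into a shell command
    # line, so shell metacharacters in a jar path cannot alter the command.
    try:
        p = subprocess.Popen(['jar', 'tf', jar],
                             stdout=subprocess.PIPE)
    except OSError:
        # 'jar' missing or not executable: treat like a failed run.
        return False
    stdout, _ = p.communicate()
    if p.returncode != 0:
        return False
    # Popen yields bytes on Python 3; decode so the '.class' checks work on
    # both interpreters (on Python 2 the output is already str).
    if not isinstance(stdout, str):
        stdout = stdout.decode('utf-8', 'replace')
    for f in stdout.split():
        if not f.endswith('.class'):
            continue
        package_name = os.path.dirname(f).replace('/', '.')
        # Skip class without a package name
        if package_name and not whitelist_re.match(package_name):
            sys.stderr.write('Error: %s contains class file %s, which is not in the whitelist\n'
                             % (jar, f))
            return False
    return True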
很明显,如果自己的jar的包名(package name)不在whitelist_re里面的话,编译报错,通过添加log发现whitelist_re来自一个txt文件:
/build/make/core/tasks/check_boot_jars/package_whitelist.txt
查看该文件发现PRODUCT_BOOT_JARS的其他jar的包名都有在这里定义,仿照文件格式把自己的包名添加到这里就OK!
--------------------------------------------------------------------------
修改device下的26.0.cil编译无法通过,文件权限会变化,即使改回来也不行,不知什么原因。
device/mediatek/sepolicy/full/private/compat/26.0/26.0.cil //这两个没有用到
device/mediatek/sepolicy/basic/private/compat/26.0/26.0.cil //这两个没有用到
device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil
-rwxrwxr-x 1 isaac isaac 44537 Oct 16 11:28 26.0.cil //original
-->
-rw-rwxr-x 1 isaac isaac 42665 Oct 16 11:22 26.0.cil
FAILED: out/target/product/tb8163p3_bsp/obj/ETC/treble_sepolicy_tests_intermediates/26.0_compat
/bin/bash -c "out/host/linux-x86/bin/secilc -M true -G -N -c 30 out/target/product/tb8163p3_bsp/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil device/mediatek/sepolicy/bsp/prebuilts/api/26.0/nonplat_sepolicy.cil -o out/target/product/tb8163p3_bsp/obj/ETC/treble_sepolicy_tests_intermediates/26.0_compat -f /dev/null"
Failed to resolve typeattributeset statement at device/mediatek/sepolicy/bsp/private/compat/26.0/26.0.cil:434
Failed to compile cildb: -2
所以修改下面这两个文件就可以了:
\system\sepolicy\prebuilts\api\26.0\nonplat_sepolicy.cil
\system\sepolicy\private\compat\26.0\26.0.cil
-----------------------------------------------------------------------------------------
jack_res_jar_flags
package.apk
package.apk.unsigned
ERROR: /home/isaac/Work/tb8163p3_bsp_r8/alps/vendor/mediatek/proprietary/packages/3rd-party/PowerCtl/src/com/example/administrator/powercontrol/MainActivity.java:21.8: The import android.hardware.rowan cannot be resolved
LOCAL_JAVA_LIBRARIES += android.hardware.rowan-V1.0-java
---------------------------------------
在hardware/interfaces/rowan/1.0/Android.mk
LOCAL_JACK_ENABLED := disabled
这样就能生成classes.jar
----------------------------------------------------------------
error: 'out/target/common/obj/JAVA_LIBRARIES/android.hardware.rowan-V1.0-java_intermediates/classes.jack', needed by 'out/target/common/obj/APPS/PowerCtl_intermediates/with-local/classes.dex', missing and no known rule to make it
在PowerCtl的Android.mk也加上:
LOCAL_JAVA_LIBRARIES += android.hardware.rowan-V1.0-java
---------------------------------------------------------------------------------
user版本adb执行/system/bin/gpiotest
rowantest Failed to get service
E SELinux : avc: denied { find } for interface=android.hardware.rowan::IRowanModule pid=7254 scontext=u:r:shell:s0 tcontext=u:object_r:hal_rowan_hwservice:s0 tclass=hwservice_manager permissive=0
---------------------------------------------------------------------------------
W /system/bin/hwservicemanager: getTransport: FOUND entry android.hardware.rowan@1.0::IRowanModule/default in either framework or device manifest.
W rowantest: type=1400 audit(0.0:73): avc: denied { call } for scontext=u:r:shell:s0 tcontext=u:r:hal_rowan_default:s0 tclass=binder permissive=0
W android.hardware.rowan@1.0::RowanModule: IRowanModule: cannot call into hwbinder service: Status(EX_TRANSACTION_FAILED): 'FAILED_TRANSACTION: '; No permission? Check for selinux denials.
---------------------------------------------------------------------------------
device/mediatek/mt8163/sepolicy/bsp/hal_myled_default.te:35:ERROR 'unknown type storaged' at token ';' on line 45848:
allow system_app storaged:binder { call transfer };
--------------------------------------
###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
')
###########################################
# add_hwservice(domain, service)
# Ability for domain to add a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_hwservice', `
allow $1 $2:hwservice_manager { add find };
allow $1 hidl_base_hwservice:hwservice_manager add;
neverallow { domain -$1 } $2:hwservice_manager add;
neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
')
---------------------------------------------------------------------------------
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE_TAGS := optional
LOCAL_SRC_FILES := $(call all-subdir-java-files)
LOCAL_PACKAGE_NAME := PowerCtl
# HIDL client library linked statically (see the ClassNotFoundException note).
LOCAL_STATIC_JAVA_LIBRARIES += android.hardware.rowan-V1.0-java
# Not platform-signed: the app runs as an untrusted app, so reaching the HAL
# depends on the untrusted_app_visible_* attributes in hal_rowan_default.te.
#LOCAL_CERTIFICATE := platform
# Build with javac instead of Jack so classes.jar is produced (see below).
LOCAL_JACK_ENABLED := disabled
include $(BUILD_PACKAGE)
LOCAL_JACK_ENABLED := disabled会生成以下文件:
out\target\common\obj\APPS\PowerCtl_intermediates\classes.jar
----------------------------------------------------------------------------------
apk要通过HIDL控制GPIO必须加载三个classes.jar库
out\target\common\obj\JAVA_LIBRARIES\android.hardware.rowan-V1.0-java_intermediates\rowan_classes.jar
out\target\common\obj\JAVA_LIBRARIES\android.hidl.base-V1.0-java_intermediates\hidl_base_classes.jar
out\target\common\obj\JAVA_LIBRARIES\hwbinder_intermediates\hwbinder_classes.jar
如果hwbinder_intermediates找不到,需要在frameworks\base\Android.mk添加:
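# HwBinder
# =======================================================
# Builds hwbinder.jar (the Java HwBinder/HwParcel classes) as a standalone
# library so out/.../JAVA_LIBRARIES/hwbinder_intermediates/classes.jar exists
# for apps that link the HIDL Java client library directly.
include $(CLEAR_VARS)
LOCAL_SRC_FILES := \
    core/java/android/os/HidlSupport.java \
    core/java/android/annotation/NonNull.java \
    core/java/android/os/HwBinder.java \
    core/java/android/os/HwBlob.java \
    core/java/android/os/HwParcel.java \
    core/java/android/os/IHwBinder.java \
    core/java/android/os/IHwInterface.java \
    core/java/android/os/DeadObjectException.java \
    core/java/android/os/DeadSystemException.java \
    core/java/android/os/RemoteException.java \
    core/java/android/util/AndroidException.java
# No trailing backslash after the last source file: a "\" there would splice
# the next assignment into LOCAL_SRC_FILES.
LOCAL_NO_STANDARD_LIBRARIES := true
LOCAL_JAVA_LIBRARIES := core-oj core-libart
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE := hwbinder
LOCAL_DX_FLAGS := --core-library
LOCAL_UNINSTALLABLE_MODULE := true
include $(BUILD_JAVA_LIBRARY)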
然后mmma frameworks/base,之后再rebuild就会生成hwbinder_intermediates(mmma生成很多垃圾apk?)
如果还是没有classes.jar那就加上LOCAL_JACK_ENABLED := disabled
---------------------------------------------------------------------------------------------
01-01 00:00:30.097000 1368 1368 I auditd : type=1400 audit(0.0:20): avc: denied { transition } for comm="init" path="/system/bin/kedao.sh" dev="mmcblk0p31" ino=531 scontext=u:r:init:s0 tcontext=u:object_r:kedao_exec:s0 tclass=process permissive=0
<11>[ 24.969185] .(3)[1381:init]init: cannot execve('/system/bin/kedao.sh'): Permission denied
<36>[ 24.969378] .(1)[290:logd.auditd]type=1400 audit(1570851884.494:20): avc: denied { transition } for pid=1381 comm="init" path="/system/bin/kedao.sh" dev="mmcblk0p31" ino=531 scontext=u:r:init:s0 tcontext=u:object_r:kedao_exec:s0 tclass=process permissive=0