Monday, December 8, 2014

root access - How to add SELinux policy on a user-debug ROM that has `split` policy scheme?


I have a Sony device that supports treble and is a system-as-root and A/B device. It has a user-debug ROM installed on it so, its adb shell is rooted.


I have disabled dm-verity using adb disable-verity after running adb root and adb remount commands.


As documented here, this device also has split policies at /system/etc/selinux(the 'plat' portion of the policy) and /vendor/etc/selinux(the 'nonplat' portion of the policy).


I am trying to run test.sh using following init script:


#/etc/init/m_daemon.rc

# define service, use executable here if script not needed

service m_daemon /system/xbin/test.sh

# don't start unless explicitly asked to
disabled

# Use `seclabel u:r:magisk:s0` to run with unrestricted SELinux context to avoid avc denials
# can also use "u:r:su:s0" on userdebug / eng builds if no Magisk.
# It's required if SELinux is enforcing and service needs access
# to some system resources not allowed by default sepolicy
# seclabel u:object_r:qlogd_exec:s0

seclabel u:r:su:s0

# start the service when the boot is completed
on property:sys.boot_completed=1
# Use it to start the service
start m_daemon


/system/xbin/test.sh file has the following contents:


#!/system/bin/sh

echo `date` > /sdcard/test

When the device reboot then it fails to run with the following error:



202.932913 / 11-26 20:21:04.074 audit: type=1400 audit(1574763664.074:213): avc: denied { transition } for pid=8534 comm="init" path="/system/xbin/test.sh" dev="sda24" ino=8150 scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process permissive=0


202.933268 / 11-26 20:21:04.074 init: cannot execve('/system/xbin/test.sh'): Permission denied



To fix it, I have used sepolicy-inject and run the following commands:


sepolicy-inject -s init -t su -c process -p transition -P /sys/fs/selinux/policy -l
sepolicy-inject -s init -t su -c process -p noatsecure -P /sys/fs/selinux/policy -l

sepolicy-inject -s init -t su -c process -p rlimitinh -P /sys/fs/selinux/policy -l
sepolicy-inject -s init -t su -c process -p siginh -P /sys/fs/selinux/policy -l

but these needs to be run again after reboot.


So, I have tried to patch precompiled_sepolicy using following commands:


sepolicy-inject -s init -t su -c process -p transition -P /vendor/etc/selinux/precompiled_sepolicy -l
sepolicy-inject -s init -t su -c process -p noatsecure -P /vendor/etc/selinux/precompiled_sepolicy -l
sepolicy-inject -s init -t su -c process -p rlimitinh -P /vendor/etc/selinux/precompiled_sepolicy -l
sepolicy-inject -s init -t su -c process -p siginh -P /vendor/etc/selinux/precompiled_sepolicy -l


but the policies are not injected: neither live nor after reboot.


To test, I am just checking the date in /sdcard/test file.


So, I just want to know:



  • Why patching precompiled_policy didn't work?

  • Where to patch the required policies using rooted adb shell that should persist after a reboot?



Answer



To patch the policies, do the following:




  1. Change the value in /system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 OR empty this file.

  2. Inject required policies in /system/etc/selinux/plat_sepolicy.cil

  3. "Loading compiled SELinux policy" should show in logs and the init service will run fine.


No comments:

Post a Comment

samsung galaxy s 2 - Cannot restore Kies backup after firmware upgrade

I backed up my Samsung Galaxy S2 on Kies before updating to Ice Cream Sandwich. After the upgrade I tried to restore, but the restore fails ...