android 10 系统源码 persist分区存储数据,并在system_server中对数据进行读写操作,过滤selinux对权限限制
公冶渝
Persist 分区恢复出厂设置不会被清除掉
1.新建文件存储目录hs_data
/device/qcom/common/rootdir/etc/init.qcom.rc
@@ -157,6 +157,8 @@ on boot
mkdir /mnt/vendor/persist/secnvm 0770 system system
mkdir /mnt/vendor/persist/iar_db 0770 system system
mkdir /mnt/vendor/spunvm 0770 system system
+
+ mkdir /mnt/vendor/persist/hs_data 0777 system system
#Create WIGIG socket area
mkdir /dev/socket/wigig 0770 wifi wifi
+ chmod 0777 /mnt/vendor/persist/hs_data/vcom
+
# Create directory used for display
# for backward compatibility
mkdir /persist/display 0770 system graphics
2.过滤vendor_persist_type对system_server dir file 限制
/device/qcom/sepolicy/vendor/common/domain.te
@@ -26,6 +26,7 @@ neverallow {
-init
-ueventd
-vold
+ -system_server
} vendor_persist_type: { dir file } *;
allow { domain - coredomain } mnt_vendor_file:lnk_file r_file_perms;
3.定义type persist_hs_file
device/qcom/sepolicy/vendor/common/file.te
@@ -250,6 +250,8 @@ type persist_alarm_file, file_type, vendor_persist_type;
type persist_time_file, file_type, vendor_persist_type;
+type persist_hs_file, file_type, vendor_persist_type;
+
# nfc file type for data vendor access
type nfc_vendor_data_file, file_type, data_file_type;
4.对该/mnt/vendor/persist/hs_data、目录下的所有文件定义为u:object_r:persist_hs_file:s0类型
/device/qcom/sepolicy/vendor/common/file_contexts
@@ -731,3 +731,4 @@
/sys/class/power_supply/usb/real_type u:object_r:sysfs_usb_supply:s0
/sys/class/power_supply/battery/voltage_now u:object_r:sysfs_battery_supply:s0
/sys/class/power_supply/battery/current_now u:object_r:sysfs_battery_supply:s0
+/mnt/vendor/persist/hs_data(/.*)? u:object_r:persist_hs_file:s0
5.允许系统服务对/mnt/vendor/persist/hs_data/目录下进行读写操作
/device/qcom/sepolicy/vendor/common/system_server.te
@@ -167,3 +167,8 @@ hal_client_domain(system_server, hal_wifilearner)
allow system_server sysfs_graphics:file { getattr open read write };
+allow system_server mnt_vendor_file:dir { open read search getattr };
+allow system_server vendor_file:file { open read write execute getattr };
+allow system_server persist_hs_file:dir { open write read add_name search getattr };
+allow system_server persist_hs_file:file { getattr open read write create };
+
6.在system/sepolicy中过滤系统服务对/mnt/vendor/persist/hs_data/目录下进行读写操作
/system/sepolicy/prebuilts/api/29.0/public/domain.te
@@ -473,6 +473,7 @@ neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_p
# and invalidate dm-verity signatures.
neverallow {
domain
+ -system_server
with_asan(`-asan_extract')
recovery_only(`userdebug_or_eng(`-fastbootd')')
} {
@@ -975,6 +976,7 @@ full_treble_only(`
coredomain
-init
-shell
+ -system_server
-system_executes_vendor_violators
} {
vendor_file_type
@@ -989,6 +991,7 @@ full_treble_only(`
neverallow {
coredomain
-shell
+ -system_server
-system_executes_vendor_violators
} {
vendor_file_type
@@ -1008,6 +1011,7 @@ full_treble_only(`
userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-heapprofd')
-shell
+ -system_server
-system_executes_vendor_violators
-ueventd # reads /vendor/ueventd.rc
} {
@@ -1333,6 +1337,7 @@ full_treble_only(`
-perfprofd
-heapprofd
-ueventd
+ -system_server
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
@@ -1369,6 +1374,7 @@ neverallow {
-init
-ueventd
-vold
+ -system_server
-system_writes_mnt_vendor_violators
} mnt_vendor_file:dir *;
/system/sepolicy/public/domain.te
@@ -473,6 +473,7 @@ neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_p
# and invalidate dm-verity signatures.
neverallow {
domain
+ -system_server
with_asan(`-asan_extract')
recovery_only(`userdebug_or_eng(`-fastbootd')')
} {
@@ -975,6 +976,7 @@ full_treble_only(`
coredomain
-init
-shell
+ -system_server
-system_executes_vendor_violators
} {
vendor_file_type
@@ -989,6 +991,7 @@ full_treble_only(`
neverallow {
coredomain
-shell
+ -system_server
-system_executes_vendor_violators
} {
vendor_file_type
@@ -1008,6 +1011,7 @@ full_treble_only(`
userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-heapprofd')
-shell
+ -system_server
-system_executes_vendor_violators
-ueventd # reads /vendor/ueventd.rc
} {
@@ -1333,6 +1337,7 @@ full_treble_only(`
-perfprofd
-heapprofd
-ueventd
+ -system_server
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
@@ -1369,6 +1374,7 @@ neverallow {
-init
-ueventd
-vold
+ -system_server
-system_writes_mnt_vendor_violators
} mnt_vendor_file:dir
frameworks/base/services/core/java/com/android/server/hs/HsService.java
@@ -41,6 +41,8 @@ import android.widget.FrameLayout;
import com.android.server.wm.ActivityTaskManagerService;
+import java.io.File;
+import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -976,13 +978,27 @@ public class HsService extends IHsManager.Stub {
}
@Override
+ public boolean SetVcomVoltage(int vcom) throws RemoteException {
+ try {
+ String val = String.valueOf(vcom);
+ boolean isOk = Utils.writeFile(Utils.HS_VCOM_VOLTAGE, val);
+ if (isOk) {
+ File file = new File(Utils.PERSIST_VCOM_VOLTAGE);
+ if (file.exists()) {
+ boolean result = Utils.writeFile(Utils.PERSIST_VCOM_VOLTAGE, val);
+ Log.i(LOG_TAG, "OkaySetEinkVcomVoltage:" + val + " " + result);
+ } else {
+ if (file.createNewFile()) {
+ boolean result = Utils.writeFile(Utils.PERSIST_VCOM_VOLTAGE, val);
+ Log.i(LOG_TAG, "OkaySetEinkVcomVoltage createNewFile vcom:" + val + " " + result);
+ }
+ }
+ return setProperties(Utils.VCOM_VOLTAGE, val);
+ }
+ } catch (IOException e) {
+ e.printStackTrace();
}
+ return false;
}
类似资料: