当前位置: 首页 > 工具软件 > Persist > 使用案例 >

android 10 系统源码 persist分区存储数据,并在system_server中对数据进行读写操作,过滤selinux对权限限制

公冶渝
2023-12-01

Persist 分区恢复出厂设置不会被清除掉

1.新建文件存储目录hs_data 
/device/qcom/common/rootdir/etc/init.qcom.rc
@@ -157,6 +157,8 @@ on boot
     mkdir /mnt/vendor/persist/secnvm 0770 system system
     mkdir /mnt/vendor/persist/iar_db 0770 system system
     mkdir /mnt/vendor/spunvm 0770 system system
+       
+    mkdir /mnt/vendor/persist/hs_data 0777 system system
 
     #Create WIGIG socket area
     mkdir /dev/socket/wigig 0770 wifi wifi

+    chmod 0777 /mnt/vendor/persist/hs_data/vcom
+
     # Create directory used for display
     # for backward compatibility
     mkdir /persist/display 0770 system graphics

2.过滤vendor_persist_type对system_server dir file 限制
/device/qcom/sepolicy/vendor/common/domain.te
@@ -26,6 +26,7 @@ neverallow {
     -init
     -ueventd
     -vold
+    -system_server
     } vendor_persist_type: { dir file } *;
 
 allow { domain - coredomain } mnt_vendor_file:lnk_file r_file_perms;

3.定义type persist_hs_file
device/qcom/sepolicy/vendor/common/file.te
@@ -250,6 +250,8 @@ type persist_alarm_file, file_type, vendor_persist_type;
 
 type persist_time_file, file_type, vendor_persist_type;
 
+type persist_hs_file, file_type, vendor_persist_type;
+
 # nfc file type for data vendor access
 type nfc_vendor_data_file, file_type, data_file_type;

4.对该/mnt/vendor/persist/hs_data、目录下的所有文件定义为u:object_r:persist_hs_file:s0类型
/device/qcom/sepolicy/vendor/common/file_contexts
@@ -731,3 +731,4 @@
 /sys/class/power_supply/usb/real_type                           u:object_r:sysfs_usb_supply:s0
 /sys/class/power_supply/battery/voltage_now                     u:object_r:sysfs_battery_supply:s0
 /sys/class/power_supply/battery/current_now                     u:object_r:sysfs_battery_supply:s0
+/mnt/vendor/persist/hs_data(/.*)?                               u:object_r:persist_hs_file:s0

5.允许系统服务对/mnt/vendor/persist/hs_data/目录下进行读写操作
/device/qcom/sepolicy/vendor/common/system_server.te
@@ -167,3 +167,8 @@ hal_client_domain(system_server, hal_wifilearner)
 
 allow system_server sysfs_graphics:file { getattr open read write };
 
+allow system_server mnt_vendor_file:dir { open read search getattr };
+allow system_server vendor_file:file { open read write execute getattr };
+allow system_server persist_hs_file:dir { open write read add_name search getattr };
+allow system_server persist_hs_file:file { getattr open read write create };
+

6.在system/sepolicy中过滤系统服务对/mnt/vendor/persist/hs_data/目录下进行读写操作
/system/sepolicy/prebuilts/api/29.0/public/domain.te
@@ -473,6 +473,7 @@ neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_p
 # and invalidate dm-verity signatures.
 neverallow {
     domain
+    -system_server
     with_asan(`-asan_extract')
     recovery_only(`userdebug_or_eng(`-fastbootd')')
 } {
@@ -975,6 +976,7 @@ full_treble_only(`
       coredomain
       -init
       -shell
+      -system_server
       -system_executes_vendor_violators
     } {
       vendor_file_type
@@ -989,6 +991,7 @@ full_treble_only(`
     neverallow {
       coredomain
       -shell
+      -system_server
       -system_executes_vendor_violators
     } {
       vendor_file_type
@@ -1008,6 +1011,7 @@ full_treble_only(`
     userdebug_or_eng(`-perfprofd')
     userdebug_or_eng(`-heapprofd')
     -shell
+    -system_server
     -system_executes_vendor_violators
     -ueventd # reads /vendor/ueventd.rc
   } {
@@ -1333,6 +1337,7 @@ full_treble_only(`
     -perfprofd
     -heapprofd
     -ueventd
+    -system_server
   } vendor_file:file { no_w_file_perms no_x_file_perms open };
 ')
 
@@ -1369,6 +1374,7 @@ neverallow {
   -init
   -ueventd
   -vold
+  -system_server
   -system_writes_mnt_vendor_violators
 } mnt_vendor_file:dir *;
 
/system/sepolicy/public/domain.te
@@ -473,6 +473,7 @@ neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_p
 # and invalidate dm-verity signatures.
 neverallow {
     domain
+    -system_server
     with_asan(`-asan_extract')
     recovery_only(`userdebug_or_eng(`-fastbootd')')
 } {
@@ -975,6 +976,7 @@ full_treble_only(`
       coredomain
       -init
       -shell
+      -system_server
       -system_executes_vendor_violators
     } {
       vendor_file_type
@@ -989,6 +991,7 @@ full_treble_only(`
     neverallow {
       coredomain
       -shell
+      -system_server
       -system_executes_vendor_violators
     } {
       vendor_file_type
@@ -1008,6 +1011,7 @@ full_treble_only(`
     userdebug_or_eng(`-perfprofd')
     userdebug_or_eng(`-heapprofd')
     -shell
+    -system_server
     -system_executes_vendor_violators
     -ueventd # reads /vendor/ueventd.rc
   } {
@@ -1333,6 +1337,7 @@ full_treble_only(`
     -perfprofd
     -heapprofd
     -ueventd
+    -system_server
   } vendor_file:file { no_w_file_perms no_x_file_perms open };
 ')
 
@@ -1369,6 +1374,7 @@ neverallow {
   -init
   -ueventd
   -vold
+  -system_server
   -system_writes_mnt_vendor_violators
 } mnt_vendor_file:dir


frameworks/base/services/core/java/com/android/server/hs/HsService.java
@@ -41,6 +41,8 @@ import android.widget.FrameLayout;
 
 import com.android.server.wm.ActivityTaskManagerService;
 
+import java.io.File;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -976,13 +978,27 @@ public class HsService extends IHsManager.Stub {
     }
 
     @Override
+    public boolean SetVcomVoltage(int vcom) throws RemoteException {
+        try {
+            String val = String.valueOf(vcom);
+            boolean isOk = Utils.writeFile(Utils.HS_VCOM_VOLTAGE, val);
+            if (isOk) {
+                File file = new File(Utils.PERSIST_VCOM_VOLTAGE);
+                if (file.exists()) {
+                    boolean result = Utils.writeFile(Utils.PERSIST_VCOM_VOLTAGE, val);
+                    Log.i(LOG_TAG, "OkaySetEinkVcomVoltage:" + val + " " + result);
+                } else {
+                    if (file.createNewFile()) {
+                        boolean result = Utils.writeFile(Utils.PERSIST_VCOM_VOLTAGE, val);
+                        Log.i(LOG_TAG, "OkaySetEinkVcomVoltage createNewFile vcom:" + val + " " + result);
+                    }
+                }
+                return setProperties(Utils.VCOM_VOLTAGE, val);
+            }
+        } catch (IOException e) {
+            e.printStackTrace();
         }
+        return false;

     }
 类似资料: