本文介绍 Android 8 去掉 SELinux 限制的方法:通过内核命令行把 SELinux 切换为 permissive(宽容)模式。
安卓代码
android/system/core/init/init.cpp
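// Sets up SELinux for init.
//
// Always registers the libselinux log and audit callbacks. When in_kernel_domain is true it
// additionally loads the policy, brings the kernel's enforcing state in line with
// selinux_is_enforcing(), writes "0" to checkreqprot, and exports the elapsed time through the
// INIT_SELINUX_TOOK environment variable. When in_kernel_domain is false it only calls
// selinux_init_all_handles().
//
// Every failure on the in_kernel_domain path ends in panic() or security_failure(); none of them
// is tolerated silently.
static void selinux_initialize(bool in_kernel_domain) {
    Timer t;

    // The same cb object is reused for both callback registrations.
    selinux_callback cb;
    cb.func_log = selinux_klog_callback;
    selinux_set_callback(SELINUX_CB_LOG, cb);
    cb.func_audit = audit_callback;
    selinux_set_callback(SELINUX_CB_AUDIT, cb);

    if (in_kernel_domain) {
        LOG(INFO) << "Loading SELinux policy";
        if (!selinux_load_policy()) {
            panic();
        }

        // Only touch the kernel's enforcing flag when it differs from what init wants.
        bool kernel_enforcing = (security_getenforce() == 1);
        bool is_enforcing = selinux_is_enforcing();
        if (kernel_enforcing != is_enforcing) {
            if (security_setenforce(is_enforcing)) {
                // PLOG is a stream, not printf: a "%s" in the literal would be printed verbatim,
                // so the requested value is streamed into the message instead.
                PLOG(ERROR) << "security_setenforce(" << (is_enforcing ? "true" : "false")
                            << ") failed";
                security_failure();
            }
        }

        // checkreqprot=0: SELinux checks the protection the kernel will actually apply to a
        // mapping rather than the protection the application requested.
        std::string err;
        if (!WriteFile("/sys/fs/selinux/checkreqprot", "0", &err)) {
            LOG(ERROR) << err;
            security_failure();
        }

        // init's first stage can't set properties, so pass the time to the second stage.
        setenv("INIT_SELINUX_TOOK", std::to_string(t.duration().count()).c_str(), 1);
    } else {
        selinux_init_all_handles();
    }
}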
需要改变的是 is_enforcing 的值(0 或 1),它来自 selinux_is_enforcing() 的返回值:
// Tells init whether SELinux should run in enforcing mode.
//
// When ALLOW_PERMISSIVE_SELINUX is zero the answer is always true and the kernel command line is
// not consulted. Otherwise the answer is whatever selinux_status_from_cmdline() reports.
static bool selinux_is_enforcing(void)
{
    // Builds that do not allow permissive mode enforce unconditionally.
    if (!(ALLOW_PERMISSIVE_SELINUX)) {
        return true;
    }

    const bool enforcing_requested = (selinux_status_from_cmdline() == SELINUX_ENFORCING);
    return enforcing_requested;
}
由上可知,在 ALLOW_PERMISSIVE_SELINUX 非零的前提下,只要 selinux_status_from_cmdline() 返回 SELINUX_PERMISSIVE,selinux_is_enforcing() 就返回 false,SELinux 即处于 permissive(宽容)模式。
因为返回值只有两种取值:
// The two SELinux modes init distinguishes. Declaration order makes SELINUX_PERMISSIVE 0 and
// SELINUX_ENFORCING 1.
enum selinux_enforcing_status {
    SELINUX_PERMISSIVE,
    SELINUX_ENFORCING,
};
// The two SELinux modes init distinguishes. Declaration order makes SELINUX_PERMISSIVE 0 and
// SELINUX_ENFORCING 1.
enum selinux_enforcing_status {
    SELINUX_PERMISSIVE,
    SELINUX_ENFORCING,
};

// Reports the SELinux mode requested on the kernel command line.
//
// The result starts out as SELINUX_ENFORCING and is switched to SELINUX_PERMISSIVE only when the
// command line carries exactly androidboot.selinux=permissive; any other value of that key leaves
// the enforcing default in place.
static selinux_enforcing_status selinux_status_from_cmdline() {
    selinux_enforcing_status mode = SELINUX_ENFORCING;

    // Called by import_kernel_cmdline with a key/value pair; the third argument is not used here.
    auto on_param = [&mode](const std::string& key, const std::string& value,
                            bool /* in_qemu */) {
        if (key != "androidboot.selinux" || value != "permissive") {
            return;
        }
        mode = SELINUX_PERMISSIVE;
    };
    import_kernel_cmdline(false, on_param);

    return mode;
}
即内核命令行中带有 androidboot.selinux=permissive 时返回 SELINUX_PERMISSIVE,其余情况保持默认的 SELINUX_ENFORCING。
故在平台的 kernel cmdline 中添加该参数:
# androidboot.selinux=permissive is the parameter init's selinux_status_from_cmdline() looks for.
# init only consults it when built with ALLOW_PERMISSIVE_SELINUX set (in AOSP that is the
# userdebug/eng case -- confirm for this tree); otherwise it enforces regardless of this value.
# NOTE(review): keep this parameter out of the cmdline used for user/release images, e.g. by
# adding it only when TARGET_BUILD_VARIANT is userdebug or eng.
BOARD_KERNEL_CMDLINE := console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom androidboot.selinux=permissive msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 androidboot.memcg=false earlyprintk
设置后仍然会打印 avc: denied 的权限日志,但日志末尾为 permissive=1,说明该操作只是被记录,实际已被放行。这些日志同时列出了策略中缺失的规则,可据此补全 sepolicy 后恢复 enforcing:
[ 27.895071] selinux: avc: denied { set } for property=vendor.audio.sys.init pid=394 uid=1041 gid=1005 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:audio_prop:s0 tclass=property_service permissive=1