Shell script to auto-generate Android SELinux permission rules
What the script does

Input: a log file (input_log.txt) of avc denial messages, for example:

```
05-22 20:00:36.164  2696  2696 I light@2.0-servi: type=1400 audit(0.0:21): avc: denied { read write } for name="mik!tsensor" dev="tmpfs" ino=7764 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:36.168  2696  2696 I light@2.0-servi: type=1400 audit(0.0:22): avc: denied { open } for path="/dev/mik!tsensor" dev="tmpfs" ino=7764 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:36.168  2696  2696 I light@2.0-servi: type=1400 audit(0.0:23): avc: denied { ioctl } for path="/dev/mik!tsensor" dev="tmpfs" ino=7764 ioctlcmd=0x2400 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:39.968  3109  3109 I anelledsservice: type=1400 audit(0.0:24): avc: denied { write } for name="value" dev="sysfs" ino=2140 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_led_gpio:s0 tclass=file permissive=1
```

Run: ./make_sepolicy_te_file.sh input_log.txt [output_filename.txt]

Output (output_filename.txt):

```
allow hal_light_mstar sensors_device:chr_file { ioctl open read write };
allowxperm hal_light_mstar sensors_device:chr_file ioctl { 0x2400 };
```

Each denial line is mapped as follows: the type inside scontext (u:r:hal_light_mstar:s0) becomes the source domain, the type inside tcontext (u:object_r:sensors_device:s0) the target type, tclass the object class, and the set between the braces the permissions. Denials that share source, target and class are merged into a single allow rule. An ioctl denial additionally carries the command number in ioctlcmd=; Android policy filters ioctls by command, so the script also emits an allowxperm rule whitelisting that number next to the plain ioctl permission. The fourth line is handled the same way and yields allow system_app sysfs_led_gpio:file { write };. Note permissive=1 on every line: the log was captured with SELinux in permissive mode, so the accesses were logged but not blocked; in enforcing mode each of them would have failed.
Usage

logcat | grep avc > /data/xxx.log : collect the denial messages into a file on the device and fetch it with adb pull, or run adb shell logcat | grep avc > xxx.log on the host directly. Denials from early boot that never reach logcat can be taken from dmesg in the same way.
./make_sepolicy_te_file.sh xxx.log [output.txt] : run the script with the log file as its argument; the output file name is optional and defaults to output_policy.txt.
cat output.txt : copy the generated rules into the .te file of the source domain (hal_light_mstar.te in the example above).

The script turns every denial into a permission, so review the rules before committing them: check that the access is actually needed by the component and is not the symptom of a wrongly labelled file or device node (a file_contexts fix is then the right change, not a new allow rule). Rules that collide with a neverallow in the platform policy are rejected when the policy is compiled, and for platform domains CTS enforces the same neverallow constraints. The AOSP tool audit2allow performs the same conversion against the built policy (audit2allow -p <sepolicy>) and is the usual alternative when a build tree is at hand.
Script

```bash
#!/bin/bash
# Turn "avc: denied" lines (logcat / dmesg) into allow and allowxperm rules.
# Usage: ./make_sepolicy_te_file.sh input_log.txt [output_filename.txt]

input_file=$1
output_file=$2

if [[ -z $input_file ]]; then
    echo "Please provide the input log file as an argument." >&2
    exit 1
fi
if [[ ! -r $input_file ]]; then
    echo "Cannot read input file: $input_file" >&2
    exit 1
fi
if [[ -z $output_file ]]; then
    output_file='output_policy.txt'
fi

# Scratch file for the unmerged rules; removed on every exit path.
temp_file=$(mktemp) || exit 1
trap 'rm -f "$temp_file"' EXIT
: > "$output_file"

# Pass 1: one rule per denial line.
while IFS= read -r log_message; do
    # Only real denials; "grep avc" may have let other lines through.
    [[ $log_message == *"avc: denied"* ]] || continue

    # scontext=u:r:TYPE:s0 -> TYPE (third ':' field); tcontext likewise.
    context=$(echo "$log_message" | grep -o 'scontext=[^ ]\+' | cut -d'=' -f2 | cut -d':' -f3)
    file_type=$(echo "$log_message" | grep -o 'tcontext=[^ ]\+' | cut -d'=' -f2 | cut -d':' -f3)
    # tclass=chr_file contains no ':', so splitting on '=' is all that is needed.
    tclass=$(echo "$log_message" | grep -o 'tclass=[^ ]\+' | cut -d'=' -f2)
    # The permission set is whatever sits between the braces, e.g. " read write ".
    file_operation=$(echo "$log_message" | awk -F'[{}]' '{print $2}')
    ioctlcmd=$(echo "$log_message" | grep -o 'ioctlcmd=[^ ]\+' | cut -d'=' -f2)

    if [[ -n $context && -n $tclass && -n $file_type && -n $file_operation ]]; then
        # A denied ioctl also needs its command number whitelisted via allowxperm,
        # whether or not other permissions were denied on the same line.
        if [[ -n $ioctlcmd ]]; then
            echo "allowxperm $context $file_type:$tclass ioctl { $ioctlcmd };" >> "$temp_file"
        fi
        # $file_operation is left unquoted on purpose so its padding spaces collapse.
        echo "allow $context $file_type:$tclass {" $file_operation "};" >> "$temp_file"
    fi
done < "$input_file"

# Pass 2: sort, drop exact duplicates, then merge rules with the same
# "allow src tgt:class" prefix into one rule holding all their permissions.
sort -u "$temp_file" -o "$temp_file"

prefix=''
file_operation=''
while IFS= read -r log_message; do
    prefix_compare=${log_message%%\{*}      # text before the '{'
    operation=$(echo "$log_message" | awk -F'[{}]' '{print $2}')
    if [[ $prefix_compare == "$prefix" ]]; then
        file_operation+=" $operation"
    else
        [[ -n $prefix ]] && echo "$prefix{" $file_operation "};" >> "$output_file"
        prefix=$prefix_compare
        file_operation=$operation
    fi
done < "$temp_file"

# Flush the last group; with an empty log nothing is written at all.
[[ -n $prefix ]] && echo "$prefix{" $file_operation "};" >> "$output_file"
```
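As an added example that is not part of the original post, the same conversion as a single awk / sort / awk pipeline that also covers a few cases the script above does not: lines without "avc: denied" are ignored, permissions and ioctl numbers are deduplicated across merged lines, an allowxperm rule is emitted whenever ioctlcmd= is present even if the denial set contains more than ioctl, and empty input produces no output. The function name avc_to_te is my own. The sample log is constructed from the post's four lines plus a repeated read denial, a second ioctl number and one non-avc line, to exercise the merging.

```bash
#!/bin/bash
# Added example, not the original post's script: avc denial lines on stdin,
# merged allow/allowxperm rules on stdout.
avc_to_te() {
    # Pass 1: one "<rule prefix>\t<permission>" line per denied permission.
    awk '
    /avc: denied/ {
        if (!match($0, /scontext=[^ ]+/)) next
        split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")      # u:r:TYPE:s0
        if (!match($0, /tcontext=[^ ]+/)) next
        split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")      # u:object_r:TYPE:s0
        if (!match($0, /tclass=[^ ]+/)) next
        tclass = substr($0, RSTART + 7, RLENGTH - 7)
        if (!match($0, /[{][^}]*[}]/)) next
        n = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")  # " read write " -> p[1..n]
        if (s[3] == "" || t[3] == "" || n == 0) next
        rule = "allow " s[3] " " t[3] ":" tclass
        for (i = 1; i <= n; i++) print rule "\t" p[i]
        # Any denial carrying ioctlcmd= also needs that number in an allowxperm rule.
        if (match($0, /ioctlcmd=0x[0-9a-fA-F]+/))
            print "allowxperm " s[3] " " t[3] ":" tclass " ioctl\t" substr($0, RSTART + 9, RLENGTH - 9)
    }' |
    # Pass 2: sorting groups identical prefixes (and orders the permissions),
    # -u drops duplicates; the C locale keeps the byte order predictable.
    LC_ALL=C sort -u |
    # Pass 3: fold each run of identical prefixes into one rule.
    awk -F'\t' '
    $1 != key { if (key != "") print key " {" ops " };"; key = $1; ops = "" }
    { ops = ops " " $2 }
    END { if (key != "") print key " {" ops " };" }'
}

# Constructed sample: the four denials from the post, a repeated read denial,
# a second ioctl number and one unrelated logcat line.
SAMPLE_LOG='05-22 20:00:36.164  2696  2696 I light@2.0-servi: type=1400 audit(0.0:21): avc: denied { read write } for name="mik!tsensor" dev="tmpfs" ino=7764 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:36.168  2696  2696 I light@2.0-servi: type=1400 audit(0.0:22): avc: denied { open } for path="/dev/mik!tsensor" dev="tmpfs" ino=7764 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:36.168  2696  2696 I light@2.0-servi: type=1400 audit(0.0:23): avc: denied { ioctl } for path="/dev/mik!tsensor" dev="tmpfs" ino=7764 ioctlcmd=0x2400 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:39.968  3109  3109 I anelledsservice: type=1400 audit(0.0:24): avc: denied { write } for name="value" dev="sysfs" ino=2140 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_led_gpio:s0 tclass=file permissive=1
05-22 20:00:40.001  2696  2696 I light@2.0-servi: type=1400 audit(0.0:25): avc: denied { read } for path="/dev/mik!tsensor" dev="tmpfs" ino=7764 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:40.002  2696  2696 I light@2.0-servi: type=1400 audit(0.0:26): avc: denied { ioctl } for path="/dev/mik!tsensor" dev="tmpfs" ino=7764 ioctlcmd=0x2401 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:40.003  3109  3109 D LedService: applying brightness'

# Prints the three merged rules for the sample above.
printf '%s\n' "$SAMPLE_LOG" | avc_to_te
```

The expected result for the sample is one allow rule for hal_light_mstar with { ioctl open read write }, one for system_app with { write }, and one allowxperm rule listing both 0x2400 and 0x2401; the repeated read and the non-avc line leave no trace.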