Script function

Log file [input_log.txt]:
05-22 20:00:36.164 2696 2696 I light@2.0-servi: type=1400 audit(0.0:21): avc: denied { read write } for name="mik!tsensor" dev="tmpfs" ino=7764 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:36.168 2696 2696 I light@2.0-servi: type=1400 audit(0.0:22): avc: denied { open } for path="/dev/mik!tsensor" dev="tmpfs" ino=7764 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:36.168 2696 2696 I light@2.0-servi: type=1400 audit(0.0:23): avc: denied { ioctl } for path="/dev/mik!tsensor" dev="tmpfs" ino=7764 ioctlcmd=0x2400 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:39.968 3109 3109 I anelledsservice: type=1400 audit(0.0:24): avc: denied { write } for name="value" dev="sysfs" ino=2140 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_led_gpio:s0 tclass=file permissive=1

Run the script
./make_sepolicy_te_file.sh input_log.txt [output_filename.txt]

Output file [output_filename.txt]:
allow hal_light_mstar sensors_device:chr_file { ioctl open read write };
allowxperm hal_light_mstar sensors_device:chr_file ioctl { 0x2400 };

Usage

logcat | grep avc > /data/xxx.log    copy the avc denial lines into a file

./make_sepolicy_te_file.sh xxx.log [output.txt]    run the script with the log file as the command-line argument; the output file name argument is optional

cat output.txt    copy the generated rules into the corresponding te file

Check each generated rule before committing it: a denial logged in permissive mode only shows what the process attempted, not that the access should be granted, and a rule wider than the process actually needs weakens the policy.

Script source

#!/bin/bash
# Convert "avc: denied" log lines into SELinux allow / allowxperm rules.

input_file=$1
output_file=$2
temp_file="temp_file.txt"

if [[ -z $input_file ]]; then
    echo "Please provide the input log file as an argument."
    exit 1
fi

if [[ -z $output_file ]]; then
    output_file='output_policy.txt'
fi

# Truncate (or create) both files before writing.
>"$output_file"
>"$temp_file"

# Pass 1: emit one raw rule per log line.
while IFS= read -r log_message; do
    # Source domain: scontext=u:r:<domain>:s0 -> third colon-separated field.
    context=$(echo "$log_message" | grep -o 'scontext=[^ ]\+' | cut -d'=' -f2 | cut -d':' -f3)
    # Target class: tclass=chr_file
    tclass=$(echo "$log_message" | grep -o 'tclass=[^ ]\+' | cut -d'=' -f2)
    # Permissions between the braces, surrounding whitespace removed.
    file_operation=$(echo "$log_message" | awk -F'[{}]' '{gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}')
    # Target type: tcontext=u:object_r:<type>:s0 -> third colon-separated field.
    file_type=$(echo "$log_message" | grep -o 'tcontext=[^ ]\+' | cut -d'=' -f2 | cut -d':' -f3)
    ioctlcmd=$(echo "$log_message" | grep -o 'ioctlcmd=[^ ]\+' | cut -d'=' -f2)

    if [[ -n $context && -n $tclass && -n $file_type && -n $file_operation ]]; then
        # An ioctl denial that carries ioctlcmd also needs an allowxperm rule.
        if [[ $file_operation == "ioctl" && -n $ioctlcmd ]]; then
            echo "allowxperm $context $file_type:$tclass ioctl { $ioctlcmd };" >> "$temp_file"
        fi
        echo "allow $context $file_type:$tclass { $file_operation };" >> "$temp_file"
    fi
done < "$input_file"

# Deduplicate and sort so rules sharing a prefix become adjacent.
sort -u "$temp_file" -o "$temp_file"

# Pass 2: merge adjacent rules that share the same "allow src tgt:cls" prefix.
prefix=""
file_operation=""
while IFS= read -r log_message; do
    prefix_compare=$(echo "$log_message" | awk -F'{' '{sub(/[ \t]+$/, "", $1); print $1}')
    operations=$(echo "$log_message" | awk -F'[{}]' '{gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}')
    if [[ -z $prefix ]]; then
        prefix=$prefix_compare
        file_operation=$operations
    elif [[ "$prefix" == "$prefix_compare" ]]; then
        file_operation+=" $operations"
    else
        echo "$prefix { $file_operation };" >> "$output_file"
        prefix=$prefix_compare
        file_operation=$operations
    fi
done < "$temp_file"

# Flush the last group (skipped when the log contained no denial at all).
if [[ -n $prefix ]]; then
    echo "$prefix { $file_operation };" >> "$output_file"
fi
rm "$temp_file"

sync
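The two-pass grouping the script above does with a temp file and sort, written here as an added example (not the author's script) as a single awk pass that also drops a permission already recorded for the same source/target/class, so overlapping denials such as "{ read write }" and "{ read }" do not produce a duplicated permission in one rule. The sample lines are constructed in the log format shown above and are not from a real device.

```shell
# Constructed sample denials: overlapping permission sets for one triple,
# two different ioctl commands, and a second unrelated domain.
SAMPLE_AVC='05-22 20:00:36.164 2696 2696 I light@2.0-servi: type=1400 audit(0.0:21): avc: denied { read write } for name="mik!tsensor" dev="tmpfs" ino=7764 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:36.168 2696 2696 I light@2.0-servi: type=1400 audit(0.0:22): avc: denied { read } for path="/dev/mik!tsensor" dev="tmpfs" ino=7764 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:36.168 2696 2696 I light@2.0-servi: type=1400 audit(0.0:23): avc: denied { ioctl } for path="/dev/mik!tsensor" dev="tmpfs" ino=7764 ioctlcmd=0x2400 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:36.170 2696 2696 I light@2.0-servi: type=1400 audit(0.0:25): avc: denied { ioctl } for path="/dev/mik!tsensor" dev="tmpfs" ino=7764 ioctlcmd=0x2401 scontext=u:r:hal_light_mstar:s0 tcontext=u:object_r:sensors_device:s0 tclass=chr_file permissive=1
05-22 20:00:39.968 3109 3109 I anelledsservice: type=1400 audit(0.0:24): avc: denied { write } for name="value" dev="sysfs" ino=2140 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_led_gpio:s0 tclass=file permissive=1'

# avc_to_rules: read avc denial lines on stdin, print one allow rule per
# (source domain, target type, class) triple with deduplicated permissions,
# plus one allowxperm rule collecting every ioctlcmd seen for that triple.
# Usage: avc_to_rules < input_log.txt
avc_to_rules() {
    awk '
    /avc: +denied/ {
        # Permission set between the braces, trimmed.
        ops = $0
        sub(/^.*denied[ \t]*[{][ \t]*/, "", ops)
        sub(/[ \t]*[}].*$/, "", ops)
        src = ""; tgt = ""; cls = ""; cmd = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # u:r:<domain>:s0
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }   # u:object_r:<type>:s0
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            if ($i ~ /^ioctlcmd=/) { cmd = substr($i, 10) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(ops, p, /[ \t]+/)
        for (j = 1; j <= n; j++) {
            if (p[j] != "" && !((key, p[j]) in seen)) {
                seen[key, p[j]] = 1; perms[key] = perms[key] " " p[j]
            }
        }
        if (cmd != "" && !((key, cmd) in xseen)) {
            xseen[key, cmd] = 1; xperms[key] = xperms[key] " " cmd
        }
    }
    END {
        for (k in perms)  printf "allow %s {%s };\n", k, perms[k]
        for (k in xperms) printf "allowxperm %s ioctl {%s };\n", k, xperms[k]
    }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
```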