Use custom RenderScript in system signed application

泪湿孤枕 submitted on 2019-12-10 23:29:26

Question


How to use a custom RenderScript script in an application which is signed by the system certificate?

LogCat output:

E/RenderScript: Failed loading RS driver: dlopen failed: cannot locate symbol "_ZN7android12renderscript15RsdCpuReference6createEPNS0_7ContextEjjPFPKNS1_9CpuSymbolES3_PKcEPFPNS1_9CpuScriptES3_PKNS0_6ScriptEEPFPN4llvm6ModuleEPN3bcc8RSScriptESK_SK_EPFS8_S8_jES8_" referenced by "/system/vendor/lib/libRSDriver_adreno.so"...
E/RenderScript: Failed to load runtime libRSDriver_adreno.so, loading default
W/EventThread: type=1400 audit(0.0:200): avc: denied { execute } for path="/data/user_de/0/[packageName]/code_cache/com.android.renderscript.cache/librs.rgb2yuv.so" dev="mmcblk0p25" ino=65890 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
W/EventThread: type=1300 audit(0.0:200): arch=40000028 syscall=192 per=800008 success=no exit=-13 a0=9aa80000 a1=6c0 a2=5 a3=12 items=0 ppid=336 ppcomm=main auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 exe="/system/bin/app_process32" subj=u:r:system_app:s0 key=(null)
W/auditd: type=1323 audit(0.0:200): fd=120 flags=0x12
W/auditd: type=1327 audit(0.0:200): proctitle="[packageName]"
W/auditd: type=1320 audit(0.0:200): 
E/RenderScript: Unable to open shared library (/data/user_de/0/[packageName]/code_cache/com.android.renderscript.cache/librs.rgb2yuv.so): dlopen failed: couldn't map "/data/user_de/0/[packageName]/code_cache/com.android.renderscript.cache/librs.rgb2yuv.so" segment 0: Permission denied

It looks like a permission issue, because this file /data/user_de/0/[packageName]/code_cache/com.android.renderscript.cache/librs.rgb2yuv.so exists on the phone.

I have my own Android OS build (Lineage 14.1 to be specific), so I'm able to alter privileges. I've already managed to give my application access to video_device (by excluding system_app from the neverallow block in the sepolicy repository's app.te file). But I'm unable to find any connection between system app and RenderScript privileges.


Answer 1:


I've finally managed to resolve this issue.

RenderScript code is compiled to a shared library file (.so) and placed in the /data directory/partition. The SELinux policy implemented in LineageOS 14.1 prevents system_app (this is the type to which policy rules are "assigned", and an application signed by the system certificate is recognized as this type) from executing on system_app_data_file (this is the type identifying the directory in which various system application data are stored, in my case compiled RenderScript libraries).

Loading a library requires the execute permission, and that is why the log is printed (denied {execute} ...).

So, what can be done with it?

In AOSP, the /system/sepolicy repository needs a few changes:

1 system_app.te: Allow system_app to execute on system_app_data_file

diff --git a/system_app.te b/system_app.te
index 50320c5..25ebf06 100644
--- a/system_app.te
+++ b/system_app.te
@@ -11,6 +11,7 @@ binder_service(system_app)
 # Read and write /data/data subdirectory.
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
+allow system_app system_app_data_file:{ file lnk_file } { execute };

 # Read and write to /data/misc/user.
 allow system_app misc_user_data_file:dir create_dir_perms;
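
Review bot: the added rule on `system_app_data_file:{ file lnk_file }` is broader than the denial it answers. The logged denial is for `tclass=file` only, so `lnk_file` can be dropped, and the line directly above already grants `create_file_perms` on the same type, so system_app would be able to both write and execute these files. Consider `allow system_app system_app_data_file:file execute;` with a comment stating why it is needed, or a dedicated type for the RenderScript cache directory so that execute is not granted on all system app data.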

However, this modification is not enough - building AOSP now will finish with an error saying that other rules are conflicting with this one.

2 app.te: Add system_app_data_file as exception to neverallow executing from /data

diff --git a/app.te b/app.te
index 19a7dac..7a34645 100644
--- a/app.te
+++ b/app.te
@@ -453,18 +454,19 @@ neverallow appdomain {
 # Blacklist app domains not allowed to execute from /data
 neverallow {
   bluetooth
   isolated_app
   nfc
   radio
   shared_relro
   system_app
 } {
   data_file_type
   -dalvikcache_data_file
   -system_data_file # shared libs in apks
+  -system_app_data_file
   -apk_data_file
 }:file no_x_file_perms;
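
Review bot: the `-system_app_data_file` exclusion sits in the shared target set, so it lifts the neverallow for every listed source domain (bluetooth, isolated_app, nfc, radio, shared_relro) and not only for system_app. Consider splitting the rule: leave the original block unchanged for the other domains and give system_app its own neverallow that carries the exception. The new line also has no trailing comment of the kind `-system_data_file # shared libs in apks` carries; a short note that it exists for the RenderScript cache would document the exception.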

This rule, without my change, is preventing system_app from executing on files - the modification adds an exception for system_app_data_file.



Source: https://stackoverflow.com/questions/46788666/use-custom-renderscript-in-system-signed-application
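
As an added example (not part of the original post and not AOSP tooling): a small parser, in the spirit of audit2allow, that turns the AVC denial from the LogCat output into the narrowest matching allow rule and flags when that rule would leave a type both writable and executable for the domain. `WRITABLE` and all function names are assumptions of this example.

```python
import re

# Constructed sample: the AVC denial from the LogCat output above.
SAMPLE = (
    'W/EventThread: type=1400 audit(0.0:200): avc: denied { execute } for '
    'path="/data/user_de/0/[packageName]/code_cache/com.android.renderscript.cache/'
    'librs.rgb2yuv.so" dev="mmcblk0p25" ino=65890 scontext=u:r:system_app:s0 '
    'tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0'
)
# Assumption of this example: (domain, type, class) triples the policy already
# lets the domain write; this one reflects create_file_perms in system_app.te.
WRITABLE = {("system_app", "system_app_data_file", "file")}
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
EXEC_PERMS = {"execute", "execute_no_trans"}  # permissions that run code from a file

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return fields[2]

def parse_avc(line):
    """Parse one audit line; return None when it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "source": selinux_type(m["scon"]),
        "target": selinux_type(m["tcon"]),
        "tclass": m["tclass"],
        "perms": set(m["perms"].split()),
    }

def candidate_rule(d):
    """Build the narrowest allow rule that covers exactly this denial."""
    perms = sorted(d["perms"])
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d['source']} {d['target']}:{d['tclass']} {body};"

def review(d, writable=WRITABLE):
    """Flag rules that would make a type both writable and executable."""
    key = (d["source"], d["target"], d["tclass"])
    if d["perms"] & EXEC_PERMS and key in writable:
        return [f"{key[0]} could write and execute {key[1]}:{key[2]}"]
    return []
```

For the denial in the question this yields a rule on `file` only, without `lnk_file`, together with a write-and-execute finding.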
