Use custom RenderScript in system signed application


Problem description

How to use a custom RenderScript script in an application which is signed by the system certificate?

LogCat output:

E/RenderScript: Failed loading RS driver: dlopen failed: cannot locate symbol "_ZN7android12renderscript15RsdCpuReference6createEPNS0_7ContextEjjPFPKNS1_9CpuSymbolES3_PKcEPFPNS1_9CpuScriptES3_PKNS0_6ScriptEEPFPN4llvm6ModuleEPN3bcc8RSScriptESK_SK_EPFS8_S8_jES8_" referenced by "/system/vendor/lib/libRSDriver_adreno.so"...
E/RenderScript: Failed to load runtime libRSDriver_adreno.so, loading default
W/EventThread: type=1400 audit(0.0:200): avc: denied { execute } for path="/data/user_de/0/[packageName]/code_cache/com.android.renderscript.cache/librs.rgb2yuv.so" dev="mmcblk0p25" ino=65890 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
W/EventThread: type=1300 audit(0.0:200): arch=40000028 syscall=192 per=800008 success=no exit=-13 a0=9aa80000 a1=6c0 a2=5 a3=12 items=0 ppid=336 ppcomm=main auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 exe="/system/bin/app_process32" subj=u:r:system_app:s0 key=(null)
W/auditd: type=1323 audit(0.0:200): fd=120 flags=0x12
W/auditd: type=1327 audit(0.0:200): proctitle="[packageName]"
W/auditd: type=1320 audit(0.0:200): 
E/RenderScript: Unable to open shared library (/data/user_de/0/[packageName]/code_cache/com.android.renderscript.cache/librs.rgb2yuv.so): dlopen failed: couldn't map "/data/user_de/0/[packageName]/code_cache/com.android.renderscript.cache/librs.rgb2yuv.so" segment 0: Permission denied

It looks like a permission issue, because this file /data/user_de/0/[packageName]/code_cache/com.android.renderscript.cache/librs.rgb2yuv.so exists on the phone.

I have my own Android OS build (Lineage 14.1 to be specific), so I'm able to alter privileges. I've already managed to give my application access to video_device (by excluding system_app from the neverallow block in the sepolicy repository's app.te file). But I'm unable to find any connection between system app and RenderScript privileges.

Recommended answer

I've finally managed to resolve this issue.

RenderScript code is compiled to a shared library file (.so) and placed in the /data directory/partition. The SELinux policy implemented in LineageOS 14.1 prevents system_app (this is a type to which policy rules are "assigned", and an application signed by the system certificate is recognized as this type) from executing on system_app_data_file (this is the type identifying the directory in which various system application data are stored, in my case the compiled RenderScript libraries).

Loading a library requires execute permission, and that is why the log is printed (denied {execute} ...).

So, what to do?

In AOSP, the /system/sepolicy repository needs a few changes:

diff --git a/system_app.te b/system_app.te
index 50320c5..25ebf06 100644
--- a/system_app.te
+++ b/system_app.te
@@ -11,6 +11,7 @@ binder_service(system_app)
 # Read and write /data/data subdirectory.
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
+allow system_app system_app_data_file:{ file lnk_file } { execute };

 # Read and write to /data/misc/user.
 allow system_app misc_user_data_file:dir create_dir_perms;
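Review bot: the added allow line grants execute on every file and symlink labelled system_app_data_file, which is the whole of each system app's private data directory rather than only the RenderScript cache under code_cache/com.android.renderscript.cache, so it reopens for all system apps exactly the "no executing from /data" property that the neverallow in app.te enforces; consider narrowing the target, for example by labelling the RenderScript cache directory with its own file type in file_contexts and granting execute on that type only. `lnk_file` can be dropped from the new line: dlopen follows the link and the execute check lands on the target file, so nothing here needs execute on the symlink itself. A one-line comment above the rule stating why system_app needs it (compiled RenderScript kernels are dlopen'd from code_cache) would match the surrounding comment style.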

However, this modification is not enough - building AOSP now will finish with an error saying that other rules are conflicting with this one.

diff --git a/app.te b/app.te
index 19a7dac..7a34645 100644
--- a/app.te
+++ b/app.te
@@ -453,18 +454,19 @@ neverallow appdomain {
 # Blacklist app domains not allowed to execute from /data
 neverallow {
   bluetooth
   isolated_app
   nfc
   radio
   shared_relro
   system_app
 } {
   data_file_type
   -dalvikcache_data_file
   -system_data_file # shared libs in apks
+  -system_app_data_file
   -apk_data_file
 }:file no_x_file_perms;
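Review bot: excluding system_app_data_file from this neverallow removes the compile-time guarantee for every domain listed in the block (bluetooth, isolated_app, nfc, radio, shared_relro as well as system_app), not just for the one that needs it, since the `-type` exclusion applies to all of the domains at once; if only system_app needs the exception, splitting it into its own neverallow with the exclusion keeps the other domains covered. The sibling exclusion `-system_data_file # shared libs in apks` documents its reason inline, so the new line should carry one too, e.g. `-system_app_data_file # compiled RenderScript kernels`. The hunk header `@@ -453,18 +454,19 @@` also shows a one-line offset earlier in app.te that this diff does not include, so the patch as posted is incomplete.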

This rule, without my change, prevents system_app from executing on files - the modification adds an exception for system_app_data_file.
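To make the denial in the question and the neverallow conflict in the answer concrete, here is an added Python example (not code from the original post, from AOSP or from LineageOS) that parses an `avc: denied` logcat line into its source type, target type, class and permission, derives the minimal allow rule for it the way audit2allow would, and checks that rule against a model of the app.te neverallow quoted above, with and without the `-system_app_data_file` exception. The sample log line is the one from the question; the DATA_FILE_TYPES set and the NeverAllow model are constructed for the example and cover only the types named on this page.

```python
"""Parse an SELinux avc denial and check the derived allow rule against a neverallow."""
from __future__ import annotations

import re
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample input: the avc denial quoted in the question plus one
# unrelated logcat line, to show that non-avc lines are ignored.
SAMPLE_LOG = [
    'W/EventThread: type=1400 audit(0.0:200): avc: denied { execute } for '
    'path="/data/user_de/0/[packageName]/code_cache/com.android.renderscript.cache/librs.rgb2yuv.so" '
    'dev="mmcblk0p25" ino=65890 scontext=u:r:system_app:s0 '
    'tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0',
    'E/RenderScript: Failed to load runtime libRSDriver_adreno.so, loading default',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'   # { execute } or { read open }
    r'(?:\s+for\s+(?P<extra>.*?))?'                   # path=... dev=... ino=...
    r'\s+scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


@dataclass(frozen=True)
class Denial:
    perms: tuple[str, ...]
    source_type: str      # third field of u:r:<type>:s0
    target_type: str      # third field of u:object_r:<type>:s0
    tclass: str
    path: Optional[str]
    permissive: bool


def parse_denial(line: str) -> Optional[Denial]:
    """Return the structured denial for an avc line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    path_m = re.search(r'path="([^"]*)"', m.group("extra") or "")
    return Denial(
        perms=tuple(m.group("perms").split()),
        source_type=m.group("scontext").split(":")[2],
        target_type=m.group("tcontext").split(":")[2],
        tclass=m.group("tclass"),
        path=path_m.group(1) if path_m else None,
        permissive=m.group("permissive") == "1",
    )


def allow_rule(d: Denial) -> str:
    """The minimal allow rule that silences this denial (audit2allow style)."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perms};"


# Constructed model of the "Blacklist app domains not allowed to execute from
# /data" neverallow quoted in the answer. DATA_FILE_TYPES lists only the types
# named on the page; the real data_file_type attribute covers many more.
NO_X_FILE_PERMS = frozenset({"execute", "execute_no_trans"})
DATA_FILE_TYPES = frozenset({
    "dalvikcache_data_file", "system_data_file", "apk_data_file",
    "system_app_data_file", "app_data_file",
})


@dataclass(frozen=True)
class NeverAllow:
    domains: frozenset[str]
    attr_members: frozenset[str]   # types carrying the attribute used as target
    excluded: frozenset[str]       # the "-type" entries
    tclass: str
    perms: frozenset[str]

    def targets(self) -> frozenset[str]:
        return self.attr_members - self.excluded

    def conflicts_with(self, src: str, tgt: str, tclass: str, perms) -> bool:
        """True if an allow rule with these fields would fail the neverallow check."""
        return (src in self.domains and tgt in self.targets()
                and tclass == self.tclass and bool(set(perms) & self.perms))


EXEC_FROM_DATA_BLACKLIST = NeverAllow(
    domains=frozenset({"bluetooth", "isolated_app", "nfc", "radio",
                       "shared_relro", "system_app"}),
    attr_members=DATA_FILE_TYPES,
    excluded=frozenset({"dalvikcache_data_file", "system_data_file", "apk_data_file"}),
    tclass="file",
    perms=NO_X_FILE_PERMS,
)


def with_exception(rule: NeverAllow, type_name: str) -> NeverAllow:
    """The same neverallow with one more '-type' exclusion (the answer's app.te change)."""
    return replace(rule, excluded=rule.excluded | {type_name})


def check_rule(d: Denial, neverallow: NeverAllow = EXEC_FROM_DATA_BLACKLIST) -> str:
    """'conflict' if the allow rule derived from d would break the policy build, else 'ok'."""
    if neverallow.conflicts_with(d.source_type, d.target_type, d.tclass, d.perms):
        return "conflict"
    return "ok"


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        d = parse_denial(line)
        if d is None:
            continue
        relaxed = with_exception(EXEC_FROM_DATA_BLACKLIST, d.target_type)
        print(allow_rule(d), "->", check_rule(d), "/ with exception:", check_rule(d, relaxed))
```

Running it prints the audit2allow-style rule `allow system_app system_app_data_file:file execute;` followed by `conflict` for the unmodified neverallow and `ok` once system_app_data_file is excluded, which is exactly the build error the answer describes and the reason its second diff is needed. The same check_rule call makes it easy to see what a narrower fix would look like: a dedicated type for the RenderScript cache that is not a member of DATA_FILE_TYPES would never conflict, without weakening the neverallow for the other domains.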

