访问 `proc` 文件系统以从系统应用程序读取 `/proc/[pid]/some-file` [英] Accessing `proc` file-system to read `/proc/[pid]/some-file` from a system app
问题描述
我有一个自定义 A10 存储库,我试图在其中创建一个能够读取 /proc/[pid]/some-file 文件的应用程序,例如stat 和 status,有点像 ps 的作用.
I have a custom A10 repo in which I'm trying to create an app that would be able to read /proc/[pid]/some-file files e.g. stat and status, kind of like ps does.
阅读此 answer 后,很明显应该添加一个 AID_READPROC已完成使用自定义权限.
Having read this answer it was clear that a AID_READPROC should be added which I have done using a custom permission.
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.poke.mon"
android:sharedUserId="android.uid.system">
<!-- More stuff -->
<uses-permission android:name="com.poke.READPROC_PERM" />
<!-- More stuff -->
</application>
</manifest>
我通过编辑适当的 platform.xml、AndroidManifest.xml 和 sytem-current 添加了 文件并在 com.poke.READPROC_PERM.txtprivapp-permissions 文件中允许该权限
I have added com.poke.READPROC_PERM by editing the appropriate platform.xml, AndroidManifest.xml and sytem-current.txt files and allowing that permission in the privapp-permissions file
我已经通过 cat 验证了我的应用进程的 status 文件,并验证了 gid 3009 确实存在.
I have validated by cat-ing the status file for my app's process and verifying that gid 3009 is indeed present.
但是我仍然被 sepolicy 阻止(禁用强制执行,代码可以访问文件).
However I was still being blocked by sepolicy (with the enforcement disabled the code could access the files).
将 r_dir_file(priv_app, proc) 添加到 priv_app.te 导致错误.
Adding r_dir_file(priv_app, proc) to the priv_app.te resulted in errors.
编译器给出的原因是这个行在 coredomain.te 中:
The reason given by the compiler was this line in coredomain.te :
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
# /proc
neverallow {
coredomain
-init
-vold
} proc:file no_rw_file_perms;
创建自定义域导致了我可能想要的类似错误
Creating a custom domain resulted in similar errors as I probably want to
typeattribute my_apps_domain coredomain;
为了避免大量的复杂性和重复(我需要与其他服务等进行通信).
To avoid a lot of complexity and duplication (I need to communicate with other services etc.).
有没有办法解决这个限制?(例如,查看 genfscon 它似乎不支持通配符映射,例如 /proc/\d+/some-file)
Is there a way to work around that limitation? (e.g. looking at genfscon it doesn't seem to support wildchar mapping e.g. /proc/\d+/some-file)
shell 能够很好地执行 ps 似乎也很奇怪,但它也是 第一行shell.te:
It also seems weird that shell is able to do ps just fine yet it's also coredomain defined by the first line of shell.te:
typeattribute shell coredomain;
那么也许我还缺少其他一些神奇的 sepolicy 门?
So maybe there's some other magical sepolicy door I'm missing?
推荐答案
为您的应用定义自定义域:
Define an custom domain for your app:
user=_app isPrivApp=true seinfo=platform name=com.myapp.packagename domain=my_custom_domain type=app_data_file levelFrom=all
user=_app isPrivApp=true seinfo=platform name=com.myapp.packagename domain=my_custom_domain type=app_data_file levelFrom=all
ref:https://cs.android.com/android/platform/superproject/+/master:device/google/coral-sepolicy/private/seapp_contexts;drc=01b96a3a966f075abcba27cb415cece348a3278e;l=5
将自定义域标记为核心域:
Label the custom domain as coredomain:
typeattribute my_custom_domain coredomain;
typeattribute my_custom_domain coredomain;
然后您将使用 neverallow 限制.
Then you will work with the neverallow limit.
这篇关于访问 `proc` 文件系统以从系统应用程序读取 `/proc/[pid]/some-file`的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
