system/core/fs_mgr里加入一个resize工具,有权限问题log如下:

[   19.952455] audit: type=1400 audit(83369.909:5): avc:  denied  { execute_no_trans } for  pid=283 comm="init" path="/system/bin/resize.f2fs" dev="mmcblk0p35" ino=1952 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1

这个log就是sepolicy不允许init执行/system/bin/resize.f2fs。

Android 8.0里init.te规则要求init在执行程序时需要增加新的domain。

# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;

ok,不用新建domain,参考e2fsck添加resize.f2fs到file_contexts的fsck domain里即可。

/system/bin/resize\.f2fs  --  u:object_r:fsck_exec:s0

修改完后如何验证是个问题,编译烧录boot.img后ls -Z看了下:

u:object_r:system_file:s0 /system/bin/resize.f2fs

明显没有生效,难道要编译system.img么,Xeon估计至少也要1h。

先看下sepolicy下的Android.mk,里面有个生成file_contexts.bin模块的脚本:

LOCAL_MODULE := file_contexts.bin
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

进入/system/sepolicy,mma -j4编译后会生成在如下路径:

obj/ETC/file_contexts.bin_intermediates/file_contexts.bin

ok,下一步把当前的system.img解压出来再用新的file_contexts.bin重新生成即可。

注意要把这个工具放入system目录再生成img才会生效,官方文档有介绍:

file_contexts - Located in the sepolicy subdirectory. This file assigns labels to files and is used by various userspace components. As you create new policies, create or update this file to assign new labels to files. In order to apply new file_contexts, you must rebuild the filesystem image or run restorecon on the file to be relabeled. On upgrades, changes to file_contexts are automatically applied to the system and userdata partitions as part of the upgrade. Changes can also be automatically applied on upgrade to other partitions by adding restorecon_recursive calls to your init.board.rc file after the partition has been mounted read-write.

试了下adb push进用restorecon好像没有改过来,暂且略过。

btw: 其他的te文件修改编译boot.img,生成也在ETC/下。