Start service in Android N


#1

How to start service in Android Nougat deployed in Khadas VIM2.

I edited the file device/khadas/kvim2/init.amlogic.board.rc
and added

 # init service entry for the broker binary, with its config file passed via -c.
 # NOTE(review): there is no seclabel here and this post shows no file_contexts
 # entry for the binary; init on this release presumably refuses to launch a
 # service that has no SELinux domain and reports that in the kernel log
 # (dmesg) rather than logcat - confirm on the device.
 service mosquitto /system/bin/mosquitto -c /etc/mosquitto/mosquitto.conf
    class main
    # Runs with root uid and gid.
    user root
    group root
    # Not started together with class main; only an explicit `start` launches it.
    disabled

 # Explicit start once the sys.boot_completed property is set to 1.
 on property:sys.boot_completed=1
    start mosquitto

The mosquitto binary has many (32-bit) library dependencies, and they’re installed in /system/lib.
mosquitto.conf is placed in /etc/mosquitto folder.

I don't see any logs related to mosquitto. Please let me know how to start the service and how to debug it.

#2

Can you provide those files for me? I will have a try. Thanks.


#3

Hi,

Added mosquitto (32-bit) to /system/bin using Android.mk as below

# Prebuilt-module stanza: packages the already-built `mosquitto` file as an
# executable module instead of compiling it from source.
include $(CLEAR_VARS)
LOCAL_MODULE := mosquitto
LOCAL_MODULE_CLASS := EXECUTABLES
LOCAL_SRC_FILES := mosquitto
# Install the 32-bit variant only.
LOCAL_MULTILIB := 32
include $(BUILD_PREBUILT)

I got the below error in adb logcat.

01-01 12:34:14.780 5736 5736 I mosquitto: type=1400 audit(0.0:32): avc: denied { module_request } for kmod="personality-8" scontext=u:r:shell:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1

Followed the work around given by Nick in this link
https://groups.google.com/forum/#!topic/android-porting/0e5RrrvQ2MU

Added the line
# dontaudit only stops this denial from being logged; it grants no permission.
# The logged denial carries permissive=1 and scontext=u:r:shell:s0, so the access
# was not blocked and the process had been launched from a shell, not by init.
dontaudit domain kernel:system module_request;
to the end of
device/khadas/common/sepolicy/init.te

and commented out the statements guarded by
ifdef CONFIG_MODULES
in common/kernel/exec_domain.c

After that I could not see above log in adb but the service is not started.

Any help would be appreciated.


#4

As I said above, Can you provide those files for me?


#5

I could not attach the .so files, even as a zip. Could you please give me your email address?


#6

My email is terry@szwesion.com


#7

Sent mail. Could you please take a look?


#8

I tried to exec the mosquitto with adb command. That’s ok.

# adb connect IP_ADDR
# adb root
# adb connect IP_ADDR
# adb remount
# adb connect IP_ADDR
# adb push mosquitto /system/bin
# adb push libkbcrypto.so /system/lib
# adb push libkbssl.so /system/lib
# adb push mosquitto.conf /system/etc/
# adb  shell sync
# adb reboot
# adb connect IP_ADDR
# adb shell
# mosquitto -c /system/etc/mosquitto.conf
                           
1528733510: mosquitto version 1.4.14 (build date 2018-05-14 17:19:09+0530) starting
1528733510: Config loaded from /system/etc/mosquitto.conf.
1528733510: Opening ipv6 listen socket on port 1883.
1528733510: Opening ipv4 listen socket on port 1883
1528733510: Warning: Mosquitto should not be run as root/administrator.



#9

Thanks for the response.

The problem is starting the same binary as service.

I added the below lines to the end of the file “device/khadas/kvim2/init.amlogic.board.rc” but mosquitto is not at all started.

# Same broker binary registered under the service name mos_service.
# NOTE(review): no seclabel is set and this post labels the binary nowhere;
# init presumably rejects a service without an SELinux domain, and that error
# would appear in the kernel log (dmesg), not logcat - confirm.
service mos_service /system/bin/mosquitto -c /etc/mosquitto/mosquitto.conf
class main
# Runs with root uid and gid.
user root
group root
# Excluded from the automatic start of class main; needs an explicit `start`.
disabled

# Explicit start when sys.boot_completed becomes 1.
on property:sys.boot_completed=1
start mos_service


#10

If you want to add a service in the init.amlogic.board.rc file, you can refer to this commit


#11

All the changes in this commit are in place. Could you please tell me what needs to be done to start the mosquitto service?


#12

You can refer to the following modifications. With them, mosquitto works.

kvim2:/ $ ps | grep mosquitto                                                  
root      5201  1     5908   2176  poll_sched 0000000000 S /system/bin/mosquitto

1. The directory ‘device/khadas’

diff --git a/kvim2/device.mk b/kvim2/device.mk
index 006d1c9..b88278e 100644
--- a/kvim2/device.mk
+++ b/kvim2/device.mk
@@ -50,6 +50,12 @@ PRODUCT_COPY_FILES += \
      device/khadas/kvim2/preinstall/preinstall.sh:system/bin/preinstall.sh
 
+ PRODUCT_COPY_FILES += \
+     device/khadas/kvim2/mosquitto/mosquitto:system/bin/mosquitto \
+     device/khadas/kvim2/mosquitto/libkbcrypto.so:system/lib/libkbcrypto.so \
+     device/khadas/kvim2/mosquitto/libkbssl.so:system/lib/libkbssl.so \
+     device/khadas/kvim2/mosquitto/mosquitto.conf:system/etc/mosquitto.conf

diff --git a/kvim2/product/init.amlogic.rc b/kvim2/product/init.amlogic.rc
index 3278e98..0448f7d 100644
--- a/kvim2/product/init.amlogic.rc
+++ b/kvim2/product/init.amlogic.rc
@@ -536,6 +536,12 @@ service preinstall /system/bin/preinstall.sh
     oneshot
     seclabel u:r:preinstall:s0
 
+service mosquitto /system/bin/mosquitto -c /system/etc/mosquitto.conf
+    user root
+    group system
+    oneshot
+    seclabel u:r:mosquitto:s0
+
 service rsdb /system/bin/rsdb.sh
        user root
        group root
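Review bot: The new service entry runs the broker as `user root`, and mosquitto's own startup output earlier in this thread warns that it should not be run as root. The listener is on port 1883, which needs no privileged bind, so an unprivileged account should be enough; on Android the process will probably also need the `inet` supplementary group to open sockets, for example `user nobody` with `group inet`, to be verified on the device. `oneshot` tells init not to restart the process after it exits, which is unusual for a long-running broker; drop it if the broker should come back after a crash.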
@@ -551,6 +557,9 @@ on property:config.disable_instaboot=false
 on property:dev.bootcomplete=1
     start preinstall
 
+on property:dev.bootcomplete=1
+    start mosquitto

2. The directory ‘system/sepolicy’

diff --git a/domain.te b/domain.te
index 662b479..6f9d15d 100644
--- a/domain.te
+++ b/domain.te
@@ -279,6 +279,7 @@ neverallow {
     -shell
     userdebug_or_eng(`-su')
     -preinstall
+    -mosquitto
     -rsdb
     -system_server
     -zygote
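Review bot: Adding `-mosquitto` to this neverallow exemption list, and to the five hunks that follow in domain.te (writes to `system_file`/`exec_type`, `dalvikcache_data_file` files and dirs, `system_data_file`, and the servicemanager `list` and `{ add find }` rules), removes platform-wide guarantees for a network-facing daemon. neverallow is a build-time assertion, so these exemptions are only needed because mosquitto.te grants the matching accesses; removing those grants lets all six hunks be dropped and keeps lines such as `neverallow { domain -recovery -preinstall } { system_file exec_type }:dir_file_class_set` as they were. Edited neverallow rules in system/sepolicy are also likely to fail compatibility testing. The rule this first hunk belongs to starts above the visible context.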
@@ -312,7 +313,7 @@ neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_p
 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
 # Only recovery should be doing writes to /system
-neverallow { domain -recovery -preinstall } { system_file exec_type }:dir_file_class_set
+neverallow { domain -recovery -preinstall -mosquitto} { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom append unlink link rename };
 neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
 
@@ -381,6 +382,7 @@ neverallow {
   -cppreopts
   -dex2oat
   -preinstall
+  -mosquitto
   -otapreopt_slot
 } dalvikcache_data_file:file no_w_file_perms;
 
@@ -393,6 +395,7 @@ neverallow {
   -dex2oat
   -zygote
   -preinstall
+  -mosquitto
   -otapreopt_slot
 } dalvikcache_data_file:dir no_w_dir_perms;
 
@@ -473,6 +476,7 @@ neverallow {
   -system_app
   -init
   -preinstall
+  -mosquitto
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
@@ -552,11 +556,13 @@ neverallow {
 # servicemanager is the only process which handles list request
 neverallow {
    -preinstall
+   -mosquitto
 } servicemanager:service_manager list;
 
 # only service_manager_types can be added to service_manager
 neverallow {
    -preinstall
+   -mosquitto
 } service_manager_type:service_manager { add find };
 
 # Prevent assigning non property types to properties
diff --git a/file_contexts b/file_contexts
index 0e112c5..8877926 100644
--- a/file_contexts
+++ b/file_contexts
@@ -206,6 +206,7 @@
 /system/bin/logwrapper  u:object_r:system_file:s0
 /system/bin/vdc         u:object_r:vdc_exec:s0
 /system/bin/preinstall.sh   u:object_r:preinstall_exec:s0
+/system/bin/mosquitto   u:object_r:mosquitto_exec:s0
 /system/bin/rsdb.sh         u:object_r:rsdb_exec:s0
 /system/bin/cppreopts.sh   u:object_r:cppreopts_exec:s0
 /system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0


diff --git a/mosquitto.te b/mosquitto.te
new file mode 100644
index 0000000..b65e042
--- /dev/null
+++ b/mosquitto.te
@@ -0,0 +1,47 @@
+# mosquitto seclabel is specified in init.amlogic.rc
+type mosquitto, domain;
+type mosquitto_exec, exec_type, file_type;
+
+init_daemon_domain(mosquitto)
+
+allow mosquitto activity_service:service_manager { find add list };
+allow mosquitto account_service:service_manager { find add list };
+allow mosquitto proc_net:file { read open getattr write };
+allow mosquitto ashmem_device:chr_file { execute getattr read open write };
+allow mosquitto toolbox_exec:file { getattr execute_no_trans open read execute };
+allow mosquitto rootfs:lnk_file  { getattr open read write execute };
+allow mosquitto system_file:file { execute_no_trans open read write execute };
+allow mosquitto system_file:dir { read open write getattr execute};
+allow mosquitto shell_exec:file  { getattr open read write execute execute_no_trans };
+#allow mosquitto shell_data_file:dir { create getattr setattr search };
+#allow mosquitto shell_data_file:file { open create read write getattr };
+allow mosquitto shell:file { getattr };
+allow mosquitto zygote_exec:file { read open write execute getattr execute_no_trans };
+allow mosquitto system_data_file:dir { open read write add_name create };
+allow mosquitto system_data_file:file { open read write create lock };
+allow mosquitto system_data_file:lnk_file { unlink read write open };
+allow mosquitto dalvikcache_data_file:dir { open read write search getattr add_name remove_name unli
+allow mosquitto dalvikcache_data_file:file { open read write lock getattr create execute execute_no_
+allow mosquitto dalvikcache_data_file:lnk_file { read getattr unlink open write };
+allow mosquitto servicemanager:binder { call  transfer};
+allow mosquitto servicemanager:dir  { open read write create search };
+allow mosquitto servicemanager:file  { open read write create };
+allow mosquitto self:process execmem;
+allow mosquitto mosquitto_tmpfs:file { execute open read write create };
+allow mosquitto servicemanager:process { getattr execmem };
+allow servicemanager mosquitto:dir search;
+allow servicemanager mosquitto:file { open read write create };
+allow servicemanager mosquitto:process { getattr execmem };
+allow mosquitto user_service:service_manager { find add list };
+allow mosquitto package_service:service_manager { find add list };
+allow mosquitto system_server:binder { call transfer };
+allow mosquitto system_server:unix_stream_socket { read write create getopt setopt };
+allow system_server mosquitto:binder { call transfer };
+allow mosquitto apk_data_file:dir create_dir_perms;
+allow mosquitto apk_data_file:file { create_file_perms link };
+allow mosquitto apk_tmp_file:dir create_dir_perms;
+allow mosquitto apk_tmp_file:file create_file_perms;
+
+binder_use(mosquitto)
+binder_service(mosquitto)
+binder_call(mosquitto, system_server)
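Review bot: The allow rules in this new domain cover far more than an MQTT broker uses: write and execute on `system_file`, execute on `zygote_exec` and `shell_exec`, `self:process execmem`, create/write in `dalvikcache_data_file` and `apk_data_file`, `service_manager { find add list }`, plus new grants to servicemanager and system_server. The set looks copied from another domain (presumably preinstall) rather than derived from denials, and the earlier log line with `permissive=1` suggests it was never exercised in enforcing mode. I would keep the two type declarations and `init_daemon_domain(mosquitto)`, add `net_domain(mosquitto)` for the listener sockets, and re-add single rules only for denials observed with enforcing on. The two `dalvikcache_data_file` dir and file lines are cut off on this page and have no closing `};` as shown.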


#13

The service mosquitto started. Thanks a lot terry. It’s working now.