Hello,
Can anyone suggest how to create a .te file for any service?
And where do I add that .te file? In public or private?
You can refer to the following, there are many examples.
device/rockchip/common
commit 589c40516dde95fc7c89edae35420b65554216d1
Author: goenjoy <goenjoy@khadas.com>
Date: Thu Aug 15 17:37:01 2019 +0800
PCIE: add PCIE auto mount support
diff --git a/init.rk30board.rc b/init.rk30board.rc
index 14651b1..79a2b4d 100755
--- a/init.rk30board.rc
+++ b/init.rk30board.rc
@@ -355,6 +355,10 @@ service rk_store_keybox /vendor/bin/rk_store_keybox
class main
oneshot
+service fuse_pcie0 /system/bin/sdcard -u 1023 -g 1023 /mnt/media_rw/pcie0 /storage/pcie0
+ class late_start
+ disabled
+
#vts audio property
on property:vts.native_server.on=1
setprop vendor.vts_test true
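Review bot: the new fuse_pcie0 service is declared disabled, but nothing in the visible lines of this file starts it, and it has no seclabel line, so the domain it runs in depends on how /system/bin/sdcard is labelled. Please state in the commit message which trigger starts the service and which domain it is expected to run in, so the policy changes in the rest of the patch can be checked against it.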
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
index bfc7713..be9fe31 100755
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -32,3 +32,6 @@ type cec_device, dev_type;
#for hid audio
type hidraw_device, dev_type;
+
+#for pcie
+type sda_block_device, dev_type;
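Review bot: the type name sda_block_device does not match its own comment ("for pcie") or the nvme0n1 nodes it is attached to in file_contexts. A name such as nvme_block_device would tell a later policy reader what an allow rule on this type actually grants; sda suggests a SCSI/SATA disk that this patch never labels.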
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
old mode 100644
new mode 100755
index d767577..0879a03
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -65,7 +65,8 @@
/dev/block/by-name/misc u:object_r:misc_block_device:s0
/dev/block/by-name/security u:object_r:security_block_device:s0
/dev/block/by-name/baseparameter u:object_r:baseparameter_block_device:s0
-
+/dev/block/nvme0n1 u:object_r:sda_block_device:s0
+/dev/block/nvme0n1p(.*) u:object_r:sda_block_device:s0
/sys/devices/platform/fb/graphics/fb[0-9]/cabc u:object_r:sysfs_fb:s0
/sys/kernel/debug/mali/gpu_memory u:object_r:sys_mali:s0
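Review bot: the pattern /dev/block/nvme0n1p(.*) matches any suffix after "p", not only partition numbers; /dev/block/nvme0n1p[0-9]+ would keep the label on partition nodes only. The hunk also drops the blank line that separated the /dev/block entries from the /sys entries, and the file header changes the mode of a policy text file from 100644 to 100755, which looks unintended.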
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
old mode 100644
new mode 100755
index 3cbdc97..f447506
--- a/sepolicy/vendor/tee.te
+++ b/sepolicy/vendor/tee.te
@@ -12,4 +12,4 @@ allow tee block_device:dir { getattr search };
allow tee security_block_device:blk_file { ioctl open read write };
allow tee uboot_block_device:blk_file { ioctl open read write };
allow tee rpmb_block_device:blk_file { ioctl open read write };
-
+allow tee sda_block_device:blk_file { read open write ioctl };
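Review bot: this rule gives the tee domain raw read and write access to sda_block_device, which file_contexts in this patch assigns to the whole nvme0n1 disk and every partition on it. The commit message only describes auto mount, so it is unclear why tee needs to write to that storage. Please either justify the rule or drop it, and if tee needs one partition, label that partition with its own type instead. The 100644 to 100755 mode change on tee.te also looks unintended.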
Yes, I have seen a few examples and I have tried to run the script on Android boot, but it does not get started.
My shell script is in system/bin (yyy.sh).
I have defined my service in “system/core/bootstat/bootstat.rc” file.
Snippet:
service xxx /system/bin/sh /system/bin/yyy.sh
    class main
    oneshot
    seclabel u:r:displaysize:s0
My xxx.te file is located at system/sepolicy/xxx.te.
Snippet:
type xxx, domain;
type xxx__exec, exec_type, file_type;
I have added my .te file to the Android.mk file located at system/sepolicy/Android.mk.
Just for your information, my shell script works okay when I execute it from adb shell.
So, what could be wrong here? Why doesn't my script get executed on Android boot?
I checked dmesg and got the following logs regarding my service:
init: starting service 'xxx'...
init: cannot setexeccon('u:r:xxx:s0') for xxx: Invalid argument
init: Service 'xxx' (pid 1076) exited with status 6
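The dmesg line above shows init failing to switch to the service's context; setexeccon() returns "Invalid argument" when the loaded policy does not accept the context it is given. As an added example (not part of the original posts), the Python script below cross-checks each seclabel in an init .rc file against the types declared in .te source. The sample strings are constructed from the snippets in this thread, the function names are hypothetical, and the check reads policy source only, not the compiled policy on the device.

```python
import re
# Constructed sample inputs modelled on the snippets in the thread (not real files).
SAMPLE_RC = """\
service xxx /system/bin/sh /system/bin/yyy.sh
    class main
    oneshot
    seclabel u:r:displaysize:s0
"""
SAMPLE_TE = """\
type xxx, domain;
type xxx__exec, exec_type, file_type;
"""

SERVICE_RE = re.compile(r"^service\s+(\S+)\s+\S+")
SECLABEL_RE = re.compile(r"^\s*seclabel\s+u:r:([A-Za-z0-9_]+):")
TYPE_RE = re.compile(r"^[ \t]*type\s+(\w+)((?:\s*,\s*\w+)*)\s*;", re.M)

def declared_types(te_text):
    """Map each type declared in .te source to the set of its attributes."""
    return {name: {a.strip() for a in attrs.split(",") if a.strip()}
            for name, attrs in TYPE_RE.findall(te_text)}

def service_seclabels(rc_text):
    """Return {service: domain} for services that set an explicit seclabel."""
    labels, current = {}, None
    for line in rc_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
        elif line.startswith(("on ", "import ")):
            current = None  # left the service stanza
        elif current and (m := SECLABEL_RE.match(line)):
            labels[current] = m.group(1)
    return labels

def check(rc_text, te_text):
    """List (service, domain, reason) for seclabels the policy source cannot back."""
    types = declared_types(te_text)
    problems = []
    for svc, dom in sorted(service_seclabels(rc_text).items()):
        if dom not in types:
            problems.append((svc, dom, "type not declared"))
        elif "domain" not in types[dom]:
            problems.append((svc, dom, "type lacks the domain attribute"))
    return problems

if __name__ == "__main__":
    for svc, dom, why in check(SAMPLE_RC, SAMPLE_TE):
        print(f"{svc}: seclabel u:r:{dom}:s0 -> {why}")
```

A clean result here only means the source files agree with each other; the policy actually flashed to the device still has to contain the type.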