Start service in Android N

How to start service in Android Nougat deployed in Khadas VIM2.

I edited the file device/khadas/kvim2/init.amlogic.board.rc
and added:

 # init service entry for the mosquitto broker; "disabled" keeps it out of the
 # automatic class-main start, so only the trigger at the bottom starts it.
 # NOTE(review): no seclabel is given and no SELinux domain for
 # /system/bin/mosquitto is shown with this snippet. On Android N, init
 # presumably refuses to start a service it cannot move out of its own domain,
 # and reports that in the kernel log (dmesg) rather than logcat - confirm.
 service mosquitto /system/bin/mosquitto -c /etc/mosquitto/mosquitto.conf
    class main
    # NOTE(review): root for a network-facing broker; the broker's own startup
    # log quoted in this thread warns against running as root.
    user root
    group root
    disabled

 # Start the broker once the framework reports that boot has completed.
 on property:sys.boot_completed=1
    start mosquitto

The mosquitto binary has many 32-bit library dependencies, and they’re installed in /system/lib.
mosquitto.conf is placed in /etc/mosquitto folder.

I don't see any logs related to mosquitto. Please let me know how to start the service and how to debug it.

Can you provide those files for me? I will have a try. Thanks.

Hi,

Added mosquitto (32-bit) to /system/bin using Android.mk as below

# Prebuilt module: ships an already-compiled mosquitto binary instead of
# building it from source.
include $(CLEAR_VARS)
LOCAL_MODULE := mosquitto
LOCAL_MODULE_CLASS := EXECUTABLES
# The prebuilt file itself; presumably resolved relative to LOCAL_PATH, which
# is not shown in this snippet.
LOCAL_SRC_FILES := mosquitto
# Build/install the 32-bit variant only, matching the 32-bit binary.
LOCAL_MULTILIB := 32
include $(BUILD_PREBUILT)

I got the below error in adb logcat.

01-01 12:34:14.780 5736 5736 I mosquitto: type=1400 audit(0.0:32): avc: denied { module_request } for kmod=“personality-8” scontext=u:r:shell:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1

Followed the work around given by Nick in this link
https://groups.google.com/forum/#!topic/android-porting/0e5RrrvQ2MU

Added the line
# NOTE(review): dontaudit only stops this denial from being logged; it does not
# grant module_request, so by itself it cannot make a service start. The denial
# quoted in the thread was also logged with permissive=1 and scontext shell.
dontaudit domain kernel:system module_request;
to the end of
device/khadas/common/sepolicy/init.te

and commented out the statements with
ifdef CONFIG_MODULES
in common/kernel/exec_domain.c

After that, the log above no longer appeared in adb logcat, but the service still did not start.

Any help would be appreciated.

As I said above, Can you provide those files for me?

I could not attach the .so files, even as a zip. Could you please give me your email address?

My email is terry@szwesion.com

Sent mail. Could you please take a look?

I tried running mosquitto from an adb shell, and that works.

# adb connect IP_ADDR
# adb root
# adb connect IP_ADDR
# adb remount
# adb connect IP_ADDR
# adb push mosquitto /system/bin
# adb push libkbcrypto.so /system/lib
# adb push libkbssl.so /system/lib
# adb push mosquitto.conf /system/etc/
# adb  shell sync
# adb reboot
# adb connect IP_ADDR
# adb shell
# mosquitto -c /system/etc/mosquitto.conf
                           
1528733510: mosquitto version 1.4.14 (build date 2018-05-14 17:19:09+0530) starting
1528733510: Config loaded from /system/etc/mosquitto.conf.
1528733510: Opening ipv6 listen socket on port 1883.
1528733510: Opening ipv4 listen socket on port 1883
1528733510: Warning: Mosquitto should not be run as root/administrator.


Thanks for the response.

The problem is starting the same binary as service.

I added the below lines to the end of the file “device/khadas/kvim2/init.amlogic.board.rc” but mosquitto is not at all started.

# init service entry for the mosquitto broker under the name mos_service;
# "disabled" keeps it out of the automatic class-main start, so only the
# trigger at the bottom starts it.
# NOTE(review): no seclabel is given and no SELinux domain for
# /system/bin/mosquitto is shown with this snippet. On Android N, init
# presumably refuses to start a service it cannot move out of its own domain,
# and reports that in the kernel log (dmesg) rather than logcat - confirm.
service mos_service /system/bin/mosquitto -c /etc/mosquitto/mosquitto.conf
class main
# NOTE(review): root for a network-facing broker; the broker's own startup log
# quoted in this thread warns against running as root.
user root
group root
disabled

# Start the broker once the framework reports that boot has completed.
on property:sys.boot_completed=1
start mos_service

If you want to add a service in the init.amlogic.board.rc file, you can refer to this commit

All the changes in this commit are in place. Could you please tell me what needs to be done to start the mosquitto service?

You can refer to the following modifications. With them, mosquitto works.

kvim2:/ $ ps | grep mosquitto                                                  
root      5201  1     5908   2176  poll_sched 0000000000 S /system/bin/mosquitto

1. In the directory ‘device/khadas’

diff --git a/kvim2/device.mk b/kvim2/device.mk
index 006d1c9..b88278e 100644
--- a/kvim2/device.mk
+++ b/kvim2/device.mk
@@ -50,6 +50,12 @@ PRODUCT_COPY_FILES += \
      device/khadas/kvim2/preinstall/preinstall.sh:system/bin/preinstall.sh
 
+ PRODUCT_COPY_FILES += \
+     device/khadas/kvim2/mosquitto/mosquitto:system/bin/mosquitto \
+     device/khadas/kvim2/mosquitto/libkbcrypto.so:system/lib/libkbcrypto.so \
+     device/khadas/kvim2/mosquitto/libkbssl.so:system/lib/libkbssl.so \
+     device/khadas/kvim2/mosquitto/mosquitto.conf:system/etc/mosquitto.conf
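Review bot: The added `PRODUCT_COPY_FILES` entries install a prebuilt broker and two prebuilt libraries (`libkbcrypto.so`, `libkbssl.so`, crypto/TLS libraries judging by their names) with nothing recording where they came from or which versions they are. Blobs like these cannot be rebuilt or patched from the tree, so a comment above the block should state their origin, e.g. `# prebuilt mosquitto <VERSION> + TLS libs, built from <SOURCE_PLACEHOLDER> at <COMMIT_PLACEHOLDER>`. The broker log quoted earlier in the thread reports version 1.4.14; whether that is the binary committed here is not visible. The hunk is pasted with fewer context lines than its header announces, so the rest of device.mk is not shown.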

diff --git a/kvim2/product/init.amlogic.rc b/kvim2/product/init.amlogic.rc
index 3278e98..0448f7d 100644
--- a/kvim2/product/init.amlogic.rc
+++ b/kvim2/product/init.amlogic.rc
@@ -536,6 +536,12 @@ service preinstall /system/bin/preinstall.sh
     oneshot
     seclabel u:r:preinstall:s0
 
+service mosquitto /system/bin/mosquitto -c /system/etc/mosquitto.conf
+    user root
+    group system
+    oneshot
+    seclabel u:r:mosquitto:s0
+
 service rsdb /system/bin/rsdb.sh
        user root
        group root
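Review bot: The new `mosquitto` service is declared with `user root`, although the broker's own startup log in this thread warns that it should not run as root, and the listener it opens is on port 1883, which needs no privileged bind. Prefer an unprivileged account with network access, e.g. `user <UNPRIVILEGED_AID_PLACEHOLDER>` and `group inet`, so that a flaw in the network-facing broker does not run with root's privileges. `oneshot` also means init will not restart the broker if it exits; drop it if the broker is meant to stay up. The next hunk adds a second `on property:dev.bootcomplete=1` block; `start mosquitto` could go into the existing one instead.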
@@ -551,6 +557,9 @@ on property:config.disable_instaboot=false
 on property:dev.bootcomplete=1
     start preinstall
 
+on property:dev.bootcomplete=1
+    start mosquitto

2. In the directory ‘system/sepolicy’

diff --git a/domain.te b/domain.te
index 662b479..6f9d15d 100644
--- a/domain.te
+++ b/domain.te
@@ -279,6 +279,7 @@ neverallow {
     -shell
     userdebug_or_eng(`-su')
     -preinstall
+    -mosquitto
     -rsdb
     -system_server
     -zygote
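Review bot: Adding `-mosquitto` to this neverallow exemption list, and to those in the following domain.te hunks (writes to `system_file`/`exec_type`, `dalvikcache_data_file`, `system_data_file`, and the `servicemanager` list and `service_manager_type` add/find rules), removes platform-wide guarantees for a network-facing daemon. The exemptions mirror the `preinstall` entries next to them, and nothing on the page suggests an MQTT broker needs to write to /system or the dalvik cache or to register binder services. Leave domain.te untouched and drop the matching allow rules from mosquitto.te instead; a neverallow failure at build time then points at a rule the broker should not have. The rule this first hunk belongs to starts outside the hunk, so which permission it guards is not visible here.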
@@ -312,7 +313,7 @@ neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_p
 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
 # Only recovery should be doing writes to /system
-neverallow { domain -recovery -preinstall } { system_file exec_type }:dir_file_class_set
+neverallow { domain -recovery -preinstall -mosquitto} { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom append unlink link rename };
 neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
 
@@ -381,6 +382,7 @@ neverallow {
   -cppreopts
   -dex2oat
   -preinstall
+  -mosquitto
   -otapreopt_slot
 } dalvikcache_data_file:file no_w_file_perms;
 
@@ -393,6 +395,7 @@ neverallow {
   -dex2oat
   -zygote
   -preinstall
+  -mosquitto
   -otapreopt_slot
 } dalvikcache_data_file:dir no_w_dir_perms;
 
@@ -473,6 +476,7 @@ neverallow {
   -system_app
   -init
   -preinstall
+  -mosquitto
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
@@ -552,11 +556,13 @@ neverallow {
 # servicemanager is the only process which handles list request
 neverallow {
    -preinstall
+   -mosquitto
 } servicemanager:service_manager list;
 
 # only service_manager_types can be added to service_manager
 neverallow {
    -preinstall
+   -mosquitto
 } service_manager_type:service_manager { add find };
 
 # Prevent assigning non property types to properties
diff --git a/file_contexts b/file_contexts
index 0e112c5..8877926 100644
--- a/file_contexts
+++ b/file_contexts
@@ -206,6 +206,7 @@
 /system/bin/logwrapper  u:object_r:system_file:s0
 /system/bin/vdc         u:object_r:vdc_exec:s0
 /system/bin/preinstall.sh   u:object_r:preinstall_exec:s0
+/system/bin/mosquitto   u:object_r:mosquitto_exec:s0
 /system/bin/rsdb.sh         u:object_r:rsdb_exec:s0
 /system/bin/cppreopts.sh   u:object_r:cppreopts_exec:s0
 /system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0


diff --git a/mosquitto.te b/mosquitto.te
new file mode 100644
index 0000000..b65e042
--- /dev/null
+++ b/mosquitto.te
@@ -0,0 +1,47 @@
+# mosquitto seclabel is specified in init.amlogic.rc
+type mosquitto, domain;
+type mosquitto_exec, exec_type, file_type;
+
+init_daemon_domain(mosquitto)
+
+allow mosquitto activity_service:service_manager { find add list };
+allow mosquitto account_service:service_manager { find add list };
+allow mosquitto proc_net:file { read open getattr write };
+allow mosquitto ashmem_device:chr_file { execute getattr read open write };
+allow mosquitto toolbox_exec:file { getattr execute_no_trans open read execute };
+allow mosquitto rootfs:lnk_file  { getattr open read write execute };
+allow mosquitto system_file:file { execute_no_trans open read write execute };
+allow mosquitto system_file:dir { read open write getattr execute};
+allow mosquitto shell_exec:file  { getattr open read write execute execute_no_trans };
+#allow mosquitto shell_data_file:dir { create getattr setattr search };
+#allow mosquitto shell_data_file:file { open create read write getattr };
+allow mosquitto shell:file { getattr };
+allow mosquitto zygote_exec:file { read open write execute getattr execute_no_trans };
+allow mosquitto system_data_file:dir { open read write add_name create };
+allow mosquitto system_data_file:file { open read write create lock };
+allow mosquitto system_data_file:lnk_file { unlink read write open };
+allow mosquitto dalvikcache_data_file:dir { open read write search getattr add_name remove_name unli
+allow mosquitto dalvikcache_data_file:file { open read write lock getattr create execute execute_no_
+allow mosquitto dalvikcache_data_file:lnk_file { read getattr unlink open write };
+allow mosquitto servicemanager:binder { call  transfer};
+allow mosquitto servicemanager:dir  { open read write create search };
+allow mosquitto servicemanager:file  { open read write create };
+allow mosquitto self:process execmem;
+allow mosquitto mosquitto_tmpfs:file { execute open read write create };
+allow mosquitto servicemanager:process { getattr execmem };
+allow servicemanager mosquitto:dir search;
+allow servicemanager mosquitto:file { open read write create };
+allow servicemanager mosquitto:process { getattr execmem };
+allow mosquitto user_service:service_manager { find add list };
+allow mosquitto package_service:service_manager { find add list };
+allow mosquitto system_server:binder { call transfer };
+allow mosquitto system_server:unix_stream_socket { read write create getopt setopt };
+allow system_server mosquitto:binder { call transfer };
+allow mosquitto apk_data_file:dir create_dir_perms;
+allow mosquitto apk_data_file:file { create_file_perms link };
+allow mosquitto apk_tmp_file:dir create_dir_perms;
+allow mosquitto apk_tmp_file:file create_file_perms;
+
+binder_use(mosquitto)
+binder_service(mosquitto)
+binder_call(mosquitto, system_server)
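Review bot: This policy grants the broker far more than the page shows it needing: `self:process execmem`, write and execute on `system_file`, `shell_exec` and `zygote_exec`, create/write on `dalvikcache_data_file`, `apk_data_file` and `system_data_file`, and `service_manager` add for several system services. It also adds rules for other domains, such as `allow servicemanager mosquitto:process { getattr execmem }` and `allow system_server mosquitto:binder { call transfer }`. The rule set looks copied from an installer-type domain rather than derived from denials. A tighter starting point keeps the two `type` lines and `init_daemon_domain(mosquitto)`, adds `net_domain(mosquitto)` for the sockets, and then adds only the rules that `avc: denied` entries with `scontext=u:r:mosquitto:s0` call for. The two `dalvikcache_data_file` lines are cut off in the paste (`unli`, `execute_no_`), so the file as shown would not compile.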

The service mosquitto started. Thanks a lot terry. It’s working now.