
Looking inside the brillo emulator... starting by disabling selinux

Posted at 2015-11-25

Last time I force-started the brillo emulator, so this time I want to have a look around inside it.

What caught my attention last time was the long list of selinux policy violations:

```
capability: warning: `wpa_supplicant' uses 32-bit capabilities (legacy support in use)
type=1400 audit(1448466976.510:11): avc: denied { write } for pid=1039 comm="logd" name="property_service" dev="tmpfs" ino=528 scontext=u:r:logd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
type=1400 audit(1448466977.090:12): avc: denied { write } for pid=1039 comm="logd" name="property_service" dev="tmpfs" ino=528 scontext=u:r:logd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
type=1400 audit(1448466977.210:13): avc: denied { write } for pid=1039 comm="logd" name="property_service" dev="tmpfs" ino=528 scontext=u:r:logd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
type=1400 audit(1448466978.490:14): avc: denied { write } for pid=1039 comm="logd" name="property_service" dev="tmpfs" ino=528 scontext=u:r:logd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
type=1400 audit(1448466980.620:15): avc: denied { write } for pid=1060 comm="logd.writer" name="property_service" dev="tmpfs" ino=528 scontext=u:r:logd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
type=1400 audit(1448466980.940:16): avc: denied { write } for pid=1060 comm="logd.writer" name="property_service" dev="tmpfs" ino=528 scontext=u:r:logd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
type=1400 audit(1448466981.500:17): avc: denied { search } for pid=1094 comm="bluetoothtbd" name="cpuctl" dev="tmpfs" ino=748 scontext=u:r:bluetoothtbd:s0 tcontext=u:object_r:cpuctl_device:s0 tclass=dir permissive=0
type=1400 audit(1448466982.270:18): avc: denied { search } for pid=1052 comm="keystore" name="cpuctl" dev="tmpfs" ino=748 scontext=u:r:keystore:s0 tcontext=u:object_r:cpuctl_device:s0 tclass=dir permissive=0
type=1400 audit(1448466982.280:19): avc: denied { search } for pid=1055 comm="Binder_2" name="cpuctl" dev="tmpfs" ino=748 scontext=u:r:sensorservice:s0 tcontext=u:object_r:cpuctl_device:s0 tclass=dir permissive=0
type=1400 audit(1448466982.320:20): avc: denied { sys_nice } for pid=1055 comm="Binder_2" capability=23 scontext=u:r:sensorservice:s0 tcontext=u:r:sensorservice:s0 tclass=capability permissive=0
type=1400 audit(1448466982.320:21): avc: denied { sys_nice } for pid=1098 comm="sensorservice" capability=23 scontext=u:r:sensorservice:s0 tcontext=u:r:sensorservice:s0 tclass=capability permissive=0
type=1400 audit(1448466982.320:22): avc: denied { sys_nice } for pid=1098 comm="Binder_1" capability=23 scontext=u:r:sensorservice:s0 tcontext=u:r:sensorservice:s0 tclass=capability permissive=0
type=1400 audit(1448466982.330:23): avc: denied { sys_nice } for pid=1098 comm="Binder_1" capability=23 scontext=u:r:sensorservice:s0 tcontext=u:r:sensorservice:s0 tclass=capability permissive=0
type=1400 audit(1448466990.980:24): avc: denied { search } for pid=1119 comm="mediaserver" name="cpuctl" dev="tmpfs" ino=748 scontext=u:r:mediaserver:s0 tcontext=u:object_r:cpuctl_device:s0 tclass=dir permissive=0
```
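Every `avc: denied` record above has the same shape (source context, target context, object class, permission, and a `permissive=` flag), so rather than reading them one at a time it is more useful to summarise them by source domain, target type, class and permission, which is also the first thing `audit2allow` does before proposing rules. The script below is an added example, not code from the original post or from Brillo itself: it parses a handful of the AVC lines quoted in this post (plus one constructed `permissive=1` line, to show that the two modes are kept apart), counts the enforced denials, and prints the `allow` rules that would silence them. The function names are my own.

```python
import re
from collections import Counter

# Sample kernel audit output. All but the last line are copied from the
# emulator log quoted in this post; the last line is constructed, with
# permissive=1, to show how a denial logged in permissive mode is treated.
SAMPLE_LOG = """\
capability: warning: `wpa_supplicant' uses 32-bit capabilities (legacy support in use)
type=1400 audit(1448466976.510:11): avc: denied { write } for pid=1039 comm="logd" name="property_service" dev="tmpfs" ino=528 scontext=u:r:logd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
type=1400 audit(1448466980.620:15): avc: denied { write } for pid=1060 comm="logd.writer" name="property_service" dev="tmpfs" ino=528 scontext=u:r:logd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
type=1400 audit(1448466981.500:17): avc: denied { search } for pid=1094 comm="bluetoothtbd" name="cpuctl" dev="tmpfs" ino=748 scontext=u:r:bluetoothtbd:s0 tcontext=u:object_r:cpuctl_device:s0 tclass=dir permissive=0
type=1400 audit(1448466982.320:20): avc: denied { sys_nice } for pid=1055 comm="Binder_2" capability=23 scontext=u:r:sensorservice:s0 tcontext=u:r:sensorservice:s0 tclass=capability permissive=0
type=1400 audit(1448466982.320:21): avc: denied { sys_nice } for pid=1098 comm="sensorservice" capability=23 scontext=u:r:sensorservice:s0 tcontext=u:r:sensorservice:s0 tclass=capability permissive=0
type=1400 audit(1448467661.040:25): avc: denied { getattr } for pid=1141 comm="ls" path="/init" dev="sda" ino=22 scontext=u:r:shell:s0 tcontext=u:object_r:init_exec:s0 tclass=file permissive=0
type=1400 audit(1448467800.000:30): avc: denied { getattr } for pid=1150 comm="ls" path="/init" dev="sda" ino=22 scontext=u:r:shell:s0 tcontext=u:object_r:init_exec:s0 tclass=file permissive=1
"""

# One AVC record: the permission set in braces, free-form key=value fields,
# then the two security contexts, the object class and the permissive flag.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for (?P<fields>.*?)"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; returns None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # Contexts look like u:r:logd:s0 / u:object_r:property_socket:s0;
    # the third field is the domain or type the policy rules are written against.
    return {
        "perms": m.group("perms").split(),
        "sdomain": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name") or fields.get("capability"),
    }


def parse_log(text):
    return [e for e in (parse_avc(l) for l in text.splitlines()) if e]


def summarize_denials(text, enforced_only=True):
    """Count denials keyed by (source domain, target type, class, permission).

    With enforced_only=True, records logged in permissive mode (permissive=1)
    are skipped, since those accesses were actually granted."""
    counts = Counter()
    for e in parse_log(text):
        if enforced_only and e["permissive"]:
            continue
        for p in e["perms"]:
            counts[(e["sdomain"], e["ttype"], e["tclass"], p)] += 1
    return counts


def allow_rules(counts):
    """Turn a denial summary into candidate allow rules, audit2allow style."""
    grouped = {}
    for (sdom, ttype, tclass, perm) in counts:
        grouped.setdefault((sdom, ttype, tclass), set()).add(perm)
    rules = []
    for (sdom, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if sdom == ttype else ttype   # policy idiom for same-domain access
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ %s }" % plist
        rules.append("allow %s %s:%s %s;" % (sdom, target, tclass, plist))
    return rules


if __name__ == "__main__":
    counts = summarize_denials(SAMPLE_LOG)
    for key, n in counts.most_common():
        print("%4d  %s -> %s:%s %s" % (n, *key))
    print()
    for rule in allow_rules(counts):
        print(rule)
```

The generated rules are only candidates. A denial such as `shell` doing `getattr` on `init_exec` says nothing about whether that access ought to be permitted; the point of the summary is to see which domains are hitting the policy and where, so that a fix can be judged per rule in the policy sources rather than switching enforcement off globally.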

Since all of this gets in the way of analysis, let's try disabling selinux.

First, confirm that selinux is actually in effect.

```
$ ls
type=1400 audit(1448467661.040:25): avc: denied { getattr } for pid=1141 comm="ls" path="/init" dev="sda" ino=22 scontext=u:r:shell:s0 tcontext=u:object_r:init_exec:s0 tclass=file permissive=0
ls: ./init: Permission denied
acct         dev               init.rc     property_contexts sepolicy         
cache        etc               init.usb.rc root              service_contexts 
config       file_contexts.bin lost+found  sbin              storage          
d            fstab.device      mnt         sdcard            sys              
data         init.environ.rc   oem         seapp_contexts    system           
default.prop init.qemu.rc      proc        selinux_version   ueventd.rc       
```

Right: the policy is being enforced (`permissive=0`), so `ls` running in the `shell` domain is not even allowed to `getattr` the `/init` binary (type `init_exec`), the entry is missing from the listing, and the denial is written to the audit log.

Disabling selinux

```
$ su 
# setenforce 0
type=1404 audit(1448467710.180:26): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
# getenforce
Permissive
```

After doing that,

```
# ls /
acct         etc               init.usb.rc       sbin             sys        
cache        file_contexts.bin lost+found        sdcard           system     
config       fstab.device      mnt               seapp_contexts   ueventd.rc 
d            init              oem               selinux_version  
data         init.environ.rc   proc              sepolicy         
default.prop init.qemu.rc      property_contexts service_contexts 
dev          init.rc           root              storage          
```

Now `init` shows up and selinux no longer gets in the way. Two caveats: `setenforce 0` only switches the kernel to permissive mode, so the policy stays loaded and denials are still logged (now with `permissive=1`), they are just not enforced; and the setting is not persistent, so the emulator is back in enforcing mode after a reboot. It also needs root, which is why the `su` comes first.

To be continued.
