Problem background
A system app needs to read the network interface's hardware (MAC) address, which is exposed in sys/class/net/eth0/address, so running `cat sys/class/net/eth0/address` is enough to obtain the device's MAC address.
As the security level has been tightened, however, that read is now denied:
1|HTC5K:/ $ cat sys/class/net/eth0/address
cat: sys/class/net/eth0/address: Permission denied
HTC5K:/ $ ifconfig
ifconfig: ioctl 8927: Permission denied
avc: denied { search } for name="net" dev="sysfs" ino=12684 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
avc: denied { read } for name="address" dev="sysfs" ino=25277 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/platform/1100a000.spi/spi_master/spi32766/spi32766.0/net/eth0/address" dev="sysfs" ino=25277 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
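As an added example (not code from the original post), the following Python script parses the three avc denials above into merged candidate allow rules and flags any rule whose target is a generic label such as `sysfs`, since allowing a whole generic type is exactly what core-policy neverallow assertions reject. The sample denial text and the `BROAD_TYPES` list are constructed here for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the three avc denials quoted in the post.
DENIALS = """\
avc: denied { search } for name="net" dev="sysfs" ino=12684 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
avc: denied { read } for name="address" dev="sysfs" ino=25277 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/platform/1100a000.spi/spi_master/spi32766/spi32766.0/net/eth0/address" dev="sysfs" ino=25277 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
"""

# Pull the permission set, source domain, target type and object class out of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=u:r:(?P<source>[^:\s]+):s0\s+"
    r"tcontext=u:object_r:(?P<target>[^:\s]+):s0\s+"
    r"tclass=(?P<tclass>\S+)"
)

# Generic labels (assumed list): an allow rule against one of these covers far more
# than a single file, which is why coredomain.te carries neverallow rules for them.
BROAD_TYPES = {"sysfs", "proc", "debugfs"}

def parse_denials(text):
    """Return one dict per avc denial line that matches AVC_RE."""
    parsed = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            parsed.append(d)
    return parsed

def suggest_rules(denials):
    """Merge denials by (source, target, class) into allow rules with sorted perms."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(merged.items())]

def broad_targets(denials):
    """Target types that should get a dedicated label (e.g. via genfs_contexts) instead."""
    return sorted({d["target"] for d in denials if d["target"] in BROAD_TYPES})

if __name__ == "__main__":
    parsed = parse_denials(DENIALS)
    for rule in suggest_rules(parsed):
        print(rule)
    for t in broad_targets(parsed):
        print(f"# WARNING: '{t}' is a generic type; label the specific path rather than allowing all of it")
```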
Adding the permission
device/mediatek/sepolicy/basic/non_plat/system_app.te
allow system_app self:netlink_kobject_uevent_socket {read bind create setopt }; # system_app need to read from sysfs /sys/class/switch/hdmi/state r_dir_file(system_app, sysfs_switch); +allow system_app sysfs_net:dir { search read }; +allow system_app sysfs:file { open read };
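Review bot: the added `allow system_app sysfs:file { open read };` grants read access to every file carrying the generic `sysfs` label, not only eth0's address file, and that is precisely the rule the build rejects next against the neverallow in coredomain.te. The denials show the address file is labelled plain `sysfs` while its parent directory is `sysfs_net`; the narrower fix is to give that path its own type (a `genfscon sysfs ...` entry in the device's `genfs_contexts`) and allow `system_app` only that type, in the same `r_dir_file(...)` style as the preceding line. The `sysfs_net:dir { search read }` rule itself is fine.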
Build error
libsepol.report_failure: neverallow on line 91 of system/sepolicy/private/coredomain.te (or line 32781 of policy.conf) violated by allow system_app sysfs:file { read open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
Modifying the neverallow exclusion list
system/sepolicy/private/coredomain.te
system/sepolicy/prebuilts/api/29.0/private/coredomain.te
@@ -102,6 +102,7 @@ full_treble_only(` -init -ueventd -vold + -system_app } sysfs:file no_rw_file_perms; # /dev
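Review bot: adding `-system_app` to the exclusion list of this `full_treble_only` neverallow on `sysfs:file no_rw_file_perms` switches off a platform-wide invariant for the entire `system_app` domain, far beyond the single eth0 address file the post needs, and applying the same edit to `prebuilts/api/29.0/private/coredomain.te` rewrites the frozen policy snapshot whose job is to catch exactly this kind of deviation. Prefer leaving the core neverallow intact and fixing the label of the address path in device policy, so no change to system/sepolicy is required.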