I am building AOSP 11 for the x86_64 emulator and trying to run a shell script on boot.
Below is my shell script, test.sh:
    #!/vendor/bin/sh
    echo "Hello" >> /data/local/tmp/test.txt
I created a myrc.rc file to define the service:
    service runapp /vendor/bin/test.sh
        class main
        seclabel u:r:init-myservice:s0
        user root
        group root
        oneshot
        disabled
    on property:dev.bootcomplete=1
        start runapp
In device/generic/goldfish/sepolicy/x86/file_contexts I have file_contexts with:
    /vendor/bin/test.sh u:object_r:init-myservice_exec:s0
In device/generic/goldfish/sepolicy/x86/init-myservice.te:
    type init-myservice, domain;
    type init-myservice_exec, exec_type, vendor_file_type, file_type;
    init_daemon_domain(init-myservice)
    allow init-myservice vendor_file_type:file { execute getattr map open read };
    allow init-myservice vendor_toolbox_exec:file read;
Add myrc.rc and test.sh in the device/generic/goldfish/x86_64-vendor.mk file:
    PRODUCT_COPY_FILES += \
        external/service/test.sh:$(TARGET_COPY_OUT_VENDOR)/bin/test.sh \
        external/service/myrc.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/myrc.rc \
In build/make/target/board/generic_x86_64/BoardConfig.mk:
    BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/x86
But I can't see any test.txt file created in /data/local/tmp/.
It looks like the service is not running on boot.
I have checked the dmesg logs, but there are no logs for the "runapp" service which I have created.
Does anyone have an idea about this?
#GNK, for a rooted device the solution below works.
No need to define any domain.
Create an rc file with the configuration below:
    service runapp /system/bin/test.sh
        class main
        seclabel u:r:su:s0
        user root
        group root
        oneshot
        disabled
    on property:dev.bootcomplete=1
        start runapp
Modify your makefile to install these files.
Put the rc file in /etc/init/
Put test.sh in /system/bin/
Related
Whenever a button is clicked in the Android app, it sets a property which should start a service, and the service should run a shell script.
Setting property in Android app
For setting any property anywhere in an Android application we can use the code below.
    SystemProperties.set("my.custom.property","1");
Modifying init.rc file
Added the code below in init.rc.
Here in seclabel we are using u:r:su:s0; instead, we can define our custom sepolicy and use that as well.
    service my_service /bin/sh /system/bin/my_custom_service.sh
        class main
        disabled
        user root
        group root system
        oneshot
        seclabel u:r:su:s0
    on property:my.custom.property=1
        start my_service
Adding script in device.mk
Copy your script into the directory device/vendor/product_name/. On adding the code below, it will be copied to system/bin/ on the device.
    PRODUCT_COPY_FILES += \
        device/vendor/product_name/my_custom_service.sh:/system/bin/my_custom_service.sh \
Writing shell script my_custom_service.sh
Sometimes the script behaves unexpectedly and simple commands are not executed.
So after several tries the below worked for me, and the output is also redirected to kernel logs.
Edit: My script was not working because I wrote it in Windows; when you write the same thing in Ubuntu it works.
So better to write scripts in Ubuntu.
    #!/bin/sh
    $(echo "Data deletion : started" > /dev/kmsg)
    $(echo $(cd /data/&& rm -rf !(data)) > /dev/kmsg)
    $(echo "user data deletion : ends" > /dev/kmsg)
So, this approach worked for me on Android 10, and the files were deleted on click of the button in the application.
I am having trouble creating the SELinux policies for an sh script (init.myservice.sh) with the following content:
    #!/system/bin/sh
    /system/bin/am force-stop 'com.myapp.apptest'
    /system/bin/tinymix 'Headphone Volume' 35;tinymix 'Capture Input' ADC;tinymix 'DMIC Mux' DMIC2;
    /system/bin/am start -n 'com.myapp.apptest/com.myapp.apptest.MainActivity' -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
    /system/bin/my_board_service &
As you can see, this script does the following things:
Stops (and starts) an APK application
Sets a few mic and audio settings with tinymix
Starts a binary (my_board_service), which is a compiled C++ program that interacts with the custom board peripherals (GPIOs, I2C, etc.)
I've added the following lines to my "init.rc" file:
    on property:sys.boot_completed=1
        start init-myservice
    service init-myservice /system/bin/sh /system/bin/init.myservice.sh
        class main
        user root
        group root system
        disabled
        oneshot
I can see the script in the built system under the path "/system/bin" and the binary with the correct permissions (755) and if I launch it manually it works well. But I'm unable to launch it at system boot because (without any policies set) I get this error on the shell:
Command 'start init-myservice' action=sys.boot_completed=1
(/vendor/etc/init/hw/init.freescale.rc:334) took 5ms and failed: Could
not start service: File /system/bin/init.myservice.sh(labeled
"u:object_r:system_file:s0") has incorrect label or no domain
transition from u:r:init:s0 to another SELinux domain defined. Have
you configured your service correctly?
https://source.android.com/security/selinux/device-policy#label_new_services_and_address_denials
So I'm trying to generate service policies without any luck. I've tried the following:
The content of my .te file is the following:
    # foo service
    type foo, domain;
    type foo_exec, exec_type, file_type;
    init_daemon_domain(foo)
I've added the following line in the "file_contexts" file under this location: "android_build/device/variscite/imx8m/dart_mx8mm/sepolicy/"
    /system/bin/init\.myscript\.sh u:object_r:foo_exec:s0
When I build my AOSP project I get a few errors like this one:
FAILED:
out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/treble_sepolicy_tests_28.0
/bin/bash -c "(out/host/linux-x86/bin/treble_sepolicy_tests -l
out/host/linux-x86/lib64/libsepolwrap.so -f
out/target/product/dart_mx8mm/obj/ETC/plat_file_contexts_intermediates/plat_file_contexts
-f out/target/product/dart_mx8mm/obj/ETC/vendor_file_contexts_intermediates/vendor_file_contexts -b out/target/product/dart_mx8mm/obj/ETC/built_plat_sepolicy_intermediates/built_plat_sepolicy
-m out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/28.0_mapping.combined.cil
-o out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/built_28.0_plat_sepolicy
-p out/target/product/dart_mx8mm/obj/ETC/sepolicy_intermediates/sepolicy
-u out/target/product/dart_mx8mm/obj/ETC/built_plat_sepolicy_intermediates/base_plat_pub_policy.cil
--fake-treble ) && (touch out/target/product/dart_mx8mm/obj/ETC/treble_sepolicy_tests_28.0_intermediates/treble_sepolicy_tests_28.0
)" The following domain(s) must be associated with the "coredomain"
attribute because they are executed off of /system: foo
I recently was able to get what you are describing to work, but there were some differences in our approaches. All of my changes were in "/vendor" on the target. I'm not sure where your init.rc changes were going, but you described your script as being installed in "/system".
Otherwise most of what you are describing is familiar including having issues compiling the SELinux policy. In the end the policy that worked for me looked something like this:
    # foo service
    type foo, domain;
    type foo_exec, exec_type, vendor_file_type, file_type;
    init_daemon_domain(foo)
    # followed by all the particulars of my service.
If you are set on installing your service in "system" instead of "vendor", the wording of the error message seems to be telling you to associate your domain with the "coredomain". I think that means your policy should include the following line somewhere before "init_daemon_domain":
    typeattribute foo coredomain;
You should also be aware that I've seen it said that there is a SELinux policy that prohibits mixing "vendor" with "system". I'm not sure, but I think it means that if you modified an init.rc in the /vendor file system to run your script, you are limited to using "stuff" found in the /vendor file system. Your example above shows your script using /system/bin/sh, so if you modified an init.rc in the /vendor file system to start that script, I think that would be a violation.
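
Added example (not from the question or the answer, and not AOSP code): the sketch below checks which file_contexts entry, if any, covers each path on the service line from the question. The service line and the foo_exec entry are copied from the question; the /system and /system/bin/sh entries are assumed stock-style entries, and precedence is simplified to "last match wins".

```python
import re

# Constructed sample. The last entry and SERVICE_LINE are as posted in the question
# above; the first two entries are assumed stock-style entries added for illustration.
FILE_CONTEXTS = r"""
/system(/.*)?                    u:object_r:system_file:s0
/system/bin/sh               --  u:object_r:shell_exec:s0
/system/bin/init\.myscript\.sh   u:object_r:foo_exec:s0
"""
SERVICE_LINE = "service init-myservice /system/bin/sh /system/bin/init.myservice.sh"

def load_contexts(text):
    """Parse 'pattern [file-type] context' lines into (compiled pattern, context) pairs."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            entries.append((re.compile(fields[0]), fields[-1]))
    return entries

def label_of(path, entries):
    """Context a path would get. Patterns must match the whole path; precedence is
    simplified to 'last matching entry wins' (real tooling also sorts by specificity)."""
    label = None
    for pattern, context in entries:
        if pattern.fullmatch(path):
            label = context
    return label

def service_labels(service_line, entries):
    """Map each absolute path on a service line to its label; argv[0] is what init execs."""
    argv = service_line.split()[2:]
    return {arg: label_of(arg, entries) for arg in argv if arg.startswith("/")}

if __name__ == "__main__":
    entries = load_contexts(FILE_CONTEXTS)
    for path, label in service_labels(SERVICE_LINE, entries).items():
        print(f"{path} -> {label}")
    # The name the posted file_contexts pattern was actually written for:
    print("/system/bin/init.myscript.sh ->",
          label_of("/system/bin/init.myscript.sh", entries))
```

Run against the posted lines, it reports that init.myservice.sh falls through to system_file, because the posted pattern names init.myscript.sh, and that the executable init would launch is /system/bin/sh.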
I want to run a service on a few tablets (VONINO NAVO P) that will serve as photo frames for digital ads.
What I'm trying to achieve is to run some commands at boot, and I'm stuck.
I have created digitalads.rc in system/etc/init, which will execute /system/bin/digitalads.sh, from where I need to run some commands like:
    svc power stayon true
    settings put system screen_brightness 255
    pm disable com.android.systemui
    settings put system screen_off_timeout 999999999
    settings put system accelerometer_rotation 0
    settings put global airplane_mode_on 0
    svc bluetooth disable
    monkey -p my.app -c android.intent.category.LAUNCHER 1
and some other custom commands that will update the contents of media files.
My .rc file:
    tulip-f708:/ # cat /system/etc/init/digitalads.rc
    service digitalads /system/bin/digitalads.sh
    disabled
    user root
    group root
    u:object_r:system_file:s0
    on property:sys.boot_completed=1
    start digitalads
dmesg output:
    tulip-f708:/ # dmesg | grep digitalads
    [ 6.512868] init: /system/etc/init/digitalads.rc: 5: invalid keyword 'u:object_r:system_file:s0'
    [ 6.522694] init: (Parsing /system/etc/init/digitalads.rc took 0.01s.)
    [ 44.546434] init: Service digitalads does not have a SELinux domain defined.
SELinux output:
    tulip-f708:/ # getenforce
    Enforcing
    tulip-f708:/ # setenforce 0
    tulip-f708:/ # getenforce
    Permissive
Other services run under u:object_r:system_file:s0:
    tulip-f708:/ # ls -Z /system/bin/
    u:object_r:system_file:s0 4d78d2ea-a631-70fb-aaa787c2b5773052.ta
    u:object_r:system_file:s0 a98befed-d679-ce4a-a3c827dcd51d21ed.ta
    u:object_r:system_file:s0 acpi
    u:object_r:system_file:s0 am
    u:object_r:system_file:s0 app_process
    u:object_r:zygote_exec:s0 app_process32
    u:object_r:zygote_exec:s0 app_process64
    u:object_r:system_file:s0 applypatch
    u:object_r:system_file:s0 appops
    u:object_r:system_file:s0 appwidget
    u:object_r:system_file:s0 arping
    .............................
I also tried to unpack boot.img to modify init.rc but failed when putting it back (bricked two of them). Not to mention that to root them I had to contact the manufacturer directly...
Some hints would help me! Thx
It seems your .rc file is missing the seclabel keyword. Your service declaration should look like this:
    service digitalads /system/bin/digitalads.sh
        disabled
        user root
        group root
        seclabel u:object_r:system_file:s0
Edit regarding your SE Linux violation: The message says that init cannot start a program labelled with system_file. That means you have to modify the SE Linux rules. The best approach would be to add a new label specific to your service:
Identify the folder where you want to add your policy. This is somewhat specific to your setup, so I cannot give you a definite answer. Check for .te files in your source code. The core Android policies are in system/sepolicy/, but if your setup has special SE policies somewhere in devices/ or vendor/, these locations would be better suited for your customization (because it makes it easier for you to update to a new Android version when your customizations are as isolated as possible).
In that folder, create a new policy file, e.g. digitalads.te. Add the following rules:
    type digitalads_exec, system_file_type, exec_type, file_type;
    type digitalads, domain;
    init_daemon_domain(digitalads)
In the same folder, there should be a file file_contexts: Add a line like
    /system/bin/digitalads u:object_r:digitalads_exec:s0
(When you boot with this change, ls -Z /system/bin/digitalads should show this label.)
For the seclabel in your .rc file, replace system_file with digitalads.
(Check dmesg output and also ps -Z to verify your service has been labelled correctly.)
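
Added example (not part of the posts above, and not AOSP tooling): a small lint for service stanzas like the ones quoted on this page. It checks that seclabel, which sets the context the service process runs in, names a process context (role r) rather than a file label (role object_r), and flags services pinned to the su domain; the result codes and the sample text are constructed for illustration.

```python
# Constructed sample: service stanzas as quoted in the posts on this page.
SAMPLE_RC = """\
service digitalads /system/bin/digitalads.sh
    disabled
    user root
    seclabel u:object_r:system_file:s0
service runapp /system/bin/test.sh
    class main
    seclabel u:r:su:s0
    user root
    oneshot
service ethmon /system/xbin/ethmon
    class main
    user root
    oneshot
on property:sys.boot_completed=1
    start digitalads
"""

def parse_services(rc_text):
    """Return {name: {"argv": [...], "opts": {keyword: [args]}}} for each service stanza."""
    services, current = {}, None
    for raw in rc_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue                      # blank line or comment
        if tokens[0] == "service" and len(tokens) >= 3:
            current = services.setdefault(tokens[1], {"argv": tokens[2:], "opts": {}})
        elif tokens[0] in ("on", "import"):
            current = None                # a new section ends the service stanza
        elif current is not None:
            current["opts"][tokens[0]] = tokens[1:]
    return services

def lint_seclabel(service):
    """Classify a service's seclabel; the returned codes are this example's own."""
    label = service["opts"].get("seclabel")
    if not label:
        return "no-seclabel"              # domain must come from a policy transition
    fields = label[0].split(":")          # user:role:type:level
    if len(fields) < 4:
        return "malformed"
    if fields[1] != "r":
        return "not-a-process-context"    # e.g. object_r is the role used for files
    if fields[2] == "su":
        return "su-domain"                # debugging domain, not a confined service domain
    return "ok"

if __name__ == "__main__":
    for name, svc in parse_services(SAMPLE_RC).items():
        print(f"{name}: {lint_seclabel(svc)}")
```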
I am trying to log to a file from a custom shell script started as a service using init.project.rc. On using the lines below in the script (ethmon.sh), I am unable to log to the file test.txt. It is not even creating the file. Any hints on this?
ethmon.sh
    mkdir /data/local/tmp/test 2>/dev/null
    echo "Issue Observed with IP at `date`" >> /data/local/tmp/test/test.txt
    dmesg >> /data/local/tmp/test/test.txt
    timeout -t 10 logcat -v time -f /data/local/tmp/test/logcat.txt
init.project.rc
    service ethmon /system/xbin/ethmon
        class main
        user root
        group root
        oneshot
    on property:dev.bootcomplete=1
        start ethmon
preload_script.sh
    cp -f $SOURCE_FOLDER/ethmon.sh $OUT/system/xbin/ethmon
I am new to AOSP; am I missing some permissions that need to be added for this?
NOTE: Other lines of code (ifconfig eth0 down/up, netcfg) are working fine in the same script.
Finally I added SELinux permissions and created a .te file for my service to get the logging working. Thanks https://stackoverflow.com/users/12098405/dash-o for the help. People with the same issue can comment for any further information.
I have a rooted Android phone and I get the # prompt when I use "su". I wish to write a script that would keep running in the background like a service at the application end and do the needful task for me. Where should I keep the .sh file so that it will run on system boot and nobody will be able to kill it? I mean it should work like system services/apps.
You have to write a script and save it in data/local/tmp/example.sh, and it should look like this:
example.sh
    #!/system/bin/sh
    cd /data/local/tmp
    while true; do
        for i in *.apk ; do
            if ls $i 2> /dev/null >/dev/null ; then
                echo "`date` : Found new $i " >> /data/local/tmp/update_log
            fi
        done
        sleep 120
        reboot
        sleep 180
    done
and add it to any .sh file which is run on boot of the device. It will check for any APK in the data/local/tmp folder and create a list of them as update_log. I put it in /data/local/tmp
and bind it with init.wlan.sh on the last line with &. Hope it works for you.