運行時調試開關 Selinux
Cmd | Description | Other |
---|---|---|
adb shell getenforce | 查看當前 Selinux 模式是 Permissive(關閉)還是 Enforcing(打開) | |
adb shell setenforce 0 | 關 Selinux:設置成 permissive 模式 | |
adb shell setenforce 1 | 開 Selinux:設置成 enforcing 模式 | |
說明:setenforce 修改的狀態在設備重啓後會失效,需要重新執行命令設置。執行 setenforce 需要 root 權限;permissive 模式下違規訪問不會被攔截,但仍會以 avc: denied 記錄在日誌中,可作為之後補充 sepolicy 的依據。
修改源碼永久開關 Selinux
Android 默認是打開 Selinux 功能的。為了方便功能層面的代碼調試,可以按如下方法修改源碼,讓判斷函數始終返回 false,從而強制關閉 Selinux(permissive)。記得功能調試 OK 後先還原這處修改、恢復 Selinux 功能,再補充 selinux sepolicy 方面的修改。
關鍵字:`return false; //add to close selinux`(下列各版本代碼中以 + 標記的行為新增行)
Android 10
bool IsEnforcing() {
{
int fd(open("/mboot/selinux", O_RDONLY | O_CLOEXEC | O_BINARY));
if (fd != -1) {
char v = 0xff;
if (read(fd, &v, 1) < 0)
PLOG(ERROR) << "Failed to read /mboot/selinux";
close(fd);
LOG(WARNING) << "/mboot/selinux is " << v;
return v == '1';
}
}
+ return false; //add to close selinux
if (ALLOW_PERMISSIVE_SELINUX) {
return StatusFromCmdline() == SELINUX_ENFORCING;
}
return true;
}
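Review bot: The added `return false;` sits below the `/mboot/selinux` block, so where that file opens the function has already returned `v == '1'` and the override never runs; where the file is absent, the line makes the `ALLOW_PERMISSIVE_SELINUX` check and the final `return true;` unreachable in every build variant. The same unconditional early return appears in the Android 9.0, 8.1 and 4.4 snippets below. Where the macro is available, writing it as `if (ALLOW_PERMISSIVE_SELINUX) return false;  // debug builds only: force permissive` lets a build without that flag still reach `return true;`, assuming the macro is set only for debuggable builds (confirm in the build files). The context block also fails open: a failed or empty read leaves `v` at `0xff`, so `v == '1'` is false and the device comes up permissive. Checking `read(fd, &v, 1) != 1` and treating that case as enforcing would fail closed.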
Android 9.0
/system/core/init/selinux.cpp
bool IsEnforcing() {
+ return false; //add to close selinux
if (ALLOW_PERMISSIVE_SELINUX) {
return StatusFromCmdline() == SELINUX_ENFORCING;
}
return true;
}
Android 8.1
/system/core/init/init.cpp
static bool selinux_is_enforcing(void)
{
+ return false; //add to close selinux
if (ALLOW_PERMISSIVE_SELINUX) {
return selinux_status_from_cmdline() == SELINUX_ENFORCING;
}
Android 4.4
/system/core/init/init.c
static bool selinux_is_enforcing(void)
{
char tmp[PROP_VALUE_MAX];
+ return false;//add to close selinux
if (property_get("ro.boot.selinux", tmp) == 0) {
/* Property is not set. Assume enforcing */
return true;
}
if (strcmp(tmp, "permissive") == 0) {
/* SELinux is in the kernel, but we've been told to go into permissive mode */
return false;
}
if (strcmp(tmp, "enforcing") != 0) {
ERROR("SELinux: Unknown value of ro.boot.selinux. Got: \"%s\". Assuming enforcing.\n", tmp);
}
return true;
}
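Review bot: The early `return false;` placed after the `tmp` declaration turns the whole `ro.boot.selinux` lookup into dead code, although that lookup already returns `false` when the property reads `permissive`. Supplying that property value for the debug boot (it is presumably populated from the boot arguments; confirm for this platform) gives the same result without a source change that could be carried into a release image. If the source override is kept, mark it with a comment such as `/* DEBUG ONLY: forces permissive, remove before release */` and wrap it in a build-type guard so that the enforcing paths stay reachable in production builds.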