I am using the iMX 8 Mini EVK for my project. I built Android 9.0 from AOSP for this board. Now I want to run a script at boot. I made the following changes to these files, but I am still facing an issue.

File: Android_AOSP_build/device/fsl/imx8m/evk_8mm/init.rc

service gea3appservice /vendor/bin/sh /vendor/bin/run.sh
  class late_start
  user root system
  group root system
  oneshot

File: Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/gea3appservice.te

type gea3appservice, domain;
type gea3appservice_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(gea3appservice)

domain_auto_trans(init, vendor_shell_exec, gea3appservice)

File: Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/file_contexts

/vendor/bin/run.sh   u:object_r:gea3appservice_exec:s0

When I manually run the service I get the following error:

[ 134.010656] type=1400 audit(1564667688.236:3740): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1

Does anyone know about this issue?

I tried the approach suggested by the Android developer site:

https://source.android.com/security/selinux/device-policy

But I get the following error:

libsepol.report_failure: neverallow on line 1002 of system/sepolicy/public/domain.te (or line 11242 of policy.conf) violated by allow gea3appservice gea3appservice_exec:file { execute entrypoint };

Simpl
Abhijit

2 Answers

This works for me.

In init.mydevice.rc I have:

on property:sys.boot_completed=1
    start init-myservice-sh

service init-myservice-sh /vendor/bin/init.myscript.sh
    class main
    user root
    group root system
    disabled
    oneshot

And this is init.myscript.sh:

#!/system/bin/sh

echo '#################  It works  ##################'
cd /system/app
ls -hal

In the device/myvendor/mydevice/sepolicy folder I have file_contexts with:

/vendor/bin/init\.myscript\.sh      u:object_r:init-myservice_exec:s0

and init-myservice.te:

type init-myservice, domain;
type init-myservice_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(init-myservice)

allow init-myservice vendor_shell_exec:file rx_file_perms;
allow init-myservice vendor_toolbox_exec:file rx_file_perms;

Of course you have to copy your script to the bin dir:

PRODUCT_COPY_FILES += \
 $(LOCAL_PATH)/init.myscript.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.myscript.sh

and in BoardConfig.mk:

BOARD_SEPOLICY_DIRS := device/myvendor/mydevice/sepolicy

In my console I can see this:

console:/ $ dmesg | grep myservice
[   21.098013] init: starting service 'init-myservice-sh'...
[   21.148562] init: Command 'start init-myservice-sh' action=sys.boot_completed=1 (/vendor/etc/init/hw/init.mydevice.rc:66) took 51ms and succeeded

and try this:

console:/ $ init.myscript.sh
#################  It works  ##################

For more details see this article: https://source.android.com/security/selinux/device-policy#label_new_services_and_address_denials

  • Doesn't work for Android 10: avc: denied { map } for comm="init.myservice" path="/system/bin/sh" dev="dm-6" ino=872 scontext=u:r:init_myservice:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0 – Yuriy Chernyshov Aug 18 '20 at 17:06
  • I can get it to work on Android 10 by using /vendor/bin/sh instead of /system/bin/sh. That will execute a basic script. Unfortunately, my script needs to execute other commands found in /system/bin (like am, to start an activity); I still get denials on those and neverallow build errors if I try to allow access. – Dennis Oct 02 '20 at 18:10
  • I am also facing the same problem with an Android 12 device. Have you got any solution? – GNK Sep 16 '22 at 09:05

The failed neverallow rule could indicate that your script tried to run a binary in /system, which is not allowed for a script located in /vendor according to the rule in system/sepolicy/public/domain.te:

Do not allow vendor components to execute files from system except for the ones whitelist here.

Simpl
  • I checked by moving my script (`run.sh`) into the `/system` directory, but I am still facing the same issue. – Abhijit Nov 13 '19 at 05:52
  • You mentioned two error messages in your question. One error before you tried something from source.android.com and a second error after that. About which error are we talking? – Simpl Nov 13 '19 at 07:00
  • [ 134.010656] type=1400 audit(1564667688.236:3740): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1 – Abhijit Nov 14 '19 at 07:16
  • I cannot reproduce your problem. Is `init` the proper user or is it part of the proper group to access `/vendor/bin/sh`? – Simpl Nov 14 '19 at 10:20
  • I am also facing the same problem with an Android 12 device. Have you got any solution? – GNK Sep 16 '22 at 09:04
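Added example, not code from either answer: a small Python parser for the avc denial lines quoted in this thread. It pulls out the acting domain, target type, class, permissions and the permissive flag (a denial with permissive=1 was logged but not enforced), and flags denials whose naive allow rule would run into the vendor-to-system neverallow described in the second answer. The sample lines are constructed copies of the thread's denials; the set of system exec types, the execute permission set and the vendor domain name init_myservice are assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample lines, shaped after the two denials quoted in this thread.
SAMPLE_DENIALS = [
    '[ 134.010656] type=1400 audit(1564667688.236:3740): avc: denied { dac_read_search } for pid=1 '
    'comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1',
    'avc: denied { map } for comm="init.myservice" path="/system/bin/sh" dev="dm-6" ino=872 '
    'scontext=u:r:init_myservice:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed: system-partition exec types and the file permissions that amount to executing them.
SYSTEM_EXEC_TYPES = {"shell_exec", "toolbox_exec"}
EXEC_PERMS = {"execute", "execute_no_trans", "entrypoint", "map"}

@dataclass
class Denial:
    perms: list
    source_type: str   # type field of scontext, i.e. the acting domain
    target_type: str   # type field of tcontext
    tclass: str
    permissive: bool   # True means the denial was only logged, not enforced
    fields: dict       # every key=value pair after "for", quotes stripped

def parse_denial(line):
    """Parse one 'avc: denied' line; return None for unrelated log lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    # A context is user:role:type[:sensitivity]; the third field is the type.
    ctx_type = lambda ctx: (ctx.split(":") + ["", "", ""])[2]
    return Denial(perms=m.group("perms").split(),
                  source_type=ctx_type(kv.get("scontext", "")),
                  target_type=ctx_type(kv.get("tcontext", "")),
                  tclass=kv.get("tclass", ""),
                  permissive=kv.get("permissive") == "1",
                  fields=kv)

def violates_vendor_to_system(d, vendor_domains):
    """True if allowing this denial would let a vendor domain execute a system binary (domain.te neverallow)."""
    return (d.tclass == "file" and d.source_type in vendor_domains
            and d.target_type in SYSTEM_EXEC_TYPES and bool(set(d.perms) & EXEC_PERMS))

if __name__ == "__main__":
    for d in map(parse_denial, SAMPLE_DENIALS):
        print(f"{d.source_type} -> {d.target_type} ({d.tclass}) {d.perms} "
              f"enforced={not d.permissive} neverallow_risk={violates_vendor_to_system(d, {'init_myservice'})}")
```

Feed it `dmesg` output line by line; lines that are not avc denials (such as the init "starting service" messages above) come back as None.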