Not able to run the script from init.rc

Hi,

I have added the lines below to the init.hikey960.rc file, but the script is not getting executed:

    start init_hikey /data/init_hikey.sh
        user root
        oneshot

Even the ifconfig command is not executed: ifconfig eth0 192.168.1.10 up
Can you please suggest?

Thanks


Try service instead of start. Make sure init_hikey.sh is executable. You can see some examples here: init.common.rc - device/linaro/hikey - Git at Google. Also reference Executing a script in Android init system. - Krzysztof Adamski, although it’s old.

Yes, I have added the line “chmod 0777 /data/init_hikey.sh” in init.hikey960.rc, and also manually executed it from the command prompt.
I tried all the methods below; none of them is working:

    service /system/bin/sh /data/init_hikey.sh
        class main
        user root
        oneshot

    service sh /data/init_hikey.sh
        class main
        user root
        oneshot

    service /system/bin/sh /data/init_hikey.sh
        class main
        oneshot

My script contains:

    #!/system/bin/sh

    mkdir /data/tmp

Please suggest.

Thanks

The correct way to declare a service is:

    service <name> <pathname> [ <argument> ]
        <option>
        <option>

Example:

    service yourservicename /system/bin/sh /path/to/myscript.sh
        class main
        user root
        oneshot
        ...

see documentation

We need some logs to help you. Could you please start your service manually with:

    $ su
    $ dmesg -c
    $ start yourservicename
    $ dmesg

And give us the output (init msg, avc msg…)

Thanks for your inputs.
As you suggested, I added the lines below to the init.hikey960.rc file under post-fs-data:

    chmod 0777 /data/init_hikey.sh
    service init_hikey /system/bin/sh /data/init_hikey.sh
        class main
        user root
        oneshot

Getting the error below in dmesg:

    [ 18.378699] init: service init_hikey does not have a SELinux domain defined
    [ 18.389931] read descriptors

My script:

    #!/system/bin/sh

    mkdir /data/anil

Even on running the command “start init_hikey”, the same message is seen:

    [ 355.410989] init: service init_hikey does not have a SELinux domain defined

Please suggest.

Thanks,

Ok, the service declaration looks good.

Problems start here.

SELinux (Security-Enhanced Linux) is now part of the Android security model, which leads to a default-deny behaviour. In a nutshell, anything that is not explicitly allowed is denied (policy).

The mandatory condition here is to assign a domain for your script, please look at the documentation, section “Label new services and address denials”.

Thanks Loic.
It's working after following the steps mentioned in the documentation.

Thanks

Hi Loic,
I added a service in init.qcom.rc as:

    service eth /system/bin/sh /persist/eth0.sh
        class late_start
        user root system
        group root system
        oneshot

Then I created a domain eth as:

    type eth, domain;
    type eth_exec, exec_type, file_type;

    init_daemon_domain(eth)

Now when I'm trying to build the system image I'm getting the build error:
FAILED: out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy
/bin/bash -c “(out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/msm8996/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/msm8996/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp -f /dev/null ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ “userdebug” = “user” -a -s out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo “==========” 1>&2; echo “ERROR: permissive domains not allowed in user builds” 1>&2; echo “List of invalid domains:” 1>&2; cat out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/msm8996/obj/ETC/sepolicy_intermediates/sepolicy )”
neverallow check failed at out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:4140
(neverallow base_typeattr_56_27_0 base_typeattr_57_27_0 (file (execute execute_no_trans entrypoint)))

allow at out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:12386
(allow eth eth_exec (file (read getattr map execute entrypoint open)))

neverallow check failed at out/target/product/msm8996/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4743 from system/sepolicy/public/domain.te:668
(neverallow base_typeattr_56 base_typeattr_57 (file (execute execute_no_trans entrypoint)))

allow at out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:12386
(allow eth eth_exec (file (read getattr map execute entrypoint open)))

Failed to generate binary
Failed to build policydb
[ 0% 132/36601] host Java: guavalib (out/host/common/obj/JAVA_LIBRARIES/guavalib_intermediates/classes)
warning: [options] bootstrap class path not set in conjunction with -source 1.7
1 warning
[ 0% 133/36601] build out/target/product/msm8996/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
FAILED: out/target/product/msm8996/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy
/bin/bash -c “out/host/linux-x86/bin/secilc -M true -G -c 30 out/target/product/msm8996/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil out/target/product/msm8996/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil -o out/target/product/msm8996/obj/ETC/precompiled_sepolicy_intermediates/precompiled_sepolicy -f /dev/null”
neverallow check failed at out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:4140
(neverallow base_typeattr_56_27_0 base_typeattr_57_27_0 (file (execute execute_no_trans entrypoint)))

allow at out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:12386
(allow eth eth_exec (file (read getattr map execute entrypoint open)))

neverallow check failed at out/target/product/msm8996/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4743 from system/sepolicy/public/domain.te:668
(neverallow base_typeattr_56 base_typeattr_57 (file (execute execute_no_trans entrypoint)))

allow at out/target/product/msm8996/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:12386
(allow eth eth_exec (file (read getattr map execute entrypoint open)))

Failed to generate binary
Failed to build policydb

Need your help on this.

Regards,
Laxman

Did you add a file context for your executable?
e.g. /system/bin/mydaemon – u:object_r:mydaemon_exec:s0

Could you try to move your script to system/bin?

Hi Loic,
Now it's working without adding any domain. The only change I made was that instead of executing my script from the system sh, I executed it from the vendor sh.

Thanks,
Laxman

That’s interesting.
We recently had to add a domain for the service and transition shell_exec from the init domain to our service domain.

    type cust_domain, domain;
    type cust_domain_exec, exec_type, file_type;

    init_daemon_domain(cust_domain)
    domain_auto_trans(init, shell_exec, cust_domain)
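
As an added illustration (not code from any poster in this thread or from AOSP): a small Python check of the rule the posts above turn on, namely that without a `seclabel` option init derives a service's domain from the label of the executable named on the `service` line. The sample `.rc`, `file_contexts` and `.te` text is constructed, the function names are hypothetical, and the `file_contexts` matching is simplified (last matching regex wins).

```python
import re

def parse_services(rc_text):
    """Return {name: {"exe": path, "seclabel": context or None}} from init .rc text."""
    services, cur = {}, None
    for raw in rc_text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "service" and len(tok) >= 3:
            cur = services[tok[1]] = {"exe": tok[2], "seclabel": None}
        elif cur and tok[0] == "seclabel" and len(tok) == 2:
            cur["seclabel"] = tok[1]  # explicit context, no transition needed
    return services

def exec_type(path, file_contexts):
    """Type file_contexts gives to path (simplification: last matching regex wins)."""
    found = None
    for line in file_contexts.splitlines():
        tok = line.split()
        if len(tok) >= 2 and not tok[0].startswith("#") and re.fullmatch(tok[0], path):
            found = tok[-1].split(":")[2]
    return found

def init_transitions(te_text):
    """Map exec type -> domain for the transitions out of init declared in .te text."""
    # init_daemon_domain(X) transitions init -> X when it executes a file typed X_exec.
    trans = {d + "_exec": d for d in re.findall(r"init_daemon_domain\(\s*(\w+)\s*\)", te_text)}
    auto = r"domain_auto_trans\(\s*init\s*,\s*(\w+)\s*,\s*(\w+)\s*\)"
    trans.update(re.findall(auto, te_text))
    return trans

def service_domains(rc_text, file_contexts, te_text):
    """Domain each service would run in; None means init finds no domain for it."""
    trans = init_transitions(te_text)
    return {name: (svc["seclabel"].split(":")[2] if svc["seclabel"]
                   else trans.get(exec_type(svc["exe"], file_contexts)))
            for name, svc in parse_services(rc_text).items()}

# Constructed sample input, modelled on the snippets in this thread.
RC = """service eth /system/bin/sh /persist/eth0.sh
    oneshot
service mydaemon /system/bin/mydaemon
"""
FC = "/system/bin/sh u:object_r:shell_exec:s0\n/system/bin/mydaemon -- u:object_r:mydaemon_exec:s0\n"
TE = "init_daemon_domain(eth)\ninit_daemon_domain(mydaemon)\n"

if __name__ == "__main__":
    print(service_domains(RC, FC, TE))
```

With the sample policy, `eth` gets no domain because the file init executes is the shell, labelled `shell_exec`, and nothing carries the `eth_exec` label; adding a `domain_auto_trans(init, shell_exec, ...)` line changes the result for every service launched through that shell.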

Hello,
I have a server that is installed on the Android device; I can launch it with a command line.
In fact, I want to create a service that launches my server automatically at the start-up of the Android device.
The service is created and everything is fine, but when adding the permissions, only this one does not work:

    #============= system_server ==============
    allow system_server default_prop:property_service set;

I got this error when I added the permission:

    (or line 9139 of policy.conf) violated by allow system_server default_prop:property_service { set };
    libsepol.check_assertions: 1 neverallow failures occurred
    Error while expanding policy

Do you have any idea? Is it possible, for example, to modify the domain.te file?
Thank you,
Waiting for your answers

Android specifies a bunch of things that you shouldn’t be allowed to do because it grants too much privilege to… something. The thing that strikes me as odd here is that you are trying to alter default_prop in runtime. That really doesn’t seem to make any sense.

What are you trying to accomplish?

Thanks for your answer.
What I want to accomplish is to make the server that I created on my Android device start automatically with the start-up of my device, because I have other work to do like publishing content …
That's why I'm creating my service.
I'm not trying to alter default_prop, but that’s what I get from the “dmesg” command when I write "start my-service", and by the way it works well in the enforce mode.
Do you think there is another way to do it?

Can you post the AVC DENIAL error that your service causes?

[ 2880.354888] init: sys_prop: permission denied uid:1000 name:ro.hdmi.tvvendorid
[ 2895.404035] init: avc: denied { set } for property=ro.hdmi.tvvendorid pid=638 uid=1000 gid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0

So somewhere in your service, you are attempting to set the property “ro.hdmi.tvvendorid”. Correct? In other words, you ARE trying to alter default_prop.

See the “ro.” prefix at the beginning of that property name? That means “Read Only”. Simply put, unless you are INIT, you cannot WRITE a READ-ONLY property, and even if you ARE init, you can only write it ONCE.
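
An added example (not from any poster in this thread): a short Python parser for the denial quoted above, showing how the `allow` rule from the earlier post falls out of the `scontext`, `tcontext` and `tclass` fields, plus two things worth checking before adding such a rule. The function names are hypothetical, and the notes encode only two checks: the `ro.` prefix and the catch-all `default_prop` label.

```python
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Split one 'avc: denied' line into a dict of its fields; None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    if not all(k in d for k in ("scontext", "tcontext", "tclass")):
        return None
    d["perms"] = m.group("perms").split()
    # Contexts are user:role:type:level; policy rules are written against the type.
    d["source"] = d["scontext"].split(":")[2]
    d["target"] = d["tcontext"].split(":")[2]
    return d

def candidate_rule(d):
    """The allow rule that mechanically follows from the denial's fields."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"

def triage(line):
    """Return (candidate rule, notes to read before adding it), or None."""
    d = parse_avc(line)
    if d is None:
        return None
    notes = []
    if d["tclass"] == "property_service":
        if d.get("property", "").startswith("ro."):
            notes.append("ro.* property is write-once: find the code that sets it")
        if d["target"] == "default_prop":
            notes.append("default_prop is the catch-all label: the rule would "
                         "cover every property without its own label")
    return candidate_rule(d), notes

# The denial quoted in the thread above.
DENIAL = ("[ 2895.404035] init: avc: denied { set } for property=ro.hdmi.tvvendorid "
          "pid=638 uid=1000 gid=1000 scontext=u:r:system_server:s0 "
          "tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0")

if __name__ == "__main__":
    rule, notes = triage(DENIAL)
    print(rule)
    for n in notes:
        print(" -", n)
```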

Is it possible to start a service from a script of another service?
For example, I have two services, service1 and service2, that are created in init.project.rc. I just start service1 and I want my second service to be started at a specific time. For example, the script of my service one is like this:

    #!/system/bin/sh

    start service2
    #…

Is it possible to do it this way?
Or is it possible to create an .apk that can start the “service2” that I created in init.project.rc?
Thanks in advance.

It's possible, but that is a really hackish way to approach it. Please read the documentation for Android’s init;

https://android.googlesource.com/platform/system/core/+/master/init/README.md

For example;

Turns a disabled service into an enabled one as if the service did not specify disabled. If the service is supposed to be running, it will be started now. Typically used when the bootloader sets a variable that indicates a specific service should be started when needed. E.g.

    on property:ro.boot.myfancyhardware=1
        enable my_fancy_service_for_my_fancy_hardware

Basically, init has the capability of coordinating services.

Hi,
I did a user build for AOSP 9, so it will not have su binaries. I want to run this shell file:

#!/usr/bin/env bash
# Add the IP address to the eth0 interface
ip addr add 192.168.43.0/24 dev eth0

# Check if the command was successful
if [ $? -eq 0 ]; then
  echo "IP address added successfully."
else
  echo "Failed to add IP address."
fi

I want to run this shell file with help of a service wtih root permissions to make that command work so here is my init.staticaddr.rc:

    # Set up the ethernet ipv4 addr

    service staticaddr /vendor/bin/sh /vendor/etc/staticcommand.sh
        class core
        user root 
        group root 
        oneshot

I wrote a .te file for this service like this and added it in the sepolicy folder:

    type staticaddr, domain;
    type staticaddr_exec, exec_type, vendor_file_type, file_type;

    init_daemon_domain(staticaddr)

In the file context I added this line:

# static ip
/vendor/bin/staticaddr          u:object_r:staticaddr_exec:s0

In the device.mk files I have added product copy files to copy the init.staticaddr.rc file to the root/ folder and the staticaddr.sh file to the system/etc/ folder.

The build is successful, but there are no output traces of that shell file running, i.e., the static IP is not getting assigned to ethernet. The same procedure is working fine for a userdebug build, which will have root access. When I ran adb shell service list, I could not see the service name, and the ethernet IP is not getting updated.

Can anyone please guide me on where I am going wrong?