
I'm trying to run a script that executes when the device has finished booting. This particular device does not support running scripts from an init.d directory, which is why I am using init.rc.

The init.rc file has been modified to include the following code:

    on property:sys.boot_completed=1
        start initAsic

    service initAsic /data/local/tmp/runn.sh
        user root
        group root
        oneshot

The boot image has then been rebuilt and flashed to the device. The changes can be confirmed by viewing the init.rc file located at /.

Currently I am only using a simple test script (testScript.sh) which issues the following command:

    echo hi >> /data/local/tmp/test.txt

The testScript.sh and text.txt files have 777 permissions set and both have been pushed to the device using adb push. Their current location is /data/local/tmp/.

For some reason it seems that my script is not running, as I can't see any text being written to test.txt.

Am I missing something? Could it be an issue with SELinux?

My device currently has SELinux set to permissive. This was done via altering the BoardConfig.mk file and doing a rebuild of the boot.img.

Ringo001
  • Add disabled keyword to service. After reboot check log: dmesg | grep -C5 initAsic. – Irfan Latif May 15 '20 at 08:21
  • Apologies for the late response and thanks for your suggestions.

    @alecxs I have seen that post and replicated most of the steps in one of the outlined processes but not step for step - the only difference being the locations of the files that are being run. Didn't have any success.

    @IrfanLatif I've added the disabled keyword to the service and ran the dmesg command. It seems that my suspicion was correct, as it's returning service initAsic does not have a SELinux domain defined. I should be able to sort out the issue now - will let you know how I go and post an answer. Thanks.

    – Ringo001 May 21 '20 at 06:08

1 Answer

By running the command dmesg | grep -C5 initAsic I saw that I was getting this error code returned:

    service initAsic does not have a SELinux domain defined

The issue was that I needed to add the line seclabel u:r:init:s0 to my init service as this is a requirement of init. The complete service now looks like this. The disabled keyword has also been added as suggested by Irfan.

    service initAsic2 /data/local/tmp/runn.sh
        seclabel u:r:init:s0
        user root
        group root
        oneshot
        disabled

Also note that SELinux must be set to permissive to allow this service to run or preferably - as setting SELinux to permissive is a security risk - defining the appropriate rules for SELinux and using the modified policy.

More information on the topic here: https://android.stackexchange.com/a/207647/218526

This post was where I found the suggestion to add seclabel property. It also has more useful information regarding the SELinux issue I was encountering: https://stackoverflow.com/questions/43600261/init-warning-service-myservice-needs-a-selinux-domain-defined-please-fix

Ringo001
  • What's the purpose of adding seclabel when you are making SELinux ineffective by setting it permissive? Disabling SELinux is a security risk. Instead define context and/or inject proper SELinux rules. See details here. Or at least use some permissive context like Magisk's for your service only. See my answer to the question marked duplicate by @alecxs. – Irfan Latif May 21 '20 at 14:41
  • tbh @IrfanLatif I'm not sure why it worked. Setting SELinux to permissive should have made it ineffective but for me it seems it did not - I will look into it a bit more to confirm that it wasn't another factor that contributed to it working. I do understand it's a security risk but for my purposes (rapid prototyping) it is ok. In the future I plan to properly define SELinux rules. – Ringo001 May 22 '20 at 05:44
  • It worked because seclabel field is a requirement of init that you fulfilled. The point is, seclabel is of no use when SELinux is set to permissive. It's no more protecting the service or any other file/process. – Irfan Latif May 22 '20 at 05:47
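
An added example, not part of the original posts: a small Python lint for init.rc service blocks that flags the condition behind the error in this thread (no seclabel option) and the workaround of running the service in init's own domain instead of a dedicated one. The sample file is constructed from the two service blocks quoted above; the function names, the finding names and the extra check for root services executing from /data are assumptions of this example.

```python
# Constructed sample: the two service blocks quoted in this thread.
SAMPLE_INIT_RC = """\
on property:sys.boot_completed=1
    start initAsic

service initAsic /data/local/tmp/runn.sh
    user root
    group root
    oneshot

service initAsic2 /data/local/tmp/runn.sh
    seclabel u:r:init:s0
    user root
    group root
    oneshot
    disabled
"""

def parse_services(text):
    """Return {name: {"exec": path, "options": {keyword: [args]}}}."""
    services, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                      # blank line or comment
        if words[0] == "service" and len(words) >= 3:
            current = services[words[1]] = {"exec": words[2], "options": {}}
        elif words[0] in ("on", "import"):
            current = None                # a new section ends the service block
        elif current is not None:
            current["options"][words[0]] = words[1:]
    return services

def lint_services(text):
    """Return (service, finding) pairs; finding names are this example's own."""
    findings = []
    for name, svc in parse_services(text).items():
        opts = svc["options"]
        label = (opts.get("seclabel") or [""])[0].split(":")
        if len(label) < 4:
            # Without seclabel, init derives the domain from the executable's
            # file label; with no transition in policy it logs the error above.
            findings.append((name, "no-seclabel"))
        elif label[2] == "init":
            findings.append((name, "runs-in-init-domain"))
        # Assumed extra check: init services default to root when no user is set.
        user = (opts.get("user") or ["root"])[0]
        if user == "root" and svc["exec"].startswith("/data/"):
            findings.append((name, "root-exec-from-data"))
    return findings
```

A "no-seclabel" finding is only a prompt to check the policy, since the lint cannot see file labels or transition rules. "root-exec-from-data" marks a root service whose executable sits on the writable /data partition, where anything able to modify that file controls what runs as root at boot.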