I'm porting AOSP to a custom board, and I need /dev/ttymxc4 to be owned by u-blox so that the GPS driver can use it. (Nothing else needs to use it.)
Ideally, I would like this to be specified in the build process, rather than as I run-time hack.
Where is the best place to manage the ownership of device nodes in /dev?
I assume when you say GPS driver you are actually perhaps referring to a user space daemon which needs to communicate with a Linux kernel driver?
Traditional Linux DAC permissions are normally established in Android at boot by the init process, usually in a file such as init.common.rc in the appropriate device directory of AOSP. This is also where the daemon (aka init service) is defined. Typically you would reuse the system group for your daemon and then chown the device files to system with standard perms such as 0660 or 0440.
Remember that SELinux MAC permissions must be established as well in all recent versions of Android. Establishing SELinux permissions is fairly complex but generally when you must do the following when setting up a new daemon that needs to communicate with a kernel driver:
file_contexts to assign a label to the file created by the kernel driverSee:
https://source.android.com/security/selinux/customize https://source.android.com/security/selinux/implement https://source.android.com/security/selinux/images/SELinux_Treble.pdf
Examples:
https://android.googlesource.com/device/google/marlin/+/oreo-mr1-release/init.common.rc https://android.googlesource.com/device/google/marlin/+/oreo-mr1-release/sepolicy/init_radio.te