How to use SELinux in Android

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article covers the basic concepts of SELinux resource access and how the corresponding policy is written in Android: types and attributes, access vector rules, the policy source files, the two working modes, and the macros that appear in .te files.

1. Basic concepts of SELinux resource access

SELinux implements mandatory access control (MAC) through type enforcement (TE). Every subject (a process) and every object (a file, directory, socket, and so on) carries a type, and a TE rule states what a subject type may do to an object type. When a process tries to access a resource, the kernel looks up the rules that apply to that subject type, object type and object class and decides on that basis. The rule set is expressed as access vector (AV) rules.

For each object class the kernel defines the set of permissions that can be granted, and the TE rules state which of them a given subject actually gets. SELinux defines dozens of object classes (listed in the policy's security_classes file), for example:

security, process, system, capability, filesystem, file, dir, fd, lnk_file, chr_file, blk_file, sock_file, ...

Each class has its own permission set (listed in access_vectors). The file class, for example, has 19 permissions:

ioctl, read, write, create, getattr, setattr, lock, relabelfrom, relabelto, append, unlink, link, rename, execute, swapon, quotaon, mounton, execute_no_trans, entrypoint

Classes and permissions reappear in the rule syntax introduced below. The file permissions map closely onto file system calls: when a process calls read(), write(), ioctl() and so on, the kernel's SELinux hook checks whether some allow rule grants the process's type that permission on the file's type, and in enforcing mode denies the call if none does.

2. SELinux in Android

2.1 Enable SELinux

SELinux must first be enabled in the build: the kernel is built with SELinux support and the platform policy is compiled in. The base policy lives in external/sepolicy (system/sepolicy in newer trees); device-specific policy directories are appended through the following variable in BoardConfig.mk:

BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy

Each listed directory holds .te files that describe which resources each process domain may access.

2.2 Declare a type

A type is declared with the type keyword followed by the type name and a semicolon, for example:

type system_app;

2.3 Associate types with attributes

There are two ways to associate a type with an attribute. In both cases the attribute must already have been declared (for example with attribute domain;).

First, list the attributes when the type is declared:

type system_app, domain;

This attaches the existing domain attribute to system_app at the point where the type is defined.

Second, attach the attribute afterwards with typeattribute:

typeattribute platform_app mlstrustedsubject;

If platform_app has already been declared, this associates it with the existing mlstrustedsubject attribute.

Note: attributes and types share one namespace, so an attribute and a type must never have the same name.

3. Access Vector (AV) rules

An AV rule describes what a subject type may do to an object type. There are four kinds:

allow: the subject may perform the listed operations on the object.

neverallow: the listed operations must never be granted to the subject. This is a build-time assertion: checkpolicy rejects the policy if any allow rule (after attribute expansion) grants one of them. It is not a runtime deny.

auditallow: if an operation is permitted by some allow rule, also write an audit record for it. auditallow grants nothing by itself.

dontaudit: do not write an audit record when the listed operations are denied. The access is still denied in enforcing mode; dontaudit only suppresses the log entry.

All four share the same form: the rule keyword, the source (subject) type, the target (object) type, a colon, the object class, and the permission set in braces. For example:

allow platform_app debugfs:file { read ioctl };

This lets a process running in the platform_app domain perform read and ioctl on files labeled debugfs.
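As an added example (mine, not from the article and not Android's policy tooling), the following Python models how the four AV rule kinds, attribute expansion and the enforcing/permissive distinction combine into an access decision. The sample policy is constructed in the .te syntax shown above; the Policy class and its methods are hypothetical, a toy model rather than libsepol or checkpolicy, and it understands only the statement kinds used here.

```python
import re

# Constructed sample policy in the .te syntax used above (not Android's real policy).
SAMPLE_TE = """
attribute domain;
attribute mlstrustedsubject;
type system_app, domain;
type platform_app, domain;
typeattribute platform_app mlstrustedsubject;
type debugfs;
type sysfs;
allow platform_app debugfs:file { read ioctl };
auditallow platform_app debugfs:file ioctl;
dontaudit domain sysfs:file read;
neverallow domain debugfs:file write;
"""

ATTR_RE = re.compile(r"^attribute\s+(\w+)$")
TYPE_RE = re.compile(r"^type\s+(\w+)(?:\s*,\s*(.+))?$")
TYPEATTR_RE = re.compile(r"^typeattribute\s+(\w+)\s+(.+)$")
RULE_RE = re.compile(r"^(allow|auditallow|dontaudit|neverallow)\s+(\w+)\s+(\w+):(\w+)\s+(.+)$")


class Policy:
    """Toy type-enforcement model: types, attributes and the four AV rule kinds."""

    def __init__(self):
        self.attrs = {}   # attribute name -> set of type names carrying it
        self.types = set()
        self.rules = []   # (kind, source, target, class, permission set)

    def _attr(self, name):
        if name not in self.attrs:
            raise ValueError(f"undeclared attribute {name!r}")
        return self.attrs[name]

    def load(self, text):
        for raw in text.splitlines():
            line = raw.strip().rstrip(";").strip()
            if not line or line.startswith("#"):
                continue
            if m := ATTR_RE.match(line):
                self.attrs.setdefault(m.group(1), set())
            elif m := TYPE_RE.match(line):
                name, attrs = m.group(1), m.group(2) or ""
                self.types.add(name)
                for a in attrs.replace(",", " ").split():
                    self._attr(a).add(name)
            elif m := TYPEATTR_RE.match(line):
                for a in m.group(2).split():
                    self._attr(a).add(m.group(1))
            elif m := RULE_RE.match(line):
                kind, src, tgt, cls, perms = m.groups()
                self.rules.append((kind, src, tgt, cls, set(perms.strip("{} ").split())))
            else:
                raise ValueError(f"unsupported statement: {line!r}")
        return self

    def expand(self, name):
        """A type names itself; an attribute stands for every type that carries it."""
        return set(self.attrs[name]) if name in self.attrs else {name}

    def _matching(self, kind, s, t, cls):
        """Union of the permissions of all rules of the given kind that cover (s, t, cls)."""
        perms = set()
        for k, src, tgt, c, p in self.rules:
            if k == kind and c == cls and s in self.expand(src) and t in self.expand(tgt):
                perms |= p
        return perms

    def neverallow_violations(self):
        """What checkpolicy reports at build time: allow rules that collide with a neverallow."""
        found = []
        for k, src, tgt, cls, perms in self.rules:
            if k != "neverallow":
                continue
            for s in sorted(self.expand(src)):
                for t in sorted(self.expand(tgt)):
                    hit = self._matching("allow", s, t, cls) & perms
                    if hit:
                        found.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(hit))} }} violates neverallow")
        return found

    def check(self, s, t, cls, perm, enforcing=True):
        """Return (access proceeds?, audit record written?) for a single access request."""
        granted = perm in self._matching("allow", s, t, cls)
        if granted:
            audited = perm in self._matching("auditallow", s, t, cls)   # auditallow only logs
        else:
            audited = perm not in self._matching("dontaudit", s, t, cls)  # dontaudit only silences
        return (granted or not enforcing), audited


if __name__ == "__main__":
    p = Policy().load(SAMPLE_TE)
    for req in [("platform_app", "debugfs", "file", "read"),
                ("platform_app", "debugfs", "file", "ioctl"),
                ("platform_app", "debugfs", "file", "write"),
                ("system_app", "sysfs", "file", "read")]:
        print(req, "enforcing:", p.check(*req), "permissive:", p.check(*req, enforcing=False))
    bad = Policy().load(SAMPLE_TE + "allow system_app debugfs:file write;\n")
    print(bad.neverallow_violations())
```

The two things worth noticing are that dontaudit changes only the second element of the result (the access is still refused in enforcing mode) and that the neverallow is never consulted by check() at all: it only shows up as a build failure when a conflicting allow rule is added, which is exactly how checkpolicy treats it.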

4. Some special configuration files

external/sepolicy/attributes: all attribute declarations.

external/sepolicy/access_vectors: for each object class, the permissions that can be granted on it.

external/sepolicy/roles: Android defines a single role, named r, and associates it with the domain attribute.

external/sepolicy/users: associates the user with its roles and sets the MLS security level; s0 is the lowest level and the default, mls_systemhigh the highest.

external/sepolicy/security_classes: declares the object classes (file, dir, socket and so on) that appear in the class position of the rules above; in practice these are the kinds of kernel object an Android process can operate on.

external/sepolicy/te_macros: the system-defined m4 macros.

external/sepolicy/*.te: the policy rules themselves, grouped by domain or subsystem.

5. SELinux working modes

SELinux has two working modes:

"permissive": every access is allowed, as if there were no MAC at all, but each access the policy would have denied is logged as an avc: denied record (marked permissive=1).

"enforcing": every access is checked against the policy; denied accesses are blocked and logged, unless a dontaudit rule silences them.

6. Other

Statements of the following form often appear in .te files:

unix_socket_connect(platform_app, agpsd, mtk_agpsd)

This is not a rule keyword but an m4 macro defined in te_macros. Its arguments are the client domain, the socket name and the server domain, and it expands to allow rules that give the client write access to the server's sock_file and the connectto permission on the server's unix_stream_socket. A global search for the macro name also turns up vendor macros that call it; the fragment found by the original search is the tail of one such macro (the closing ') ends the m4 define):

unix_socket_connect($1, qmuxd, qmux) allow qmux $1_qmuxd_socket:sock_file {getattr unlink};')

So after macro expansion this too is nothing more than a set of allow access vectors.
