SElinux-2
Source: Internet  Editor: 程序博客网  Date: 2024/05/21 02:20
chcon: Change the security context of a file:
    chcon context path
getenforce: Returns the current enforcing mode.
    getenforce
getsebool: Returns SELinux boolean value(s):
    getsebool [-a | boolean_name]
id: If SELinux is enabled then the security context is automatically displayed.
load_policy: Load new policy into kernel:
    load_policy policy-file
ls: Supports -Z option to display security context.
ps: Supports -Z option to display security context.
restorecon: Restore file default security context as defined in the file_contexts or seapp_contexts files. The options are: D - data files, F - Force reset, n - do not change, R/r - Recursive change, v - Show changes.
    restorecon [-DFnrRv] pathname
runcon: Run command in specified security context:
    runcon context program args...
setenforce: Modify the SELinux enforcing mode:
    setenforce [enforcing|permissive|1|0]
setsebool: Set SELinux boolean to a value (note that the command does not persist the boolean across reboots):
    setsebool boolean_name [1|true|on|0|false|off]
2. Init.rc Commands.
seclabel <securitycontext> (service option): Change to this security context before exec'ing the service. Primarily for use by services run from the rootfs, e.g. ueventd, adbd. Services on the system partition can instead use policy-defined transitions based on their file security context. If not specified and no transition is defined in policy, the service defaults to the init context.
restorecon <path> (action command): Restore the file named by <path> to the security context specified in the file_contexts configuration. Not required for directories created by init.rc, as these are automatically labeled correctly by init.
restorecon_recursive <path> [ <path> ]* (action command): Recursively restore the directory tree named by <path> to the security context specified in the file_contexts configuration. Do NOT use this with paths leading to shell-writable or app-writable directories, e.g. /data/local/tmp, /data/data or any prefix thereof, since the recursion would walk into attacker-controlled names.
See the Checking File Labels section for further details.
setcon <securitycontext> (action command): Set the current process security context to the specified string. This is typically only used from early-init to set the init context before any other process is started (see init.rc example above).
setenforce 0|1 (action command): Set the SELinux system-wide enforcing status. 0 is permissive (i.e. log but do not deny), 1 is enforcing.
setsebool <name> <value> (action command): Set SELinux boolean <name> to <value>.
<value> may be 1|true|on or 0|false|off
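The restorecon_recursive rule above is easy to get wrong in a vendor init.rc, so here is an added example (not code from the original page or from Android) of a pre-flight check that rejects targets which are a writable directory, live inside one, or are an ancestor of one. The list of writable directories is constructed from the two paths the note names; the sample init.rc lines are constructed as well.

```python
import posixpath

# Directories the init.rc note above names as shell- or app-writable.
# Constructed list for the example; a real check would take it from the device policy.
WRITABLE_DIRS = ("/data/local/tmp", "/data/data")


def _norm(path):
    """Collapse '//', '.', '..' and trailing slashes so that
    '/data/data/' and '/data//local/../data' both become '/data/data'."""
    p = posixpath.normpath(path)
    return p if p == "/" else p.rstrip("/")


def _contains(parent, child):
    """True if child is parent itself or lies somewhere below it."""
    if parent == "/":
        return True
    return child == parent or child.startswith(parent + "/")


def restorecon_recursive_is_safe(path, writable_dirs=WRITABLE_DIRS):
    """Return True only if a recursive relabel rooted at `path` can never
    descend into a writable directory.

    Unsafe cases, per the init.rc rule: `path` is a writable directory, is
    inside one, or is any ancestor of one (e.g. /data or /), because the
    recursion would walk into names an app or the shell user controls."""
    p = _norm(path)
    for w in writable_dirs:
        w = _norm(w)
        if _contains(w, p) or _contains(p, w):
            return False
    return True


def audit_init_rc(lines):
    """Scan init.rc-style lines and return the restorecon_recursive targets
    that violate the rule. Input is constructed text, not a device file."""
    bad = []
    for line in lines:
        parts = line.split()
        if parts and parts[0] == "restorecon_recursive":
            bad.extend(t for t in parts[1:] if not restorecon_recursive_is_safe(t))
    return bad


if __name__ == "__main__":
    sample = [
        "on post-fs-data",
        "    restorecon_recursive /data/misc/wifi",
        "    restorecon_recursive /data/local/tmp",   # shell-writable: wrong
        "    restorecon_recursive /data",             # ancestor of /data/data: wrong
        "    restorecon /data/system/packages.xml",   # non-recursive: not checked here
    ]
    print(audit_init_rc(sample))  # ['/data/local/tmp', '/data']
```

The ancestor case is the one people miss: `restorecon_recursive /data` looks like a system-owned target, but the walk passes through /data/data, where an app can plant symlinks and hardlinks to get arbitrary files relabelled.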
SELinux Policy
SEAndroid Policy Files
There are two source locations:
Google original: alps/external/sepolicy/XXX.te (normally should not be modified)
MTK: alps/device/mediatek/common/sepolicy/XXX.te
All policy sources are ultimately compiled together as a union (merged).
access_vectors, security_classes: SE for Android classes and permissions.
initial_sids, initial_sid_contexts: initial SIDs and their contexts.
fs_use, genfs_contexts, port_contexts: file system (and network port) labelling.
users, roles: only one user (u) and one role (r) are used by the policy.
mls: Contains the MLS constraints applied to the defined classes and permissions.
global_macros, mls_macros, te_macros: macros used by the policy definitions.
attributes: Contains the attribute names that will be used to group type identifiers defined by the policy.
policy_capabilities: Contains the policy capabilities enabled for the kernel policy.
*.te: Contains all type enforcement policy for processes and resources.
file_contexts: contains default file contexts for labelling the filesystem, as in standard SELinux.
property_contexts: contains default contexts to be applied to Android property services.
service_contexts: Contains default contexts for Android services.
seapp_contexts: contains information that allows app domains or file contexts to be computed from parameters.
mac_permissions.xml: contains the certificate-to-seinfo mappings used at apk install time to map apps to SELinux domains.
selinux-network.sh: If using iptables, then the information may be configured in this file as part of the build.
3. SELinux Files in Phone
The key SELinux policy configuration files on the phone are:
/sepolicy: the compiled binary policy built from all the SELinux policy sources
/file_contexts: the security contexts of system files and device nodes
/seapp_contexts: the configuration zygote uses to assign security contexts to apps
/service_contexts: the security contexts bound to services
/property_contexts: the security contexts bound to properties
/system/etc/security/mac_permissions.xml: determines the security context type assigned to apps
/selinux_version: corresponds to the system property ro.build.fingerprint
/selinux_network.sh: configures SELinux-related network access rules
On the L release, android.c uses a dedicated function, set_policy_index, to compare
/selinux_version
/data/security/current/selinux_version
Only when both files exist and are exactly identical are the files under /data/security/current used; in every other case the configuration files in the root directory are used.
selinux_version stores the build's BUILD_FINGERPRINT, i.e. the system property ro.build.fingerprint.
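To make the selection rule concrete, here is an added example (modelled on the description above, not a port of the real android.c code) that returns the policy directory to use and exercises the three interesting cases on constructed files in a temporary directory. The fingerprint string is constructed and stands in for ro.build.fingerprint.

```python
import os
import tempfile


def select_policy_root(root_version="/selinux_version",
                       override_version="/data/security/current/selinux_version"):
    """Return the directory whose policy files should be loaded, following
    the rule described above: the /data/security/current copy wins only if
    both version files exist and are byte-for-byte identical. A missing or
    unreadable file, or any difference (even trailing whitespace), falls
    back to the root directory.

    Example logic written for this page, not the real set_policy_index."""
    try:
        with open(root_version, "rb") as f:
            root_fp = f.read()
        with open(override_version, "rb") as f:
            override_fp = f.read()
    except OSError:
        return "/"
    if root_fp != override_fp:
        return "/"
    return os.path.dirname(override_version)


def demo():
    """Exercise the rule on constructed files in a temp dir (no real device
    paths). Returns the decision for each scenario so it can be checked."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root_v = os.path.join(d, "selinux_version")
        cur_dir = os.path.join(d, "data", "security", "current")
        os.makedirs(cur_dir)
        cur_v = os.path.join(cur_dir, "selinux_version")
        # Constructed fingerprint standing in for ro.build.fingerprint.
        fp = b"vendor/device/device:5.0/BUILD/1:user/release-keys\n"
        with open(root_v, "wb") as f:
            f.write(fp)

        # 1. No override version file yet: root policy is used.
        results["missing"] = select_policy_root(root_v, cur_v)

        # 2. Override written for this exact build: override policy is used.
        with open(cur_v, "wb") as f:
            f.write(fp)
        results["match"] = select_policy_root(root_v, cur_v)

        # 3. Leftover override from a different build number: ignored,
        #    so a stale policy update cannot be applied to a newer image.
        with open(cur_v, "wb") as f:
            f.write(fp.replace(b"/1:", b"/2:"))
        results["stale"] = select_policy_root(root_v, cur_v)

        results["override_dir"] = cur_dir
    return results


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(scenario, decision)
```

The point of tying the override to the exact fingerprint is that a policy update pushed to /data for one build must never be loaded on another build whose type names and transitions may differ.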
Understand SEAndroid Policy
SELinux defines a class for each kind of object in the system: the ordinary file, socket, the security class for SELinux's own interface, process for operations on processes, and so on. Each class has its own set of permissions: file has read, write, create, getattr, setattr, lock, ioctl, etc.; process has fork, sigchld, sigkill, ptrace, getpgid, setpgid, etc.
In SEAndroid, the classes and the permissions they carry are defined in external/sepolicy/access_vectors, and the classes themselves are declared in security_classes.
For example, file:
external/sepolicy/access_vectors
#
# Define a common prefix for file access vectors.
#
common file
{
    ioctl
    read
    write
    create
    getattr
    setattr
    lock
    relabelfrom
    relabelto
    append
    unlink
    link
    rename
    execute
    swapon
    quotaon
    mounton
}
==============>
class file
inherits file
{
    execute_no_trans
    entrypoint
    execmod
    open
    audit_access
}
external/sepolicy/security_classes
class file
Note that these definitions are tightly coupled to the corresponding kernel hooks; ordinary policy authors must not modify them.
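The `common` / `inherits` split above means the full permission set of a class is not visible in one place. The following added example (not code from the page or from the SEAndroid project) parses a constructed excerpt in the access_vectors syntax, resolves the inheritance, and checks an allow rule's permission list against the class, which is the check the policy compiler performs when it rejects an unknown permission. The `dir` class is a shortened, constructed version included only to show that several classes can inherit the same common block.

```python
import re

# Constructed excerpt in the access_vectors syntax shown above; the real
# file is much longer, and the `dir` class is shortened.
ACCESS_VECTORS = """
#
# Define a common prefix for file access vectors.
#
common file
{
    ioctl
    read
    write
    create
    getattr
    setattr
    lock
    relabelfrom
    relabelto
    append
    unlink
    link
    rename
    execute
    swapon
    quotaon
    mounton
}

class file
inherits file
{
    execute_no_trans
    entrypoint
    execmod
    open
    audit_access
}

class dir
inherits file
{
    add_name
    remove_name
    reparent
    search
    rmdir
    open
    audit_access
}
"""

_BLOCK = re.compile(
    r"\b(common|class)\s+(\w+)\s*(?:inherits\s+(\w+))?\s*\{([^}]*)\}", re.S)


def parse_access_vectors(text):
    """Parse `common` and `class` blocks. Returns (commons, classes) where
    classes map each class name to its full permission set, i.e. its own
    permissions plus those of the inherited common block."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments before matching
    commons, classes = {}, {}
    for kind, name, parent, body in _BLOCK.findall(text):
        perms = set(body.split())
        if kind == "common":
            commons[name] = perms
            continue
        if parent:
            if parent not in commons:
                raise ValueError(f"class {name} inherits unknown common '{parent}'")
            perms |= commons[parent]
        classes[name] = perms
    return commons, classes


def class_permissions(cls, text=ACCESS_VECTORS):
    """All permissions a rule may name for class `cls`."""
    return parse_access_vectors(text)[1][cls]


def unknown_permissions(cls, perms, text=ACCESS_VECTORS):
    """Permissions in an `allow src tgt:cls { perms }` rule that the class
    does not define; the policy compiler would reject such a rule."""
    return set(perms) - class_permissions(cls, text)


if __name__ == "__main__":
    print(sorted(class_permissions("file")))
    print(unknown_permissions("file", ["read", "search"]))  # {'search'}
```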
2. SE for Android Classes and Permissions
Besides the classes and permissions the kernel defines by default, Google also defines several classes and permissions for SEAndroid that are checked in user space. The ones shown here belong to the binder class:
impersonate: Not currently used in policy, but the kernel (selinux/hooks.c) checks this permission in the selinux_binder_transaction call.
set_context_mgr: Register self as the Binder Context Manager, aka servicemanager (the global name service). Can A set the context manager to B, where normally A == B? See policy module servicemanager.te.
transfer: Transfer a binder reference to another process (can A transfer a binder reference to B?).
3. Multi-Level Security and Multi-Category
Although Google has already defined the MLS/MCS framework, it is not really used yet. The relevant policy code is mainly in mls and mls_macros.
For example:
# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
(l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
(l1 domby l2 or t1 == mlstrustedsubject);
But at present mls_num_sens=1 and mls_num_cats=1024; every process is at level 0 and no process actually uses the level field, so for now MLS/MCS can be ignored. This describes the release discussed here; do not assume it still holds for later Android versions.
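To see what the two constraints above actually decide, here is an added example (not code from the page or from the SEAndroid policy) that models a level as a sensitivity plus a category set, implements `dom`/`domby`, and evaluates both constraints for one permission. The per-app categories used in the demo are hypothetical; as the text says, on this release every process is plain s0, which is why both constraints are always satisfied.

```python
class Level:
    """An MLS/MCS level: one sensitivity (s0, s1, ...) and a set of categories."""

    def __init__(self, sens, cats=()):
        self.sens = sens
        self.cats = frozenset(cats)

    def dom(self, other):
        """l1 dom l2: sensitivity not lower and categories a superset."""
        return self.sens >= other.sens and self.cats >= other.cats

    def domby(self, other):
        """l1 domby l2 is simply l2 dom l1."""
        return other.dom(self)

    def __repr__(self):
        cats = ",".join(f"c{c}" for c in sorted(self.cats))
        return f"s{self.sens}" + (f":{cats}" if cats else "")


# Permission sets copied from the two mlsconstrain statements above.
READ_UP_PERMS = {"getsched", "getsession", "getpgid", "getcap", "getattr",
                 "ptrace", "share"}
WRITE_DOWN_PERMS = {"sigkill", "sigstop", "signal", "setsched", "setpgid",
                    "setcap", "setrlimit", "ptrace", "share"}


def mls_allows(perm, l1, l2, t1_attrs=frozenset()):
    """Evaluate the two process constraints for one permission.

    l1/l2 are the source and target levels, t1_attrs the attributes of the
    source type (so "t1 == mlstrustedsubject" becomes membership). A
    permission that neither constraint mentions is unconstrained here and
    returns True; the ordinary allow rules are a separate, prior check."""
    trusted = "mlstrustedsubject" in t1_attrs
    allowed = True
    if perm in READ_UP_PERMS:
        allowed = allowed and (l1.dom(l2) or trusted)
    if perm in WRITE_DOWN_PERMS:
        allowed = allowed and (l1.domby(l2) or trusted)
    return allowed


if __name__ == "__main__":
    s0 = Level(0)                                  # what every process gets now
    app_a, app_b = Level(0, {1}), Level(0, {2})    # hypothetical per-app categories
    print(mls_allows("getattr", s0, s0))           # True: identical levels
    print(mls_allows("getattr", app_a, app_b))     # False: no read across categories
    print(mls_allows("ptrace", Level(0, {1, 2}), app_a))  # False: ptrace needs l1 == l2
```

Note that ptrace and share appear in both permission lists, so for an untrusted subject they require `l1 dom l2` and `l1 domby l2` at once, i.e. exactly equal levels.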
This is one of the central ideas of SELinux: every file has exactly one security context, and in the current version the type is the most important field of that context. In other words, every file maps to one type, and each type is normally a member of one or more attributes.
The common attributes are defined in external/sepolicy/attributes, for example:
# All types used for devices.
attribute dev_type;
attribute domain;
attribute fs_type;
attribute contextmount_type;
Type definitions are more scattered; they mainly live in: