This directory contains a small port of libselinux for Android.
It was originally forked in mid-2011, circa libselinux 2.1.0.
Some changes have been cherry-picked from the upstream libselinux.
Upstream git repository is https://github.com/SELinuxProject/selinux
(libselinux subdirectory) and official releases are available from
https://github.com/SELinuxProject/selinux/wiki/Releases.

This fork differs from upstream libselinux in at least the following ways:

* Dependencies on glibc-specific features have been removed/replaced
in order to work with bionic,

* Legacy code and compatibility interfaces have been removed,

* Many interfaces, functions, and files are omitted since they are
unused in Android,

* The Python bindings are omitted since they are unused in Android,

* The setrans (context translation) support has been removed since
there is no need for MLS label translation in Android and the support
imposes extra overhead on calls passing security contexts,

* The SELinux policy files are all located in / rather than under
/etc/selinux, since /etc is not available in Android until /system
is mounted, and they use fixed paths that do not depend on
/etc/selinux/config,

* The kernel policy file (sepolicy in Android, policy.N in Linux) does
not include a version suffix since Android does not need to support
booting multiple kernels,

* The policy loading logic does not support automatic downgrading of
the kernel policy file to a version known to the kernel, since this
requires libsepol on the device and is only needed to support mixing
and matching kernels and userspace easily,

* The selabel interface and label_file backend have been extended to
support label-by-symlink and partial matching for use by ueventd
in labeling device nodes based on stable symlink names and by init for
optimizing its restorecon_recursive of /sys,

* Since the fork, upstream libselinux has switched the label_file
backend to use a binary version of the file_contexts file
(file_contexts.bin) that contains precompiled versions of the pcre
regexes.  This reduces the time to load the file_contexts
configuration, which in Linux can be significant due to the large
number of entries (> 5000).  As Android has far fewer entries (~400),
this has not yet seemed necessary.

* restorecon functionality, including recursive restorecon, has been
fully implemented within new libselinux functions, along with optimizations
to prune the tree walk if no change has occurred in file_contexts since
the last restorecon,

* Support for new Android-specific SELinux configuration files, such
as seapp_contexts, property_contexts, and service_contexts, has been
added.

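The restorecon pruning described above can be modelled as follows. This is an added example, not code from this fork or from upstream libselinux: every name in it is hypothetical, prefix rules stand in for the file_contexts regexes, a 64-bit FNV-1a hash stands in for whatever digest an implementation records, and the labels and paths are constructed sample data. In this model a walk is skipped only because the rules are unchanged, so a file whose label drifts after the last walk stays mislabeled until the caller forces a full pass.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: prefix rules stand in for file_contexts regexes. */
struct rule { const char *prefix, *label; };
struct file { const char *path, *label; };
struct tree { struct file *files; int n, has_digest; uint64_t digest; };
static const struct rule RULES[] = { /* first 2 = old rules, all 3 = updated */
    {"/data", "u:object_r:system_data_file:s0"},
    {"/data/misc", "u:object_r:misc_data_file:s0"},
    {"/data/misc/keys", "u:object_r:keys_data_file:s0"} };
static struct file FILES[] = {
    {"/data/app.db", "u:object_r:unlabeled:s0"},
    {"/data/misc/keys/k1", "u:object_r:unlabeled:s0"} };
static struct tree DATA = { FILES, 2, 0, 0 };
static uint64_t fnv(uint64_t h, const char *s) { /* stand-in digest: FNV-1a */
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    return h;
}
static uint64_t rules_digest(const struct rule *r, int n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (int i = 0; i < n; i++) h = fnv(fnv(fnv(h, r[i].prefix), "\t"), r[i].label);
    return h;
}
static const char *lookup(const struct rule *r, int n, const char *path) {
    const char *best = NULL; size_t len = 0; /* longest matching prefix wins */
    for (int i = 0; i < n; i++) {
        size_t l = strlen(r[i].prefix);
        if (l >= len && strncmp(path, r[i].prefix, l) == 0) { best = r[i].label; len = l; }
    }
    return best;
}
/* Returns the number of files relabeled, or -1 when the walk was pruned. */
static int restorecon_tree(struct tree *t, const struct rule *r, int n, int force) {
    uint64_t d = rules_digest(r, n);
    if (!force && t->has_digest && t->digest == d) return -1; /* rules unchanged */
    int changed = 0;
    for (int i = 0; i < t->n; i++) {
        const char *want = lookup(r, n, t->files[i].path);
        if (want && strcmp(want, t->files[i].label) != 0) { t->files[i].label = want; changed++; }
    }
    t->digest = d; t->has_digest = 1; /* record only after a completed walk */
    return changed;
}
int main(void) {
    printf("first walk: %d\n", restorecon_tree(&DATA, RULES, 2, 0));
    printf("repeat:     %d\n", restorecon_tree(&DATA, RULES, 2, 0));
    return 0;
}
```
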
New files added for Android:
* libselinux/include/selinux/android.h
* libselinux/src/android.c
* libselinux/src/label_android_property.c (later added upstream)