README.android
This directory contains a small port of libselinux for Android.
It was originally forked in mid-2011, circa libselinux 2.1.0.
Some changes have been cherry-picked from the upstream libselinux.
The upstream git repository is https://github.com/SELinuxProject/selinux
(libselinux subdirectory) and official releases are available from
https://github.com/SELinuxProject/selinux/wiki/Releases.

This fork differs from upstream libselinux in at least the following ways:

* Dependencies on glibc-specific features have been removed or replaced
in order to work with bionic,

* Legacy code and compatibility interfaces have been removed,

* Many interfaces, functions, and files are omitted since they are
unused in Android,

* The python bindings are omitted since they are unused in Android,

* The setrans (context translation) support has been removed since
there is no need for MLS label translation in Android and the support
imposes extra overhead on calls passing security contexts,

* The SELinux policy files are all located in / rather than under
/etc/selinux, since /etc is not available in Android until /system
is mounted, and they use fixed paths that do not depend on
/etc/selinux/config,

* The kernel policy file (sepolicy in Android, policy.N in Linux) does
not include a version suffix since Android does not need to support
booting multiple kernels,

* The policy loading logic does not support automatic downgrading of
the kernel policy file to a version known to the kernel, since this
requires libsepol on the device and is only needed to support mixing
and matching kernels and userspace easily,

* The selabel interface and label_file backend have been extended to
support label-by-symlink and partial matching, for use by ueventd
in labeling device nodes based on stable symlink names and by init for
optimizing its restorecon_recursive of /sys,

* Since the fork, upstream libselinux has switched the label_file
backend to use a binary version of the file_contexts file
(file_contexts.bin) that contains precompiled versions of the pcre
regexes. This reduces the time to load the file_contexts
configuration, which in Linux can be significant due to the large
number of entries (> 5000). As Android has far fewer entries (~400),
this has not yet seemed necessary.

* restorecon functionality, including recursive restorecon, has been
fully implemented within new libselinux functions, along with optimizations
to prune the tree walk if no change has occurred in file_contexts since
the last restorecon,

* Support for new Android-specific SELinux configuration files, such
as seapp_contexts, property_contexts, and service_contexts, has been
added.

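The pruning described in the restorecon bullet above, sketched as an added example that is not code from this port: each directory remembers a digest of the file_contexts that was in effect when its subtree was last fully relabeled, and a later recursive restorecon skips any directory whose stored digest still matches. The in-memory tree, the `marker` field and the `sample_tree()` helper are constructed for this sketch; how the marker is persisted on a real filesystem (for example as an extended attribute) is an assumption here, not something the README states.

```c
#include <stdio.h>
#include <string.h>

/* Constructed in-memory stand-in for a directory tree. The real library walks
 * the filesystem; persisting the marker (e.g. as an extended attribute) is an
 * assumption of this sketch, not something the README specifies. */
#define MAX_CHILDREN 4
struct node {
    const char *name;
    int is_dir;
    char marker[64];      /* digest of the file_contexts used at the last full pass */
    int relabeled;        /* how many times this node was actually relabeled */
    struct node *child[MAX_CHILDREN];
    int nchildren;
};

/* Relabel n and its subtree, skipping directories whose marker already
 * equals fc_digest (a hash the caller derives from file_contexts).
 * Returns the number of nodes that were relabeled. */
int restorecon_recursive(struct node *n, const char *fc_digest)
{
    if (n->is_dir && strcmp(n->marker, fc_digest) == 0)
        return 0;    /* file_contexts unchanged since last full pass: prune */
    n->relabeled++;
    int count = 1;
    for (int i = 0; i < n->nchildren; i++)
        count += restorecon_recursive(n->child[i], fc_digest);
    if (n->is_dir)    /* record success only after the entire subtree is done */
        snprintf(n->marker, sizeof n->marker, "%s", fc_digest);
    return count;
}

/* /sys-like constructed sample: / -> {devices/ -> {a, b}, class/ -> {c}} */
static struct node files[3] = { {"a"}, {"b"}, {"c"} };
static struct node devices = {"devices", 1, "", 0, {&files[0], &files[1]}, 2};
static struct node class_ = {"class", 1, "", 0, {&files[2]}, 1};
static struct node root = {"/", 1, "", 0, {&devices, &class_}, 2};

struct node *sample_tree(void) { return &root; }

int main(void)
{
    printf("first pass:  %d\n", restorecon_recursive(sample_tree(), "fc-v1"));
    printf("second pass: %d\n", restorecon_recursive(sample_tree(), "fc-v1"));
    printf("after edit:  %d\n", restorecon_recursive(sample_tree(), "fc-v2"));
    return 0;
}
```

Writing the marker only after the whole subtree has been relabeled is what keeps the optimization safe: an interrupted pass leaves no marker, so the next run revisits that directory instead of trusting a half-finished one.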
New files added for Android:
* libselinux/include/selinux/android.h
* libselinux/src/android.c
* libselinux/src/label_android_property.c (later added upstream)

63