<html devsite><head>
    <title>SELinux </title>
    <meta name="project_path" value="/_project.yaml"/>
    <meta name="book_path" value="/_book.yaml"/>
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->

<p> SELinux </p>

<h2 id="mandatory_access_control"></h2>

<p> Linux (SELinux)  Linux  (MAC)  MAC  Linux  (DAC)  DAC MAC </p>

<p>SELinux  Linux  (LSM)  LSM SELinux </p>

<p> Android Android Android </p>

<p> Android 4.3 SELinux  (DAC)  (MAC)  Root  DAC  Linux  Root  SELinux  Root </p>

<p> SELinux <a href="implement.html#use_cases"></a></p>

<h2 id="enforcement_levels"></h2>

<p> SELinux</p>

<ul>
  <li><em></em> -  SELinux 
  </li><li><em></em> -  EPERM 
</li></ul>

<p></p>

<ul>
  <li><em></em> -  Android  (AOSP) 
  </li><li><em></em> - 
</li></ul>

<p> Android  SELinux Root </p>

<p></p>

<h2 id="labels_rules_and_domains"></h2>

<p><em></em>SELinux  SELinux SELinux  SELinux user:role:type:mls_level type </p>

<p>allow domains types:classes permissions;<em></em><em></em><em></em><em></em></p>

<ul>
  <li>Domain<em></em> - 
  </li><li><em></em>Type - 
  </li><li><em></em>Class - 
  </li><li><em></em>Permission - 
</li></ul>

<p></p>
<code>allow appdomain app_data_file:file rw_file_perms;</code>

<p> app_data_file  global_macros  te_macros  AOSP  <a href="https://android.googlesource.com/platform/system/sepolicy/">system/sepolicy</a> </p>

<p><em></em><em></em><em></em>domain file_type </p>

<p> SELinux  avc </p><pre>
&lt;rule variant&gt; &lt;source_types&gt; &lt;target_types&gt; : &lt;classes&gt; &lt;permissions&gt;
</pre>

<p><em></em><em></em><em></em><em></em> source_types  permissions  target_types  classes  allow </p>

<pre>
allow domain null_device:chr_file { open };
</pre>

<p><em></em><em></em><em></em><em></em>domain target_type null_devicechr_fileopen</p>

<pre>
allow domain null_device:chr_file { getattr open read ioctl lock append write};
</pre>

<p>domain null_device  /dev/null  <code>/dev/null</code> </p>

<p><em></em> domain </p>

<p> Android  untrusted_app </p>

<p> Android  UID  system_app </p>

<p></p>

<ul>
  <li>socket_device</li><li>device</li><li>block_device</li><li>default_service</li><li>system_data_file</li><li>tmpfs</li></ul>

</body></html>