xref: /docs/source.android.com/zh-cn/security/selinux/device-policy.html

<html devsite><head>
    <title> SELinux </title>
    <meta name="project_path" value="/_project.yaml"/>
    <meta name="book_path" value="/_book.yaml"/>
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->

<p>Android  (AOSP)  Android AOSP  90-95% 5-10% </p>

<h2 id="device_bringup"></h2>

<p></p>

<h3 id="run_in_permissive_mode"></h3>

<p><a href="index.html#background"></a></p>

<ol>
  <li>
  </li><li>
</li></ol>

<p><a href="validate.html#switching_to_permissive"></a> BoardConfig.mk <code>platform/device/&lt;vendor&gt;/&lt;target&gt;/BoardConfig.mk</code> <code>make clean</code> <code>make bootimage</code></p>

<p></p>

<p><code>adb getenforce</code></p>

<p></p>

<h3 id="enforce_early"></h3>

<p> <a href="https://en.wikipedia.org/wiki/Eating_your_own_dog_food">dogfooding</a></p>

<h3 id="remove_or_delete_existing_policy"></h3>

<p></p>

<ul>
  <li></li><li> <a href="#overuse_of_negation"></a>
  </li><li> <a href="#policy_size_explosion"></a>
  </li><li>Dead </li></ul>

<h3 id="address_denials_of_core_services"></h3>

<p></p>

<pre class="no-pretty-print">
avc: denied { open } for pid=1003 comm=mediaserver path="/dev/kgsl-3d0
dev="tmpfs" scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0
tclass=chr_file permissive=1
avc: denied { read write } for pid=1003 name="kgsl-3d0" dev="tmpfs"
scontext=u:r:mediaserver:s0
tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
</pre>

<p> <code>/dev/kgsl-3d0</code> <code>tcontext</code>  <code>device</code><code>/dev</code> <a href="https://android.googlesource.com/platform/external/sepolicy/+/marshmallow-dev/file_contexts#31">device</a> <a href="validate.html#using_audit2allow">audit2allow</a> </p>

<p> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#1">gpu_device</a> <a href="https://android.googlesource.com/platform/external/sepolicy/+/marshmallow-dev/mediaserver.te#24">mediaserver  gpu_device </a></p>

<p></p>

<ol>
  <li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#31"></a>
  </li><li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#80"></a>
  </li><li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#21"></a>
  </li><li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#89"></a>
  </li><li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#8">nfc</a>
  </li><li>gps_device</li><li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#139">/sys </a>
  </li><li>/proc </li></ol>

<p> <a href="customize.html#neverallow">neverallow</a> </p>

<h3 id="label_new_services_and_address_denials"></h3>

<p> init  SELinux foo SELinux </p>

<p> <code>init.&lt;target&gt;.rc</code> </p>

<pre class="no-pretty-print">
service foo /system/bin/foo
    class core
</pre>

<ol>
  <li>foo<br />

      <p> <code>device/&lt;oem&gt;/&lt;target&gt;/sepolicy/foo.te</code></p>

<pre class="no-pretty-print">
# foo service
type foo, domain;
type foo_exec, exec_type, file_type;

init_daemon_domain(foo)
</pre>

      <p> foo SELinux </p>
  </li>

  <li> <code>/system/bin/foo</code> <br />

      <p> <code>device/&lt;oem&gt;/&lt;target&gt;/sepolicy/
         file_contexts</code></p>

<pre class="no-pretty-print">
/system/bin/foo   u:object_r:foo_exec:s0
</pre>

      <p> SELinux </p>
  </li>

  <li></li>

  <li> SELinux <br />

      <p><a href="validate.html#using_audit2allow">audit2allow</a> </p>
  </li>
</ol>

<h3 id="enforcing_mode"></h3>

<p></p>

<h2 id="common_mistakes"></h2>

<p></p>

<h3 id="overuse_of_negation"></h3>

<p></p>

<p><code>allow { domain -untrusted_app } scary_debug_device:chr_file rw_file_perms</code></p>

<p></p>

<p> <code>untrusted_app</code>  <code>isolated_app</code>  AOSP <code>scary_debug_device</code></p>

<h3 id="debugging_features_in_production"></h3>

<p></p>

<p> eng/userdebug  SELinux  <code>adb root</code>  <code>adb setenforce 0</code></p>

<p> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/platform_app.te#3">userdebug_or_eng</a> </p>

<h3 id="policy_size_explosion"></h3>

<p><a href="http://arxiv.org/abs/1510.05497"> Wild  SEAndroid </a> 5-10% 20% Dead </p>

<p></p>

<ul>
  <li> ramdisk 
  </li><li>
  </li><li>
</li></ul>

<p> 50%  40% AOSP  Shamu  Flounder </p>

<p><img alt=" 1" src="images/selinux_device_policy_reduction.png"/></p>
<p class="img-caption"><strong> 1</strong>. </p>

<p> audit2allow Dead </p>

<h3 id="granting_the_dac_override_capability"> dac_override </h3>

<p><code> dac_override</code>  unix user/group/world  <code>dac_override</code> <a href="https://android-review.googlesource.com/#/c/174530/5/update_engine.te@11"> unix </a> initvold  installd unix  <a href="http://danwalsh.livejournal.com/69478.html">Dan Walsh </a></p>

<h2 id="additional_resources"></h2>

<p><a href="http://seandroid.bitbucket.org/ForMoreInformation.html">SEAndroid </a></p>

<p>AOSP  <a href="index.html">Android  SELinux</a> </p>

<p><a href="http://seandroid.bitbucket.org/"></a></p>

</body></html>