
S009 The policy files defined in SEAndroid

Author: 上善若水.夏
Published 2018-09-28 11:13:40
Article collected in the column: 上善若水

The directory external/sepolicy holds many SELinux policy definition files. Device-specific directories such as device/lge/mako/sepolicy also hold policy files; these serve as the policy definitions for one particular device model.

Overview of the files

  1. roles: role definitions
  2. users: SELinux user definitions
  3. attributes: all attributes that a type may carry
  4. security_classes: the classes of all objects
  5. access_vectors: all permitted operations
  6. *.te: type enforcement rule files
  7. te_macros: TE macro definition file
  8. file_contexts: the labels of the files in the file system
  9. genfs_contexts: security-context rules for virtual (pseudo) file systems
  10. mac_permissions.xml: assigns a different seinfo string to apps with different signing certificates. This seinfo is not the Type in the security context; it is used as the lookup key for the matching Type in another file, external/sepolicy/seapp_contexts.
  11. seapp_contexts: defines the Type of apps
  12. service_contexts: when a system service starts, its context is set by matching its name in service_contexts
  13. initial_sid_contexts
  14. port_contexts
  15. property_contexts

1. Role definition file: roles

The role definition file defines the roles of the SELinux system. The content of the file roles is as follows:

role r;
role r types domain;

From this we can see that SEAndroid actually defines only one role, r.

2. User definition file: users

The user definition file defines users. As introduced earlier, users in SELinux can be of three kinds, but SEAndroid defines only one, u. The content of the file users is as follows:

user u roles { r } level s0 range s0 - mls_systemhigh;

Since both user and role currently have only a single definition in SEAndroid, neither is of much practical use for now.

3. Attribute definition file: attributes

The attribute definition file attributes defines all the attribute values used in type definitions, as shown below:

######################################
# Attribute declarations
#

# All types used for devices.
attribute dev_type;

# All types used for processes.
attribute domain;

# All types used for filesystems.
attribute fs_type;

# All types used for context= mounts.
attribute contextmount_type;

# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
attribute file_type;

# All types used for domain entry points.
attribute exec_type;

# All types used for /data files.
attribute data_file_type;

# All types use for sysfs files.
attribute sysfs_type;

# Attribute used for all sdcards
attribute sdcard_type;

# All types used for nodes/hosts.
attribute node_type;

# All types used for network interfaces.
attribute netif_type;

# All types used for network ports.
attribute port_type;

# All types used for property service
attribute property_type;

# All types used for services managed by service_manager.
attribute service_manager_type;

# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down (all trusted subjects in the system).
attribute mlstrustedsubject;

# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher (all trusted objects in the system).
attribute mlstrustedobject;

# Domains that are allowed all permissions ("unconfined").
attribute unconfineddomain;

# All domains used for apps.
attribute appdomain;

# All domains used for apps with network access.
attribute netdomain;

# All domains used for apps with bluetooth access.
attribute bluetoothdomain;

# All domains used for binder service domains.
attribute binderservicedomain;

4. Class definition file: security_classes

Rule statements refer to object classes (Object Class); the file security_classes defines all the classes used in the system, as shown below:

# FLASK

#
# Define the security object classes
#

# Classes marked as userspace are classes
# for userspace object managers

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

#
# userspace object manager classes
#

# passwd/chfn/chsh
class passwd            # userspace

# SE-X Windows stuff (more classes below)
class x_drawable        # userspace
class x_screen          # userspace
class x_gc          # userspace
class x_font            # userspace
class x_colormap        # userspace
class x_property        # userspace
class x_selection       # userspace
class x_cursor          # userspace
class x_client          # userspace
class x_device          # userspace
class x_server          # userspace
class x_extension       # userspace

# extended netlink sockets
class netlink_route_socket
class netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_ip6fw_socket
class netlink_dnrt_socket

class dbus          # userspace
class nscd          # userspace

# IPSec association
class association

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket

class appletalk_socket

class packet

# Kernel access key retention
class key

class context           # userspace

class dccp_socket

class memprotect

class db_database       # userspace
class db_table          # userspace
class db_procedure      # userspace
class db_column         # userspace
class db_tuple          # userspace
class db_blob           # userspace

# network peer labels
class peer

# Capabilities >= 32
class capability2

# More SE-X Windows stuff
class x_resource        # userspace
class x_event           # userspace
class x_synthetic_event     # userspace
class x_application_data    # userspace

# kernel services that need to override task security, e.g. cachefiles
class kernel_service

class tun_socket

# Still More SE-X Windows stuff
class x_pointer         # userspace
class x_keyboard        # userspace

# More Database stuff
class db_schema         # userspace
class db_view           # userspace
class db_sequence       # userspace
class db_language       # userspace

class binder
class zygote

# Property service
class property_service          # userspace

# Service manager
class service_manager           # userspace

# Keystore Key
class keystore_key              # userspace

# FLASK

The security_classes file is quite long, and only part of it is listed here. Class definitions are easy to understand: they are essentially a fine-grained categorisation of system resources. When an object's type (type) is defined, the attributes attached to it delimit only a fairly coarse range of what the object can represent; adding the object class to an allow rule narrows the object down to a much smaller range.

5. Operation definition file: access_vectors

The last item of an allow statement is the set of permitted operations. All operations are defined in the file access_vectors, part of which is shown below:

#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
    ioctl
    read
    write
    create
    getattr
    setattr
    lock
    relabelfrom
    relabelto
    append
    unlink
    link
    rename
    execute
    swapon
    quotaon
    mounton
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
    ioctl
    read
    write
    create
    getattr
    setattr
    lock
    relabelfrom
    relabelto
    append
# socket-specific
    bind
    connect
    listen
    accept
    getopt
    setopt
    shutdown
    recvfrom
    sendto
    recv_msg
    send_msg
    name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
    create
    destroy
    getattr
    setattr
    read
    write
    associate
    unix_read
    unix_write
}

#
#  Define a common prefix for userspace database object access vectors.
#

common database
{
    create
    drop
    getattr
    setattr
    relabelfrom
    relabelto
}

#
# Define a common prefix for pointer and keyboard access vectors.
#

common x_device
{
    getattr
    setattr
    use
    read
    write
    getfocus
    setfocus
    bell
    force_cursor
    freeze
    grab
    manage
    list_property
    get_property
    set_property
    add
    remove
    create
    destroy
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
    mount
    remount
    unmount
    getattr
    relabelfrom
    relabelto
    transition
    associate
    quotamod
    quotaget
}

class dir
inherits file
{
    add_name
    remove_name
    reparent
    search
    rmdir
    open
    audit_access
    execmod
}

class file
inherits file
{
    execute_no_trans
    entrypoint
    execmod
    open
    audit_access
}

class lnk_file
inherits file
{
    open
    audit_access
    execmod
}

class chr_file
inherits file
{
    execute_no_trans
    entrypoint
    execmod
    open
    audit_access
}

class blk_file
inherits file
{
    open
    audit_access
    execmod
}

class sock_file
inherits file
{
    open
    audit_access
    execmod
}

class fifo_file
inherits file
{
    open
    audit_access
    execmod
}

class fd
{
    use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
    connectto
    newconn
    acceptfrom
    node_bind
    name_connect
}

class udp_socket
inherits socket
{
    node_bind
}

class rawip_socket
inherits socket
{
    node_bind
}

class node
{
    tcp_recv
    tcp_send
    udp_recv
    udp_send
    rawip_recv
    rawip_send
    enforce_dest
    dccp_recv
    dccp_send
    recvfrom
    sendto
}

class netif
{
    tcp_recv
    tcp_send
    udp_recv
    udp_send
    rawip_recv
    rawip_send
    dccp_recv
    dccp_send
    ingress
    egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
    connectto
    newconn
    acceptfrom
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

class process
{
    fork
    transition
    sigchld # commonly granted from child to parent
    sigkill # cannot be caught or ignored
    sigstop # cannot be caught or ignored
    signull # for kill(pid, 0)
    signal  # all other signals
    ptrace
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    share
    getattr
    setexec
    setfscreate
    noatsecure
    siginh
    setrlimit
    rlimitinh
    dyntransition
    setcurrent
    execmem
    execstack
    execheap
    setkeycreate
    setsockcreate
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
    enqueue
}

class msg
{
    send
    receive
}

class shm
inherits ipc
{
    lock
}


#
# Define the access vector interpretation for the security server.
#

class security
{
    compute_av
    compute_create
    compute_member
    check_context
    load_policy
    compute_relabel
    compute_user
    setenforce     # was avc_toggle in system class
    setbool
    setsecparam
    setcheckreqprot
    read_policy
}


#
# Define the access vector interpretation for system operations.
#

class system
{
    ipc_info
    syslog_read
    syslog_mod
    syslog_console
    module_request
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
{
    # The capabilities are defined in include/linux/capability.h
    # Capabilities >= 32 are defined in the capability2 class.
    # Care should be taken to ensure that these are consistent with
    # those definitions. (Order matters)

    chown
    dac_override
    dac_read_search
    fowner
    fsetid
    kill
    setgid
    setuid
    setpcap
    linux_immutable
    net_bind_service
    net_broadcast
    net_admin
    net_raw
    ipc_lock
    ipc_owner
    sys_module
    sys_rawio
    sys_chroot
    sys_ptrace
    sys_pacct
    sys_admin
    sys_boot
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
    mknod
    lease
    audit_write
    audit_control
    setfcap
}

class capability2
{
    mac_override    # unused by SELinux
    mac_admin   # unused by SELinux
    syslog
    wake_alarm
    block_suspend
}

#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
    passwd  # change another user passwd
    chfn    # change another user finger info
    chsh    # change another user shell
    rootok  # pam_rootok check (skip auth)
    crontab # crontab on another user
}

#
# SE-X Windows stuff
#
class x_drawable
{
    create
    destroy
    read
    write
    blend
    getattr
    setattr
    list_child
    add_child
    remove_child
    list_property
    get_property
    set_property
    manage
    override
    show
    hide
    send
    receive
}

class x_screen
{
    getattr
    setattr
    hide_cursor
    show_cursor
    saver_getattr
    saver_setattr
    saver_hide
    saver_show
}

class x_gc
{
    create
    destroy
    getattr
    setattr
    use
}

class x_font
{
    create
    destroy
    getattr
    add_glyph
    remove_glyph
    use
}

class x_colormap
{
    create
    destroy
    read
    write
    getattr
    add_color
    remove_color
    install
    uninstall
    use
}

class x_property
{
    create
    destroy
    read
    write
    append
    getattr
    setattr
}

class x_selection
{
    read
    write
    getattr
    setattr
}

class x_cursor
{
    create
    destroy
    read
    write
    getattr
    setattr
    use
}

class x_client
{
    destroy
    getattr
    setattr
    manage
}

class x_device
inherits x_device

class x_server
{
    getattr
    setattr
    record
    debug
    grab
    manage
}

class x_extension
{
    query
    use
}

class x_resource
{
    read
    write
}

class x_event
{
    send
    receive
}

class x_synthetic_event
{
    send
    receive
}

#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}

class netlink_firewall_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
    nlmsg_relay
    nlmsg_readpriv
    nlmsg_tty_audit
}

class netlink_ip6fw_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
    acquire_svc
    send_msg
}

# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
    getpwd
    getgrp
    gethost
    getstat
    admin
    shmempwd
    shmemgrp
    shmemhost
    getserv
    shmemserv
}

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
    sendto
    recvfrom
    setcontext
    polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

class packet
{
    send
    recv
    relabelto
    flow_in     # deprecated
    flow_out    # deprecated
    forward_in
    forward_out
}

class key
{
    view
    read
    write
    search
    link
    setattr
    create
}

class context
{
    translate
    contains
}

class dccp_socket
inherits socket
{
    node_bind
    name_connect
}

class memprotect
{
    mmap_zero
}

class db_database
inherits database
{
    access
    install_module
    load_module
    get_param   # deprecated
    set_param   # deprecated
}

class db_table
inherits database
{
    use     # deprecated
    select
    update
    insert
    delete
    lock
}

class db_procedure
inherits database
{
    execute
    entrypoint
    install
}

class db_column
inherits database
{
    use     # deprecated
    select
    update
    insert
}

class db_tuple
{
    relabelfrom
    relabelto
    use     # deprecated
    select
    update
    insert
    delete
}

class db_blob
inherits database
{
    read
    write
    import
    export
}

# network peer labels
class peer
{
    recv
}

class x_application_data
{
    paste
    paste_after_confirm
    copy
}

class kernel_service
{
    use_as_override
    create_files_as
}

class tun_socket
inherits socket
{
    attach_queue
}

class x_pointer
inherits x_device

class x_keyboard
inherits x_device

class db_schema
inherits database
{
    search
    add_name
    remove_name
}

class db_view
inherits database
{
    expand
}

class db_sequence
inherits database
{
    get_value
    next_value
    set_value
}

class db_language
inherits database
{
    implement
    execute
}

class binder
{
    impersonate
    call
    set_context_mgr
    transfer
}

class zygote
{
    specifyids
    specifyrlimits
    specifyinvokewith
    specifyseinfo
}

class property_service
{
    set
}

class service_manager
{
    add
    find
    list
}

class keystore_key
{
    test
    get
    insert
    delete
    exist
    saw
    reset
    password
    lock
    unlock
    zero
    sign
    verify
    grant
    duplicate
    clear_uid
    reset_uid
    sync_uid
    password_uid
}

The access_vectors file defines operations in two ways. One is the common statement: operations defined this way are shared, are not restricted to any particular object class, and can be inherited. The other is the class statement, whose name must be one of the object classes, which means that operations defined by a class statement can only be used with that object class. A class statement can inherit the operations defined by a common statement.
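As an added example (not code from the article or from AOSP), the following Python parses the common/class syntax explained above, resolves the inheritance, and checks a TE rule against the declared vectors. The policy excerpt is a constructed, abridged subset of the access_vectors listing compacted onto fewer lines; the parser is whitespace-based, so the one-permission-per-line layout of the real file parses the same way.

```python
import re

# Constructed, abridged excerpt of the access_vectors syntax shown above.
# Permissions are compacted onto single lines; the real file lists one per line.
ACCESS_VECTORS = """
# common common_name { permission_name ... }
common file   { ioctl read write create getattr setattr append execute }
common socket { ioctl read write create getattr setattr bind connect listen accept }

# class class_name [ inherits common_name ] { permission_name ... }
class filesystem { mount remount unmount getattr }
class dir  inherits file { add_name remove_name search open }
class file inherits file { execute_no_trans entrypoint open }
class fd { use }
class netlink_socket inherits socket
class tcp_socket inherits socket { connectto node_bind name_connect }
"""


def parse_access_vectors(text):
    """Return (commons, classes).

    commons: common name -> list of permissions
    classes: class name  -> {"inherits": common name or None, "own": [perms]}
    A class may omit the brace block entirely (it then only inherits).
    """
    tokens = re.sub(r"#.*", "", text).split()   # drop comments, then tokenize
    commons, classes = {}, {}

    def read_block(i):
        # tokens[i] must be '{'; return the permissions and the index after '}'
        if tokens[i] != "{":
            raise ValueError("expected '{' at token %d" % i)
        j = tokens.index("}", i)
        return tokens[i + 1:j], j + 1

    i = 0
    while i < len(tokens):
        keyword, name = tokens[i], tokens[i + 1]
        i += 2
        if keyword == "common":
            commons[name], i = read_block(i)
        elif keyword == "class":
            base = None
            if i < len(tokens) and tokens[i] == "inherits":
                base = tokens[i + 1]
                i += 2
            own = []
            if i < len(tokens) and tokens[i] == "{":
                own, i = read_block(i)
            classes[name] = {"inherits": base, "own": own}
        else:
            raise ValueError("unexpected keyword %r" % keyword)
    return commons, classes


def permissions(commons, classes, cls):
    """Full permission set of a class: the inherited common set plus its own."""
    spec = classes[cls]
    inherited = commons[spec["inherits"]] if spec["inherits"] else []
    return set(inherited) | set(spec["own"])


def undeclared_permissions(commons, classes, rule):
    """Check one TE rule such as 'allow shell su_exec:file { read execute };'.

    Returns the permissions named by the rule that are not declared for its
    object class; an empty list means the rule would compile. Wildcards and
    class sets such as dir_file_class_set are not handled here.
    """
    m = re.match(r"(?:allow|dontaudit)\s+\S+\s+\S+:(\w+)\s+(.*?);", rule.strip())
    if not m:
        raise ValueError("unsupported rule: " + rule)
    cls, perms = m.group(1), m.group(2).replace("{", "").replace("}", "").split()
    if cls not in classes:
        return ["<unknown class %s>" % cls]
    declared = permissions(commons, classes, cls)
    return [p for p in perms if p not in declared]


COMMONS, CLASSES = parse_access_vectors(ACCESS_VECTORS)

if __name__ == "__main__":
    print(sorted(permissions(COMMONS, CLASSES, "dir")))
    for rule in ("allow shell su_exec:file { read execute };",
                 "allow su self:fd use;",
                 "allow netd self:tcp_socket { create bind execute };"):
        print(rule, "->", undeclared_permissions(COMMONS, CLASSES, rule) or "ok")
```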

6. Type enforcement rule files

Every file in the directory whose name ends in .te is a type enforcement (Type Enforcement) rule file. It consists of two main parts: type definitions and rule definitions. Let's look at the content of su.te:

# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;

userdebug_or_eng(`
  # Domain used for su processes, as well as for adbd and adb shell
  # after performing an adb root command.  The domain definition is
  # wrapped to ensure that it does not exist at all on -user builds.
  type su, domain;
  domain_auto_trans(shell, su_exec, su)

  # Allow dumpstate to call su on userdebug / eng builds to collect
  # additional information.
  domain_auto_trans(dumpstate, su_exec, su)

  # su is also permissive to permit setenforce.
  permissive su;

  # Add su to various domains
  net_domain(su)
  app_domain(su)

  dontaudit su self:capability_class_set *;
  dontaudit su kernel:security *;
  dontaudit su kernel:system *;
  dontaudit su self:memprotect *;
  dontaudit su domain:process *;
  dontaudit su domain:fd *;
  dontaudit su domain:dir *;
  dontaudit su domain:lnk_file *;
  dontaudit su domain:{ fifo_file file } *;
  dontaudit su domain:socket_class_set *;
  dontaudit su domain:ipc_class_set *;
  dontaudit su domain:key *;
  dontaudit su fs_type:filesystem *;
  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
  dontaudit su node_type:node *;
  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
  dontaudit su netif_type:netif *;
  dontaudit su port_type:socket_class_set *;
  dontaudit su port_type:{ tcp_socket dccp_socket } *;
  dontaudit su domain:peer *;
  dontaudit su domain:binder *;
  dontaudit su property_type:property_service *;
')

su.te defines two types: su and su_exec. su is used in the security context of processes, su_exec in the security context of files. su.te also calls two macros: the domain_auto_trans macro, analysed earlier, specifies that when shell executes the su file the process transitions into the su domain; the unconfined_domain macro defines the su domain as an unconfined domain. Note that the version of su.te listed above does not contain the unconfined_domain(su) call; it instead declares `permissive su` (denials for the su domain are logged but not enforced) and silences the audit log with dontaudit rules. The unconfined_domain(su) call comes from an earlier version of the file.

7. TE macro definition file: te_macros

The te_macros file defines the macros used in the TE rule files. The domain_auto_trans macro was introduced earlier; let's now look at how the unconfined_domain macro is defined:

define(`unconfined_domain', `

typeattribute $1 mlstrustedsubject;

typeattribute $1 unconfineddomain;

')

unconfined_domain uses the typeattribute statement, which assigns attributes to a type. We know that attributes can be listed, comma-separated, after a type when it is defined; typeattribute adds attributes to a type that has already been defined. So the effect of unconfined_domain(su) is to add two attributes to the su domain, mlstrustedsubject and unconfineddomain. These denote, respectively, all trusted subjects and all unconfined subjects in the system, so the su domain gains privileges comparable to those of the superuser in traditional systems. Although the rules give the su domain very broad privileges here, those privileges can equally be restricted by changing the rules. That is the strength of SELinux: any access permission can be adjusted flexibly through configuration files. Of course, this also demands more of system administrators. So usually we do not need to modify these configuration files in Android, but we do need to understand what they mean.

8. The file_contexts file

The file_contexts file holds the security-context definitions of all files in the system. Part of its content is shown below:

###########################################
# Root
/           u:object_r:rootfs:s0

# Data files
/adb_keys       u:object_r:adb_keys_file:s0
/default\.prop      u:object_r:rootfs:s0
/fstab\..*      u:object_r:rootfs:s0
/init\..*       u:object_r:rootfs:s0
/res(/.*)?      u:object_r:rootfs:s0
/ueventd\..*        u:object_r:rootfs:s0

# Executables
/charger        u:object_r:rootfs:s0
/init           u:object_r:rootfs:s0
/sbin(/.*)?     u:object_r:rootfs:s0

# Empty directories
/lost\+found        u:object_r:rootfs:s0
/proc           u:object_r:rootfs:s0

# SELinux policy files
/file_contexts      u:object_r:rootfs:s0
/property_contexts  u:object_r:rootfs:s0
/seapp_contexts     u:object_r:rootfs:s0
/sepolicy       u:object_r:rootfs:s0

##########################
# Devices
#
/dev(/.*)?      u:object_r:device:s0
/dev/akm8973.*      u:object_r:sensors_device:s0
/dev/accelerometer  u:object_r:sensors_device:s0
/dev/adf[0-9]*      u:object_r:graphics_device:s0
/dev/adf-interface[0-9]*\.[0-9]*    u:object_r:graphics_device:s0
/dev/adf-overlay-engine[0-9]*\.[0-9]*   u:object_r:graphics_device:s0
/dev/alarm      u:object_r:alarm_device:s0
/dev/android_adb.*  u:object_r:adb_device:s0
/dev/ashmem     u:object_r:ashmem_device:s0
/dev/audio.*        u:object_r:audio_device:s0
/dev/binder     u:object_r:binder_device:s0
/dev/block(/.*)?    u:object_r:block_device:s0
/dev/block/loop[0-9]*   u:object_r:loop_device:s0
/dev/block/ram[0-9]*    u:object_r:ram_device:s0
/dev/bus/usb(.*)?       u:object_r:usb_device:s0
/dev/cam        u:object_r:camera_device:s0
/dev/console        u:object_r:console_device:s0
/dev/cpuctl(/.*)?   u:object_r:cpuctl_device:s0
/dev/device-mapper  u:object_r:dm_device:s0
/dev/eac        u:object_r:audio_device:s0
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
/dev/full       u:object_r:full_device:s0
/dev/fuse       u:object_r:fuse_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
/dev/hw_random      u:object_r:hw_random_device:s0
/dev/input(/.*)     u:object_r:input_device:s0
/dev/iio:device[0-9]+   u:object_r:iio_device:s0
/dev/ion        u:object_r:ion_device:s0
/dev/kmem       u:object_r:kmem_device:s0
/dev/log(/.*)?      u:object_r:log_device:s0
/dev/mem        u:object_r:kmem_device:s0
/dev/modem.*        u:object_r:radio_device:s0
/dev/mpu        u:object_r:gps_device:s0
/dev/mpuirq     u:object_r:gps_device:s0
/dev/mtd(/.*)?      u:object_r:mtd_device:s0
/dev/mtp_usb        u:object_r:mtp_device:s0
/dev/pn544      u:object_r:nfc_device:s0
/dev/ppp        u:object_r:ppp_device:s0
/dev/ptmx       u:object_r:ptmx_device:s0
/dev/pvrsrvkm       u:object_r:gpu_device:s0
/dev/kmsg       u:object_r:kmsg_device:s0
/dev/null       u:object_r:null_device:s0
/dev/nvhdcp1        u:object_r:video_device:s0
/dev/random     u:object_r:random_device:s0
/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
/dev/rproc_user u:object_r:rpmsg_device:s0
/dev/snd(/.*)?      u:object_r:audio_device:s0
/dev/socket(/.*)?   u:object_r:socket_device:s0
/dev/socket/adbd    u:object_r:adbd_socket:s0
/dev/socket/dnsproxyd   u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate   u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
/dev/socket/gps     u:object_r:gps_socket:s0
/dev/socket/installd    u:object_r:installd_socket:s0
/dev/socket/lmkd        u:object_r:lmkd_socket:s0
/dev/logd_debug     u:object_r:logd_debug:s0
/dev/socket/logd    u:object_r:logd_socket:s0
/dev/socket/logdr   u:object_r:logdr_socket:s0
/dev/socket/logdw   u:object_r:logdw_socket:s0
/dev/socket/mdns    u:object_r:mdns_socket:s0
/dev/socket/mdnsd   u:object_r:mdnsd_socket:s0
/dev/socket/mtpd    u:object_r:mtpd_socket:s0
/dev/socket/netd    u:object_r:netd_socket:s0
/dev/socket/property_service    u:object_r:property_socket:s0
/dev/socket/racoon  u:object_r:racoon_socket:s0
/dev/socket/rild    u:object_r:rild_socket:s0
/dev/socket/rild-debug  u:object_r:rild_debug_socket:s0
/dev/socket/vold    u:object_r:vold_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote  u:object_r:zygote_socket:s0
/dev/socket/zygote_secondary    u:object_r:zygote_socket:s0
/dev/spdif_out.*    u:object_r:audio_device:s0
/dev/tegra.*        u:object_r:video_device:s0
/dev/tf_driver      u:object_r:tee_device:s0
/dev/tty        u:object_r:owntty_device:s0
/dev/tty[0-9]*      u:object_r:tty_device:s0
/dev/ttyS[0-9]*     u:object_r:serial_device:s0
/dev/tun        u:object_r:tun_device:s0
/dev/uhid       u:object_r:uhid_device:s0
/dev/uinput     u:object_r:uhid_device:s0
/dev/uio[0-9]*      u:object_r:uio_device:s0
/dev/urandom        u:object_r:urandom_device:s0
/dev/usb_accessory  u:object_r:usbaccessory_device:s0
/dev/vcs[0-9a-z]*   u:object_r:vcs_device:s0
/dev/video[0-9]*    u:object_r:video_device:s0
/dev/watchdog       u:object_r:watchdog_device:s0
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero       u:object_r:zero_device:s0
/dev/__kmsg__       u:object_r:klog_device:s0
/dev/__properties__ u:object_r:properties_device:s0
#############################
# System files
#
/system(/.*)?       u:object_r:system_file:s0
/system/bin/sh      --  u:object_r:shell_exec:s0
/system/bin/run-as  --  u:object_r:runas_exec:s0
/system/bin/bootanimation u:object_r:bootanim_exec:s0
/system/bin/app_process32   u:object_r:zygote_exec:s0
/system/bin/app_process64   u:object_r:zygote_exec:s0
/system/bin/servicemanager  u:object_r:servicemanager_exec:s0
/system/bin/surfaceflinger  u:object_r:surfaceflinger_exec:s0
/system/bin/drmserver   u:object_r:drmserver_exec:s0
/system/bin/dumpstate   u:object_r:dumpstate_exec:s0
/system/bin/vold    u:object_r:vold_exec:s0
/system/bin/netd    u:object_r:netd_exec:s0
/system/bin/rild    u:object_r:rild_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
/system/bin/mdnsd   u:object_r:mdnsd_exec:s0
/system/bin/installd    u:object_r:installd_exec:s0
/system/bin/keystore    u:object_r:keystore_exec:s0
/system/bin/debuggerd   u:object_r:debuggerd_exec:s0
/system/bin/debuggerd64 u:object_r:debuggerd_exec:s0
/system/bin/wpa_supplicant  u:object_r:wpa_exec:s0
/system/bin/sdcard      u:object_r:sdcardd_exec:s0
/system/bin/dhcpcd      u:object_r:dhcp_exec:s0
/system/bin/mtpd    u:object_r:mtp_exec:s0
/system/bin/pppd    u:object_r:ppp_exec:s0
/system/bin/tf_daemon   u:object_r:tee_exec:s0
/system/bin/racoon  u:object_r:racoon_exec:s0
/system/xbin/su     u:object_r:su_exec:s0
/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
/system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
/system/bin/hostapd     u:object_r:hostapd_exec:s0
/system/bin/clatd   u:object_r:clatd_exec:s0
/system/bin/lmkd        u:object_r:lmkd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd        u:object_r:logd_exec:s0
/system/bin/uncrypt     u:object_r:uncrypt_exec:s0
/system/bin/logwrapper  u:object_r:system_file:s0
/system/bin/vdc         u:object_r:vdc_exec:s0
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat     u:object_r:dex2oat_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat    u:object_r:dex2oat_exec:s0

#############################
# Vendor files
#
/vendor(/.*)?       u:object_r:system_file:s0
/vendor/bin/gpsd    u:object_r:gpsd_exec:s0
#############################
# Data files
#
/data(/.*)?     u:object_r:system_data_file:s0
/data/.layout_version       u:object_r:install_data_file:s0
/data/backup(/.*)?      u:object_r:backup_data_file:s0
/data/secure/backup(/.*)?   u:object_r:backup_data_file:s0
/data/security(/.*)?    u:object_r:security_file:s0
/data/system/ndebugsocket   u:object_r:system_ndebug_socket:s0
/data/drm(/.*)?     u:object_r:drm_data_file:s0
/data/gps(/.*)?     u:object_r:gps_data_file:s0
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
/data/anr(/.*)?     u:object_r:anr_data_file:s0
/data/app(/.*)?                       u:object_r:apk_data_file:s0
/data/app/vmdl.*\.tmp(/.*)?           u:object_r:apk_tmp_file:s0
/data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
/data/tombstones(/.*)?  u:object_r:tombstone_data_file:s0
/data/local/tmp(/.*)?   u:object_r:shell_data_file:s0
/data/media(/.*)?   u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)?    u:object_r:media_data_file:s0
/data/property(/.*)?    u:object_r:property_data_file:s0

# Misc data
/data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
/data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
/data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
/data/misc/bluedroid(/.*)?      u:object_r:bluetooth_data_file:s0
/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
/data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
/data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
/data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
/data/misc/media(/.*)?          u:object_r:media_data_file:s0
/data/misc/net(/.*)?            u:object_r:net_data_file:s0
/data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
/data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
/data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
/data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
/data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0

# Wallpaper file for other users
/data/system/users/[0-9]+/wallpaper     u:object_r:wallpaper_file:s0
#############################
# efs files
#
/efs(/.*)?      u:object_r:efs_file:s0
#############################
# Cache files
#
/cache(/.*)?        u:object_r:cache_file:s0
/cache/.*\.data u:object_r:cache_backup_file:s0
/cache/.*\.restore  u:object_r:cache_backup_file:s0
# LocalTransport (backup) uses this directory
/cache/backup(/.*)? u:object_r:cache_backup_file:s0
#############################
# sysfs files
#
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
/sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
/sys/kernel/uevent_helper --    u:object_r:usermodehelper:s0
/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0

#############################
# asec containers
/mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
/mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
/mnt/asec/[^/]+/lib(/.*)?   u:object_r:asec_public_file:s0
/data/app-asec(/.*)?        u:object_r:asec_image_file:s0

The format of file_contexts is fairly simple: the first part of each line is the file path and the rest is its security context definition. As the listing shows, the path part also supports wildcards.
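As an added example (not code from the article or from AOSP), the following Python parses a constructed, abridged excerpt of the file_contexts listing above and reproduces the lookup that libselinux performs at labeling time: every path pattern is a regular expression anchored at both ends, the optional middle field (`--` and friends) restricts an entry to one file kind, and when several entries match, the last one in the file wins.

```python
import re

# Constructed, abridged excerpt of the file_contexts listing above.
# An entry is: <path regex> [<file kind>] <security context>. The optional
# middle field restricts the entry to one kind of file: "--" regular file,
# "-d" directory, "-s" socket, "-l" symlink, "-c"/"-b" char/block device,
# "-p" fifo. The path is a regular expression, hence the escaped dots.
FILE_CONTEXTS = r"""
/                      u:object_r:rootfs:s0
/default\.prop         u:object_r:rootfs:s0
/dev(/.*)?             u:object_r:device:s0
/dev/socket(/.*)?      u:object_r:socket_device:s0
/dev/socket/adbd       u:object_r:adbd_socket:s0
/system(/.*)?          u:object_r:system_file:s0
/system/bin/sh      -- u:object_r:shell_exec:s0
/system/xbin/su        u:object_r:su_exec:s0
/data(/.*)?            u:object_r:system_data_file:s0
/data/local/tmp(/.*)?  u:object_r:shell_data_file:s0
/data/app/vmdl.*\.tmp(/.*)?  u:object_r:apk_tmp_file:s0
"""

FILE_KIND_FLAGS = {"--": "file", "-d": "dir", "-s": "sock", "-l": "lnk",
                   "-c": "chr", "-b": "blk", "-p": "fifo"}


def parse_file_contexts(text):
    """Return a list of (compiled regex, required file kind or None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, context = fields
            kind = FILE_KIND_FLAGS[flag]
        elif len(fields) == 2:
            pattern, context = fields
            kind = None
        else:
            raise ValueError("malformed entry: " + raw)
        # libselinux anchors each pattern at both ends before compiling it,
        # so "/dev(/.*)?" cannot match "/devices/...".
        specs.append((re.compile("^" + pattern + "$"), kind, context))
    return specs


def lookup_context(specs, path, kind="file"):
    """Context a file would receive at labeling time, or None if nothing matches.

    When several entries match, the LAST one in the file wins; that is why the
    broad "/dev(/.*)?" entry is listed before the specific "/dev/socket/adbd".
    """
    for regex, required_kind, context in reversed(specs):
        if required_kind not in (None, kind):
            continue
        if regex.match(path):
            return context
    return None


def matching_contexts(specs, path, kind="file"):
    """All contexts whose entries match, winning entry first: handy for spotting
    a new entry that silently overrides an earlier, broader one."""
    return [context for regex, required_kind, context in reversed(specs)
            if required_kind in (None, kind) and regex.match(path)]


SPECS = parse_file_contexts(FILE_CONTEXTS)

if __name__ == "__main__":
    for path, kind in (("/dev/socket/adbd", "sock"), ("/system/bin/sh", "file"),
                       ("/system/bin/sh", "dir"), ("/data/app/vmdl42.tmp/base.apk", "file")):
        print(path, kind, "->", lookup_context(SPECS, path, kind))
```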

9. The property_contexts file

The property_contexts file holds the security-context definitions of all Android properties in the system. Its content is as follows:

##########################
# property service keys
#
#
net.rmnet               u:object_r:net_radio_prop:s0
net.gprs                u:object_r:net_radio_prop:s0
net.ppp                 u:object_r:net_radio_prop:s0
net.qmi                 u:object_r:net_radio_prop:s0
net.lte                 u:object_r:net_radio_prop:s0
net.cdma                u:object_r:net_radio_prop:s0
net.dns                 u:object_r:net_radio_prop:s0
sys.usb.config          u:object_r:system_radio_prop:s0
ril.                    u:object_r:radio_prop:s0
gsm.                    u:object_r:radio_prop:s0
persist.radio           u:object_r:radio_prop:s0

net.                    u:object_r:system_prop:s0
dev.                    u:object_r:system_prop:s0
runtime.                u:object_r:system_prop:s0
hw.                     u:object_r:system_prop:s0
sys.                    u:object_r:system_prop:s0
sys.powerctl            u:object_r:powerctl_prop:s0
service.                u:object_r:system_prop:s0
wlan.                   u:object_r:system_prop:s0
dhcp.                   u:object_r:dhcp_prop:s0
dhcp.bt-pan.result      u:object_r:pan_result_prop:s0
bluetooth.              u:object_r:bluetooth_prop:s0

debug.                  u:object_r:debug_prop:s0
debug.db.               u:object_r:debuggerd_prop:s0
log.                    u:object_r:shell_prop:s0
service.adb.root        u:object_r:shell_prop:s0
service.adb.tcp.port    u:object_r:shell_prop:s0

persist.audio.          u:object_r:audio_prop:s0
persist.logd.           u:object_r:logd_prop:s0
persist.sys.            u:object_r:system_prop:s0
persist.service.        u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security.       u:object_r:system_prop:s0

# selinux non-persistent properties
selinux.                u:object_r:security_prop:s0

# default property context
*                       u:object_r:default_prop:s0

# data partition encryption properties
vold.                   u:object_r:vold_prop:s0
crypto.                 u:object_r:vold_prop:s0

# ctl properties
ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_               u:object_r:ctl_fuse_prop:s0
ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0
ctl.ril-daemon          u:object_r:ctl_rildaemon_prop:s0
ctl.bugreport           u:object_r:ctl_bugreport_prop:s0
ctl.dhcpcd_bt-pan       u:object_r:ctl_dhcp_pan_prop:s0
ctl.                    u:object_r:ctl_default_prop:s0

# NFC properties
nfc.                    u:object_r:nfc_prop:s0

The format of property_contexts is equally simple: each line starts with a property name prefix, followed by the security context that applies to it.
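As an added example (not code from the article or from AOSP), the following Python reproduces the prefix lookup that libselinux's Android property backend applies to property_contexts (keys sorted longest-first, `*` as the catch-all) and then ties the resulting property type to a constructed set of property_service:set allow rules, so the labeling and the access decision can be seen together; the excerpt and the rule set are constructed.

```python
# Constructed, abridged excerpt of the property_contexts listing above.
# Each key is a prefix of the property name; "*" is the catch-all default.
PROPERTY_CONTEXTS = """
net.rmnet               u:object_r:net_radio_prop:s0
sys.usb.config          u:object_r:system_radio_prop:s0
persist.radio           u:object_r:radio_prop:s0
net.                    u:object_r:system_prop:s0
sys.                    u:object_r:system_prop:s0
sys.powerctl            u:object_r:powerctl_prop:s0
service.adb.root        u:object_r:shell_prop:s0
persist.sys.            u:object_r:system_prop:s0
persist.service.        u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
selinux.                u:object_r:security_prop:s0
# default property context
*                       u:object_r:default_prop:s0
ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
ctl.                    u:object_r:ctl_default_prop:s0
"""


def parse_property_contexts(text):
    """Return [(prefix, context)] in the order lookup must try them.

    libselinux sorts the keys longest-first and puts "*" last, so the most
    specific prefix wins regardless of the order of the lines in the file.
    """
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, context = line.split()
            specs.append((key, context))
    specs.sort(key=lambda kv: (kv[0] == "*", -len(kv[0])))
    return specs


def lookup_property(specs, name):
    """Security context of a property name: the first matching prefix after sorting."""
    for key, context in specs:
        if key == "*" or name.startswith(key):
            return context
    return None


def property_type(specs, name):
    """The type field of the property's context, e.g. 'shell_prop'."""
    return lookup_property(specs, name).split(":")[2]


def may_set(specs, allow_rules, domain, name):
    """Would 'domain' be allowed to set property 'name'?

    allow_rules is a constructed set of (source domain, property type) pairs
    standing for rules of the form: allow <domain> <type>:property_service set;
    """
    return (domain, property_type(specs, name)) in allow_rules


SPECS = parse_property_contexts(PROPERTY_CONTEXTS)

# Constructed rules: shell may set its own props, init and system_server
# may set system and power-control props.
ALLOW_SET = {("shell", "shell_prop"), ("shell", "debug_prop"),
             ("init", "system_prop"), ("init", "powerctl_prop"),
             ("system_server", "system_prop"), ("system_server", "powerctl_prop")}

if __name__ == "__main__":
    for name in ("sys.powerctl", "sys.usb.config", "sys.boot_completed",
                 "persist.service.bdroid.version", "foo.bar"):
        print(name, "->", lookup_property(SPECS, name))
    print("shell may set service.adb.root:", may_set(SPECS, ALLOW_SET, "shell", "service.adb.root"))
    print("shell may set sys.powerctl:", may_set(SPECS, ALLOW_SET, "shell", "sys.powerctl"))
```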

Reference

The various policy files of SEAndroid (SEAndroid的各种策略文件)

Shared from the author's personal site/blog. Originally published: 2016.10.18.
