大家好,又见面了,我是你们的朋友全栈君。
开机启动 init 类 system/core/init/main.cpp
int main(int argc, char** argv) {
#if __has_feature(address_sanitizer)
__asan_set_error_report_callback(AsanReportCallback);
#endif
if (!strcmp(basename(argv[0]), "ueventd")) {
return ueventd_main(argc, argv);
}
if (argc > 1) {
if (!strcmp(argv[1], "subcontext")) {
android::base::InitLogging(argv, &android::base::KernelLogger);
const BuiltinFunctionMap& function_map = GetBuiltinFunctionMap();
return SubcontextMain(argc, argv, &function_map);
}
if (!strcmp(argv[1], "selinux_setup")) {
return SetupSelinux(argv);
}
if (!strcmp(argv[1], "second_stage")) {
return SecondStageMain(argc, argv);
}
}
return FirstStageMain(argc, argv);
}
这里关键执行 SetupSelinux 调用,函数在 system/core/init/selinux.cpp 类中,这个类主要是初始化的 SELinux 操作。
SetupSelinux 函数中关注 SelinuxInitialize 函数,执行加载 policy 和设置 selinux 默认值。
enum EnforcingStatus { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
// 根据系统 androidboot.selinux k-v判断是否是关闭 selinux
EnforcingStatus StatusFromCmdline() {
EnforcingStatus status = SELINUX_ENFORCING;
ImportKernelCmdline([&](const std::string& key, const std::string& value) {
if (key == "androidboot.selinux" && value == "permissive") {
status = SELINUX_PERMISSIVE;
}
});
return status;
}
// 判断 selinux 状态
bool IsEnforcing() {
if (ALLOW_PERMISSIVE_SELINUX) {
return StatusFromCmdline() == SELINUX_ENFORCING;
}
return true;
}
void SelinuxInitialize() {
LOG(INFO) << "Loading SELinux policy";
if (!LoadPolicy()) {
LOG(FATAL) << "Unable to load SELinux policy";
}
bool kernel_enforcing = (security_getenforce() == 1);
bool is_enforcing = IsEnforcing();
if (kernel_enforcing != is_enforcing) {
// 设置 selinux 开启关闭
if (security_setenforce(is_enforcing)) {
PLOG(FATAL) << "security_setenforce(" << (is_enforcing ? "true" : "false")
<< ") failed";
}
}
if (auto result = WriteFile("/sys/fs/selinux/checkreqprot", "0"); !result.ok()) {
LOG(FATAL) << "Unable to write to /sys/fs/selinux/checkreqprot: " << result.error();
}
}
security_setenforce 函数是 libselinux 库中,代码路径 external/selinux/libselinux/src/setenforce.c
int security_setenforce(int value)
{
int fd, ret;
char path[PATH_MAX];
char buf[20];
if (!selinux_mnt) {
errno = ENOENT;
return -1;
}
snprintf(path, sizeof path, "%s/enforce", selinux_mnt);
fd = open(path, O_RDWR | O_CLOEXEC);
if (fd < 0)
return -1;
snprintf(buf, sizeof buf, "%d", value);
ret = write(fd, buf, strlen(buf));
close(fd);
if (ret < 0)
return -1;
return 0;
}
向对应节点写入数据。 selinux_mnt 定义在 external/selinux/libselinux/src/policy.h 中
/* Preferred selinux mount location */
#define SELINUXMNT "/sys/fs/selinux"
#define OLDSELINUXMNT "/selinux"
/* selinuxfs mount point */
extern char *selinux_mnt;
#define FILECONTEXTS "/etc/security/selinux/file_contexts"
#define DEFAULT_POLICY_VERSION 15
#endif
在 external/selinux/libselinux/src/init.c 中赋的值
/* 验证selinux文件系统的装载点是否具有selinuxfs。
*如果文件系统存在
*安装了selinux文件系统,
*文件系统是可读/写的
*然后将其设置为默认文件系统。
*/
static int verify_selinuxmnt(const char *mnt)
{
struct statfs sfbuf;
int rc;
do {
rc = statfs(mnt, &sfbuf);
} while (rc < 0 && errno == EINTR);
if (rc == 0) {
if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
struct statvfs vfsbuf;
rc = statvfs(mnt, &vfsbuf);
if (rc == 0) {
if (!(vfsbuf.f_flag & ST_RDONLY)) {
// 进行赋值
set_selinuxmnt(mnt);
}
return 0;
}
}
}
return -1;
}
...
static void init_selinuxmnt(void)
{
char *buf = NULL, *p;
FILE *fp = NULL;
size_t len;
ssize_t num;
if (selinux_mnt)
return;
// 优先 SELINUXMNT 值,在 external/selinux/libselinux/src/policy.h 中声明定义
if (verify_selinuxmnt(SELINUXMNT) == 0) return;
if (verify_selinuxmnt(OLDSELINUXMNT) == 0) return;
...
}
...
void set_selinuxmnt(const char *mnt)
{
// 最终赋值
selinux_mnt = strdup(mnt);
}
即 selinux_mnt 这个目录路径等于 /sys/fs/selinux 。设置 selinux 值向节点 /sys/fs/selinux/enforce
中写入值,通过这个节点值的读写和驱动关联起来。kernel 层通过节点的写入读出执行相应操作。
节点的相关操作类 kernel/msm-4.19/security/selinux/selinuxfs.c
static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
{
struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
char tmpbuf[TMPBUFLEN];
ssize_t length;
length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
enforcing_enabled(fsi->state));
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
// 这个宏大致是表示 debug 版本
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
struct selinux_state *state = fsi->state;
char *page = NULL;
ssize_t length;
int old_value, new_value;
if (count >= PAGE_SIZE)
return -ENOMEM;
/* No partial writes. */
if (*ppos != 0)
return -EINVAL;
page = memdup_user_nul(buf, count);
if (IS_ERR(page))
return PTR_ERR(page);
length = -EINVAL;
if (sscanf(page, "%d", &new_value) != 1)
goto out;
new_value = !!new_value;
old_value = enforcing_enabled(state);
if (new_value != old_value) {
length = avc_has_perm(&selinux_state,
current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__SETENFORCE,
NULL);
if (length)
goto out;
audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
"enforcing=%d old_enforcing=%d auid=%u ses=%u"
" enabled=%d old-enabled=%d lsm=selinux res=1",
new_value, old_value,
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current),
selinux_enabled, selinux_enabled);
enforcing_set(state, new_value);
if (new_value)
avc_ss_reset(state->avc, 0);
selnl_notify_setenforce(new_value);
selinux_status_update_setenforce(state, new_value);
if (!new_value)
call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
}
length = count;
out:
kfree(page);
return length;
}
#else
#define sel_write_enforce NULL
#endif
static const struct file_operations sel_enforce_ops = {
.read = sel_read_enforce,
.write = sel_write_enforce,
.llseek = generic_file_llseek,
};
读取文件时执行 sel_read_enforce ,写入时执行 sel_write_enforce
读取函数比较简单,通过 enforcing_enabled 获取,enforcing_enabled 函数包括下面 write 中的相关函数 enforcing_set 都在文件 kernel/msm-4.19/security/selinux/include/security.h 中。
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
static inline bool enforcing_enabled(struct selinux_state *state)
{
return state->enforcing;
}
static inline void enforcing_set(struct selinux_state *state, bool value)
{
state->enforcing = value;
}
#else
static inline bool enforcing_enabled(struct selinux_state *state)
{
return true;
}
static inline void enforcing_set(struct selinux_state *state, bool value)
{
}
#endif
这里也是通过 CONFIG_SECURITY_SELINUX_DEVELOP 宏进行区分,user版本无法进行设置修改的意思。
enforcing_enabled 主要作用在avc判断上,源码文件 kernel/msm-4.19/security/selinux/avc.c
static noinline int avc_denied(struct selinux_state *state,
u32 ssid, u32 tsid,
u16 tclass, u32 requested,
u8 driver, u8 xperm, unsigned int flags,
struct av_decision *avd)
{
audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR, " TEST %d", flags);
if (flags & AVC_STRICT)
return -EACCES;
if (enforcing_enabled(state) &&
!(avd->flags & AVD_FLAGS_PERMISSIVE))
return -EACCES;
avc_update_node(state->avc, AVC_CALLBACK_GRANT, requested, driver,
xperm, ssid, tsid, tclass, avd->seqno, NULL, flags);
return 0;
}
在这里通过判断是否执行 avc denied ,然后执行授权 AVC_CALLBACK_GRANT 。
system/bin 目录下有 setenforce 和 getenforce 两个可执行文件,相关源码位于
external/toybox/toys/android/setenforce.c
void setenforce_main(void)
{
char *new = *toys.optargs;
int state, ret;
if (!is_selinux_enabled()) error_exit("SELinux is disabled");
else if (!strcmp(new, "1") || !strcasecmp(new, "enforcing")) state = 1;
else if (!strcmp(new, "0") || !strcasecmp(new, "permissive")) state = 0;
else error_exit("Invalid state: %s", new);
ret = security_setenforce(state);
if (ret == -1) perror_msg("Couldn't set enforcing status to '%s'", new);
}
这里的 security_setenforce 函数即调用的上面的 libselinux 库中函数,流程一致
external/toybox/toys/android/getenforce.c
void getenforce_main(void)
{
if (!is_selinux_enabled()) puts("Disabled");
else {
int ret = security_getenforce();
if (ret == -1) perror_exit("Couldn't get enforcing status");
else puts(ret ? "Enforcing" : "Permissive");
}
}
同样的,这里 security_getenforce 也是调用的 libselinux 库,对应的源码 external/selinux/libselinux/src/getenforce.c 中函数
int security_getenforce(void)
{
int fd, ret, enforce = 0;
char path[PATH_MAX];
char buf[20];
if (!selinux_mnt) {
errno = ENOENT;
return -1;
}
snprintf(path, sizeof path, "%s/enforce", selinux_mnt);
fd = open(path, O_RDONLY | O_CLOEXEC);
if (fd < 0)
return -1;
memset(buf, 0, sizeof buf);
ret = read(fd, buf, sizeof buf - 1);
close(fd);
if (ret < 0)
return -1;
if (sscanf(buf, "%d", &enforce) != 1)
return -1;
return !!enforce;
}
对节点 sys/fs/selinux/enforce 进行读取。
由于这个 sys/fs/selinux/enforce 节点权限是 600 的,所以必须是 root 后才能操作。
发布者:全栈程序员栈长,转载请注明出处:https://javaforall.cn/153555.html原文链接:https://javaforall.cn