S009 The various policy files defined in SEAndroid

The external/sepolicy directory holds many SELinux policy definition files, and a device-specific directory such as device/lge/mako/sepolicy holds further policy files that serve as the policy definitions for that particular device model.

Overview of the files

  1. roles: role definitions
  2. users: SELinux user definitions
  3. attributes: all the attributes a type may carry
  4. security_classes: all object classes
  5. access_vectors: all permitted operations (permissions)
  6. *.te: type enforcement rule files
  7. te_macros: the TE macro definition file
  8. file_contexts: labels for the files in the file system
  9. genfs_contexts: rules that set the security context of virtual file systems
  10. mac_permissions.xml: assigns a different seinfo string to apps according to their signing certificate; this seinfo is not itself the Type in a security context, it is the key used to look up the corresponding Type in another file, external/sepolicy/seapp_contexts
  11. seapp_contexts: defines the Type of apps
  12. service_contexts: when a system service starts, its context is set by matching its name against the entries in service_contexts
  13. initial_sid_contexts
  14. port_contexts
  15. property_contexts

1. The role definition file: roles

The role definition file defines the roles of the SELinux system. The contents of roles are:

role r;
role r types domain;

This shows that SEAndroid actually defines only one role, r.

2. The user definition file: users

The user definition file defines users. As introduced earlier, SELinux can have three kinds of user, but SEAndroid defines only one, u. The contents of the users file are:

user u roles { r } level s0 range s0 - mls_systemhigh;

Since SEAndroid currently defines only one user and one role, neither is of much practical use for now.

3. The attribute definition file: attributes

The attributes file defines every attribute value that type definitions can use, as shown below:

######################################
# Attribute declarations
#

# All types used for devices.
attribute dev_type;

# All types used for processes.
attribute domain;

# All types used for filesystems.
attribute fs_type;

# All types used for context= mounts.
attribute contextmount_type;

# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
attribute file_type;

# All types used for domain entry points.
attribute exec_type;

# All types used for /data files.
attribute data_file_type;

# All types use for sysfs files.
attribute sysfs_type;

# Attribute used for all sdcards
attribute sdcard_type;

# All types used for nodes/hosts.
attribute node_type;

# All types used for network interfaces.
attribute netif_type;

# All types used for network ports.
attribute port_type;

# All types used for property service
attribute property_type;

# All types used for services managed by service_manager.
attribute service_manager_type;

# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down (all trusted subjects in the system)
attribute mlstrustedsubject;

# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher (all trusted objects in the system)
attribute mlstrustedobject;

# Domains that are allowed all permissions ("unconfined").
attribute unconfineddomain;

# All domains used for apps.
attribute appdomain;

# All domains used for apps with network access.
attribute netdomain;

# All domains used for apps with bluetooth access.
attribute bluetoothdomain;

# All domains used for binder service domains.
attribute binderservicedomain;

4. The class definition file: security_classes

Rule statements refer to object classes; the security_classes file defines every class used in the system, as shown below:

# FLASK

#
# Define the security object classes
#

# Classes marked as userspace are classes
# for userspace object managers

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

#
# userspace object manager classes
#

# passwd/chfn/chsh
class passwd            # userspace

# SE-X Windows stuff (more classes below)
class x_drawable        # userspace
class x_screen          # userspace
class x_gc          # userspace
class x_font            # userspace
class x_colormap        # userspace
class x_property        # userspace
class x_selection       # userspace
class x_cursor          # userspace
class x_client          # userspace
class x_device          # userspace
class x_server          # userspace
class x_extension       # userspace

# extended netlink sockets
class netlink_route_socket
class netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_ip6fw_socket
class netlink_dnrt_socket

class dbus          # userspace
class nscd          # userspace

# IPSec association
class association

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket

class appletalk_socket

class packet

# Kernel access key retention
class key

class context           # userspace

class dccp_socket

class memprotect

class db_database       # userspace
class db_table          # userspace
class db_procedure      # userspace
class db_column         # userspace
class db_tuple          # userspace
class db_blob           # userspace

# network peer labels
class peer

# Capabilities >= 32
class capability2

# More SE-X Windows stuff
class x_resource        # userspace
class x_event           # userspace
class x_synthetic_event     # userspace
class x_application_data    # userspace

# kernel services that need to override task security, e.g. cachefiles
class kernel_service

class tun_socket

# Still More SE-X Windows stuff
class x_pointer         # userspace
class x_keyboard        # userspace

# More Database stuff
class db_schema         # userspace
class db_view           # userspace
class db_sequence       # userspace
class db_language       # userspace

class binder
class zygote

# Property service
class property_service          # userspace

# Service manager
class service_manager           # userspace

# Keystore Key
class keystore_key              # userspace

# FLASK

The security_classes file is fairly long; only part of it is listed here. The class definitions are easy to understand: they are essentially a fine-grained categorization of system resources. When an object's type is defined, the attributes attached to it specify a fairly coarse range of objects; adding the object class to an allow rule narrows that range down considerably.

5. The operation definition file: access_vectors

The last element of an allow statement is the set of permitted operations, all of which are defined in access_vectors. Part of the file is shown below:

#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
    ioctl
    read
    write
    create
    getattr
    setattr
    lock
    relabelfrom
    relabelto
    append
    unlink
    link
    rename
    execute
    swapon
    quotaon
    mounton
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
    ioctl
    read
    write
    create
    getattr
    setattr
    lock
    relabelfrom
    relabelto
    append
# socket-specific
    bind
    connect
    listen
    accept
    getopt
    setopt
    shutdown
    recvfrom
    sendto
    recv_msg
    send_msg
    name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
    create
    destroy
    getattr
    setattr
    read
    write
    associate
    unix_read
    unix_write
}

#
#  Define a common prefix for userspace database object access vectors.
#

common database
{
    create
    drop
    getattr
    setattr
    relabelfrom
    relabelto
}

#
# Define a common prefix for pointer and keyboard access vectors.
#

common x_device
{
    getattr
    setattr
    use
    read
    write
    getfocus
    setfocus
    bell
    force_cursor
    freeze
    grab
    manage
    list_property
    get_property
    set_property
    add
    remove
    create
    destroy
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
    mount
    remount
    unmount
    getattr
    relabelfrom
    relabelto
    transition
    associate
    quotamod
    quotaget
}

class dir
inherits file
{
    add_name
    remove_name
    reparent
    search
    rmdir
    open
    audit_access
    execmod
}

class file
inherits file
{
    execute_no_trans
    entrypoint
    execmod
    open
    audit_access
}

class lnk_file
inherits file
{
    open
    audit_access
    execmod
}

class chr_file
inherits file
{
    execute_no_trans
    entrypoint
    execmod
    open
    audit_access
}

class blk_file
inherits file
{
    open
    audit_access
    execmod
}

class sock_file
inherits file
{
    open
    audit_access
    execmod
}

class fifo_file
inherits file
{
    open
    audit_access
    execmod
}

class fd
{
    use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
    connectto
    newconn
    acceptfrom
    node_bind
    name_connect
}

class udp_socket
inherits socket
{
    node_bind
}

class rawip_socket
inherits socket
{
    node_bind
}

class node
{
    tcp_recv
    tcp_send
    udp_recv
    udp_send
    rawip_recv
    rawip_send
    enforce_dest
    dccp_recv
    dccp_send
    recvfrom
    sendto
}

class netif
{
    tcp_recv
    tcp_send
    udp_recv
    udp_send
    rawip_recv
    rawip_send
    dccp_recv
    dccp_send
    ingress
    egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
    connectto
    newconn
    acceptfrom
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

class process
{
    fork
    transition
    sigchld # commonly granted from child to parent
    sigkill # cannot be caught or ignored
    sigstop # cannot be caught or ignored
    signull # for kill(pid, 0)
    signal  # all other signals
    ptrace
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    share
    getattr
    setexec
    setfscreate
    noatsecure
    siginh
    setrlimit
    rlimitinh
    dyntransition
    setcurrent
    execmem
    execstack
    execheap
    setkeycreate
    setsockcreate
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
    enqueue
}

class msg
{
    send
    receive
}

class shm
inherits ipc
{
    lock
}


#
# Define the access vector interpretation for the security server.
#

class security
{
    compute_av
    compute_create
    compute_member
    check_context
    load_policy
    compute_relabel
    compute_user
    setenforce     # was avc_toggle in system class
    setbool
    setsecparam
    setcheckreqprot
    read_policy
}


#
# Define the access vector interpretation for system operations.
#

class system
{
    ipc_info
    syslog_read
    syslog_mod
    syslog_console
    module_request
}

#
# Define the access vector interpretation for controling capabilies
#

class capability
{
    # The capabilities are defined in include/linux/capability.h
    # Capabilities >= 32 are defined in the capability2 class.
    # Care should be taken to ensure that these are consistent with
    # those definitions. (Order matters)

    chown
    dac_override
    dac_read_search
    fowner
    fsetid
    kill
    setgid
    setuid
    setpcap
    linux_immutable
    net_bind_service
    net_broadcast
    net_admin
    net_raw
    ipc_lock
    ipc_owner
    sys_module
    sys_rawio
    sys_chroot
    sys_ptrace
    sys_pacct
    sys_admin
    sys_boot
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
    mknod
    lease
    audit_write
    audit_control
    setfcap
}

class capability2
{
    mac_override    # unused by SELinux
    mac_admin   # unused by SELinux
    syslog
    wake_alarm
    block_suspend
}

#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
    passwd  # change another user passwd
    chfn    # change another user finger info
    chsh    # change another user shell
    rootok  # pam_rootok check (skip auth)
    crontab # crontab on another user
}

#
# SE-X Windows stuff
#
class x_drawable
{
    create
    destroy
    read
    write
    blend
    getattr
    setattr
    list_child
    add_child
    remove_child
    list_property
    get_property
    set_property
    manage
    override
    show
    hide
    send
    receive
}

class x_screen
{
    getattr
    setattr
    hide_cursor
    show_cursor
    saver_getattr
    saver_setattr
    saver_hide
    saver_show
}

class x_gc
{
    create
    destroy
    getattr
    setattr
    use
}

class x_font
{
    create
    destroy
    getattr
    add_glyph
    remove_glyph
    use
}

class x_colormap
{
    create
    destroy
    read
    write
    getattr
    add_color
    remove_color
    install
    uninstall
    use
}

class x_property
{
    create
    destroy
    read
    write
    append
    getattr
    setattr
}

class x_selection
{
    read
    write
    getattr
    setattr
}

class x_cursor
{
    create
    destroy
    read
    write
    getattr
    setattr
    use
}

class x_client
{
    destroy
    getattr
    setattr
    manage
}

class x_device
inherits x_device

class x_server
{
    getattr
    setattr
    record
    debug
    grab
    manage
}

class x_extension
{
    query
    use
}

class x_resource
{
    read
    write
}

class x_event
{
    send
    receive
}

class x_synthetic_event
{
    send
    receive
}

#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}

class netlink_firewall_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
    nlmsg_relay
    nlmsg_readpriv
    nlmsg_tty_audit
}

class netlink_ip6fw_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
    acquire_svc
    send_msg
}

# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
    getpwd
    getgrp
    gethost
    getstat
    admin
    shmempwd
    shmemgrp
    shmemhost
    getserv
    shmemserv
}

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
    sendto
    recvfrom
    setcontext
    polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

class packet
{
    send
    recv
    relabelto
    flow_in     # deprecated
    flow_out    # deprecated
    forward_in
    forward_out
}

class key
{
    view
    read
    write
    search
    link
    setattr
    create
}

class context
{
    translate
    contains
}

class dccp_socket
inherits socket
{
    node_bind
    name_connect
}

class memprotect
{
    mmap_zero
}

class db_database
inherits database
{
    access
    install_module
    load_module
    get_param   # deprecated
    set_param   # deprecated
}

class db_table
inherits database
{
    use     # deprecated
    select
    update
    insert
    delete
    lock
}

class db_procedure
inherits database
{
    execute
    entrypoint
    install
}

class db_column
inherits database
{
    use     # deprecated
    select
    update
    insert
}

class db_tuple
{
    relabelfrom
    relabelto
    use     # deprecated
    select
    update
    insert
    delete
}

class db_blob
inherits database
{
    read
    write
    import
    export
}

# network peer labels
class peer
{
    recv
}

class x_application_data
{
    paste
    paste_after_confirm
    copy
}

class kernel_service
{
    use_as_override
    create_files_as
}

class tun_socket
inherits socket
{
    attach_queue
}

class x_pointer
inherits x_device

class x_keyboard
inherits x_device

class db_schema
inherits database
{
    search
    add_name
    remove_name
}

class db_view
inherits database
{
    expand
}

class db_sequence
inherits database
{
    get_value
    next_value
    set_value
}

class db_language
inherits database
{
    implement
    execute
}

class binder
{
    impersonate
    call
    set_context_mgr
    transfer
}

class zygote
{
    specifyids
    specifyrlimits
    specifyinvokewith
    specifyseinfo
}

class property_service
{
    set
}

class service_manager
{
    add
    find
    list
}

class keystore_key
{
    test
    get
    insert
    delete
    exist
    saw
    reset
    password
    lock
    unlock
    zero
    sign
    verify
    grant
    duplicate
    clear_uid
    reset_uid
    sync_uid
    password_uid
}

access_vectors defines operations in two ways. The common statement defines a shared set of operations that is not restricted to any particular object class and can be inherited. The class statement, whose name must be an object class, defines operations that can only be used with that class; a class statement can inherit the operations defined by a common statement.
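As an added example (not code from the original post or from the AOSP policy tooling), the following Python parser implements the common/class/inherits syntax just described over a constructed excerpt of access_vectors, computes each class's effective permission set, and flags permissions that an allow rule names but the class does not define, which is what checkpolicy rejects when the policy is built.

```python
"""Effective permissions of SELinux object classes from access_vectors.

Added example: parses `common` and `class ... inherits ...` blocks and
checks allow-rule permissions against them.  The excerpt is constructed.
"""

# Constructed excerpt of access_vectors (a subset of the page's listing).
ACCESS_VECTORS = """
# common common_name { permission_name ... }
common file
{
    ioctl
    read
    write
    getattr
    setattr
    open
}

common socket
{
    read
    write
    bind
    connect
}

class dir
inherits file
{
    add_name
    search
    rmdir
}

class socket
inherits socket

class tcp_socket
inherits socket
{
    node_bind
    name_connect   # trailing comments occur in the real file too
}
"""


def _tokens(text):
    """Strip '#' comments and split into words, with braces as tokens."""
    code = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return code.replace("{", " { ").replace("}", " } ").split()


def parse_access_vectors(text):
    """Return (commons, classes), each mapping a name to its permission set."""
    commons, classes = {}, {}
    toks = _tokens(text)
    i = 0
    while i < len(toks):
        kw = toks[i]
        if kw not in ("common", "class") or i + 1 >= len(toks):
            raise ValueError(f"unexpected token {kw!r} at position {i}")
        name = toks[i + 1]
        i += 2
        perms = set()
        # Only a class may inherit, and only from an already-defined common.
        if kw == "class" and i < len(toks) and toks[i] == "inherits":
            parent = toks[i + 1]
            if parent not in commons:
                raise ValueError(f"class {name} inherits unknown common {parent}")
            perms |= commons[parent]
            i += 2
        if i < len(toks) and toks[i] == "{":
            try:
                end = toks.index("}", i)
            except ValueError:
                raise ValueError(f"unterminated block for {name}") from None
            perms.update(toks[i + 1:end])
            i = end + 1
        elif kw == "common":
            raise ValueError(f"common {name} must have a brace block")
        (commons if kw == "common" else classes)[name] = perms
    return commons, classes


def unknown_permissions(classes, cls, requested):
    """Permissions an allow rule names that the class does not define."""
    if cls not in classes:
        raise ValueError(f"unknown object class {cls!r}")
    return set(requested) - classes[cls]


if __name__ == "__main__":
    commons, classes = parse_access_vectors(ACCESS_VECTORS)
    for name in ("dir", "socket", "tcp_socket"):
        print(name, sorted(classes[name]))
    # "allow shell self:dir { read search ptrace };" would not compile:
    print(unknown_permissions(classes, "dir", ["read", "search", "ptrace"]))
```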

6. Type enforcement rule files

Every file in the directory ending in .te is a type enforcement (TE) rule file. Such a file consists mainly of two parts, type definitions and rule definitions. Consider the contents of su.te:

# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;

userdebug_or_eng(`
  # Domain used for su processes, as well as for adbd and adb shell
  # after performing an adb root command.  The domain definition is
  # wrapped to ensure that it does not exist at all on -user builds.
  type su, domain;
  domain_auto_trans(shell, su_exec, su)

  # Allow dumpstate to call su on userdebug / eng builds to collect
  # additional information.
  domain_auto_trans(dumpstate, su_exec, su)

  # su is also permissive to permit setenforce.
  permissive su;

  # Add su to various domains
  net_domain(su)
  app_domain(su)

  dontaudit su self:capability_class_set *;
  dontaudit su kernel:security *;
  dontaudit su kernel:system *;
  dontaudit su self:memprotect *;
  dontaudit su domain:process *;
  dontaudit su domain:fd *;
  dontaudit su domain:dir *;
  dontaudit su domain:lnk_file *;
  dontaudit su domain:{ fifo_file file } *;
  dontaudit su domain:socket_class_set *;
  dontaudit su domain:ipc_class_set *;
  dontaudit su domain:key *;
  dontaudit su fs_type:filesystem *;
  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
  dontaudit su node_type:node *;
  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
  dontaudit su netif_type:netif *;
  dontaudit su port_type:socket_class_set *;
  dontaudit su port_type:{ tcp_socket dccp_socket } *;
  dontaudit su domain:peer *;
  dontaudit su domain:binder *;
  dontaudit su property_type:property_service *;
')

su.te defines two types, su and su_exec: su is used in the security context of processes, and su_exec in the security context of files. su.te also calls two macros. domain_auto_trans, which we analysed earlier, specifies that when shell executes the su file the process transitions into the su domain; unconfined_domain defines the su domain as an unconfined domain.

7. The TE macro definition file: te_macros

The te_macros file defines the macros used in the TE rule files. domain_auto_trans was introduced earlier; now let us see how unconfined_domain is defined:

define(`unconfined_domain', `
typeattribute $1 mlstrustedsubject;
typeattribute $1 unconfineddomain;
')

unconfined_domain uses the typeattribute statement. typeattribute assigns attributes to a type: we know that attributes can be listed after commas when a type is defined, and typeattribute adds attributes to a type that has already been defined. So the result of unconfined_domain(su) is that the su domain gains the two attributes mlstrustedsubject and unconfineddomain. These represent, respectively, all trusted subjects in the system and all unconfined domains, so the su domain ends up with privileges resembling those of the superuser in earlier systems. Although the rules grant the su domain very broad privileges here, those privileges can equally be restricted by changing the rules. That is the strength of SELinux: any access permission can be adjusted flexibly through the configuration files. Of course, this also demands more of the system administrator. Normally we do not need to modify these configuration files in Android, but we do need to understand what they mean.

8. The file_contexts file

file_contexts holds the security-context definitions for all files in the system. Part of the file is shown below:

###########################################
# Root
/           u:object_r:rootfs:s0

# Data files
/adb_keys       u:object_r:adb_keys_file:s0
/default\.prop      u:object_r:rootfs:s0
/fstab\..*      u:object_r:rootfs:s0
/init\..*       u:object_r:rootfs:s0
/res(/.*)?      u:object_r:rootfs:s0
/ueventd\..*        u:object_r:rootfs:s0

# Executables
/charger        u:object_r:rootfs:s0
/init           u:object_r:rootfs:s0
/sbin(/.*)?     u:object_r:rootfs:s0

# Empty directories
/lost\+found        u:object_r:rootfs:s0
/proc           u:object_r:rootfs:s0

# SELinux policy files
/file_contexts      u:object_r:rootfs:s0
/property_contexts  u:object_r:rootfs:s0
/seapp_contexts     u:object_r:rootfs:s0
/sepolicy       u:object_r:rootfs:s0

##########################
# Devices
#
/dev(/.*)?      u:object_r:device:s0
/dev/akm8973.*      u:object_r:sensors_device:s0
/dev/accelerometer  u:object_r:sensors_device:s0
/dev/adf[0-9]*      u:object_r:graphics_device:s0
/dev/adf-interface[0-9]*\.[0-9]*    u:object_r:graphics_device:s0
/dev/adf-overlay-engine[0-9]*\.[0-9]*   u:object_r:graphics_device:s0
/dev/alarm      u:object_r:alarm_device:s0
/dev/android_adb.*  u:object_r:adb_device:s0
/dev/ashmem     u:object_r:ashmem_device:s0
/dev/audio.*        u:object_r:audio_device:s0
/dev/binder     u:object_r:binder_device:s0
/dev/block(/.*)?    u:object_r:block_device:s0
/dev/block/loop[0-9]*   u:object_r:loop_device:s0
/dev/block/ram[0-9]*    u:object_r:ram_device:s0
/dev/bus/usb(.*)?       u:object_r:usb_device:s0
/dev/cam        u:object_r:camera_device:s0
/dev/console        u:object_r:console_device:s0
/dev/cpuctl(/.*)?   u:object_r:cpuctl_device:s0
/dev/device-mapper  u:object_r:dm_device:s0
/dev/eac        u:object_r:audio_device:s0
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
/dev/full       u:object_r:full_device:s0
/dev/fuse       u:object_r:fuse_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
/dev/hw_random      u:object_r:hw_random_device:s0
/dev/input(/.*)     u:object_r:input_device:s0
/dev/iio:device[0-9]+   u:object_r:iio_device:s0
/dev/ion        u:object_r:ion_device:s0
/dev/kmem       u:object_r:kmem_device:s0
/dev/log(/.*)?      u:object_r:log_device:s0
/dev/mem        u:object_r:kmem_device:s0
/dev/modem.*        u:object_r:radio_device:s0
/dev/mpu        u:object_r:gps_device:s0
/dev/mpuirq     u:object_r:gps_device:s0
/dev/mtd(/.*)?      u:object_r:mtd_device:s0
/dev/mtp_usb        u:object_r:mtp_device:s0
/dev/pn544      u:object_r:nfc_device:s0
/dev/ppp        u:object_r:ppp_device:s0
/dev/ptmx       u:object_r:ptmx_device:s0
/dev/pvrsrvkm       u:object_r:gpu_device:s0
/dev/kmsg       u:object_r:kmsg_device:s0
/dev/null       u:object_r:null_device:s0
/dev/nvhdcp1        u:object_r:video_device:s0
/dev/random     u:object_r:random_device:s0
/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
/dev/rproc_user u:object_r:rpmsg_device:s0
/dev/snd(/.*)?      u:object_r:audio_device:s0
/dev/socket(/.*)?   u:object_r:socket_device:s0
/dev/socket/adbd    u:object_r:adbd_socket:s0
/dev/socket/dnsproxyd   u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate   u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
/dev/socket/gps     u:object_r:gps_socket:s0
/dev/socket/installd    u:object_r:installd_socket:s0
/dev/socket/lmkd        u:object_r:lmkd_socket:s0
/dev/logd_debug     u:object_r:logd_debug:s0
/dev/socket/logd    u:object_r:logd_socket:s0
/dev/socket/logdr   u:object_r:logdr_socket:s0
/dev/socket/logdw   u:object_r:logdw_socket:s0
/dev/socket/mdns    u:object_r:mdns_socket:s0
/dev/socket/mdnsd   u:object_r:mdnsd_socket:s0
/dev/socket/mtpd    u:object_r:mtpd_socket:s0
/dev/socket/netd    u:object_r:netd_socket:s0
/dev/socket/property_service    u:object_r:property_socket:s0
/dev/socket/racoon  u:object_r:racoon_socket:s0
/dev/socket/rild    u:object_r:rild_socket:s0
/dev/socket/rild-debug  u:object_r:rild_debug_socket:s0
/dev/socket/vold    u:object_r:vold_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote  u:object_r:zygote_socket:s0
/dev/socket/zygote_secondary    u:object_r:zygote_socket:s0
/dev/spdif_out.*    u:object_r:audio_device:s0
/dev/tegra.*        u:object_r:video_device:s0
/dev/tf_driver      u:object_r:tee_device:s0
/dev/tty        u:object_r:owntty_device:s0
/dev/tty[0-9]*      u:object_r:tty_device:s0
/dev/ttyS[0-9]*     u:object_r:serial_device:s0
/dev/tun        u:object_r:tun_device:s0
/dev/uhid       u:object_r:uhid_device:s0
/dev/uinput     u:object_r:uhid_device:s0
/dev/uio[0-9]*      u:object_r:uio_device:s0
/dev/urandom        u:object_r:urandom_device:s0
/dev/usb_accessory  u:object_r:usbaccessory_device:s0
/dev/vcs[0-9a-z]*   u:object_r:vcs_device:s0
/dev/video[0-9]*    u:object_r:video_device:s0
/dev/watchdog       u:object_r:watchdog_device:s0
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero       u:object_r:zero_device:s0
/dev/__kmsg__       u:object_r:klog_device:s0
/dev/__properties__ u:object_r:properties_device:s0
#############################
# System files
#
/system(/.*)?       u:object_r:system_file:s0
/system/bin/sh      --  u:object_r:shell_exec:s0
/system/bin/run-as  --  u:object_r:runas_exec:s0
/system/bin/bootanimation u:object_r:bootanim_exec:s0
/system/bin/app_process32   u:object_r:zygote_exec:s0
/system/bin/app_process64   u:object_r:zygote_exec:s0
/system/bin/servicemanager  u:object_r:servicemanager_exec:s0
/system/bin/surfaceflinger  u:object_r:surfaceflinger_exec:s0
/system/bin/drmserver   u:object_r:drmserver_exec:s0
/system/bin/dumpstate   u:object_r:dumpstate_exec:s0
/system/bin/vold    u:object_r:vold_exec:s0
/system/bin/netd    u:object_r:netd_exec:s0
/system/bin/rild    u:object_r:rild_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
/system/bin/mdnsd   u:object_r:mdnsd_exec:s0
/system/bin/installd    u:object_r:installd_exec:s0
/system/bin/keystore    u:object_r:keystore_exec:s0
/system/bin/debuggerd   u:object_r:debuggerd_exec:s0
/system/bin/debuggerd64 u:object_r:debuggerd_exec:s0
/system/bin/wpa_supplicant  u:object_r:wpa_exec:s0
/system/bin/sdcard      u:object_r:sdcardd_exec:s0
/system/bin/dhcpcd      u:object_r:dhcp_exec:s0
/system/bin/mtpd    u:object_r:mtp_exec:s0
/system/bin/pppd    u:object_r:ppp_exec:s0
/system/bin/tf_daemon   u:object_r:tee_exec:s0
/system/bin/racoon  u:object_r:racoon_exec:s0
/system/xbin/su     u:object_r:su_exec:s0
/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
/system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
/system/bin/hostapd     u:object_r:hostapd_exec:s0
/system/bin/clatd   u:object_r:clatd_exec:s0
/system/bin/lmkd        u:object_r:lmkd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd        u:object_r:logd_exec:s0
/system/bin/uncrypt     u:object_r:uncrypt_exec:s0
/system/bin/logwrapper  u:object_r:system_file:s0
/system/bin/vdc         u:object_r:vdc_exec:s0
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat     u:object_r:dex2oat_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat    u:object_r:dex2oat_exec:s0

#############################
# Vendor files
#
/vendor(/.*)?       u:object_r:system_file:s0
/vendor/bin/gpsd    u:object_r:gpsd_exec:s0
#############################
# Data files
#
/data(/.*)?     u:object_r:system_data_file:s0
/data/.layout_version       u:object_r:install_data_file:s0
/data/backup(/.*)?      u:object_r:backup_data_file:s0
/data/secure/backup(/.*)?   u:object_r:backup_data_file:s0
/data/security(/.*)?    u:object_r:security_file:s0
/data/system/ndebugsocket   u:object_r:system_ndebug_socket:s0
/data/drm(/.*)?     u:object_r:drm_data_file:s0
/data/gps(/.*)?     u:object_r:gps_data_file:s0
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
/data/anr(/.*)?     u:object_r:anr_data_file:s0
/data/app(/.*)?                       u:object_r:apk_data_file:s0
/data/app/vmdl.*\.tmp(/.*)?           u:object_r:apk_tmp_file:s0
/data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
/data/tombstones(/.*)?  u:object_r:tombstone_data_file:s0
/data/local/tmp(/.*)?   u:object_r:shell_data_file:s0
/data/media(/.*)?   u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)?    u:object_r:media_data_file:s0
/data/property(/.*)?    u:object_r:property_data_file:s0

# Misc data
/data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
/data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
/data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
/data/misc/bluedroid(/.*)?      u:object_r:bluetooth_data_file:s0
/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
/data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
/data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
/data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
/data/misc/media(/.*)?          u:object_r:media_data_file:s0
/data/misc/net(/.*)?            u:object_r:net_data_file:s0
/data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
/data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
/data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
/data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
/data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0

# Wallpaper file for other users
/data/system/users/[0-9]+/wallpaper     u:object_r:wallpaper_file:s0
#############################
# efs files
#
/efs(/.*)?      u:object_r:efs_file:s0
#############################
# Cache files
#
/cache(/.*)?        u:object_r:cache_file:s0
/cache/.*\.data u:object_r:cache_backup_file:s0
/cache/.*\.restore  u:object_r:cache_backup_file:s0
# LocalTransport (backup) uses this directory
/cache/backup(/.*)? u:object_r:cache_backup_file:s0
#############################
# sysfs files
#
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
/sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
/sys/kernel/uevent_helper --    u:object_r:usermodehelper:s0
/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0

#############################
# asec containers
/mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
/mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
/mnt/asec/[^/]+/lib(/.*)?   u:object_r:asec_public_file:s0
/data/app-asec(/.*)?        u:object_r:asec_image_file:s0

The format of file_contexts is simple: the first part of each line is a file path pattern, and the rest is the security context assigned to it. As the listing shows, the path definitions support wildcards.
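Added example, not from the original post or from libselinux: a Python resolver for the file_contexts format above, run over a constructed excerpt of the listing. It assumes, consistent with the page's ordering of the generic /dev(/.*)? entry before /dev/binder, that the last matching entry wins, and it honours the `--` type field that limits an entry to regular files.

```python
"""Look up the label that file_contexts assigns to a path.

Added example.  Each entry is a regular expression anchored to the whole
path, an optional file-type field (`--` regular file, `-d` directory,
...), and a context.  Precedence is assumed to be "last match wins".
"""
import re
from collections import namedtuple

# Constructed excerpt of the file_contexts listed on the page.
FILE_CONTEXTS = r"""
# Root
/                   u:object_r:rootfs:s0
/sepolicy           u:object_r:rootfs:s0
# Devices
/dev(/.*)?          u:object_r:device:s0
/dev/binder         u:object_r:binder_device:s0
/dev/block(/.*)?    u:object_r:block_device:s0
/dev/block/loop[0-9]*   u:object_r:loop_device:s0
/dev/socket(/.*)?   u:object_r:socket_device:s0
/dev/socket/zygote  u:object_r:zygote_socket:s0
# System files
/system(/.*)?       u:object_r:system_file:s0
/system/bin/sh      --  u:object_r:shell_exec:s0
/system/xbin/su     u:object_r:su_exec:s0
# Data files
/data(/.*)?                 u:object_r:system_data_file:s0
/data/app(/.*)?             u:object_r:apk_data_file:s0
/data/app/vmdl.*\.tmp(/.*)? u:object_r:apk_tmp_file:s0
"""

# file_contexts type field -> the kind of inode the entry is limited to.
FTYPE_CODES = {"--": "reg", "-d": "dir", "-c": "chr", "-b": "blk",
               "-s": "sock", "-l": "lnk", "-p": "fifo"}

Spec = namedtuple("Spec", "pattern ftype context regex")


def parse_file_contexts(text):
    """Parse file_contexts text into a list of Spec, in file order."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FTYPE_CODES:
            pattern, ftype, context = fields[0], FTYPE_CODES[fields[1]], fields[2]
        else:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        # A context is at least user:role:type:sensitivity.
        if context.count(":") < 3:
            raise ValueError(f"line {lineno}: bad context {context!r}")
        specs.append(Spec(pattern, ftype, context, re.compile(pattern)))
    return specs


def lookup(specs, path, ftype="reg"):
    """Return the context for `path` (an inode of kind `ftype`), else None."""
    found = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue            # e.g. the `--` entry labels regular files only
        if spec.regex.fullmatch(path):
            found = spec.context    # keep scanning: the last match wins
    return found


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for p in ("/dev/binder", "/dev/binder2", "/data/app/vmdl42.tmp/base.apk"):
        print(p, "->", lookup(specs, p))
    print("/system/bin/sh as a directory ->", lookup(specs, "/system/bin/sh", "dir"))
```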

9. The property_contexts file

property_contexts holds the security-context definitions for all Android system properties; its contents are:

##########################
# property service keys
#
#
net.rmnet               u:object_r:net_radio_prop:s0
net.gprs                u:object_r:net_radio_prop:s0
net.ppp                 u:object_r:net_radio_prop:s0
net.qmi                 u:object_r:net_radio_prop:s0
net.lte                 u:object_r:net_radio_prop:s0
net.cdma                u:object_r:net_radio_prop:s0
net.dns                 u:object_r:net_radio_prop:s0
sys.usb.config          u:object_r:system_radio_prop:s0
ril.                    u:object_r:radio_prop:s0
gsm.                    u:object_r:radio_prop:s0
persist.radio           u:object_r:radio_prop:s0

net.                    u:object_r:system_prop:s0
dev.                    u:object_r:system_prop:s0
runtime.                u:object_r:system_prop:s0
hw.                     u:object_r:system_prop:s0
sys.                    u:object_r:system_prop:s0
sys.powerctl            u:object_r:powerctl_prop:s0
service.                u:object_r:system_prop:s0
wlan.                   u:object_r:system_prop:s0
dhcp.                   u:object_r:dhcp_prop:s0
dhcp.bt-pan.result      u:object_r:pan_result_prop:s0
bluetooth.              u:object_r:bluetooth_prop:s0

debug.                  u:object_r:debug_prop:s0
debug.db.               u:object_r:debuggerd_prop:s0
log.                    u:object_r:shell_prop:s0
service.adb.root        u:object_r:shell_prop:s0
service.adb.tcp.port    u:object_r:shell_prop:s0

persist.audio.          u:object_r:audio_prop:s0
persist.logd.           u:object_r:logd_prop:s0
persist.sys.            u:object_r:system_prop:s0
persist.service.        u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security.       u:object_r:system_prop:s0

# selinux non-persistent properties
selinux.                u:object_r:security_prop:s0

# default property context
*                       u:object_r:default_prop:s0

# data partition encryption properties
vold.                   u:object_r:vold_prop:s0
crypto.                 u:object_r:vold_prop:s0

# ctl properties
ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_               u:object_r:ctl_fuse_prop:s0
ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0
ctl.ril-daemon          u:object_r:ctl_rildaemon_prop:s0
ctl.bugreport           u:object_r:ctl_bugreport_prop:s0
ctl.dhcpcd_bt-pan       u:object_r:ctl_dhcp_pan_prop:s0
ctl.                    u:object_r:ctl_default_prop:s0

# NFC properties
nfc.                    u:object_r:nfc_prop:s0

The format of property_contexts is just as simple: each line gives a property name prefix followed by the security context for every property that starts with it. Matching is by longest prefix, not by file order: `sys.powerctl` is listed after `sys.` yet still gets `powerctl_prop`, and `net.dns1` falls under `net.dns` before `net.`. The `*` entry is the fallback for any property no other line covers, which is why it can sit in the middle of the file without swallowing the entries below it. The type found here is what init's property service checks the caller's domain against before accepting a set request, so a prefix that is too broad quietly grants write access to every property beneath it.
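As an added example (again not code from the article), the Python below reproduces the lookup libselinux performs on this table: entries are sorted so that the longest key is tried first and `*` last, and a property name matches an entry when it begins with that entry's key. The table is a constructed subset of the lines quoted above, deliberately kept in file order to show that ordering is irrelevant. Later Android releases extended the format with extra columns (`exact`, `prefix` and a value type); this example handles only the two-column form shown here.

```python
from typing import List, Optional, Tuple

# Constructed sample: a subset of the property_contexts lines quoted above,
# kept in file order to show that the file order does not decide matches.
PROPERTY_CONTEXTS = """
net.dns                 u:object_r:net_radio_prop:s0
net.                    u:object_r:system_prop:s0
sys.                    u:object_r:system_prop:s0
sys.powerctl            u:object_r:powerctl_prop:s0
service.                u:object_r:system_prop:s0
service.adb.root        u:object_r:shell_prop:s0
persist.sys.            u:object_r:system_prop:s0
# default property context
*                       u:object_r:default_prop:s0
ctl.fuse_               u:object_r:ctl_fuse_prop:s0
ctl.                    u:object_r:ctl_default_prop:s0
"""

Spec = Tuple[str, str]  # (key prefix, security context)


def parse_property_contexts(text: str) -> List[Spec]:
    """Parse two-column property_contexts lines and order them as libselinux does."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"property_contexts line {lineno}: expected 2 fields, got {line!r}")
        specs.append((fields[0], fields[1]))
    # libselinux sorts the table: longest key first, the "*" wildcard last.
    specs.sort(key=lambda s: (s[0] == "*", -len(s[0])))
    return specs


def lookup_property_context(specs: List[Spec], name: str) -> Optional[str]:
    """Return the context whose key is the longest prefix of name ("*" as fallback)."""
    for key, context in specs:
        if key == "*" or name.startswith(key):
            return context
    return None  # only reachable when the table has no "*" entry


def explain(specs: List[Spec], name: str) -> List[str]:
    """Every key that would match name, most specific first.

    Handy when auditing why a property landed on an unexpected type: the first
    element is the winner, the rest are the broader entries it shadows.
    """
    return [key for key, _ in specs if key == "*" or name.startswith(key)]


def type_of(context: str) -> str:
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]


if __name__ == "__main__":
    specs = parse_property_contexts(PROPERTY_CONTEXTS)
    for name in ("net.dns1", "net.hostname", "sys.powerctl", "sys.boot_completed",
                 "ctl.fuse_sdcard", "ctl.start", "ro.build.type"):
        print(f"{name:20} -> {lookup_property_context(specs, name)}  via {explain(specs, name)}")
```

The `explain` helper is the check worth running after editing a device policy: if a newly added, more specific key does not appear first for the property you care about, the property is still being set under the broader type.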

References

The various policy files of SEAndroid (SEAndroid的各種策略文件)
