
SE Linux Policy Information Thread

2nd September 2014, 05:28 PM | #1 | moonbutt74 (OP)
Okay, so this will be dedicated to what information I can find on understanding and defining sepolicy, really for any device. It's not meant to be a Q&A but as an evolving source of reference. The approach towards the gathering of the information will be in a pick and pack format. Anyone who's ever worked in a warehouse will know how that is.

Skipping through rationale, selling points, and philosophy, here is the first bit of info I've been wanting to know for a while. And maybe it will help with cm11.

from this site - http://events.linuxfoundation.org/si...id_smalley.pdf

Quote:

SELinux Labeling:
• Each process and object is labeled with a security context.
  – A string of the form “user:role:type:level”.
  – Only the type field is used in AOSP presently.
• Process types are also called domains.
• Domains and types are security equivalence classes.
  – Identifiers for processes and objects in policy.
  – Same domain/type => same access.

SELinux Policy:
• The security policy configuration defines:
  – how to label processes and objects with domains and types,
  – how domains can interact with each other (e.g. signals, IPC, ptrace), and how domains can access types.
• No processes are exempt from the policy.
  – Not overridden by uid-0 or Linux capabilities.
  – Only notion of “unconfined” is policy-defined.

SELinux Possible States
• Disabled = Not enabled in the kernel or disabled via kernel parameter.
• Permissive = Just logs denials but does not enforce them.
• Enforcing = Logs and enforces denials for all enforcing domains (processes).

Per-Domain Permissive
  – Permissive for specific domains (processes).
  – Specified in policy on a per-domain basis.
  – Enables incremental application of SELinux to an ever increasing portion of the system.
  – Enables policy development for new services and apps while keeping the rest of the system enforcing.

Last edited by moonbutt74; 2nd September 2014 at 07:20 PM.

2nd September 2014, 05:35 PM | #2 | moonbutt74 (OP)
The state of SELinux in...
AOSP
Quote:

Android 4.2 or earlier: Disabled.

Android 4.3: Permissive.

With all domains permissive + unconfined.

Android 4.4: Enforcing. Enforcing for installd, netd, vold, and zygote.

Permissive for app domains (logging denials).
Permissive + unconfined for all other domains.


Samsung Knox
Quote:

First included in Galaxy S4 (4.2.2) but in permissive by default.

4.3 and later updates switched to enforcing mode.

No permissive domains (all enforcing).

Only kernel and init domains are unconfined.

Policy originally derived from our policy, but customized by Samsung

Last edited by moonbutt74; 2nd September 2014 at 05:37 PM.

2nd September 2014, 05:58 PM | #3 | moonbutt74 (OP)
On-Device Policy Files

/sepolicy: Kernel binary policy
/file_contexts: File security contexts
/property_contexts: Property security contexts
/seapp_contexts: App security contexts
/system/etc/security/mac_permissions.xml: App certificate to seinfo mapping

On mac_permissions.xml
● At build time, mac_permissions.xml signature tag names (e.g. @platform) are rewritten to the actual certificate value extracted from the .pem file specified by external/sepolicy/keys.conf.
● build/tools/releasetools/sign_target_files_apks rewrites mac_permissions.xml with updated certificate values for new keys.


System Apps by Certificate
● mac_permissions.xml:
    <signer signature="@platform">
      <seinfo value="platform" />
    </signer>

● seapp_contexts:
    user=_app seinfo=platform domain=platform_app type=app_data_file
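
The following is an added example, not part of the original posts or the quoted slides: a Python walk-through of how the two files in post #3 combine, with the signing certificate selecting an seinfo in mac_permissions.xml and user plus seinfo selecting the domain and data type in seapp_contexts. The certificate hex, the untrusted_app fallback entry and the "default" seinfo name are constructed assumptions, and matching is simplified to the user and seinfo selectors only.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs. The hex string stands in for the certificate
# value that the build writes in place of a tag such as @platform.
MAC_PERMISSIONS = """
<policy>
  <signer signature="308201aa"><seinfo value="platform" /></signer>
</policy>
"""
SEAPP_CONTEXTS = """
# constructed fallback entry for apps with no matching seinfo
user=_app domain=untrusted_app type=app_data_file
user=_app seinfo=platform domain=platform_app type=app_data_file
"""
SELECTORS = ("user", "seinfo")  # input keys; every other key is an output


def load_signers(xml_text):
    """Map certificate hex -> seinfo value from mac_permissions.xml."""
    root = ET.fromstring(xml_text)
    return {s.get("signature").lower(): s.find("seinfo").get("value")
            for s in root.iter("signer")}


def load_seapp(text):
    """Parse seapp_contexts into a list of (selectors, outputs) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pairs = dict(tok.split("=", 1) for tok in line.split())
        sel = {k: v for k, v in pairs.items() if k in SELECTORS}
        out = {k: v for k, v in pairs.items() if k not in SELECTORS}
        rules.append((sel, out))
    # More selectors means more specific, so those entries are tried first.
    return sorted(rules, key=lambda r: -len(r[0]))


def resolve(user, cert_hex, signers, rules):
    """Return (seinfo, domain, type) for an app, or None if nothing matches."""
    seinfo = signers.get(cert_hex.lower(), "default")  # assumed fallback name
    facts = {"user": user, "seinfo": seinfo}
    for sel, out in rules:
        if all(facts[k] == v for k, v in sel.items()):
            return seinfo, out.get("domain"), out.get("type")
    return None
```

An app signed with the listed certificate resolves to platform_app, while the same user with any other certificate falls through to the less specific entry.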