SE Linux Policy Information Thread

moonbutt74
(Last edited by moonbutt74; 2nd September 2014 at 06:20 PM.)
#1  

Okay, so this will be dedicated to what information I can find on understanding and defining sepolicy, really for any device. It's not meant to be a Q&A but as an evolving source of reference. The approach towards the gathering of the information will be in a pick and pack format. Anyone who's ever worked in a warehouse will know how that is.

Skipping through rationale, selling points, and philosophy, here is the first bit of info I've been wanting to know for a while. And maybe it will help with cm11.

from this site - http://events.linuxfoundation.org/si...id_smalley.pdf

Quote:
SELinux Labeling:
• Each process and object is labeled with a security context.
  – A string of the form “user:role:type:level”.
  – Only the type field is used in AOSP presently.
• Process types are also called domains.
• Domains and types are security equivalence classes.
  – Identifiers for processes and objects in policy.
  – Same domain/type => same access.

SELinux Policy:
• The security policy configuration defines:
  – how to label processes and objects with domains and types,
  – how domains can interact with each other (e.g. signals, IPC, ptrace), and how domains can access types.
• No processes are exempt from the policy.
  – Not overridden by uid-0 or Linux capabilities.
  – Only notion of “unconfined” is policy-defined.

SELinux Possible States
• Disabled = Not enabled in the kernel or disabled via kernel parameter.
• Permissive = Just logs denials but does not enforce them.
• Enforcing = Logs and enforces denials for all enforcing domains (processes).

Per-Domain Permissive
  – Permissive for specific domains (processes).
  – Specified in policy on a per-domain basis.
  – Enables incremental application of SELinux to an ever increasing portion of the system.
  – Enables policy development for new services and apps while keeping the rest of the system enforcing.
?quam similis est corvum e scrinium
DVDA DEV-HOST Include Syntax Mount Options

Kernel Sources Samsung Galaxy Tab 3 10.1
5210 Kernel Source 5200 Kernel Source 5220 Kernel Source
moonbutt74
(Last edited by moonbutt74; 2nd September 2014 at 04:37 PM.)
#2  
The state of SELinux in...

AOSP
Quote:
Android 4.2 or earlier: Disabled.

Android 4.3: Permissive.

With all domains permissive + unconfined.

Android 4.4: Enforcing. Enforcing for installd, netd, vold, and zygote.

Permissive for app domains (logging denials).
Permissive + unconfined for all other domains.

Samsung Knox
Quote:
First included in Galaxy S4 (4.2.2) but in permissive by default.

4.3 and later updates switched to enforcing mode.

No permissive domains (all enforcing).

Only kernel and init domains are unconfined.

Policy originally derived from our policy, but customized by Samsung
 
moonbutt74
#3  
On-Device Policy Files

/sepolicy: Kernel binary policy
/file_contexts: File security contexts
/property_contexts: Property security contexts
/seapp_contexts: App security contexts
/system/etc/security/mac_permissions.xml: App certificate to seinfo mapping

On mac_permissions.xml
● At build time, mac_permissions.xml signature tag names (e.g. @platform) are rewritten to the actual certificate value extracted from .pem file specified by external/sepolicy/keys.conf.
● build/tools/releasetools/sign_target_files_apks rewrites mac_permissions.xml with updated certificate values for new keys.


System Apps by Certificate
● mac_permissions.xml:
    <signer signature="@platform">
      <seinfo value="platform" />
    </signer>

seapp_contexts:
    user=_app seinfo=platform domain=platform_app type=app_data_file
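The certificate-to-domain mapping described in post #3, as an added Python example that is not part of the original posts, the quoted slides, or AOSP code. It models the build-time rewrite of @platform and the lookup from signing certificate to seinfo to domain/type. The function names, the <policy> wrapper element, the placeholder certificate hex, the second seapp_contexts rule, and the rule that an entry naming seinfo wins over one that does not are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from a real device or build.
KEYS = {"@platform": "308201a5deadbeef"}  # placeholder hex standing in for the .pem certificate
MAC_PERMISSIONS = """<policy>
  <signer signature="@platform">
    <seinfo value="platform" />
  </signer>
</policy>"""
# The second rule is an assumed fallback for apps whose certificate matches no signer.
SEAPP_CONTEXTS = """\
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app domain=untrusted_app type=app_data_file
"""

def rewrite_signatures(xml_text, keys):
    """Build-time step: replace tag names such as @platform with certificate values."""
    root = ET.fromstring(xml_text)
    for signer in root.iter("signer"):
        tag = signer.get("signature", "")
        if tag.startswith("@"):
            signer.set("signature", keys[tag])  # KeyError if no key is configured
    return root

def seinfo_for_cert(root, cert_hex):
    """Install-time step: map an app's signing certificate to its seinfo string."""
    for signer in root.iter("signer"):
        if signer.get("signature", "").lower() == cert_hex.lower():
            return signer.find("seinfo").get("value")
    return None  # no signer stanza matched this certificate

def parse_seapp_contexts(text):
    """Turn each 'key=value key=value' line into a dict, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(dict(field.split("=", 1) for field in line.split()))
    return rules

def resolve(rules, user, seinfo):
    """Return (domain, type); a rule that names seinfo beats one that does not."""
    matches = [r for r in rules
               if r.get("user") == user and r.get("seinfo") in (None, seinfo)]
    if not matches:
        return None
    best = max(matches, key=lambda r: "seinfo" in r)
    return best["domain"], best["type"]
```

An app signed with the platform certificate resolves to platform_app, while any other certificate yields no seinfo and falls through to the assumed untrusted_app rule.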