Android SELinux in depth [4]: adding service labels
In day-to-day work, the following SELinux files are the ones commonly used to add new labels:
| File used for labeling | Meaning | Declaration file (where the type is usually declared; strictly speaking it can go anywhere) |
|---|---|---|
| file_contexts | Adds labels to files, directories and device nodes | file.te |
| genfs_contexts | Adds labels to nodes; unlike file_contexts, no restorecon step is needed | file.te |
| hwservice_contexts | Adds labels to HAL services | hwservice.te |
| property_contexts | Adds labels to properties | property.te |
| seapp_contexts | Adds labels to apps | untrusted_app.te, app.te, etc. |
| service_contexts | Adds labels to system services | service.te |
A service type can be declared with the following attributes, explained below:
| Service type attribute | Explanation |
|---|---|
| system_server_service | All service_manager types created by system_server |
| app_api_service | services which should be available to all but isolated apps |
| ephemeral_app_api_service | services which should be available to all ephemeral apps |
| system_api_service | services which export only system_api |
| protected_service | services which are explicitly disallowed for untrusted apps to access |
| vendor_service | services which served by vendor and also using the copy of libbinder on system (for instance via libbinder_ndk). services using a different copy of libbinder currently need their own context manager (e.g. vndservicemanager) |
| service_manager_type | Because every system service is ultimately registered with and managed by servicemanager, every system service type declaration carries this attribute. |
The Android source contains many service label declarations, for example:
http://aospxref.com/android-12.0.0_r3/xref/system/sepolicy/public/service.te
There you can see the following kinds of declarations.
A service added directly to servicemanager:
type audioserver_service, service_manager_type;
A service created by system_server; a newly added Java-layer system service that is started by system_server is almost always declared like this:
type battery_service, system_server_service, service_manager_type;
A declaration carrying system_api_service means the service exposes only system API:
type adb_service, system_api_service, system_server_service, service_manager_type;
A declaration carrying app_api_service means every app other than isolated apps may access it:
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
HAL service declarations:
type hal_audio_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
sepolicy/public/service.te also contains a neverallow rule. It means that no domain may be granted add or find permission on a service whose type is neither service_manager_type nor vndservice_manager_type; if such a rule exists, policy compilation fails.
# servicemanager handles registering or looking up named services.
# It does not make sense to register or lookup something which is not a service.
# Trigger a compile error if this occurs.
neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
The type declaration of a service is closely tied to what the service does, so choose the attributes according to its function.
If you add a new Java system service, the declaration generally takes one of the following forms. It must carry system_server_service and service_manager_type; the other attributes depend on the case:
type xxx_service, system_server_service, service_manager_type;
type xxx_service, system_api_service, system_server_service, service_manager_type;
type xxx_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
If you add a new native service, the declaration generally takes one of the following forms. It must carry service_manager_type and must not carry system_server_service:
type yyy_service, service_manager_type;
type yyy_service, app_api_service, service_manager_type;
type yyy_service, app_api_service, system_api_service, service_manager_type;
If you add a new HAL service, the declaration generally looks like this. It must carry vendor_service and service_manager_type:
type zzz_service, vendor_service, service_manager_type;
With the explanations above, you should now have a reasonable idea of how to choose the type attributes for a service.
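To tie the context-file table and the declaration rules above together, here is an added example (my own Python, not code from this post or from AOSP). It parses a constructed service.te fragment and a constructed service_contexts fragment, then checks the rules the post states: every service type needs service_manager_type (otherwise the neverallow in public/service.te turns any add/find rule on it into a compile error), a Java system service must carry system_server_service, a native service must not, a HAL service must carry vendor_service, and every type referenced from service_contexts must actually be declared. The service names, the `KINDS` mapping that says which kind of service each type is meant to be, and both text fragments are constructed for this example.

```python
import re

# Constructed service.te fragment, modelled on the declaration shapes shown
# in the post (not copied from AOSP). Two deliberate mistakes are included.
SAMPLE_SERVICE_TE = """
# Java system service started by system_server
type xxx_service, system_server_service, service_manager_type;
# Native service, registered directly with servicemanager
type yyy_service, app_api_service, service_manager_type;
# HAL service served by vendor code
type zzz_service, vendor_service, service_manager_type;
# Mistake: a native service declared as if it lived in system_server
type bad_native_service, system_server_service, service_manager_type;
# Mistake: no service_manager_type, so any add/find rule on it would hit the
# neverallow in public/service.te and fail to compile
type orphan_service;
"""

# Constructed service_contexts fragment: "<service name> u:object_r:<type>:s0".
# 'ghost' points at a type that is never declared.
SAMPLE_SERVICE_CONTEXTS = """
xxx u:object_r:xxx_service:s0
yyy u:object_r:yyy_service:s0
zzz u:object_r:zzz_service:s0
ghost u:object_r:ghost_service:s0
"""

# Constructed mapping: what kind of service each type is intended to be.
# Types not listed are treated as native (the post's minimal form).
KINDS = {
    "xxx_service": "java",
    "yyy_service": "native",
    "zzz_service": "hal",
    "bad_native_service": "native",
}

# Matches "type NAME;" and "type NAME, attr1, attr2;" one per line.
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,\s*([\w\s,]+?))?\s*;", re.M)


def parse_service_te(text):
    """Return {type_name: set(attributes)} for every `type` statement."""
    types = {}
    for m in TYPE_RE.finditer(text):
        attrs = m.group(2)
        types[m.group(1)] = {a.strip() for a in attrs.split(",")} if attrs else set()
    return types


def parse_service_contexts(text):
    """Return {service_name: type_name} from `name u:object_r:type:s0` lines."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ctx = line.split()
        out[name] = ctx.split(":")[2]  # user:role:TYPE:level
    return out


def check_declaration(name, attrs, kind):
    """Apply the post's rules to one declaration; return a list of problems."""
    problems = []
    if "service_manager_type" not in attrs:
        problems.append("missing service_manager_type")
    if kind == "java" and "system_server_service" not in attrs:
        problems.append("java system service must carry system_server_service")
    if kind == "native" and "system_server_service" in attrs:
        problems.append("native service must not carry system_server_service")
    if kind == "hal" and "vendor_service" not in attrs:
        problems.append("hal service must carry vendor_service")
    return problems


def lint(te_text, contexts_text, kinds):
    """Cross-check service.te declarations against service_contexts.

    Returns {type_name: [problem, ...]} containing only the types with issues."""
    types = parse_service_te(te_text)
    findings = {}
    for name, attrs in types.items():
        probs = check_declaration(name, attrs, kinds.get(name, "native"))
        if probs:
            findings[name] = probs
    for svc, type_name in parse_service_contexts(contexts_text).items():
        if type_name not in types:
            findings.setdefault(type_name, []).append(
                f"referenced by service_contexts entry '{svc}' but never declared")
    return findings


if __name__ == "__main__":
    for type_name, probs in lint(SAMPLE_SERVICE_TE, SAMPLE_SERVICE_CONTEXTS, KINDS).items():
        for p in probs:
            print(f"{type_name}: {p}")
```

Running the script reports the three constructed mistakes (bad_native_service, orphan_service and the undeclared ghost_service) and stays silent for the three well-formed declarations. The `KINDS` mapping stands in for knowledge only the author of a service has, namely whether it is hosted in system_server, is a standalone native daemon, or is a vendor HAL; the policy files alone do not record that intent, which is exactly why the post asks you to pick the attributes by function.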