[SELinux] Understanding what an "attribute" means through the neverallow statement

About neverallow

For a service of type system_server_service, the policy contains

add_service(system_server, system_server_service);

which internally invokes neverallow. add_service is a macro defined in

system/sepolicy/public/te_macros

###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_service', `
  allow $1 $2:service_manager { add find };
  neverallow { domain -$1 } $2:service_manager add;
')

The line

neverallow { domain -$1 } $2:service_manager add;

means that only the system_server domain is allowed to perform add on that service; every other domain is forbidden to.

We observe that service types are declared with several attributes at once, for example

type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

or

type slam_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

Since a type inherits whatever is granted to each attribute it carries, could we grant add through one of the other attributes and thereby give the type add permission?

allow shell ephemeral_app_api_service:service_manager add;

The idea is to give shell add permission on ephemeral_app_api_service, and through it add permission on slam_service.

Result: the build fails.

libsepol.report_failure: neverallow on line 558 of system/sepolicy/private/system_server.te (or line 30393 of policy.conf) violated by allow shell device_identifiers_service:service_manager { add };

libsepol.report_failure: neverallow on line 558 of system/sepolicy/private/system_server.te (or line 30393 of policy.conf) violated by allow shell registry_service:service_manager { add };

libsepol.report_failure: neverallow on line 558 of system/sepolicy/private/system_server.te (or line 30393 of policy.conf) violated by allow shell appwidget_service:service_manager { add };

libsepol.report_failure: neverallow on line 558 of system/sepolicy/private/system_server.te (or line 30393 of policy.conf) violated by allow shell launcherapps_service:service_manager { add };

...

libsepol.report_failure: neverallow on line 558 of system/sepolicy/private/system_server.te (or line 30393 of policy.conf) violated by allow shell power_service:service_manager { add };

device_identifiers_service is defined as

type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

In other words, when the policy compiler resolves

allow shell ephemeral_app_api_service:service_manager add;

it substitutes every type that carries the ephemeral_app_api_service attribute, such as device_identifiers_service, into the statement, producing

allow shell device_identifiers_service:service_manager { add };

and this collides with the neverallow in system_server.te: device_identifiers_service also carries system_server_service, and shell is a domain other than system_server, so it falls inside { domain -system_server }.

The way to think about it: when permissions are granted, the compiler analyses the associations between attributes and the types that carry them.

An attribute exerts a kind of pull: anything granted on the attribute expands to every concrete type that carries it, so a permission on an attribute is really a permission on all of its member types. When two such expansions conflict, one coming from an allow and one from a neverallow, the build fails.

For example,

allow ephemeral_app ephemeral_app_api_service:service_manager find;

gives ephemeral_app find permission on ephemeral_app_api_service, and because

type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

ephemeral_app thereby also gets find permission on account_service.
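To make the expansion concrete, here is an added Python model of how attributes in allow and neverallow rules expand to concrete types; it is illustration code written for this page, not code from the article or from AOSP's sepolicy tooling. It covers both the shell/add conflict above and the ephemeral_app/find case. The type table, the policy fragment, the add_service rendering and the report format are constructed for the example; the real checker handles more of the language (complement and wildcard sets, for instance) than this toy parser does.

```python
import re

# Constructed type declarations, modelled on the ones quoted in the article:
# each type maps to the set of attributes it carries. ("domain" is the
# attribute every process type carries in AOSP policy.)
SERVICE_ATTRS = {"app_api_service", "ephemeral_app_api_service",
                 "system_server_service", "service_manager_type"}
TYPES = {
    "system_server": {"domain"},
    "shell": {"domain"},
    "ephemeral_app": {"domain"},
    "slam_service": set(SERVICE_ATTRS),
    "device_identifiers_service": set(SERVICE_ATTRS),
    "account_service": set(SERVICE_ATTRS),
}

# One rule: 'allow|neverallow SRC TGT:CLASS PERMS;' where SRC, TGT and PERMS
# are a single name or a brace-delimited set expression.
SET = r"\{[^}]*\}|\S+"
RULE_RE = re.compile(rf"^(allow|neverallow)\s+({SET})\s+({SET}):(\S+)\s+({SET})\s*;$")


def types_with(name):
    """A plain type expands to itself; an attribute expands to every
    concrete type that carries it."""
    if name in TYPES:
        return {name}
    return {t for t, attrs in TYPES.items() if name in attrs}


def expand_set(expr):
    """Expand '{ domain -system_server }': union the positive members,
    then remove every type named by a '-' member."""
    tokens = expr.strip().strip("{}").split()
    positive = set().union(*(types_with(t) for t in tokens if not t.startswith("-")))
    negative = set().union(*(types_with(t[1:]) for t in tokens if t.startswith("-")))
    return positive - negative


def expand_rule(line):
    """Return (kind, {(src, tgt, class, perm), ...}) for one rule, with
    attributes on both sides replaced by concrete types."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed rule: {line!r}")
    kind, src, tgt, cls, perms = m.groups()
    perm_list = perms.strip("{}").split()
    return kind, {(s, t, cls, p)
                  for s in expand_set(src)
                  for t in expand_set(tgt)
                  for p in perm_list}


def add_service(domain, service):
    """Python rendering of the te_macros add_service macro: the allow rule
    plus the neverallow that keeps every other domain from adding it."""
    return [
        f"allow {domain} {service}:service_manager {{ add find }};",
        f"neverallow {{ domain -{domain} }} {service}:service_manager add;",
    ]


def allowed_quads(rules):
    """All concrete (src, tgt, class, perm) grants after expansion."""
    return set().union(*(q for kind, q in map(expand_rule, rules) if kind == "allow"))


def check_policy(rules):
    """Report every expanded allow that lands on an expanded neverallow,
    in the spirit of libsepol's 'neverallow ... violated by allow ...'."""
    forbidden = {}
    for line in rules:
        kind, quads = expand_rule(line)
        if kind == "neverallow":
            for q in quads:
                forbidden.setdefault(q, line.strip())
    hits = sorted(allowed_quads(rules) & set(forbidden))
    return [f"neverallow '{forbidden[q]}' violated by "
            f"allow {q[0]} {q[1]}:{q[2]} {{ {q[3]} }};" for q in hits]


# Constructed policy: the macro call from system_server.te, the ephemeral_app
# find rule, and the experimental shell rule that the article tried.
POLICY = add_service("system_server", "system_server_service") + [
    "allow ephemeral_app ephemeral_app_api_service:service_manager find;",
    "allow shell ephemeral_app_api_service:service_manager add;",
]

if __name__ == "__main__":
    # Prints three violations: shell may not add account_service,
    # device_identifiers_service or slam_service.
    for v in check_policy(POLICY):
        print(v)
```

Running the block prints one violation per concrete type that ephemeral_app_api_service expanded into, which is the same shape as the libsepol.report_failure lines above. Removing the shell rule from POLICY makes check_policy return an empty list, while allowed_quads still shows ephemeral_app holding find on account_service purely through the attribute.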

 
