About neverallow
For services of type system_server_service, the policy declares
add_service(system_server, system_server_service);
and that macro internally emits a neverallow.
add_service is a macro defined in
system/sepolicy/public/te_macros:
###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_service', `
  allow $1 $2:service_manager { add find };
  neverallow { domain -$1 } $2:service_manager add;
')
neverallow { domain -$1 } $2:service_manager add;
allows only the system_server domain to perform add on the service.
We observe declarations such as
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
for example
type slam_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
Each type carries several attributes, and a type inherits the permissions granted on every attribute listed in its declaration. So could we grant add on one of the other attributes to give the type add permission indirectly? That is,
allow shell ephemeral_app_api_service:service_manager add;
attempts to give shell add permission on ephemeral_app_api_service, and thereby add permission on slam_service.
Result: the build fails with
libsepol.report_failure: neverallow on line 558 of system/sepolicy/private/system_server.te (or line 30393 of policy.conf) violated by allow shell device_identifiers_service:service_manager { add };
libsepol.report_failure: neverallow on line 558 of system/sepolicy/private/system_server.te (or line 30393 of policy.conf) violated by allow shell registry_service:service_manager { add };
libsepol.report_failure: neverallow on line 558 of system/sepolicy/private/system_server.te (or line 30393 of policy.conf) violated by allow shell appwidget_service:service_manager { add };
libsepol.report_failure: neverallow on line 558 of system/sepolicy/private/system_server.te (or line 30393 of policy.conf) violated by allow shell launcherapps_service:service_manager { add };
...
libsepol.report_failure: neverallow on line 558 of system/sepolicy/private/system_server.te (or line 30393 of policy.conf) violated by allow shell power_service:service_manager { add };
The definition of device_identifiers_service is
In other words, when the compiler parses
allow shell ephemeral_app_api_service:service_manager add;
it substitutes every type that carries the
ephemeral_app_api_service attribute, such as device_identifiers_service, into the statement,
i.e.
allow shell device_identifiers_service:service_manager { add };
and this conflicts with the neverallow in system_server.te.
One way to think about it: when a permission is granted, the attributes involved are resolved by association.
An attribute behaves like a pull toward its member types: a permission granted on the attribute is expanded onto each concrete type that carries it.
When two such expansions pull in opposite directions (an allow and a neverallow covering the same concrete triple), compilation fails.
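As an added illustration (not part of the original notes), the following Python models the attribute expansion just described: a constructed toy policy built from the .te fragments quoted above, an expander for type sets such as { domain -system_server }, and a check that reports which concrete (source, target) pairs of an allow collide with a neverallow. Both the policy text and the checker are constructed here; the real libsepol implementation differs.

```python
import re
from itertools import product

# Constructed toy policy modelled on the .te fragments quoted above, not the real AOSP sepolicy.
POLICY = """
type shell, domain;
type system_server, domain;
type slam_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
allow system_server system_server_service:service_manager { add find };
neverallow { domain -system_server } system_server_service:service_manager add;
allow shell ephemeral_app_api_service:service_manager add;
"""

RULE = re.compile(r"(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+):(\w+)\s+(\{[^}]*\}|\w+)$")

def parse(policy):
    # members maps every type and attribute name to the set of concrete types it denotes
    members, rules = {}, []
    for line in policy.strip().splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("type "):
            name, *attrs = [n.strip() for n in line[5:].split(",")]
            members.setdefault(name, set()).add(name)  # a bare type denotes itself
            for attr in attrs:                          # each attribute collects the type
                members.setdefault(attr, set()).add(name)
        elif line:
            kind, src, tgt, cls, perms = RULE.match(line).groups()
            rules.append((kind, src, tgt, cls, perms.strip("{} ").split()))
    return members, rules

def expand(expr, members):
    # Resolve a set like `{ domain -system_server }`: union positive tokens, subtract `-name` ones.
    result = set()
    for tok in expr.strip("{} ").split():
        if tok.startswith("-"):
            result -= members.get(tok[1:], set())
        else:
            result |= members.get(tok, set())
    return result

def check(policy):
    # Expand each allow to concrete (src, tgt, class, perm) tuples, then report those a neverallow forbids.
    members, rules = parse(policy)
    granted = {(s, t, cls, p) for kind, src, tgt, cls, perms in rules if kind == "allow"
               for s, t, p in product(expand(src, members), expand(tgt, members), perms)}
    return sorted(f"neverallow violated by allow {s} {t}:{cls} {{ {p} }}"
                  for kind, src, tgt, cls, perms in rules if kind == "neverallow"
                  for s, t, p in product(expand(src, members), expand(tgt, members), perms)
                  if (s, t, cls, p) in granted)
```

Running check(POLICY) lists one violation per service type carrying ephemeral_app_api_service, mirroring the libsepol.report_failure lines above; dropping the shell allow yields an empty list.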
For example,
allow ephemeral_app ephemeral_app_api_service:service_manager find;
gives ephemeral_app find permission on ephemeral_app_api_service;
because
ephemeral_app has find permission on account_service