In day-to-day work, the SELinux files most often used to add new labels are the following:
Context file | Purpose | File where the type is conventionally declared (only a convention; the declaration can live in any .te file) |
---|---|---|
file_contexts | Label files, directories and device nodes by path | file.te |
genfs_contexts | Label nodes on filesystems that cannot store labels themselves (proc, sysfs, debugfs and the like); unlike file_contexts, the label is applied by the kernel when the filesystem is mounted, so no restorecon is needed | file.te |
hwservice_contexts | Label HIDL HAL services registered with hwservicemanager | hwservice.te |
property_contexts | Label system properties | property.te |
seapp_contexts | Label app processes and their data directories | untrusted_app.te, app.te, etc. |
service_contexts | Label system (binder) services registered with servicemanager | service.te |
The hwservice types can be read in the source; the main declaration patterns are the following (from hwservice.te - OpenGrok cross reference for /system/sepolicy/public/hwservice.te):

```
type default_android_hwservice, hwservice_manager_type, protected_hwservice;
type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
type hal_codec2_hwservice, hwservice_manager_type;
type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
```
There is also a neverallow in sepolicy/public/service.te. It means that no domain may be granted `add` or `find` on an hwservice_manager object whose type is not hwservice_manager_type. In practice: if a type used in hwservice_contexts lacks that attribute, any allow rule that grants some domain access to it makes the policy build fail, and without such a rule the service can be neither registered nor looked up.

```
neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
```
The attributes used on hwservice types are explained below:

Attribute | Meaning |
---|---|
hwservice_manager_type | Every HwBinder (HIDL HAL) service type must carry this attribute; it is the attribute the neverallow above keys on, so a service type without it can never be added to or found from hwservicemanager |
same_process_hwservice | All HwBinder services guaranteed to be passthrough. These services always run in the process of their clients, and thus operate with the same access as their clients. |
coredomain_hwservice | All HwBinder services guaranteed to be offered only by core domain components |
protected_hwservice | All HwBinder services that untrusted apps can't directly access. A type declared without it, such as hal_codec2_hwservice in the listing above, is outside that protection and may be exposed to apps |
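The neverallow and the attribute table above describe an invariant that is only checked when the whole policy is compiled. The following is an added example, not code from this page or from AOSP, of a small pre-build check in Python: it parses a hwservice.te fragment and a hwservice_contexts fragment (both constructed here; the vendor.example.* HALs are hypothetical), reports every context entry whose type is undeclared or lacks hwservice_manager_type, and lists the types that carry neither protected_hwservice nor same_process_hwservice, since by the definitions in the table those are the ones apps may end up allowed to find.

```python
"""Sanity-check hwservice_contexts against the hwservice type declarations.

Added example (not code from the page or from AOSP). It checks, before the
policy is compiled, the invariant that
    neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
enforces: every type named in hwservice_contexts must be declared and must
carry hwservice_manager_type. It also lists the types that are not
protected_hwservice. The sample policy text below is constructed for this
example; the vendor.example.* HALs are hypothetical.
"""
import re

# Constructed sample hwservice.te: hypothetical vendor HAL types plus two
# declarations written in the style of the AOSP listing above.
SAMPLE_HWSERVICE_TE = """
type hal_foo_hwservice, hwservice_manager_type, protected_hwservice;
type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
type hal_codec2_hwservice, hwservice_manager_type;
# Broken on purpose: a HAL service type without hwservice_manager_type.
type hal_bar_hwservice, protected_hwservice;
"""

# Constructed sample hwservice_contexts: "<package>::<Interface>  u:object_r:<type>:s0".
SAMPLE_HWSERVICE_CONTEXTS = """
vendor.example.hardware.foo::IFoo          u:object_r:hal_foo_hwservice:s0
android.hardware.graphics.mapper::IMapper  u:object_r:hal_graphics_mapper_hwservice:s0
android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
vendor.example.hardware.bar::IBar          u:object_r:hal_bar_hwservice:s0
# Broken on purpose: this type is never declared in hwservice.te.
vendor.example.hardware.baz::IBaz          u:object_r:hal_baz_hwservice:s0
"""

TYPE_DECL = re.compile(r"^type\s+(\w+)\s*(?:,\s*([^;]*))?;$")
TYPEATTRIBUTE = re.compile(r"^typeattribute\s+(\w+)\s+([^;]*);$")
CONTEXT_LINE = re.compile(r"^(\S+)\s+u:object_r:(\w+):s0$")


def _strip(line):
    """Drop a trailing '#' comment and surrounding whitespace from one policy line."""
    return line.split("#", 1)[0].strip()


def parse_type_decls(te_text):
    """Map each declared type to the set of attributes it carries, collected
    from `type T, a, b;` and `typeattribute T a, b;` statements."""
    decls = {}
    for line in map(_strip, te_text.splitlines()):
        m = TYPE_DECL.match(line)
        if m:
            decls[m.group(1)] = {a.strip() for a in (m.group(2) or "").split(",") if a.strip()}
            continue
        m = TYPEATTRIBUTE.match(line)
        if m:
            decls.setdefault(m.group(1), set()).update(a.strip() for a in m.group(2).split(","))
    return decls


def parse_hwservice_contexts(ctx_text):
    """Return (fqname, type) pairs; reject any line not in the expected form."""
    entries = []
    for line in map(_strip, ctx_text.splitlines()):
        if not line:
            continue
        m = CONTEXT_LINE.match(line)
        if not m:
            raise ValueError("malformed hwservice_contexts line: %r" % line)
        entries.append((m.group(1), m.group(2)))
    return entries


def check_hwservice_contexts(te_text, ctx_text):
    """Return (fqname, type, problem) for every context entry whose type no
    domain could ever be allowed to add or find under the neverallow."""
    decls = parse_type_decls(te_text)
    problems = []
    for fqname, t in parse_hwservice_contexts(ctx_text):
        if t not in decls:
            problems.append((fqname, t, "type not declared"))
        elif "hwservice_manager_type" not in decls[t]:
            problems.append((fqname, t, "missing hwservice_manager_type"))
    return problems


def unprotected_hwservice_types(te_text):
    """HwBinder service types not marked protected_hwservice, i.e. not in the
    set untrusted apps are kept away from. Passthrough (same_process_hwservice)
    types are skipped: they run inside the client, so there is no server to find."""
    return sorted(
        t for t, attrs in parse_type_decls(te_text).items()
        if "hwservice_manager_type" in attrs
        and not attrs & {"protected_hwservice", "same_process_hwservice"}
    )


if __name__ == "__main__":
    for fqname, t, problem in check_hwservice_contexts(SAMPLE_HWSERVICE_TE, SAMPLE_HWSERVICE_CONTEXTS):
        print("ERROR  %-45s %s: %s" % (fqname, t, problem))
    for t in unprotected_hwservice_types(SAMPLE_HWSERVICE_TE):
        print("REVIEW %s carries no protected_hwservice; confirm app access is intended" % t)
```

Run against a real tree by reading the device's hwservice.te and hwservice_contexts files into the two arguments. The `ERROR` lines are the entries the neverallow would reject at build time; the `REVIEW` lines are a policy decision, not a bug, but every type there deserves an explicit justification in the HAL's review.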