Android Selinux详解[八]--常用sepolicy函数和权限组说明

te_macros中的函数以及global_macros权限组是我们在加sepolicy策略或者读sepolicy策略时经常碰到的，我们需要对其有所了解。

一）te_macros

te_macros中有很多函数，比如domain_auto_trans, r_dir_file等等，见源码中定义的地方

te_macros - OpenGrok cross reference for /system/sepolicy/public/te_macros

举例一两个看一下

1. domain_trans

#####################################
# domain_trans(olddomain, type, newdomain)   用法-有三个入参，从旧的domain转为新的domain
含义如下：
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
--具体函数内容
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute map };
allow $1 $3:process transition;
# New domain is entered by executing the file.
allow $3 $2:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow $1 $3:process { siginh rlimitinh };
')

如：

domain_trans(init, shell_exec, shell)--将shell_exec通过init转为shell

domain_trans(init, init_exec, ueventd)--将init_exec通过init转为ueventd

domain_trans(init, init_exec, vendor_init)--将init_exec通过init转为vendor_init

2. r_dir_file

#####################################
# r_dir_file(domain, type)
  用法---两个入参
含义如下：
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
--具体函数内容
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')

如：

r_dir_file(heapprofd, nativetest_data_file)--允许heapprofd对nativetest_data_file的文件夹拥有r_dir_perms权限，对文件拥有r_file_perms权限

 一）global_macros

这里面放的是系统常用的一系列权限组的代替名字，见源码

global_macros - OpenGrok cross reference for /system/sepolicy/public/global_macros

 比如x_file_perms代表{ getattr execute execute_no_trans map }这一些列权限，这样在.te文件中加权限就可以用这一条权限x_file_perms代表这一堆{ getattr execute execute_no_trans map }权限了，使得.te文件可读性以及美观性更强。

1. 常用的权限组

#####################################
# Common groupings of permissions.
#
define(`x_file_perms', `{ getattr execute execute_no_trans map }')
define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
define(`w_file_perms', `{ open append write lock map }')
define(`rx_file_perms', `{ r_file_perms x_file_perms }')
define(`ra_file_perms', `{ r_file_perms append }')
define(`rw_file_perms', `{ r_file_perms w_file_perms }')
define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')

define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
define(`w_dir_perms', `{ open search write add_name remove_name lock }')
define(`ra_dir_perms', `{ r_dir_perms add_name write }')
define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')

define(`r_ipc_perms', `{ getattr read associate unix_read }')
define(`w_ipc_perms', `{ write unix_write }')
define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')

socket相关的如下：
#####################################
# Common socket permission sets.
define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
define(`create_socket_perms', `{ create rw_socket_perms }')
define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')