本文详细介绍了Android 4.4.2中SELinux的MAC(强制访问控制)机制,特别是mac_permissions.xml文件的生成、编译过程。mac_permissions.xml用于定义权限规则,包括签名、权限允许与拒绝、包名规则等。在构建系统中,通过插入特定的证书信息来生成最终的配置文件。此外,还提到了生成和使用私钥的注意事项,以及如何更新keys.conf以确保生产环境的安全性。
Middleware MAC:
mac_permissions.xml 文件:
Rules:
* A signature is a hex encoded X.509 certificate and is required for each signer tag.
* A <signer signature="" > element may have multiple child elements:
allow-permission : produces a set of maximal allowed permissions (whitelist).
deny-permission : produces a blacklist of permissions to deny.
allow-all : a wildcard tag that will allow every permission requested.
package : a complex tag which itself defines allow, deny, and wildcard sub elements for
a specific package name protected by the signature
* Zero or more global <package name=""> tags are allowed. These tags allow a policy
to be set outside any signature for specific package names.
* A <default> tag is allowed that can contain install policy for all apps not signed
mac_permissions.xml 文件:
Rules:
* A signature is a hex encoded X.509 certificate and is required for each signer tag.
* A <signer signature="" > element may have multiple child elements:
allow-permission : produces a set of maximal allowed permissions (whitelist).
deny-permission : produces a blacklist of permissions to deny.
allow-all : a wildcard tag that will allow every permission requested.
package : a complex tag which itself defines allow, deny, and wildcard sub elements for
a specific package name protected by the signature
* Zero or more global <package name=""> tags are allowed. These tags allow a policy
to be set outside any signature for specific package names.
* A <default> tag is allowed that can contain install policy for all apps not signed
最低0.47元/天 解锁文章
扫一扫
5428
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
