Overall overview of SE for Android series (ii)

Supported Mac Services
Mac and Mmac features Overview:
The standard SELinux MAC strategy is based on type enforcement (TE, that is, type mandatory access)/multi-level security (MLS, that is, multiple-level safety mechanism), or it can be understood as a white list mechanism;
The package and signature tags in the Install mmac policy support the use of the SetInfo tag to specify the context of the application (security contexts, referred to as runtime domain). This policy only takes effect for pre-installed applications, and third party applications cannot be specified in this way, all third-party applications can only be matched by tags, and the Seinfo value is "default". (Translator note, this will make you look dizzy, suggest to find Mac_permissions.xml file to look at)
The seandroid Install MMAC policy also enables you to check whether the list of permissions requested by the application is allowed. If it is not allowed, then the application cannot be installed. In addition, if the app is already installed on the phone, then the policy updates and conflicts with it, then the application will not run. The actions allowed by the configuration file are: Allow (allowed), deny (Deny) and allow all permissions (allow all permissions). The inspection process is as follows:
When a Third-party application is installed or upgraded, its list of permissions is checked. If there is any permission that is not allowed in, then the application installation or upgrade process will fail;
Pre-installed applications, their upgrade process, the system will also go to do a permission check. If there are disallowed permissions in the package or signature label, the upgrade fails. If there is a permission, the upgrade process also fails if the package or signature tags are not explicitly declared as allow, and the default label is declared as Deny;
The role of the Intent MMAC strategy is to determine whether Intent can be distributed to several other components. The policy will block all intent distributions that are not defined as allowed. This is an optional policy and does not require custom selinux policy support, but it can validate the security context of the principal.
The content Provider mmac policy role is to determine whether the content Provider access request is allowed. Policy will block all access requests that are not defined as allowed. The current version supports use, read, and read/write three kinds of permissions. This is an optional strategy and does not require customized SELinux policy support.
The role of the Revoke permissions policy is to determine whether permissions are checked during run, and if permissions are revoked, the permissions become denied (that is, other permissions are allowed except that the specified permissions are converted to denied). This is an optional strategy and does not require customized SELinux policy support.

Changes introduced by Android to support Mac
SE for Android adds SELinux support for the Android kernel, while also achieving the following goals in user space:
Define all privileged daemons to prevent permissions from being abused and minimize their destruction;
Construction of the sandbox, so that applications and applications and systems are isolated from each other;
Prevent the application of the right to raise;
Using MMAC strategy, the application of the permissions in the process of installation and operation become controllable;
Provide a centralized, analytical strategy;
These objectives are implemented by the following modifications:
The security annotation of YAFFS2 file system is realized.
File system mirroring files (YAFFS2 and EXT4) compile-time annotations;
provide annotation function for Recovery Console and program update;
Kernel-based binder IPC permission detection;
To implement the annotation function of the service sockets and the local socket file (socket files) generated by the INIT process;
To realize the annotation function of the device node (device nodes) produced by the UEVENTD process;
Provide flexible and easily configurable annotation function for application and application data folders;
Minimize the available ports for selinux user space;
The SELinux interface of JNI mode is provided.
Provides user-space-level permission checks for the use of zygote socket commands;
For the use of Android properties provides user space level of authority checks;
Write the TE policy file specifically for Android;
Define domain for all system services and applications;
Use MLS class isolation application;
SE's changes to the Android project
External/libselinux
Provides a library of functions that selinux user space and integrates them into the device. The library in the original version of the basically to adapt to Android and added a column of functions, as follows:
Selinux_android_setcontext
Using this function, you can set the correct domain context for the application, which computes the correct context using the information stored in the Seapp_contexts file. In the initialization phase, the function also calls Selinux_android_seapp_context_reload to load the seapp_contexts file and sort each item inside, as detailed in the "Seapp_contexts File" section.
The function is invoked by Dalvik/vm/native/dalvik-system-zygote.cpp and SYSTEM/CORE/RUN-AS/RUN-AS.C.
Selinux_android_setfilecon2
Using this function, you can set the normal context for the application folder and file, which computes the correct context using the information stored in the Seapp_contexts file. In the initialization phase, the function also calls Selinux_android_seapp_context_reload to load the seapp_contexts file and sort each item inside, as detailed in the "Seapp_contexts File" section.
When the application is installed, the function is called by FRAMEWORKS/BASE/CMDS/INSTALLD/COMMANDS.C.
Selinux_android_restorecon
Using this function, the context of the file can be restored to the initial configuration in the File_contexts file. This function is called more than once during the process of initial and installation.
Selinux_android_load_policy
If SELinux is turned on, the function can be used to load the SELinux file system and load the policy file into the kernel by calling Selinux_android_reload_policy.
Selinux_android_reload_policy
Load the policy file into the kernel. The function is called by SYSTEM/CORE/INIT.C.
External/libsepol
Provides a library of policy tools for user space. This part of the code is the same as SELinux and is not integrated into the device.
External/checkpolicy
Provides a policy construction tool. This part of the code is the same as SELinux and is not integrated into the device (so the policy must be constructed in the host development environment).
External/sepolicy
This se for Android-specific section contains various policy modules (*.te files), class/permissoin files, and so on. All policy modules are constructed based on the Android.mk file and will eventually be integrated with other configuration files (file_contexts, seapp_contexts and property_contexts) to the device (compiled into a sepolicy file). There are also some tools that can be added to the policy based on different devices, which are described in detail in the "Policy Building" section.
The policy file is described in detail in the "SELinux Mac Profile" section. The relevant tools are also described in detail in the "Policy Building Tools" section.
It also contains a class definition for SE for Android, which can be viewed in detail in the "Se for Android Classes and Permissions" section.
This folder also contains the install MMAC, Intent mmac, Content Permission mmac policy, and if so, refer to the SE for in the overall overview (i) of the SE for Android series. Android Project compilation "section.
External/mac-policy
This includes the policy profile (revoke_permission.xml) of revoke permission, which allows you to dynamically undo the permissions of Android. If the project option chooses Revoke_perms, the folder will be included.
Build
Make modifications to se for Android.
Dalvik
When the process is fork, the domain context setting is used Selinux_android_setcontext.
Libcore
SetInfo and nicename Two incoming parameters were added to the Zygote.java (translator note, –setinfo and –nicename two configurations are added to the zygote Command command)
Frameworks/base
jni--added Sellinux function support, such as isselinuxenabled and Setfscreatecon.
SELinux the definition of Java classes and methods.
Zygote The security context check for the connector.
Provides file permission management for Package Manager and various service (translator, not quite clear here)
Add Mmac Frame
System/core
Support SELinux's toolbox, such as Load_policy, Runcon
Support for SELinux system initialization, such as Init,init.rc
Support SELinux's review service (AUDITTD)
System/extras
Support for SELinux EXT4 file systems
Kernel
More than one kernel has been added for LSM and SELinux support, and the seforandroid-building for a Device can be viewed in detail.
There are several versions of the Android kernel (currently 3.4, the simulator uses goldfish), so the latest version of the SELinux is not generally integrated into seforandroid. The kernel changes are described in detail in the "kernel LSM and SELinux support" section.
Device
For more information on supporting devices, you can view seforandroid-building for a Device
You can modify the device's profile customization policy file, see the "Building Policy Files" section in detail

http://blog.csdn.net/l173864930/article/details/17232547