selinux misc

selinux misc

selinux class definition in te file

system/sepolicy/private/access_vectors

7#
8# Define a common prefix for file access vectors.
9#
10
11common file
12{
13    ioctl
14    read
15    write
16    create
17    getattr
18    setattr
19    lock
20    relabelfrom
21    relabelto
22    append
23    map
24    unlink
25    link
26    rename
27    execute
28    quotaon
29    mounton
30}

 

158class dir
159inherits file
160{
161    add_name
162    remove_name
163    reparent
164    search
165    rmdir
166    open
167    audit_access
168    execmod
169}
170
171class file
172inherits file
173{
174    execute_no_trans
175    entrypoint
176    execmod
177    open
178    audit_access
179}
180
181class lnk_file
182inherits file
183{
184    open
185    audit_access
186    execmod
187}
188
189class chr_file
190inherits file
191{
192    execute_no_trans
193    entrypoint
194    execmod
195    open
196    audit_access
197}

 

perf_event class

class perf_event {
        open
        cpu
        kernel
        tracepoint
        read
        write
}

 

 

macro definitions

system/sepolicy/prebuilts/api/29.0/public]$ ls *macro*
global_macros  ioctl_macros  neverallow_macros  te_macros

比如在global_macros里define了：

file:

define(`x_file_perms', `{ getattr execute execute_no_trans map }')
define(`r_file_perms', `{ getattr open read ioctl lock map }')
define(`w_file_perms', `{ open append write lock map }')
define(`rx_file_perms', `{ r_file_perms x_file_perms }')
define(`ra_file_perms', `{ r_file_perms append }')
define(`rw_file_perms', `{ r_file_perms w_file_perms }')
define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')

 dir:

define(`r_dir_perms', `{ open getattr read search ioctl lock }')
define(`w_dir_perms', `{ open search write add_name remove_name lock }')
define(`ra_dir_perms', `{ r_dir_perms add_name write }')
define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')

 

audit2allow

[ 45.806087] type=1400 audit(1632056806.209:79): avc: denied { cpu } for comm="kworker/1:0" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=0

 

将上述selinux denial log保存至一个文本文档，再执行如下的cmd，输出结果如下，将输出结果添加至kernel.te即可：

audit2allow < selinux_denial.log

#============= kernel ==============
allow kernel self:perf_event cpu;

sepolicy-analyze tool

这个tool的帮助信息如下：

out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze
out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze must be called on a policy file with a component and the appropriate arguments specified
out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze <policy-file>:
        dups
        neverallow [-w|--warn] [-d|--debug] [-n|--neverallows <neverallow-rules>] | [-f|--file <neverallow-file>]
        permissive
        typecmp [-d|--diff] [-e|--equiv]
        booleans
        attribute 

 

示例1

out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze out/target/product/test_product/vendor/etc/selinux/precompiled_sepolicy attribute super_block_device_type
super_block_device

上面这条命令表示拥有super_block_device_type attribute的context为super_block_device，可以在如下文件里看到super_block_device context附加上了super_block_device_type attribute：

system/sepolicy/public/device.te
type super_block_device, super_block_device_type, dev_type;

 

上面type命令的格式是：

type some_contexts, some_attribute1, [some_attribute2];

含义表示define一个some_contexts，给它附加上some_attribute1, [some_attribute2] attribute

实例2：

下面cmd表示列出拥有coredomain attribute的context，可以看到拥有此attribute的context有很多：

out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze  out/target/product/test_product/vendor/etc/selinux/precompiled_sepolicy  attribute coredomain
adbd
apexd
app_zygote
ashmemd
audioserver
blkid
blkid_untrusted
bluetooth
bootanim
bootstat
bufferhubd
cameraserver
charger
clatd
crash_dump
dhcp
dnsmasq
drmserver
...

 

示例3：

下面cmd表示列出precompiled_sepolicy file里包含的所有attribute：

out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze  out/target/product/test_product/vendor/etc/selinux/precompiled_sepolicy  attribute --list
pdx_display_manager_endpoint_socket_type
pdx_display_screenshot_endpoint_socket_type
file_type
hal_screenrecord_mediatek_server
exec_type
hal_usb_server
property_type
binderservicedomain
node_type
hal_broadcastradio_server
proc_type
port_type
pdx_channel_socket_type
hal_tv_mtkdmservice_server

 

如下cmd，可以看出halserverdomain attribute关联到了hal_wifi_supplicant_default type

out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze  out/target/product/test_product/vendor/etc/selinux/precompiled_sepolicy  attribute halserverdomain |grep hal_wifi_supplicant_default
hal_wifi_supplicant_default

 

看下这个attribute是在哪里define的，在attributes文件里define：

system/sepolicy/prebuilts/api/29.0/public/attributes

# All HAL servers
attribute halserverdomain;

 

看下hal_wifi_supplicant_default type是在哪里关联halserverdomain attribute的。

system/sepolicy/vendor/hal_wifi_supplicant_default.te

hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)

 

看下hal_server_domain是怎么define的：

system/sepolicy/prebuilts/api/29.0/public/te_macros

define(`hal_server_domain', `
typeattribute $1 halserverdomain;
typeattribute $1 $2_server;
typeattribute $1 $2;
')

 

在上面的define里，可以看到type $1(hal_wifi_supplicant_default)关联了halserverdomain attribute

看下hal_wifi_supplicant_default type是在哪里define的，在如下位置：

system/sepolicy/vendor/hal_wifi_supplicant_default.te
type hal_wifi_supplicant_default, domain;

 

 

te文件里排除一个domain

在domain前面加上一个-表示排除这个domain，下面一行表示domain对block_device是neverallow，除了kernel、init、recovery等：

neverallow { domain -kernel -init -recovery -vold -uncrypt -emsd -rild -radio_config} block_device:blk_file { open read write };

 

typeattribute

在一个地方define type（context），在另外一个地方将这个type关联attribute，如下typeattribute是将httpd_user_content_t type关联file_type、httpdcontent两个attribute：

type httpd_user_content_t; 
typeattribute httpd_user_content_t file_type, httpdcontent;

 可以同时define一个type并同时关联attribute：

define httpd_user_content_t type，并关联file_type、httpdcontent两个attribute：

type httpd_user_content_t file_type, httpdcontent;

 

attribute definition

system/sepolicy/public/attributes

attribute dev_type;

# All types used for processes.
attribute domain;

attribute fs_type;

# All types used for context= mounts.
attribute contextmount_type;

# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute file_type;

# All types used for domain entry points.
attribute exec_type;

# All types used for /data files.
attribute data_file_type;