Android SELinux中是否可以使用包名作为域名？

Question

Android SELinux( or you can say SEAndroid) defines many domains which include system_app, platform_app, isolated_app, etc.

Each domain has different meanings, for example, system_app includes all the apps which share the system uid, and the platform_app includes all the apps which sign the platform key.

All the SE files are located in external/sepolicy, I can modify the rules from these files.

Is it possible to define a new domain which points to a specified package name (For example, com.google.android.music)?

I do not find any document or example about that, so I am not sure how to do that.

I will appreciate any suggestions or comments.

Thank you.

Answer 1

After a long research, I find a way to define a new domain for a specified package

Define a new domain in seapp_contexts

like this,

user=_app domain=googlemusic seinfo=platform name=com.google.android.music type=app_data_file

then define the permission of a new domain googlemusic

create a te file called googlemusic.te

type googlemusic_app,domain

app_domain(googlemusic)

#more permissions

Answer 2

Just to update @alec.tu answer for Android 12 - in the googlemusic.te file the 2 first lines should be:

typeattribute googlemusic_app coredomain;
app_domain(googlemusic_app)

And another new file - system/sepolicy/public/googlemusic_app.te should be created with the content:

type googlemusic_app, domain;

Answer 3

Okay, to whoever is trying to achieve this: in AOSP 11, if you are getting an error when building that contains anything with "neverallow", you need to specify a domain for your app. I was getting this error while trying this in platform_app.te file in device/ yourvendor / yourdevice /sepolicy by writing a line: allow platform_app sysfs:file { getattr open read };.

The build stopped on error while breaking the neverallow rule.

Solution is to open file seapp_contexts and then add a line:

Explanation:

user=_app domain=*you can name it whatever you want, lets say selinuxtest, but you have to add "_app", so it should be selinuxtest_app seinfo=platform name=com. yourappname . whatever type=app_data_file levelFrom=all

Example:

user=_app domain=selinuxtest_app seinfo=platform name=com.testapplication.myname type=app_data_file levelFrom=all

then create a file in the same folder as platform_app.te, in our case it should be selinuxtest.te, and simply put this into it:

Explanation:

type yourappdomainname & "_app" , domain; app_domain( yourappdomainname & "_app" )

Example:

type selinuxtest_app, domain; app_domain(selinuxtest_app)

allow selinuxtest_app sysfs:file { getattr open read };

voila! It works like that, access granted just for your very own app/apps.