
Is it possible to connect SELinux policy with Android permissions?

I'd like to grant Android permissions (e.g. android.permission.DELETE_PACKAGES, which has protectionLevel=system|signature) to apps signed by a given signature and/or with a given package name from SELinux policies, but so far I haven't found a way that works. The mac_permissions.xml file used to accept an allow-permission tag that accepted Android permission strings, but based on the Lollipop code that parses it, that tag doesn't seem to be supported anymore. I tried using it anyway, and it definitely seemed to be ignored by the system.

Ideally, I'd only have to add/modify SELinux policy files as opposed to core AndroidManifest files that declare the restricted permissions and specify their protection levels. Assume that apps with the given signature/package wouldn't otherwise be granted said permissions by PackageManager because they lack any of the special privileges that Android permission protection levels recognize (signed by platform cert, installed in /system, etc.), and that the permission is a system permission (i.e. declared by the frameworks/base/core/res AndroidManifest) that is declared at OS build time.

Is there a way to allow a given app signature/package to use a given Android permission from SELinux?

All the MMAC work was abandoned by the SE for Android project as none of it was accepted upstream. Currently, there is no supported mechanism for associating package permissions to SE Linux policy. If you're building Android, one could restore that work in their tree; the branches to start with are the seandroid branches here: https://bitbucket.org/seandroid/frameworks-base/branches/

However, the most up-to-date branches with the code are over a year old. So you may have porting issues.

Also, that code uses the mac_permissions.xml file for controlling access, but the EOPS (extended operations) changes would also be of use; you can read up about it in its config file: https://bitbucket.org/seandroid/external-sepolicy/src/ccb97c52cda2bac69c0499b3c76bc8e0d28d636c/eops.xml?at=seandroid-5.1.1&fileviewer=file-view-default

Bear in mind, the install-time permission checks and the eops changes, while providing a form of mandatory access controls, don't really use core SE Linux technologies. By that, it can be used with or without an SELinux-enabled kernel.

If one really wanted to couple SE Linux to permission strings, it would require significant effort to label the permissions, and have Package Manager Service (PMS) and Activity Manager Service (AMS) compute whether or not access is allowed.

However, now that per-application Android permission controls are available, most of the work is no longer needed.
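
The question notes that an allow-permission tag in mac_permissions.xml is silently ignored on Lollipop. As an added example (not from the original posts or from AOSP), this Python lint reports elements in a policy file that fall outside the tag set the parser acts on. The recognized set (policy, signer, default, seinfo, package), the sample policy and its placeholder signature are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: tags the Lollipop-era install-policy parser acts on.
# Adjust to match the SELinuxMMAC.java in your own tree.
RECOGNIZED = {"policy", "signer", "default", "seinfo", "package"}

# Constructed sample policy; the second signature is a placeholder.
SAMPLE = """<policy>
  <signer signature="@PLATFORM">
    <seinfo value="platform"/>
  </signer>
  <signer signature="PLACEHOLDER_CERT_HEX">
    <allow-permission name="android.permission.DELETE_PACKAGES"/>
    <seinfo value="vendorapp"/>
    <package name="com.example.cleaner">
      <seinfo value="cleaner"/>
    </package>
  </signer>
  <default>
    <seinfo value="default"/>
  </default>
</policy>
"""

def lint_mac_permissions(xml_text):
    """Return (ignored, seinfo_map) for a mac_permissions.xml document.

    ignored:    (path, attributes) of elements outside RECOGNIZED, i.e.
                stanzas that would have no effect on the device.
    seinfo_map: (signer or 'default', package or None, seinfo value).
    """
    ignored, seinfo_map = [], []

    def walk(node, path, signer, package):
        here = f"{path}/{node.tag}"
        if node.tag not in RECOGNIZED:
            ignored.append((here, dict(node.attrib)))
            return  # children of a skipped element are skipped too
        if node.tag == "signer":
            signer = node.get("signature")
        elif node.tag == "default":
            signer = "default"
        elif node.tag == "package":
            package = node.get("name")
        elif node.tag == "seinfo":
            seinfo_map.append((signer, package, node.get("value")))
        for child in node:
            walk(child, here, signer, package)

    walk(ET.fromstring(xml_text), "", None, None)
    return ignored, seinfo_map
```

On the sample, the only thing the policy assigns is seinfo labels; the allow-permission stanza is reported as ignored, so no Android permission is granted by it.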
