简体   繁体   中英

what is the relationship between SEAndroid policy and Android permissions?

I think Android permissions is a kind of DAC mechanism, because the permissions are mapping to the group id in Linux Kernel. SEAndroid is a MAC mechanism. And the MAC check is after the DAC check.

But I don't understand the relationship between them. How they cooperate to check one action in app should be allowed or denied?

And I want to know how the CHECK action implemented in source code(permission check and SEAndroid policy check). But I can't find the related source code in Android and Linux Kernel.

In the paper Security Enhanced (SE) Android: Bringing Flexible MAC to Android , it is said that

For conventional third party app installs, installation of the app is aborted if the policy denies one of the requested permissions.

I also want to know the detail implementation from source code. But I don't know where it is.

Is there anyone familiar with Android and Linux Kernel can help me?

I am assuming that when you refer to Android Permissions you refer to the Android System Permissions (ie READ_LOGS, READ_HISTORY_BOOKMARKS, WRITE_HISTORY_BOOKMARKS etc).

All the SEAndroid support for MMAC (and system permission enforcement) was abandon and all source code was removed from AOSP. Please refer to this answer for more details.

The SEAndroid MAC mechanism is implemented in the deepest layers of the Android stack and provides access control of the most fundamental operations (ie read/write file, open/close socket, bind etc). This is achieved by placing LSM (Linux Security Modules) hooks right into the kernel. This what makes the SEAndroid MAC module so strong.

On the other hand, the Android permission system is actually implemented by the high level "JAVA API level framework" and by components such as: PackageManager, ServiceManager, ActivityManager etc. Letting SEAndroid handle enforcement of those high level components might be missing the point (But this is only my personal opinion).

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM