Is it possible to connect SELinux policy with Android permissions?


Problem description

I'd like to grant Android permissions (e.g. android.permission.DELETE_PACKAGES, which has protectionLevel=system|signature) to apps signed by a given signature and/or with a given package name from SELinux policies, but so far I haven't found a way that works. The mac_permissions.xml file used to accept an allow-permission tag that accepted Android permission strings, but based on the Lollipop code that parses it, that tag doesn't seem to be supported anymore. I tried using it anyway, and it definitely seemed to be ignored by the system.

Ideally, I'd only have to add/modify SELinux policy files as opposed to core AndroidManifest files that declare the restricted permissions and specify their protection levels. Assume that apps with the given signature/package wouldn't otherwise be granted said permissions by PackageManager because they lack any of the special privileges that Android permission protection levels recognize (signed by platform cert, installed in /system, etc.), and that the permission is a system permission (i.e. declared by the frameworks/base/core/res AndroidManifest) that is declared at OS build time.

Is there a way to allow a given app signature/package to use a given Android permission from SELinux?

Recommended answer

All the MMAC work was abandoned by the SE for Android project as none of it was accepted upstream. Currently, there is no supported mechanism for associating package permissions to SE Linux policy. If you're building Android, one could restore that work in their tree; the branches to start with are the seandroid branches here: https://bitbucket.org/seandroid/frameworks-base/branches/

However, the most up-to-date branches with the code are over a year old. So you may have porting issues.

Also, that code uses the mac_permissions.xml file for controlling access, but the EOPS (extended operations) changes would also be of use; you can read up about it in its config file: https://bitbucket.org/seandroid/external-sepolicy/src/ccb97c52cda2bac69c0499b3c76bc8e0d28d636c/eops.xml?at=seandroid-5.1.1&fileviewer=file-view-default

Bear in mind, the install time permission checks and the eops changes, while providing a form of mandatory access controls, don't really use core SE Linux technologies. By that, it can be used with or without an SELinux-enabled kernel.

If one really wanted to couple SE Linux to permission strings, it would require significant effort to label the permissions, and have Package Manager Service (PMS) and Activity Manager Service (AMS) compute whether or not access is allowed.

However, now that per-application Android permission controls are available, most of the work is no longer needed.
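
A way to check which entries in a mac_permissions.xml can take effect, as an added example that is not part of the original question or answer: the script walks a policy file and reports every element outside the seinfo-only schema, such as the allow-permission tag the question found to be ignored. The accepted tag set (signer, default, package, seinfo) is an assumption about the Lollipop-era parser, and the sample policy, @EXAMPLE_CERT and com.example.app are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: the install-time MMAC parser only understands these tags and
# skips anything else; adjust the map to match the parser in your own tree.
ALLOWED = {
    "policy": {"signer", "default"},
    "signer": {"seinfo", "package"},
    "default": {"seinfo"},
    "package": {"seinfo"},
}

# Constructed sample policy (not taken from any real build).
SAMPLE = """<policy>
  <signer signature="@PLATFORM"><seinfo value="platform"/></signer>
  <signer signature="@EXAMPLE_CERT">
    <allow-permission name="android.permission.DELETE_PACKAGES"/>
    <seinfo value="example"/>
    <package name="com.example.app"><seinfo value="example_app"/></package>
  </signer>
  <default><seinfo value="default"/></default>
</policy>"""

def lint_mac_permissions(xml_text):
    """Return (rules, ignored): effective seinfo mappings and skipped tags."""
    root = ET.fromstring(xml_text)
    if root.tag != "policy":
        raise ValueError("root element must be <policy>")
    rules, ignored = [], []

    def walk(elem, path, signer, package):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            if child.tag not in ALLOWED[elem.tag]:
                # Unknown tag: the whole subtree has no effect on labeling.
                ignored.append((child_path, dict(child.attrib)))
            elif child.tag == "signer":
                walk(child, child_path, child.get("signature"), None)
            elif child.tag == "default":
                walk(child, child_path, "<default>", None)
            elif child.tag == "package":
                walk(child, child_path, signer, child.get("name"))
            else:  # seinfo: the only thing the file can assign
                rules.append((signer, package, child.get("value")))

    walk(root, "policy", None, None)
    return rules, ignored

if __name__ == "__main__":
    rules, ignored = lint_mac_permissions(SAMPLE)
    for path, attrs in ignored:
        print(f"ignored: {path} {attrs}")
    for signer, package, seinfo in rules:
        print(f"seinfo={seinfo} signer={signer} package={package}")
```

The output makes the limitation concrete: the file can only map a signer or package to an seinfo label, so a permission string placed in it changes nothing about what PackageManager grants.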
