parent
c77744442f
commit
4435c8602e
@ -371,9 +371,9 @@ attribute netdomain;
attribute binderservicedomain;
```
### 4.5.class
### 4.5.Class 和 Permission
客体的具体类别。用 class 来定义一个客体类别,具体定义方式如下:
Class 指客体的具体类别。用 class 来定义一个客体类别,具体定义方式如下:
```bash
# [external/sepolicy/security_classes示例]
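Review bot: the new heading `### 4.5.Class 和 Permission` announces two terms, but the rewritten lead sentence `Class 指客体的具体类别。用 class 来定义一个客体类别…` still introduces only Class before the `security_classes` sample, and the separate perm_set heading is dropped in the next hunk; add one sentence here saying that each Class comes with the set of Permissions that can be granted on it, so the merged section's scope is clear from its first lines rather than only from the second half.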
@ -394,9 +394,7 @@ class binder # Android 平台特有的 binder
class zygote # Android 平台特有的 zygote
```
### 4.6.perm_set
具体的操作,系统的定义在 external/sepolicy/access_vectors。有两种定义方法。
Permission 指具体的操作,系统的定义在 external/sepolicy/access_vectors。有两种定义方法。
用 common 命令定义:
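Review bot: removing `### 4.6.perm_set` folds the Permission text into 4.5 without any anchor for readers, and the term perm_set disappears from the document even though the later rule `allow user_t bin_t : { file dir } ~{ read getattr };` relies on permission-set syntax (`{ … }` and the complement `~{ … }`); keep a subheading such as `#### 4.5.1.Permission 和 perm_set` above `Permission 指具体的操作…` so the set notation still has a place where it is defined. Minor: `用 common 命令定义` calls `common` a command, but in the context of "两种定义方法" in access_vectors it is a definition statement, so `用 common 语句定义` reads more accurately.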
@ -459,7 +457,22 @@ external/sepolicy/te_macros
external/sepolicy/***.te
```
### 4.7.TE 的正则表达式和集合
一般常用的 Class 和 Permission 如下表:
| Class | Permission |
|------------|------------|
| file | ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton |
| directory | add_name remove_name reparent search rmdir open audit_access execmod |
| socket | ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind |
| filesystem | mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget |
| process | fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate |
| security | compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy |
| capability | chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap |
| tcp_socket | create connect name_connect lock append bind name_bind listen accept recvfrom sendto read write getattr setattr getopt setopt |
| sock_file | open read write |
| chr_file | create open read write map ioctl |
### 4.6.TE 的正则表达式和集合
TE 文件支持正则表达式,从下面可以看到,通配符是常用的通配符,可以度娘
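Review bot: the Class column of the new table uses `directory`, but the SELinux class is named `dir`, which is exactly what the rule `allow user_t bin_t : { file dir } ~{ read getattr };` further down this page uses; rename the row so a reader can copy class names from the table straight into a rule. The `directory` row also mixes in `open`, `audit_access` and `execmod`, which are permissions of the common file set shared by `file`, `dir` and the other file-like classes (note the `file` row omits `open`), so the two rows should be reconciled: either list the common file permissions once and mark them as shared, or repeat them consistently in both rows.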
@ -504,7 +517,7 @@ allow user_t bin_t : { file dir } ~{ read getattr };
allow domain { exec_type -sbin_t } : file execute;
```
### 4.8.TE 的类型转换规则
### 4.7.TE 的类型转换规则
为什么要转换类型?
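Review bot: this hunk and the ones that follow only renumber headings (4.8 to 4.7, 4.8.1 to 4.7.1, 4.8.2 to 4.7.2, 4.9 to 4.8) after the perm_set section was merged away; because only the heading lines appear in the diff, please confirm that any explicit section numbers referenced in the body text elsewhere in the document were updated in the same commit, otherwise the prose will point at the wrong section.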
@ -515,7 +528,7 @@ init 进程拥有系统的最高权限,如果由 Init 进程 fork,exec 出
1. 主体的域的转换
2. 客体的转换
#### 4.8.1.域的转换
#### 4.7.1.域的转换
type_transition 的完整格式为:
@ -542,7 +555,7 @@ allow init_t apache_t : process transition;
allow apache_t apache_exec_t : file entrypoint;
```
#### 4.8.2.客体的转换
#### 4.7.2.客体的转换
例子:
@ -559,7 +572,7 @@ passwd_t 在 tmp_t 目录下创建文件时,该文件的类型转化为 passwd
|
如果每个转换之前都需要这样繁锁地权限声音实在很麻烦。TE里允许把这些相同的,重复使用的语句定义成一个宏,类似于函数一样。
|
### 4.8.TE 宏
如果把上面 domain 转换的例子定义成一个宏,应该定义如下:
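Review bot: the context line `如果每个转换之前都需要这样繁锁地权限声音实在很麻烦。TE里允许…` carries typos that this commit, which already touches the adjacent heading, should fix in passing: `繁锁地权限声音` should read `繁琐的权限声明`, and `TE里` should be `TE 里` to match the spacing used in `TE 宏` and `TE 文件` elsewhere on the page.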