2012년 10월 25일 목요일

공부한 나날들

New Document SE LINUX
System extras SE Android support

Folder Name
folder file
android/system/extras/ext4_utils/ Android.mk
contents.c
contents.h
make_ext4fs.c
make_ext4fs.h
make_ext4fs_main.c
mkuserimg.sh
xattr.h


유일하게 추가된 소스

#include <sys/types.h>

/* Magic number at the head of an ext4 extended-attribute block. */
#define EXT4_XATTR_MAGIC 0xEA020000
/* Name index of the "security" xattr namespace (per the macro name);
 * presumably where the SELinux file label is stored — confirm against ext4. */
#define EXT4_XATTR_INDEX_SECURITY 6

/*
 * On-disk layout of one extended-attribute entry.  The __u8/__le16/__le32
 * types come from the kernel/bionic headers; the __le* names mark the
 * fields as little-endian on disk.
 */
struct ext4_xattr_entry {
    __u8 e_name_len;      /* length of e_name in bytes */
    __u8 e_name_index;    /* namespace index, e.g. EXT4_XATTR_INDEX_SECURITY */
    __le16 e_value_offs;  /* NOTE(review): presumably the value's offset inside the xattr block — confirm */
    __le32 e_value_block; /* NOTE(review): block holding the value; semantics not visible here */
    __le32 e_value_size;  /* length of the value in bytes */
    __le32 e_hash;        /* NOTE(review): hash over the entry; algorithm not visible here */
    char e_name[0];       /* name bytes follow the fixed header (zero-length array: GNU extension, not C99 FAM) */
};

/* Entries and values are padded to EXT4_XATTR_PAD (1 << 2 == 4) bytes. */
#define EXT4_XATTR_PAD_BITS 2
#define EXT4_XATTR_PAD (1<<EXT4_XATTR_PAD_BITS)
#define EXT4_XATTR_ROUND (EXT4_XATTR_PAD-1)
/* Bytes occupied by an entry header plus a name of name_len bytes, rounded up to the pad. */
#define EXT4_XATTR_LEN(name_len) \
    (((name_len) + EXT4_XATTR_ROUND + \
    sizeof(struct ext4_xattr_entry)) & ~EXT4_XATTR_ROUND)
/* A value length rounded up to the pad. */
#define EXT4_XATTR_SIZE(size) \
    (((size) + EXT4_XATTR_ROUND) & ~EXT4_XATTR_ROUND)

파일 시스템에 뭔가 태깅을 하는 것 같다.


System core SE Android support
android/system/core/init/Android.mk#2
android/system/core/init/builtins.c#2
android/system/core/init/devices.c#2
android/system/core/init/devices.h#2
android/system/core/init/init.c#2
android/system/core/init/init.h#2
android/system/core/init/init_parser.c#2
android/system/core/init/keywords.h#2
android/system/core/init/property_service.c#2
android/system/core/init/readme.txt#2
android/system/core/init/util.c#2
android/system/core/init/util.h#2
android/system/core/rootdir/etc/init.goldfish.rc#2
android/system/core/rootdir/init.rc#2
android/system/core/toolbox/Android.mk#2
android/system/core/toolbox/chcon.c#1
android/system/core/toolbox/getenforce.c#1
android/system/core/toolbox/getsebool.c#1
android/system/core/toolbox/id.c#2
android/system/core/toolbox/load_policy.c#1
android/system/core/toolbox/ls.c#2
android/system/core/toolbox/ps.c#2
android/system/core/toolbox/restorecon.c#1
android/system/core/toolbox/runcon.c#1
android/system/core/toolbox/setenforce.c#1
android/system/core/toolbox/setsebool.c#1

추가된 파일 chcon

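#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <selinux/selinux.h>

/*
 * chcon: apply one SELinux context to every path given on the command line.
 *
 * argv[1] is the context string, argv[2..argc-1] are the paths.
 * Exit status: 1 on a usage error, 2 if a path cannot be labeled (later paths
 * are not attempted), 0 when every path was labeled.
 */
int chcon_main(int argc, char **argv)
{
    int i;

    if (argc < 3) {
        fprintf(stderr, "usage:  %s context path...\n", argv[0]);
        exit(1);
    }

    for (i = 2; i < argc; i++) {
        /* setfilecon() follows symlinks, so a link argument labels its target. */
        if (setfilecon(argv[i], argv[1]) < 0) {
            /* strerror() needs <string.h>; without it this was an implicit declaration. */
            fprintf(stderr, "%s:  Could not label %s with %s:  %s\n",
                    argv[0], argv[i], argv[1], strerror(errno));
            exit(2);
        }
    }
    exit(0);
}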



added file. getenforce.c

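#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <selinux/selinux.h>

/*
 * getenforce: print the current SELinux mode.
 *
 * Prints "Disabled" (and returns 0) when SELinux is not enabled, otherwise
 * "Enforcing" or "Permissive".  Returns 2 if the enforcing status cannot be
 * read.  Takes no arguments.
 */
int getenforce_main(int argc, char **argv)
{
    int rc;

    (void)argc;
    (void)argv;

    /* is_selinux_enabled() <= 0 covers both "disabled" and "cannot tell". */
    rc = is_selinux_enabled();
    if (rc <= 0) {
        printf("Disabled\n");
        return 0;
    }

    rc = security_getenforce();
    if (rc < 0) {
        /* strerror() needs <string.h>; without it this was an implicit declaration. */
        fprintf(stderr, "Could not get enforcing status:  %s\n",
                strerror(errno));
        return 2;
    }

    if (rc)
        printf("Enforcing\n");
    else
        printf("Permissive\n");

    return 0;
}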
added file. getsebool.c
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <getopt.h>
#include <errno.h>
#include <string.h>
#include <selinux/selinux.h>

/* Print the getsebool synopsis to stderr and exit with status 1; never returns. */
static void usage(const char *progname)
{
    /* Both invocation forms carry the program name, hence progname twice. */
    const char *synopsis = "usage:  %s -a or %s boolean...\n";

    fprintf(stderr, synopsis, progname, progname);
    exit(1);
}

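/*
 * getsebool: print the active (and, if different, pending) value of SELinux
 * booleans.
 *
 * "-a" lists every boolean the policy exposes; otherwise each remaining
 * argument names one boolean.  Returns 0 on success, 1 when SELinux is
 * disabled or the boolean list cannot be fetched, 2 on allocation failure,
 * and -1 if a boolean's value cannot be read.
 */
int getsebool_main(int argc, char **argv)
{
    int i, get_all = 0, rc = 0, active, pending, len = 0, opt;
    char **names = NULL;

    while ((opt = getopt(argc, argv, "a")) > 0) {
        switch (opt) {
        case 'a':
            /* -a takes no boolean names. */
            if (argc > 2)
                usage(argv[0]);
            if (is_selinux_enabled() <= 0) {
                fprintf(stderr, "%s:  SELinux is disabled\n",
                        argv[0]);
                return 1;
            }
            errno = 0;
            /* libselinux allocates both the array and each name; freed at out:. */
            rc = security_get_boolean_names(&names, &len);
            if (rc) {
                fprintf(stderr,
                        "%s:  Unable to get boolean names:  %s\n",
                        argv[0], strerror(errno));
                return 1;
            }
            if (!len) {
                printf("No booleans\n");
                return 0;
            }
            get_all = 1;
            break;
        default:
            usage(argv[0]);
        }
    }

    if (is_selinux_enabled() <= 0) {
        fprintf(stderr, "%s:  SELinux is disabled\n", argv[0]);
        return 1;
    }
    if (!len) {
        /* No -a: the command-line arguments are the boolean names. */
        if (argc < 2)
            usage(argv[0]);
        len = argc - 1;
        /* calloc() so the cleanup loop can free() every slot even when a
         * strdup() below fails part-way through the list. */
        names = calloc((size_t)len, sizeof *names);
        if (!names) {
            fprintf(stderr, "%s:  out of memory\n", argv[0]);
            return 2;
        }
        for (i = 0; i < len; i++) {
            names[i] = strdup(argv[i + 1]);
            if (!names[i]) {
                fprintf(stderr, "%s:  out of memory\n",
                        argv[0]);
                rc = 2;
                goto out;
            }
        }
    }

    for (i = 0; i < len; i++) {
        active = security_get_boolean_active(names[i]);
        if (active < 0) {
            /* When listing everything, silently skip booleans we may not read. */
            if (get_all && errno == EACCES)
                continue;
            fprintf(stderr, "Error getting active value for %s\n",
                    names[i]);
            rc = -1;
            goto out;
        }
        pending = security_get_boolean_pending(names[i]);
        if (pending < 0) {
            fprintf(stderr, "Error getting pending value for %s\n",
                    names[i]);
            rc = -1;
            goto out;
        }
        if (pending != active) {
            printf("%s --> %s pending: %s\n", names[i],
                   (active ? "on" : "off"),
                   (pending ? "on" : "off"));
        } else {
            printf("%s --> %s\n", names[i],
                   (active ? "on" : "off"));
        }
    }

out:
    /* Unfilled slots are NULL (calloc), and free(NULL) is a no-op. */
    for (i = 0; i < len; i++)
        free(names[i]);
    free(names);
    return rc;
}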



added file. load_policy.c

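#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <errno.h>
#include <selinux/selinux.h>

/*
 * load_policy: load a binary SELinux policy file into the kernel.
 *
 * argv[1] is the policy file.  The file is mapped read-only and handed to
 * security_load_policy().  Exit status: 1 usage, 2 open, 3 stat, 4 mmap,
 * 5 load failure, 0 success.
 */
int load_policy_main(int argc, char **argv)
{
    int fd, rc;
    struct stat sb;
    void *map;
    const char *path;

    if (argc != 2) {
        fprintf(stderr, "usage:  %s policy-file\n", argv[0]);
        exit(1);
    }

    path = argv[1];
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        fprintf(stderr, "Could not open %s:  %s\n", path, strerror(errno));
        exit(2);
    }

    /* st_size sizes both the mapping and the policy blob below. */
    if (fstat(fd, &sb) < 0) {
        fprintf(stderr, "Could not stat %s:  %s\n", path, strerror(errno));
        exit(3);
    }

    /* A zero-length file makes mmap() fail with EINVAL and is reported here. */
    map = mmap(NULL, (size_t)sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) {
        fprintf(stderr, "Could not mmap %s:  %s\n", path, strerror(errno));
        exit(4);
    }

    rc = security_load_policy(map, (size_t)sb.st_size);
    if (rc < 0) {
        fprintf(stderr, "Could not load %s:  %s\n", path, strerror(errno));
        exit(5);
    }
    munmap(map, (size_t)sb.st_size);
    close(fd);
    exit(0);
}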



restorecon

#include <unistd.h>#include <stdio.h>#include <stdlib.h>#include <errno.h>#include <sys/types.h>#include <sys/stat.h>#include <fts.h>#include <selinux/selinux.h>#include <selinux/label.h>#define FCPATH "/file_contexts"static struct selabel_handle *sehandle;
static const char *progname;
static int nochange;
static int verbose;

/* Print the restorecon synopsis to stderr and exit with status 1; never returns. */
static void usage(void)
{
    const char *synopsis = "usage:  %s [-f file_contexts] [-nrRv] pathname...\n";

    fprintf(stderr, synopsis, progname);
    exit(1);
}

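/*
 * Relabel one path according to the loaded file_contexts.
 *
 * pathname: the file to inspect; sb: its lstat() result (st_mode drives the
 * selabel lookup).  A lookup result of "<<none>>" or a label that already
 * matches leaves the file untouched.  Honours the nochange and verbose flags.
 * Returns 0 on success, -1 on any failure (an error is printed).  Both context
 * strings are released on every path; freecon(NULL) is a no-op.
 */
static int restore(const char *pathname, const struct stat *sb)
{
    char *oldcontext = NULL, *newcontext = NULL;
    int rc = -1;

    if (lgetfilecon(pathname, &oldcontext) < 0) {
        fprintf(stderr, "Could not get context of %s:  %s\n",
                pathname, strerror(errno));
        return -1;
    }
    if (selabel_lookup(sehandle, &newcontext, pathname, sb->st_mode) < 0) {
        fprintf(stderr, "Could not lookup context for %s:  %s\n", pathname,
                strerror(errno));
        goto out;
    }
    if (strcmp(newcontext, "<<none>>") &&
        strcmp(oldcontext, newcontext)) {
        if (verbose)
            printf("Relabeling %s from %s to %s.\n", pathname, oldcontext, newcontext);
        /* lsetfilecon() labels the link itself, matching the lgetfilecon() above. */
        if (!nochange && lsetfilecon(pathname, newcontext) < 0) {
            fprintf(stderr, "Could not label %s with %s:  %s\n",
                    pathname, newcontext, strerror(errno));
            goto out;
        }
    }
    rc = 0;

out:
    freecon(newcontext);
    freecon(oldcontext);
    return rc;
}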

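/*
 * restorecon: relabel paths from file_contexts.
 *
 * Options: -f file  use this file_contexts instead of FCPATH;
 *          -n       do not change anything, only report (with -v);
 *          -r/-R    recurse into directories (physical walk, symlinks not followed);
 *          -v       print each relabel.
 * Returns -1 when file_contexts cannot be loaded or the walk cannot start,
 * otherwise 0 — per-file failures are printed but do not change the status.
 */
int restorecon_main(int argc, char **argv)
{
    struct selinux_opt seopts[] = {
        { SELABEL_OPT_PATH, FCPATH }
    };
    int ch, recurse = 0, ftsflags = FTS_PHYSICAL;

    progname = argv[0];

    /* getopt() signals the end of options with -1; EOF only happens to equal it. */
    while ((ch = getopt(argc, argv, "f:nrRv")) != -1) {
        switch (ch) {
        case 'f':
            seopts[0].value = optarg;
            break;
        case 'n':
            nochange = 1;
            break;
        case 'r':
        case 'R':
            recurse = 1;
            break;
        case 'v':
            verbose = 1;
            break;
        default:
            usage();
        }
    }

    argc -= optind;
    argv += optind;
    if (!argc)
        usage();

    sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1);
    if (!sehandle) {
        fprintf(stderr, "Could not load file contexts from %s:  %s\n", seopts[0].value,
                strerror(errno));
        return -1;
    }

    if (recurse) {
        FTS *fts;
        FTSENT *ftsent;
        fts = fts_open(argv, ftsflags, NULL);
        if (!fts) {
            fprintf(stderr, "Could not traverse filesystems (first was %s):  %s\n",
                    argv[0], strerror(errno));
            selabel_close(sehandle);
            return -1;
        }
        while ((ftsent = fts_read(fts))) {
            switch (ftsent->fts_info) {
            case FTS_DP:
                /* Post-order directory visit; handled on the pre-order pass. */
                break;
            case FTS_DNR:
            case FTS_ERR:
            case FTS_NS:
                /* The failure is in fts_errno; errno may be stale by now. */
                fprintf(stderr, "Could not access %s:  %s\n", ftsent->fts_path,
                        strerror(ftsent->fts_errno));
                fts_set(fts, ftsent, FTS_SKIP);
                break;
            default:
                if (restore(ftsent->fts_path, ftsent->fts_statp) < 0)
                    fts_set(fts, ftsent, FTS_SKIP);
                break;
            }
        }
        /* fts_read() sets errno to 0 at end of traversal, non-zero on error. */
        if (errno)
            fprintf(stderr, "Traversal stopped early:  %s\n", strerror(errno));
        fts_close(fts);
    } else {
        int i, rc;
        struct stat sb;

        for (i = 0; i < argc; i++) {
            rc = lstat(argv[i], &sb);
            if (rc < 0) {
                fprintf(stderr, "Could not stat %s:  %s\n", argv[i],
                        strerror(errno));
                continue;
            }
            /* restore() prints its own error; the tool keeps going. */
            restore(argv[i], &sb);
        }
    }

    selabel_close(sehandle);
    return 0;
}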



runcon

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <selinux/selinux.h>

/*
 * runcon: execute a program under a given SELinux context.
 *
 * argv[1] is the context, argv[2..] the program and its arguments.
 * Exit status 1 on usage error, 2 if the exec context cannot be set,
 * 3 if execvp() fails; on success the process image is replaced.
 */
int runcon_main(int argc, char **argv)
{
    const char *context;
    char **cmd;

    if (argc < 3) {
        fprintf(stderr, "usage:  %s context program args...\n", argv[0]);
        exit(1);
    }

    context = argv[1];
    if (setexeccon(context) < 0) {
        fprintf(stderr, "Could not set context to %s:  %s\n", context, strerror(errno));
        exit(2);
    }

    /* Everything after the context is the command line to run. */
    cmd = argv + 2;
    execvp(cmd[0], cmd);
    /* execvp() only returns when it failed. */
    fprintf(stderr, "Could not exec %s:  %s\n", cmd[0], strerror(errno));
    exit(3);
}



setenforce

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <selinux/selinux.h>

/* Print the setenforce synopsis to stderr and exit with status 1; never returns.
 * Note: not static, so the symbol is visible to other toolbox objects. */
void usage(const char *progname)
{
    const char *synopsis = "usage:  %s [ Enforcing | Permissive | 1 | 0 ]\n";

    fprintf(stderr, synopsis, progname);
    exit(1);
}

/*
 * setenforce: switch SELinux between enforcing and permissive mode.
 *
 * argv[1] is "1"/"0" or, case-insensitively, "enforcing"/"permissive".
 * Returns 1 when SELinux is disabled, 2 when the mode cannot be set,
 * 0 on success; exits via usage() on bad arguments.
 */
int setenforce_main(int argc, char **argv)
{
    const char *mode;
    int rc = 0;

    if (argc != 2)
        usage(argv[0]);

    if (is_selinux_enabled() <= 0) {
        fprintf(stderr, "%s: SELinux is disabled\n", argv[0]);
        return 1;
    }

    mode = argv[1];
    /* A single '0' or '1' character is taken numerically. */
    if ((mode[0] == '0' || mode[0] == '1') && mode[1] == '\0') {
        rc = security_setenforce(mode[0] - '0');
    } else if (strcasecmp(mode, "enforcing") == 0) {
        rc = security_setenforce(1);
    } else if (strcasecmp(mode, "permissive") == 0) {
        rc = security_setenforce(0);
    } else {
        usage(argv[0]);
    }

    if (rc < 0) {
        fprintf(stderr, "%s:  Could not set enforcing status:  %s\n",
                argv[0], strerror(errno));
        return 2;
    }
    return 0;
}



setsebool

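#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <selinux/selinux.h>

/*
 * Parse "name=value" pairs from args[1..nargs-1] and apply them in a single
 * security_set_boolean_list() call.
 *
 * Each arg is split in place at its '=' (the argv string is modified).
 * Accepted values: 1/true/on and 0/false/off (case-insensitive words).
 * Returns 0 when SELinux is disabled or all booleans were set, -1 on a
 * malformed argument or when libselinux rejects the list.
 */
static int do_setsebool(int nargs, char **args)
{
    SELboolean *b;
    char *v;
    int i, rc = -1;

    if (is_selinux_enabled() <= 0)
        return 0;

    /* Heap rather than alloca(): nargs is caller-controlled and an
     * oversized VLA-style stack allocation cannot be detected.  Sized to
     * nargs (one spare slot) so the allocation is never zero-length. */
    b = calloc((size_t)nargs, sizeof *b);
    if (!b) {
        fprintf(stderr, "setsebool: out of memory\n");
        return -1;
    }

    for (i = 1; i < nargs; i++) {
        char *name = args[i];
        v = strchr(name, '=');
        if (!v) {
            fprintf(stderr, "setsebool: argument %s had no =\n", name);
            goto out;
        }
        *v++ = 0;
        b[i-1].name = name;
        if (!strcmp(v, "1") || !strcasecmp(v, "true") || !strcasecmp(v, "on"))
            b[i-1].value = 1;
        else if (!strcmp(v, "0") || !strcasecmp(v, "false") || !strcasecmp(v, "off"))
            b[i-1].value = 0;
        else {
            fprintf(stderr, "setsebool: invalid value %s\n", v);
            goto out;
        }
    }

    if (security_set_boolean_list(nargs - 1, b, 0) < 0) {
        fprintf(stderr, "setsebool: unable to set booleans: %s", strerror(errno));
        goto out;
    }
    rc = 0;

out:
    free(b);
    return rc;
}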

/*
 * setsebool: entry point.  Requires at least one name=value argument and
 * delegates the work to do_setsebool(); exits with status 1 on usage error.
 */
int setsebool_main(int argc, char **argv)
{
    if (argc >= 2)
        return do_setsebool(argc, argv);

    fprintf(stderr, "Usage:  %s name=value...\n", argv[0]);
    exit(1);
}



init.rc
added: setcon u:r:init:s0
added: restorecon cache
cache/recovery
/data
ueventd
added: seclabel u:r:ueventd:s0
adbd
added: seclabel u:r:adbd:s0


init.goldfish.rc
on boot
    setsebool in_qemu=1
    restorecon /sys/qemu_trace/process_name
    restorecon /sys/qemu_trace/state
    restorecon /sys/qemu_trace/symbol


util.h

/* Create a directory at path with the given mode.
 * NOTE(review): return convention (presumably 0 / -1 with errno) is not visible here — confirm in util.c. */
int make_dir(const char *path, mode_t mode);
/* Relabel pathname from file_contexts, as the restorecon tool does.
 * NOTE(review): return convention is not visible here — confirm in util.c. */
int restorecon(const char *pathname);


property_service.c

/*
 * Decide whether the caller labeled sctx may "set" the property called name.
 *
 * With SELinux enabled, the property name is mapped to a target context via
 * sehandle_prop and the access checked as class "property_service", permission
 * "set".  A missing source context, a missing property handle, or a failed
 * lookup all deny.  Returns 1 to allow, 0 to deny.  Without HAVE_SELINUX, or
 * with SELinux disabled, everything is allowed.
 */
static int check_mac_perms(const char *name, char *sctx)
{
#ifdef HAVE_SELINUX
    if (is_selinux_enabled() > 0) {
        char *tctx = NULL;
        int allowed = 0;

        /* No source context, no decision possible: deny. */
        if (!sctx)
            return 0;
        /* Property labels were never loaded: deny rather than guess. */
        if (!sehandle_prop)
            return 0;
        if (selabel_lookup(sehandle_prop, &tctx, name, 1) != 0)
            return 0;

        if (selinux_check_access(sctx, tctx, "property_service", "set", name) == 0)
            allowed = 1;

        freecon(tctx);
        return allowed;
    }
#endif
    return 1;
}

/*
 * Access check for "ctl." control messages.
 *
 * The service name is prefixed with "ctl." so the existing property-label
 * lookup can be reused without colliding with real property prefixes; the
 * composite name is then passed to check_mac_perms().  A name that does not
 * fit in the buffer is denied.  Returns 1 to allow, 0 to deny; always 1
 * without HAVE_SELINUX.
 */
static int check_control_mac_perms(const char *name, char *sctx)
{
#ifdef HAVE_SELINUX
    char ctl_name[PROP_VALUE_MAX+4];
    int written = snprintf(ctl_name, sizeof ctl_name, "ctl.%s", name);

    if (written < 0)
        return 0;
    /* snprintf() reports the untruncated length; equal-or-larger means truncation. */
    if ((size_t) written >= sizeof ctl_name)
        return 0;

    return check_mac_perms(ctl_name, sctx);
#endif
    return 1;
}



keywords.h lists all of the function names

Packages app SEAndroidManager
android/packages/apps/SEAndroidManager/Android.mk#1
android/packages/apps/SEAndroidManager/AndroidManifest.xml#1
android/packages/apps/SEAndroidManager/CleanSpec.mk#1
android/packages/apps/SEAndroidManager/NOTICE#1
android/packages/apps/SEAndroidManager/jni/Android.mk#1
android/packages/apps/SEAndroidManager/jni/exception.c#1
android/packages/apps/SEAndroidManager/jni/exception.h#1
android/packages/apps/SEAndroidManager/jni/klogctl.c#1
android/packages/apps/SEAndroidManager/jni/klogctl.h#1
android/packages/apps/SEAndroidManager/proguard.flags#1
android/packages/apps/SEAndroidManager/project.properties#1
android/packages/apps/SEAndroidManager/res/drawable-hdpi/ic_menu_moreoverflow.png#1
android/packages/apps/SEAndroidManager/res/drawable-hdpi/ic_menu_refresh.png#1
android/packages/apps/SEAndroidManager/res/drawable-ldpi/ic_menu_refresh.png#1
android/packages/apps/SEAndroidManager/res/drawable-mdpi/ic_menu_moreoverflow.png#1
android/packages/apps/SEAndroidManager/res/drawable-mdpi/ic_menu_refresh.png#1
android/packages/apps/SEAndroidManager/res/drawable-xhdpi/ic_menu_refresh.png#1
android/packages/apps/SEAndroidManager/res/layout/avc_denied_options.xml#1
android/packages/apps/SEAndroidManager/res/layout/log_denied_reader.xml#1
android/packages/apps/SEAndroidManager/res/layout/selinux_manage_booleans.xml#1
android/packages/apps/SEAndroidManager/res/layout/selinux_manage_booleans_item.xml#1
android/packages/apps/SEAndroidManager/res/menu/menu_action_bar.xml#1
android/packages/apps/SEAndroidManager/res/values/strings.xml#1
android/packages/apps/SEAndroidManager/res/xml/disabled_headers.xml#1
android/packages/apps/SEAndroidManager/res/xml/enabled_headers.xml#1
android/packages/apps/SEAndroidManager/res/xml/selinux_enforcing_fragment.xml#1
android/packages/apps/SEAndroidManager/res/xml/selinux_not_enabled.xml#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/KLogCtl.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/LogCallback.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/LogDeniedReaderFragment.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/RestoreSettings.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/SEAndroidManager.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/SELinuxBooleanFragment.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/SELinuxDisabledFragment.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/SELinuxEnforcingFragment.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/logreaders/KLogReader.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/logreaders/LogcatReader.java#1



Packages app Settings SE Android support
strings.xml
device_info_settings.xml
DeviceInfoSettings.java




android/packages/apps/Settings/res/values/strings.xml#2
android/packages/apps/Settings/res/xml/device_info_settings.xml#2
android/packages/apps/Settings/src/com/android/settings/DeviceInfoSettings.java#2




Questions
What is the prefix/suffix "con"? "con" stands for context, which applies to all objects.
