System extras SE Android support
Folder Name
folder | file |
---|---|
android/system/extras/ext4_utils/ | Android.mk contents.c contents.h make_ext4fs.c make_ext4fs.h make_ext4fs_main.c mkuserimg.sh xattr.h |
유일하게 추가된 소스
#include <sys/types.h>

/* Magic number identifying an ext4 extended-attribute block on disk. */
#define EXT4_XATTR_MAGIC 0xEA020000
/* Name index of the "security" xattr namespace (where the SELinux label lives). */
#define EXT4_XATTR_INDEX_SECURITY 6

/*
 * One extended-attribute entry header as written to the image.
 *
 * NOTE(review): the __u8/__le16/__le32 field types and their order look like a
 * copy of the kernel's struct ext4_xattr_entry; this is an on-disk format, so
 * the layout must stay byte-compatible with the target kernel — confirm against
 * the kernel header before changing anything here.
 */
struct ext4_xattr_entry {
    __u8 e_name_len;        /* length of the name bytes that follow the header */
    __u8 e_name_index;      /* namespace index, e.g. EXT4_XATTR_INDEX_SECURITY */
    __le16 e_value_offs;    /* presumably the value's offset within the block — verify against the kernel */
    __le32 e_value_block;
    __le32 e_value_size;    /* size of the attribute value */
    __le32 e_hash;
    char e_name[0];         /* zero-length array: the name is stored right after the header */
};

/* Entries and values are padded to a 4-byte (1 << 2) boundary. */
#define EXT4_XATTR_PAD_BITS 2
#define EXT4_XATTR_PAD (1<<EXT4_XATTR_PAD_BITS)
#define EXT4_XATTR_ROUND (EXT4_XATTR_PAD-1)

/* Bytes occupied by an entry header plus a name_len-byte name, rounded up to EXT4_XATTR_PAD. */
#define EXT4_XATTR_LEN(name_len) \
    (((name_len) + EXT4_XATTR_ROUND + \
    sizeof(struct ext4_xattr_entry)) & ~EXT4_XATTR_ROUND)

/* A value length rounded up to EXT4_XATTR_PAD. */
#define EXT4_XATTR_SIZE(size) \
    (((size) + EXT4_XATTR_ROUND) & ~EXT4_XATTR_ROUND)
파일 시스템에 뭔가 태깅을 하는 것 같다.
System core SE Android support
android/system/core/init/Android.mk#2
android/system/core/init/builtins.c#2
android/system/core/init/devices.c#2
android/system/core/init/devices.h#2
android/system/core/init/init.c#2
android/system/core/init/init.h#2
android/system/core/init/init_parser.c#2
android/system/core/init/keywords.h#2
android/system/core/init/property_service.c#2
android/system/core/init/readme.txt#2
android/system/core/init/util.c#2
android/system/core/init/util.h#2
android/system/core/rootdir/etc/init.goldfish.rc#2
android/system/core/rootdir/init.rc#2
android/system/core/toolbox/Android.mk#2
android/system/core/toolbox/chcon.c#1
android/system/core/toolbox/getenforce.c#1
android/system/core/toolbox/getsebool.c#1
android/system/core/toolbox/id.c#2
android/system/core/toolbox/load_policy.c#1
android/system/core/toolbox/ls.c#2
android/system/core/toolbox/ps.c#2
android/system/core/toolbox/restorecon.c#1
android/system/core/toolbox/runcon.c#1
android/system/core/toolbox/setenforce.c#1
android/system/core/toolbox/setsebool.c#1
추가된 파일 chcon
#include <unistd.h>#include <stdio.h>#include <stdlib.h>#include <errno.h>#include <selinux/selinux.h>int chcon_main(int argc, char **argv) { int rc, i; if (argc < 3) { fprintf(stderr, "usage: %s context path...\n", argv[0]); exit(1); } for (i = 2; i < argc; i++) { rc = setfilecon(argv[i], argv[1]); if (rc < 0) { fprintf(stderr, "%s: Could not label %s with %s: %s\n", argv[0], argv[i], argv[1], strerror(errno)); exit(2); } } exit(0); }
added file. getenforce.c
#include <unistd.h>#include <stdio.h>#include <stdlib.h>#include <errno.h>#include <selinux/selinux.h>int getenforce_main(int argc, char **argv) { int rc; rc = is_selinux_enabled(); if (rc <= 0) { printf("Disabled\n"); return 0; } rc = security_getenforce(); if (rc < 0) { fprintf(stderr, "Could not get enforcing status: %s\n", strerror(errno)); return 2; } if (rc) printf("Enforcing\n"); else printf("Permissive\n"); return 0; }
#include <unistd.h>#include <stdlib.h>#include <stdio.h>#include <getopt.h>#include <errno.h>#include <string.h>#include <selinux/selinux.h>static void usage(const char *progname) { fprintf(stderr, "usage: %s -a or %s boolean...\n", progname, progname); exit(1); } int getsebool_main(int argc, char **argv) { int i, get_all = 0, rc = 0, active, pending, len = 0, opt; char **names; while ((opt = getopt(argc, argv, "a")) > 0) { switch (opt) { case 'a': if (argc > 2) usage(argv[0]); if (is_selinux_enabled() <= 0) { fprintf(stderr, "%s: SELinux is disabled\n", argv[0]); return 1; } errno = 0; rc = security_get_boolean_names(&names, &len); if (rc) { fprintf(stderr, "%s: Unable to get boolean names: %s\n", argv[0], strerror(errno)); return 1; } if (!len) { printf("No booleans\n"); return 0; } get_all = 1; break; default: usage(argv[0]); } } if (is_selinux_enabled() <= 0) { fprintf(stderr, "%s: SELinux is disabled\n", argv[0]); return 1; } if (!len) { if (argc < 2) usage(argv[0]); len = argc - 1; names = malloc(sizeof(char *) * len); if (!names) { fprintf(stderr, "%s: out of memory\n", argv[0]); return 2; } for (i = 0; i < len; i++) { names[i] = strdup(argv[i + 1]); if (!names[i]) { fprintf(stderr, "%s: out of memory\n", argv[0]); return 2; } } } for (i = 0; i < len; i++) { active = security_get_boolean_active(names[i]); if (active < 0) { if (get_all && errno == EACCES) continue; fprintf(stderr, "Error getting active value for %s\n", names[i]); rc = -1; goto out; } pending = security_get_boolean_pending(names[i]); if (pending < 0) { fprintf(stderr, "Error getting pending value for %s\n", names[i]); rc = -1; goto out; } if (pending != active) { printf("%s --> %s pending: %s\n", names[i], (active ? "on" : "off"), (pending ? "on" : "off")); } else { printf("%s --> %s\n", names[i], (active ? "on" : "off")); } } out: for (i = 0; i < len; i++) free(names[i]); free(names); return rc; }
added file. load_policy.c
#include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <fcntl.h>#include <sys/stat.h>#include <sys/mman.h>#include <errno.h>#include <selinux/selinux.h>int load_policy_main(int argc, char **argv) { int fd, rc, vers; struct stat sb; void *map; const char *path; if (argc != 2) { fprintf(stderr, "usage: %s policy-file\n", argv[0]); exit(1); } path = argv[1]; fd = open(path, O_RDONLY); if (fd < 0) { fprintf(stderr, "Could not open %s: %s\n", path, strerror(errno)); exit(2); } if (fstat(fd, &sb) < 0) { fprintf(stderr, "Could not stat %s: %s\n", path, strerror(errno)); exit(3); } map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); if (map == MAP_FAILED) { fprintf(stderr, "Could not mmap %s: %s\n", path, strerror(errno)); exit(4); } rc = security_load_policy(map, sb.st_size); if (rc < 0) { fprintf(stderr, "Could not load %s: %s\n", path, strerror(errno)); exit(5); } munmap(map, sb.st_size); close(fd); exit(0); }
restorecon
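#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strcmp()/strerror() were used without a prototype */
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fts.h>
#include <selinux/selinux.h>
#include <selinux/label.h>

/* Default file_contexts location; -f overrides it. */
#define FCPATH "/file_contexts"

static struct selabel_handle *sehandle;   /* file_contexts lookup handle, opened in restorecon_main() */
static const char *progname;
static int nochange;    /* -n: report only, never relabel */
static int verbose;     /* -v: print every relabel */

/* Print the usage line and exit(1). */
static void usage(void)
{
    fprintf(stderr, "usage: %s [-f file_contexts] [-nrRv] pathname...\n", progname);
    exit(1);
}

/*
 * Relabel one path to the context file_contexts assigns to it.
 *
 * Uses lgetfilecon()/lsetfilecon(), so a symbolic link's own label is handled
 * and the link is never followed. A "<<none>>" lookup result, or a label that
 * already matches, leaves the file untouched.
 *
 * Returns 0 on success (including "nothing to do"), -1 on any failure. Every
 * context string obtained from libselinux is freed on all paths.
 */
static int restore(const char *pathname, const struct stat *sb)
{
    char *oldcontext, *newcontext;

    if (lgetfilecon(pathname, &oldcontext) < 0) {
        fprintf(stderr, "Could not get context of %s: %s\n", pathname, strerror(errno));
        return -1;
    }
    if (selabel_lookup(sehandle, &newcontext, pathname, sb->st_mode) < 0) {
        fprintf(stderr, "Could not lookup context for %s: %s\n", pathname, strerror(errno));
        freecon(oldcontext);
        return -1;
    }

    if (strcmp(newcontext, "<<none>>") && strcmp(oldcontext, newcontext)) {
        if (verbose)
            printf("Relabeling %s from %s to %s.\n", pathname, oldcontext, newcontext);
        if (!nochange && lsetfilecon(pathname, newcontext) < 0) {
            fprintf(stderr, "Could not label %s with %s: %s\n", pathname, newcontext, strerror(errno));
            freecon(oldcontext);
            freecon(newcontext);
            return -1;
        }
    }

    freecon(oldcontext);
    freecon(newcontext);
    return 0;
}

/*
 * restorecon: reset file security contexts from file_contexts.
 *
 *   -f file   read file_contexts from `file` instead of FCPATH
 *   -n        do not change any label, only report (with -v)
 *   -r, -R    recurse into directories; the walk is FTS_PHYSICAL, so
 *             symbolic links are visited as links and never followed
 *   -v        print each relabel
 *
 * Returns 0 once every path has been visited (per-path failures are reported
 * and that path or subtree skipped), -1 if file_contexts could not be loaded
 * or the tree walk could not be started.
 */
int restorecon_main(int argc, char **argv)
{
    struct selinux_opt seopts[] = {
        { SELABEL_OPT_PATH, FCPATH }
    };
    int ch, recurse = 0, ftsflags = FTS_PHYSICAL;

    progname = argv[0];
    do {
        ch = getopt(argc, argv, "f:nrRv");
        if (ch == EOF)
            break;
        switch (ch) {
        case 'f':
            seopts[0].value = optarg;
            break;
        case 'n':
            nochange = 1;
            break;
        case 'r':
        case 'R':
            recurse = 1;
            break;
        case 'v':
            verbose = 1;
            break;
        default:
            usage();
        }
    } while (1);
    argc -= optind;
    argv += optind;
    if (!argc)
        usage();

    sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1);
    if (!sehandle) {
        fprintf(stderr, "Could not load file contexts from %s: %s\n",
                seopts[0].value, strerror(errno));
        return -1;
    }

    if (recurse) {
        FTS *fts;
        FTSENT *ftsent;

        /* argv now starts at the first pathname and is still NULL-terminated. */
        fts = fts_open(argv, ftsflags, NULL);
        if (!fts) {
            fprintf(stderr, "Could not traverse filesystems (first was %s): %s\n",
                    argv[0], strerror(errno));
            selabel_close(sehandle);
            return -1;
        }
        while ((ftsent = fts_read(fts))) {
            switch (ftsent->fts_info) {
            case FTS_DP:
                /* post-order directory visit: already handled on the way down */
                break;
            case FTS_DNR:
            case FTS_ERR:
            case FTS_NS:
                /* fts reports the failure in fts_errno; errno itself may be stale here */
                fprintf(stderr, "Could not access %s: %s\n",
                        ftsent->fts_path, strerror(ftsent->fts_errno));
                fts_set(fts, ftsent, FTS_SKIP);
                break;
            default:
                if (restore(ftsent->fts_path, ftsent->fts_statp) < 0)
                    fts_set(fts, ftsent, FTS_SKIP);
                break;
            }
        }
        fts_close(fts);
    } else {
        int i, rc;
        struct stat sb;

        for (i = 0; i < argc; i++) {
            /* lstat(): operate on the link itself, matching lgetfilecon()/lsetfilecon() in restore(). */
            rc = lstat(argv[i], &sb);
            if (rc < 0) {
                fprintf(stderr, "Could not stat %s: %s\n", argv[i], strerror(errno));
                continue;
            }
            /* restore() has already reported any failure; carry on with the next path */
            restore(argv[i], &sb);
        }
    }

    selabel_close(sehandle);
    return 0;
}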
runcon
#include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <errno.h>#include <selinux/selinux.h>int runcon_main(int argc, char **argv) { int rc; if (argc < 3) { fprintf(stderr, "usage: %s context program args...\n", argv[0]); exit(1); } rc = setexeccon(argv[1]); if (rc < 0) { fprintf(stderr, "Could not set context to %s: %s\n", argv[1], strerror(errno)); exit(2); } argv += 2; argc -= 2; execvp(argv[0], argv); fprintf(stderr, "Could not exec %s: %s\n", argv[0], strerror(errno)); exit(3); }
setenforce
#include <unistd.h>#include <stdio.h>#include <stdlib.h>#include <ctype.h>#include <string.h>#include <strings.h>#include <errno.h>#include <selinux/selinux.h>void usage(const char *progname) { fprintf(stderr, "usage: %s [ Enforcing | Permissive | 1 | 0 ]\n", progname); exit(1); } int setenforce_main(int argc, char **argv) { int rc = 0; if (argc != 2) { usage(argv[0]); } if (is_selinux_enabled() <= 0) { fprintf(stderr, "%s: SELinux is disabled\n", argv[0]); return 1; } if (strlen(argv[1]) == 1 && (argv[1][0] == '0' || argv[1][0] == '1')) { rc = security_setenforce(atoi(argv[1])); } else { if (strcasecmp(argv[1], "enforcing") == 0) { rc = security_setenforce(1); } else if (strcasecmp(argv[1], "permissive") == 0) { rc = security_setenforce(0); } else usage(argv[0]); } if (rc < 0) { fprintf(stderr, "%s: Could not set enforcing status: %s\n", argv[0], strerror(errno)); return 2; } return 0; }
setsebool
#include <unistd.h>#include <stdlib.h>#include <stdio.h>#include <string.h>#include <sys/stat.h>#include <fcntl.h>#include <errno.h>#include <selinux/selinux.h>#include <errno.h>static int do_setsebool(int nargs, char **args) { SELboolean *b = alloca(nargs * sizeof(SELboolean)); char *v; int i; if (is_selinux_enabled() <= 0) return 0; for (i = 1; i < nargs; i++) { char *name = args[i]; v = strchr(name, '='); if (!v) { fprintf(stderr, "setsebool: argument %s had no =\n", name); return -1; } *v++ = 0; b[i-1].name = name; if (!strcmp(v, "1") || !strcasecmp(v, "true") || !strcasecmp(v, "on")) b[i-1].value = 1; else if (!strcmp(v, "0") || !strcasecmp(v, "false") || !strcasecmp(v, "off")) b[i-1].value = 0; else { fprintf(stderr, "setsebool: invalid value %s\n", v); return -1; } } if (security_set_boolean_list(nargs - 1, b, 0) < 0) { fprintf(stderr, "setsebool: unable to set booleans: %s", strerror(errno)); return -1; } return 0; } int setsebool_main(int argc, char **argv) { if (argc < 2) { fprintf(stderr, "Usage: %s name=value...\n", argv[0]); exit(1); } return do_setsebool(argc, argv); }
init.rc
added | setcon u:r:init:s0 | ||
added | restorecon | cache cache/recovery /data | |
ueventd | |||
---|---|---|---|
added | seclabel u:r:ueventd:s0 | ||
adbd | |||
added | seclabel u:r:adbd:s0 |
init.goldfish.rc
on boot |
---|
setsebool in_qemu=1
restorecon /sys/qemu_trace/process_name
restorecon /sys/qemu_trace/state
restorecon /sys/qemu_trace/symbol |
util.h
int make_dir(const char *path, mode_t mode); int restorecon(const char *pathname); |
---|
property_service.c
/*
 * MAC check for a property set: may the caller labeled `sctx` set the property
 * `name`? Only compiled in with HAVE_SELINUX, and only enforced when SELinux is
 * enabled at runtime; in every other case the check is a no-op that returns 1.
 *
 * Returns 1 to allow, 0 to deny. The enforced path denies by default: a NULL
 * caller context, a missing property label handle, or a failed label lookup
 * all yield 0, and only a successful AVC query sets result to 1.
 */
static int check_mac_perms(const char *name, char *sctx)
{
#ifdef HAVE_SELINUX
    if (is_selinux_enabled() > 0) {
        char *tctx = NULL;
        const char *class = "property_service", *perm = "set";
        int result = 0;

        if (!sctx)
            return 0;

        if (!sehandle_prop)
            goto err;

        /* Look up the label that policy assigns to this property name. */
        if (selabel_lookup(sehandle_prop, &tctx, name, 1) != 0)
            goto err;

        /* AVC query: sctx -> tctx : property_service { set }; `name` is
         * passed as the audit data so a denial records which property. */
        if (selinux_check_access(sctx, tctx, class, perm, name) == 0)
            result = 1;

        freecon(tctx);
err:
        /* On the goto paths tctx is still NULL (assumes selabel_lookup leaves
         * it untouched on failure — confirm), so nothing is leaked. */
        return result;
    }
#endif
    return 1;
}

/*
 * MAC check for a control message sent through the property interface
 * (presumably the ctl.* family used to start/stop services). The service name
 * is re-prefixed with "ctl." and then checked like any other property, so the
 * same label lookup applies. A name that would not fit the buffer is denied
 * rather than checked in truncated form.
 *
 * Returns 1 to allow, 0 to deny (always 1 without HAVE_SELINUX).
 */
static int check_control_mac_perms(const char *name, char *sctx)
{
#ifdef HAVE_SELINUX
    /*
     * Create a name prefix out of ctl.<service name>
     * The new prefix allows the use of the existing
     * property service backend labeling while avoiding
     * mislabels based on true property prefixes.
     */
    char ctl_name[PROP_VALUE_MAX+4];
    int ret = snprintf(ctl_name, sizeof ctl_name, "ctl.%s", name);

    /* snprintf error or truncation: fail closed */
    if (ret < 0 || (size_t) ret >= sizeof ctl_name)
        return 0;

    return check_mac_perms(ctl_name, sctx);
#endif
    return 1;
}
keywords.h has all of the function names
Packages app SEAndroidManager
android/packages/apps/SEAndroidManager/Android.mk#1
android/packages/apps/SEAndroidManager/AndroidManifest.xml#1
android/packages/apps/SEAndroidManager/CleanSpec.mk#1
android/packages/apps/SEAndroidManager/NOTICE#1
android/packages/apps/SEAndroidManager/jni/Android.mk#1
android/packages/apps/SEAndroidManager/jni/exception.c#1
android/packages/apps/SEAndroidManager/jni/exception.h#1
android/packages/apps/SEAndroidManager/jni/klogctl.c#1
android/packages/apps/SEAndroidManager/jni/klogctl.h#1
android/packages/apps/SEAndroidManager/proguard.flags#1
android/packages/apps/SEAndroidManager/project.properties#1
android/packages/apps/SEAndroidManager/res/drawable-hdpi/ic_menu_moreoverflow.png#1
android/packages/apps/SEAndroidManager/res/drawable-hdpi/ic_menu_refresh.png#1
android/packages/apps/SEAndroidManager/res/drawable-ldpi/ic_menu_refresh.png#1
android/packages/apps/SEAndroidManager/res/drawable-mdpi/ic_menu_moreoverflow.png#1
android/packages/apps/SEAndroidManager/res/drawable-mdpi/ic_menu_refresh.png#1
android/packages/apps/SEAndroidManager/res/drawable-xhdpi/ic_menu_refresh.png#1
android/packages/apps/SEAndroidManager/res/layout/avc_denied_options.xml#1
android/packages/apps/SEAndroidManager/res/layout/log_denied_reader.xml#1
android/packages/apps/SEAndroidManager/res/layout/selinux_manage_booleans.xml#1
android/packages/apps/SEAndroidManager/res/layout/selinux_manage_booleans_item.xml#1
android/packages/apps/SEAndroidManager/res/menu/menu_action_bar.xml#1
android/packages/apps/SEAndroidManager/res/values/strings.xml#1
android/packages/apps/SEAndroidManager/res/xml/disabled_headers.xml#1
android/packages/apps/SEAndroidManager/res/xml/enabled_headers.xml#1
android/packages/apps/SEAndroidManager/res/xml/selinux_enforcing_fragment.xml#1
android/packages/apps/SEAndroidManager/res/xml/selinux_not_enabled.xml#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/KLogCtl.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/LogCallback.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/LogDeniedReaderFragment.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/RestoreSettings.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/SEAndroidManager.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/SELinuxBooleanFragment.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/SELinuxDisabledFragment.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/SELinuxEnforcingFragment.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/logreaders/KLogReader.java#1
android/packages/apps/SEAndroidManager/src/com/android/seandroid_manager/logreaders/LogcatReader.java#1
Packages app Settings SE Android support
strings.xml |
---|
device_info_settings.xml |
DeviceInfoSettings.java |
android/packages/apps/Settings/res/values/strings.xml#2
android/packages/apps/Settings/res/xml/device_info_settings.xml#2
android/packages/apps/Settings/src/com/android/settings/DeviceInfoSettings.java#2
Questions
What is the prefix/suffix "con"? It stands for context, and a context here refers to all of the objects.
국정원의 댓글 공작을 지탄합니다.