file contexts and .te files

-
selinux-implementation
good-question-SO
visual_guide_to_sepolicy


Policy files

Files that end with *.te are SELinux policy source files, which define domains and their labels. You may need to create new policy files in /device/manufacturer/device-name/sepolicy, but you should try to update existing files where possible.

 Context files

Context files are where you specify labels for your objects.
  • file_contexts assigns labels to files and is used by various userspace components. As you create new policies, create or update this file to assign new labels to files. To apply new file_contexts, rebuild the filesystem image or run restorecon on the file to be relabeled. On upgrades, changes to file_contexts are automatically applied to the system and userdata partitions as part of the upgrade. Changes can also be automatically applied on upgrade to other partitions by adding restorecon_recursive calls to your init.board.rc file after the partition has been mounted read-write.
  • seapp_contexts assigns labels to app processes and /data/data directories. This configuration is read by the zygote process on each app launch and by installd during startup.
  • mac_permissions.xml assigns a seinfo tag to apps based on their signature and optionally their package name. The seinfo tag can then be used as a key in the seapp_contexts file to assign a specific label to all apps with that seinfo tag. This configuration is read by system_server during startup.

formate to understand sepolicy:

1.

file_contexts
            /dev/foo     u:object_r:source_type:s0


policy.te
           allow ​ source_type ​ ​ target_type: target_class ​ ​ permission(s)

So this means
"allow source_type to do permitted actions on target_class of target_type "

2.

file_context
          /dev/catfile      u:object_r:cat_chow:s0

cat.te
          type cat, domain
          allow cat cat_chow:food eat

"allow cat to eat food of type cat_chow "

3.

file_contexts
          /dev/mma8x5x   u:object_r:sensors_device:s0

sensors.te
          type sensors, domain
          allow sensors sensors_device:chr_file  rw_file_perms

"allow sensors to do rw on chr_file of type sensors_device"



Comments

Post a Comment

Popular posts from this blog

dev_get_platdata understanding

-
So I see this type of code in platform driver inside kernel, struct gpio_led_platform_data *pdata = dev_get_platdata(&pdev->dev); or this, struct aat2870_platform_data *pdata = dev_get_platdata(&client->dev); So how dev_ get_platdata is helping us. In device.h the definition here is, static inline void *dev_get_platdata(const struct device *dev) { return dev->platform_data; } So if I see from kernel it is always done for to get platform specific data. Like Here is a definition of platform_device, in platform_device.h struct platform_device { const char *name; int id; bool id_auto; struct device dev;  <-------------------- u32 num_resources; struct resource *resource; const struct platform_device_id *id_entry; char *driver_override; /* Driver name to force a match */ /* MFD cell pointer */ struct mfd_cell *mfd_cell; /* arch specific additions */ struct pdev_archdata archdata; }; further struct devic...
Read more

Getting started with pinctrl subsystem linux

-
A pin controller is a piece of hardware, usually a set of registers, that can control PINs. It may be able to multiplex, bias, set load capacitance, set drive strength, etc. for individual pins or groups of pins.   PINMUX   PINCONF - electronic properties e.g. high impedance, tristate, input pin to VDD or GND using a certain resistor value - pull up and pull down so that the pin has a stable value when nothing is driving the rail it is connected to, or when it’s unconnected. Pin configuration can be programmed by adding configuration entries into the mapping table     say that we have a group of pins dealing with an SPI interface on { 0, 8, 16, 24 }, and a group of pins dealing with an I2C interface on pins on { 24, 25 }.   make a group static const unsigned int spi0_pins[] = { 0, 8, 16, 24 }; static const unsigned int i2c0_pins[] = { 24, 25 }; //combine them  static const struct foo_group foo_groups[] = { { .name = "spi0_grp", ...
Read more

How to take systrace in android

-
Image
Install python 2.7 . As systrace does not support python 3.6. Python has its own package manager 'pip'. Use it to install new packages.         download python2.7 install pywin32 and six module on windows. Open power shell in C:/Python27/Scripts path,          pip install pywin32          pip install six   Above packages are not required to be installed on Ubuntu. But if you want other packages of python, we have to install python-pip, however not required for systrace.           sudo apt install python-pip        Then do pip list to see what packages are installed in Ubuntu. Install android studio        Start android studio from the downloaded android studio. That will        have a script to start an...
Read more