SELinux - is it possible to inherit from a domain?

Time: 2015-02-12 14:02:38

Tags: android android-source selinux

I am extending the Android SELinux policy to support a proprietary system service. In Android, the system_app domain is defined for privileged system applications. I want my proprietary service to have exactly the same permissions as those defined in the system_app domain, plus some additional capabilities. Is it possible to do this without changing the definition of the system_app domain or duplicating it? Is there some kind of inheritance mechanism for domains in SELinux?

1 answer:

Answer 0 (score: 3)

The SELinux policies on Android do not allow for this capability as you require (requires modification). However, if you look at how types are defined, via the keyword type, it allows one to define a new type and also assign it attributes. Another keyword, typeattribute, allows for the assignment of an attribute to a type post declaration.

For instance:

type foo, kitten, dog;

Is the same as:

type foo, dog;
typeattribute foo kitten;   # no comma between the type and its first attribute

Note that all the attributes must be declared via the attribute keyword:

attribute kitten;
attribute dog;

You can think of this, as type foo extends kitten and dog. However, system_app is a type, not an attribute, and thus cannot be extended.

At one point in time, I wished to do something very similar and tried to make all the types in the base policy application domains go away and make them attributes for this reason. It was ultimately abandoned:

https://android-review.googlesource.com/#/c/58741/

However, by applying that same idiom, you could achieve your desired outcome.
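The attribute idiom from the answer, applied to the asker's case, as an added example that is not part of the original answer or of AOSP: the base policy is edited once so that system_app's rules hang off an attribute rather than the bare type, and the vendor domain then carries that attribute plus its own rules. The names system_app_like, my_vendor_service and my_vendor_service_data_file are assumed, and the allow rules are illustrative stand-ins for the real set in system_app.te.

```selinux
# --- base policy change (this is the part that cannot be avoided) ---
# Declare an attribute to hold what used to be system_app's own rules.
attribute system_app_like;                       # assumed name, not from AOSP

# Original shape, bound to the bare type (cannot be "extended"):
#   type system_app, domain;
#   allow system_app system_data_file:dir r_dir_perms;
# Refactored shape: the type now also carries the attribute.
type system_app, domain, system_app_like;

# Every rule that named system_app now names the attribute, so any type
# that carries system_app_like receives exactly the same permissions.
# (illustrative rules; the real list lives in system_app.te)
allow system_app_like system_data_file:dir r_dir_perms;
allow system_app_like system_data_file:file r_file_perms;

# --- vendor policy ---
# The proprietary domain inherits the whole system_app_like rule set
# and adds only the extra access it needs.
type my_vendor_service, domain, system_app_like;                 # assumed name
type my_vendor_service_data_file, file_type, data_file_type;     # assumed name
allow my_vendor_service my_vendor_service_data_file:dir create_dir_perms;
allow my_vendor_service my_vendor_service_data_file:file create_file_perms;

# Equivalent late binding, if the type had already been declared elsewhere:
#   typeattribute my_vendor_service system_app_like;
```

Because neverallow rules in the base policy are evaluated against attributes as well as types, checkpolicy will reject the build if the new domain's extra rules collide with one, which is the check to run before trusting that the inherited set is still minimal.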