Contents Previous Next

Policy

The SE for Android policy sources are located under external/sepolicy. The policy consists of source files used to generate the SELinux kernel policy file, a file_contexts configuration, a property_contexts configuration, a seapp_contexts configuration, and a mac_permissions.xml configuration. The file_contexts configuration is used to label files at build time (e.g. the system partition) and at runtime (e.g. device nodes, service socket files, /data directories created by init.rc, ...). The property_contexts configuration is used to specify the security context of Android properties for permission checking purposes. The seapp_contexts configuration is used to label app processes and app package directories. The mac_permissions.xml configuration is the middleware MAC policy. The property_contexts, seapp_contexts, and mac_permissions.xml configurations are unique to SE for Android (i.e. they were not part of the regular SELinux policy).

Device-specific policy can be specified by defining BOARD_SEPOLICY* variables in a BoardConfig.mk file under the device/<vendor>/<device> or vendor/<vendor>/<device> directories. An example can be found in device/lge/hammerhead/BoardConfig.mk, which defines these variables to reference device-specific policy files under device/lge/hammerhead/sepolicy. Documentation for per-device policy can be found in external/sepolicy/README.

SELinux kernel policy is presently compiled as part of the Android build and added to the ramdisk image so that it can be loaded by init very early in boot, before mounting the system partition. Once the data partition has been mounted, policy can be updated by placing policy files under /data/security/current, and setting the selinux.reload_policy property to 1 (setprop selinux.reload_policy 1). The init.rc file sets this property from post-fs-data to reload policy from /data/security if present. Policy updates are only loaded if the /data/security/current/selinux_version file matches the /selinux_version file; this prevents loading an older policy update after an OTA. All of the policy files (i.e. selinux_version, sepolicy, *_contexts, mac_permissions.xml) must be present under /data/security/current in order for a policy update to work correctly.
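The following script is an added example and is not part of the SE for Android documentation or source tree. It applies the two loading rules stated above (all policy files present under the staging directory, and the staged selinux_version matching the one in the root filesystem) as a pre-check before asking init to reload, so a partial or stale update is caught before `setprop selinux.reload_policy 1` is issued. The staging and root directories are parameters so the check can be run off-device; on a device they are /data/security/current and /. The helper that builds a sample staging directory uses constructed, minimal entries in the formats of file_contexts, property_contexts, seapp_contexts and mac_permissions.xml described earlier on the page; the version string and the empty sepolicy file are placeholders.

```shell
#!/bin/sh
# Added example, not from the SE for Android documentation or source tree.
# Validates a staged policy update against the rules init applies: every
# policy file must be present under the staging directory and the staged
# selinux_version must match the one shipped in the root filesystem.
# On a device: STAGING_DIR=/data/security/current, ROOT_DIR=/.

# The complete file set a policy update must carry.
REQUIRED_POLICY_FILES="selinux_version sepolicy file_contexts property_contexts seapp_contexts mac_permissions.xml"

# check_policy_update STAGING_DIR ROOT_DIR
# Returns 0 when the update is loadable, 1 with a reason on stderr otherwise.
check_policy_update() {
    staging="$1"
    root="$2"
    for f in $REQUIRED_POLICY_FILES; do
        if [ ! -f "$staging/$f" ]; then
            echo "policy update rejected: missing $staging/$f" >&2
            return 1
        fi
    done
    if [ ! -f "$root/selinux_version" ]; then
        echo "policy update rejected: no $root/selinux_version to compare against" >&2
        return 1
    fi
    staged_ver=$(cat "$staging/selinux_version")
    boot_ver=$(cat "$root/selinux_version")
    if [ "$staged_ver" != "$boot_ver" ]; then
        # An update built for a different build (e.g. one left behind by an
        # OTA) is refused rather than loaded.
        echo "policy update rejected: version '$staged_ver' != '$boot_ver'" >&2
        return 1
    fi
    return 0
}

# reload_policy STAGING_DIR ROOT_DIR
# Asks init to reload only after the check passes; on a device this is the
# 'setprop selinux.reload_policy 1' step. Off-device it only reports.
reload_policy() {
    check_policy_update "$1" "$2" || return 1
    if command -v setprop >/dev/null 2>&1; then
        setprop selinux.reload_policy 1
    else
        echo "would run: setprop selinux.reload_policy 1"
    fi
}

# make_sample_staging DIR VERSION
# Builds a constructed staging directory for testing. The *_contexts and
# mac_permissions.xml contents are illustrative entries in each file's
# format; the binary sepolicy is an empty placeholder.
make_sample_staging() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' "$2" > "$dir/selinux_version"
    : > "$dir/sepolicy"
    # file_contexts: path regex -> security context
    cat > "$dir/file_contexts" <<'EOF'
/dev/binder             u:object_r:binder_device:s0
/system(/.*)?           u:object_r:system_file:s0
EOF
    # property_contexts: property prefix -> security context
    cat > "$dir/property_contexts" <<'EOF'
ro.build.               u:object_r:build_prop:s0
EOF
    # seapp_contexts: app selector -> process domain and data directory type
    cat > "$dir/seapp_contexts" <<'EOF'
user=_app domain=untrusted_app type=app_data_file
EOF
    # mac_permissions.xml: signer certificate -> seinfo tag (simplified)
    cat > "$dir/mac_permissions.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<policy>
  <signer signature="@PLATFORM"><seinfo value="platform"/></signer>
  <default><seinfo value="default"/></default>
</policy>
EOF
}

# Usage on a device (as root): sh check_policy_update.sh /data/security/current /
if [ "$#" -eq 2 ]; then
    reload_policy "$1" "$2"
fi
```

The check is deliberately stricter than only comparing versions: a staging directory that passes the version test but lacks one of the *_contexts files would otherwise be picked up as an incomplete update, which is exactly the situation the page warns about.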
