The following is the result of executing this command on an Android 8.1 emulator (a few processes that need to be modified in development, such as kernel and init, have been left out):
As you can see, there are several main processes.
Now look at the SELinux labels of the files and directories under /data/data:
There are basically two kinds of label, and a few special directories carry special labels. (Other directories use many more labels; looking only at this directory, the main point is that each app's directory carries the categories c512 and c768, which distinguish it from the other directories.)
All of these labels are defined by the SELinux security-context files. The following files define the labels of non-process objects: files, devices and services (by name).
The SELinux labels of Java-world processes are defined by the seapp_contexts file: when a Java process is started, its start-up attributes are matched against the conditions in seapp_contexts to assign the process its SELinux label.
This file defines the labelling policy for Android's default app security contexts:
These entries are matched inside selinux_android_setcontext, which is called when Zygote forks the app process.
For example, write a hello-world APK whose targetSdkVersion is >= 26, install it and start it. Its user is obviously _app and its seinfo != platform (seinfo is determined by the signing certificate), so depending on whether the compiled app's targetSdkVersion is >= 26 (an entry without this configuration, i.e. without minTargetSdkVersion=26, imposes no lower bound on the target SDK version) it will finally match this entry:
The process is then given the security context u:r:untrusted_app:s0:c512,c768 (the c512,c768 field is filled in according to levelFrom=user).
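To make the matching and the levelFrom arithmetic concrete, here is an added example (a simplified re-implementation written for this page, not the code of libselinux or of the Android project). The seapp_contexts rules embedded in it are constructed samples modelled on the untrusted_app entries of Android 8.1, and the most-specific-first ordering is an approximation of the real lookup. It goes slightly beyond the text by covering all four levelFrom values and secondary users, so you can see why the primary user's apps end up with exactly c512,c768.

```python
"""Toy model of the seapp_contexts lookup that selinux_android_setcontext
performs for a newly forked app process. Added illustration: a simplified
re-implementation, not the code of libselinux."""

# Constructed sample rules in seapp_contexts syntax, modelled on the
# untrusted_app entries of Android 8.1 (illustrative, not copied from a device).
SAMPLE_SEAPP_CONTEXTS = """
# the most specific matching entry wins; minTargetSdkVersion defaults to 0
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
"""

AID_USER_OFFSET = 100000   # uid = user_id * 100000 + app_id
AID_APP_START, AID_APP_END = 10000, 19999


def parse_seapp_contexts(text):
    """Parse key=value lines and order them most-specific first."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        rule = dict(tok.split("=", 1) for tok in line.split())
        rule.setdefault("minTargetSdkVersion", "0")   # no lower bound
        rules.append(rule)
    # Entries naming more selectors (user, seinfo) and a higher SDK bound
    # are tried before less specific ones.
    rules.sort(key=lambda r: (sum(k in r for k in ("user", "seinfo")),
                              int(r["minTargetSdkVersion"])), reverse=True)
    return rules


def mls_level(level_from, uid):
    """Category part of the context, using the arithmetic libselinux applies
    (levelFrom=user gives s0:c512,c768 for the primary user, user id 0)."""
    user_id, app_id = divmod(uid, AID_USER_OFFSET)
    app_cats = "c%u,c%u" % (app_id & 0xff, 256 + ((app_id >> 8) & 0xff))
    user_cats = "c%u,c%u" % (512 + (user_id & 0xff), 768 + ((user_id >> 8) & 0xff))
    return {"none": "s0",
            "app": "s0:" + app_cats,
            "user": "s0:" + user_cats,
            "all": "s0:%s,%s" % (app_cats, user_cats)}[level_from]


def lookup(rules, uid, seinfo, target_sdk):
    """First entry whose selectors all match; None if nothing matches."""
    _, app_id = divmod(uid, AID_USER_OFFSET)
    is_app = AID_APP_START <= app_id <= AID_APP_END
    for r in rules:
        if r.get("user") == "_app" and not is_app:
            continue
        if "seinfo" in r and r["seinfo"] != seinfo:
            continue
        if target_sdk < int(r["minTargetSdkVersion"]):
            continue
        return r
    return None


def process_context(rules, uid, seinfo, target_sdk):
    """u:r:<domain>:<level> assigned to the process at fork time."""
    r = lookup(rules, uid, seinfo, target_sdk)
    if r is None:
        return None
    return "u:r:%s:%s" % (r["domain"], mls_level(r.get("levelFrom", "none"), uid))


def data_dir_context(rules, uid, seinfo, target_sdk):
    """Label of the app's /data/data/<pkg> directory: same categories, file type."""
    r = lookup(rules, uid, seinfo, target_sdk)
    if r is None:
        return None
    return "u:object_r:%s:%s" % (r["type"], mls_level(r.get("levelFrom", "none"), uid))


if __name__ == "__main__":
    rules = parse_seapp_contexts(SAMPLE_SEAPP_CONTEXTS)
    for uid, seinfo, sdk in [(10123, "default", 26), (10123, "default", 25),
                             (10123, "platform", 25), (1010123, "default", 26)]:
        print(uid, seinfo, sdk, process_context(rules, uid, seinfo, sdk),
              data_dir_context(rules, uid, seinfo, sdk))
```

Running it shows the hello-world case from the text (uid 10123, seinfo default, targetSdkVersion 26) landing in u:r:untrusted_app:s0:c512,c768, the same app built against SDK 25 landing in untrusted_app_25, and an app of secondary user 10 receiving c522 instead of c512, which is the per-user isolation that levelFrom=user exists to provide.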
Please read the comments at the top of seapp_contexts carefully.
Some entries contain seinfo=platform, which means a process matching that entry must be signed with the platform certificate. Which certificate counts as platform is defined in the following file:
You can also define other seinfo values that correspond to different signing certificates and use them in seapp_contexts.
The labels of the other native processes mentioned above, such as logd, servicemanager, native and HAL services, and Android's other native service processes such as surfaceflinger and mediaserver, are mainly set in one of the following two ways:
The second way can be seen by taking the surfaceflinger process as an example. Its corresponding policy file:
has the following definition:
It is expanded according to its macro definition.
So the compiled init_daemon_domain(surfaceflinger)
is expanded for the first time:
For the second time:
Finally:
So for a native process started by init (a service in init.rc), the label is either specified by the seclabel command in init.rc or declared by the init_daemon_domain() macro in the corresponding .te file, in which case the process transitions from the init domain into the domain declared by init_daemon_domain().
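The three expansion stages above can be reproduced with a tiny m4-style expander. This is an added example written for this page, not code from the Android project: the macro bodies it carries are simplified stand-ins modelled on the shape of init_daemon_domain, domain_auto_trans and domain_trans in te_macros (the real definitions carry more permissions and dontaudit rules), so use it to follow the chain of rules that moves init into the surfaceflinger domain, not as a reference for the exact policy.

```python
"""Tiny m4-style macro expander showing how init_daemon_domain(surfaceflinger)
unfolds, stage by stage, into the allow/type_transition rules that let init
execute surfaceflinger_exec and transition into the surfaceflinger domain.
Added illustration; macro bodies are simplified stand-ins, not te_macros."""
import re

# Constructed macro definitions modelled on te_macros (simplified).
MACROS = {
    "init_daemon_domain": """
domain_auto_trans(init, $1_exec, $1)
""",
    "domain_auto_trans": """
domain_trans($1, $2, $3)
type_transition $1 $2:process $3;
""",
    "domain_trans": """
allow $1 $2:file { getattr open read execute };
allow $1 $3:process transition;
allow $3 $2:file { entrypoint open read execute getattr };
allow $3 $1:process sigchld;
""",
}

# A macro call whose argument list contains no nested parentheses.
CALL = re.compile(r"\b(\w+)\(([^()]*)\)")


def expand_once(text):
    """Replace every known macro call in text with its body, $n substituted."""
    def substitute(match):
        name = match.group(1)
        args = [a.strip() for a in match.group(2).split(",")]
        if name not in MACROS:
            return match.group(0)          # not a macro: leave untouched
        body = MACROS[name]
        for i, arg in enumerate(args, 1):
            body = body.replace("$%d" % i, arg)
        return body
    return CALL.sub(substitute, text)


def expand(text, max_rounds=10):
    """Expand until nothing changes; return every stage, first to last."""
    stages = [text.strip()]
    for _ in range(max_rounds):
        nxt = expand_once(stages[-1]).strip()
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages


def rules(text):
    """Split an expansion stage into its individual policy statements."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for n, stage in enumerate(expand("init_daemon_domain(surfaceflinger)")):
        print("--- stage %d ---" % n)
        print(stage)
```

The first stage prints the domain_auto_trans call, the second adds the type_transition statement, and the final stage is the flat list of allow rules: init may execute surfaceflinger_exec, init may transition to surfaceflinger, and surfaceflinger may use surfaceflinger_exec as its entrypoint, which together are exactly what makes the domain switch in the last paragraph above happen.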