CN112783573A - SELinux strategy configuration system and method for multiple user-defined services - Google Patents
SELinux strategy configuration system and method for multiple user-defined services Download PDFInfo
- Publication number
- CN112783573A CN112783573A CN202110096327.3A CN202110096327A CN112783573A CN 112783573 A CN112783573 A CN 112783573A CN 202110096327 A CN202110096327 A CN 202110096327A CN 112783573 A CN112783573 A CN 112783573A
- Authority
- CN
- China
- Prior art keywords
- attributes
- service
- file
- selinux
- custom
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims description 30
- 230000007246 mechanism Effects 0.000 claims abstract description 8
- 230000008569 process Effects 0.000 claims description 18
- 238000012423 maintenance Methods 0.000 abstract description 4
- 230000006870 function Effects 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 238000010606 normalization Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000011217 control strategy Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
- G06F9/4451—User profiles; Roaming
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a SELinux strategy configuration system for a plurality of self-defined services, wherein an attribute definition module of the SELinux strategy configuration system is used for defining attributes of android files of an android system according to a SELinux framework mechanism; the operation authority definition module is used for storing the strategy rules of the custom system service which needs to be configured in the operation authority storage file of the attributes; the service and attribute association module is used for associating the custom system service with attributes of the attributes files by using statements of the attributes assigned to the service in the files storing the policy rules of the custom system service, so that the custom system service has the corresponding attributes of the attributes files. The invention can reduce the workload of SELinux strategy rule maintenance of a plurality of self-defined system services.
Description
Technical Field
The invention relates to the technical field of computer control strategies, in particular to a SELinux strategy configuration system and a SELinux strategy configuration method for multiple user-defined services.
Background
A SELinux (Security-Enhanced Linux, a mandatory access control Security module in Linux systems) policy is a set of type-enforced (TE) policies defined together with a set of statements and rules. The rules of the method control the access authority of a host (normally running process) to objects (files, directories, sockets and the like), and mainly focus on program access control decisions. The Android platform development can not add SELinux strategy permission to the process where the module is responsible, some processes where the module is located are the original Android processes, some processes where the module is located are the new added processes of the Android system, the new added processes are generally custom system services added by developers, SELinux strategy rules of the new added processes need to be added independently, and otherwise, the operation is forbidden. For the self-defined system service, if a set of strategy rules is correspondingly added to one service, after more self-defined services are provided, the modification and maintenance of each service strategy rule are complicated, and the workload is large.
Disclosure of Invention
The invention aims to provide a system and a method for SELinux policy configuration of multiple user-defined services, which can reduce the workload of SELinux policy rule maintenance of multiple user-defined system services.
In order to achieve the purpose, the SELinux policy configuration system for multiple self-defined services, which is designed by the invention, comprises an attribute definition module, an operation authority definition module and a service and attribute association module, wherein the attribute definition module is used for defining attributes of an android system according to a SELinux framework mechanism;
the operation authority definition module is used for storing the strategy rules of the custom system service which needs to be configured in the operation authority storage file of the attributes;
the service and attribute association module is used for associating the custom system service with attributes of attributes in the file storing the policy rules of the custom system service, so that the custom system service has corresponding attributes of the attributes.
The invention has the beneficial effects that:
the invention realizes module design in selinux strategy rule configuration, simplifies work in subsequent maintenance and modification of strategy files, and is not easy to miss or make mistakes.
The advantage of modularization in the invention is function multiplexing in software development, and the code maintainability is improved. The operation authority is multiplexed, and the maintainability of the strategy rule is improved.
The invention defines the public operation authority of the user-defined service in the operation authority definition module in a centralized way, the purpose of the centralized definition of the public operation authority is to realize the multiplexing of the operation authority, when the user-defined service is associated with the attribute with the authority defined by the operation authority definition module, the operation authority of a plurality of user-defined system services can be directly modified (namely, the operation authority definition module is modified) by subsequently adding or removing the operation authorities of the user-defined system services, the strategy file corresponding to the user-defined service is not required to be modified, the operation authority can be modified only once after modularization, and if the modularization is not carried out, the modification is carried out for a plurality of times, so the configuration.
On the other hand, when the custom services are associated with the same attribute, the custom services all have the same attribute type, and the custom services can be regarded as a module or a group. When the operation rights of the services are prohibited, only the attribute types associated with the services need to be prohibited, and each service does not need to be prohibited one by one. This also reduces the configuration effort.
Drawings
FIG. 1 is a block diagram of the present invention;
fig. 2 is a schematic diagram of embodiment 1.
The system comprises a service and attribute association module, an attribute definition module, an operation authority definition module and an operation authority definition module, wherein the service and attribute association module comprises 1-an attribute definition module, 2-an operation authority definition module and 3-a service and attribute association module.
Detailed Description
The invention is described in further detail below with reference to the following figures and specific examples:
as shown in fig. 1, the SELinux policy configuration system for multiple custom services includes an attribute definition module 1, an operation authority definition module 2, and a service and attribute association module 3, where the attribute definition module 1 is configured to define attributes of an attributes file of an android system according to a SELinux framework mechanism, the attribute name of the attributes file is the same as the file name of a common SELinux policy rule, and the attribute name of the attributes file in this embodiment is defined as normal _ service;
the operation authority definition module 2 is used for storing the policy rules of the custom system service to be configured in the operation authority saving file normal _ service.te (all the operation authorities owned by the defined normal _ service attributes in the file) of the attributes, wherein the normal _ service.te is the policy file of the normal _ service attributes;
the service and attribute association module 3 is configured to associate the custom system service with attributes of attributes in a file storing policy rules of the custom system service (a service with a customized function added by a developer according to requirements), so that the custom system service has corresponding attributes of custom system service.
Each user-defined service needs corresponding operation authority, the operation authorities are defined in a policy file, one service corresponds to one policy file, and the policy files are named by service process names. The invention defines all the common operation authorities of the self-defined service in a file, namely a normal _ service.te file, which is also a strategy file.
In the technical scheme, the customized system service is a requirement customized service which is added to the android system by a developer according to requirements. Each service has its own policy rule file (the file name is the name of the service process, and the extension type is ". te"), and all the SELinux policy rules about the service are defined in the xxx.
In the above technical solution, the specific method for defining attributes of an android system by the attribute definition module 1 according to the SELinux framework mechanism is to add an attribute name at the end of the attributes file name, that is, to be an attribute normal _ service. All identifiable attributes are defined in the attributes file.
In the above technical solution, the policy rule of the customized system service is a common policy rule for all services.
In the above technical solution, the file name of the operation authority storage file of the attributes files is an extension name, te, added at the end of the attribute name of the attributes files.
In the above technical solution, the customized system service has a corresponding process name, and the file name of the policy rule of the customized system service is an extension name te added to the end of the corresponding process name. Each service in the android system is a process, and the policy file corresponding to the service is named by the process name of the service.
In the above technical solution, the association method of the custom system service and attributes of the attributes is to add an association statement into a file of a policy rule of the custom system service, where a syntax rule of the association statement is a sequential arrangement of typeattribute key words, type names and attribute names, such as typeattribute service n normal _ service. The above scheme makes the service n service have the attribute of normal _ service. The invention first declares an attribute in attribute, such as: a normal _ service attribute; then defining the function or operation authority of the attribute in normal _ service.te; and finally, the attribute is used to associate the custom service with the attribute, so that the custom service has the operation authority brought by the attribute.
the typeattribute keyword is defined by the android platform system SELinux policy language syntax. the main role of typeattribute key is to specify attributes to a service, the statements are as follows: typeattrib service n normal _ service, service n has the attribute normal _ service, and has all the operation rights defined in normal _ service.
In the above technical solution, the attribute keyword is used to define an attribute, and the attribute is defined in the attributes file.
In the above technical solution, the definition of the SELinux policy rule is determined according to the functional requirements of the user-defined service, for example, if the service needs to access a system file, the service needs to open the right of reading the system file operation, and the definition mode according to the SELinux policy language syntax is as follows:
allow service1 system_data_file:file{read}
this policy statement: allow is a policy language keyword that represents allowed intents; service1 is a custom service, system _ data _ file: file is the system file type, { read } indicates a read operation.
Definition of common attribute type: a new te file is added as follows: te, defining SELinux policy rules that are common to all custom services. Depending on the android system framework, the public attribute is defined in an attribute file of an android system directory system/strategy/public (the file is a file of the original defined attribute of the android system framework and belongs to a native file), and the definition method comprises the following steps: attribute normal _ service; attributes is a key word of the SELinux policy language and is used for declaring attributes, and the normal _ service represents an attribute type, and the type is the same as the name of the newly added normal _ service.
A SELinux strategy configuration method for a plurality of self-defined services is characterized by comprising the following steps:
step 1: defining attributes of an android system according to a SELinux framework mechanism, wherein the attribute name of the attributes is the same as the file name of a common SELinux strategy rule;
step 2: saving the strategy rules of the custom system service which needs to be configured in the operation authority saving file of attributes of the attributes;
and step 3: the self-defined system service is associated with attributes of the attributes by using statements which specify the attributes for the service in the file which stores the policy rules of the self-defined system service, so that the self-defined system service has the corresponding attributes of the.
After the three steps are completed, namely after the attributes are associated, it can be understood that all the custom system services associated with the normal _ service attributes are equivalent to being grouped, and the custom system services inherit the policy rules of the normal _ service, so that the allow statement policy rules (allow is a keyword of an SElinux policy statement and represents that a subject is allowed to perform allowed operations on an object.
Example 1: self-defining a system service strategy rule and adding an allow statement rule scene;
the scenario is uniformly defined by the allow statement policy rules of a plurality of self-defined system services. The allow statement defines the operation authority of the subject on the object, the scene self-defined system service is the subject, the same authority operation is carried out on the same object, and at the moment, a plurality of self-defined system services can be normalized into a subject normal _ service. If multiple custom services all have read rights to a1, for example:
the custom system service 1(service1) has read right to the file of A1, and the allow statement is:
allow service1 A1:file{read}
other custom system services also have read right for the file of A1, but because all the custom services are associated with the normal _ service attribute, it is not necessary to add an allow statement for each service, and only the statement allow _ service A1: file { read } is added to the normal _ service. te file, as shown in FIG. 2, at this time, the custom system services associated with the normal _ service attribute all have read right for the file of A1.
Example 2: the user-defined system service strategy rule modifies a newAllow statement rule scene;
this scenario is a nerverallow statement policy rule normalization enforcement for multiple custom system services. The newAllow statement is to prohibit the subject from performing an authorized operation on the object, for example:
neverallow domain system_file:file read
at this time, the subject is domain (indicating the process type, wherein the custom system service default is the process type), the object is system _ file, and the prohibition is sometimes required to be removed, and the removal syntax is indicated by a symbol "-", such as-normal _ service, indicating that the file read permission limitation of normal _ service on system _ file is removed.
When a plurality of self-defined system services are allowed to have the right to read the file of the system _ file, the implementation of the normal _ service can be normalized, and the statement is modified as follows:
neverallow{domain–normal_service}system_file:file read
here normalization removes normal _ service and can be effected across multiple custom system services. If normalization is not performed, the statement should be:
neverallow{domain–service1–service2……-serviceN}system_file:file read
it can be seen that the normalized statement is significantly simplified.
Details not described in this specification are within the skill of the art that are well known to those skilled in the art.
Claims (10)
1. A SELinux strategy configuration system for a plurality of custom services is characterized in that: the system comprises an attribute definition module (1), an operation authority definition module (2) and a service and attribute association module (3), wherein the attribute definition module (1) is used for defining attributes of an android system according to a SELinux framework mechanism;
the operation authority definition module (2) is used for saving the policy rules of the custom system service to be configured in the operation authority saving file of the attributes;
the service and attribute association module (3) is used for associating the custom system service with attributes of attributes in a file storing the policy rules of the custom system service, so that the custom system service has corresponding attributes of the attributes.
2. A SELinux policy configuration system for multiple custom services according to claim 1, wherein: the attribute definition module (1) adds an attribute name at the end of an attributes file name according to a specific method for defining attributes of an android system according to a SELinux framework mechanism.
3. A SELinux policy configuration system for multiple custom services according to claim 1, wherein: the policy rule of the self-defined system service is a common policy rule of all services.
4. A SELinux policy configuration system for multiple custom services according to claim 3, wherein: and adding an extension name te at the tail of the attribute name of the attributes file to the file name of the operation authority storage file of the attributes file.
5. A SELinux policy configuration system for multiple custom services according to claim 1, wherein: the custom system service has a corresponding process name, and the file name of the policy rule of the custom system service adds an extension name, te, to the end of the corresponding process name.
6. A SELinux policy configuration system for multiple custom services according to claim 1, wherein: the method for associating the custom system service with attributes of the attributes files comprises the steps of adding associated sentences into the files of the strategy rules of the custom system service, wherein the grammar rules of the associated sentences are typeattribute keywords, type names and attribute names which are sequentially arranged.
7. A SELinux policy configuration system for multiple custom services according to claim 6, further comprising: the typeattribute key is used to specify attributes.
8. A SELinux policy configuration system for multiple custom services according to claim 1, wherein: the attribute name of the attributes file is the same as the file name of the common SELinux policy rule.
9. A SELinux policy configuration system for multiple custom services according to claim 1, wherein: the attribute key is used to define an attribute, and the attribute is defined in the attributes file.
10. A SELinux strategy configuration method for a plurality of self-defined services is characterized by comprising the following steps:
step 1: defining attributes of an android system according to a SELinux framework mechanism, wherein the attribute name of the attributes is the same as the file name of a common SELinux strategy rule;
step 2: saving the strategy rules of the custom system service which needs to be configured in the operation authority saving file of attributes of the attributes;
and step 3: and associating the custom system service with attributes of the attributes files by using statements for assigning the attributes to the service in the file storing the policy rules of the custom system service, so that the custom system service has the corresponding attributes of the attributes files.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110096327.3A CN112783573A (en) | 2021-01-25 | 2021-01-25 | SELinux strategy configuration system and method for multiple user-defined services |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110096327.3A CN112783573A (en) | 2021-01-25 | 2021-01-25 | SELinux strategy configuration system and method for multiple user-defined services |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112783573A true CN112783573A (en) | 2021-05-11 |
Family
ID=75758950
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110096327.3A Pending CN112783573A (en) | 2021-01-25 | 2021-01-25 | SELinux strategy configuration system and method for multiple user-defined services |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112783573A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113568879A (en) * | 2021-09-18 | 2021-10-29 | 统信软件技术有限公司 | File attribute adding method, computing device and storage medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102592092A (en) * | 2012-01-09 | 2012-07-18 | 中标软件有限公司 | Strategy adaptation system and method based on SELinux (Security-Enhanced Linux) security subsystem |
-
2021
- 2021-01-25 CN CN202110096327.3A patent/CN112783573A/en active Pending
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102592092A (en) * | 2012-01-09 | 2012-07-18 | 中标软件有限公司 | Strategy adaptation system and method based on SELinux (Security-Enhanced Linux) security subsystem |
Non-Patent Citations (2)
| Title |
|---|
| 佚名: ""SELinux策略语言--类型强制(编写TE规则)"", 《HTTPS://BLOG.CSDN.NET/MYARROW/ARTICLE/DETAILS/10105961》 * |
| 佚名: ""简述Android中SELinux的TE"", 《HTTPS://CLOUD.TENCENT.COM/DEVELOPER/ARTICLE/1740707》 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113568879A (en) * | 2021-09-18 | 2021-10-29 | 统信软件技术有限公司 | File attribute adding method, computing device and storage medium |
| CN113568879B (en) * | 2021-09-18 | 2021-12-07 | 统信软件技术有限公司 | File attribute adding method, computing device and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US5956507A (en) | Dynamic alteration of operating system kernel resource tables | |
| Wilkes et al. | The Cambridge CAP computer and its operating system | |
| CN114096956A (en) | Method and device for representing database operation layer | |
| US5627967A (en) | Automated generation on file access control system commands in a data processing system with front end processing of a master list | |
| US5832511A (en) | Workgroup network manager for controlling the operation of workstations within the computer network | |
| US5586322A (en) | Workgroup organized network manager with workstation comparison system | |
| US6826604B2 (en) | Input/output device information management system for multi-computer system | |
| RU2377634C2 (en) | Licensing program interface | |
| CN101556634B (en) | Method and system for managing and controlling using authority of external apparatus | |
| CN101755271A (en) | Method and apparatus for managing access privilege in cldc osgi environment | |
| CN102592092A (en) | Strategy adaptation system and method based on SELinux (Security-Enhanced Linux) security subsystem | |
| CN112783573A (en) | SELinux strategy configuration system and method for multiple user-defined services | |
| CN114650170B (en) | Cross-cluster resource management method, device, equipment and storage medium | |
| CN117421329A (en) | Data processing method and device for unified data management and control, electronic equipment and medium | |
| CN110377298B (en) | Distributed cluster upgrading method and distributed cluster | |
| CN113127852B (en) | SE application management method and device based on chip card and storage medium | |
| CN114254371A (en) | Data permission processing method and device and server | |
| CN113010492A (en) | Database access method and device | |
| EP1008045B1 (en) | File system primitive allowing reprocessing of i/o requests by multiple drivers in a layered driver i/o system | |
| CN114329371B (en) | Database user authority management module | |
| CA2365687A1 (en) | Mechanism for invocation of user-defined routines in a multi-threaded database environment | |
| US20230396622A1 (en) | Application access control configuration | |
| CN118349990A (en) | Method and device for managing and controlling main behavior permission | |
| CN113886428A (en) | Business method based dynamic SQL generation method and device | |
| CN118656086A (en) | Low-code application replication method based on SaaS multi-tenant |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210511 |
|
| RJ01 | Rejection of invention patent application after publication |