DAC自主访问控制
程序员文章站
2022-03-14 20:36:02
...
DAC自主访问控制
DAC简介
- DAC(Discretinoary Access Control),自主访问控制。它是传统的Linux访问控制方式。资源所有者负责管理访问控制权限,并通过ACL(Acess Control List)管理非所有者权限。
- DAC思想:进程与其执行用户,拥有相同的权限。
- 例如:进程A,以root用户执行,进程A就拥有了root用户的权限。
- 基于DAC的安全策略,可以简单理解为常见的文件资源的读、写、执行,三个权限。
ll test.sh
#test.sh的权限为
#所有者linuo : rwx ,读写执行.
#用户组linduo: rwx,读写执行.
#其他:r-x。读执行。
-rwxrwxr-x 1 linduo linduo 40 1月 18 11:52 test.sh*
Android文件权限
- 这里配置Android系统,讲一下DAC的实际应用。
- Android也采用DAC策略,设置文件权限。
- android_filesystem_config.h 定义了AID(可以理解为UID)
// https://android.googlesource.com/platform/system/core/+/master/libcutils/include/private/android_filesystem_config.h
// system/core/include/private/android_filesystem_config.h
/*
* Copyright (C) 2007 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* This file is consumed by build/tools/fs_config and is used
* for generating various files. Anything #define AID_<name>
* becomes the mapping for getpwnam/getpwuid, etc. The <name>
* field is lowercased.
* For example:
* #define AID_FOO_BAR 6666 becomes a friendly name of "foo_bar"
*
* The above holds true with the exception of:
* mediacodec
* mediaex
* mediadrm
* Whose friendly names do not match the #define statements.
*
* Additionally, AID_OEM_RESERVED_START and AID_OEM_RESERVED_END
* can be used to define reserved OEM ranges used for sanity checks
* during the build process. The rules are, they must end with START/END
* The proper convention is incrementing a number like so:
* AID_OEM_RESERVED_START
* AID_OEM_RESERVED_1_START
* AID_OEM_RESERVED_2_START
* ...
* The same applies to the END.
* They are not required to be in order, but must not overlap each other and
* must define a START and END'ing range. START must be smaller than END.
*/
#ifndef _ANDROID_FILESYSTEM_CONFIG_H_
#define _ANDROID_FILESYSTEM_CONFIG_H_
#include <sys/types.h>
#if !defined(__ANDROID_VNDK__) && !defined(EXCLUDE_FS_CONFIG_STRUCTURES)
#include <private/fs_config.h>
#endif
/* This is the master Users and Groups config for the platform.
* DO NOT EVER RENUMBER
*/
#define AID_ROOT 0 /* traditional unix root user */
/* The following are for LTP and should only be used for testing */
#define AID_DAEMON 1 /* traditional unix daemon owner */
#define AID_BIN 2 /* traditional unix binaries owner */
#define AID_SYSTEM 1000 /* system server */
#define AID_RADIO 1001 /* telephony subsystem, RIL */
#define AID_BLUETOOTH 1002 /* bluetooth subsystem */
#define AID_GRAPHICS 1003 /* graphics devices */
#define AID_INPUT 1004 /* input devices */
#define AID_AUDIO 1005 /* audio devices */
#define AID_CAMERA 1006 /* camera devices */
#define AID_LOG 1007 /* log devices */
#define AID_COMPASS 1008 /* compass device */
#define AID_MOUNT 1009 /* mountd socket */
#define AID_WIFI 1010 /* wifi subsystem */
#define AID_ADB 1011 /* android debug bridge (adbd) */
#define AID_INSTALL 1012 /* group for installing packages */
#define AID_MEDIA 1013 /* mediaserver process */
#define AID_DHCP 1014 /* dhcp client */
#define AID_SDCARD_RW 1015 /* external storage write access */
#define AID_VPN 1016 /* vpn system */
#define AID_KEYSTORE 1017 /* keystore subsystem */
#define AID_USB 1018 /* USB devices */
#define AID_DRM 1019 /* DRM server */
#define AID_MDNSR 1020 /* MulticastDNSResponder (service discovery) */
#define AID_GPS 1021 /* GPS daemon */
#define AID_UNUSED1 1022 /* deprecated, DO NOT USE */
#define AID_MEDIA_RW 1023 /* internal media storage write access */
#define AID_MTP 1024 /* MTP USB driver access */
#define AID_UNUSED2 1025 /* deprecated, DO NOT USE */
#define AID_DRMRPC 1026 /* group for drm rpc */
#define AID_NFC 1027 /* nfc subsystem */
#define AID_SDCARD_R 1028 /* external storage read access */
#define AID_CLAT 1029 /* clat part of nat464 */
#define AID_LOOP_RADIO 1030 /* loop radio devices */
#define AID_MEDIA_DRM 1031 /* MediaDrm plugins */
#define AID_PACKAGE_INFO 1032 /* access to installed package details */
#define AID_SDCARD_PICS 1033 /* external storage photos access */
#define AID_SDCARD_AV 1034 /* external storage audio/video access */
#define AID_SDCARD_ALL 1035 /* access all users external storage */
#define AID_LOGD 1036 /* log daemon */
#define AID_SHARED_RELRO 1037 /* creator of shared GNU RELRO files */
#define AID_DBUS 1038 /* dbus-daemon IPC broker process */
#define AID_TLSDATE 1039 /* tlsdate unprivileged user */
#define AID_MEDIA_EX 1040 /* mediaextractor process */
#define AID_AUDIOSERVER 1041 /* audioserver process */
#define AID_METRICS_COLL 1042 /* metrics_collector process */
#define AID_METRICSD 1043 /* metricsd process */
#define AID_WEBSERV 1044 /* webservd process */
#define AID_DEBUGGERD 1045 /* debuggerd unprivileged user */
#define AID_MEDIA_CODEC 1046 /* mediacodec process */
#define AID_CAMERASERVER 1047 /* cameraserver process */
#define AID_FIREWALL 1048 /* firewalld process */
#define AID_TRUNKS 1049 /* trunksd process (TPM daemon) */
#define AID_NVRAM 1050 /* Access-controlled NVRAM */
#define AID_DNS 1051 /* DNS resolution daemon (system: netd) */
#define AID_DNS_TETHER 1052 /* DNS resolution daemon (tether: dnsmasq) */
#define AID_WEBVIEW_ZYGOTE 1053 /* WebView zygote process */
#define AID_VEHICLE_NETWORK 1054 /* Vehicle network service */
#define AID_MEDIA_AUDIO 1055 /* GID for audio files on internal media storage */
#define AID_MEDIA_VIDEO 1056 /* GID for video files on internal media storage */
#define AID_MEDIA_IMAGE 1057 /* GID for image files on internal media storage */
#define AID_TOMBSTONED 1058 /* tombstoned user */
#define AID_MEDIA_OBB 1059 /* GID for OBB files on internal media storage */
#define AID_ESE 1060 /* embedded secure element (eSE) subsystem */
#define AID_OTA_UPDATE 1061 /* resource tracking UID for OTA updates */
#define AID_AUTOMOTIVE_EVS 1062 /* Automotive rear and surround view system */
#define AID_LOWPAN 1063 /* LoWPAN subsystem */
#define AID_HSM 1064 /* hardware security module subsystem */
#define AID_RESERVED_DISK 1065 /* GID that has access to reserved disk space */
#define AID_STATSD 1066 /* statsd daemon */
#define AID_INCIDENTD 1067 /* incidentd daemon */
#define AID_SECURE_ELEMENT 1068 /* secure element subsystem */
#define AID_LMKD 1069 /* low memory killer daemon */
#define AID_LLKD 1070 /* live lock daemon */
#define AID_IORAPD 1071 /* input/output readahead and pin daemon */
#define AID_GPU_SERVICE 1072 /* GPU service daemon */
#define AID_NETWORK_STACK 1073 /* network stack service */
#define AID_GSID 1074 /* GSI service daemon */
/* Changes to this file must be made in AOSP, *not* in internal branches. */
#define AID_SHELL 2000 /* adb and debug shell user */
#define AID_CACHE 2001 /* cache access */
#define AID_DIAG 2002 /* access to diagnostic resources */
/* The range 2900-2999 is reserved for OEM, and must never be
* used here */
#define AID_OEM_RESERVED_START 2900
#define AID_OEM_RESERVED_END 2999
/* The 3000 series are intended for use as supplemental group id's only.
* They indicate special Android capabilities that the kernel is aware of. */
#define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */
#define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */
#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
#define AID_NET_RAW 3004 /* can create raw INET sockets */
#define AID_NET_ADMIN 3005 /* can configure interfaces and routing tables. */
#define AID_NET_BW_STATS 3006 /* read bandwidth statistics */
#define AID_NET_BW_ACCT 3007 /* change bandwidth statistics accounting */
#define AID_READPROC 3009 /* Allow /proc read access */
#define AID_WAKELOCK 3010 /* Allow system wakelock read/write access */
#define AID_UHID 3011 /* Allow read/write to /dev/uhid node */
/* The range 5000-5999 is also reserved for OEM, and must never be used here. */
#define AID_OEM_RESERVED_2_START 5000
#define AID_OEM_RESERVED_2_END 5999
#define AID_EVERYBODY 9997 /* shared between all apps in the same profile */
#define AID_MISC 9998 /* access to misc storage */
#define AID_NOBODY 9999
#define AID_APP 10000 /* TODO: switch users over to AID_APP_START */
#define AID_APP_START 10000 /* first app user */
#define AID_APP_END 19999 /* last app user */
#define AID_CACHE_GID_START 20000 /* start of gids for apps to mark cached data */
#define AID_CACHE_GID_END 29999 /* end of gids for apps to mark cached data */
#define AID_EXT_GID_START 30000 /* start of gids for apps to mark external data */
#define AID_EXT_GID_END 39999 /* end of gids for apps to mark external data */
#define AID_EXT_CACHE_GID_START 40000 /* start of gids for apps to mark external cached data */
#define AID_EXT_CACHE_GID_END 49999 /* end of gids for apps to mark external cached data */
#define AID_SHARED_GID_START 50000 /* start of gids for apps in each user to share */
#define AID_SHARED_GID_END 59999 /* end of gids for apps in each user to share */
/*
* This is a magic number in the kernel and not something that was picked
* arbitrarily. This value is returned whenever a uid that has no mapping in the
* user namespace is returned to userspace:
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/highuid.h?h=v4.4#n40
*/
#define AID_OVERFLOWUID 65534 /* unmapped user in the user namespace */
/* use the ranges below to determine whether a process is isolated */
#define AID_ISOLATED_START 90000 /* start of uids for fully isolated sandboxed processes */
#define AID_ISOLATED_END 99999 /* end of uids for fully isolated sandboxed processes */
#define AID_USER 100000 /* TODO: switch users over to AID_USER_OFFSET */
#define AID_USER_OFFSET 100000 /* offset for uid ranges for each user */
/*
* android_ids has moved to pwd/grp functionality.
* If you need to add one, the structure is now
* auto-generated based on the AID_ constraints
* documented at the top of this header file.
* Also see build/tools/fs_config for more details.
*/
#endif
- fs_config.cpp 预定义了目录的权限
// https://android.googlesource.com/platform/system/core/+/master/libcutils/fs_config.cpp
// system/core/libcutils /fs_config.cpp
/*
* Copyright (C) 2007 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <private/fs_config.h>
// This file is used to define the properties of the filesystem
// images generated by build tools (mkbootfs and mkyaffs2image) and
// by the device side of adb.
#define LOG_TAG "fs_config"
#include <errno.h>
#include <fcntl.h>
#include <fnmatch.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string>
#include <android-base/strings.h>
#include <log/log.h>
#include <private/android_filesystem_config.h>
#include <utils/Compat.h>
#ifndef O_BINARY
#define O_BINARY 0
#endif
using android::base::EndsWith;
using android::base::StartsWith;
// My kingdom for <endian.h>
static inline uint16_t get2LE(const uint8_t* src) {
return src[0] | (src[1] << 8);
}
static inline uint64_t get8LE(const uint8_t* src) {
uint32_t low, high;
low = src[0] | (src[1] << 8) | (src[2] << 16) | (src[3] << 24);
high = src[4] | (src[5] << 8) | (src[6] << 16) | (src[7] << 24);
return ((uint64_t)high << 32) | (uint64_t)low;
}
#define ALIGN(x, alignment) (((x) + ((alignment)-1)) & ~((alignment)-1))
// Rules for directories.
// These rules are applied based on "first match", so they
// should start with the most specific path and work their
// way up to the root.
// 这里!!!定义了相应目录的预定权限
static const struct fs_path_config android_dirs[] = {
// clang-format off
{ 00770, AID_SYSTEM, AID_CACHE, 0, "cache" },
{ 00555, AID_ROOT, AID_ROOT, 0, "config" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app-private" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app-ephemeral" },
{ 00771, AID_ROOT, AID_ROOT, 0, "data/dalvik-cache" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/data" },
{ 00771, AID_SHELL, AID_SHELL, 0, "data/local/tmp" },
{ 00771, AID_SHELL, AID_SHELL, 0, "data/local" },
{ 00770, AID_DHCP, AID_DHCP, 0, "data/misc/dhcp" },
{ 00771, AID_SHARED_RELRO, AID_SHARED_RELRO, 0, "data/misc/shared_relro" },
{ 01771, AID_SYSTEM, AID_MISC, 0, "data/misc" },
{ 00775, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media/Music" },
{ 00775, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media" },
{ 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest" },
{ 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest64" },
{ 00775, AID_ROOT, AID_ROOT, 0, "data/preloads" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "data" },
{ 00755, AID_ROOT, AID_SYSTEM, 0, "mnt" },
{ 00751, AID_ROOT, AID_SHELL, 0, "product/bin" },
{ 00750, AID_ROOT, AID_SHELL, 0, "sbin" },
{ 00777, AID_ROOT, AID_ROOT, 0, "sdcard" },
{ 00751, AID_ROOT, AID_SDCARD_R, 0, "storage" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/bin" },
{ 00755, AID_ROOT, AID_ROOT, 0, "system/etc/ppp" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/vendor" },
{ 00751, AID_ROOT, AID_SHELL, 0, "system/xbin" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/apex/*/bin" },
{ 00751, AID_ROOT, AID_SHELL, 0, "vendor/bin" },
{ 00755, AID_ROOT, AID_SHELL, 0, "vendor" },
{ 00755, AID_ROOT, AID_ROOT, 0, 0 },
// clang-format on
};
#ifndef __ANDROID_VNDK__
auto __for_testing_only__android_dirs = android_dirs;
#endif
// Rules for files.
// These rules are applied based on "first match", so they
// should start with the most specific path and work their
// way up to the root. Prefixes ending in * denotes wildcard
// and will allow partial matches.
static const char sys_conf_dir[] = "/system/etc/fs_config_dirs";
static const char sys_conf_file[] = "/system/etc/fs_config_files";
// No restrictions are placed on the vendor and oem file-system config files,
// although the developer is advised to restrict the scope to the /vendor or
// oem/ file-system since the intent is to provide support for customized
// portions of a separate vendor.img or oem.img. Has to remain open so that
// customization can also land on /system/vendor, /system/oem, /system/odm,
// /system/product or /system/product_services.
//
// We expect build-time checking or filtering when constructing the associated
// fs_config_* files (see build/tools/fs_config/fs_config_generate.c)
static const char ven_conf_dir[] = "/vendor/etc/fs_config_dirs";
static const char ven_conf_file[] = "/vendor/etc/fs_config_files";
static const char oem_conf_dir[] = "/oem/etc/fs_config_dirs";
static const char oem_conf_file[] = "/oem/etc/fs_config_files";
static const char odm_conf_dir[] = "/odm/etc/fs_config_dirs";
static const char odm_conf_file[] = "/odm/etc/fs_config_files";
static const char product_conf_dir[] = "/product/etc/fs_config_dirs";
static const char product_conf_file[] = "/product/etc/fs_config_files";
static const char product_services_conf_dir[] = "/product_services/etc/fs_config_dirs";
static const char product_services_conf_file[] = "/product_services/etc/fs_config_files";
static const char* conf[][2] = {
{sys_conf_file, sys_conf_dir},
{ven_conf_file, ven_conf_dir},
{oem_conf_file, oem_conf_dir},
{odm_conf_file, odm_conf_dir},
{product_conf_file, product_conf_dir},
{product_services_conf_file, product_services_conf_dir},
};
// Do not use android_files to grant Linux capabilities. Use ambient capabilities in their
// associated init.rc file instead. See https://source.android.com/devices/tech/config/ambient.
// Do not place any new vendor/, data/vendor/, etc entries in android_files.
// Vendor entries should be done via a vendor or device specific config.fs.
// See https://source.android.com/devices/tech/config/filesystem#using-file-system-capabilities
// 这里!!!定义了相应文件资源的预定权限
static const struct fs_path_config android_files[] = {
// clang-format off
{ 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app/*" },
{ 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app-ephemeral/*" },
{ 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app-private/*" },
{ 00644, AID_APP, AID_APP, 0, "data/data/*" },
{ 00644, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media/*" },
{ 00640, AID_ROOT, AID_SHELL, 0, "data/nativetest/tests.txt" },
{ 00640, AID_ROOT, AID_SHELL, 0, "data/nativetest64/tests.txt" },
{ 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest/*" },
{ 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest64/*" },
{ 00600, AID_ROOT, AID_ROOT, 0, "default.prop" }, // legacy
{ 00600, AID_ROOT, AID_ROOT, 0, "system/etc/prop.default" },
{ 00600, AID_ROOT, AID_ROOT, 0, "odm/build.prop" },
{ 00600, AID_ROOT, AID_ROOT, 0, "odm/default.prop" },
{ 00444, AID_ROOT, AID_ROOT, 0, odm_conf_dir + 1 },
{ 00444, AID_ROOT, AID_ROOT, 0, odm_conf_file + 1 },
{ 00444, AID_ROOT, AID_ROOT, 0, oem_conf_dir + 1 },
{ 00444, AID_ROOT, AID_ROOT, 0, oem_conf_file + 1 },
{ 00600, AID_ROOT, AID_ROOT, 0, "product/build.prop" },
{ 00444, AID_ROOT, AID_ROOT, 0, product_conf_dir + 1 },
{ 00444, AID_ROOT, AID_ROOT, 0, product_conf_file + 1 },
{ 00600, AID_ROOT, AID_ROOT, 0, "product_services/build.prop" },
{ 00444, AID_ROOT, AID_ROOT, 0, product_services_conf_dir + 1 },
{ 00444, AID_ROOT, AID_ROOT, 0, product_services_conf_file + 1 },
{ 00750, AID_ROOT, AID_SHELL, 0, "sbin/fs_mgr" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/bin/crash_dump32" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/bin/crash_dump64" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/bin/debuggerd" },
{ 00750, AID_ROOT, AID_ROOT, 0, "system/bin/install-recovery.sh" },
{ 00550, AID_LOGD, AID_LOGD, 0, "system/bin/logd" },
{ 00700, AID_ROOT, AID_ROOT, 0, "system/bin/secilc" },
{ 00750, AID_ROOT, AID_ROOT, 0, "system/bin/uncrypt" },
{ 00600, AID_ROOT, AID_ROOT, 0, "system/build.prop" },
{ 00444, AID_ROOT, AID_ROOT, 0, sys_conf_dir + 1 },
{ 00444, AID_ROOT, AID_ROOT, 0, sys_conf_file + 1 },
{ 00440, AID_ROOT, AID_SHELL, 0, "system/etc/init.goldfish.rc" },
{ 00550, AID_ROOT, AID_SHELL, 0, "system/etc/init.goldfish.sh" },
{ 00550, AID_ROOT, AID_SHELL, 0, "system/etc/init.ril" },
{ 00555, AID_ROOT, AID_ROOT, 0, "system/etc/ppp/*" },
{ 00555, AID_ROOT, AID_ROOT, 0, "system/etc/rc.*" },
{ 00440, AID_ROOT, AID_ROOT, 0, "system/etc/recovery.img" },
{ 00600, AID_ROOT, AID_ROOT, 0, "vendor/build.prop" },
{ 00600, AID_ROOT, AID_ROOT, 0, "vendor/default.prop" },
{ 00444, AID_ROOT, AID_ROOT, 0, ven_conf_dir + 1 },
{ 00444, AID_ROOT, AID_ROOT, 0, ven_conf_file + 1 },
// the following two files are INTENTIONALLY set-uid, but they
// are NOT included on user builds.
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
{ 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
// the following files have enhanced capabilities and ARE included
// in user builds.
{ 00700, AID_SYSTEM, AID_SHELL, CAP_MASK_LONG(CAP_BLOCK_SUSPEND),
"system/bin/inputflinger" },
{ 00750, AID_ROOT, AID_SHELL, CAP_MASK_LONG(CAP_SETUID) |
CAP_MASK_LONG(CAP_SETGID),
"system/bin/run-as" },
{ 00750, AID_ROOT, AID_SHELL, CAP_MASK_LONG(CAP_SETUID) |
CAP_MASK_LONG(CAP_SETGID),
"system/bin/simpleperf_app_runner" },
// Support FIFO scheduling mode in SurfaceFlinger.
{ 00755, AID_SYSTEM, AID_GRAPHICS, CAP_MASK_LONG(CAP_SYS_NICE),
"system/bin/surfaceflinger" },
// generic defaults
{ 00755, AID_ROOT, AID_ROOT, 0, "bin/*" },
{ 00640, AID_ROOT, AID_SHELL, 0, "fstab.*" },
{ 00750, AID_ROOT, AID_SHELL, 0, "init*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "product/bin/*" },
{ 00750, AID_ROOT, AID_SHELL, 0, "sbin/*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/bin/*" },
{ 00755, AID_ROOT, AID_ROOT, 0, "system/lib/valgrind/*" },
{ 00755, AID_ROOT, AID_ROOT, 0, "system/lib64/valgrind/*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/xbin/*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/apex/*/bin/*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "vendor/bin/*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "vendor/xbin/*" },
{ 00644, AID_ROOT, AID_ROOT, 0, 0 },
// clang-format on
};
#ifndef __ANDROID_VNDK__
auto __for_testing_only__android_files = android_files;
#endif
static size_t strip(const char* path, size_t len, const char suffix[]) {
if (len < strlen(suffix)) return len;
if (strncmp(path + len - strlen(suffix), suffix, strlen(suffix))) return len;
return len - strlen(suffix);
}
static int fs_config_open(int dir, int which, const char* target_out_path) {
int fd = -1;
if (target_out_path && *target_out_path) {
// target_out_path is the path to the directory holding content of
// system partition but as we cannot guarantee it ends with '/system'
// or with or without a trailing slash, need to strip them carefully.
char* name = NULL;
size_t len = strlen(target_out_path);
len = strip(target_out_path, len, "/");
len = strip(target_out_path, len, "/system");
if (asprintf(&name, "%.*s%s", (int)len, target_out_path, conf[which][dir]) != -1) {
fd = TEMP_FAILURE_RETRY(open(name, O_RDONLY | O_BINARY));
free(name);
}
}
if (fd < 0) {
fd = TEMP_FAILURE_RETRY(open(conf[which][dir], O_RDONLY | O_BINARY));
}
return fd;
}
// if path is "odm/<stuff>", "oem/<stuff>", "product/<stuff>",
// "product_services/<stuff>" or "vendor/<stuff>"
static bool is_partition(const std::string& path) {
static const char* partitions[] = {"odm/", "oem/", "product/", "product_services/", "vendor/"};
for (size_t i = 0; i < (sizeof(partitions) / sizeof(partitions[0])); ++i) {
if (StartsWith(path, partitions[i])) return true;
}
return false;
}
// alias prefixes of "<partition>/<stuff>" to "system/<partition>/<stuff>" or
// "system/<partition>/<stuff>" to "<partition>/<stuff>"
static bool fs_config_cmp(bool dir, const char* prefix, size_t len, const char* path, size_t plen) {
std::string pattern(prefix, len);
std::string input(path, plen);
// Massage pattern and input so that they can be used by fnmatch where
// directories have to end with /.
if (dir) {
if (!EndsWith(input, "/")) {
input.append("/");
}
if (!EndsWith(pattern, "/*")) {
if (EndsWith(pattern, "/")) {
pattern.append("*");
} else {
pattern.append("/*");
}
}
}
// no FNM_PATHNAME is set in order to match a/b/c/d with a/*
// FNM_ESCAPE is set in order to prevent using \\? and \\* and maintenance issues.
const int fnm_flags = FNM_NOESCAPE;
if (fnmatch(pattern.c_str(), input.c_str(), fnm_flags) == 0) return true;
static constexpr const char* kSystem = "system/";
if (StartsWith(input, kSystem)) {
input.erase(0, strlen(kSystem));
} else if (input.size() <= strlen(kSystem)) {
return false;
} else if (StartsWith(pattern, kSystem)) {
pattern.erase(0, strlen(kSystem));
} else {
return false;
}
if (!is_partition(pattern)) return false;
if (!is_partition(input)) return false;
return fnmatch(pattern.c_str(), input.c_str(), fnm_flags) == 0;
}
#ifndef __ANDROID_VNDK__
auto __for_testing_only__fs_config_cmp = fs_config_cmp;
#endif
void fs_config(const char* path, int dir, const char* target_out_path, unsigned* uid, unsigned* gid,
unsigned* mode, uint64_t* capabilities) {
const struct fs_path_config* pc;
size_t which, plen;
if (path[0] == '/') {
path++;
}
plen = strlen(path);
for (which = 0; which < (sizeof(conf) / sizeof(conf[0])); ++which) {
struct fs_path_config_from_file header;
int fd = fs_config_open(dir, which, target_out_path);
if (fd < 0) continue;
while (TEMP_FAILURE_RETRY(read(fd, &header, sizeof(header))) == sizeof(header)) {
char* prefix;
uint16_t host_len = get2LE((const uint8_t*)&header.len);
ssize_t len, remainder = host_len - sizeof(header);
if (remainder <= 0) {
ALOGE("%s len is corrupted", conf[which][dir]);
break;
}
prefix = static_cast<char*>(calloc(1, remainder));
if (!prefix) {
ALOGE("%s out of memory", conf[which][dir]);
break;
}
if (TEMP_FAILURE_RETRY(read(fd, prefix, remainder)) != remainder) {
free(prefix);
ALOGE("%s prefix is truncated", conf[which][dir]);
break;
}
len = strnlen(prefix, remainder);
if (len >= remainder) { // missing a terminating null
free(prefix);
ALOGE("%s is corrupted", conf[which][dir]);
break;
}
if (fs_config_cmp(dir, prefix, len, path, plen)) {
free(prefix);
close(fd);
*uid = get2LE((const uint8_t*)&(header.uid));
*gid = get2LE((const uint8_t*)&(header.gid));
*mode = (*mode & (~07777)) | get2LE((const uint8_t*)&(header.mode));
*capabilities = get8LE((const uint8_t*)&(header.capabilities));
return;
}
free(prefix);
}
close(fd);
}
for (pc = dir ? android_dirs : android_files; pc->prefix; pc++) {
if (fs_config_cmp(dir, pc->prefix, strlen(pc->prefix), path, plen)) {
break;
}
}
*uid = pc->uid;
*gid = pc->gid;
*mode = (*mode & (~07777)) | pc->mode;
*capabilities = pc->capabilities;
}
ssize_t fs_config_generate(char* buffer, size_t length, const struct fs_path_config* pc) {
struct fs_path_config_from_file* p = (struct fs_path_config_from_file*)buffer;
size_t len = ALIGN(sizeof(*p) + strlen(pc->prefix) + 1, sizeof(uint64_t));
if ((length < len) || (len > UINT16_MAX)) {
return -ENOSPC;
}
memset(p, 0, len);
uint16_t host_len = len;
p->len = get2LE((const uint8_t*)&host_len);
p->mode = get2LE((const uint8_t*)&(pc->mode));
p->uid = get2LE((const uint8_t*)&(pc->uid));
p->gid = get2LE((const uint8_t*)&(pc->gid));
p->capabilities = get8LE((const uint8_t*)&(pc->capabilities));
strcpy(p->prefix, pc->prefix);
return len;
}
- Android在编译时,通过mkbootfs等命令,读取上述预设配置,预设这些目录的初始访问权限。例如
// 设置data/app/目录下所有内容的权限为
// 所有者 AID_SYSTEM : 读4 + 写2,权限
// 所有者组AID_SYSTEM: 读权限
// 其他人: 读权限
// 0表示Capability,这里不介绍
{ 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app/*" },
- 另外,在android kernel启动后,会通过init进程,完成对设备文件(ueventd.rc)、其他资源(init.rc)的配置。其基本配置政策,也是遵循DAC的。
# ueventdt.rc
# 这里截取一段
...
# these should not be world writable
/dev/uhid 0660 uhid uhid
/dev/uinput 0660 uhid uhid
/dev/rtc0 0640 system system
/dev/tty0 0660 root system
/dev/graphics/* 0660 root graphics
/dev/input/* 0660 root input
/dev/v4l-touch* 0660 root input
/dev/snd/* 0660 system audio
/dev/bus/usb/* 0660 root usb
/dev/mtp_usb 0660 root mtp
/dev/usb_accessory 0660 root usb
/dev/tun 0660 system vpn
...
推荐阅读