Stephen Smalley | f6a95b9 | 2015-02-19 15:19:53 -0500

This directory contains a small port of libselinux for Android.
It was originally forked in mid-2011, circa libselinux 2.1.0.
Some changes have been cherry-picked from the upstream libselinux.
Upstream git repository is https://github.com/SELinuxProject/selinux
(libselinux subdirectory) and official releases are available from
https://github.com/SELinuxProject/selinux/wiki/Releases.

This fork differs from upstream libselinux in at least the following ways:

* Dependencies on glibc-specific features have been removed/replaced
  in order to work with bionic,

* Legacy code and compatibility interfaces have been removed,

* Many interfaces, functions, and files are omitted since they are
  unused in Android,

* The Python bindings are omitted since they are unused in Android,

* The setrans (context translation) support has been removed since
  there is no need for MLS label translation in Android and the support
  imposes extra overhead on calls passing security contexts,

* The SELinux policy files are all located in / rather than under
  /etc/selinux, since /etc is not available in Android until /system
  is mounted, and they use fixed paths that do not depend on
  /etc/selinux/config,

* The kernel policy file (sepolicy in Android, policy.N in Linux) does
  not include a version suffix since Android does not need to support
  booting multiple kernels,

* The policy loading logic does not support automatic downgrading of
  the kernel policy file to a version known to the kernel, since this
  requires libsepol on the device and is only needed to support mixing
  and matching kernels and userspace easily,

* The selabel interface and label_file backend have been extended to
  support label-by-symlink and partial matching, for use by ueventd
  in labeling device nodes based on stable symlink names and by init for
  optimizing its restorecon_recursive of /sys,

* Since the fork, upstream libselinux has switched the label_file
  backend to use a binary version of the file_contexts file
  (file_contexts.bin) that contains precompiled versions of the pcre
  regexes. This reduces the time to load the file_contexts
  configuration, which in Linux can be significant due to the large
  number of entries (> 5000). As Android has far fewer entries (~400),
  this has not yet seemed necessary.

* restorecon functionality, including recursive restorecon, has been
  fully implemented within new libselinux functions, along with optimizations
  to prune the tree walk if no change has occurred in file_contexts since
  the last restorecon,

* Support for new Android-specific SELinux configuration files, such
  as seapp_contexts, property_contexts, and service_contexts, has been
  added.

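The partial-matching idea from the selabel item above, as an added C example that is not this fork's code: it approximates regex partial matching with each entry's literal prefix and always answers in the conservative direction, so a subtree that could hold a matching path is never skipped. The sample entries and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample entries in file_contexts regex syntax (not from AOSP). */
static const char *const SAMPLE_SPECS[] = {
    "/sys/devices/system/cpu(/.*)?",
    "/sys/class/rfkill/rfkill[0-9]*/state",
    "/sys/kernel/debug(/.*)?",
};
#define N_SPECS (sizeof(SAMPLE_SPECS) / sizeof(SAMPLE_SPECS[0]))

/* Length of the literal text every match of `re` must start with.
 * Stops at the first metacharacter; if that is a quantifier, the character
 * before it is optional or repeated, so it is dropped from the stem.
 * Any '|' may offer an alternative with a different prefix: stem is empty. */
size_t literal_stem_len(const char *re)
{
    if (strchr(re, '|'))
        return 0;
    size_t n = strcspn(re, ".^$?*+|[](){}\\");
    if (n > 0 && re[n] != '\0' && strchr("?*+{", re[n]))
        n--;
    return n;
}

/* 1 if a path at or below `dir` could match `re`; 0 means no match is
 * possible. Any match starts with the stem and any path below `dir` starts
 * with `dir`, so one must be a prefix of the other. Errs toward 1. */
int may_match_below(const char *re, const char *dir)
{
    size_t stem = literal_stem_len(re), dlen = strlen(dir);
    return strncmp(re, dir, stem < dlen ? stem : dlen) == 0;
}

/* A recursive relabel may skip `dir` only when no entry can match below it. */
int subtree_needs_walk(const char *dir)
{
    for (size_t i = 0; i < N_SPECS; i++)
        if (may_match_below(SAMPLE_SPECS[i], dir))
            return 1;
    return 0;
}

int main(void)
{
    const char *dirs[] = { "/sys/devices", "/sys/class/rfkill", "/sys/fs" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s %s\n", dirs[i], subtree_needs_walk(dirs[i]) ? "walk" : "prune");
    return 0;
}
```

A wrong "prune" answer leaves files under that directory with stale labels, which is why every uncertain case here resolves to "walk".
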
New files added for Android:
* libselinux/include/selinux/android.h
* libselinux/src/android.c
* libselinux/src/label_android_property.c (later added upstream)