SELinux在系统级增加了强制访问控制，每个VFS node均在Security Server的控制之中。IPC是系统的重要功能，未经授权的使用均会给系统带来安全隐患，所以本文重点对SEAndroid在IPC中安全功能进行分析，作为Android的主要通信工具socket和binder，在SEAndroid均增加了权限的控制，下面分别对两个进行简要的分析。
一、        binder
为了增加binder的权限控制，首先在kernel的policy中增加一个class，并且增加了几个方法，

{ "binder", { "impersonate", "call", "set_context_mgr", "transfer", "receive"} },

# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
# First we receive a Binder ref to the server, then we call it.
allow $1 $2:binder { receive call };
# Receive and use open files from the server.
allow $1 $2:fd use;')

.binder_set_context_mgr =	selinux_binder_set_context_mgr,
.binder_transaction =		selinux_binder_transaction,
.binder_transfer_binder =	selinux_binder_transfer_binder,
.binder_transfer_file =		selinux_binder_transfer_file,

static int selinux_binder_set_context_mgr(struct task_struct *mgr)
{
	u32 mysid = current_sid();
	u32 mgrsid = task_sid(mgr);
	return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, BINDER__SET_CONTEXT_MGR, NULL);
}

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！