From f6a95b9827b0ce8f05dec4ad47f8e466c8683314 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Thu, 19 Feb 2015 15:19:53 -0500
Subject: libselinux: Add a README.android file.

Add a README.android file to libselinux explaining how it relates to upstream, how it differs, and which new files were added.

Change-Id: I113f7fac5ed6a3f37fd65ce790fd59b2496998cc
Signed-off-by: Stephen Smalley
---
 README.android | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 README.android

diff --git a/README.android b/README.android
new file mode 100644
index 0000000..e01f889
--- /dev/null
+++ b/README.android
@@ -0,0 +1,62 @@ +This directory contains a small port of libselinux for Android. +It was originally forked in mid-2011, circa libselinux 2.1.0. +Some changes have been cherry-picked from the upstream libselinux. +Upstream git repository is https://github.com/SELinuxProject/selinux +(libselinux subdirectory) and official releases are available from +https://github.com/SELinuxProject/selinux/wiki/Releases. + +This fork differs from upstream libselinux in at least the following ways: + +* Dependencies on glibc-specific features have been removed/replaced +in order to work with bionic, + +* Legacy code and compatibility interfaces have been removed, + +* Many interfaces, functions, and files are omitted since they are +unused in Android, + +* The python bindings are omitted since they are unused in Android, + +* The setrans (context translation) support has been removed since +there is no need for MLS label translation in Android and the support +imposes extra overhead on calls passing security contexts, + +* The SELinux policy files are all located in / rather than under +/etc/selinux since /etc is not available in Android until /system +is mounted and use fixed paths, not dependent on /etc/selinux/config, + +* The kernel policy file (sepolicy in Android, policy.N in Linux) does +not include a version suffix since Android does not need to support +booting multiple kernels, + +* The policy loading logic does not support automatic downgrading of +the kernel policy file to a version known to the kernel, since this +requires libsepol on the device and is only needed to support mixing +and matching kernels and userspace easily, + +* The selabel interface and label_file backend have been extended to +support label-by-symlink and partial matching support for use by ueventd +in labeling device nodes based on stable symlink names and by init for +optimizing its restorecon_recursive of /sys, + +* Since the fork, upstream libselinux has switched the label_file +backend to use a 
binary version of the file_contexts file +(file_contexts.bin) that contains precompiled versions of the pcre +regexes. This reduces the time to load the file_contexts +configuration, which in Linux can be significant due to the large +number of entries (> 5000). As Android has far fewer entries (~400), +this has not yet seemed necessary. + +* restorecon functionality, including recursive restorecon, has been +fully implemented within new libselinux functions, along with optimizations +to prune the tree walk if no change has occurred in file_contexts since +the last restorecon, + +* Support for new Android-specific SELinux configuration files, such +as seapp_contexts, property_contexts, and service_contexts, has been +added. + +New files added for Android: +* libselinux/include/selinux/android.h +* libselinux/src/android.c +* libselinux/src/label_android_property.c (later added upstream) -- cgit v1.2.3
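Review bot: the restorecon bullet ("optimizations to prune the tree walk if no change has occurred in file_contexts since the last restorecon") should say how that condition is detected, because this README is the only place a reader of the Android fork will look for it; as written one cannot tell what is compared, where the record of the last restorecon is kept, or whether a policy change that leaves file_contexts untouched still forces a full walk of /sys. Two smaller points in the same list: the bullets mix trailing commas and trailing periods ("in order to work with bionic," vs "has been added."), and the /etc/selinux bullet is a run-on in which "and use fixed paths, not dependent on /etc/selinux/config" has no clear subject; suggest splitting it, e.g. "... since /etc is not available in Android until /system is mounted. The paths are fixed and do not depend on /etc/selinux/config."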