Exploring SE for Android

www.it-ebooks.info
www.it-ebooks.info
ExploringSEforAndroid
www.it-ebooks.info
TableofContents
ExploringSEforAndroid
Credits
Foreword
AbouttheAuthors
AbouttheReviewers
www.PacktPub.com
Supportfiles,eBooks,discountoffers,andmore
Whysubscribe?
FreeaccessforPacktaccountholders
Preface
Whatthisbookcovers
Whatyouneedforthisbook
Whothisbookisfor
Conventions
Readerfeedback
Customersupport
Downloadingtheexamplecode
Errata
Piracy
Questions
1.LinuxAccessControls
Changingpermissionbits
Changingownersandgroups
Thecaseformore
Capabilitiesmodel
Android’suseofDAC
GlancingatAndroidvulnerabilities
Skypevulnerability
GingerBreak
www.it-ebooks.info
Rageagainstthecage
MotoChopper
Summary
2.MandatoryAccessControlsandSELinux
Gettingbacktothebasics
Labels
Users
Roles
Types
Accessvectors
Multilevelsecurity
Puttingittogether
Complexitiesandbestpractices
Summary
3.AndroidIsWeird
Android’ssecuritymodel
Binder
Binder’sarchitecture
Binderandsecurity
Zygote–applicationspawn
Thepropertyservice
Summary
4.InstallationontheUDOO
Retrievingthesource
FlashingimageonanSDcard
UDOOserialandAndroidDebugBridge
Flippingtheswitch
It’salive
Summary
5.BootingtheSystem
Policyload
www.it-ebooks.info
Fixingthepolicyversion
Summary
6.ExploringSELinuxFS
Locatingthefilesystem
Interrogatingthefilesystem
Theenforcenode
Thedisablefileinterface
Thepolicyfile
Thenullfile
Themlsfile
Thestatusfile
AccessVectorCache
Thebooleansdirectory
Theclassdirectory
Theinitial_contextsdirectory
Thepolicy_capabilitiesdirectory
ProcFS
JavaSELinuxAPI
Summary
7.UtilizingAuditLogs
Upgrades–patchesgalore
Theauditsystem
Theauditddaemon
Auditdinternals
InterpretingSELinuxdeniallogs
Contexts
Summary
8.ApplyingContextstoFiles
Labelingfilesystems
fs_use
fs_task_use
www.it-ebooks.info
fs_use_trans
genfscon
Mountoptions
Labelingwithextendedattributes
Thefile_contextsfile
Dynamictypetransitions
Examplesandtools
Fixingup/data
Asidenoteonsecurity
Summary
9.AddingServicestoDomains
Init–thekingofdaemons
Dynamicdomaintransitions
Explicitcontextsviaseclabel
Relabelingprocesses
Limitationsonapplabeling
Summary
10.PlacingApplicationsinDomains
Thecasetosecurethezygote
Fortifyingthezygote
Plumbingthezygotesocket
Themac_permissions.xmlfile
keys.conf
seapp_contexts
Summary
11.LabelingProperties
Labelingviaproperty_contexts
Permissionsonproperties
Relabelingexistingproperties
Creatingandlabelingnewproperties
Specialproperties
www.it-ebooks.info
Controlproperties
Persistentproperties
SELinuxproperties
Summary
12.MasteringtheToolChain
Buildingsubcomponents–targetsandprojects
Exploringsepolicy’sAndroid.mk
Buildingsepolicy
Controllingthepolicybuild
Diggingdeeperintobuild_policy
Buildingmac_permissions.xml
Buildingseapp_contexts
Buildingfile_contexts
Buildingproperty_contexts
CurrentNSAresearchfiles
Standalonetools
sepolicy-check
sepolicy-analyze
Summary
13.GettingtoEnforcingMode
UpdatingtoSEPolicymaster
Purgingthedevice
SettingupCTS
RunningCTS
Gatheringtheresults
CTStestresults
Auditlogs
Authoringdevicepolicy
adbd
bootanim
debuggerd
www.it-ebooks.info
drmserver
dumpstate
installd
keystore
mediaserver
netd
rild
servicemanager
surfaceflinger
system_server
toolbox
untrusted_app
vold
watchdogd
wpa
Secondpolicypass
init
shell
init_shell.te
Fieldtrials
Goingenforcing
Summary
A.TheDevelopmentEnvironment
VirtualBox
UbuntuLinux12.04(precisepangolin)
VirtualBoxextensionpackandguestadditions
VirtualBoxextensionpack
VirtualBoxguestadditions
Savetimewithsharedfolders
Thebuildenvironment
OracleJava6
www.it-ebooks.info
Summary
Index
www.it-ebooks.info
www.it-ebooks.info
ExploringSEforAndroid
www.it-ebooks.info
www.it-ebooks.info
ExploringSEforAndroid
Copyright©2015PacktPublishing
Allrightsreserved.Nopartofthisbookmaybereproduced,storedinaretrievalsystem,
ortransmittedinanyformorbyanymeans,withoutthepriorwrittenpermissionofthe
publisher,exceptinthecaseofbriefquotationsembeddedincriticalarticlesorreviews.
Everyefforthasbeenmadeinthepreparationofthisbooktoensuretheaccuracyofthe
informationpresented.However,theinformationcontainedinthisbookissoldwithout
warranty,eitherexpressorimplied.Neithertheauthors,norPacktPublishing,andits
dealersanddistributorswillbeheldliableforanydamagescausedorallegedtobecaused
directlyorindirectlybythisbook.
PacktPublishinghasendeavoredtoprovidetrademarkinformationaboutallofthe
companiesandproductsmentionedinthisbookbytheappropriateuseofcapitals.
However,PacktPublishingcannotguaranteetheaccuracyofthisinformation.
Firstpublished:February2015
Productionreference:1190215
PublishedbyPacktPublishingLtd.
LiveryPlace
35LiveryStreet
BirminghamB32PB,UK.
ISBN978-1-78439-059-4
www.packtpub.com
www.it-ebooks.info
www.it-ebooks.info
Credits
Authors
WilliamConfer
WilliamRoberts
Reviewers
JoshuaBrindle
HiromuYakura
CommissioningEditor
UshaIyer
AcquisitionEditor
ReshmaRaman
ContentDevelopmentEditor
ArvindKoul
TechnicalEditor
ShinyPoojary
CopyEditors
ShivangiChaturvedi
VikrantPhadke
NehaVyas
ProjectCoordinator
NehaBhatnagar
Proofreaders
PaulHindle
StephenSilk
Indexer
PriyaSane
ProductionCoordinator
ConidonMiranda
CoverWork
ConidonMiranda
www.it-ebooks.info
www.it-ebooks.info
Foreword
ThefirsttalkofSELinuxonAndroidstartedalmostassoonasAndroidwasannounced.
Theinterestatthattimewasmainlyshownbyacademiccirclesanddevelopersof
SELinuxitself.AsalongtimeuserofSELinuxinserverdeployments,Iknewitsbenefits
fromasecuritypointofviewandalsoknewhowmuchAndroidcouldbenefitfromthem.
Atthattime,ImayhavebeencoyaboutthereasonsIwantedtocommitsomeoftheinitial
patchestotheSELinuxproject.LookingbackatthecodereviewsforthoseAndroidOpen
SourceProject(AOSP)changes,Inowrememberhowmuchresistancetherewasinthe
beginning.Spaceondeviceswasatapremium,anditwasconsideredavictoryifwe
couldsaveafewkilobytes.AndhereweretheSELinuxlibrariesandpoliciesthat
increasedthesystemsizebythirtykilobytes!Theperformanceimpacthadnotevenbeen
measuredatthattime.
TheworkcontinuedunabatedwithSELinuxcontributors,suchasStephenSmalley,
RobertCraig,JoshuaBrindle,andanauthorofthisbook,WilliamRoberts,aswellaswith
thehelpofmycoworkersGeremyCondraandNickKralevichatGoogle.Slowly,through
theherculeaneffortsofeveryoneinvolved,theprojectmaterializedandbecamemoreand
morecomplete.SinceAndroid4.4KitKat,SELinuxisshippedinenforcingmode,andall
Androiduserscanbenefitfromtheaddedprotectionthatitaffords.
Thetaledoesn’tendthere!Now,it’syourturntolearn.Thisbookisthefirstreference
availableforthespecificflavorofSELinuxfoundinAndroid.It’smysincerehopethat
thisbookimpartstheknowledgeyouneedtounderstandandcontributetoitscontinued
development.WilliamRobertshasbeensubmittingcodetoAOSPsincethebeginningof
SELinuxforAndroid,andhisandDr.Confer’sknowledgeiscontainedinthesepages.It’s
uptoyoutoreaditandhelpwritethenextchapterofthissaga.
KennyRoot
MountainView,CA
www.it-ebooks.info
www.it-ebooks.info
AbouttheAuthors
WilliamConferhasbeenengineeringembeddedandmobilesystemssince1997.Hehas
workedforSamsungMobileasamanagingstaffengineerandcurrentlyteachescomputer
scienceatSUNYPolytechnicInstitute.Heholdsapatentinlow-costcharacterrecognition
forextremelyresource-limiteddevicesandhasmultipleotherpatentspendingformobile
technologies.
Mywife,Ása,sacrificedendlesslytohelpgivemethespaceandtimeneededforthis
work,andIowehermorethanIcansay.MythreedaughtersalsoensuredIcouldn’t
alwaysbeworkingonthisbookanddistractedmeinthebestpossibleways.Icouldn’trest
ifIdidn’tthankallmyfall2014studentsfromSUNYPolytechnicInstitutewhoputup
withmewhenIwassidetrackedbythisbook.Finally,andmostimportantly,mygreatest
thanksgoestomycoauthor(andfriend,student,andteacher),WilliamRoberts,without
whomIwouldhavetohavefoundanother.
WilliamRobertsisasoftwareengineerwhoisfocusedonOS-levelsecurityandplatform
enhancements.HeisoneoftheengineerswhofoundedtheSamsungKNOXproductand
anearlyadopterofSEforAndroid.Hehasmadecontributionstoseveralopensource
projects,suchasSEforAndroid,theAndroidOpenSourceProject,theLinuxKernel,
CyanogenMod,andOpenSC.HisrecentinterestshavetakenhimtoSmartCard
technologiesandthevirtualizationofsmartcards.Inhissparetime,heworkswithDr.
ConferontheMiniatproject(http://www.miniat.org),avirtual,embeddedarchitecture
simulator.
IwouldliketothankDr.WilliamConfer,thecoauthor,forhelpingmewritethisbook;his
contributionswereinvaluable.Also,Iwouldliketothankmywifeforsupportingmeand
givingmethetimetodothis,eventhoughwewererenovatingthehouse.Also,Iwould
liketothankmyfamilyandfriendsfortheirencouragementalongtheway.
www.it-ebooks.info
www.it-ebooks.info
AbouttheReviewers
JoshuaBrindleistheCTOandcofounderofQuarkSecurityInc.,acompanyfocusedon
solvingmobileandcross-domainsecurityproblems.Joshuahas12yearsofprofessional
experienceintheareaofdevelopmentforgovernment,academic,andopensource
softwarethatfocusesonsecurityinLinux.Joshuahascontributedtonumerousopen
sourceprojects,bothasaprojectmaintainerandasadeveloper.Hisworkcanbefoundon
allSELinuxsystemsandnearlyallLinuxsystems.Joshua’srecentexperiencefocuseson
buildingsecuremobiledevicesusingtechnologiessuchasSecurityEnhancementsfor
Android,mobiledevice,andapplicationmanagement.
HiromuYakuraisastudentatNadaHighSchool,Japan.Heistheyoungestpersonto
holdthenationalinformationsecurityqualificationfromJapan.Hehasgivenlectures
aboutSEforAndroidatmanyconferences.Heisalsofamiliarwiththesecurity
competition,CapturetheFlag(CTF),andhasparticipatedinDEFCONCTF2014asa
teambinja.
Iwouldliketoexpressmygratitudetomyfamilyfortheirunderstandingandsupport.
www.it-ebooks.info
www.it-ebooks.info
www.PacktPub.com
www.it-ebooks.info
Supportfiles,eBooks,discountoffers,and
more
Forsupportfilesanddownloadsrelatedtoyourbook,pleasevisitwww.PacktPub.com.
DidyouknowthatPacktofferseBookversionsofeverybookpublished,withPDFand
ePubfilesavailable?YoucanupgradetotheeBookversionatwww.PacktPub.comandas
aprintbookcustomer,youareentitledtoadiscountontheeBookcopy.Getintouchwith
usat<[email protected]>formoredetails.
Atwww.PacktPub.com,youcanalsoreadacollectionoffreetechnicalarticles,signup
forarangeoffreenewslettersandreceiveexclusivediscountsandoffersonPacktbooks
andeBooks.
https://www2.packtpub.com/books/subscription/packtlib
DoyouneedinstantsolutionstoyourITquestions?PacktLibisPackt’sonlinedigital
booklibrary.Here,youcansearch,access,andreadPackt’sentirelibraryofbooks.
www.it-ebooks.info
Whysubscribe?
FullysearchableacrosseverybookpublishedbyPackt
Copyandpaste,print,andbookmarkcontent
Ondemandandaccessibleviaawebbrowser
www.it-ebooks.info
FreeaccessforPacktaccountholders
IfyouhaveanaccountwithPacktatwww.PacktPub.com,youcanusethistoaccess
PacktLibtodayandview9entirelyfreebooks.Simplyuseyourlogincredentialsfor
immediateaccess.
www.it-ebooks.info
www.it-ebooks.info
Preface
ThisbookintroducestheSecurityEnhancements(SE)forAndroidopensourceproject
andwalksyouthroughtheprocessofsecuringnewembeddedsystemswithSEfor
Android.Toourknowledge,thisbookisthefirstsourcetodocumentsuchaprocessinits
entiretysothatstudents,DIYhobbyists,andengineerscancreatecustomsystemssecured
bySEforAndroid.Generally,onlyoriginalequipmentmanufacturers(OEMs)dothis,and
quitecommonly,thetargetdeviceisaphoneortablet.Wetrulyhopeourbookwillchange
that,engagingawideaudienceindevelopmentsotheycanuseandunderstandthese
modernsecuritytools.
Weworkedveryhardtoensurethistextisnotjustastep-by-steptechnologybook.
Specifically,we’vechosenamodelthatdirectsyoutofailyourwaytosuccess.Youwill
firstgainappropriatetheoreticalunderstandingofhowsecurityisgainedandenforced.
Thenwewillintroduceasystemthathasneverbeensecuredthatway(notevenbyus,
priortowritingthisbook).Next,we’llguideyouthroughallourintelligentguesswork,
embracingunexpectedfailuresforthenewlyfoundidiosyncrasiestheyexpose,and
eventuallyenforcingourcustomsecuritypolicies.Itrequiresyoutolearntoresolve
differencesbetweenmajoropensourceprojectssuchasSELinux,SEforAndroid,and
GoogleAndroid,eachofwhichhasindependentgoalsanddeploymentschedules.This
preparesyoutosecureotherdevices,theprocessforwhichisalwaysdifferent,but
hopefully,willnowbemoreaccessible.
www.it-ebooks.info
Whatthisbookcovers
Chapter1,LinuxAccessControls,discussesthebasicsofDiscretionaryAccessControl
(DAC),howsomeAndroidexploitsleverageDACproblems,anddemonstratetheneed
formorerobustsolutions.
Chapter2,MandatoryAccessControlsandSELinux,examinesMandatoryAccessControl
(MAC)anditsmanifestationinSELinux.Thischapteralsoexplorestangiblepolicyto
controlSELinuxobjectinteraction.
Chapter3,AndroidIsWeird,introducestheAndroidsecuritymodelandinvestigates
binder,zygote,andthepropertyservice.
Chapter4,InstallationontheUDOO,walksthroughbuildinganddeployingAndroid
fromsourcetotheUDOO-embeddedboardandturnsonSELinuxsupport.
Chapter5,BootingtheSystem,followsthebootprocessfromthepolicyloading
perspectiveandcorrectsissuestogetSELinuxtoausablestateontheUDOO.
Chapter6,ExploringSELinuxFS,examinestheSELinuxFSfilesystemandhowitprovides
thekernel-to-userspaceinterfaceforhigher-levelidioms.
Chapter7,UtilizingAuditLogs,investigatestheauditsubsystem,revealinghowto
interpretSELinuxauditlogsforthebenefitofpolicywriting.
Chapter8,ApplyingContextstoFiles,teachesyouhowfilesystemsandfilesystemobjects
gettheirlabelsandcontexts,demonstratingtechniquestochangethem,includingdynamic
typetransitions.
Chapter9,AddingServicestoDomains,emphasizesprocesslabeling,notablytheAndroid
servicesrunandmanagedbyinit.
Chapter10,PlacingApplicationsinDomains,showsyouhowtoproperlylabeltheprivate
datadirectoriesofapplications,aswellasapplicationruntimecontextsviaconfiguration
filesandSELinuxpolicy.
Chapter11,LabelingProperties,demonstrateshowtocreateandlabelnewandexisting
properties,andsomeoftheanomaliesthatoccurwhendoingso.
Chapter12,MasteringtheToolChain,covershowthevariouscomponentsthatcontrol
policyonthedeviceareactuallybuiltandcreated.ThischapterreviewstheAndroid.mk
components,detailinghowtheheartofthebuildandconfigurationmanagementworks.
Chapter13,GettingtoEnforcingMode,utilizesalltheskillsyoulearnedintheearlier
chapterstorespondtoauditlogsfromCTSandgettheUDOOinenforcingmode.
Appendix,TheDevelopmentEnvironment,walksyouthroughthenecessarystepsof
settingupaLinuxenvironmentsuitableforyoutofollowalltheactivitiesinthisbook.
www.it-ebooks.info
www.it-ebooks.info
Whatyouneedforthisbook
Hardwarerequirementsinclude:
AUDOO-embeddeddevelopmentboard
An8GBMiniSDcard(whileyoucanuseacardwithgreatercapacity,wedonot
recommendedit)
Aminimumof16GBofRAM
Atleast80GBoffreeharddrivespace
Softwarerequirementsinclude:
AnUbuntu12.04LTSdesktopsystem
OracleJDK6.0version6u45
SomeadditionalmiscellaneousLinuxsoftwareisrequired,butthesearedescribedin
thebookandareavailableforfree.
www.it-ebooks.info
www.it-ebooks.info
Whothisbookisfor
Thisbookisintendedfordevelopersandengineerswhoaresomewhatfamiliarwith
operatingsystemconceptsasimplementedbyLinux.Theycouldbehobbyistswantingto
securetheirAndroid-poweredcreations,OEMengineersbuildinghandsets,orengineers
fromemergingareaswhereAndroidisseeinggrowth.AbasicbackgroundinC
programmingwillbehelpful.
www.it-ebooks.info
www.it-ebooks.info
Conventions
Inthisbook,youwillfindanumberoftextstylesthatdistinguishbetweendifferentkinds
ofinformation.Herearesomeexamplesofthesestylesandexplanationsoftheir
meanings.
Codewordsintext,databasetablenames,foldernames,filenames,fileextensions,
pathnames,dummyURLs,userinput,andTwitterhandlesareshownasfollows:“Now
let’sattempttoexecutethehello.txtfileandseewhathappens.”
Ablockofcodeissetasfollows:
caseINTERFACE_TRANSACTION:
{
reply.writeString(DESCRIPTOR);
returntrue;
}
Anycommand-lineinputoroutputiswrittenasfollows:
$sutestuser
Password:
testuser@ubuntu:/home/bookuser$
Newtermsandimportantwordsareshowninbold.Wordsthatyouseeonthescreen,
forexample,inmenusordialogboxes,appearinthetextlikethis:“Exittheconfiguration
menusbyselectingExituntilyouareaskedtosaveyournewconfiguration.”
Note
Warningsorimportantnotesappearinaboxlikethis.
Tip
Tipsandtricksappearlikethis.
www.it-ebooks.info
www.it-ebooks.info
Readerfeedback
Feedbackfromourreadersisalwayswelcome.Letusknowwhatyouthinkaboutthis
book—whatyoulikedordisliked.Readerfeedbackisimportantforusasithelpsus
developtitlesthatyouwillreallygetthemostoutof.
Tosendusgeneralfeedback,simplye-mail<[email protected]>,andmentionthe
book’stitleinthesubjectofyourmessage.
Ifthereisatopicthatyouhaveexpertiseinandyouareinterestedineitherwritingor
contributingtoabook,seeourauthorguideatwww.packtpub.com/authors.
www.it-ebooks.info
www.it-ebooks.info
Customersupport
NowthatyouaretheproudownerofaPacktbook,wehaveanumberofthingstohelp
youtogetthemostfromyourpurchase.
www.it-ebooks.info
Downloadingtheexamplecode
Youcandownloadtheexamplecodefilesfromyouraccountathttp://www.packtpub.com
forallthePacktPublishingbooksyouhavepurchased.Ifyoupurchasedthisbook
elsewhere,youcanvisithttp://www.packtpub.com/supportandregistertohavethefilesemaileddirectlytoyou.
www.it-ebooks.info
Errata
Althoughwehavetakeneverycaretoensuretheaccuracyofourcontent,mistakesdo
happen.Ifyoufindamistakeinoneofourbooks—maybeamistakeinthetextorthe
code—wewouldbegratefulifyoucouldreportthistous.Bydoingso,youcansaveother
readersfromfrustrationandhelpusimprovesubsequentversionsofthisbook.Ifyoufind
anyerrata,pleasereportthembyvisitinghttp://www.packtpub.com/submit-errata,
selectingyourbook,clickingontheErrataSubmissionFormlink,andenteringthe
detailsofyourerrata.Onceyourerrataareverified,yoursubmissionwillbeacceptedand
theerratawillbeuploadedtoourwebsiteoraddedtoanylistofexistingerrataunderthe
Erratasectionofthattitle.
Toviewthepreviouslysubmittederrata,goto
https://www.packtpub.com/books/content/supportandenterthenameofthebookinthe
searchfield.TherequiredinformationwillappearundertheErratasection.
www.it-ebooks.info
Piracy
PiracyofcopyrightedmaterialontheInternetisanongoingproblemacrossallmedia.At
Packt,wetaketheprotectionofourcopyrightandlicensesveryseriously.Ifyoucome
acrossanyillegalcopiesofourworksinanyformontheInternet,pleaseprovideuswith
thelocationaddressorwebsitenameimmediatelysothatwecanpursuearemedy.
Pleasecontactusat<[email protected]>withalinktothesuspectedpirated
material.
Weappreciateyourhelpinprotectingourauthorsandourabilitytobringyouvaluable
content.
www.it-ebooks.info
Questions
Ifyouhaveaproblemwithanyaspectofthisbook,youcancontactusat
<[email protected]>,andwewilldoourbesttoaddresstheproblem.
www.it-ebooks.info
www.it-ebooks.info
Chapter1.LinuxAccessControls
Androidisanoperatingsystemcomposedoftwodistinctcomponents.Thefirst
componentisaforkedmainlineLinuxkernelandsharesalmosteverythingincommon
withLinux.Thesecondcomponent,whichwillbediscussedlater,istheuserspace
portion,whichisverycustomandAndroidspecific.SincetheLinuxkernelunderpinsthis
systemandisresponsibleforthemajorityofaccesscontroldecisions,itisthelogical
placetobeginadetailedlookatAndroid.
Inthischapterwewill:
ExaminethebasicsofDiscretionaryAccessControl
IntroduceLinuxpermissionsflagsandcapabilities
Tracesyscallsaswevalidateaccesspolicies
Makethecaseformorerobustaccesscontroltechnology
DiscussAndroidexploitsthatleverageproblemswithDiscretionaryAccessControl
Linux’sdefaultandfamiliaraccesscontrolmechanismiscalledDiscretionaryAccess
Control(DAC).Thisisjustatermthatmeanspermissionsregardingaccesstoanobject
areatthediscretionofitscreator/owner.
InLinux,whenaprocessinvokesmostsystemcalls,apermissioncheckisperformed.As
anexample,aprocesswishingtoopenafilewouldinvoketheopen()syscall.Whenthis
syscallisinvoked,acontextswitchisperformed,andtheoperatingsystemcodeis
executed.TheOShastheabilitytodeterminewhetherafiledescriptorshouldbereturned
totherequestingprocessornot.Duringthisdecision-makingprocess,theOSchecksthe
accesspermissionsofboththerequestingprocessandthetargetfileitwishestoobtainthe
filedescriptorto.EitherthefiledescriptororEPERMisreturned,dependentonwhether
thepermissioncheckspassorfailrespectively.
Linuxmaintainsdatastructuresinthekernelformanagingthesepermissionfields,which
areaccessiblefromuserspace,andonesthatshouldbefamiliartoLinuxand*NIXusers
alike.Thefirstsetofaccesscontrolmetadatabelongstotheprocess,andformsaportion
ofitscredentialset.Thecommoncredentialsareuserandgroup.Ingeneral,weusethe
termgrouptomeanbothprimarygroupandpossiblesecondarygroup(s).Youcanview
thesepermissionsbyrunningthepscommand:
$ps-eopid,comm,user,group,supgrp
PIDCOMMANDUSERGROUPSUPGRP
1initrootroot...
2993system-service-rootrootroot
3276chromium-browsebookusersudofusebookuser
...
Asyoucansee,wehaveprocessesrunningastheusersrootandbookuser.Youcanalso
seethattheirprimarygroupisonlyonepartoftheequation.Processesalsohavea
secondarysetofgroupscalledsupplementarygroups.Thissetmightbeempty,indicated
bythedashintheSUPGRPfield.
www.it-ebooks.info
Thefilewewishtoopen,referredtoasthetargetobject,target,orobjectalsomaintainsa
setofpermissions.TheobjectmaintainsUSERandGROUP,aswellasasetofpermission
bits.Inthecontextofthetargetobject,USERcanbereferredtoasownerorcreator.
$ls-la
total296
drwxr-xr-x38bookuserbookuser4096Aug2311:08.
drwxr-xr-x3rootroot4096Jun818:50..
-rw-rw-r--1bookuserbookuser116Jul2213:13a.c
drwxrwxr-x4bookuserbookuser4096Aug416:20.android
-rw-rw-r--1bookuserbookuser130Jun1917:51.apport-ignore.xml
-rw-rw-r--1bookuserbookuser365Jun2319:44hello.txt
-rw-------1bookuserbookuser19276Aug416:36.bash_history
...
Ifwelookattheprecedingcommand’soutput,wecanseethathello.txthasaUSERof
bookuserandGROUPasbookuser.Wecanalsoseethepermissionbitsorflagsonthelefthandsideoftheoutput.Therearesevenfieldstoconsideraswell.Eachemptyfieldis
denotedwithadash.Whenprintedwithls,thefirstfieldscangetconvolutedby
semantics.Forthisreason,let’susestattoinvestigatethefilepermissions:
$stathello.txt
File:`hello.txt'
Size:365Blocks:8IOBlock:4096regularfile
Device:801h/2049dInode:1587858Links:1
Access:(0664/-rw-rw-r--)Uid:(1000/bookuser)Gid:(1000/bookuser)
Access:2014-08-0415:53:01.951024557-0700
Modify:2014-06-2319:44:14.308741592-0700
Change:2014-06-2319:44:14.308741592-0700
Birth:-
Thefirstaccesslineisthemostcompelling.Itcontainsalltheimportantinformationfor
theaccesscontrols.Thesecondlineisjustatimestamplettingusknowwhenthefilewas
lastaccessed.Aswecansee,USERorUIDoftheobjectisbookuser,andGROUPis
bookuseraswell.Thepermissionflags,(0664/-rw-rw-r--),identifythetwowaysthat
permissionflagsarerepresented.Thefirst,theoctalform0664,condenseseachthree-flag
fieldintooneofthethreebase-8(octal)digits.Thesecondisthefriendlyform,-rw-rw-r-,equivalenttotheoctalformbuteasiertointerpretvisually.Ineithercase,wecanseethe
leftmostfieldis0,andtherestofourdiscussionswillignoreit.Thatfieldisforsetuid
andsetgidcapabilities,whichisnotimportantforthisdiscussion.Ifweconvertthe
remainingoctaldigits,664,tobinary,weget110110100.Thisbinaryrepresentation
directlyrelatestothefriendlyform.Eachtriplemapstoread,write,andexecute
permissions.OftenyouwillseethispermissiontriplerepresentedasRWX.Thefirsttriple
arethepermissionsgiventoUSER,thesecondarethepermissionsgiventoGROUP,andthe
thirdiswhatisgiventoOTHERS.TranslatingtoconventionalEnglishwouldyield,“The
user,bookuser,haspermissiontoreadfromandwritetohello.txt.Thegroup,
bookuser,haspermissiontoreadfromandwritetohello.txt,andeveryoneelsehas
permissiononlytoreadfromhello.txt.”Let’stestthiswithsomereal-worldexamples.
www.it-ebooks.info
Changingpermissionbits
Let’stesttheaccesscontrolsintheexamplerunningprocessesasuserbookuser.Most
processesruninthecontextoftheuserthatinvokedthem(excludingsetuidandgetuid
programs),soanycommandweinvokeshouldinheritouruser’spermissions.Wecan
viewitbyissuing:
$groupsbookuser
bookuser:bookusersudofuse
Myuser,bookuser,isUSERbookuser,GROUPbookuserandSUPGRPsudoandfuse.
Totestforreadaccess,wecanusethecatcommand,whichopensthefileandprintsits
contenttostdout:
$cathello.txt
Hello,"ExploringSEforAndroid"
Hereisasimpletextfilefor
yourenjoyment.
...
Wecanintrospectthesyscallsexecutedbyrunningthestracecommandandviewingthe
output:
$stracecathello.txt
...
open("hello.txt",O_RDONLY)=3
...
read(3,"Hello,\"ExploringSEforAndroid\"\n"...,32768)=365
...
Theoutputcanbequiteverbose,soIamonlyshowingtherelevantparts.Wecanseethat
catinvokedtheopensyscallandobtainedthefiledescriptor3.Wecanusethatdescriptor
tofindotheraccessesviaothersyscalls.Laterwewillseeareadoccurringonfile
descriptor3,whichreturns365,thenumberofbytesread.Ifwedidn’thavepermissionto
readfromhello.txt,theopenwouldfail,andwewouldneverhaveavalidfiledescriptor
forthefile.Wewouldadditionallyseethefailureinthestraceoutput.
Nowthatreadpermissionisverified,let’strywrite.Onesimplewaytodothisistowritea
simpleprogramthatwritessomethingtotheexistingfile.Inthiscase,wewillwritethe
linemynewtext\n(refertowrite.c.)
Compiletheprogramusingthefollowingcommand:
$gcc-omywritewrite.c
Nowrunusingthenewlycompiledprogram:
$strace./mywritehello.txt
Onverification,youwillsee:
...
open("hello.txt",O_WRONLY)=3
www.it-ebooks.info
write(3,"mynewtext\n",12)=12
...
Asyoucansee,thewritesucceededandreturned12,thenumberofbyteswrittento
hello.txt.Noerrorswerereported,sothepermissionsseeminchecksofar.
Nowlet’sattempttoexecutehello.txtandseewhathappens.Weareexpectingtoseean
error.Let’sexecuteitlikeanormalcommand:
$./hello.txt
bash:./hello.txt:Permissiondenied
Thisisexactlywhatweexpected,butlet’sinvokeitwithstracetogainadeeper
understandingofwhatfailed:
$strace./hello.txt
...
execve("./hello.txt",["./hello.txt"],[/*39vars*/])=-1EACCES
(Permissiondenied)
...
Theexecvesystemcall,whichlaunchesprocesses,failedwithEACCESS.Thisisjustthe
sortofthingonewouldhopeforwhennoexecutepermissionisgiven.TheLinuxaccess
controlsworkedasexpected!
Let’stesttheaccesscontrolsinthecontextofanotheruser.First,we’llcreateanewuser
calledtestuserusingtheaddusercommand:
$sudoaddusertestuser
[sudo]passwordforbookuser:
Addinguser`testuser'...
Addingnewgroup`testuser'(1001)...
Addingnewuser`testuser'(1001)withgroup`testuser'...
Creatinghomedirectory`/home/testuser'...
...
VerifytheUSER,GROUP,andSUPGRPoftestuser:
$groupstestuser
testuser:testuser
SincetheUSERandGROUPdonotmatchanyofthepermissionsona.S,allaccesseswillbe
subjecttotheOTHERSpermissionschecks,whichifyourecall,isreadonly(0664).
Startbytemporarilyworkingastestuser:
$sutestuser
Password:
testuser@ubuntu:/home/bookuser$
Asyoucansee,wearestillinbookuser’shomedirectory,butthecurrentuserhasbeen
changedtotestuser.
Wewillstartbytestingreadwiththecatcommand:
$stracecathello.txt
...
www.it-ebooks.info
open("hello.txt",O_RDONLY)=3
...
read(3,"mynewtext\n",32768)=12
...
Similartotheearlierexample,testusercanreadthedatajustfine,asexpected.
Nowlet’smoveontowrite.Theexpectationisthatthiswillfailwithoutappropriate
access:
$strace./mywritehello.txt
...
open("hello.txt",O_WRONLY)=-1EACCES(Permission
denied)
...
Asexpected,thesyscalloperationfailed.Whenweattempttoexecutehello.txtas
testuser,thisshouldfailaswell:
$strace./hello.txt
...
execve("./hello.txt",["./hello.txt"],[/*40vars*/])=-1EACCES
(Permissiondenied)
...
Nowweneedtotestthegroupaccesspermissions.Wecandothisbyaddinga
supplementarygrouptotestuser.Todothis,weneedtoexittobookuser,whohas
permissionstoexecutethesudocommand:
$exit
exit
$sudousermod-Gbookusertestuser
Nowlet’scheckthegroupsoftestuser:
$groupstestuser
testuser:testuserbookuser
Asaresultoftheprevioususermodcommandtestusernowbelongstotwogroups:
testuserandbookuser.Thatmeanswhentestuseraccessesafileorotherobject(such
asasocket)withthegroupbookuser,theGROUPpermissions,ratherthanOTHERS,will
applytoit.Inthecontextofhello.txt,testusercannowreadfromandwritetothefile,
butnotexecuteit.
Switchtotestuserbyexecutingthefollowingcommand:
$sutestuser
Testreadbyexecutingthefollowingcommand:
$stracecat./hello.txt
...
open("./hello.txt",O_RDONLY)=3
...
read(3,"mynewtext\n",32768)=12
...
www.it-ebooks.info
Asbefore,testuserisabletoreadthefile.Theonlydifferenceisthatitcannowreadthe
filethroughtheaccesspermissionsofOTHERSandGROUP.
Testwritebyexecutingthefollowingcommand:
$strace./mywritehello.txt
...
open("hello.txt",O_WRONLY)=3
write(3,"mynewtext\n",12)=12
...
Thistime,testuserwasabletowritethefileaswell,insteadoffailingwiththeEACCESS
permissionerrorshownbefore.
Attemptingtoexecutethefileshouldstillfail:
$strace./hello.txt
execve("./hello.txt",["./hello.txt"],[/*40vars*/])=-1EACCES
(Permissiondenied)
...
TheseconceptsarethefoundationofLinuxaccesscontrolpermissionbits,usersand
groups.
www.it-ebooks.info
www.it-ebooks.info
Changingownersandgroups
Usinghello.txtforexploratoryworkintheprevioussections,wehaveshownhowthe
ownerofanobjectcanallowvariousformsofaccessbymanagingthepermissionbitsof
theobject.Changingthepermissionsisaccomplishedusingthechmodsyscall.Changing
theuserand/orgroupisdonewiththechownsyscall.Inthissection,wewillinvestigate
thedetailsoftheseoperationsinaction.
Let’sstartbygrantingreadandwritepermissionsonlytotheownerofhello.txtfile,
bookuser.
$chmod0600hello.txt
$stathello.txt
File:`hello.txt'
Size:12Blocks:8IOBlock:4096regularfile
Device:801h/2049dInode:1587858Links:1
Access:(0600/-rw-------)Uid:(1000/bookuser)Gid:(1000/bookuser)
Access:2014-08-2312:34:30.147146826-0700
Modify:2014-08-2312:47:19.123113845-0700
Change:2014-08-2312:59:04.275083602-0700
Birth:-
Aswecansee,thefilepermissionsarenowsettoonlyallowreadandwriteaccessfor
bookuser.Athoroughreadercouldexecutethecommandsfromearliersectionsinthis
chaptertoverifythatpermissionsworkasexpected.
Changingthegroupcanbedoneinasimilarfashionwithchown.Let’schangethegroupto
testuser:
$chownbookuser:testuserhello.txt
chown:changingownershipof`hello.txt':Operationnotpermitted
Thisdidnotworkasweintended,butwhatistheissue?InLinux,onlyprivileged
processescanchangetheUSERandGROUPfieldsofobjects.TheinitialUSERandGROUP
fieldsaresetduringobjectcreationfromtheeffectiveUSERandGROUP,whicharechecked
whenattemptingtoexecutethatprocess.Onlyprocessescreateobjects.Privileged
processescomeintwoforms:thoserunningasthealmightyrootandthosethathavetheir
capabilitiesset.Wewilldiveintothedetailsofcapabilitieslater.Fornow,let’sfocuson
theroot.
Let’schangetheusertoroottoensureexecutingthechowncommandwillchangethe
groupofthatobject:
$sudosu
#chownbookuser:testuserhello.txt
Now,wecanverifythechangeoccurredsuccessfully:
#stathello.txt
File:`hello.txt'
Size:12Blocks:8IOBlock:4096regularfile
Device:801h/2049dInode:1587858Links:1
Access:(0600/-rw-------)Uid:(1000/bookuser)Gid:(1001/testuser)
Access:2014-08-2312:34:30.147146826-0700
www.it-ebooks.info
Modify:2014-08-2312:47:19.123113845-0700
Change:2014-08-2313:08:46.059058649-0700
Birth:-
www.it-ebooks.info
www.it-ebooks.info
Thecaseformore
YoucanseetheGROUP(GID)isnowtestuser,andthingsseemreasonablysecurebecause
inordertochangetheuserandgroupofanobject,youneedtobeprivileged.Youcanonly
changethepermissionbitsonanobjectifyouownit,withtheexceptionoftherootuser.
Thismeansthatifyou’rerunningasroot,youcandowhateveryouliketothesystem,
evenwithoutpermission.Thisabsoluteauthorityiswhyasuccessfulattackoranerroron
arootrunningprocesscancausegravedamagetothesystem.Also,asuccessfulattackon
anon-rootprocesscouldalsocausedamagebyinadvertentlychangingthepermissions
bits.Forexample,supposethereisanunintendedchmod0666commandonyourSSH
privatekey.Thiswouldexposeyoursecretkeytoallusersonthesystem,whichisalmost
certainlysomethingyouwouldneverwanttohappen.Therootlimitationispartially
addressedbythecapabilitiesmodel.
www.it-ebooks.info
www.it-ebooks.info
Capabilitiesmodel
FormanyoperationsonLinux,theobjectpermissionmodeldoesn’tquitefit.Forinstance,
changingUIDandGIDrequiressomemagicalUSERknownasroot.Supposeyouhavea
longrunningservicethatneedstoutilizesomeofthesecapabilities.Perhapsthisservice
listenstokerneleventsandcreatesthedevicenodesforyou?Suchaserviceexists,andit’s
calledueventdorusereventdaemon.Thisdaemontraditionallyrunsasroot,which
meansifitiscompromised,itcouldpotentiallyreadyourprivatekeysfromyourhome
directoryandsendthembacktotheattacker.Thismightbeanextraordinaryexample,but
it’smeanttoshowcasethatrunningprocessesasrootcanbedangerous.Supposeyou
couldstartaserviceastherootuserandhavetheprocesschangeitsUIDandGIDto
somethingnotprivileged,butretainsomesmallersetofprivilegedcapabilitiestodoits
job?ThisisexactlywhatthecapabilitiesmodelinLinuxis.
ThecapabilitiesmodelinLinuxisanattempttobreakdownthesetofpermissionsthat
roothasintosmallersubsets.Thisway,processescanbeconfinedtothesetofminimum
privilegestheyneedtoperformtheirintendedfunction.Thisisknownasleastprivilege,a
keyideologywhensecuringsystemsthatminimizestheamountofdamageasuccessful
attackcando.Insomeinstances,itcanevenpreventasuccessfulattackfromoccurringby
blockinganotherwiseopenattackvector.
Therearemanycapabilities.Themanpageforcapabilitiesisthedefactodocumentation.
Let’stakealookattheCAP_SYS_BOOTcapability:
$mancapabilities
...
CAP_SYS_BOOT
Usereboot(2)andkexec_load(2).
Thismeansaprocessrunningwiththiscapabilitycanrebootthesystem.However,that
processcan’tarbitrarilychangeUSERSandGROUPasitcouldifitwasrunningasrootor
withCAP_DAC_READ_SEARCH.Thislimitswhatanattackercando:
<FROMMANPAGE>
CAP_DAC_READ_SEARCH
Bypassfilereadpermissionchecksanddirectoryreadandexecute
permissionchecks.
NowsupposethecasewhereourrestartprocessrunswithCAP_CHOWN.Let’ssayitusesthis
capabilitytoensurethatwhenarestartrequestisreceived,itbacksupafilefromeach
user’shomedirectorytoaserverbeforerestarting.Let’ssaythisfileis~/backup,the
permissionsare0600,andUSERandGROUParetherespectiveuserofthathomedirectory.
Inthiscase,wehaveminimizedthepermissionsasbestwecan,buttheprocesscouldstill
accesstheusersSSHkeysanduploadthoseeitherbyerrororattack.Anotherapproachto
thiswouldbetosetthegrouptobackupandruntheprocesswithGROUPbackup.
However,thishaslimitations.Supposeyouwanttosharethisfilewithanotheruser.That
userwouldrequireasupplementarygroupofbackup,butnowtheusercanreadallofthe
backupfiles,notjusttheonesintended.Anastutereadermightthinkaboutthebind
www.it-ebooks.info
mounts,howevertheprocessdoingthebindmountsandfilepermissionsalsorunswith
somecapability,andthussuffersfromthisgranularityproblemaswell.
Themajorissue,andthecaseforanotheraccesscontrolsystemcanbesummarizedbyone
word,granularity.TheDACmodeldoesn’thavethegranularityrequiredtosafelyhandle
complexaccesscontrolmodelsortominimizetheamountofdamageaprocesscando.
ThisisparticularlyimportantonAndroid,wheretheentireisolationsystemisdependent
onthiscontrol,andaroguerootprocesscancompromisethewholesystem.
www.it-ebooks.info
www.it-ebooks.info
Android’suseofDAC
IntheAndroidsandboxmodel,everyapplicationrunsasitsownUID.Thismeansthat
eachappcanseparateitsstoreddatafromoneanother.Theuserandgrouparesettothe
UIDandGIDofthatapplication,sonoappcanaccesstheprivatefilesofanapplication
withouttheapplicationexplicitlyperformingchmodonitsobjects.Also,applicationsin
Androidcannothavecapabilities,sowedon’thavetoworryaboutcapabilitiessuchas
CAP_SYS_PTRACE,whichistheabilitytodebuganotherapplication.InAndroid,ina
perfectworld,onlysystemcomponentsrunwithprivileges,andapplicationsdon’t
accidentallychmodprivatefilesforalltoread.Thisissuewasnotcorrectedbythecurrent
AOSPSELinuxpolicyduetoappcompatibility,butcouldbeclosedwithSELinux.The
properwaytosharedatabetweenapplicationsonAndroidisviabinder,andsharingfile
descriptors.Forsmalleramountsofdata,theprovidermodelsuffices.
www.it-ebooks.info
www.it-ebooks.info
GlancingatAndroidvulnerabilities
WithournewlyfoundunderstandingoftheDACpermissionmodelandsomeofits
limitations,let’slookatsomeAndroidexploitsagainstit.Wewillcoveronlyafew
exploitstounderstandhowtheDACmodelfailed.
www.it-ebooks.info
Skypevulnerability
CVE-2011-1717wasreleasedin2011.Inthisexploit,theSkypeapplicationleftaSQLite3
databaseworldreadable(somethinganalogousto0666permissions).Thisdatabase
containedusernamesandchatlogs,andpersonaldatasuchasnameande-mail.An
applicationcalledSkypwnedwasabletodemonstratethiscapability.Thisisanexample
ofhowbeingabletochangethepermissionsonyourobjectscouldbebad,especially
whenthecaseopensREADtoOTHERS.
www.it-ebooks.info
GingerBreak
CVE-2011-1823showcasesarootattackonAndroid.Thevolumemanagementdaemon
(vold)onAndroidisresponsibleforthemountingandunmountingoftheexternalSD
card.ThedaemonlistensformessagesoveraNETLINKsocket.Thedaemonnever
checkedwherethemessagesweresourcedfrom,andanyapplicationcouldopenand
createaNETLINKsockettosendmessagestovold.Oncetheattackeropenedthe
NETLINKsocket,theysentaverycarefullycraftedmessagetobypassasanitycheck.
Thechecktestedasignedintegerforamaximumbound,butnevercheckeditfor
negativity.Itwasthenusedtoindexanarray.Thisnegativeaccesswouldleadtomemory
corruptionand,withapropermessage,couldresultintheexecutionofarbitrarycode.The
GingerBreakimplementationresultedinanarbitraryusergainingrootprivileges,a
textbookprivilegeexecutionattack.Oncerooted,thedevice’ssandboxeswerenolonger
valid.
www.it-ebooks.info
Rageagainstthecage
CVE-2010-EASYisasetuidexhaustionviaforkbombattack.Itsuccessfullyattacksthe
adbdaemononAndroid,whichstartslifeasrootanddowngradesitspermissionsifrootis
notneeded.Thisattackkeepsadbasrootandreturnsarootshelltotheuser.InLinux
kernel2.6,thesetuidsystemcallreturnsanerrorwhenthenumberofrunningprocesses
RLIMIT_NPROCismet.Theadbdaemoncodedoesnotcheckthereturnofsetuid,which
leavesasmallracewindowopenfortheattacker.Theattackerneedstoforkenough
processestoreachRLIMIT_NPROCandthenkillthedaemon.Theadbdaemondowngrades
toshellUIDandtheattackerrunstheprogramasshellUSER,thusthekillwillwork.Atthis
point,theadbserviceisrespawned,andifRLIMIT_NPROCismaxedout,setuidwillfail
andadbwillstayrunningasroot.Then,runningadbshellfromahostreturnsaniceroot
shelltotheuser.
www.it-ebooks.info
MotoChopper
CVE-2013-2596isavulnerabilityinthemmapfunctionalityofaQualcommvideodriver.
AccesstotheGPUisprovidedbyappstodoadvancedgraphicsrenderingsuchasinthe
caseofOpenGLcalls.Thevulnerabilityinmmapallowstheattackertommapkerneladdress
space,atwhichpointtheattackerisabletodirectlychangetheirkernelcredential
structure.ThisexploitisanexamplewheretheDACmodelwasnotatfault.Inreality,
outsideofpatchingthecodeorremovingdirectgraphicsaccess,nothingbutprogramming
checksofthemmapboundscouldhavepreventedthisattack.
www.it-ebooks.info
www.it-ebooks.info
Summary
TheDACmodelisextremelypowerful,butitslackoffinegranularityanduseofan
extraordinarilypowerfulrootuserleavessomethingtobedesired.Withtheincreasing
sensitivityofmobilehandsetuse,thecasetoincreasethesecurityofthesystemiswellfounded.Thankfully,AndroidisbuiltonLinuxandthusbenefitsfromalargeecosystem
ofengineersandresearchers.SincetheLinuxKernel2.6,anewaccesscontrolmodel
calledMandatoryAccessControls(MAC)wasadded.Thisisaframeworkbywhich
modulescanbeloadedintothekerneltoprovideanewformofaccesscontrolmodel.The
veryfirstmodulewascalledSELinux.ItisusedbyRedHatandotherstosecuresensitive
governmentsystems.Thus,asolutionwasfoundtoenablesuchaccesscontrolsfor
Android.
www.it-ebooks.info
www.it-ebooks.info
Chapter2.MandatoryAccessControls
andSELinux
InChapter1,LinuxAccessControls,weintroducedsomeoftheshortcomingsofa
discretionaryaccesscontrolsystem.Inthesesystems,theownerofanobjecthasfull
controloveritspermissionsflagsandcandemonstrategreatercapabilities(forexample,
theabilitytochown)whenexecutingasrootorwithcertaincapabilities.Inthischapter,
wewill:
ExaminethefundamentalsofMAC
IntroducesomeindustrydriversforSELinux
Discusslabels,users,roles,andtypes
Exploretheimplementationoftangiblepolicytoallowandconstrainobject
interaction
IdealMACsystemsmaintainthepropertyofprovidingdefinitiveaccesscontrolson
kernelresources,suchasfiles,irrespectiveofanobject’sowner.Forinstance,withaMAC
system,theownerofanobjectmightnothavefullcontrolofitspermissions.InLinux,the
MACframeworkworksorthogonallytothecurrentDACcontrols.Thismeansthatthe
MACcontrolsdonotinterferewiththeDACcontrols.Inotherwords,toavoidpotential
conflictsbetweentheMACandDACsystems,thekernelvalidatesaccessusingtheDAC
permissionsbeforecheckingtheMACpermissions.IftheDACpermissionsresultina
permissionsviolation,thentheMACpermissionsareneverchecked.Thekernelwill
validateaccessagainsttheMACpermissionsprovideronlywhentheDACpermissions
pass.FailureateitherlevelwillresultinareturnofEACCESS.IftheDACandtheMAC
permissionspass,thenthekernelresource(forexample,afiledescriptor)issentbackto
userspace.
InLinux,aframeworkcalledtheLinuxSecurityModule(LSM)frameworkwasmerged
duringtheLinux2.6.xseriesofkernels.Thisframeworkallowsyoutoenablethe
mandatoryaccesscontrolsystemsinabuildtimeselectionbytetheringtheLSMhooksto
thesecurityprovider.SecurityEnhancedLinux(SELinux)isthefirstconsumerofthis
MACsecurityframeworkwithinthekernelandisanimplementationofamandatory
accesscontrolsystem.SELinuxshipsinawidevarietyofLinuxsystems,suchasRedHat
EnterpriseLinux(RHEL)andconsequentlyFedora.Recently,ithasbegunshipping
withAndroid.ThesourcecodeforSELinuxcanbefoundintheLinuxsourcecodetree
underkernel/security/selinuxforthosewishingtoreviewit.
www.it-ebooks.info
Gettingbacktothebasics
SELinuxisareimplementationofadesignengineeredbytheU.S.governmentandThe
UniversityofUtahknownastheFLUXAdvancedSecurityKernel(FLASK).The
SELinuxandFLASKarchitectureprovideacentralpolicyfileutilizedwhiledetermining
theresultsofaccesscontroldecisions.Thiscentralpolicyisinawhitelistform.This
meansthatallaccesscontrolrulesmustbedefinedexplicitlybythepolicyfile.This
policyfileisabstractedandservedbyasoftwarecomponentcalledasecurityserver.
WhentheLinuxkernelneedstomakeanaccesscontroldecisionandSELinuxisenabled,
thekernelinteractswiththesecurityserverbymeansoftheLSMhooks.
Inarunningsystem,aprocessistheactiveentitythatgetstimeontheCPUtoperform
tasks.Theusermerelyinvokestheseprocessestodotheworkontheirbehalf.Thisisan
importantconcept.Aswetypethisbook,wetrustthatthewordprocessorsrunningonour
machineswithourcredentialsaren’topeningourSSHkeysandembeddingtheminthe
documentmetadata.Rightnow,theprocessisincontrolofthecomputingresources,not
theuser.Theprocessistherunningentity,itistheprocessthatmakessystemcallstothe
kernelforresources,notthephysicalhumanbeing.Withthisinmind,theveryfirstactor
inthisSELinuxsystemistheprocess,typicallyreferredtoasthesubject.Itisthesubject
thataccessesfiles.Itisthesubjectthatthesecurityserverwillusetomakeaccess
decisionson.
Consequently,thesubjectutilizeskernelresources.Thiskindofkernelresourceisan
exampleofatarget.Thesubjectperformsactionsonthetarget.Naturally,oneshouldask,
“Whatactionsdoesasubjectperform?”Theseareknownasaccessvectorsandtypically
correlatetothenameofthesyscallperformed.Forexample,thesubjectcouldperforman
openonthetarget.Itisimportanttonotethattargetscouldbeprocessesaswell.For
instance,ifthesystemcallisptrace,thesubjectcouldbesomethingalongthelinesofa
debugger,andthetargetwouldbetheprocessyouwishtodebug.Asubjectisfrequentlya
process,butatargetcouldbeaprocess,socket,file,orsomethingelse.
www.it-ebooks.info
www.it-ebooks.info
Labels
SELinuxprovidessemanticsfordescribingpoliciesrelatedtothetargetsandsubjects
usinglabels.Labelsarethemetadataassociatedwithanobjectthatmaintainsthesubject’s
andtarget’saccessinformation.Thedataassociatedwiththisobjectisastring.Returning
tothedebuggerexample,thegdbprocessmighthaveasubjectlabelstringofdebugger,
andthetargetmighthavealabelofdebugee.Theninthesecuritypolicy,somesemantic
couldbeusedtoexpressthatprocesseswiththesubjectlabeldebuggerareallowedto
debugapplicationswithtargetlabeldebugee.
Fortunately,andperhapsunfortunately,SELinuxdoesnotusesuchsimplelabels.Infact,
thelabelsaremadeupoffourcolon-delimitedfields:user,role,type,andlevel.This
additionalcomplexityaffordsveryflexiblecontroloptions.
www.it-ebooks.info
Users
Theveryfirstfieldinalabelidentifiestheuser.Theuserfieldisusedaspartofthedesign
foruser-basedaccesscontrols(UBAC).However,thisisnottypicallyassociatedwith
humanusersasitiswiththeconceptofusersinDAC.SELinuxuserstypicallydefinea
groupoftraditionalusers.Acommonexampleistoidentifyallnormalusersasthe
SELinuxuser,user_u.Perhapsaseparateuserforsystemprocesses,suchassystem_u.By
conventioninthedesktopSELinuxcommunity,userportionsofthestringaresuffixed
witha_u.
www.it-ebooks.info
Roles
Thesecondfieldinalabelisrole.Theroleisusedaspartofthedesignforrole-based
accesscontrols(RBAC).Rolesareusedtoprovideadditionalgranularitytotheuser.For
instance,supposewehavetheuserfield,sysadm_u,reservedforadministrators.The
administratormightbeinseparatetasks,anddependingonthetasks,therole(and
therefore,privileges)ofusersinsysadm_umaychange.Forexample,whenan
administratorneedstomountandunmountfilesystems,therolefieldmightchangeto
mount_admin_r.Whenanadministratorissettingtheiptablesrules,therolemight
changetonet_admin_r.Rolesallowtheisolationofprivilegeswithinthescopeofthe
tasksbeingperformed.
www.it-ebooks.info
Types
Typeisthethirdfieldofthecolon-delimitedlabel.Thetypefieldisevaluatedduringthe
typeenforcement(TE)portionofSELinux’saccesscontrolmodel.TEisthemajor
componentthatdrivesSELinux’ssecuritycapabilities,anditisatthispointwherethe
policystartstotakeeffect.
SELinuxisbasedonawhitelistsystemwhereeverythingisdeniedbydefaultandrequires
explicitapprovalfromthepolicyforaninteractiontooccur.Thisapprovalisinitially
determinedfromthepolicyviaanallowrulethatreferencesboththesubject’sandtarget’s
type.SELinuxtypescanalsobeassignedattributes.Attributesallowyoutogive
numeroustypesacommonsetofrules.Attributescanhelpminimizetheamountoftypes,
andcanbeusedinfashionsimilartothatofaninheritancemodel.
www.it-ebooks.info
www.it-ebooks.info
Accessvectors
Dataisaccessedbyprocessesviasystemcallsandpossibleuserdefinedaccessmethods.
Theuserdefinedaccessmethodsareusuallycontrolledviaauserspaceobjectmanager.
Theseaccesspaths,alsoknownasvectors,makeupasetofactionsthatcanbeappliedto
theobject.Forinstance,ifaprocessopensafile,writessomedataintothefile,andthen
readsitback,theaccessvectorsexercisedwouldbeopen,read,andwrite.Ifaprocess
debugsanotherprocess,theaccessvectorwouldbeptrace.
www.it-ebooks.info
www.it-ebooks.info
Multilevelsecurity
SELinuxalsosupportsamultilevelsecurity(MLS)model,whichpayshomagetothe
Bell-LaPadula(BLP)model,butalternatemodelscouldbeused.TheBLPmodelwas
createdtoformalizetheDepartmentofDefense’ssecuritypolicies.Forexample,aperson
withasecretclearanceshouldnotbeabletoreadtop-secretmaterial.However,let’s
supposethispersonhasabrilliantideathatultimatelyneedstobeprotectedatthetopsecretlevel;thatdatacouldthenbe“up-classified”totop-secret.Thisisreferredtoas“no
readuporwritedown”.
TheSELinuximplementationofthisfieldhassubfields.Thefirstfieldissensitivity,and
willalwaysbepresent.Inthecontextofthepreviousexample,pertinentsensitivities
includesecretandtopsecret.Thesecondsubfieldiscategory,andmightnotbepresent.
Thesefieldsalsomakesenseinthecontextofgovernmentclassification.Thedataitself
mightbecompartmentalized,sowhilethesensitivityisthesame,suchastopsecret,the
datashouldonlybedisseminatedtopeoplewithinthesamecompartmentorcategory.
Sensitivitiesaredefinedinahierarchicalfashionviathedominancekeyword.Inatypical
policy,s0isthelowestsensitivityandsNwheren>0isthehighest.Thus,s1hasa
greatersensitivitythans0.Categoriesaresets.Thecontrolsassociatedwiththelevel,
whichiscomprisedofsensitivitiesandpotentiallycategories,followsettheoryconcepts,
suchasdominanceandequality.InMLSsecurity,allinteractionsareallowedbydefault,
unliketypeenforcement.Boththesensitivityandthecategorycanberanged,and
categoriescanbeenumerated.Thus,alabelmighthavesomenumberofsensitivitiesand
differentnumberofcategories.
www.it-ebooks.info
www.it-ebooks.info
Puttingittogether
SELinuxlabelsarequiteflexibleandsometimescomplex.It’softenbeneficialtostart
withacontrivedexamplethatfocusesontypeenforcement.Later,wecanaddadditional
fieldslaterastheneedforfinergranularitybecomesmoreapparent.Conveniently,youcan
projectthismodeltoscenariosineverydaylifetoprovidesomesenseoftangibilitytothe
material.DanWalsh,aprominentSELinuxfigure,postedablogpostusingpetsasan
analogy.Let’scontinueonwiththatpremise,butwewillmakesomemodificationsaswe
goanddefineourownexamples.It’sbesttostartwithsimpletypeenforcementasitisthe
easiesttounderstand.
Note
YoucanreadDanWalsh’soriginalblogpostintroducingthepetanalogyat
http://opensource.com/business/13/11/selinux-policy-guide.
Supposeweownacatandadog.Wedon’twantthecattoeatdogfood.Wedon’twantthe
dogtoeatcatfood.Atthispoint,wehavealreadyidentifiedtwosubjects,acatandadog,
andtwotargets,catfoodanddogfood.Wealsohaveidentifiedanaccessvector,eating.
Wecanuseallowrulestoimplementourpolicy.Possiblerulescouldlooklikethis:
allowcatcat_chow:foodeat;
allowdogdog_chow:foodeat;
Let’susethisexampletostartanddefineabasicsyntaxforexpressingtheaccesscontrols
wewouldliketoenforce.Thefirsttokenisallow,statingwewishtoallowaninteraction
betweenasubjectandatarget.Thedogisassignedthetype,dog,andthecat,cat.Thecat
foodisassignedthetypecat_chow,andthedogfood,dog_chow.Theaccessvectorinthis
caseiseat.Withthisbasicsyntax,whichisalsovalidSELinuxsyntax,werestrictthe
animalstothefoodtheyshouldeat.Noticethe:foodannotationafterthetype.Thisisthe
classfieldofthetargetobject.Forinstance,theremightalsobedog_chowtreatand
cat_chowclassesthatcouldindicateourdesiretoallowaccesstotreatsinafashionthatis
potentiallydifferentfromthewayweallowaccesstofoodsthatarenottreats.
Let’ssaywegettwomoredogs,andourscenariohasthreedogs.Thedogsareofdifferent
sizes:small,medium,andlarge.Wewanttomakesurenoneofthesenewdogseatothers’
food.Wecoulddosomethinglikecreateanewtypeforeachofthedogsandpreventdogs
fromeatingthefoodofotherdogs.Itwouldlooksomethinglikethis:
allowcatcat_chow:foodeat;
allowdog_smalldog_small_chow:foodeat;
allowdog_mediumdog_medium_chow:foodeat;
allowdog_largedog_largechow:foodeat;
Thiswouldwork;however,thetotalnumberoftypeswouldbedifficulttomanage,and
thatwouldcontinuetogrowifweallowthelargedogtoeatthesmallerbreeds’food.
WhatwecoulddoisuseMLSsupporttoassignasensitivitytoeachtargetordogfood
bowl.Let’sassumethefollowing:
Thecat’sfoodbowlhassensitivity,tiny
www.it-ebooks.info
Thesmalldog’sfoodbowlhassensitivity,small
Themedium-sizeddog’sfoodbowlhassensitivity,medium
Thelargedog’sfoodbowlhassensitivity,large
Wealsoneedtomakesurethatthesubjectsarelabeledwiththepropersensitivityaswell:
Thecatshouldhavesensitivity,tiny
Thesmalldogshouldhavesensitivity,small
Themedium-sizeddogshouldhavesensitivity,medium
Thelargedogshouldhavesensitivity,large
Atthispoint,weneedtointroduceadditionalsyntaxtoallowtheinteractions,sinceby
default,MLSallowseverythingandTEdenieseverything.We’llusemlsconstrain,to
restrictinteractionswithinthesystem.Therulecouldlooklikethis:
mlsconstrainfoodeat(l1eql2);
Thisconstraintonlyallowssubjectstoeatfoodwiththesamesensitivitylevel.SELinux
definesthekeywordsl1andl2.Thel1keywordisthelevelofthetargetandl2isthe
levelofthesource.Becausetherulesarepartofawhitelist,thisalsopreventssubjects
fromeatingfoodthatdoesnothavetheequivalentsensitivitylevel.
Now,let’ssaywegetyetanotherlargedog.Nowwehavetwolargebreeddogs.However,
theyhavedifferentdietsandneedtoaccessdifferentfoods.Wecouldaddanewtypeor
modifyanexistingtype,butthiswouldhavethesamelimitationsthatledustouse
sensitivitiestopreventaccess.Wecouldaddanothersensitivity,butitmightgetconfusing
thattherearelarge1andlarge2sensitivities.Atthispoint,categorieswouldallowusto
getabitmoregranularinourcontrols.Supposeweaddacategorydenotingthebreed.Our
MLSportionofourlabelwouldlooksomethinglikethis:
large:golden_retriever
large:black_lab
Thesecouldbeusedtopreventtheblacklabfromeatingthegoldenretriever’sfood.Now
supposeyou’resurprisedwithanotherdog,aSaintBernard.Let’ssaythisnewBernard
caneatanylargedog’sfood,buttheotherlargedogscan’teathisfood.Wecouldlabelthe
foodbowlsandthedogs.
DogBreed
Subjectlabel
Targetlabel
GoldenRetriever Dog:large:golden_retriver
dog_chow:large:golden_retriver
BlackLab
Dog:large:black_lab
dog_chow:large:black_lab
SaintBernard
Dog:large:saint_bernard,black_lab,golden_retriever dog_chow:large:saint_bernard
Cat
Cat:tiny
cat_chow:tiny
Theexistingmlsconstraintneedsmodification.IftheSaintBernardranoutoffoodand
wenttotheBlackLab’sdish,theSaintBernardwouldnotbeabletoeatfromitsincethe
levelsarenotequal(Dog:large:saint_bernard,black_lab,golden_retrieverisnot
www.it-ebooks.info
thesameasdog_chow:large:black_lab).Remember,thelevelsaresets,soweneedto
introducesomenotionthatifthesubjectssetdominatesthetargetset,thatinteraction
shouldbeallowed.
Thiscouldbeaccomplishedwiththedomkeyword:
mlsconstrainfoodeat(l1doml2);
Thedominatekeyword,dom,differsfromequality,indicatingl1isasupersetofl2In
otherwords,thelevelsassociatedwiththetarget,l2,areamongthepotentiallylargerset
oflevelsassociatedwiththesubject,l1.Atthispoint,weareabletokeepallthefood
separatedandusedhoweverweseefit.
Aftergettingallthesedogs,yourealizeit’stimetofeedthem,soyougetabagofdog
foodandputsomeineachbowl.However,beforeyoucanadddogfoodtothebowls,we
needsomeallowrulesandlabelsthatwillletyou.Remember,SELinuxisawhitelistbasedsystem,andeverythingmustbeexplicitlyallowed.
Wewilllabelthehumanwiththehumanlabelanddefinesomerules.Ohyeah…don’t
forgettofeedthecat,aswell:
allowhumandog_chow:foodput;
allowhumancat_chow:foodput;
Wewillalsoneedtolabelhumanwithallthesensitivitiesandcategories,butthiswould
becomecumbersomewhenweneedtoaddadditionaldogs,breeds,andbreedsizestoour
system.Wecouldjustbypasstheconstraintifthetypeishuman.Withthisapproach,we
alwaystrusthumantoputthecorrectfoodintheappropriatebowl:
mlsconstrainfoodeat(l1doml2);
mlsconstrainfoodput(t1==human);
NotetheadditionofputintheaccessvectorsoftheMLSconstraint.Viola!Thehuman
cannowfeedhisever-growingpackofanimals.
Soyourbirthdayrollsaround,andyoureceiveanautomaticdogfeederasapresent.You
labelthefooddispenser,dispenserandmodifytheMLSconstraints:
mlsconstrainfoodeat(l1doml2);
mlsconstrainfoodput(t1==humanort1==dispenser);
Again,weseeaneedtocondensethenumberoftypesandgetorganizedtopreventhaving
toduplicatelines.Thisiswhereattributesarequitehandy.Wecanassignanattributeto
ourhumananddispensertypesbyfirstdefiningtheattribute:
attributefeeder;
Thenwecanaddittothetype:
typeattributehuman,feeder;
typeattributedispenser,feeder;
Thiscouldalsobedoneattypedeclaration:
typehuman,feeder;
www.it-ebooks.info
typedispenser,feeder;
Atthispoint,wecouldmodifytheMLSstatementstolooklikethis:
mlsconstrainfoodeat(l1doml2);
mlsconstrainfoodput(t1==feeder);
Nowlet’ssupposeyouhireamaidservice.Youwanttoensureanyonesentbythemaid
serviceisabletofeedyourpets.Forthatmatter,let’sletyourfamilymembersfeedthem,
aswell.Thiswouldbeagoodusecasefortheusercapabilities.Wewilldefinethe
followingusers:adults_u,kids_u,andmaid_u.Thenwe’llneedtoaddaconstraint
statementtoallowinteractionsbytheseusers:
mlsconstrainfoodput(u1==adults_uoru1==maid_u);
Thiswouldpreventthekidsfromfeedingthedogs,butletthemaidsandadultsfeedthem.
Nowsupposeyouhireagardener.Youcouldcreateyetanotheruser,gardener_u,oryou
couldcollapsetheusersintoafewclassesanduseroles.Let’ssupposewecollapse
gardener_uandmaid_uintostaff_u.Thereisnoreasonthegardenershouldbefeeding
thedog,sowecoulduserole-basedtransitionstomovethestaffbetweentheirduties.For
instance,supposestaffcanperformmorethanoneservice,thatis,thesamepersonmight
gardenandclean.Inthiscase,theymighttakeontheroleofgardener_rormaid_r.We
couldusetherolecapabilityofSELinuxtomeetthisneed:
mlsconstrainfoodput(u1==adults_uor(u1==staff_uandr1==
animal_care_r);
Staffmayonlyfeedthedogswhenthey’reintheanimal_care_rrole.Howtogetintoand
backoutofthatroleisreallytheonlycomponentmissing.Youneedtohaveawelldefinedsystemforhowthestaffcanmoveintotheanimalcareroleandtransitionback
out.ThesetransitionsinSELinuxoccureitherautomaticallyviadynamicroletransitions
orviasourcecodemodifications.We’llassumethatanyhumanentity(gardener,adults,
kids)allstartinthehuman_rrole.
Dynamicroletransitionsworkwithatwo-partrule,thefirstpartallowsthetransitionto
occurviaanallowrule:
allowhuman_ranimal_care_r;
Theroletransitionstatementsareasfollows:
role_transitionhuman_rdog_chowanimal_care_r;
role_transitionhuman_rcat_chowanimal_care_r;
Thiswouldbeagoodcasetoattributethedog_chowandcat_chowtypestoanew
attribute,animal_chow,andrewritetheprecedingroletransitionsto:
typeattributedog_chow,animal_chow;
typeattributecat_chow,animal_chow;
role_transitionhuman_ranimal_chowanimal_care_r;
Withtheseroletransitions,youcanonlygofromthehuman_rroletoanimal_care_r.You
wouldneedtodefinetransitionstogetbackaswell.It’salsoimportanttonotethatyou
www.it-ebooks.info
mightdefineotherroles.Supposeyoudefinetherolegardener_r,andwhensomeoneis
inthatrole,theycannottransitiontoanimal_care_r.Supposeyourjustificationforthis
policyisthatgardenersmightworkwithchemicalsunsafeforpets,sotheywouldneedto
washtheirhandsbeforefeedingpets.Insuchasituation,theyshouldonlybeableto
transitiontoanimal_care_rfromthehand_wash_rrole.
www.it-ebooks.info
www.it-ebooks.info
Complexitiesandbestpractices
Asyoucannowappreciate,SELinuxiscomplex,andcanbethoughtofasageneral
purpose“metaprogrammingpolicylanguage”.You’reliterallyprogrammingwhat
interactionsareallowedtooccurinaverycomplexOSsuchasLinux,wherethe
interactionsthemselvesareoftencomplex.Justlikeaprogramminglanguage,youcando
thingswithdifferentstylesandmethodsthatwillyielddifferingresults.Perhapsusinga
switch()inthatprogramwillmakeitcleanerandeasiertounderstandratherthanan
else-ifblock,eventhoughfunctionallyyouwillendupwiththesamething.SELinuxis
thesame;youcanoftenaccomplishthingswithoneportionoftheenforcement
mechanismsthatwouldbemoreappropriatelyaccomplishedusinganalternate
mechanism.Inlaterchapters,wewillcovertheprocessoflabelingthetargetandsubject,
oneofthemoredifficultpartsofthesystem.
Whensomeoneauthorsaprogram,theyoftenhaveasetofrequirementsinplacethatthe
softwareshouldperform.Thesearetherequirementsofthesoftware.InSELinux,you
shoulddothesamething.Youshouldgatherthesecurityrequirementsandunderstandthe
threatmodelsyouwishtoprotectyourselffrom.AwelldesignedSELinuxpolicywould
meetthesegoals.Agreatdesignwoulddoitinawaythatiseasytoextend.That’s
ultimatelywherecarefulandjudicioususeofthecombinationofUBAC,RBAC,TE,and
MLSwillhelpachievetherequirementsanddesigngoals.
www.it-ebooks.info
www.it-ebooks.info
Summary
Inthischapter,wecoveredthemajorworkingportionsofSELinuxthatincludetype
enforcement,multilevelandmulticategorysecurity,aswellasusersandroles.
Additionally,wesawhowtoapplythesetechnologiestoimplementincreasinglycomplex
accesspoliciestoatangibleexample.Inthenextchapter,wewillmoveoutsideofthe
kernelanddiscoverhowAndroidworksinitsveryuniqueuserspace.
www.it-ebooks.info
www.it-ebooks.info
Chapter3.AndroidIsWeird
Itreallyis.AlthoughitisbuiltonthefamiliarLinuxkernel,Androidhasacompletely
customuserspace,andwhilemanyofitsfunctionalitiesarerewritesoftheirGNU
cousins,someareeitherneworhavesignificantlydifferentfunctionsthantheirdesktop
counterparts.Becauseofthesedifferences,thesesystemshadtobemodifiedtosupport
SELinux.Inthischapter,wewill:
IntroducetheAndroidsecuritymodel
Investigatebinder,zygote,andthepropertyservice
CoverwhichSELinuxelementswereaddedtocomplementthesesystemsandwhy
Thecoverageofthesesystemswillbemoderate,butwewillpresentmoreintricatedetails
ofeachsystemlater,whenappropriate,inourexploratoryinvestigationofSEforAndroid.
www.it-ebooks.info
Android’ssecuritymodel
Android’scoresecuritymodelisbasedonLinuxDAC,includingcapabilities.Android,
however,usestheLinuxconceptofUID/GIDinaverynon-traditionalway.Eachprocess
onthesystemhasitsownUIDratherthantheUIDofwhoeverlaunchedit.TheseUIDs
(generallyunique)providesandboxingandprocessisolation.Thereareafew
circumstances,though,whereprocessescanshareUIDsandGIDs.Typically,whena
processsharesaUIDwithanotherprocess,itisbecausetheybothneedthesamesetof
permissionsonthesystemandsharedata.ThesamecouldbepossibleforGIDs.However,
someGIDsinAndroidareactuallyusedtogainpermissiontoaccessunderlyingsystems,
suchastheSDcardfilesystem.Inanutshell,theUIDisusedtoisolateprocessesandnot
thehumanusersofthesystem.Infact,Androiddidn’thavesupportformultiplehuman
usersuntilitsJellyBean4.3release.Itwasalwaysintendedfordeviceswithasingle
humanuser…atleastinoperation.
Withinthissecuritymodel,therearetwoprocessclasses.Thefirstiscalledsystem
componentservices.Thesearetheservicesdeclaredinthesysteminitscripts.Theytend
tobehighlyprivilegedandthusalmostnevershareaUIDwithanotherprocess.An
examplesystemcomponentservicewouldbetheRadioInterfaceLayerDaemon
(RILD).RILDisresponsibleforprocessingmessagesbetweenAndroiduserspaceandthe
modemonthedevice.Becauseofthenatureofwhatitdoes,ittypicallyrunsasUIDroot.
Thereisnorequirementthatprocessesbepurenativecode.Systemserverhasnon-native
components,runsasthesystemUID,andishighlyprivileged.Almostallofthesesystems
shareacommontheme;theyhaveaUIDthatiseitherrootorissettotheownerofmany
sensitivekernelobjects,suchassockets,pipes,andfiles.
Thesecondclassisapplications.ApplicationsaretypicallywritteninJava,althoughthisis
notarequirement;thisissimilartohowsystemcomponentservicesaretypicallywritten
innativecodewithoutitbeingarequirement.TheseapplicationshaveUIDsassigned
automaticallywhentheyareinstalled,andtheseUIDsarereservedbythesystemforthis
purpose.ThepackagemanagerisresponsibleforissuingUIDstoapplications.These
UIDshavenotiestoanythingsensitiveordangerousonthesystem,andtheapplications
runwithnocapabilities.Inordertoaccessasystemresource,anapplicationmusthaveits
supplementarygroupappendedtooritmustbearbitratedbyaseparateprocess.
Asimpleexampleofutilizingthesupplementarygroupisseenwhenanapplicationneeds
tousetheSDcard.ForapplicationstoaccesstheSDcard,theymusthaveSDCARD_RWin
theirsupplementaryGIDs.ThesepermissionsareenforcedwithstandardLinuxDAC
permissionsbythekernel.Thesupplementarygroupisassignedbythepackagemanager
duringtheapplication’sinstallationbasedonadeclaredpermission.Applicationsin
Androidmustdeclaresomethingcalleduses-permissionintheapplication’smanifest.
ThispermissionappearsasastringwhichismappedtoasupplementaryGID.This
mappingismaintainedinafileinthesystem,specifically
/system/etc/permissions/platform.xml.Youwillseeanapplicationofthese
permissionstringsinalaterchapter.
www.it-ebooks.info
Thesecondwayanapplicationgainsaccesstoasystemresourceisthroughanother
process.Theapplicationwishingtouseasystemresourcemustgetanotherprocesstodo
thisonitsbehalf.Mostrequestsarehandledbyaprocessknownasthesystemserver.
Thesystemservercheckswhethertheapplicationmakingthearbitrationrequesthad
declaredamatchingpermissionstringinitsmanifestfile.Ifitdid,it’sallowedtoproceed,
otherwiseasecurityexceptionisthrown.EvenarbitratedaccessesinAndroiduseaDAC
model,inessence.Whiletheobjectownercontrolstheaccessrulesontheobjectvia
permissionstrings,anyconsumeroftheprotectedobjectcanjustrequestthepermission
stringtogetaccess.Essentially,anyonecanwriteanapplicationrequestingany
permissionstringstheywant.Whileinstallinganapplication,theuserispresentedwith
thelistofpermissionsrequestedbytheapplication,whichtheychoosetoacceptorreject
enmasse.Iftheuser’sintentistoinstalltheapplication,allrequestedpermissionsmustbe
granted.Iftheuserisnotcareful,theymightinadvertentlyallowthatapplicationtoaccess
protectedobjectsinawaythatcanthreatenthesecurityofthedevice,applications,oruser
data.Theownersofthedevicesshouldalwaysensuretheyarecomfortablewiththe
applicationusingthedeclaredpermissions.
Note
Forexamplesorfurtherdiscussion,referto
http://developer.android.com/guide/topics/security/permissions.html.
www.it-ebooks.info
www.it-ebooks.info
Binder
ThearbitratedaccessmethoddiscussedbeforerequiressomeformofInterprocess
Communication(IPC),andwhileAndroiddoesuseUnixdomainsockets,italsobrings
itsownIPCmechanismthatisusedmorewidelythroughoutthesystem.ThisIPC
mechanismiscalledbinderandisthecoreIPCmechanismintheAndroidoperating
system.IthashistoricalrelevancefromtheBeOSandPalmOSimplementationsof
OpenBinder,andsincetheinitialAndroiddevelopmentteamwascomprisedofmany
OpenBinderengineers,binderwentwiththemtoAndroid.However,Androidhasa
complete,fromscratchrewriteofthebindercodebasethatisspecifictoLinux.
Note
BinderiscurrentlynotcompletelymainstreamedintotheLinuxkernel,andmanyof
Android’skernelchangesarestillstaged.
Thereissomecontroversyaroundbinderanditsmainlineadoption.Somepeopleargue
againsttheamountofheavyliftingitdoeswithinthedriverincontrasttocompeting
implementationssuchasdbus.However,itwilllikelybealongtimebeforeweseethe
resolutionofthisdebate.RegardlessofwhetherbinderstaysanAndroid-specific
technology,ismainstreamedintheLinuxkernel,oriseventuallyreplacedbyanother
technologyinAndroid,binderisheretostayfortheforeseeablefuture.
www.it-ebooks.info
Binder’sarchitecture
BinderIPCfollowsaclient/serverarchitecture.Aservicepublishesaninterfaceand
clientsconsumefromthatinterface.Clientscanbindtoservicesviaoneofthetwo
methods:knownaddressorservicename.
Eachbinderinterfaceinthesystemisknownasabindernode.Eachbindernodehasan
address.Whenclientswanttouseaninterface,theymustbindtoabindernodeviathis
address.ThisisanalogoustobrowsingawebpageviaitsIPaddress.However,unlikean
IPaddressthatisusuallyfixedforlongdurationsoftime,thebinderaddresscouldchange
basedonrestartsofthepublishingserviceorontheservicestartuporderattheboottime
ofthedevice.Theorderofprocessesisn’tquiteguaranteed,thusthepublishingofprocess
servicescanresultinadifferentbindertoken(asimplebinderobjecttoshareamong
processes)beingassigned.Also,thisindirectionallowstheruntimeabilitytoreseat
serviceimplementationsusingjustthepublishedservicenameswithoutthenecessityto
utilizethetoken.
ThewaythisredirectionfunctionsissimilartohowDNSprovidestheresolutionfrom
nametoIPaddressfornetworkeddeviceaccesses.Binderhassomethingcalledthe
contextmanager(alsoknownastheservicemanager).Thecontextmanagerlivesata
fixednodeaddressof0.Publishingservicessendanameandabindertokentothecontext
manager,andthen,whenclientsneedtofindaservicebyname,theycheckbindernode0
andresolvethenametothebindertoken.Abindertokenisthepropernameforthis
address,orID,thatuniquelyaddressesabinderinterface.Afteraclientbindstothebinder
object,whichisaprocessthatimplementsthebinderinterface,theprocessesthenperform
bindertransactionsusingawell-establishedbinderprotocol.Thisprotocolallows
synchronoustransactionsanalogtoamethodcall.
Sincebinderisakerneldriver,ithassomenicefeaturesthatdeterminewhatonecando
acrosstheinterface.Forstarters,itallowsthetransmissionoffiledescriptors.Italso
managesathreadpoolfordispatchingservicemethods.Additionally,itemploysan
approachreferredtoaszerocopywherebybinderdoesnotcopyanyofthetransaction
databetweenprocesses…itsharestheminstead.Binderalsoaffordsreferencecountingof
objectsandletsservicesquerytheclientapplication’sLinuxcredentialslikeUID,GID,
andProcessID(PID).Binderalsoallowstheserviceandclienttoknowwhentheother
hasterminatedviaitslinktodeathfunctionality.
TypicallyinAndroid,youdon’tworkwithbinderdirectly.Instead,youworkwitha
serviceratherviaaserviceanditsAndroidInterfaceDescriptionLanguage(AIDL)
interface.ThefinalchapterwillprovidedetailedexamplesofAIDLinpracticeforour
customSEforAndroidsystem,butinthemeantime,thefollowingisasimpleexampleof
anAIDLinterfaceprovidingthemeansforremoteprocessestoexecutethe
getAccountName()andputAccountName()functions:
packagecom.example.sample;
interfaceIRemoteInterface{
StringgetAccountName();
www.it-ebooks.info
booleanputAccountName(inStringname);
}
ThebeautyinworkingwithanAIDLinterfaceisthatitisusedtogenerateasignificant
amountofcodetomanagedataandprocessesthatwouldotherwisehavetobedoneby
hand.Forexample,thefollowingisonlyasmallportionofthecodegeneratedfromthe
precedingAIDLsample:
@OverridepublicbooleanonTransact(intcode,android.os.Parceldata,
android.os.Parcelreply,intflags)throwsandroid.os.RemoteException
{
switch(code)
{
caseINTERFACE_TRANSACTION:
{
reply.writeString(DESCRIPTOR);
returntrue;
}
caseTRANSACTION_getAccountName:
{
data.enforceInterface(DESCRIPTOR);
java.lang.String_result=this.getAccountName();
reply.writeNoException();
reply.writeString(_result);
returntrue;
}
caseTRANSACTION_putAccountName:
{
data.enforceInterface(DESCRIPTOR);
java.lang.String_arg0;
_arg0=data.readString();
...
www.it-ebooks.info
Binderandsecurity
Thesecurityimplicationsofbinderarequitelarge.Youshouldbeabletocontrolwho
becomesthecontextmanager,asaroguecontextmanagercouldcompromisethewhole
systembysendingclientstorogueservices,ratherthantheproperones.Outsideofthat,
youmightwanttocontrolwhichclientscanbindtowhichbinderobjects.Lastly,you
mightwishtocontrolwhetherfiledescriptorscanbesentviabinder.Thebinderalsohas
thecapabilitytoallowsomeonetofakecredentialsovertheinterface,whichisdesignedto
beusedforgood.Forexample,someprivilegedsystemprocesses,suchasActivity
ManagerService(AMS),performoperationsonbehalfofotherprocesses.The
credentialsexposedinthiskindofmasqueradingareoftheprocessyouaredoingthework
for,notoftheprivilegedentity.Thisisanalogoustoapowerofattorney,usedwhen
someoneisactingonyourbehalf.
Android’sbinderIPCmechanismwastraditionallycontrolledwithDACpermissions.
However,aswesawinChapter1,LinuxAccessControls,thesepermissionshavesome
flaws.ItfollowsthatbinderneedstobemodifiedtosupportSELinuxbecausethebinder
driverdoesnototherwiseimplementhookstoanyadditionalsecuritymodules.Todothis,
apatchwassenttoGooglebyStephenSmalleyimplementingthesefeatures.Thepatch
implementsnewhooksforconsumersofwhatisknownastheLinuxSecurityModule
(LSM)framework.ThisframeworkallowsLSMssuchasSELinuxtobeinvokedandthen
makeaccessdecisions.Thedetailsofthispatchareoutsidethescopeofthisbook.It
sufficesthatbinderwaspatched,andSELinuxcannowcontrolitscapabilitieswithMAC.
Note
StephenSmalleyisacomputersecurityresearcherattheTrustedSystemsResearch
organizationoftheUnitedStatesNationalSecurityAgency(NSA)andleadstheSE
Androidproject.ThepatchhesenttoGoogletomodifythebinderforSELinuxhookscan
beviewedathttps://android-review.googlesource.com/45984.
BecauseoftheintegrationofSELinuxandbinder,SEforAndroidhasanadditionalclass
withaccessvectors(afancywayofsaying,“thingsitcando.”)Inpreviousexamplesfrom
Chapter2,MandatoryAccessControlsandSELinux,thetargetclassisfood.Similarly,the
SELinuxclassforbinderisbinder.Itdefinestheaccessvectorslistedinthefollowing
bullets.Ifyourecall,theaccessvectorforfoodinChapter2,MandatoryAccessControls
andSELinux,waseat.Thefollowingaccessvectorsareavailableforbinder:
impersonate:Thiscreatesfakecredentialsoverabinderinterface
call:Thisbindsaclienttoabinderinterfaceandusesit
set_context_mgr:Thissetsthecontextmanager
transfer:Thistransfersafiledescriptor
www.it-ebooks.info
www.it-ebooks.info
Zygote–applicationspawn
Non-nativeapplicationsinAndroidhistoricallymakeuseoftheDalvikvirtualmachine
(VM)andrunaproprietarybytecodecalledDEX.Applicationsarealsospawnedfroma
commonprocesscalledzygotethroughamechanismcalledforkandspecialize.Zygote
itselfisaprocessthathastheDalvikVMandsomecommonclasses,suchas
java.util.*,loadedintotheVM.Forkandspecializeisthemechanismofgoingfroma
zygotetoachildprocessofzygotethatexecutessomeapplicationcode.
Note
VersionsofAndroidsinceAndroid4.4arereplacingthiswiththeAndroidRunTime
(ART).ItisspeculatedthatAndroidLwillnotusetheDalvikVMatall.
Thefirstpartofthisprocessinvolvesasocketconnection.Zygotelistensoverthissocket
foranapplication’sspawnrequests.Someoftheargumentsincludethepackagenameof
theapplicationthatshouldbeloadedandaflagthatindicateswhethertheapplicationis
thesystemserverornot.Oncethespawncommandisreceived,theforkcanproceed.
Note
Agreatwaytostarttracingbackthisinitialsocketconnectioniswiththeapp_process
tool.ThiscommandstartsaprocesswithDalvik.Formoreinformation,navigateto
frameworks/base/cmds/app_process/app_main.cpp.
Afterthefork,thenowparentzygotereturnstolistenonthesocketformorerequests.The
childprocessisexecutingandafewthingsneedtohappen.Thefirstthingthatneedsto
happenisaUIDandGIDswitch.ZygoterunswiththeUIDroot,andthustomeetthe
Androidsecuritymodel,itmustsetthechildprocessUIDsandGIDstosomethingother
thanroot.ThechildprocesswillsetUIDandGIDasdefinedbythepackagemanagerand
thesupplementaryGIDs.Italsosetstheprocess’resourcelimitsandschedulingpolicy.
Thenitclearsthecapabilitysetoftheapplicationtozero(nocapabilities).Inthecaseof
thesystemserver,thecapabilitysetisnotclearedbutrathersetasoneofthearguments
sentoverthesocket.Afterthispoint,thechildprocessruns.Codefurtheralonginthe
zygoteloadstheclass,andothersysteminteractions,suchasintentdelivery,areusedto
startanactivity.Thesepartsofzygotearebeyondthescopeofthisbook.
www.it-ebooks.info
www.it-ebooks.info
Thepropertyservice
ThepropertyserviceinAndroidprovidesasharedmappingofkey-valuepairsbetweenall
processes.AllprocessesonanAndroidsystemsharesomepagesofmemorydedicatedto
thissystem.However,themappinginallprocessesisREADONLYwiththeexceptionofinit
processes,whichhaveaREAD/WRITEmapping.Thepropertyservicesystemresideswithin
init,anditisthissystem’sjobtoupdateoraddvaluestothiskey-valuemap.Inorderto
changeavalue,youmustgothroughpropertyservice,butanyonecanreadavalue.It’s
imperativethatifyouusepropertyservice,youdonotstoresensitiveinformation.Itis
primarilyintendedtobeusedforsmallvalues,notagenericlarge-valuestore.What
followsisonlyaverybasicintroductiontothepropertyservice.Athoroughinvestigation
willbeconductedlater.
Tosetaproperty,youmustsendarequestusingaUnixdomainsockettotheproperty
service.Propertyservicewillthenparsetherequestandsetthevalueifthepermissions
allowittodoso.Propertieshaveperiod-delimitedsegments,likepackagenames,that
havepermissionsassignedtoitstaticallyatbuildtime.Thepermissionsandproperty
servicecodecanbefoundtogetheratsystem/core/property_service.c.Thearguments
expectedoverthisinterfaceincludeacommand,thepropertyname,andtheproperty
value.Forthosewhoarecurious,thesearealldefinedinthestructureprop_msg,whichis
definedinbionic/libc/include/sys/_system_properties.h.Uponreceivingthe
message,thepropertyservicechecksthepeersocket’scredentialsagainstthestaticmapof
permissions.IftheUIDisroot,itcanwritetoanything,otherwiseitmustbeamatchfor
eitherUIDorGID.InverynewAndroidversions,orthosewiththepatchappliedfrom
https://android-review.googlesource.com/#/c/98428/,boththepermissioncheckingand
hardcodedDAChavebeenreplacedbySELinuxcontrols.
SincethepermissiontosetavalueiscontrolledbyuserspaceusingDAC,itfollowsthat
thepropertysetmechanismssharetheinherentrootingvulnerabilityflaw.Withthisin
mind,thepropertyservicecodewasaugmentedinSELinux.Sincethisisauserspace
process,itusestheSELinuxAPIthroughthekerneltoprogramsomethingcalledauser
spaceobjectmanager.ThisjustmeanstheuserspaceapplicationcheckswithSELinuxin
thekerneltoensureitcanperformanactivity…inthiscase,setonaproperty.
www.it-ebooks.info
www.it-ebooks.info
Summary
Androidhassomeveryuniqueproperties.FromitsuseofthecommonUIDandGID
modeltopromoteitssecuritygoals,toitscustombinderIPCmechanism,thesesystems
haveimplicationsonthesecurityandfunctionalityofthedevice.Inthenextchapter,these
systemswillcomebackintoplayaswegettheUDOOupandrunningandenableSEfor
Androidonit.
www.it-ebooks.info
www.it-ebooks.info
Chapter4.InstallationontheUDOO
Inordertocontinueourexploration,wewillneedtogetatangiblesysteminplacetowork
with.Inthischapter,wewill:
BuildAndroid4.3fortheUDOOfromsource
FlashanSDcardwithourbootimages
GettheUDOOrunningwhilecapturinglogs
EstablishanadbconnectiontotheUDOO
RebuildthekernelwithSELinuxsupport
VerifyourSELinuxUDOOimageworksasexpected
WewillstartwiththepubliclyavailableUDOOAndroid4.3JellyBeansourcecode,
whichcanbedownloadedfromhttp://www.udoo.org/downloads/.Itisassumedyouhavea
UDOOandhaveverifiedthatitisfunctional.Itisrecommendedyoufollowthe
instructionsontheUDOOwebsiteforgettingstartedwiththeAndroid4.3prebuiltimage
asaninitialtest(formoreinformation,refertohttp://www.udoo.org/getting-started/).
YouwillalsoneedanappropriatedevelopmentsystemforworkingwithAndroidanda
UDOO,butthedetailsofthisarebeyondthescopeofthischapter.Anappendixhasbeen
provideddetailingthesetupofastandardUbuntuLinux12.04systemtoensureyouhave
thehighestprobabilityofsuccessduplicatingtheworkinthisbook.
www.it-ebooks.info
Retrievingthesource
Let’sstartthisexercisebydownloadingtheAndroid4.3Jellybeansourcecodefromthe
downloadlinksgivenintheprecedingsection,andextractthedownloadintoaworkspace
usingthefollowingcommands:
$mkdir~/udoo&&cd~/udoo
$tar-xavf~/Downloads/UDOO_Android_4.3_Source_v2.0.tar.gz
Oncethisisdone,youshouldreviewtheUDOOdocumentationandtheAndroidsource
codebuildinginstructionsatthefollowingURLs:
http://www.elinux.org/UDOO_compile_android_4-2-2_from_sources
http://source.android.com/source/initializing.html
TheinstructionsprovidedbytheprecedingURLdiscusshowtobuildAndroidwithOpen
JDK7.However,theseinstructionsareforthecurrentreleaseofAndroid(Lpreview)and
arenot100percentrelevant.ForAndroid4.3,youmustbuildwithOracleJava6,whichis
archivedbyOracleandfoundat
http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archivedownloads-javase6-419409.html.
ItisassumedthatyouhaveaduplicateofthesystemdetailedintheAppendix,The
DevelopmentEnvironment.Thatappendix,amongotherthings,walksyouthroughthe
setupofOracleJava6asyouronlyJavainstance.However,forthosewhoprefertowork
fromtheirexistingsystems,particularlythosewithmultipleJavaSDKs,pleasekeepin
mindyouwillneedtoensureyoursystemisusingtheOracleJava6toolswhenworking
throughtherestofthisbook.
FinishsettingupyourenvironmentbychangingtotherootofyourUDOOsourcetreeand
executethefollowingcommand:
$.setupudoo-eng
Oncetheenvironmentisconfigured,weneedtobuildthebootloader:
$cdbootable/bootloader/uboot-imx
$./compile.sh-c
Agraphicalmenuwillappear.Ensurethesettingsareasfollows:
DDRSize:Select1Giga,bussize64,andactiveCS\1(256Mx4)
BoardType:SelectUDOO
CPUtype:Selectquad-coreordual-coreoption,dependentonwhichsystemyou
have.Wehappentobeusingthequad-coresystem.
OStype:SelectAndroid
Environmentdevice:MustselectSD/MMC
Extraoptions:CLEANshouldbeselected
Compileroptions:Pathstotoolchainscanbeselectedhere;justtakethedefaults
Thefollowingscreenshotshowsthegraphicalmenudisplayedbytheprecedingcommand:
www.it-ebooks.info
Whenyouexit,besuretosave.Thenstartthecompilation:
$./compile.sh
Boardtypeselected:UDOO
CPUType:QUAD/DUAL
OStype:Android
...
/home/bookuser/udoo/prebuilts/gcc/linux-x86/arm/arm-eabi-4.6/bin/arm-eabiobjcopy-Osrecu-bootu-boot.srec
/home/bookuser/udoo/prebuilts/gcc/linux-x86/arm/arm-eabi-4.6/bin/arm-eabiobjcopy--gap-fill=0xff-Obinaryu-bootu-boot.bin
Justtobesafe,verifyyourbuildwassuccessfulbyusinglsu-boot.bintoensurethe
bootloaderimagenowexists.Now,buildAndroidusingthefollowingcommand:
$croot
$make–j42>&1|teelogz
ThefirstcommandissomethingthatwassourcedinthesetupscriptsforAndroidand
takesusbacktotherootofourprojecttree.Thesecondcommand,make,buildsthe
system.YoushouldsettheoptionforjtotwiceyourCPU/corecountinmostcases.
Becausemanyofyoumighthaveadual-coremachine,we’lluse–j4.Oneoftheauthors
ofthisbookuses8CPUcores,forexample,andusestheflag-j16.Thefileredirection
andteecommandscapturethebuildoutputtoafile.Thisisimportanttohelpanddebug
anybuildissues.Thisbuild,dependingonyoursystemcantakealong,longtime.Onthe
previouslymentioned8-coresystemwith16GBRAM,thistookalittleover35minutes.
Onothersystems,we’veexperiencedbuildtimesover3hours.
Inthiscase,capturingthelogsprovedveryuseful.Thebuildterminatedwithanerror,and
bysearchingthelogsforerror,wefoundthefollowing:
$greperrorlogz
...
external/mtd-utils/mkfs.ubifs/mkfs.ubifs.h:48:23:fatalerror:uuid/uuid.h:
Nosuchfileordirectory
external/mtd-utils/mkfs.ubifs/mkfs.ubifs.h:48:23:fatalerror:uuid/uuid.h:
Nosuchfileordirectory
www.it-ebooks.info
external/mtd-utils/mkfs.ubifs/mkfs.ubifs.h:48:23:fatalerror:uuid/uuid.h:
Nosuchfileordirectory
...
Byevaluatingthoseerrors,wediscoverwearemissingheadersforuuidandlzo1x.We
canalsoopentheAndroidmakefile,external/mtd-utils/mkfs.ubifs/Android.mk,and
determinethelikelylibrariesinvolvedfromthelineLOCAL_LDLIBS:=-lz-llzo2-lmluuid-m64.SearchingrevealsthespecificUbuntupackagewe’remissing;wewillinstall
themandbuildagain.The$characterattheendofthesearchstringensuresweonlyget
resultsendinginuuid/uuid.h.Withoutit,wemightmatchfilesendingin.htmlor.hpp:
$sudoapt-filesearch-x“uuid/uuid.h$”
uuid-dev:/usr/include/uuid/uuid.h
$sudoapt-getinstalluuid-dev
$make–j42>&1|teelogz
Asuccessfulbuildshouldproducesomefinaloutputsimilartothefollowing:
...
Running:mkuserimg.shout/target/product/udoo/system
out/target/product/udoo/obj/PACKAGING/systemimage_intermediates/system.img
ext4system293601280out/target/product/udoo/root/file_contexts
Installsystemfsimage:out/target/product/udoo/system.img
out/target/product/udoo/system.img+out/target/product/udoo/obj/PACKAGING/re
covery_patch_intermediates/recovery_from_boot.pmaxsize=299747712
blocksize=4224total=294120167reserve=3028608
www.it-ebooks.info
www.it-ebooks.info
FlashingimageonanSDcard
Withthebootloader,Androiduserspace,andLinuxkernelbuilt,it’stimetoinsertanSD
cardandflashtheimages.InsertanSDcardintoyourhostcomputer,andensureit’s
unmounted.InUbuntu,removablemediaaremountedautomatically,soyou’llneedto
findthe/dev/sd*devicethatisyourflashdrive,andumountit.Fortheremainderofthe
text,wewilluse/dev/sddastheflashdrive,butitisimportanttousethecorrectdevice
foryoursystem.IfyouhaveusedthisSDcardforinstallingUDOObefore,thecardwill
containmultiplepartitions,soyoumightsee/dev/sdd<num>mountednumeroustimes:
$mount|grepsdd
/dev/sdd7on/media/vendertypeext4(rw,nosuid,nodev,uhelper=udisks)
/dev/sdd4on/media/datatypeext4(rw,nosuid,nodev,uhelper=udisks)
/dev/sdd5on/media/57f8f4bc-abf4-655f-bf67-946fc0f9f25btypeext4
(rw,nosuid,nodev,uhelper=udisks)
/dev/sdd6on/media/cachetypeext4(rw,nosuid,nodev,uhelper=udisks)
$sudobash-c"umount/dev/sdd4&&umount/dev/sdd5&&umount/dev/sdd6&&
umount/dev/sdd7"
OncetheSDcardisproperlyunmounted,wecanflashourimage:
$sudo-E./make_sd.sh/dev/sdd
Tip
Youmustusethe-Eparameteronsudotopreservealltheexportedvariablesfromthe
Androidbuild.YoumustbeinthesameterminalsessionyoubuiltAndroidin.Otherwise
youwillseetheerrorNoOUTexportvariablefound!Setupnotcalledin
advance….
Oncethiscompletes(itwilltakeawhile),it’simportanttoflushtheblockdevicecaches
backtothediskwiththecommand,sudosync.Then,youcanremovetheSDcard,insert
itintotheUDOO,andboot!
www.it-ebooks.info
www.it-ebooks.info
UDOOserialandAndroidDebugBridge
NowthattheUDOOisbootingintoAndroid,wewanttomakesurewecanaccessitusing
theserialportaswellastheAndroidDebugBridge(adb).You’llneedtheUDOOserial
driversappropriateforyoursystem.ThedetailsofthisforMac,Linux,andWindowscan
befoundat
http://www.udoo.org/ProjectsAndTutorials/connecting-via-serial-cable/.
Theserialportisthefirstformofcommunicationthatwillcomefromthesystem,anditis
initializedbythebootloader.Itisacriticallinkfordebugginganykernelorsystem
issuesthatyouencounterlateron.It’salsorequiredinordertoconfiguretheUSBportto
allowadbconnectionsacrossCN3(theUSBOTGportontheUDOO).Toconfigurethe
port,weneedtoconfigureanduseminicomtoconnectashelltothedevice.Startby
pluggingamicroUSBcablefromCN6(themicroUSBportclosesttothepowerbutton)
tothehostmachine.Next,let’sfindtheserialconnectionbylookingthroughdmesgforthe
connectionmessageofaTTYoverUSB.
$sudodmesg|tail-n5
[9019.090058]usb4-1:Manufacturer:SiliconLabs
[9019.090061]usb4-1:SerialNumber:0078AEDB
[9019.096089]cp210x4-1:1.0:cp210xconverterdetected
[9019.208023]usb4-1:resetfull-speedUSBdevicenumber4usinguhci_hcd
[9019.359172]usb4-1:cp210xconverternowattachedtottyUSB0
OurTTYterminalisonthelastline.Let’sconnectthroughitwithminicom:
$sudominicom-sw
SelectSerialPortSetup,typea,changeSerialDeviceto/dev/ttyUSB0,andtypefto
togglethehardwareflowcontroloff:
Toexit,hitEnter,selectSaveSetupandDFL,thenselectExitfromMinicom,andpress
www.it-ebooks.info
Enter.NowrunminicomtoconnecttoyourUDOO,andwatchitboot:
$sudominicom-w
Ifthedeviceisbootedandrunning,you’llgetafriendlyrootshell:
Ifit’sbooting,you’llseethelogs.Justwaitfortherootshellprompt:
www.it-ebooks.info
NowweneedtoflipsomeGPIOpinstomovetheCN3microUSBintodebugmode:
root@udoo:/#echo0>/sys/class/gpio/gpio203/value
root@udoo:/#echo0>/sys/class/gpio/gpio128/value
Then,resettheSAM3X8Eprocessorthatwasusingthatbus,byremovingandreplacing
theJ16jumper.NowpluginamicroUSBcablefromthehosttoCN3.Youshouldnow
seeaUSBdeviceaswellasadb:
$lsusb
Bus001Device009:ID18d1:4e42GoogleInc.
$adbdevices
Listofdevicesattached
0123456789ABCDEFoffline
YouneedtoselectAllowUSBdebuggingwhenthepromptappearsontheUDOO
Androidside.Whenyoudothis,thedeviceshouldgofromofflinetoonline;thiswayyou
canuseadb.
Nowtesttheconnectionandgrabthescreenshotoveradb:
$adbshell
root@udoo:/#
$adbshellscreencap-p|perl-pe's/\x0D\x0A/\x0A/g'>screen.png
Thisisthescreenshot:
Atthispoint,wehaveaworkingdevelopmentsystem.Wehaveearlybootlogsanda
rescueshellthroughtheserialconsole.Wealsohaveanadbbridgewithwhichwecanuse
thestandardAndroiddebuggingtools!There’snothinglefttodobutgetthissystem
www.it-ebooks.info
securedwithSELinux!
www.it-ebooks.info
www.it-ebooks.info
Flippingtheswitch
NowthatweareenablingSELinuxontheUDOO,weneedtoverifyitisn’tturnedon.The
waytodothisistochecktheknownfilesystemtypesinthe/procfilesystem.SELinux
hasitsownpsuedo-filesystem,soifit’senabled,weshouldseeitinthelist:
$adbshellcat/proc/filesystems
nodevsysfs
nodevrootfs
nodevbdev
nodevproc
nodevcgroup
nodevcpuset
nodevtmpfs
nodevdebugfs
nodevsockfs
nodevpipefs
nodevanon_inodefs
nodevrpc_pipefs
nodevdevpts
ext3
ext2
ext4
cramfs
nodevramfs
vfat
msdos
nodevnfs
nodevjffs2
nodevfuse
fuseblk
nodevfusectl
nodevmtd_inodefs
nodevubifs
ThereisnoevidenceofSELinuxhere,solet’sfindthekernelconfigurationandturniton.
Executethiscommandfromthe~/udoo/kernel_imxdirectory,andeventuallyyouwillbe
greetedwithagraphicaleditingscreen:
$makemenuconfig
First,youwillneedtoenableAuditingsupport,asthisisadependencyofSELinux.
UnderGeneralsetup|AuditingSupport,enableAuditSupportandEnablesystemcallauditing.Usetheupanddownarrowkeystohighlightanentry,andpressthe
spacebartoenableit.Whenanitemisenabled,youwillseeanasterisk(*)nexttoit:
www.it-ebooks.info
GobacktothemainmenubyselectingExit…it’snotveryintuitive.EntertheFile
systemsmenu,andforeachofthethreefilesystems,Ext2,Ext3,andExt4,ensurethat
ExtendedattributesandSecurityLabelsareenabled.Then,gobacktothemainmenu
byselectingExit:
Fromthatscreen,exitbacktothemainmenuandgotoSecurityOptions.Onceinthe
SecurityOptionssubmenu,enabletheEnabledifferentsecuritymodelsandSocketand
NetworkingSecurityHooksoptions:
www.it-ebooks.info
Oncetheseareenabled,moreoptionswillappear.EnableNSASELinuxSupportand
ensuretheotherselectionsandvaluesfromthefollowingscreenshotareduplicated:
Finally,setDefaultsecuritymoduletoSELinux:
OnceyouselectDefaultsecuritymodule,anewwindowwillappearfromwhichyoucan
selectSELinux.ExittheconfigurationmenusbyselectingExituntilyouareaskedto
saveyournewconfiguration:
Savethenewconfigurationandwritethesechangestotheoriginatingkernelconfiguration
file.Otherwise,itwillbeoverwrittenonsubsequentbuilds.Todothis,we’llneedto
discoverwhichconfigurationfilewasusedinthedefaultbuild,whichwebuiltearlier
beforewemadeourownconfigurationwithmakemenuconfig:
$grepdefconfiglogzmake-Ckernel_imximx6_udoo_android_defconfig
www.it-ebooks.info
ARCH=armCROSS_COMPILE=`pwd`/prebuilts/gcc/linux-x86/arm/arm-eabi4.6/bin/arm-eabi-
Youcanseethatimx6_udoo_android_defconfigwasusedasthedefaultconfiguration.
Copyyourcustomconfigurationandbuildagain:
$cp.configarch/arm/configs/imx6_udoo_android_defconfig
$croot
$make–j4bootimage2>&1|teelogz
AquicksanitycheckofthelogfileisalwaysagoodideatoverifySELinuxwasactually
builtintothekernel:
$grep-iselinuxlogz
HOSTCCscripts/selinux/mdp/mdp
HOSTCCscripts/selinux/genheaders/genheaders
GENsecurity/selinux/flask.hsecurity/selinux/av_permissions.h
CCsecurity/selinux/avc.o
...
Now,withabuiltkernelsupportingSELinux,inserttheSDcardintothehostandrunthe
followingcommands:
$sudo-E./make_sd.sh/dev/sdd
$sudosync
Tip
Don’tforgettoumountanyautomountedpartitionsfromtheSDcardaswedidbefore.
PlugtheSDcardintotheUDOO,andfireitup.Youshouldseelogsovertheserial
consoleaswedidbefore:
Eventually,theserialconnectionshouldtakeustoarootshell.
www.it-ebooks.info
www.it-ebooks.info
It’salive
HowdoweknowthatwehavesuccessfullyenabledSELinuxinthekernel?Earlierinthis
chapter,youranthecommand,adbshellcat/proc/filesystems.We’regoingtodo
thesamethingandlookforanewfilesystemcalledselinuxfs.Ifthatispresent,it
indicateswehaveenabledSELinuxsuccessfully.Runthefollowingcommandintheserial
terminal:
#cat/proc/filesystems|grepselinux
nodevselinuxfs
Wecanseethatselinuxfsispresent!Anothercommonpracticeistocheckdmesgforany
SELinuxoutput.Todothis,executethefollowingcommandviatheserialterminal:
#dmesg|grep-iselinux
<6>SELinux:Initializing.
<7>SELinux:Startinginpermissivemode
<7>SELinux:Registeringnetfilterhooks
<3>SELinux:policydbversion26doesnotmatchmyversionrange15-23
<4>SELinux:Couldnotloadpolicy:Invalidargument
www.it-ebooks.info
www.it-ebooks.info
Summary
Thiswasaveryexcitingchapter.YoulearnedhowtoenableSELinuxinthekernel
configuration,bootthe“secured”system,andhowtoverifyitspresence.Wealsolearned
howtoflashandbuildimagesfortheUDOOingeneralandhowtoconnecttoitviaserial
andadbconnections.Inthenextchapters,wewillfocusonhowtomaketheUDOO
usablewithSEforAndroidcapabilities.
www.it-ebooks.info
www.it-ebooks.info
Chapter5.BootingtheSystem
NowthatwehaveanSEforAndroidsystem,weneedtoseehowwecanmakeuseofit,
andgetitintoausablestate.Inthischapter,wewill:
Modifythelogleveltogainmoredetailswhiledebugging
Followthebootprocessrelativetothepolicyloader
InvestigateSELinuxAPIsandSELinuxFS
Correctissueswiththemaximumpolicyversionnumber
ApplypatchestoloadandverifyanNSApolicy
YoumighthavenoticedsomedisturbingerrormessagesdmesginChapter4,Installation
ontheUDOO.Torefreshyourmemory,herearesomeofthem:
#dmesg|grep–iselinux
<6>SELinux:Initializing.
<7>SELinux:Startinginpermissivemode
<7>SELinux:Registeringnetfilterhooks
<3>SELinux:policydbversion26doesnotmatchmyversionrange15-23
...
ItwouldappearthateventhoughSELinuxisenabled,wedon’tquitehaveanerror-free
system.Atthispoint,weneedtounderstandwhatcausesthiserror,andwhatwecandoto
rectifyit.Attheendofthischapter,weshouldbeabletoidentifythebootprocessofan
SEforAndroiddevicewithrespecttopolicyloading,andhowthatpolicyisloadedinto
thekernel.Wewillthenaddressthepolicyversionerror.
www.it-ebooks.info
Policyload
AnAndroiddevicefollowsabootsequencesimilartothatofthe*NIXbootingsequence.
Thebootloaderbootsthekernel,andthekernelfinallyexecutestheinitprocess.Theinit
processisresponsibleformanagingthebootprocessofthedevicethroughinitscriptsand
somehardcodedlogicinthedaemon.Likeallprocesses,inithasanentrypointatthe
mainfunction.Thisiswherethefirstuserspaceprocessbegins.Thecodecanbefoundby
navigatingtosystem/core/init/init.c.
Whentheinitprocessentersmain(refertothefollowingcodeexcerpt),itprocesses
cmdline,mountssometmpfsfilesystemssuchas/dev,andsomepseudo-filesystems
suchasprocfs.ForSEforAndroiddevices,initwasmodifiedtoloadthepolicyintothe
kernelasearlyinthebootprocessaspossible.ThepolicyinanSELinuxsystemisnot
builtintothekernel;itresidesinaseparatefile.InAndroid,theonlyfilesystemmounted
inearlybootistherootfilesystem,aramdiskbuiltintoboot.img.Thepolicycanbefound
inthisrootfilesystemat/sepolicyontheUDOOortargetdevice.Atthispoint,theinit
processcallsafunctiontoloadthepolicyfromthediskandsendsittothekernel,as
follows:
intmain(intargc,char*argv[]){
...
process_kernel_cmdline();
unionselinux_callbackcb;
cb.func_log=klog_write;
selinux_set_callback(SELINUX_CB_LOG,cb);
cb.func_audit=audit_callback;
selinux_set_callback(SELINUX_CB_AUDIT,cb);
INFO("loadingselinuxpolicy\n");
if(selinux_enabled){
if(selinux_android_load_policy()<0){
selinux_enabled=0;
INFO("SELinux:Disabledduetofailedpolicyload\n");
}else{
selinux_init_all_handles();
}
}else{
INFO("SELinux:Disabledbycommandlineoption\n");
}
…
Intheprecedingcode,youwillnoticetheverynicelogmessage,SELinux:Disableddue
tofailedpolicyload,andwonderwhywedidn’tseethiswhenwerandmesgbefore.
Thiscodeexecutesbeforesetlevelininit.rcisexecuted.
ThedefaultinitloglevelissetbythedefinitionofKLOG_DEFAULT_LEVELin
system/core/include/cutils/klog.h.Ifwereallywantedto,wecouldchangethat,
rebuild,andactuallyseethatmessage.
Nowthatwehaveidentifiedtheinitialpathofthepolicyload,let’sfollowitonitscourse
www.it-ebooks.info
throughthesystem.Theselinux_android_load_policy()functioncanbefoundinthe
Androidforkoflibselinux,whichisintheUDOOAndroidsourcetree.Thelibrarycan
befoundatexternal/libselinux,andalloftheAndroidmodificationscanbefoundin
src/android.c.
Thefunctionstartsbymountingapseudo-filesystemcalledSELinuxFS.Ifyourecall,this
wasoneofthenewfilesystemsmentionedin/proc/filesystemsthatwesawinChapter
4,InstallationontheUDOO.Insystemsthatdonothavesysfsmounted,themountpoint
is/selinux;onsystemsthathavesysfsmounted,themountpointis/sys/fs/selinux.
Youcancheckmountpointsonarunningsystemusingthefollowingcommand:
#mount|grepselinuxfs
selinuxfs/sys/fs/selinuxselinuxfsrw,relatime00
SELinuxFSisanimportantfilesystemasitprovidestheinterfacebetweenthekerneland
userspaceforcontrollingandmanipulatingSELinux.Assuch,ithastobemountedforthe
policyloadtowork.Thepolicyloadusesthefilesystemtosendthepolicyfilebytestothe
kernel.Thishappensintheselinux_android_load_policy()function:
intselinux_android_load_policy(void)
{
char*mnt=SELINUXMNT;
intrc;
rc=mount(SELINUXFS,mnt,SELINUXFS,0,NULL);
if(rc<0){
if(errno==ENODEV){
/*SELinuxnotenabledinkernel*/
return-1;
}
if(errno==ENOENT){
/*Fallbacktolegacymountpoint.*/
mnt=OLDSELINUXMNT;
rc=mkdir(mnt,0755);
if(rc==-1&&errno!=EEXIST){
selinux_log(SELINUX_ERROR,"SELinux:Couldnotmkdir:%s\n",
strerror(errno));
return-1;
}
rc=mount(SELINUXFS,mnt,SELINUXFS,0,NULL);
}
}
if(rc<0){
selinux_log(SELINUX_ERROR,"SELinux:Couldnotmountselinuxfs:%s\n",
strerror(errno));
return-1;
}
set_selinuxmnt(mnt);
returnselinux_android_reload_policy();
}
Theset_selinuxmnt(car*mnt)functionchangesaglobalvariableinlibselinuxsothat
otherroutinescanfindthelocationofthisvitalinterface.Fromthereitcallsanotherhelper
www.it-ebooks.info
function,selinux_android_reload_policy(),whichislocatedinthesamelibselinux
android.cfile.Itloopsthroughanarrayofpossiblepolicylocationsinpriorityorder.
Thisarrayisdefinedasfollows:
Staticconstchar*constsepolicy_file[]={
"/data/security/current/sepolicy",
"/sepolicy",
0};
Sinceonlytherootfilesystemismounted,itchooses/sepolicyatthistime.Theother
pathisfordynamicruntimereloadsofpolicy.Afteracquiringavalidfiledescriptortothe
policyfile,thesystemismemorymappedintoitsaddressspace,andcalls
security_load_policy(map,size)toloadittothekernel.Thisfunctionisdefinedin
load_policy.c.Here,themapparameteristhepointertothebeginningofthepolicyfile,
andthesizeparameteristhesizeofthefileinbytes:
intselinux_android_reload_policy(void)
{
intfd=-1,rc;
structstatsb;
void*map=NULL;
inti=0;
while(fd<0&&sepolicy_file[i]){
fd=open(sepolicy_file[i],O_RDONLY|O_NOFOLLOW);
i++;
}
if(fd<0){
selinux_log(SELINUX_ERROR,"SELinux:Couldnotopensepolicy:%s\n",
strerror(errno));
return-1;
}
if(fstat(fd,&sb)<0){
selinux_log(SELINUX_ERROR,"SELinux:Couldnotstat%s:%s\n",
sepolicy_file[i],strerror(errno));
close(fd);
return-1;
}
map=mmap(NULL,sb.st_size,PROT_READ,MAP_PRIVATE,fd,0);
if(map==MAP_FAILED){
selinux_log(SELINUX_ERROR,"SELinux:Couldnotmap%s:%s\n",
sepolicy_file[i],strerror(errno));
close(fd);
return-1;
}
rc=security_load_policy(map,sb.st_size);
if(rc<0){
selinux_log(SELINUX_ERROR,"SELinux:Couldnotloadpolicy:%s\n",
strerror(errno));
munmap(map,sb.st_size);
close(fd);
return-1;
}
www.it-ebooks.info
munmap(map,sb.st_size);
close(fd);
selinux_log(SELINUX_INFO,"SELinux:Loadedpolicyfrom%s\n",
sepolicy_file[i]);
return0;
}
Thesecurityloadpolicyopensthe<selinuxmnt>/loadfile,whichinourcaseis
/sys/fs/selinux/load.Atthispoint,thepolicyiswrittentothekernelviathispseudo
file:
intsecurity_load_policy(void*data,size_tlen)
{
charpath[PATH_MAX];
intfd,ret;
if(!selinux_mnt){
errno=ENOENT;
return-1;
}
snprintf(path,sizeofpath,"%s/load",selinux_mnt);
fd=open(path,O_RDWR);
if(fd<0)
return-1;
ret=write(fd,data,len);
close(fd);
if(ret<0)
return-1;
return0;
}
www.it-ebooks.info
www.it-ebooks.info
Fixingthepolicyversion
Atthispoint,wehaveaclearideaofhowthepolicyisloadedintothekernel.Thisisvery
important.SELinuxintegrationwithAndroidbeganinAndroid4.0,sowhenportingto
variousforksandfragments,thisbreaks,andcodeisoftenmissing.Understandingall
partsofthesystem,howevercursory,willhelpustocorrectissuesastheyappearinthe
wildanddevelop.Thisinformationisalsousefultounderstandthesystemasawhole,so
whenmodificationsneedtobemade,you’llknowwheretolookandhowthingswork.At
thispoint,we’rereadytocorrectthepolicyversions.
Thelogsandkernelconfigareclear;onlypolicyversionsupto23aresupported,and
we’retryingtoloadpolicyversion26.Thiswillprobablybeacommonproblemwith
Androidconsideringkernelsareoftenoutofdate.
Thereisalsoanissuewiththe4.3sepolicyshippedbyGoogle.SomechangesbyGoogle
madeitabitmoredifficulttoconfiguredevicesastheytailoredthepolicytomeettheir
releasegoals.Essentially,thepolicyallowsnearlyeverythingandthereforegeneratesvery
fewdeniallogs.Somedomainsinthepolicyarecompletelypermissiveviaaper-domain
permissivestatement,andthosedomainsalsohaverulestoalloweverythingsodeniallogs
donotgetgenerated.Tocorrectthis,wecanuseamorecompletepolicyfromtheNSA.
Replaceexternal/sepolicywiththedownloadfrom
https://bitbucket.org/seandroid/external-sepolicy/get/seandroid-4.3.tar.bz2.
AfterweextracttheNSA’spolicy,weneedtocorrectthepolicyversion.Thepolicyis
locatedinexternal/sepolicyandiscompiledwithatoolcalledcheck_policy.The
Android.mkfileforsepolicywillhavetopassthisversionnumbertothecompiler,sowe
canadjustthishere.Onthetopofthefile,wefindtheculprit:
...
#Mustbe<=/selinux/policyversreportedbytheAndroidkernel.
#Mustbewithinthecompatibilityrangereportedbycheckpolicy-V.
POLICYVERS?=26
...
Sincethevariableisoverridablebythe?=assignment.Wecanoverridethisin
BoardConfig.mk.Editdevice/fsl/imx6/BoardConfigCommon.mk,addingthefollowing
POLICYVERSlinetothebottomofthefile:
...
BOARD_FLASH_BLOCK_SIZE:=4096
TARGET_RECOVERY_UI_LIB:=librecovery_ui_imx
#SELinuxSettings
POLICYVERS:=23
-includedevice/google/gapps/gapps_config.mk
Sincethepolicyisontheboot.imgimage,buildthepolicyandbootimage:
$mmm-Bexternal/sepolicy/
$make–j4bootimage2>&1|teelogz
!!!!!!!!!WARNING!!!!!!!!!VERIFYBLOCKDEVICE!!!!!!!!!
$sudochmod666/dev/sdd1
www.it-ebooks.info
$ddif=$OUT/boot.imgof=/dev/sdd1bs=8192conv=fsync
EjecttheSDcard,placeitintotheUDOO,andboot.
Tip
Thefirstoftheprecedingcommandsshouldproducethefollowinglogoutput:
out/host/linux-x86/bin/checkpolicy:writingbinaryrepresentation(version
23)toout/target/product/udoo/obj/ETC/sepolicy_intermediates/sepolicy
Atthispoint,bycheckingtheSELinuxlogsusingdmesg,wecanseethefollowing:
#dmesg|grep–iselinux
<6>init:loadingselinuxpolicy
<7>SELinux:128avtabhashslots,490rules.
<7>SELinux:128avtabhashslots,490rules.
<7>SELinux:1users,2roles,274types,0bools,1sens,1024cats
<7>SELinux:84classes,490rules
<7>SELinux:Completinginitialization.
Anothercommandweneedtorunisgetenforce.Thegetenforcecommandgetsthe
SELinuxenforcingstatus.Itcanbeinoneofthreestates:
Disabled:Nopolicyisloadedorthereisnokernelsupport
Permissive:Policyisloadedandthedevicelogsdenials(butisnotinenforcing
mode)
Enforcing:Thisstateissimilartothepermissivestateexceptthatpolicyviolations
resultinEACCESSbeingreturnedtouserspace
OneofthegoalswhilebootinganSELinuxsystemistogettotheenforcingstate.
Permissiveisusedfordebugging,asfollows:
#getenforce
Permissive
www.it-ebooks.info
www.it-ebooks.info
Summary
Inthischapter,wecoveredtheimportantpolicyloadflowthroughtheinitprocess.We
alsochangedthepolicyversiontosuitourdevelopmenteffortsandkernelversion.From
there,wewereabletoloadtheNSApolicyandverifythatthesystemloadedit.This
chapteradditionallyshowcasedsomeoftheSELinuxAPIsandtheirinteractionswith
SELinuxFS.Inthenextchapter,wewillexaminethefilesystemandthenmoveforwardin
ourquesttogetthesystemintoenforcingmode.
www.it-ebooks.info
www.it-ebooks.info
Chapter6.ExploringSELinuxFS
Inthelastfewchapters,wesawSELinuxFSsurfaceonnumerousoccasions.Fromits
entryin/proc/filesystemstothepolicyloadintheinitdaemon,itseesfrequentusein
anSELinux-enabledsystem.SELinuxFSisthekernel-to-userspaceinterfaceandthe
foundationonwhichhigheruserspaceidiomsandlibselinuxarebuilt.Inthischapter,we
willexplorethecapabilitiesofthisfilesystemforadeeperunderstandingofhowthe
systemworks.Specifically,wewill:
DeterminehowtofindthemountpointoftheSELinuxfilesystem
ExtractstatusinformationaboutourcurrentSELinuxsystem
ModifyourSELinuxsystemstatusontheflyfromtheshellandthroughcode
InvestigateProcFSinterfaces
www.it-ebooks.info
Locatingthefilesystem
Thefirstthingweneedtodoislocatethemountpointforthefilesystem.libselinux
mountsthefilesystemineitheroftwoplaces:/selinux(bydefault)or/sys/fs/selinux.
However,thisisnotastrictrequirementandcanbealteredwithacalltovoid
set_selinuxmnt(char*mnt),whichsetstheSELinuxmountpointlocation.However,
thisshouldhappenandshouldnotneedanyadjustmentinmostcircumstances.
Thebestwaytofindthemountpointinthesystemisbyrunningthemountcommandand
findingthelocationofthefilesystem.Fromtheserialconsole,issuethefollowing
commands:
root@udoo:/#mount|grepselinux
selinuxfs/sys/fs/selinuxselinuxfsrw,relatime00
Asyoucansee,themountpointis/sys/fs/selinux.Let’sgotothatdirectorybyissuing
thefollowingcommandattheserialterminalprompt:
root@udoo:/#cd/sys/fs/selinux
root@udoo:/sys/fs/selinux#
YouarenowintherootoftheSELinuxfilesystem.
www.it-ebooks.info
www.it-ebooks.info
Interrogatingthefilesystem
YoucaninterrogateSELinuxFStofindoutwhatthekernel’shighestsupportedpolicy
versionis.Thisisusefulwhenyoubegintoworkwithsystemsyoudidnotbuildfrom
source.ItisalsousefulwhenyoudonothavedirectaccesstotheKConfigfile.Itis
importanttonotethatbothDACandMACpermissionsapplytothisfilesystem.With
respecttoMACandSELinux,theaccessvectorsforthisareenumeratedinclasssecurity
inthepolicyfilelocatedatexternal/sepolicy/access_vectors:
root@udoo:/sys/fs/selinux#echo'catpolicyvers'
23
Tip
Inthepreviouscommand,andinseveralcommandstofollow,wedonotjustprintthe
fileswiththecatcommand.Thisisbecausethesefilesdonothaveatrailingnewlineat
theendofthefile.Withoutthenewline,thecommandpromptfollowingthecommand’s
executionwouldbeattheendofthelastlineoftheoutput.Wrappingthecatcommand
withechoguaranteesanewline.Analternatewaytogetthesameeffectisbyusingcat
policyvers;echo.
Asweexpected,thesupportedversionis23.Asyourecall,wesetthisvalueinChapter4,
InstallationontheUDOOwhileconfiguringthekerneltoenableSELinuxusingmake
menuconfigfromthekernel_imxdirectory.Thisisalsoaccessiblebythelibselinux
API:
intsecurity_policyvers(void);
Itshouldnotrequireanyelevatedpermissionsandisreadablebyanyoneonthesystem.
www.it-ebooks.info
Theenforcenode
Inpreviouschapters,wediscussedthatSELinuxoperatesintwomodes,enforcingand
permissive.Bothmodeslogpolicyviolations,however,enforcingmodecausesthekernel
todenyaccesstotheresourceandreturnanerrortothecallinguserspaceprocess(for
example,EACCESS).SELinuxFShasaninterfacetoquerythisstatus—thefilenode
enforce.Readingfromthisfilereturnsthestatus0or1dependingonwhetherweare
runninginpermissiveorenforcingmode,respectively:
root@udoo:/sys/fs/selinux#echo'catenforce'
0
Asyoucansee,oursystemisinpermissivemode.Androidhasatoolboxcommandfor
printingthisaswell.ThiscommandreturnsthestatusPermissiveorEnforcing
dependingonwhetherwearerunninginapermissiveorenforcingmode,respectively:
root@udoo:/sys/fs/selinux#getenforce
Permissive
Youcanalsowritetotheenforcefile.TheDACpermissionsforthisfilesystemare:
Owner:rootread,write
Group:rootread
Others:read
Anyonecangettheenforcingstatus,buttosetit,youmustbetherootuser.TheMAC
permissionrequiredforthisis:
class:security
vector:setenforce
Acommandcalledsetenforcecanchangethestatus:
root@udoo:/sys/fs/selinux#setenforce0
Toseewhatthecommanddoes,runitinstrace:
root@udoo:/sys/fs/selinux#stracesetenforce0
...
open("/proc/self/task/3275/attr/current",O_RDONLY)=4
brk(0x41d80000)=0x41d80000
read(4,"u:r:init_shell:s0\0",4095)=18
close(4)=0
open("/sys/fs/selinux/enforce",O_RDWR)=4
write(4,"0",1)
...
Aswecansee,theinterfacetoenforceisassimpleaswriting0or1.Thefunctionin
libselinuxtodothisisintsecurity_setenforce(intvalue).Anotherinteresting
artifactoftheprecedingcommandiswecanseeprocfswasaccessed.SELinuxhassome
additionalentriesinprocfsaswell.Thosewillbecoveredfurtherinthischapter.
www.it-ebooks.info
Thedisablefileinterface
SELinuxcanalsobedisabledatruntimeusingthedisablefileinterface.However,the
kernelmustbebuiltwithCONFIG_SECURITY_SELINUX_DISABLE=y.Ourkernelwasnotbuilt
withthisoption.ThisfileiswriteonlybyownerandhasnospecificMACpermission
associatedwithit.Werecommendkeepingthisoptiondisabled.Additionally,SELinux
canbedisabledbeforeapolicyisloaded.Evenwhentheoptionisenabled,onceapolicy
isloaded,itisdisabled.
www.it-ebooks.info
Thepolicyfile
ThepolicyfileletsyoureadthecurrentSELinuxpolicyfilethatwasloadedintothe
kernel.Thiscanbereadandsavedtodisk:
root@udoo:/sys/fs/selinux#catpolicy>/sdcard/policy
Byenablingtheadbinterface,youcannowextractitfromthedeviceandanalyzeitonthe
hostwiththestandardSELinuxtools.TheDACpermissionsonthisfileareowner:root,
read.ThereisnoSELinuxpermissionspecifictothisfile.
Theinversetothepolicyfileistheloadfile.Wehaveseenthisfileappearwhenthe
policyfileisloadedbyinitusingthelibselinuxAPI:
intsecurity_load_policy(void*data,size_tlen);
www.it-ebooks.info
Thenullfile
ThenullfileisusedbySELinuxtoredirectunauthorizedfileaccesseswhendomain
transitionsoccur.Rememberthatadomaintransitioniswhenyoutransitionfromone
contexttoanother.Inmostcases,thisoccurswhenaprogramperformsaforkandexec
function,butthiscouldhappenprogrammatically.Ineithercase,theprocesshasfile
referencesitcannolongeraccess,andtohelpkeepprocessesfromcrashing,theyjust
write/readfromtheSELinuxnulldevice.
www.it-ebooks.info
Themlsfile
Oneofthecapabilitiesoursystemhasisthatourcurrentpolicyisusingmultilevel
security(MLS)support.Thisiseither0or1,basedonwhethertheloadedpolicyfileis
usingit.Sincewehaveitenabled,wewouldexpecttosee1fromthisfile:
root@udoo:/sys/fs/selinux#echo'catmls'
1
ThemlsfileisreadablebyallandhasacorrespondingSELinuxAPI:
intis_selinux_mls_enabled(void)
www.it-ebooks.info
Thestatusfile
Theversionfileallowsamechanismbywhichyoucanbeinformedofupdatesthatoccur
withinSELinux.Onesuchexamplewouldbewhenapolicyreloadoccurs.Auserspace
objectmanagercouldcachedecisionresultsandusethereloadeventasatriggertoflush
theircache.ThestatusfileisreadonlybyeveryoneandhasnospecificMAC
permissions.ThelibselinuxAPIinterfaceis:
intselinux_status_open(intfallback);
voidselinux_status_close();
intselinux_status_updated(void);
intselinux_status_getenforce(void);
intselinux_status_policyload(void);
intselinux_status_deny_unknown(void);
Bycheckingthestatusstructure,youcandetectchangesandflushthecache.Currently,
however,youaremissingthisAPIinyourlibselinux,butwe’llcorrectthatinChapter7,
UtilizingAuditLogs.
TherearemanySELinuxFSfilesinthefiletree;ourintentherewasonlytocoverseveral
filesbecauseoftheirimportanceorpertinencetowhatwe’vedoneandwherewe’regoing.
Wedidnotcover:
access
checkreqprot
commit_pending_bools
context
create
deny_unknown
member
reject_unknown
relabel
Theuseofthesefilesisnotsimpleandistypicallydonebyuserspaceobjectmanagersthat
areusingthelibselinuxAPItoabstractthecomplexities.
www.it-ebooks.info
AccessVectorCache
SELinuxFSalsohassomedirectoriesyoucanexplore.Thefirstisavc.Thisstandsfor
“AccessVectorCache”andcanbeusedtogetstatisticsaboutthesecurityserverinthe
kernel:
root@udoo:/sys/fs/selinux#cdavc/
root@udoo:/sys/fs/selinux/avc#ls
cache_stats
cache_threshold
hash_stats
Allthesefilescanbereadwiththecatcommand:
root@udoo:/sys/fs/selinux/avc#catcache_stats
lookupshitsmissesallocationsreclaimsfrees
285710285438272272128128
245827245409418418288288
267511267227284284192193
214328213883445445288298
Thecache_statsfileisreadablebyallandrequiresnospecialMACpermissions.
Thenextfiletolookatishash_stats:
root@udoo:/sys/fs/selinux/avc#cathash_stats
entries:512
bucketsused:284/512
longestchain:7
TheunderlyingdatastructurefortheAccessVectorCacheisahashtable;hash_stats
liststhecurrentproperties.Aswecanseeintheoutputoftheprecedingcommand,we
have512slotsinthetable,with284oftheminuse.Forcollisions,wehavethelongest
chainat7entries.ThisfileisworldreadableandrequiresnospecialMACpermissions.
Youcanmodifythenumberofentriesinthistablethroughthecache_thresholdfile.
Thecache_thresholdfileisusedtotunethenumberofentriesintheavchashtable.Itis
worldreadableandownerwriteable.ItrequirestheSELinuxpermissionsetsecparam,and
canbewrittentoandreadfromwiththefollowingsimplecommands,respectively:
root@udoo:/sys/fs/selinux/avc#echo"1024">cache_threshold
root@udoo:/sys/fs/selinux/avc#echo'catcache_threshold'
1024
Youcandisablethecachebywriting0.However,outsidethebenchmarkingtests,thisis
notencouraged.
www.it-ebooks.info
Thebooleansdirectory
Theseconddirectorytolookintoisbooleans.AnSELinuxbooleanallowspolicy
statementstochangedynamicallyviabooleanconditions.Bychangingthebooleanstate,
youcanaffectthebehavioroftheloadedpolicy.Thecurrentpolicydoesnotdefineany
booleans;sothisdirectoryisempty.Inpoliciesthatdefinebooleans,thedirectorywould
bepopulatedwithfilesnamedaftereachboolean.Youcanthenreadandwritetothese
filestochangethebooleanstate.TheAndroidtoolboxhasbeenmodifiedtoincludethe
getseboolandsetseboolcommands.ThelibselinuxAPIalsoexposesthese
capabilities:
intsecurity_get_boolean_names(char***names,int*len);
intsecurity_get_boolean_pending(constchar*name);
intsecurity_get_boolean_active(constchar*name);
intsecurity_set_boolean(constchar*name,intvalue);
intsecurity_commit_booleans(void);
intsecurity_set_boolean_list(size_tboolcnt,SELboolean*boollist,int
permanent);
Booleansaretransactional.Thismeansitisanallornothingset.Whenyouuse
security_set_boolean*,youmustcallsecurity_commit_booleans()tomakeittake
effect.UnlikeLinuxdesktopsystems,permanentbooleansarenotsupported.Changing
theruntimevaluedoesnotpersistacrossreboots.Also,onAndroid,ifyouareattempting
AndroidCompatibilityTestSuite(CTS)compliance,booleanswillcausetheteststofail.
BooleanscanhavevaryingDACpermissionsbasedonthetarget,buttheyalwaysrequire
theSELinuxpermission,setbool.
Tip
YoumustpasstheAndroidCompatabilityTestSuiteforAndroidbranding.MoreonCTS
canbefoundathttps://source.android.com/compatibility/cts-intro.html.
www.it-ebooks.info
Theclassdirectory
Thenextdirectorytolookatisclass.Theclassdirectorycontainsalltheclassesdefined
intheaccess_vectorsSELinuxpolicyfileorviatheclasskeywordintheSELinux
policylanguage.Foreachclassdefinedinthepolicy,adirectoryexistswiththesame
name.Forinstance,runthefollowingontheserialterminal:
root@udoo:/sys/fs/selinux/class#ls-la
...
dr-xr-xr-xrootroot1970-01-0201:58peer
dr-xr-xr-xrootroot1970-01-0201:58process
dr-xr-xr-xrootroot1970-01-0201:58property_service
dr-xr-xr-xrootroot1970-01-0201:58rawip_socket
dr-xr-xr-xrootroot1970-01-0201:58security
...
Asyoucanseefromtheprecedingcommand,therearequiteafewdirectories.Let’s
examinetheproperty_servicedirectory.Thisdirectorywaschosenbecauseitisonly
onedefinedonAndroid.However,thefilespresentineachdirectoryarethesameand
includeindexandperms:
root@udoo:/sys/fs/selinux/class/property_service#ls
index
perms
ThemappingbetweenstringandsomearbitraryintegerthatisdefinedintheSELinux
kernelmoduleisindex.Adirectorythatcontainsallthepermissionspossibleforthatclass
isperms:
root@udoo:/sys/fs/selinux/class/property_service#cdperms/
root@udoo:/sys/fs/selinux/class/property_service/perms#ls
set
Asyoucansee,thesetaccessvectorisavailablefortheproperty_serviceclass.The
classdirectorycanbeverybeneficialtoobserveapolicyfilealreadyloadedinasystem.
www.it-ebooks.info
Theinitial_contextsdirectory
Thenextdirectoryentrytopeerintoisinitial_contexts.Thisisthestaticmappingof
theinitialsecuritycontexts,betterknownassecurityidentifier(sid).Thismaptellsthe
SELinuxsystemwhichcontextshouldbeusedtostarteachkernelobject:
root@udoo:/sys/fs/selinux/initial_contexts#ls
any_socket
devnull
file
...
Wecanseewhattheinitialsidforfileisbyperforming:
root@udoo:/sys/fs/selinux/initial_contexts#echo'catfile'
u:object_r:unlabeled:s0
Thiscorrespondstotheentryinexternal/sepolicy/initial_sid_contexts:
...
sidfileu:object_r:unlabeled:s0…
www.it-ebooks.info
Thepolicy_capabilitiesdirectory
Thelastdirectorytolookintoispolicy_capabilities.Thisdirectorydefinesany
additionalcapabilitiesthepolicymighthave.Forourcurrentsetup,weshouldhave:
root@udoo:/sys/fs/selinux/policy_capabilities#ls
network_peer_controls
open_perms
Eachfileentrycontainsabooleanindicatingwhetherthefeatureisenabled:
root@udoo:/sys/fs/selinux/policy_capabilities#echo'catopen_perms'
1
Theentriesarereadablebyallandwriteablebynone.
www.it-ebooks.info
ProcFS
Wealludedtosomeoftheprocfsinterfacesthatarebeingexported.Muchofwhatis
discussedisthesecuritycontexts,sothatmeanstheshellshouldhavesomesecurity
contextassociatedwithit…buthowdoweachievethis?Sincethisisageneral
mechanismthatallLSMsuse,thesecuritycontextsarebothreadandwrittenthrough
procfs:
root@udoo:/sys/fs/selinux/policy_capabilities#echo'cat
/proc/self/attr/current'
u:r:init_shell:s0
Youcanalsogetper-threadcontextsaswell:
root@udoo:/sys/fs/selinux/policy_capabilities#echo
'/proc/self/task/2278/attr/current'
u:r:init_shell:s0
Justreplace2278withthethreadIDyouwant.
TheDACpermissionsonthecurrentfilearereadandwriteforeveryone,butthosefiles
aretypicallyveryrestrictedbyMACpermissions.Typically,onlytheprocessthatowns
theprocfsentrycanreadthefiles,andyoumusthavebothstandardwritepermissionsand
acombinationofsetcurrent.Notethatthe“from”and“to”domainsmustbeallowed
usingadyntransition.Toread,youmusthavegetattr.Allofthesepermissionsare
attainedfromthesecurityclass,process.ThelibselinuxAPIfunctionsgetconand
setconallowyoutomanipulatecurrent.
Theprevfilecanbeusedtofindthepreviouscontextyouswitchedfrom.Thisfileisnot
writeable:
root@udoo:/proc/self/attr#echo'catprev'
u:r:init:s0
Ourserialterminal’sformerdomainorsecuritycontextwasu:r:init:s0.
Theexecfileisusedtosetthelabelforchildrenprocesses.Thisissetbeforerunningan
exec.AllthepermissionsonthesefilesarethesamewithrespecttotheMACpermissions
usedtoactuallysetthem.Thecallerattemptingtosetthismustalsoholdsetexecfrom
theprocessclass.ThelibselinuxAPIintsetexeccon(security_context_tcontext)
andintgetexeccon(security_context_t*context)canbeusedforsettingand
retrievingthelabel.
Thefscreate,keycreate,andsockcreatefilesdosimilarthings.Whenaprocesscreates
anyoneofthecorrespondingobjects,fsobjects(files,namedpipes,orotherobjects),
keys,orsockets,thevaluessethereareused.Thecallermustalsoholdsetfscreate,
setsockcreate,andsetkeycreatefromtheprocessclass.ThefollowingSELinuxAPI
isusedtoalterthese:
intset*createcon(security_context_tcontext);
intget*createcon(security_context_t*con);
www.it-ebooks.info
Where*canbefs,key,orsocket.
It’simportanttonotethatthesespecialprocessclasspermissionsgiveyoutheabilityto
changetheproc/attrfile.YoustillneedtogetthroughtheDACpermissionsandany
SELinuxpermissionssetonthefileobjectsthemselves.Thenandonlythendoyouneed
theadditionalpermission,suchassetfscreate.
www.it-ebooks.info
www.it-ebooks.info
JavaSELinuxAPI
SimilarAPIstotheCAPIsdiscussedpreviouslyexistforJavaaswell.Inthiscase,itis
assumedyouwillbuildthecodewiththeplatform,asthesearenotpublicAPIsshipped
withtheAndroidSDK.TheAPIislocatedat
frameworks/base/core/java/android/os/SELinux.java.However,thisisaverylimited
subsetoftheAPI.
www.it-ebooks.info
www.it-ebooks.info
Summary
Inthischapter,weexploredtheinterfacebetweenthekernelanduserspacewithrespectto
SELinux,andreinforcedtheconceptsofaccessvectorclassandsecuritycontext.Inthe
nextchapter,wewillperformsomeupgradestooursystemandlookattheauditlogs
gettingonestepclosertoourultimategoal—anoperabledeviceinSELinuxenforcing
mode.Wesayoperablebecausewecanputitinenforcingmodenow.However,ifyoudo
itnowviasetenforce1onaUDOO,yourdevicewillbecomeunstable.Onoursystem,
forexample,thebrowserfailstolaunchifwedothis.
www.it-ebooks.info
www.it-ebooks.info
Chapter7.UtilizingAuditLogs
Sofarwe’veseenAVCrecordsortheSELinuxdenialmessagesshowupindmesg,but
dmesgisacircularmemorybuffer,subjecttofrequentrolloverdependentonhowverbose
yourkernelis.Byusingtheauditkernelsubsystem,wecanroutethesemessagesintouser
spaceandlogthemtodisk.Onthedesktop,thedaemonthatdoesthisiscalledauditd.A
minimalportofauditdismaintainedintheNSAbrancheshowever,ithasnotofficially
beenmergedintoAOSP.WearegoingtousetheauditdversionfromtheNSAbranches
sinceweareworkingonAndroid4.3.TheofficiallymergedversionasofApril7,2014
canbefoundathttps://android-review.googlesource.com/#/c/89645/.It’simplemented
withinlogd,andmergedathttps://android-review.googlesource.com/#/c/83526/.
Inthischapter,wewill:
Updateoursystemwiththefast-pacedSEforAndroidOpenSourceCommunity
(AOSP)
Investigatehowtheauditsubsystemworks
LearntoreadSELinuxauditlogsandstartwritingpolicy
Lookatcontextsrelativetothelogs
AllLSMsshouldlogtheirmessagesintotheauditsubsystem.Theauditsubsystemcan
thenroutethemessagestothekernelcircularbufferusingprintk,ortotheauditing
daemoninuserspace,ifoneispresent.Thekernelanduserspaceloggingdaemon
communicateusingtheAUDIT_NETLINKsocket.Wewilldissectthisinterfacefurtherinthe
chapter.
Lastly,theauditsubsystemhasthecapabilitytoprintcomprehensiverecordswhenpolicy
violationsoccur.Althoughyoudon’tneedthisfeaturetoenableandworkwithSELinux,it
canmakeyourlifeeasier.Toenablethissystem,youmustuseauditd,becauselogd
currentlydoesn’thavethissupport.You’llneedtobuildyourkernelwith
CONFIG_AUDITSYSCALL=yandplaceanaudit.rulesfilein/data/misc/audit/.Afteryou
patchyourtreewiththefollowinginstructions,readsystem/core/auditd/README.
Unfortunately,theUDOOkernelversion3.0.35doesnotsupportCONFIG_AUDITSYSCALL.
Thepatchlocatedathttps://git.kernel.org/cgit/linux/kernel/git/stable/linuxstable.git/commit/?id=29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587bshouldenablethe
support.However,ontheUDOO,itcausesadeadlockwecouldnottracedown.
www.it-ebooks.info
Upgrades–patchesgalore
AlthoughAndroid4.3,releasedfromGoogle,hadSEforAndroidsupport,itisstill
limited,especiallyintheareasofauditing.Oneofthesimplestwaystobringthistoa
moreuseablestateistogetthepatchesforsomeoftheprojectsfromtheNSA’sSEfor
Android4.3branch.Here,thecommunityhasstagedanddeployedmanyofthemore
advancedfeatureswhichwerenotmergedinthe4.3timeframe.
TheNSAmaintainsrepositoriesathttps://bitbucket.org/seandroid/.Therearemany
projectssofiguringoutwhichtouseandwhatbranchcanbedaunting.Awaytofindthem
istogothrougheachprojectandfindtheprojectswithaSEAndroid-4.3branch.You
don’tneedtodescendintothedevicetreessincewe’renotbuildingAOSPdevices.The
listofsuchprojectis:
https://bitbucket.org/seandroid/system-core
https://bitbucket.org/seandroid/frameworks-base
https://bitbucket.org/seandroid/external-libselinux
https://bitbucket.org/seandroid/build
https://bitbucket.org/seandroid/frameworks-native
Wecanalsosafelyskipsepolicysincewe’vealreadyupdatedittothebleedingedge,but
thekernelsareabittrickier.Weneedthechangesfromkernel-common
(https://bitbucket.org/seandroid/kernel-common)andthebinderpatch(https://androidreview.googlesource.com/#/c/45984/),whichcanbeattainedasfollows:
$mkdir~/sepatches
$cd~/sepatches
$gitclonehttps://bitbucket.org/seandroid/system-core.git
$gitclonehttps://bitbucket.org/seandroid/frameworks-base.git
$gitclonehttps://bitbucket.org/seandroid/external-libselinux.git
$gitclonehttps://bitbucket.org/seandroid/build.git
$gitclonehttps://bitbucket.org/seandroid/frameworks-native.git
Wecanstartbyfiguringouttheexactversionweneedtopatchtobylookingatthe
build/core/build_id.mkfile,andbyusingthewebpage
https://source.android.com/source/build-numbers.htmltodoalookup.
ThefileshowsBUILD_IDisJSS15J,andthelookupshowsthatweareworkingwiththe
android-4.3_r2.1releasefortheUDOO.
Foreachdownloadedprojectsofar,generatethepatchesbyrunningthecommandgit
checkoutorigin/seandroid-4.3_r2.Finally,executegitformat-patchorigin/jbmr2.0-release.Sincethereisno4.3._r2.1branch,we’reusingr2.
Foreachofthesepatches,you’llneedtoapplytheminthetreefromtheircorresponding
udoo/<project>folder.Itisimportanttoapplythepatchesforeachprojectinnumeric
orderstartingwiththe0001*patch,movingonto0002*,andsoon.Asanexampleofhow
toapplyaspecificpatchforaproject,let’slookatthefirstpatchneededforsystem-core.
NotethattheseGitrepositoriesusehyphensinplaceoftheslashesinthesourcetree;so
frameworks-basecorrelatestoframeworks/base.
www.it-ebooks.info
First,generatethepatches:
$cdsepatches/system-core
$gitcheckoutorigin/seandroid-4.3_r2
$gitformat-patchorigin/jb-mr2.0-release
Applythefirstpatch,asfollows:
$cd<udoo_root>/system/core
$patch-p1<~/sepatches/system-core/0001-Add-writable-data-space-forradio.patch
patchingfilerootdir/init.rc
Reversed(orpreviouslyapplied)patchdetected!Assume-R?[n]
Note
NotethatforUDOO,itisimportantnottoapplyapatchnumberhigherthan0005in
frameworks/base.Forotherprojects,youshouldapplyallthepatches.
Notetheerror.JusthitCtrl+Ctoquitthepatchingprocesswheneveryouseethis.The
Gittreesarenotquiteperfect,andbecauseofthis,someofthepatchesarealreadyinthe
UDOOsource.Thepatchcommandwillletusknow,andwecanskipthesebycanceling
them,whenwarned,withCtrl+C.Keepgoingthroughthepatches,cancelingtheones
alreadyapplied,andfixingupanyfailures.Afterpatchinguserspace,it’shighly
recommendedthatyoubuildtoensurenothingisbroken.
Onceuserspaceiscompletelypatched,weneedtopatchthekernel.Startbycloningthe
kernel-commonprojectfromBitbucketwiththegitclone
https://bitbucket.org/seandroid/kernel-common.gitcommand.Wewillpatchthe
kernelwiththesamemethodastherestoftheprojectswiththeexceptionofthebinder
patch.Byviewingthelinkforthebinderpatchmentioned,https://androidreview.googlesource.com/#/c/45984/,wefoundthattheGitSHAhashis
a3c9991b560cf0a8dec1622fcc0edca5d0ced936,asgiveninthePatchset4reference
fieldinthefollowingscreenshot:
WecanthengeneratethepatchforthisSHAhash:
$gitformat-patch-1a3c9991b560cf0a8dec1622fcc0edca5d0ced936
www.it-ebooks.info
0001-Add-security-hooks-to-binder-and-implement-the-hooks.patch
Then,applythatpatchwiththepatchcommandaswedidbefore.Thepatchhasafailed
hunkforaheaderfileinclusion;justfixitupliketheothersbyusingtherejectfile.When
youbuild,you’llgetthiserrorinthekernel:
security/selinux/hooks.c:1846:9:error:variable'sad'hasinitializerbut
incompletetype
security/selinux/hooks.c:1846:28:error:storagesizeof'sad'isn'tknown
Goaheadandremovethislineandallreferences.Thiswasachangemadeinthe3.0
kernels:
structselinux_audit_datasad={0,};
ad.selinux_audit_data=&sad;
Note
Wefiguredthisoutbylookingthroughtheoriginal3.0patches,whichcanbefoundat
followinglink:
https://bitbucket.org/seandroid/kernelomap/commits/59bc19226c746f479edc2acca9a41f60669cbe82?at=seandroid-omap-tuna3.0
Asyourecall,theUDOOusesacustominit.rc.Weneedtoaddanychangestoinit.rc
totheoneUDOOactuallyuses.Allthepatchesthatcanmodifyinit.rcwillbeinthe
system-coreproject,specificallythese:
0003-Auditd-initial-commit.patch
0007-Handle-policy-reloads-within-ueventd-rather-than-res.patch
0009-Allow-system-UID-to-set-enforcing-and-booleans.patch
Goaheadandfindthechangestoinit.rcinthesepatchesandapplythemto
device/fsl/imx6/etc/init.rcusingthesamepatchtechnique.
www.it-ebooks.info
www.it-ebooks.info
Theauditsystem
Intheprevioussection,wedidalotofpatching;thepointofwhichwastoenabletheaudit
integrationworkdoneonAndroidanditsdependencies.Thesepatchesalsofixsomebugs
inthecodeand,veryimportantly,enabletheSELinux/LSMbinderhooksandpolicy
controls.
TheauditsysteminLinuxisusedbyLSMstoprintthedenialrecordsaswellastogather
verythoroughandcompleterecordsofevents.Nomatterwhat,whenanLSMprintsa
message,itgetspropagatedtotheauditsubsystemandprinted.However,iftheaudit
subsystemhasbeenenabled,thenyougetmorecontextassociatedwiththedenial.The
auditsubsystemevensupportsloadingrulesforwatchingthis.Forinstance,youcould
watchallwritesto/systemthatwerenotdonebythesystemUID.
www.it-ebooks.info
Theauditddaemon
Theauditddaemon,orservice,runsinuserspaceandlistensoveraNETLINKsocketto
theauditsubsystem.Thedaemonregistersitselftoreceivethekernelmessages,andcan
alsoloadtheauditrulesoverthissocket.Onceregistered,theauditddaemonreceivesall
theauditevents.Theauditddaemonwasminimallyported,andtherewasanattemptto
mainlineitintoAndroidthatwaslaterrejected.However,auditdhasbeenusedby
variousOEMs(suchasSamsung)andbytheNSA’s4.3branch.Analternativeapproach
thatputrecordsinlogcatwaslatermergedintoAndroid(formoreinformation,referto
https://android-review.googlesource.com/89645).
Earlier,wesawtheAVCdenialmessagesfromSELinuxindmesg.Theproblemwiththis
isthatthecircularmemorylogispronetorolloverwhenyouhavemanydenialsora
chattykernel.Withauditd,allthemessagescometothedaemonandarewrittentothe
/data/misc/audit/audit.logfile.Thislogfile,hereinreferredtoasaudit.log,may
existondevicebootandisrotatedintothe/data/misc/audit/audit.oldfile,knownas
audit.old.Thedaemonresumesloggingtoanewaudit.logfile.Thisrotateevent
occurswhenthesizethresholdAUDITD_MAX_LOG_FILE_SIZEKB(setduringcompiletimein
thesystem/core/auditd/Android.mkfile)isexceeded.Thisthresholdistypically1000
KBbutcanbechangedinthedevice’smakefile.Also,sendingSIGHUPwithkillwill
causearotateasinthefollowingexample.
VerifythedaemonisrunningandgetitsPID:
root@udoo:/#ps-Z|grepaudit
u:r:auditd:s0audit22811/system/bin/auditd
u:r:kernel:s0root22932kauditd
Verifyonlyonelogexists:
root@udoo:/#ls-la/data/misc/audit/
-rw-r-----auditsystem791731970-01-0200:19audit.log
Rotatethelogs:
root@udoo:/#kill-SIGHUP2281
Verifyaudit.old:
root@udoo:/#ls-la/data/misc/audit/
-rw-r-----auditsystem3191970-01-0200:20audit.log
-rw-r-----auditsystem791731970-01-0200:19audit.old
www.it-ebooks.info
Auditdinternals
SincetheauditdandlibauditcodefromtheLinuxdesktophaveaGPLlicense,a
rewritewasdoneforAndroid,releasedundertheApachelicense.Therewriteisminimal,
thusyouwillonlyfindthefunctionsimplementedthatwererequiredtosupportthe
daemon.Thefunctionalandheaderinterfacesshouldremainidenticalthough.
Theauditddaemonstartslifeatmain()insystem/core/auditd.c.Itquicklychangesits
permissionsfromUIDroottoaspecialauditdUID.Whenitdoesthis,itretains
CAPSYS_AUDIT,whichisarequiredDACcapabilitychecktousetheAUDITNETLINK
socket.Itdoesthisviaacalltodrop_privileges_or_die().Fromthere,itdoessome
optionparsingwithgetopt(),andwefinallygettotheaudit-specificcalls,thefirstof
whichopenstheNETLINKsocketusingaudit_open().Thisfunctionsimplycalls
socket(PF_NETLINK,SOCK_RAW,NETLINK_AUDIT),whichopensafiledescriptortothe
NETLINKsocket.Afteropeningthesocket,thedaemonopensahandletoaudit.log
withacalltoaudit_log_open(constchar*logfile,constchar*rotatefile,
size_tthreshold).Thisfunctioncheckswhethertheaudit.logfileexistsand,ifit
does,renamesittoaudit.old.Itthencreatesanewemptylogfileinwhichthedatais
recorded.
Thenextstepistoregisterthedaemonwiththeauditsubsystemsothatitknowstowhom
tosendmessages.BysettingthePIDofthedaemon,youensurethatonlythisdaemonwill
getthemessages.SinceNETLINKcansupportmanyreaders,youdon’twanta“rogue
auditd”toreadthemessages.Withthatstated,thedaemoncalls
audit_set_pid(audit_fd,getpid(),WAIT_YES),whereaudit_fdistheNETLINK
socketfromaudit_open(),getpid()returnsthedaemon’sPID,andWAIT_YEScausesthe
daemontoblockuntiltheoperationiscomplete.Next,thedaemonenablestheaudit
subsystem’sadvancedfeatureswithacalltoaudit_set_enabled(audit_fd,1)andadds
rulestotheauditsubsystemviaaudit_rules_read_and_add(audit_fd,
AUDITD_RULES_FILE).Thisfunctionreadstherulesfromthatfile,formatssomestructures,
andsendsthosestructurestothekernel.
Theaudit_set_enabled()andaudit_rules_read_and_add()onlyhaveaneffectifthe
kernelisbuiltwithCONFIG_AUDITSYSCALL.Afterthis,thedaemoncheckswhetherthe-k
optionwasspecified.The-koptiontellsauditdtolookindmesgforanymissedaudit
records.Itdoesthisbecausethereisaracebetweencapturingauditrecordsbeforethe
circularbufferoverflowsanduserspacestartingmanyservices,generatingauditevents
andpolicyviolations.Essentially,thishelpscoalescetheauditeventsfromearlybootinto
thesamelogfiles.
Afterthis,thedaemonentersalooptoreadfromtheNETLINKsocket,formattingthe
messages,andwritingthemtothelogfile.ItstartsthisloopbywaitingforIOonthe
NETLINKsocketusingpoll().Ifpoll()exitswithanerror,theloopcontinuestocheck
thequitvariable.IfEINTRisraised,theloopguard,quit,issettotrueinthesignal
handler,andthedaemonexits.Ifpoll()isdataontheNETLINK,thedaemoncalls
audit_get_reply(audit_fd,&rep,GET_REPLY_BLOCKING,0),gettinganaudit_reply
www.it-ebooks.info
structurebackwiththerepparameter.Itthenwritestheaudit_replystructure(with
formatting)totheaudit.logfilewithaudit_log_write(alog,"type=%dmsg=%.*s\n",
rep.type,rep.len,rep.msg.data).ItdoesthisuntilEINTRisraised,atwhichpoint,
thedaemonexits.
Whenthedaemonexits,itclearsthePIDregisteredwiththekernel
(audit_set_pid(audit_fd,0)),closestheauditsocketviaaudit_close()(whichis
reallyjustthesyscall,close(audit_fd)),andclosestheaudit.logwith
audit_log_close().Theaudit_log_*familyoffunctionsisnotpartoftheGPLed
interfacetoauditandisacustomwrite.
WhenGoogleportedauditdtothelogdinfrastructureinAndroid,itusedthesame
functionsandlibrarycodeusedbythedaemon’smain()andwrappeditintologd.
However,Googledidnottaketheaudit_set_enabled()and
audit_rules_read_and_add()functions.
www.it-ebooks.info
www.it-ebooks.info
InterpretingSELinuxdeniallogs
TheSELinuxdenialsgetroutedtothekernelauditsubsystem,toauditd,andfinally,to
audit.logandaudit.old.Withthelogsresidentinaudit.log,let’spullthisfileover
adbandhaveacloserlookatit.
Runthefollowingcommandfromthehost,withadbenabled:
$adbpull/data/misc/audit/audit.log
Now,let’stailthatfileandlookfortheselines:
$tailaudit.log
...
type=1400msg=audit(88526.980:312):avc:denied{getattr}forpid=3083
comm="adbd"path="/data/misc/audit/audit.log"dev=mmcblk0p4ino=42
scontext=u:r:adbd:s0tcontext=u:object_r:audit_log:s0tclass=file
type=1400msg=audit(88527.030:313):avc:denied{read}forpid=3083
comm="adbd"name="audit.log"dev=mmcblk0p4ino=42scontext=u:r:adbd:s0
tcontext=u:object_r:audit_log:s0tclass=file
type=1400msg=audit(88527.030:314):avc:denied{open}forpid=3083
comm="adbd"name="audit.log"dev=mmcblk0p4ino=42scontext=u:r:adbd:s0
tcontext=u:object_r:audit_log:s0tclass=file
Therecordshereconsistoftwomajorportions:typeandmsg.Thetypefieldindicates
whattypeofmessageitis.Messageswithtype1400areAVCmessages,whichare
SELinuxdenialmessages(thereareothertypes,aswell).Themsg(shortformessage)
portionoftheprecedingpolicycontainsthepartforustoanalyze.
Thelastcommandweexecutedwasadbpull/data/misc/audit/aduit.logand,asyou
cansee,wehaveafewadbpolicyviolationsatthetailoftheaudit.logfile.Let’sstartby
lookingatthisevent:
type=1400msg=audit(88526.980:312):avc:denied{getattr}forpid=3083
comm="adbd"path="/data/misc/audit/audit.log"dev=mmcblk0p4ino=42
scontext=u:r:adbd:s0tcontext=u:object_r:audit_log:s0tclass=file
Wecanseethatthecommfieldisadbd.However,it’snotwisetotrustthisvaluesinceit
canbecontrolledfromuserspaceusingtheprctl()interface.Itcanonlybeviewedasa
hint.ThebestwaytoverifythisistocheckthePIDusingps-Z:
#ps-Z|grepadbd
u:r:adbd:s0root30831/sbin/adbd
Withthedaemonverified,wecannowcheckthemessageinmoredetail.Themessage
consistsofthefollowingfields(optionalfieldsareidentifiedby*):
avc:denied:Thispartwillalwayshappenanddenotesitisadenialrecord.
{permission}:Thisisthepermissionthatwasdenied,inthiscase,getattr.
for:Thiswillalwaysbeprintedandmakestheoutputreadable.
Path*:Thisistheoptionalfieldthatcontainsthepathoftheobjectinquestion.It
onlymakessenseforfilesystemaccessdenials.
dev*:Thisistheoptionalfieldthatidentifiestheblockdeviceforthemounted
www.it-ebooks.info
filesystem.Itonlymakessenseforfilesystemaccessdenials.
ino*:Thisistheoptionalinodeofthefile.OnlytheanonymousfilesinLinuxprint
inode.Itonlymakessenseforfilesystemaccessdenials.
tclass:Thisisthetargetclassoftheobject,whichinourcasewasfile.
Atthispoint,weneedtounderstandwhatthemsgportionofthedenialrecordistellingus
ataverydistilledlevel.ItissayingthattheAndroiddebugbridgedaemonwantstobe
abletocallgetattronourpolicyfile.Afeweventsdown,wewillseeitalsowantsread
andopen.Thisisthesideeffectofrunningadbpull.Agetattrpermissiondenialoccurs
fromastat()syscall,andtheread/openarefromread()andopen()syscalls.Ifyou
wanttoallowthisinyourpolicy,whichwouldbeasecuritydecisionbasedonyourthreat
model,youshouldadd:
allowadbdaudit_log:file{getattrreadopen};
Alternatively,usethemacrosetsdefinedinglobal_macros:
allowadbdaudit_log:filer_file_perms;
Mostofthetime,youshouldusethemacrosdefinedinglobal_macrosforfilepermission
accesses.Typically,addingthemonebyoneisverytimeconsumingandtedious.The
macrosgroupthepermissionsinacontextanalogoustoread,write,andexecuteDAC
permissions.Forinstance,ifyougiveitopenandread,there’sagoodchanceatsome
pointthatthesourcedomainwillneedtostatthefile.So,ther_file_permsmacrohas
thosepermissionsinitalready.
Youshouldaddthisruletoexternal/sepolicy/adbd.te.The.tefiles(alsocalledtype
enforcementfiles)areorganizedbysourcecontext,somakesureyouaddittothecorrect
file.Wedonotrecommendaddingthisallowrule—there’snolegitimatereasonthatadbd
needsaccesstotheauditlogs—wecansafelyignorethesewithadontauditrule:
dontauditadbdaudit_log:filer_file_perms;
Thedontauditruleisapolicystatementthatsaysdon’taudit(print)denialsthatmatch
thisrule.
Ifyou’renotsurewhattodo,thebestadviceistoleveragethemailinglistsforSEfor
Android,SELinux,andaudit.Justkeepthemessagesappropriatetothespecificmailing
liststopic.
Atoolexistscalledaudit2allow,whichcanhelpyouwritepolicyallowrules.However,
it’sonlyatoolandcanbemisused.Ittranslatesthepolicyfiletotheallowrulesforthe
policy:
$cataudit.log|audit2allow
#=============adbd==============
allowadbdaudit_log:file{readgetattropen};
Theaudit2allowtoolisnotmacroawareorawareifyoureallywanttoaddthisallow
ruletothepolicyfile.Onlythepolicyauthorcanmakethisdecision.
Thereisalsoatooltoenablether_file_*macromappingcalledfixup.py.Youcanget
www.it-ebooks.info
thetoolathttps://bitbucket.org/billcroberts/fixup/overview.Afterdownloading,makeit
executable,andplaceitsomewhereinyourexecutablepath:
$chmoda+xfixup.py
$cataudit.log|audit2allow|fixup.py
#=============adbd==============
allowadbdaudit_log:filer_file_perms;
www.it-ebooks.info
www.it-ebooks.info
Contexts
Inthesimplestsense,writingpoliciesisjusttheactivityofidentifyingpolicyviolations
andaddingtheappropriateallowrulestothepolicyfile.However,inorderforSELinuxto
beeffective,thesourceandtargetcontextsmustbecorrect.Iftheyarenot,theallowrules
aremeaningless.
Thefirstthingsyoumightencounteraredenialswherethetargettypeisunlabeled.Inthis
case,thepropertargetlabelneedstobeset(refertoChapter11,LabelingProperties).
Also,processlabelscanbewrong.Multipleprocessescanbelongtoadomain,andunless
explicitlydoneviapolicy,thechildprocessofaparentinheritstheparent’sdomain.
However,inAndroid,domainsthathavemultipleprocessesarequitelimited.Youwill
neverseemultipleprocessesininit,system_server,adbd,auditd,debuggerd,dhcp,
servicemanager,vold,netd,surfaceflinger,drmserver,mediaserver,installd,
keystore,sdcardd,wpa,andzygotedomains.
It’sokaytoseemultipleprocessesinthefollowingdomains:
system_app
untrusted_app
platform_app
shared_app
media_app
release_app
isolated_app
shell
Onareleaseddevice,nothingshouldberuninthesu,recovery,andinit_shell
domains.Thefollowingtableprovidesacompletemappingofdomainstotheexpected
executablesandcardinality:
Domain
Executable(s)
Cardinality(N)
u:r:init:s0"
/init
N==1
u:r:ueventd:s0
/sbin/ueventd
N==1
u:r:healthd:s0
/sbin/healthd
N==1
u:r:servicemanager:s0 /system/bin/servicemanager
N==1
u:r:vold:s0
/system/bin/vold
N==1
u:r:netd:s0
/system/bin/netd
N==1
u:r:debuggerd:s0
/system/bin/debuggerd,/system/bin/debuggerd64 N==1
u:r:surfaceflinger:s0 /system/bin/surfaceflinger
N==1
u:r:zygote:s0
zygote,zygote64
N==1
u:r:drmserver:s0
/system/bin/drmserver
N==1
www.it-ebooks.info
u:r:mediaserver:s0
/system/bin/mediaserver
N>=1
u:r:installd:s0
/system/bin/installd
N==1
u:r:keystore:s0
/system/bin/keystore
N==1
u:r:system_server:s0
system_server
N==1
u:r:sdcardd:s0
/system/bin/sdcard
N>=1
u:r:watchdogd:s0
/sbin/watchdogd
N>=0&&N<2
u:r:wpa:s0
/system/bin/wpa_supplicant
N>=0&&N<2
u:r:init_shell:s0
null
N==0
u:r:recovery:s0
null
N==0
u:r:su:s0
null
N==0
SeveralCompatibilityTestSuite(CTS)testshavebeenwrittenaroundthisand
submittedtoAOSPathttps://android-review.googlesource.com/#/c/82861/.
Basedonthesegenericassertionsofwhatagoodpolicyshouldlooklike,let’sevaluate
ours.
First,wewillcheckforunlabeledobjects.Fromthehost,withtheaudit.logfileyou
obtainedwithadbpull:
$cataudit.log|grepunlabeled
...
type=1400msg=audit(86527.670:341):avc:denied{rename}forpid=3206
comm="pool-1-thread-1"name="com.android.settings_preferences.xml"
dev=mmcblk0p4ino=129664scontext=u:r:system_app:s0
tcontext=u:object_r:unlabeled:s0tclass=file
...
Itlookslikewehavesomefilesandotherthingsthatarenotlabeledproperly;wewill
addresstheseintheChapter11,LabelingProperties.Now,let’scheckfordomainsthat
havemultipleprocesseswhentheyshouldnot,andfindimproperbinariesinthose
domains(refertotheprevioustableforthecompletemapping.)
Init:
$adbshellps-Z|grepu:r:init:s0
u:r:init:s0root10/init
u:r:init:s0root22671/sbin/watchdogd
Zygote:
$adbshellps-Z|grepu:r:zygote:s0
u:r:zygote:s0root22851zygote
$adbshellps-Z|grepu:r:init_shell
u:r:init_shell:s0root22781/system/bin/sh
…throughalldomains
www.it-ebooks.info
Afterdoingthis,wefoundissuesbecausesomethingisrunningintheinit_shell
domain,andwatchdogdisintheinitdomain.Thesemustbecorrected.
www.it-ebooks.info
www.it-ebooks.info
Summary
Writingsepolicyisrelativelyeasy,writinggoodpolicyisanart.Itrequiresthepolicy
authortounderstandthesystemandtheimplicationsoftheallowrule.Policyitselfisa
meta-programminglanguagewherethelanguagecontrolshowuserspaceandthekernel
getalong,andmuchlikeanyprogram,thepolicycanbearchitectedforaspecificuse.
Policiescanbetooporous(essentiallyuseless)orverytightanddifficulttochange
withoutbreakingtheportionsthatalreadywork.
Agoodpolicyneedstopreservetheintendedproperfunctionofthesystem,sothorough
testingofallthesystemswithinAndroidisessential.CTSisagreathelpinexercising
Android,butitoftendoesnotcoverallthecases;usertestingisrecommended.Inthenext
chapter,wewillcoverhowfilesystemsandfilesystemobjectsgettheirsecuritylabelsand
howwecanchangethem.Later,wewillgooverhowtouseCTSasatooltotestthe
systemandgeneratepolicyviolationsforintendedbehaviors.
www.it-ebooks.info
www.it-ebooks.info
Chapter8.ApplyingContextstoFiles
Inthelastchapter,weupgradedoursystem,collectedtheauditlogs,andstartedtoanalyze
theauditrecords.Wediscoveredthatsomeobjectsonthefilesystemwereunlabeled.In
thischapter,wewill:
Learnhowfilesystemsandfilesystemobjectsgettheirlabels
Demonstratetechniquestochangelabels
Introduceextendedattributesforlabeling
Investigatefilecontextsanddynamictypetransitions
www.it-ebooks.info
Labelingfilesystems
FilesystemsonLinuxoriginatefrommount,withtheexceptionoframdiskrootfson
Android.FilesystemsonLinuxvarydrastically.Ingeneral,inordertosupportallthe
featuresofSELinux,youneedafilesystemwiththesupportforxattrandthesecurity
namespace.Wesawthisrequirementwhenweweresettingupthekernelconfiguration.
Filesystemobjects,astheyarecreated,allstartwithaninitialcontext,justlikeallother
kernelobjects.Contextsonfilessimplyinheritfromtheirparent,soiftheparentis
unlabeled,thenthechildisunlabeled,withtheexceptionofatypetransitionrule.
Typically,ifthecontextisunlabeled,itinfersthatthedatawascreatedonafilesystem
priortoenablingSELinuxsupport,orthetypelabelinthexattrdoesnotexistinthe
currentlyloadedpolicy.
Theinitiallabelorinitialsecurityid(sid),isinthesepolicyfileinitial_sid_contexts.
Eachobjectclasshasitsassociatedinitialsidpresent.Forexample,let’stakealookatthe
followingcodesnippet:
...
sidfsu:object_r:labeledfs:s0
sidfileu:object_r:unlabeled:s0…
www.it-ebooks.info
fs_use
Filesystemscanbelabeledinavarietyofways.Thebestcasescenarioiswhenthe
filesystemsupportsxattrs.Inthatcase,anfs_use_xattrstatementshouldappearinthe
policy.Thesestatementsappearinthefs_usefileinthesepolicydirectory.Thesyntax
forfs_use_xattris:
fs_use_xattr<fstype><context>
Tolookatfs_usefromsepolicy,wecanrefertoanexamplefortheext4filesystems:
...
fs_use_xattrext3u:object_r:labeledfs:s0;
fs_use_xattrext4u:object_r:labeledfs:s0;
fs_use_xattrxfsu:object_r:labeledfs:s0;
...
ThistellsSELinuxthatwhenitencountersanext4fsobject;lookintheextended
attributesforthelabelorfilecontext.
www.it-ebooks.info
fs_task_use
Theotherwayafilesystemcanbelabeledisbyusingtheprocess’contextwhilecreating
objects.Thismakessenseforpseudofilesystemswheretheobjectsarereallyprocess
contexts,suchaspipefsandsockfs.Thesepseudofilesystemsmanagethepipeand
socketsyscallsandarenotreallymountedtouserspace.Theyexistinternallytothekernel,
forthekernelsuse.However,theydohaveobjects,andlikeanyotherobject,theyneedto
belabeled.Thisisthecontextinwhichthefs_task_usepolicystatementmakessense.
Theseinternalfilesystemscanonlybeaccessedbyprocessesdirectly,andprovideservices
tothoseprocesses.Hence,labelingthemwiththecreatormakessense.Thesyntaxisas
follows:
fs_task_use<fstype><context>
Examplesfromthesepolicyfilefs_useareasfollows:
...
#Labelinodesfromtasklabel.
fs_use_taskpipefsu:object_r:pipefs:s0;
fs_use_tasksockfsu:object_r:sockfs:s0;
...
www.it-ebooks.info
fs_use_trans
Thenextwayyoumightwishtosetlabelsonpseudofilesystemsthatareactually
mounted,isbyusingfs_use_trans.Thissetsafilesystemwidelabelonthepseudo
filesystem.Thesyntaxforthisisasfollows:
fs_use_trans<fstype><context>
Examplefromthesepolicyfilefs_useisasfollows:
...
fs_use_transdevptsu:object_r:devpts:s0;
fs_use_transtmpfsu:object_r:tmpfs:s0;
...
www.it-ebooks.info
genfscon
Ifnoneofthefs_use_*statementsmeetyourusecases,whichwouldbethecaseforvfat
filesystemsandprocfs,thenyouwouldusethegenfsconstatement.Thelabelspecified
forgenfsconappliestoallinstancesofthatfilesystemmount.Forinstance,youmight
wishtousegenfsconwiththevfatfilesystems.Ifyouhavetwovfatmounts,theywill
usethesamegenfsconstatementforeachmount.However,genfsconbehavesdifferently
withprocfs,andletsyoulabeleachfileordirectorywithinthefilesystem.
Thesyntaxofgenfsconisasfollows:
genfscon<fstype><path><context>
Examplesfromsepolicygenfs_contextsareasfollows:
...
#Labelinodeswiththefslabel.
genfsconrootfs/u:object_r:rootfs:s0
#proclabelingcanbefurtherrefined(longestmatchingprefix).
genfsconproc/u:object_r:proc:s0
genfsconproc/net/xt_qtaguid/ctrlu:object_r:qtaguid_proc:s0…
Notethattherootfspartialpathis/.It’snotprocfs,soitdoesn’tsupportanyfine
granularitytoitslabeling;so/istheonlythingyoucanuse.However,youcangetwild
withprocfsandsettoanygranularityyoudesire.
www.it-ebooks.info
Mountoptions
Anotheroption,ifnoneofthosefityourneeds,istopassthecontextoptionviathemount
commandline.Thissetsafilesystemwidemountcontext,suchasgenfscon,butisuseful
inthecaseofmultiplefilesystemsthatneedtohaveseparatelabels.Forinstance,ifyou
havetwovfatfilesystemsmounted,youmightwishtoseparateaccessestothem.With
genfsconstatements,bothfilesystemswouldusethesamelabelprovidedbygenfscon.
Byspecifyingthelabelatmounttime,youcanhavetwovfatfilesystemsmountedwith
differentlabels.
Takethefollowingcommandasanexample:
mount-ocontext=u:object_r:vfat1:s0/dev/block1/mnt/vfat1
mount-ocontext=u:object_r:vfat2:s0/dev/block1/mnt/vfat2
Additionaltothecontextasamountoptionare:fscontextanddefcontext.These
optionsaremutuallyexclusivefromcontext.Thefscontextoptionsetsthemeta
filesystemtypethatisusedforcertainoperations,suchasmount,butdoesnotchangethe
perfilelabels.Thedefcontextsetsthedefaultcontextforunlabeledfilesoverridingthe
initial_sidstatements.Lastly,anotheroption,rootcontextallowsyoutosettheroot
inodecontextinthefilesystem,butonlyforthatobject.Accordingtothemanpagemount
(man8mount),itwasfoundusefulinstatelessLinux.
www.it-ebooks.info
Labelingwithextendedattributes
Lastly,andprobablythemostfrequentlyusedwayoflabeling,isbyusingtheextended
attributessupportalsoknownasxattrorEAsupport.Evenwithxattrsupport,new
objectsinheritthecontextoftheirparentdirectory;however,theselabelshavethe
granularityofbeingperfilesystemobject-basedorinode-based.Ifyouremember,wehad
toturnonorverifythatXATTR(CONFIG_EXT4_FS_XATTR)supportwasenabledforour
filesystemsonAndroidaswellasconfiguringSELinuxtouseitviatheconfigoption
CONFIG_EXT4_FS_SECURITY.
Extendedattributesareakey-valuemetadatastoresforfiles.SELinuxsecuritycontexts
usethesecurity.selinuxkey,andthevalueisastringthatisthesecuritycontextor
label.
www.it-ebooks.info
Thefile_contextsfile
Withinthesepolicydirectory,youwillfindthefile_contextsfile.Thisfileisconsulted
tosettheattributesonfilesystemsthatsupportperfilesecuritylabels.Notethatacouple
ofpseudofilesystemssupportthisaswell,suchastmpfs,sysfs,andrecentlyrootfs.The
file_contextfilehasaregularexpression-basedsyntaxasfollows,whereregexpisthe
regularexpressionforthepath:
regexp<type>(<filelabel>|<<none>>)
Ifmultipleregularexpressionsaredefinedforafile,thelastmatchisused,soorderis
important.
Thefollowinglistshowseachtypefieldvalueforthetypeoffilesystemobject,their
meanings,andsyscallinterface:
--:Thisdenotesaregularfile.
-d:Thisdenotesadirectory.
-b:Thisdenotesablockfile.
-s:Thisdenotesasocketfile.
-c:Thisdenotesacharacterfile.
-l:Thisdenotesalinkfile.
-p:Thisdenotesanamedpipefile.
Asyoucansee,thetypeisessentiallythemodeasoutputbyls-lacommand.Ifit’snot
specified,itmatcheseverything.
Thenextfieldisthefilelabelorthespecialidentifier<<none>>.Eitheronewouldsupplya
contextortheidentifier<<none>>.Ifyouspecifythecontext,theSELinuxtoolsthat
consultfile_contextsusethelastmatchtothespecifiedcontext.Ifthecontextspecified
is<<none>>,itmeansthatnocontextisassigned.So,leavetheonethatwehavefound.
Thekeyword<<none>>isnotusedintheAOSPreference,sepolicy.
It’simportanttonotethattheprecedingparagraphexplicitlystatesthatSELinuxtoolsuse
thefile_contextspolicy.Thekernelisnotawarethatthisfileexists.SELinuxlabelsall
itsobjectsbyexplicitlysettingthemfromuserspacewithtoolsthatlookupthecontextin
file_contextorviathefs_use_*andgenfspolicystatements.Inotherwords,
file_contextsisnotbuiltinthecorepolicyfile,anditisnotloadedoruseddirectlyby
thekernel.Atbuildtime,thefile_contextsfileisbuiltintheramdiskrootfsandcanbe
foundat/file_contexts.Also,duringbuildtime,thesystemimageislabeled,freeing
thedeviceitselffromthisburden.
InAndroid,init,ueventd,andinstalldhaveallbeenmodifiedtolookupthecontexts
ofobjectstheyarecreating;sothattheycanlabelthemproperly.Thus,alltheinitbuiltins
thatcreatefilesystemobjects,suchasmkdir,havebeenmodifiedtomakeuseofthe
file_contextsfileifitexists,andthesamegoesforinstalldandueventd.
Let’stakealookatsomesnippetsfromthefile_contextfilelocatedinsepolicy:
...
www.it-ebooks.info
/dev(/.*)?u:object_r:device:s0
/dev/accelerometeru:object_r:sensors_device:s0
/dev/alarmu:object_r:alarm_device:s0…
Here,wearesettingupthecontextsforfilesin/dev.Notehowtheentriesareinorder
frommostgenerictomorespecificdevfiles.Thus,anyfilesnotcoveredbythemore
specificentrieswillendupwiththecontextu:object_r:device:s0,andthefilesthat
matchfurtherdown,endupwithamorespecificlabel.Forinstance,theaccelerometerat
/dev/accelerometerwillgetthecontextu:object_r:sensors_device:s0.Notethatthe
typefieldwasomitted,whichmeansthatitmatchesonallfilesystemobjects,suchas
directories(type-d).
Youmightbewonderinghow/dev,thedirectoryitself,getsafilecontext.Lookingat
someofthesnippets,wesaythe/orroot,gotlabeledviathestatementgenfsconrootfs
/u:object_r:rootfs:s0inthegenfs_contextfile.Thischapterstatedearlierthat,“new
objectsinheritthecontextoftheirparentdirectory.”Hence,wecanreasonthat/devisof
contextu:object_r:rootfs:s0sincethatisthelabel/has.Wecantestthisbypassing
the-Zflagtolstoshowusthelabelof/dev.OntheUDOOserialconnection,executethe
followingcommand:
130|root@udoo:/#ls-laZ/
...
drwxr-xr-xrootrootu:object_r:device:s0dev
...
Itseemsthatthehypothesisisincorrect,butnotethatitistruethateverythinghasalabel,
andifit’snotspecified,thenitinheritsfromtheparent.Lookingbackatsepolicy,wecan
seethatthedevfilesystemwasinitiallysetwithafs_use_transdevtmpfs
u:object_r:device:s0;policystatement.Sowhenthefilesystemismounted,itisset
filesystemwide.Later,whenentriesareaddedbyinitorueventd,theyuse
file_contextsentriestosetthecontextofthenewlycreatedfilesystemobjecttowhatis
specifiedinthefile_contextsfile.Thefilesystemat/dev,whichisadevtmpspseudo
filesystem,isanexampleofafilesystemthathasbothafilesystem-widelabelviathe
fs_use_transstatement,butcanalsosupportfinegrainedlabelingviafile_contexts;.
FilesystemsarenotveryconsistentincapabilitiesonLinux.
www.it-ebooks.info
Dynamictypetransitions
DynamictypetransitionsindicatedbytheSELinuxpolicystatementtype_transitionare
awaytoallowfilestodynamicallydeterminetheirtypes.Becausethesearecompiledinto
thepolicy,thesedonothaveanyrelationtothefile_contextsfile.Thesepolicy
statementsallowthepolicyauthortodynamicallydictatethecontextofafilebasedonthe
contextinwhichthefileiscreated.Theseareusefulinsituationswhereyoudon’tcontrol
sourcecode,ordonotwishtocoupleSELinuxinanyway.Forinstance,thewpa
supplicant,whichisaservicethatrunsforWi-Fisupportandcreatesasocketfileinits
datadirectory.Itsdatadirectoryislabeledwiththetypewifi_data_fileandasexpected,
thesocketendsupwiththatlabel.However,thissocketissharedbythesystemserver.
Now,wecanallowjustthesystemservertoaccessthetypeandobjectclass,however,
hostapdandotherthingsarecreatingsocketsandotherobjectsinthatdirectoryandthus
theobjectsalsohavethistype.Wereallywanttoensurethatthetwosocketsinquestion,
theoneusedbyhostapdandtheotherbysystemserver,arekeptexclusivefromeach
other.Todothis,weneedtobeabletolabeloneofthesocketsatafinergranularity,and
todoso,wecaneithermodifythecodeoruseadynamictypetransition.Ratherthan
muckingwiththecode,let’suseatypetransition,asfollows:
type_transitionwpawifi_data_file:sock_filewpa_socket;
Thisisanactualstatementfromthesepolicyfile,wpa_supplicant.te.Itsaysthat,when
aprocessofthetypewpacreatesafileofthetypewifi_data_fileandtheobjectclassis
sock_filetolabelitaswpa_socketoncreation.Thestatementsyntaxisasfollows:
type_transition<creatingtype><createdtype>:<class><newtype>;
AsofSELinuxpolicyversion25,thetype_transitionstatementcansupportnamedtype
transitionswhereafourthargumentexistsandisthenameofthefile:
type_transition<creatingtype><createdtype>:<class><newtype><file
name>;
Wewillseeanexampleuseofthisfilenameinthesepolicyfile,system_server.te:
type_transitionsystem_serversystem_data_file:sock_file
system_ndebug_socket"ndebugsocket";
Notethefilenameorbasenameandnotthepath,anditmustmatchexactly.Regexisnot
supported.It’salsointerestingtonotethatthedynamictransitionsarenotlimitedtofile
objects,butanyobjectclasseventprocesses.Wewillseehowdynamicprocesstransitions
areusedinChapter9,AddingServicestoDomains.
www.it-ebooks.info
www.it-ebooks.info
Examplesandtools
Withthetheorybehindus,let’slookatthetoolsandtechniquestolabelfilesinthe
system.Let’sstartbymountingaramfsfilesystem.Wewillstartbyremounting/sinceit
isreadonlyandcreateamountpointforthefilesystem.ViatheUDOOserialconsole,
execute:
root@udoo:/#mount-oremount,rw/
root@udoo:/#mkdir/ramdisk
root@udoo:/#mount-tramfs-osize=20mramfs/ramdisk
Now,wewanttoseewhichlabelthefilesystemhas:
#ls-laZ/|grepramdisk
drwxr-xr-xrootrootu:object_r:unlabeled:s0ramdisk
Asyoucanrecall,theinitial_sid_contextfilehadthisinitialsidsetforthefilesystem:
sidfileu:object_r:unlabeled:s0
Ifwewanttogetthisramdiskinanewlabel,weneedtocreatethetypeinthepolicy,and
setanewgenfsconstatementtouseit.Wewilldeclarethenewtypeinthesepolicyfile
file.te:
typeramdisk,file_type,fs_type;
Thetypepolicystatementsyntaxisasfollows:
type<newtype>,<attribute0,attribute1…attributeN>;
AttributesinSELinuxarestatementsthatletyoudefinecommongroups.Theyaredefined
viatheattributestatement.InAndroidSELinuxpolicy,wehavefile_typeand
fs_typedefinedforusalready.Wewillusethemherebecausethisnewtype,whichwe’re
creating,hastheattributesfile_typeandfs_type.Thefile_typeattributeisassociated
withatypeforafile,andthefs_typeattributemeansthatthistypeisalsoassociatedwith
filesystems.Attributes,rightnow,arenotofgreatimportance;sodon’tgetcaughtupin
thedetail.
Thenextthingtomodifyisthesepolicyfile,genfs_contextbyaddingthefollowing:
genfsconramfs/u:object_r:ramdisk:s0
Now,wewillcompilethebootimageandflashittothedevice,orbetteryet,let’susethe
dynamicpolicyreloadsupportlikethefollowing.
FromtherootoftheUDOOprojecttreebuildjustthesepolicyproject:
$mmmexternal/sepolicy/
Pushthenewpolicyoveradb,asfollows:
$adbpush$OUT/root/sepolicy/data/security/current/sepolicy
544KB/s(86409bytesin0.154s)
Triggerareloadbyusingthesetpropcommand:
www.it-ebooks.info
$adbshellsetpropselinux.reload_policy1
Ifyouhavetheserialconsoleconnected,youshouldsee:
SELinux:Loadedpolicyfrom/data/security/current/sepolicy
Ifyoudon’t,andjusthaveadb,checkdmesg:
$adbshelldmesg|grep"SELinux:Loaded"
<4>SELinux:Loadedpolicyfrom/sepolicy
<6>init:SELinux:Loadedpropertycontextsfrom/property_contexts
<4>SELinux:Loadedpolicyfrom/data/security/current/sepolicy
Asuccessfulloadshoulduseourpolicyatthepath,/data/security/current/sepolicy.
Let’sunmounttheramdiskandremountittocheckoutitstype:
root@udoo:/#umount/ramdisk
root@udoo:/#mount-tramfs-osize=20mramfs/ramdisk
root@udoo:/#ls-laZ/|grepramdisk
drwxr-xr-xrootrootu:object_r:ramdisk:s0ramdisk
Wewereabletomodifythepolicyandusegenfscontochangethefilesystemtype,and
nowtoshowinheritance,let’sgoaheadandcreateafileonthefilesystemwithtouch:
root@udoo:/#cd/ramdisk
root@udoo:/ramdisk#touchhello
root@udoo:/ramdisk#ls-Z
-rw-------rootrootu:object_r:ramdisk:s0hello
Asweexpected,thenewfileislabeledwiththetyperamdisk.Now,supposewhenwedo
touchfromtheshell,wewantthefiletobeofadifferenttype,suchasramdisk_newfile;
howcanwedothis?Wecandothisbymodifyingtouchitselftoconsultfile_contexts,
orwecandefineadynamictypetransition;letustrythedynamictypetransition
approach.Thefirstargumenttothetype_transitionstatementisthecreatingtype;so
whattypeisourshellin?Youcangetthisbyperforming:
root@udoo:/ramdisk#echo`cat/proc/self/attr/current`
u:r:init_shell:s0
Asimplerwayistoruntheid-Zcommand,whichusestheaforementionedprocfile.For
aserialconsole,execute:
root@udoo:/ramdisk#id-Z
uid=0(root)gid=0(root)context=u:r:init_shell:s0
Andtorunthesamecommandfortheadbshell:
$adbshellid-Z
uid=0(root)gid=0(root)context=u:r:shell:s0
Notethediscrepancybetweenourserialconsoleshellandtheadbshell,inChapter9,
AddingServicestoDomains;wewillfixthis.Becauseofthis,thepolicyweauthornow
willaddressbothcases.
Startbyopeningthesepolicyfile,init_shell.teandappendthefollowingtotheendof
thefile:
www.it-ebooks.info
type_transitioninit_shellramdisk:fileramdisk_newfile;
Dothisforthesepolicyfile,shell.te:
type_transitionshellramdisk:fileramdisk_newfile;
Now,weneedtodeclarethenewtype;soopenupthesepolicyfile,file.teandappend
thefollowing:
typeramdisk_newfile,file_type;
Notethatwehaveonlyusedthefile_typeattribute.Thisisbecauseafilesystemshould
neverhavethetyperamdisk_newfile,onlyafileresidingwithinthatfilesystemshould.
Now,buildtheadbpolicy,pushittothedevice,andtriggerareload.Withthatdone,
createthefileandchecktheresults:
$adbshell'touch/ramdisk/shell_newfile'
$adbshell'ls-laZ/ramdisk'
-rw-rw-rw-rootrootu:object_r:ramdisk:s0shell_newfile
Soitdidn’twork.Let’sinvestigatethereasonbytryingonanexampleofanext4
filesystem.Let’susethefollowingcommands:
root@udoo:/#cd/data/
root@udoo:/data#mkdirramdisk
Now,checkitscontext:
root@udoo:/data#ls-laZ|grepramdisk
drwx------rootrootu:object_r:system_data_file:s0ramdisk
Thelabelissystem_data_file.Thisisnothelpful,asitdoesn’tapplytoourtype
transitionrule;tofixthis,wecanusethechconcommandtoexplicitlychangethefiles
context:
root@udoo:/data#chconu:object_r:ramdisk:s0ramdisk
root@udoo:/data#ls-laZ|grepramdisk
drwx------rootrootu:object_r:ramdisk:s0ramdisk
Nowwiththecontextchangedtomatchwhatweweretryingearlierwiththeramdisk,let’s
trytocreateafilewithinthisdirectory:
root@udoo:/data/ramdisk#touchnewfile
root@udoo:/data/ramdisk#ls-laZ
-rw-------rootrootu:object_r:ramdisk_newfile:s0newfile
Asyoucansee,thetypetransitionhasoccurred.Thiswasmeanttoillustratetheissues
youmayfindwhileworkingwithSELinuxandAndroid.Nowthatwehaveshownthat
ourtype_transitionstatementisvalid,thereareonlytwopossibilitieswhythisis
failing:thefilesystemdoesn’tsupportitorwe’remissingsomethingsomewhereto“turnit
on”.Itturnsoutthatthelatteristhecase;weweremissingourfs_use_transstatements.
Sogoaheadandopenupthesepolicyfile,fs_useandaddthefollowingline:
fs_use_transramfsu:object_r:ramdisk:s0;
www.it-ebooks.info
ThisstatementenablesSELinuxdynamictransitionsonthisfilesystem.Now,rebuildthe
sepolicyproject,adbpushthepolicyfile,andenableadynamicreloadviasetprop:
$mmmexternal/sepolicy
$adbpush$OUT/root/sepolicy/data/security/current/sepolicy546KB/s
(86748bytesin0.154s)
$adbshellsetpropselinux.reload_policy1
root@udoo:/#cdramdisk
root@udoo:/ramdisk#touchfoo
root@udoo:/ramdisk#ls-Z
-rw-------rootrootu:object_r:ramdisk_newfile:s0foo
Thereyouhaveit,theobjecthastherightvaluedeterminedbyadynamictypetransition.
Weweremissingfs_use_trans,whichenabledtypetransitionsonfilesystemsthatdon’t
supportxattrs.
Now,supposewewanttomountanotherramdisk,whatwouldhappen?Wellsinceitwas
labeledwiththegenfsconstatement,allfilesystemsmountedwiththattypeshouldgetthe
context,u:object_r:ramdisk:s0.Wewillmountthisfilesystemat/ramdisk2,andverify
thisbehavior:
root@udoo:/#mkdirramdisk2
root@udoo:/#mount-tramfs-osize=20mramfs/ramdisk2
Also,checkthecontexts:
root@udoo:/#ls-laZ|grepramdisk
drwxr-xr-xrootrootu:object_r:ramdisk:s0ramdisk
drwxr-xr-xrootrootu:object_r:ramdisk:s0ramdisk2
Ifwewanttowriteallowrulestoseparateaccessestothesefilesystems,wewillneedto
havetheirtargetfilesinseparatetypes.Todothis,wecanmountthenewramdiskwiththe
contextoption.Butfirst,weneedtocreatethenewtype;letsgotothesepolicyfile,
file.teandaddanewtypecalledramdisk2:
typeramdisk2,file_type,fs_type;
Now,buildthesepolicywiththecommandmmm,followedbeusingthecommandabd
pushtopushthepolicy,andtriggerareloadwiththesetpropcommand:
$mmmexternal/sepolicy/
$adbpushout/target/product/udoo/root/sepolicy
/data/security/current/sepolicy542KB/s(86703bytesin0.155s)
$adbshellsetpropselinux.reload_policy1
Atthispoint,let’sumount/ramdisk2andremountitwiththecontext=option:
root@udoo:/#umount/ramdisk2/
root@udoo:/#mount-tramfs-osize=20m,context=u:object_r:ramdisk2:s0
ramfs/ramdisk2
Now,verifythecontexts:
root@udoo:/#ls-laZ|grepramdisk
drwxr-xr-xrootrootu:object_r:ramdisk:s0ramdisk
drwxr-xr-xrootrootu:object_r:ramdisk2:s0ramdisk2
www.it-ebooks.info
Wecanoverridethegenfsconcontextwiththemountoption,context=<context>.Infact,
ifwelookatdmesg,wecanseesomegreatmessages.Whenwemountedramfswithout
thecontextoption,wegot:
<7>SELinux:initialized(devramfs,typeramfs),usesgenfs_contexts
Whenwemounteditwiththecontext=<context>option,wegot:
<7>SELinux:initialized(devramfs,typeramfs),usesmountpointlabeling
WecanseethatSELinuxgivesussomehelpfulmessageswhiletryingtofigureoutfrom
whereitsourcesitslabels.
Now,let’sgoontolabelingfilesystemswiththexattrsupport,suchasext4.Wewillstart
withthetoolboxcommand,chcon.Thechconcommandallowsyoutosetthecontextofa
filesystemobjectexplicitly,itdoesnotconsultfile_contexts.
Let’stakealookat/system/binandinit,atthefirst10files:
$adbshellls-laZ/system/bin|head-n10
-rwxr-xr-xrootshellu:object_r:system_file:s0InputDispatcher_test
-rwxr-xr-xrootshellu:object_r:system_file:s0InputReader_test
-rwxr-xr-xrootshellu:object_r:system_file:s0abcc
-rwxr-xr-xrootshellu:object_r:system_file:s0adb
-rwxr-xr-xrootshellu:object_r:system_file:s0am
-rwxr-xr-xrootshellu:object_r:zygote_exec:s0app_process
-rwxr-xr-xrootshellu:object_r:system_file:s0applypatch
-rwxr-xr-xrootshellu:object_r:system_file:s0applypatch_static
drwxr-xr-xrootshellu:object_r:system_file:s0asan
-rwxr-xr-xrootshellu:object_r:system_file:s0asanwrappe
Wecanseethatmanyofthemhavethesystem_filelabel,whichisthedefaultlabelfor
thatfilesystem;let’schangetheamtypetoam_exec.Again,weneedtocreateanewtype
byaddingthefollowingtosepolicyfile,file.te:
typeam_exec,file_type;
Now,rebuildthepolicyfile,pushittotheUDOO,andtriggerareload.Afterthat,let’s
startremountingthesystem,sinceitisreadonly:
root@udoo:/#mount-orw,remount/system
Nowperformchcon:
root@udoo:/#chconu:object_r:am_exec:s0/system/bin/am
Verifytheresult:
root@udoo:/#la-laZ/system/bin/am
-rwxr-xr-xrootshellu:object_r:am_exec:s0am
Additionally,therestoreconcommandwillusefile_contexts,andrestorethatfileto
whatissetinthefile_contextsfile,whichshouldbesystem_file:
root@udoo:/#restorecon/system/bin/am
root@udoo:/#la-laZ/system/bin/am
www.it-ebooks.info
-rwxr-xr-xrootshellu:object_r:system_file:s0am
Asyoucansee,restoreconwasabletoconsultfile_contextsandrestorethespecified
contextonthatobject.
TheAndroidsystem’sfilesystemgetsconstructedduringthebuildtime,andconsequently,
allitsfileobjectsarelabeledduringthatprocess.Wecanalsochangethisatbuildtimeby
changingfile_contexts.Withthischanged,thesystempartitionrebuilt,andafter
reflashingthesystem,weshouldseetheamfilewiththeam_exectype.Wecantestthisby
amendingthesepolicyfile,file_contextsbyaddingthislineattheendofthe
system/binsection:
/system/bin/amu:object_r:am_exec:s0
Rebuildthewholesystemwith:
$make-j82>&1|teelogz
Nowflashandreboot,andlet’stakealookatthe/system/bin/amcontextasfollows:
root@udoo:/#ls-laZ/system/bin/am
-rwxr-xr-xrootshellu:object_r:am_exec:s0am
Thisshowsthatthesystempartitionrespectsthefilecontextsforbuild-timelabeling,and
howwecancontroltheselabels.
www.it-ebooks.info
Fixingup/data
Additionallyintheauditlogs,wehaveseenabunchofunlabeledfiles,forinstance,the
followingdenial:
type=1400msg=audit(86559.780:344):avc:denied{append}forpid=2668
comm="UsbDebuggingHan"name="adb_keys"dev=mmcblk0p4ino=42
scontext=u:r:system_server:s0tcontext=u:object_r:unlabeled:s0tclass=file
Wecanseethatthedeviceismmcblk0p4,whichmountcommandsandwilltelluswhat
filesystemthisismountedto,initsoutput:
root@udoo:/#mount|grepmmcblk0p4
/dev/block/mmcblk0p4/dataext4
rw,seclabel,nosuid,nodev,noatime,nodiratime,errors=panic,user_x0
Sowhydoesthe/datafilesystemhavesomanyunlabeledfiles?Thereasonisthat
SELinuxismeanttobeturnedonfromanemptydevice,thatis,fromfirstboot.Android
buildsthedatadirectorystructuresondemand.Thus,allthelabelsforthe/dataare
handledbythefile_contextsfilesinceitisext4.Also,itishandledbythesystemsthat
createthe/datafilesanddirectories.Thesesystemshavebeenmodifiedtolabelthedata
partitionbasedonthefile_contextsspecifications.Sothispresentstwooptions:wipe
/dataandreboot,orrestorecon-R/data.
Optiononeisabitharsh,butifyouejecttheSDcardandremoveallthefilesonthedata
partition,partition4,Androidwillrebuildandyouwon’tseeanymoreunlabeled
issues.However,thisisnotrecommendedfordeployeddeviceswhenyouupgrade;you
willdestroyalloftheusers’data.
Optiontwoismorepalatableindeployedscenarios,buthasitslimitations.Notably,
executingrestorecon-R/datawilltakealongtimeandmustbedoneearlyinboot,
rightafterthemount.However,thisisreallytheonlyoptionatthispoint.Google,
however,hasdonealotofworkinthisarea,andcreatedasystemthatintelligently
relabels/dataonpolicyupdates.Forouruse,wewillchooseavariantofoptiontwo,
especiallyafterconsideringhowsparselypopulatedthe/datafilesystemis;wereally
haven’tinstalledorgeneratedalotofuserdatayet.Withthatstated,execute:
root@udoo:/#restorecon-R/data
root@udoo:/#reboot
Wedon’thavetoexecuterestoreconearlyinbootsinceoursystemisinpermissive
mode,andwe’renotinadeployedscenario.Now,let’spulltheaudit.logfileand
compareittothealreadypulledaudit.log:
$adbpull/data/misc/audit/audit.logaudit_data_relabel.log
170KB/s(14645bytesin0.084s)
Let’susegreptocountthenumberofoccurrencesineachfile:
$grep-cunlabeledaudit.log
185
$grep-cunlabeledaudit_data_relabel.log
www.it-ebooks.info
0
Great,wefixedupallofourunlabeledissueson/data!
www.it-ebooks.info
www.it-ebooks.info
Asidenoteonsecurity
Notethateventhoughwearerunningallthesecommandsandchangingallthesethings,
thisisnotasecurityvulnerabilitywithinSELinux.Beingabletochangetypelabels,
mountingfilesystems,andassociatingfilesystemswithatype,allrequireallowrules.If
youlookthroughtheauditlogs,you’llseeaslewofdenials;asampleisprovided:
type=1400msg=audit(90074.080:192):avc:denied{associate}forpid=3211
comm="touch"name="foo"scontext=u:object_r:ramdisk_newfile:s0
tcontext=u:object_r:ramdisk:s0tclass=filesystem
type=1400msg=audit(90069.120:187):avc:denied{mount}forpid=3205
comm="mount"name="/"dev=ramfsino=1992scontext=u:r:init_shell:s0
tcontext=u:object_r:ramdisk:s0tclass=filesystem
Ifwewereinanenforcingmode,wewouldn’thavebeenabletoperformanyofthe
experimentsshownhere.
www.it-ebooks.info
www.it-ebooks.info
Summary
Inthischapter,wesawhowtogetfilesintocontextsbyrelabelingthem.Weusedavariety
oftechniquestoaccomplishthistask,fromtoolboxcommandssuchaschconand
restorecon,tomountoptionsanddynamictransitions.Withthesetools,wecanensure
thatallfilesystemobjectsarelabeledcorrectly.Thisway,weendupwiththerighttarget
contextssothatthepoliciesweauthorareeffective.Inthenextchapter,wewillfocuson
theprocesses,makingsurethattheyareintherightdomainorcontext.
www.it-ebooks.info
www.it-ebooks.info
Chapter9.AddingServicestoDomains
Inthepreviouschapter,wecoveredtheprocessofgettingfileobjectsintheproper
domain.Inmostcases,thefileobjectisthetarget.However,inthischapter,wewill:
Emphasizelabelingprocesses—notablyAndroidservicesrunandmanagedbyinit
Managetheancillaryassociatedobjectscreatedbyinit
www.it-ebooks.info
Init–thekingofdaemons
TheinitprocessisvitalinaLinuxsystem,andAndroidisnotspecialinthiscase.
However,Androidhasitsownimplementationofinit.Initisthefirstprocessonthe
system,andthushasaProcessID(PID)of1.Allotherprocessesaretheresultofadirect
fork()frominit,thusallprocesseseventuallyareparentedunderinit,eitherdirectlyor
indirectly.Initisresponsibleforcleaningupandmaintainingtheseprocesses.For
instance,anychildprocesswhoseparentdiesisreparentedunderinitbythekernel.Inthis
way,initcancallwait()(man2waitformoredetails)tocleanupaftertheprocesswhen
itexits.
Note
Aprocesswhichhasterminatedbuthasnothadwait()calledisazombieprocess.The
kernelmustkeeptheprocessdatastructuresarounduntilthiscall.Failingtodosowill
consumememoryindefinitely.
Sinceinitistherootofallprocesses,italsoprovidesamechanismtodeclareandexecute
commandsthroughitsownscriptinglanguage.Filesusingthislanguagetocontrolinitare
referredtoasinitscripts,andwehavealreadymodifiedsomeofthem.Inthesourcetree,
weusedtheinit.rcfile,whichyoucanreachbynavigatingto
device/fsl/imx6/etc/init.rc,butonthedevice,itispackagedwiththeramdiskat
/init.rc,andismadeavailabletoinit,whichisalsopackagedintheramdiskat/init.
Toaddaservicetotheinitscript,youcanmodiheinit.reandaddadeclaration,as
follows:
service<name><path>[<argument>...]
Here,nameistheservicename,pathisthepathtotheexecutable,andargumentarespace
delimitedargumentstringstobedeliveredtotheexecutableinitsargvarray.
Forexample,hereistheservicedeclarationforrild,theRadioInterfaceLayerDaemon
(RILD):
Serviceril-daemon/system/bin/rild
Itisoftenthecasethatadditionalserviceoptionscanandneedtobeadded.Theinitscript
servicestatementsupportsarichassortmentofoptions.Forthecompletelist,refertothe
informationalfilelocatedatsystem/core/init/readme.txt.Additionally,wecovered
theSEforAndroid-specificchangesinChapter3,AndroidIsWeird.
Continuingtodissectrild,weseethattherestofthedeclarationintheUDOOinit.rcis
asfollows:
Serviceril-daemon/system/bin/rild
classmain
socketrildstream660rootradio
socketrild-debugstream660radiosystem
socketrild-pppstream660radiosystem
userroot
www.it-ebooks.info
groupradiocacheinetmiscaudiosdcard_rwlog
Theinterestingthingtonotehereisthatitcreatesquiteafewsockets.Thesocket
keywordininit.rcisdescribedbythereadme.txtfile:
Note
Fromthesourcetreefilesystem/core/init/readme.txt:
socket<name><type><perm>[<user>[<group>[<context>]]]
CreateaUnixdomainsocketnamed/dev/socket/<name>andpassitsfdtothelaunched
process.Thetypemustbedgram,stream,orseqpacket.TheuserandgroupIDsdefault
to0.TheSELinuxsecuritycontextforthesocketiscontext.Itdefaultstotheservice
securitycontext,asspecifiedbyseclabel,oriscomputedbasedontheserviceexecutable
file’ssecuritycontext.
Let’stakealookatthisdirectoryandseewhatwe’vefound.
root@udoo:/dev/socket#ls-laZ|grepadb
srw-rw----systemsystemu:object_r:adbd_socket:s0adbd
Thisraisesthequestion,“Howdiditgetintothatdomain?”Usingourknowledgefromthe
previouschapter,weknowthat/devisatmpfs,soweknowthatitdidnotenterthis
domainthroughxattrs.Itmustbeeitheracodemodificationoratypetransition.Let’s
checkwhetherit’satypetransition.Ifitis,wewouldexpecttoseeastatementinthe
expandedpolicy.conf.SELinuxpolicyisbasedonthem4macrolanguage.During
builds,itisexpandedintopolicy.conf,andthencompiled.Chapter12,Masteringthe
ToolChain,hasmoredetailsonthis.
Wecandiscoverthisbyusingsesearchtofindtypetransitionsforadbd_socket:
$sesearch-T-tadbd_socket$OUT/sepolicy
Asyoucanseefromtheemptyoutput,therearezerosuchlines,soit’snotthepolicy
whichisdoingthisbutacodechange.
InLinux,processesarecreatedwithfork()followedbyexec().Becauseofthis,weare
abletoaffordgreatkeywordstosearchtheinitdaemon.Wesuspectthatthecodetosetup
thesocketisjustafteracalltofork()inthechildprocessesandbeforeacalltoexec():
$grep-nforksystem/core/init/init.c
235:pid=fork();
So,theforkwearesearchingforisonline235ofinit.c;let’sopeninit.cinatext
editorandtakealook.Wewillfindthefollowingsnippettoexamine:
...
NOTICE("starting'%s'\n",svc->name);
pid=fork();
if(pid==0){
structsocketinfo*si;
structsvcenvinfo*ei;
www.it-ebooks.info
chartmp[32];
intfd,sz;
umask(077);
if(properties_inited()){
get_property_workspace(&fd,&sz);
sprintf(tmp,"%d,%d",dup(fd),sz);
add_environment("ANDROID_PROPERTY_WORKSPACE",tmp);
}
for(ei=svc->envvars;ei;ei=ei->next)
add_environment(ei->name,ei->value);
for(si=svc->sockets;si;si=si->next){
intsocket_type=(
!strcmp(si->type,"stream")?SOCK_STREAM:
(!strcmp(si->type,"dgram")?SOCK_DGRAM:SOCK_SEQPACKET));
ints=create_socket(si->name,socket_type,
si->perm,si->uid,si->gid,si->socketcon?:scon);
if(s>=0){
publish_socket(si->name,s);
}
...
Accordingtoman2fork,thereturncodeoffork()inthechildprocessis0.Thechild
processexecuteswithinthisifstatementandtheparentskipsit.Thefunctioncreate_
socket()alsoseemsinteresting.Itappearstotakethenameoftheservice,thetypeof
socket,permissionsflags,uid,gid,andsocketcon.Whatissocketcon?Let’scheck
whetherwecantracebacktowhereitisset.
Ifwelookbeforefork(),wecanseethattheparentprocessgetsitssconbasedontwo
factors:
...
if(svc->seclabel){
scon=strdup(svc->seclabel);
if(!scon){
ERROR("Outofmemorywhilestarting'%s'\n",svc->name);
return;
}
}else{
...
Thefirstpaththroughtheifstatementoccurswhensvc->seclabelisnotnull.Thissvc
structureispopulatedwiththeoptionsthatcanbeassociatedwithaservice.Asarefresher
fromChapter3,AndroidIsWeird,seclabelletsyouexplicitlysetthecontextona
service,hardcodedtothevalueininit.rc.Theelseclauseisabitmoreinvolvedand
interesting.
Intheelseclause,wegetthecontextofthecurrentprocessbycallinggetcon().This
function,sincewe’rerunningininit,shouldreturnu:r:init:s0andstoreitinmycon.The
nextfunction,getfilecon()ispassedthepathoftheexecutable,andchecksthecontext
ofthefileitself.Thethirdfunctionistheworkhorsehere:security_compute_create().
www.it-ebooks.info
Thistakesthemycon,fcon,andtargetclassandcomputesthesecuritycontext,scon.
Giventheseinputs,ittriestodetermine,basedonpolicytypetransitions,whatthe
resultingdomainforthechildshouldbe.Ifnotransitionsaredefined,sconwillbethe
sameasmycon.
Aconditionalexpressionwithinthecreate_socket()functionadditionallydetermines
thesocketcontextpassed.Thevariablesiisastructurethatcontainsalltheoptionstothe
socketstatementintheinitservicesection.Asspecifiedbythereadme.txtfile,si>socketconisthesocketcontextargument.Inotherwords,thesocketcontextcancome
fromoneofthreeplaces(indescendingpriority):
Thesocketconoptiononthesocketoptionintheservicedeclaration
Theseclabeloptionontheservicekeyword
Dynamicallycomputedfromsourceandtargetcontexts
Thesocketcontextispassedtocreate_socket().Now,let’slookatcreate_socket().
Thisfunctionisdefinedatsystem/core/init/util.c:87.Thesnippetsofcodearound
socket()seeminteresting:
...
if(socketcon)
setsockcreatecon(socketcon);
fd=socket(PF_UNIX,type,0);
if(fd<0){
ERROR("Failedtoopensocket'%s':%s\n",name,strerror(errno));
return-1;
}
if(socketcon)
setsockcreatecon(NULL);
...
Thesetsockcreatecon()functionsetstheprocess’socketcreationcontext.Thismeans
thatthesocketcreatedbythesocket()callwillhavethecontextsetvia
setsockcreatecon().Afterit’screated,theprocessresetsittotheoriginalbyusing
setsockcreatecon(NULL).
Thenextbitofinterestingcodeisaroundbind():
...
filecon=NULL;
if(sehandle){
ret=selabel_lookup(sehandle,&filecon,addr.sun_path,S_IFSOCK);
if(ret==0)
setfscreatecon(filecon);
}
ret=bind(fd,(structsockaddr*)&addr,sizeof(addr));
if(ret){
ERROR("Failedtobindsocket'%s':%s\n",name,strerror(errno));
gotoout_unlink;
}
www.it-ebooks.info
setfscreatecon(NULL);
freecon(filecon);
...
Here,wehavesetthefilecreationcontext.Thefunctionsareanalogousto
setsock_creation(),butworkforfilesystemobjects.However,theselabel_lookup()
functionlooksinfile_contextsforthecontextofthefile.Thepartyoumightbemissing
isthatthecalltobind(),forpath-basedsockets,createsafileatthepathspecifiedin
sockaddr_unstruct.So,thesocketobjectandthefilesystemnodeentryaredistinctly
separatethingsandcanhavedifferentcontexts.Typically,thesocketbelongstothe
process’context,andthefilesystemnodeisgivensomeothercontext.
www.it-ebooks.info
www.it-ebooks.info
Dynamicdomaintransitions
Wesawinitcomputingofthecontextsfortheinitsockets,butweneverencounteredit
whilesettingthedomainsforchildprocesses.Inthissection,wewilldiveintothetwo
techniquestodoso:explicitsettingwithaninitscriptandsepolicydynamicdomain
transitions.
Thefirstwaytothedomainsforchildprocessesiswiththeseclabelstatementintheinit
scriptservicedeclaration.Withinthechildprocessesexecutionafterfork(),wefindthis
statement:
if(svc->seclabel){
if(is_selinux_enabled()>0&&setexeccon(svc->seclabel)<0){
ERROR("cannotsetexeccon('%s'):%s\n",svc->seclabel,strerror(errno));
_exit(127);
}
}
Toclarify,thesvcvariableisthestructurethatcontainstheserviceoptionsandarguments,
sosvc->seclabelisseclabel.Ifit’sset,itcallssetexeccon(),whichsetstheprocess’
executioncontextforanythingitexecutesviaexec().Furtherdown,weseethatthe
exec()functioncallsaremade.Theexec()syscallneverreturnsonsuccess;itonly
returnsonfailure.
Theotherwaytosetthedomainsforchildprocesses,whichisthepreferredway,isby
usingsepolicy.It’spreferredbecausethepolicyhasnodependenciesonanythingelse.By
hardcodingacontextintoinit,you’recouplingadependencybetweentheinitscriptand
thesepolicy.Forinstance,ifthesepolicyremovesatypethatwashardcodedintheinit
script,theinitsetconwillfail,butbothsystemswillcompilecorrectly.Ifyouremovea
typeforatypetransitionandleavethetransitionstatement,youcancatchtheerrorat
compiletime.Sincewelookedattherildservicestatement,let’slookattherild.te
policyfilelocatedinsepolicy.Weshouldsearchforthetype_transitionkeywordin
thisfileusinggrep:
$grep-ctype_transitionrild.te
0
Noinstancesoftype_transitionarefound,butthiskeywordmustexist,similartofiles.
However,itcanbehiddeninanunexpandedmacro.TheSELinuxpolicyfilesareinthe
m4macrolanguage,andtheygetexpandedpriortobeingcompiled.Let’slookthrough
rild.teandcheckwhetherwecanfindsomemacros.Theyaredistinguishedandlook
likefunctionswithparameters.Thefirstmacrowecomeacrossisthe
init_daemon_domain(rild)macro.Now,weneedtofindthismacro’sdefinitionin
sepolicy.Them4languageusesthedefinekeywordtodeclaremacros,sowecansearch
forthat:
$grep-ninit_daemon_domain*|grepdefine
te_macros:99:define(`init_daemon_domain',`
Ourmacroisdeclaredinte_macros,whichcoincidentallyholdsallthemacrosrelatedto
www.it-ebooks.info
typeenforcement(TE).Let’stakealookatwhatthismacrodoesinmoredetail.First,its
definitionis:
...
#####################################
#init_daemon_domain(domain)
#Setupatransitionfrominittothedaemondomain
#uponexecutingitsbinary.
define(`init_daemon_domain',`
domain_auto_trans(init,$1_exec,$1)
tmpfs_domain($1)
')
...
Thecommentedlinesintheprecedingcode(linesstartingwith#inm4),statethatitsets
upatransitionfrominittothedaemondomain.Thissoundslikesomethingwewant.
However,boththeencompassingstatementsaremacros,andweneedtorecursively
expandthem.Wewillstartwithdomain_auto_trans():
...
#####################################
#domain_auto_trans(olddomain,type,newdomain)
#Automaticallytransitionfromolddomaintonewdomain
#uponexecutingafilelabeledwithtype.
#
define(`domain_auto_trans',`
#Allowthenecessarypermissions.
domain_trans($1,$2,$3)
#Makethetransitionoccurbydefault.
type_transition$1$2:process$3;
')
...
Thecommenthereindicatesthatweareheadedintheproperdirection;however,weneed
tokeepexpandingmacrosinoursearch.Accordingtothecomment,thedomain_trans()
macroallowsjustthetransitiontooccur.RememberthatalmosteverythinginSELinux
needsexplicitpermissionfromthepolicyinordertohappen,includingtypetransitions.
Thelaststatementinthemacroistheoneweweresearchingfor:
type_transition$1$2:process$3;
Ifyouexpandthisstatementout,you’llget:
type_transitioninitrild_exec:processrild;
Whatthisstatementconveysisthatifyoumakeanexec()syscallonafilewiththetype
rild_exec,andtheexecutingdomainisinit,thenmakethechildprocess’domainrild.
www.it-ebooks.info
www.it-ebooks.info
Explicitcontextsviaseclabel
Theotheroptionforsettingcontextsisverystraightforward.It’shardcodingthemwiththe
initscriptintheservicedeclaration.Intheservicedeclaration,aswesawinChapter3,
AndroidIsWeird,thereweremodificationstotheinitlanguage.Oneoftheadditionsis
seclabel.Thisoptionjustletsinitexplicitlychangethecontextoftheservicetothe
argumentgiventoseclabel.Hereisanexampleofadbd:
Serviceadbd/sbin/adbd
classcore
socketadbdstream660systemsystem
disabled
seclabelu:r:adbd:s0
Sowhyusedynamictransitionsonsomeandseclabelonothers?Theansweris
dependentonwhereyou’reexecutingfrom.Thingssuchasadbdexecuteearlyonfromthe
ramdisk,andsincetheramdiskreallydoesn’tuseperfilelabels,youcan’tsetup
transitionsproperly—thetargethasthesamecontext.
www.it-ebooks.info
www.it-ebooks.info
Relabelingprocesses
Nowthatwearearmedwithdynamicprocesstransitions,andtheabilitytosetsocket
contextsfrominitscriptsisneeded.Let’sattempttorelabeltheservicesthatarein
impropercontexts.Wecantellifthey’reimproperbycheckingthemagainstthefollowing
rules:
Nootherprocessbutinitshouldbeintheinitcontext
Nolongrunningprocessshouldbeintheinit_shelldomain
Nothingbutzygoteshouldbeinthezygotedomain
Note
AmorecomprehensivetestsuiteispartofCTSonAOSP.RefertotheAndroidCTS
projectformoredetails:(gitclone)https://android.googlesource.com/platform/cts.Take
noteofthe
./hostsidetests/security/src/android/cts/security/SELinuxHostTest.javaand
./tests/tests/security/src/android/security/cts/SELinux.*.javatests.
Let’srunsomebasiccommandsandevaluatethestatusofourUDOOovertheadb
connection:
$adbshellps-Z|grepinit
u:r:init:s0root10/init
u:r:init:s0root22671/sbin/watchdogd
u:r:init_shell:s0root22781/system/bin/sh
$adbshellps-Z|grepzygote
u:r:zygote:s0root22851zygote
Wehavetwoprocessesintheimproperdomains.Thefirstiswatchdogd,andthesecondis
ashprocess.Weneedtofindtheseandcorrectthem.
Wewillstartwiththemysteryshprogram.Asyoucanrecallfromthepreviouschapter,
ourUDOOserialconsoleprocesshadthecontextofinit_shell,sothisisagoodsuspect.
Let’scheckPIDsandfindout.FromaUDOOserialconsoleexecute:
root@udoo:/#echo$$
2278
WecancomparethisPIDtothePIDfieldintheadbshellpsoutputhere(PIDfieldis
thethirdfield,index2),andasyoucansee,wehaveamatch.
Fromthere,weneedtofindtheservicedeclarationforthis.Weknowthatitisininit.rc
sinceit’srunningininit_shell,atypethatcanonlybetransitionedtobyinitdirectlyas
pertheSELinuxpolicy.Also,initonlystartsprocessingthingsbyservicedeclarations,so
inordertobeininit_shell,youmuststartbyinitviaaservicedeclaration.
Note
Usesesearchtofindoutsuchthingsonthecompiledsepolicybinary:
$sesearch-T-sinit-tshell_exec-cprocess$OUT/root/sepolicy
www.it-ebooks.info
Ifwesearchinit.rcfortheUDOO,whichisinudoo/device/fsl/imx6/etc,wecan
grepitscontentsfor/system/bin/sh,thecommandinquestion.Ifwedothat,wewill
find:
$grep-n"/system/bin/sh"init.rc
499:serviceconsole/system/bin/sh
702:servicewifi_mac/system/bin/sh/system/etc/check_wifi_mac.sh
Let’slookat499sincewedon’thaveanythingtodowithWi-Fi:
serviceconsole/system/bin/sh
classcore
console
userroot
grouproot
Ifthisistheserviceinquestion,weshouldbeabletodisableit,andverifythatourserial
connectionnolongerworks:
$adbshellsetpropctl.stopconsole
Myliveserialconnectiondiedat:
root@udoo:/#avc:denied{set}forproperty=ctl.console
scontext=u:r:shell:s0tcontext=u:e
Nowthatwehaveverifiedwhatitis,wecanstartitbackup:
$adbshellsetpropctl.startconsole
Withthesystembackinaworkingstate,wenowneedtoaddressthebestwaytocorrect
thelabelonthisservice.Wehavetwooptions:
Usinganexplicitseclabelentryininit.rc
Usingatypetransition
Theoptionwewillusehereisthefirst.Thereasonisbecauseinitexecutesshellfromtime
totime,andwedon’twantalloftheseintheconsoleprocessesdomain.Wewantleast
privilegetosegregatetherunningprocesses.Byusingtheexplicitseclabel,wewon’t
changeanyoftheothershellsthatareexecutedalongtheway.
Todothis,weneedtomodifytheinit.rcentryforconsole;add:
serviceconsole/system/bin/sh
classcore
console
userroot
grouproot
seclabelu:r:shell:s0
Theproperdomainforthisexecutableisshell,sinceitshouldhavethesamepermission
setasadbshell.Afteryoumakethischange,recompilethebootimage,flash,andthen
reboot.Wecanseethatitisnowinashelldomain.Toverify,executethefollowingfroma
UDOOserialconnection:
root@udoo:/#id-Z
www.it-ebooks.info
uid=0(root)gid=0(root)context=u:r:shell:s0
Alternatively,executethefollowingcommandusingadb:
$adbshellps-Z|grep"system/bin/sh"
u:r:shell:s0root22791/system/bin/sh
Thenextoneweneedtotakecareofiswatchdogd.Thewatchdogdprocessalreadyhasa
domainandallowsrulesinwatchdog.te;sowejustneedtoaddaseclabelstatementand
getitintothisproperdomain.Modifyinit.rc:
#Setwatchdogtimerto30secondsandpetitevery10secondstogeta20
secondmargin
servicewatchdogd/sbin/watchdogd1020
classcore
seclabelu:r:watchdogd:s0
Toverifyusingadb,executethefollowingcommand:
$adbshellps-Z|grepwatchdog
u:r:watchdogd:s0root22671/sbin/watchdogd
Atthispoint,wehavemadeactualpolicycorrectionsthattheUDOOwasinneedof.
However,weneedtopracticetheuseofdynamicdomaintransitions.Agoodteaching
examplewouldhavesubshellsfromashellintheirowndomain.Let’sstartbydefininga
newdomainandsettingupthetransition.
Wewillcreateanew.tefileinsepolicycalledsubshell.te,andedititsothatits
contentscontainthefollowing:
typesubshell,domain,shelldomain,mlstrustedsubject;
#domain_auto_trans(olddomain,type,newdomain)
#Automaticallytransitionfromolddomaintonewdomain
#uponexecutingafilelabeledwithtype.
#
domain_auto_trans(shell,shell_exec,subshell)
Now,themmmtrickusedearlierinthebookcanbeusedtocompilejustthepolicyAlso,use
adbpushcommandtopushthenewpolicyto/data/security/current/sepolicyand
executesetproptoreloadthepolicy,justaswedidinChapter8,ApplyingContextsto
Files.
Totestthis,weshouldbeabletotypesh,andverifythedomaintransition.Wewillstart
bygettingourcurrentcontext:
root@udoo:/#id-Z
uid=0(root)gid=0(root)context=u:r:shell:s0
Thenexecuteashellbydoing:
root@udoo:/#sh
root@udoo:/#id-Z
uid=0(root)gid=0(root)context=u:r:subshell:s0
Wewereabletouseadynamictypetransitiontogetanewprocessinadomain.Ifyou
couplethiswithlabelingfiles,aspresentedinChapter8,ApplyingContextstoFiles,you
www.it-ebooks.info
haveapowerfultooltocontrolprocesspermissions.
www.it-ebooks.info
www.it-ebooks.info
Limitationsonapplabeling
Afundamentallimitationofthesedynamicprocesstransitionsisthattheyrequirean
exec()systemcalltobemade.OnlythencanSELinuxcomputethenewdomain,and
triggerthecontextswitch.Theonlyotherwaytodothisisbymodifyingthecode,which
essentiallyiswhatinitisdoingwhenyouspecifyseclabel().Theinitcodesetstheexec
contextforitsprocess,causingthenextexectoendupinthespecifieddomain.Infact,we
canseethisintheinit.ccode:
if(svc->seclabel){
if(is_selinux_enabled()>0&&setexeccon(svc->seclabel)<0){
ERROR("cannotsetexeccon('%s'):%s\n",svc->seclabel,strerror(errno));
_exit(127);
}
}
Here,thechildprocessgetsitsexecutecontextsetbyacalltosetexeccon()beforethe
exec()systemcallhandsovercontroltoanewbinaryimage.InAndroid,applicationsare
notspawnedthisway,andnoexec()syscallexistsintheprocesscreationpath;soanew
mechanismwillbeneeded.
www.it-ebooks.info
www.it-ebooks.info
Summary
Inthischapter,welearnedhowtolabelprocessesviatypetransitionsaswellasviathe
seclabelstatements.Wealsoinvestigatedhowinitmanagesservicesockets,andhowto
properlylabelthem.Wethencorrectedtheprocesscontextsfortheserialconsoleaswell
asthewatchdogdaemon.
ApplicationsinAndroidneverhaveanexplicitcalltoexec()tostarttheirprogram
execution.Sincethereisnoexec(),wehavetolabelapplicationswithacodechange.In
thenextchapter,wewilladdresshowthishappens,andhowapplicationsgetlabeled.
www.it-ebooks.info
www.it-ebooks.info
Chapter10.PlacingApplicationsin
Domains
InChapter3,AndroidIsWeird,weintroducedthezygoteandthatallapplications,APKs
inAndroidspeak,emanatefromthezygotejustlikeservicesemanatefromtheinit
process.Assuch,theyneedtobelabeled,aswedidinthepreviouschapter.Recallthat
labelingisthesameasplacingaprocessinadomainofthatlabel.Applicationsneedtobe
labeledaswell.
Note
APKisthefileextensionandformatforinstallableapplicationpackagesonAndroid.It’s
analogoustothedesktoppackageformatslikeRPM(Redhatbased)orDEB(Debian
based).
Inthischapter,wewilllearnto:
Properlylabelapplicationprivatedatadirectoriesandtheirruntimecontexts
Furtherexaminezygoteandmethodstosecureit
Discoverhowafinishedmac_permssions.xmlfileassignsseinfovalue
Createanewcustomdomain
www.it-ebooks.info
Thecasetosecurethezygote
Androidapplicationswithelevatedpermissionsandcapabilitiesarespawnedfromthe
zygote.Anexampleofthisisthesystemserver,alargeprocesscomprisedofnativeand
non-nativecodehostingavarietyofservices.Thesystemserverhousestheactivity
manager,packagemanager,GPSfeedsandsoon.Thesystemserveralsorunswitha
highlysensitiveUIDofsystem(1000).Also,manyOEMspackagewhatareknownas
systemapps,whicharestandaloneapplicationsrunningwiththesystemUID.
Thezygotealsospawnsapplicationsthatdonotneedelevatedpermissions.Allthird-party
applicationsrepresentthis.ThirdpartyapplicationsrunastheirownUID,separatefrom
sensitiveUIDs,suchassystem.Additionally,applicationsgetspawnedintovariousUIDs
suchasmedia,nfc,andsoon.OEMstendtodefineadditionalUIDs.
It’simportanttonotethattogetintoaspecialUID,likesystem,youmustbesignedwith
theproperkey.Androidhasfourmajorkeysusedtosignapplications:media,platform,
shared,andtestkey.Theyarelocatedinbuild/target/product/security,alongwitha
README.
AccordingtotheREADME,thekeyusageisasfollows:
testkey:Agenerickeyforpackagesthatdonototherwisespecifyakey.
platform:Atestkeyforpackagesthatarepartofthecoreplatform.
shared:Atestkeyforthingsthataresharedinthehome/contactsprocess.
media:Atestkeyforpackagesthatarepartofthemedia/downloadsystem.
InordertorequestsystemUIDforyourapplication,youmustbesignedwiththe
platformkey.Possessionoftheprivatekeyisrequiredtoexecuteinthesemoreprivileged
environments.
Asyoucansee,wehaveapplicationsexecutingatavarietyofpermissionlevels,andtrust
levels.Wecannottrustthirdpartyapplicationssincetheyarecreatedbyunknownentities,
andwecantrustthingssignedwithourprivatekeys.However,beforeSELinux,
applicationpermissionswerestillboundbythesameDACpermissionlimitationsasthose
identifiedinChapter1,LinuxAccessControls.Becauseoftheseproperties,itmakesthe
zygoteaprimetargetforattack,aswellasfortificationwithSELinux.
www.it-ebooks.info
www.it-ebooks.info
Fortifyingthezygote
Nowthatwehaveidentifiedaproblemwithzygote,thenextstepisunderstandinghowto
getapplicationsintoappropriatedomains.WeneedeitherSELinuxpolicyorcodechanges
toplacenewprocessesintoadomain.InChapter9,AddingServicestoDomains,we
covereddynamicdomaintransitionswithinit-basedservicesandtheendofthechapter
mentionstheimportanceoftheexec()syscallinthe“LimitationsonAppLabeling”
section.Thisisthetriggeronwhichdynamicdomaintransitionsoccur.Ifthereisnoexec
inthepath,wewouldhavetorelyoncodechanges.However,onealsohastoconsiderthe
signingkeyinthissecuritymodel,andthereisnowayinpureSELinuxpolicylanguageto
expressthekeytheprocesswassignedwith.
Ratherthanexploringthewholezygote,wecandissectthefollowingpatchesthat
introduceapplicationlabelingintoAndroid.Additionally,wecandiscoverhowthe
introduceddesignmeetstherequirementsofrespectingthesigningkey,workingwithin
thedesignofSELinuxandthezygote.
www.it-ebooks.info
Plumbingthezygotesocket
InChapter3,AndroidIsWeird,welearnedthatthezygotelistensforrequeststospawna
newapplicationfromasocket.Thefirstpatchtoexamineishttps://androidreview.googlesource.com/#/c/31066/.Thispatchmodifiesthreefilesinthebase
frameworksofAndroid.ThefirstfileisProcess.javainthemethodstartViaZygote().
Thismethodisthemainentrypointforothermethodswithrespecttobuildingstring
argumentsandpassingthemtothezygotewithzygoteSendArgsAndGetResult().The
patchintroducesanewargumentcalledseinfo.Lateron,wewillseehowthisgetsused.
Itappearsthatthispatchisplumbingthisnewseinfoargumentoverthesocket.Notethat
thiscodeiscalledexternaltothezygoteprocess.
ThenextfiletolookatinthispatchisZygoteConnection.java.Thiscodeexecutesfrom
withinthecontext.Thepatchstartsoffbydeclaringastringmembervariable
peerContextintheZygoteConnectionclass.Intheconstructor,thispeerContext
memberissettothevalueobtainedfromacallto
SELinux.getPeerContext(mSocket.getFileDescriptor()).
SincetheLocalSocketmSocketisaUnixdomainsocketunderthehood,youcanobtain
theconnectedclient’scredentials.Inthiscase,thecalltogetPeerContext()getsthe
client’ssecuritycontext,orinmoreformalterms,theprocesslabel.Aftertheinitialization,
furtherdowninmethodrunOnce(),weseeitbeingusedincallsto
applyUidSecurityPolicyandotherapply*SecurityPolicyroutines.Theprotected
methodrunOnce()iscalledtoreadonestartcommandfromthesocketandarguments.
Eventually,aftertheapply*SecurityPolicychecks,itcallsforkandSpecialize().Each
securitypolicycheckhasbeenmodifiedtouseSELinuxontopoftheexistingDAC
securitycontrols.IfwereviewapplyUidSecurityPolicy,weseetheymakethecall:
booleanallowed=SELinux.checkSELinuxAccess(peerSecurityContext,
peerSecurityContext,"zygote","specifyids");
Thisisanexampleofauserspaceleveragingmandatoryaccesscontrolsinwhatisknown
asanobjectmanager.Additionally,asecuritycheckhasbeenaddedforthemysterious
seinfostringintheapplyseInfoSecurityPolicy()method.Allthesecuritycheckshere
forSELinuxspecifythetargetclasszygote.Soifwelookintosepolicy
access_vectors,weseetheaddedclasszygote.ThisisacustomclassforAndroidand
definesallthevectorscheckedinthesecuritychecks.
Thelastfilewe’llconsiderfromthispatchisActivityManagerService.java.The
ActivityManagerisresponsibleforstartingapplicationsandmanagingtheirlifecycles.
It’saconsumeroftheProcess.startAPIandneedstospecifyseinfo.Thispatchis
simple,andfornow,justsendsnull.Later,wewillseethepatchenablingitsuse.
Thenextpatch,https://android-review.googlesource.com/#/c/31063/,executeswithinthe
contextoftheAndroidDalvikVMandiscodedintheVMzygoteprocessspace.The
forkAndSpecialize()wesawinZygoteConnectionendsupinthisnativeroutine.It
entersusingstaticpid_tforkAndSpecializeCommon(constu4*args,bool
isSystemServer).Thisroutineisresponsibleforcreatingthenewprocessthatbecomes
www.it-ebooks.info
theapplication.
ItbeginswithhousekeepingcodemovingfromJavatoCandsetsuptheniceNameand
seinfovaluesasC-stylestrings.Eventually,thecodecallsfork()andthechildprocess
startsdoingthings,likeexecutingsetgidandsetuid.Theuidandgidvaluesare
specifiedtothezygoteconnectionwiththeProcess.startmethod.Wealsoseeanew
calltosetSELinuxContext().Asanaside,theorderoftheseeventsisimportanthere.If
yousettheSELinuxcontextofthenewprocesstooearly,theprocesswouldneed
additionalcapabilitiesinthenewcontexttodothingslikesetuidandsetgid.However,
thosepermissionsarebestlefttothezygotedomain,sotheapplicationdomainweentered
canbeasminimalaspossible.
Continuing,setSELinuxContexteventuallycallsselinux_android_setcontext().Note
thattheHAVE_SELINUXconditionalcompilationmacroswereremovedafterthiscommit,
butpriortothe4.3release.Alsonotethatselinux_android_setcontext()isdefinedin
libselinux,soourjourneywilltakeusthere.Hereweseethemysteriousseinfoisstill
beingpassedalong.
Thenextpatchtoevaluateishttps://android-review.googlesource.com/#/c/39601/.This
patchactuallypassesamoremeaningfulseinfovaluefromtheJavalayer.Ratherthan
beingsettonull,thispatchintroducessomeparsinglogicfromanXMLfile,andpasses
thisalongtotheProcess.startmethod.
Thispatchmodifiestwomajorcomponents:PackageManagerandinstalld.
PackageManagerrunsinsidethesystem_server,andperformsapplicationinstallation.It
maintainsthestateofallinstalledpackagesinthesystem.Thesecondcomponent,a
serviceknownasinstalld,isaveryprivilegedrootservicethatcreatesallthe
applications’privatedirectoriesondisk.Ratherthangivingsystemserver,andtherefore
PackageManager,thecapabilitytocreatethesedirectories,onlyinstalldhasthese
permissions.Usingthisapproach,eventhesystemservercannotreaddatainyourprivate
datadirectoriesunlessyoumakeitworldreadable.
Thispatchislargerthantheothers,soweareonlygoingtoinspectthepartsdirectly
relevanttoourdiscussion.We’llstartbylookingatPackageManagerService.java.This
classisthepackagemanager,properforAndroid.Intheconstructorfor
PackageManagerService(),weseetheadditionofmFoundPolicyFile=
SELinuxMMAC.readInstallPolicy();.
Basedonthenaming,wecanconjecturethatthismethodislookingforsometypeof
policyconfigurationfile,andiffound,returnstrue,settingthemFoundPolicyFilemember
variable.WealsoseesomecallstocreateDataDirsandmInstaller.*calls.Thesewe
canignore,sincethosecallsareheadedtoinstalld.
Thenextmajorportionaddsthefollowing:
if(mFoundPolicyFile){
SELinuxMMAC.assignSeinfoValue(pkg);
}
It’simportanttonotethatthiscodewasaddedintothescanPackageLI()method.This
www.it-ebooks.info
methodiscalledeverytimeapackageneedstobescannedforinstallation.Soatahigh
level,ifsomepolicyfileisfoundduringservicestartup,thenaseinfovalueisassignedto
thepackage.
ThenextfiletolookatisApplicationInfo.java,acontainerclassformaintainingmeta
informationaboutapackage.Aswecansee,theseinfovalueisspecifiedhereforstorage
purposes.Additionally,thereissomecodeforserializinganddeserializingtheclassvia
theAndroidspecificParcelimplementation.
Atthispoint,weshouldhaveacloserlookattheSELinuxMMAC.javacodetoconfirmour
understandingofwhat’sgoingon.Theclassstartsbydeclaringtwolocationsforpolicy
files.
//Locationsofpotentialinstallpolicyfiles.
privatestaticfinalFile[]INSTALL_POLICY_FILE={
newFile(Environment.getDataDirectory(),"system/mac_permissions.xml"),
newFile(Environment.getRootDirectory(),
"etc/security/mac_permissions.xml"),
null};
Accordingtothis,policyfilescanexistintwolocations/data/system/mac_permissions.xmland
/system/etc/security/mac_permissions.xml.Eventually,weseethecallfrom
PackageManagerServiceinitializationtothemethoddefinedintheclass
readInstallPolicy(),whicheventuallyreducestoacallof:
privatestaticbooleanreadInstallPolicy(File[]policyFiles){
FileReaderpolicyFile=null;
inti=0;
while(policyFile==null&&policyFiles!=null&&policyFiles[i]!=
null){
try{
policyFile=newFileReader(policyFiles[i]);
break;
}catch(FileNotFoundExceptione){
Slog.d(TAG,"Couldn'tfindinstallpolicy"+
policyFiles[i].getPath());
}
i++;
}
...
WithpolicyFilessettoINSTALL_POLICY_FILE,thiscodeusesthearraytofindafileat
thespecifiedlocations.Itisprioritybased,withthe/datalocationtakingprecedenceover
/system.Therestofthecodeinthismethodlookslikeparsinglogicandfillsuptwohash
tablesthatweredefinedintheclassdeclaration:
//Signatureseinfovaluesreadfrompolicy.
privatestaticfinalHashMap<Signature,String>sSigSeinfo=
newHashMap<Signature,String>();
//Packagenameseinfovaluesreadfrompolicy.
privatestaticfinalHashMap<String,String>sPackageSeinfo=
newHashMap<String,String>();
www.it-ebooks.info
ThesSigSeinfomapsSignatures,orsigningkeys,toseinfostrings.Theothermap,
sPackageSeinfomapsapackagenametoastring.
Atthispoint,wecanreadsomeformattedXMLfromthemac_permissions.xmlfileand
createinternalmappingsfromsigningkeytoseinfoandpackagenametoseinfo.
TheothercallfromPackageManagerServiceintothisclasscamefromvoid
assignSeinfoValue(PackageParser.Packagepkg).
Let’sinvestigatewhatthismethodcando.Itstartsbycheckingiftheapplicationissystem
UIDorasysteminstalledapp.Inotherwords,itcheckswhethertheapplicationisathirdpartyapplication:
if(((pkg.applicationInfo.flags&ApplicationInfo.FLAG_SYSTEM)!=0)||
((pkg.applicationInfo.flags&ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)!=
0)){
ThiscodehassubsequentlybeendroppedbyGoogle,andwasinitiallyarequirementfor
merge.Wecan,however,continueourevaluation.Thecodeloopsoverallthesignatures
inthepackage,andchecksagainstthehashtable.Ifitissignedwithsomethinginthat
map,itusestheassociatedseinfovalue.Theothercaseisthatitmatchesbypackage
name.Ineithercase,thepackage’sApplictionInfoclassseinfovalueisupdatedto
reflectthisandbeusedelsewherebyinstalldandzygoteapplicationspawn:
//Wejustwantoneofthesignaturestomatch.
for(Signatures:pkg.mSignatures){
if(s==null)
continue;
if(sSigSeinfo.containsKey(s)){
Stringseinfo=pkg.applicationInfo.seinfo=sSigSeinfo.get(s);
if(DEBUG_POLICY_INSTALL)
Slog.i(TAG,"package("+pkg.packageName+
")labeledwithseinfo="+seinfo);
return;
}
}
//Checkforseinfolabeledbypackage.
if(sPackageSeinfo.containsKey(pkg.packageName)){
Stringseinfo=pkg.applicationInfo.seinfo=
sPackageSeinfo.get(pkg.packageName);
if(DEBUG_POLICY_INSTALL)
Slog.i(TAG,"package("+pkg.packageName+
")labeledwithseinfo="+seinfo);
return;
}
}
}
Asanaside,whatismergedintomainlineAOSPandwhatismaintainedintheNSA
Bitbucketrepositoriesisabitdifferent.TheNSAhasadditionalcontrolsinthesepolicy
filesthatcancauseanapplicationinstallationtoabort.GoogleandtheNSAare“forked”
overthisissue,sotospeak.IntheNSAversionsofSELinuxMMAC.java,youcanspecify
thatapplicationsmatchingaspecificsignatureorpackagenameareallowedtohave
www.it-ebooks.info
certainsetsofAndroid-levelpermissions.Forinstance,youcanblockallapplications
frombeinginstalledthatrequestCAMERApermissionsorblockapplicationssignedwith
certainkeys.Thisalsohighlightshowimportantitcanbetofindpatcheswithinlargecode
basesandquicklycomeuptospeedonhowprojectsevolve,whichcanoftenseem
daunting.
ThelastfileinthispatchforustoconsiderisActivityManagerService.java.Thispatch
replacesthenullwithapp.info.seinfo.Afterallthatworkandallthatplumbing,we
finallyhavethemysticalseinfovaluefullyparsed,associatedperapplicationpackage,
andsentalongtothezygoteforuseinselinux_android_setcontext().
Nowitwouldbenefitustositbackandthinkaboutsomeofthepropertieswewantedto
achieveinlabelingapplications.Oneofthemistosomehowcoupleasecuritycontext
withtheapplicationsigningkey,andthisispreciselythemainbenefitofseinfo.Thisisa
highlysensitiveandtrustedstringassociatedvalueofasigningkey.Theactualcontentsof
thestringarearbitraryanddictatedinmac_permissions.xml,whichisthenextstopon
ouradventure.
www.it-ebooks.info
Themac_permissions.xmlfile
Themac_permissions.xmlfilehasaveryconfusingname.Expanded,thenameisMAC
permissions.However,itsmajormainlinefunctionalityistomapasigningkeytoa
seinfostring.Secondarily,itcanalsobeusedtoconfigureanon-mainstreaminstall-time
permission-checkingfeature,knownasinstalltimeMMAC.MMACcontrolsarepartof
theNSA’sworktoimplementmandatoryaccesscontrolsinthemiddlewarelayer.MMAC
standsfor“MiddlewareMandatoryAccessControls”.Googlehasnotmergedanyofthe
MMACfeatures.However,sinceweusedtheNSABitbucketrepositories,ourcodebase
containsthesefeatures.
Themac_permissions.xmlisanXMLfile,andshouldadheretothefollowingrules,
whereitalicizedportionsareonlysupportedonNSAbranches:
AsignatureisahexencodedX.509certificateandisrequiredforeachsignertag.
A<signersignature="">elementmayhavemultiplechildelements:
allow-permission:Itproducesasetofmaximalallowedpermissions
(whitelist)
deny-permission:Itproducesablacklistofpermissionstodeny
allow-all:Itisawildcardtagthatwillalloweverypermissionrequested
package:Itisacomplextagwhichdefinesallow,deny,andwildcardsub-
elementsforaspecificpackagenameprotectedbythesignature
Zeroormoreglobal<packagename="">tagsareallowed.Thesetagsallowapolicy
tobesetoutsideanysignatureforspecificpackagenames.
A<default>tagisallowedthatcancontaininstallpolicyforallappsnotsignedwith
apreviouslylistedcertandnothavingaperpackageglobalpolicy.
Unknowntagsatanylevelareskipped.
Zeroormoresignertagsareallowed.
Zeroormorepackagetagsareallowedpersignertag.
A<packagename="">tagmaynotcontainanother<packagename="">tag.If
found,it’sskipped.
Whenmultiplesub-elementsappearforatag,thefollowinglogicisusedto
ultimatelydeterminethetypeofenforcement:
Ablacklistisusedifatleastonedeny-permissiontagisfound.
Awhitelistisused,ifnotablacklist,andatleastoneallow-permissiontagis
found.
Awildcard(acceptallpermissions)policyisusedifnotablacklistandnota
whitelist,andatleastoneallow-alltagispresent.
Ifa<packagename="">sub-elementisfound,thenthatsub-element’spolicyis
usedaccordingtotheearlierlogicandoverridesanysignatureglobalpolicy
type.
Inorderforapolicystanzatobeenforced,atleastoneofthepreceding
situationsmustapply.Meaning,emptysigner,defaultorpackagetagswillnot
beaccepted.
www.it-ebooks.info
Eachsigner/default/package(globalorattachedtoasigner)tagisallowedto
containone<seinfovalue=""/>tag.Thistagrepresentsadditionalinfothateach
appcanuseinsettinganSELinuxsecuritycontextontheeventualprocess.
StrictenforcingofanyXMLstanzaisnotenforcedinmostcases.Thismainly
appliestoduplicatetags,whichareallowed.Intheeventthatatagalreadyexists,the
originaltagisreplaced.
Therearealsonochecksonthevalidityofpermissionnames.Althoughvalid
Androidpermissionsareexpected,nothingpreventsunknowns.
Followingaretheenforcementdecisions:
Allsignaturesusedtosignanapparecheckedforpolicyaccordingtosigner
tags.However,onlyoneofthesignaturepolicieshastopass.
Intheeventthatnoneofthesignaturepoliciespass,ornoneevenmatch,thena
globalpackagepolicyissought.Iffound,thispolicymediatestheinstall.
Thedefaulttagisconsultedlast,ifneeded.
Alocalpackagepolicyalwaysoverridesanyparentpolicy.
Ifnoneofthecasesapply,thentheappisdenied.
ThefollowingexamplesignoretheInstallMMACsupportandfocusonthemainline
usageofseinfomapping.Thefollowingisanexampleofstanzamappingallthings
signedwiththeplatformkeytoseinfovalueplatform:
<!--PlatformdevkeyinAOSP-->
<signersignature="@PLATFORM">
<seinfovalue="platform"/>
</signer>
Hereisanexamplemappingallthingssignedwiththereleasekeytothereleasedomain
withtheexceptionofthebrowser.Thebrowsergetsassignedaseinfovalueofbrowser,
asfollows:
<!--releasedevkeyinAOSP-->
<signersignature="@RELEASE">
<seinfovalue="release"/>
<packagename="com.android.browser">
<seinfovalue="browser"/>
</package>
</signer>
...
Anythingwithanunknownkey,getsmappedtothedefaulttag:
...
<!--Allotherkeys-->
<default>
<seinfovalue="default"/>
</default>
Thesigningtagsareofinterest,the@PLATFORMand@RELEASEarespecialprocessing
stringsusedduringbuild.Anothermappingfilemapsthesetoactualkeyvalues.Thefile
thatisprocessedandplacedontothedevicehasallkeyreferencesreplacedwithhex
encodedpublickeysratherthantheseplaceholders.Italsohasallwhitespaceand
www.it-ebooks.info
commentsstrippedtoreducesize.Let’stakealookbypullingthebuiltfilefromthe
deviceandformattingit.
$adbpull/system/etc/security/mac_permissions.xml
$xmllint--formatmac_permissions.xml
Now,scrolltothetopoftheformattedoutput;youshouldseethefollowing:
<?xmlversion="1.0"encoding="iso-8859-1"?>
<!--AUTOGENERATEDFILEDONOTMODIFY-->
<policy>
<signer
signature="308204ae30820396a003020102020900d2cba57296ebebe2300d06092a864886
f70d0101050500308196310b300906035504061302555331133…
dec513c8443956b7b0182bcf1f1d">
<allow-all/>
<seinfovalue="platform"/>
</signer>
Noticethatsignature=@PLATFORMisnowahexstring.ThishexstringisavalidX509
certificate.
www.it-ebooks.info
keys.conf
Theactualmagicdoingthemappingfromsignature=@PLATFORMin
mac_permissions.xmliskeys.conf.Thisconfigurationfileallowsyoutomapapem
encodedx509toanarbitrarystring.Theconventionistostartthemwith@,butthisisnot
enforced.TheformatofthefileisbasedonthePythonconfigparserandcontainssections.
Thesectionnamesarethetagsinthemac_permissions.xmlfileyouwishtoreplacewith
keyvalues.Theplatformexampleis:
[@PLATFORM]
ALL:$DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
InAndroid,whenyoubuild,youcanhavethreelevelsofbuilds:engineering,
userdebug,oruser.Inthekeys.conffile,youcanassociateakeytobeusedforalllevels
withthesectionattributeALL,oryoucanassigndifferentkeysperlevel.Thisishelpful
whenbuildingreleaseoruserbuildswithveryspecialreleasekeys.Weseeanexampleof
thisinthe@RELEASEsection:
[@RELEASE]
ENG:$DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
USER:$DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
USERDEBUG:$DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
Thefilealsoallowstheuseofenvironmentvariablesthroughthetraditional$special
character.Thedefaultlocationforthepemfilesisbuild/target/product/security.
However,youshouldneverusethesekeysforauserreleasebuild.Thesekeysarethe
AOSPtestkeysandarepublic!Bydoingso,anyonecanusethesystemkeytosigntheir
appandgainsystemprivilege.Thekeys.conffileisonlyusedduringthebuildandisnot
locatedonthesystem.
www.it-ebooks.info
seapp_contexts
Sofar,wehavelookedathowafinishedmac_permssions.xmlfileassignstheseinfo
value.Nowweshouldaddresshowthelabelingisactuallyconfiguredandutilizesthis
value.Thelabelingofapplicationsismanagedinanotherconfigurationfile,
seapp_contexts.Likemac_permissions.xml,itisloadedtothedevice.However,the
defaultlocationis/seapp_contexts.Theformatofseapp_contextsisthekey=value
pairmappingsperline,adheringtothefollowingrules:
Inputselectors:
isSystemServer(boolean)
user(string)
seinfo(string)
name(string)
sebool(string)
Inputselectorrules:
isSystemServer=truecanonlybeusedonce.
AnunspecifiedisSystemServerdefaultstofalse.
Anunspecifiedstringselectorwillmatchanyvalue.
Auserstringselectorthatendsin*willperformaprefixmatch.
user=_appwillmatchanyregularappUID.
user=_isolatedwillmatchanyisolatedserviceUID.
Allspecifiedinputselectorsinanentrymustmatch(logicalAND).
Matchingiscase-insensitive.
Precedencerulesinorder:
isSystemServer=truebeforeisSystemServer=false
Specifieduser=stringbeforeunspecifieduser=string
Fixedtheuser=stringbeforetheuser=prefix(endingin*)
Longeruser=prefixbeforeshorteruser=prefix
Specifiedseinfo=stringbeforeunspecifiedseinfo=string.
Specifiedname=stringbeforeunspecifiedname=string.
Specifiedsebool=stringbeforeunspecifiedsebool=string.
Outputs:
domain(string):Itspecifiestheprocessdomainfortheapplication.
type(string):Itspecifiesthedisklabelfortheapplications’privatedata
directory.
levelFrom(string;oneofnone,all,app,oruser):ItgivestheMLSspecifier.
level(string):ItshowsthehardcodedMLSvalue.
Outputrules:
Onlyentriesthatspecifydomain=willbeusedforappprocesslabeling.
Onlyentriesthatspecifytype=willbeusedforappdirectorylabeling.
www.it-ebooks.info
levelFrom=userisonlysupportedfor_appor_isolatedUIDs.
levelFrom=apporlevelFrom=allisonlysupportedfor_appUIDs.
levelmaybeusedtospecifyafixedlevelforanyUID.
Duringapplicationspawn,thisfileisusedbytheselinux_android_setcontext()and
selinux_android_setfilecon2()functionstolookuptheproperapplicationdomainor
filesystemcontext,respectively.Thesourceforthesecanbefoundin
external/libselinux/src/android.candarerecommendedreads.Forexample,this
entryplacesallapplicationswithUIDbluetoothinthebluetoothdomainwithadata
directorylabelofbluetooth_data_file:
user=bluetoothdomain=bluetoothtype=bluetooth_data_file
Thisexampleplacesallthirdpartyor“default”applicationsintoaprocessdomainof
untrusted_appandadatadirectoryofapp_data_file.ItadditionallyusesMLS
categoriesoflevelFrom=apptohelpprovideadditionalMLS-basedseparations.
user=_appdomain=untrusted_apptype=app_data_filelevelFrom=app
Currently,thisfeatureisexperimentalasthisbreakssomeknownapplication
compatibilityissues.Atthetimeofthiswriting,thiswasahotitemoffocusforboth
GoogleandNSAengineers.Sinceitisexperimental,let’svalidateitsfunctionalityand
thendisableit.
Wehavenotinstalledanythirdpartyapplicationsyet,sowe’llneedtodosoinorderto
experiment.FDroidisausefulplacetofindthirdpartyapplications,solet’sdownload
somethingfromthereandinstallit.Wecanusethe0xbenchmarkapplicationlocatedat
https://f-droid.org/repository/browse/?fdid=org.zeroxlab.zeroxbenchmarkwithanAPKat
https://f-droid.org/repo/org.zeroxlab.zeroxbenchmark_9.apk,asfollows:
$wgethttps://f-droid.org/repo/org.zeroxlab.zeroxbenchmark_9.apk
$adbinstallorg.zeroxlab.zeroxbenchmark_9.apk
567KB/s(1193455bytesin2.052s)
pkg:/data/local/tmp/org.zeroxlab.zeroxbenchmark_9.apk
Success
Tip
Checklogcatfortheinstalltimeseinfovalue:
$adblogcat|grepSELinux
I/SELinuxMMAC(2557):package(org.zeroxlab.zeroxbenchmark)installedwith
seinfo=default
FromyourUDOO,launchthe0xbenchmarkAPK.Weshouldseeitrunningwithitslabel
inps:
$adbshellps-Z|grepuntrusted
u:r:untrusted_app:s0:c40,c256u0_a40178902285org.zeroxlab.zeroxbenchmark
Noticethelevelportionofthecontextstrings0:c40,c256.Thesecategorieswerecreated
withthelevel=appsettingfromseapp_contexts.
www.it-ebooks.info
Todisableit,wecouldsimplyremovethekey-valuepairforlevelfromtheentryin
seapp_contexts,orwecouldleveragetheseboolconditionalassignment.Let’susethe
Booleanapproach.Modifythesepolicyseapp_contextsfilesotheexisting
untrusted_appentryismodified,andanewoneisadded.Changeuser=_app
domain=untrusted_apptype=app_data_filetouser=_appsebool=app_level
domain=untrusted_apptype=app_data_filelevelFrom=app.
Buildthatwithmmmexternal/sepolicy,asfollows:
Error:
out/host/linux-x86/bin/checkseapp-p
out/target/product/udoo/obj/ETC/sepolicy_intermediates/sepolicy-o
out/target/product/udoo/obj/ETC/seapp_contexts_intermediates/seapp_contexts
out/target/product/udoo/obj/ETC/seapp_contexts_intermediates/seapp_contexts
.tmp
Error:Couldnotfindselinuxboolean"app_level"online:42infile:
out/target/product/udoo/obj/ETC/seapp_contexts_intermediates/seapp_contexts
Error:Couldnotvalidate
Well,therewasabuilderrorcomplainingaboutnotfindingtheselinuxBooleanonline
42ofseapp_contexts.Let’sattempttocorrecttheissuebydeclaringtheBoolean.In
app.te,add:boolapp_levelfalse;.Nowpushthenewlybuiltseapp_contextsand
sepolicyfiletothedeviceandtriggeradynamicreload:
$adbpush$OUT/root/sepolicy/data/security/current/
$adbpush$OUT/root/seapp_contexts/data/security/current/
$adbshellsetpropselinux.reload_policy1
WecanverifythattheBooleanexistsby:
$adbshellgetsebool-a|grepapp_level
app_level-->off
Duetodesignlimitations,weneedtouninstallandreinstalltheapplication:
$adbuninstallorg.zeroxlab.zeroxbenchmark
Re-installandcheckthecontextoftheprocessafterlaunchingit:
$adbshellps-Z|grepuntrusted
u:r:untrusted_app:s0:c40,c256u0_a40178902285org.zeroxlab.zeroxbenchmark
Great!Itfailed.Aftersomedebugging,wediscoveredthesourceoftheissueisthatthe
path/data/securityisnotworldsearchable,causingaDACpermissionsfailure.
Note
Wefoundthisbyprintingofftheresultanderrorcodesinandroid.cwherewesawthe
fopenonseapp_contexts_file[]array(filesinpriorityorder)whilecheckingtheresult
offp=fopen(seapp_contexts_file[i++],"r")in
selinux_android_seapp_context_reload()andusingselinux_log()todumpthedata
tologcat.
$adbshellls-la/data|grepsecurity
drwx------systemsystem1970-01-0400:22security
www.it-ebooks.info
RememberthesetselinuxcontextoccursaftertheUIDswitch,soweneedtomakeit
searchableforothers.WecanfixthepermissionsontheUDOOinit.rcscriptby
changingdevice/fsl/imx6/etc/init.rc.Specifically,changethelinemkdir
/data/security0700systemsystemtomkdir/data/security0711systemsystem.
Buildandflashthebootimage,andtrythecontexttestagain.
$adbuninstallorg.zeroxlab.zeroxbenchmark
$adbinstall~/org.zeroxlab.zeroxbenchmark_9.apk
<launchapk>
$adbshellps-Z|greporg.zeroxlab.zeroxbenchmark
u:r:untrusted_app:s0u0_a4033242285org.zeroxlab.zeroxbenchmark
Sofar,we’vedemonstratedhowtousethesebooloptiononseapp_contextstodisable
theMLScategories.It’simportanttonotethatwhenchangingcategoriesortypeson
APKs,itisrequiredtoremoveandinstalltheAPK,oryouwillorphantheprocessfromits
datadirectorybecauseitwon’thaveaccesspermissionsundermostcircumstances.
Next,let’stakethisAPK,uninstallit,andassignitauniquedomainbychangingits
seinfostring.Typically,youusethisfeaturetotakeasetofapplicationssignedwitha
commonkeyandgetthemintoacustomdomaintodocustomthings.Forexample,if
you’reanOEM,youmayneedtoallowcustompermissionstothirdpartyapplicationsthat
arenotsignedwithanOEMcontrolledkey.StartbyuninstallingtheAPK:
$adbuninstallorg.zeroxlab.zeroxbenchmark
Createanewentryinmac_permissions.xmlbyadding:
<signersignature="@BENCHMARK">
<allow-all/>
<seinfovalue="benchmark"/>
</signer>
Nowweneedtogetapemfileforkeys.conf.SounpackagetheAPKandextractthe
publiccertificate:
$mkdirtmp
$cdtmp
$unzip~/org.zeroxlab.zeroxbenchmark_9.apk
$cdMETA-INF/
$$opensslpkcs7-informDER-in*.RSA-outCERT.pem-outformPEMprint_certs
We’llhavetostripanycruftfromthegeneratedCERT.pemfile.Ifyouopenitup,you
shouldseetheselinesatthetop:
subject=/C=UK/ST=ORG/L=ORG/O=fdroid.org/OU=FDroid/CN=FDroid
issuer=/C=UK/ST=ORG/L=ORG/O=fdroid.org/OU=FDroid/CN=FDroid
-----BEGINCERTIFICATE----MIIDPDCCAiSgAwIBAgIEUVJuojANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJV
SzEMMAoGA1UECBMDT1JHMQwwCgYDVQQHEwNPUkcxEzARBgNVBAoTCmZkcm9pZC5v…
Theyneedtoberemoved,soremoveonlythesubjectandissuerlines.Thefileshouldstart
withBEGINCERTIFICATEandendwithENDCERTIFICATEscissorlines.
www.it-ebooks.info
Let’smovethistoanewfolderinourworkspacecalledcertsandmovethecertificate
intothisfolderwithabettername:
$mkdirUDOO_SOURCE_ROOT/certs
$mvCERT.pemUDOO_SOURCE_ROOT/certs/benchmark.x509.pem
Wecansetupourkeys.confbyadding:
[@BENCHMARK]
ALL:certs/benchmark.x509.pem
Don’tforgettoupdateseapp_contextsinordertousethenewmapping:
user=_appseinfo=benchmarkdomain=benchmark_app
type=benchmark_app_data_file
Nowdeclarethenewtypestobeused.Thedomaintypeshouldbedeclaredinafilecalled
benchmark_app.teinsepolicy:
#Declarethenewtype
typebenchmark_app,domain;
#Thismacroaddsittotheuntrustedappdomainsetandgivesitsome
allowrules
#forbasicfunctionalityaswellasobjectaccesstothetypeinargument
2.
untrustedapp_domain(benchmark_app,benchmark_app_data_file)
Also,addthebenchmark_app_data_fileinfile.te:
typebenchmark_app_data_file,file_type,data_file_type,
app_public_data_type;
Tip
Youmaynotalwayswantalloftheseattributes,especiallyifyou’redoingsomething
securitycritical.Makesureyoulookateachattributeandmacroandseeitsusage.You
don’twanttoopenupanunintendedholebyhavinganoverlypermissivedomain.
Rebuildthepolicy,pushtherequiredpieces,andtriggerareload.
$mmmexternal/sepolicy/
$adbpush$OUT/system/etc/security/mac_permissions.xml
/data/security/current/
$adbpush$OUT/root/sepolicy/data/security/current/
$adbpush$OUT/root/seapp_contexts/data/security/current/
$adbshellsetpropselinux.reload_policy1
StartashellandgreplogcattoseetheseinfovaluethebenchmarkAPKisinstalledas.
TheninstalltheAPK:
$adbinstall~/org.zeroxlab.zeroxbenchmark_9.apk
$adblogcat|grep-iSELinux
Onthelogcatoutput,youshouldsee:
I/SELinuxMMAC(2564):package(org.zeroxlab.zeroxbenchmark)installedwith
seinfo=default
www.it-ebooks.info
Itshouldhavebeenseinfo=benchmark!Whatcouldhavehappened?
Theproblemisin
frameworks/base/services/java/com/android/server/pm/SELinuxMMAC.java.Itlooks
in/data/security/mac_permissions.xml;sowecanjustpushmac_permissions.xml.
Thisisanotherbuginthedynamicpolicyreloadandhastodowithhistoricalchangesin
thisloadingprocedure.Theculpritiswithinthe
frameworks/base/services/java/com/android/server/pm/SELinuxMMAC.javafile:
privatestaticfinalFile[]INSTALL_POLICY_FILE={
newFile(Environment.getDataDirectory(),"security/mac_permissions.xml"),
newFile(Environment.getRootDirectory(),
"etc/security/mac_permissions.xml"),
null};
Togetaroundthis,remountsystemandpushittothedefaultlocation.
$adbremount
$adbpush$OUT/system/etc/security/mac_permissions.xml
/system/etc/security/
Thisdoesnotrequireasetpropselinux.reload_policy1.Uninstallandreinstallthe
benchmarkAPK,andcheckthelogs:
I/SELinuxMMAC(2564):package(org.zeroxlab.zeroxbenchmark)installedwith
seinfo=default
OK.Itstilldidn’twork.Whenweexaminedthecode,themac_permissions.xmlfilewas
loadedduringpackagemanagerservicestart.Thisfilewon’tgetreloadedwithouta
reboot,solet’suninstallthebenchmarkAPK,andreboottheUDOO.Afterit’sbeen
bootedandadbisenabled,triggeradynamicreload,installtheAPK,andchecklogcat.It
shouldhave:
I/SELinuxMMAC(2559):package(org.zeroxlab.zeroxbenchmark)installedwith
seinfo=benchmark
Nowlet’sverifytheprocessdomainbylaunchingtheAPK,checkingps,andverifyingits
applicationprivatedirectory:
<launchapk>
$adbshellps-Z|greporg.zeroxlab.zeroxbenchmark
u:r:benchmark_app:s0u0_a4534932285org.zeroxlab.zeroxbenchmark
$adbshellls-Z/data/data|greporg.zeroxlab.zeroxbenchmark
drwxr-x--xu0_a45u0_a45u:object_r:benchmark_app_data_file:s0
org.zeroxlab.zeroxbenchmark
Thistime,allthetypescheckout.Wesuccessfullycreatedanewcustomdomain.
www.it-ebooks.info
www.it-ebooks.info
Summary
Inthischapter,weinvestigatedhowtoproperlylabelapplicationprivatedatadirectories
aswellastheirruntimecontextsviatheconfigurationfilesandSELinuxpolicy.Wealso
lookedintothesubsystemsandcodetomakeallofthisworkaswellassomebasicthings
thatmaygowrongalongtheway.Inthenextchapter,wewillexpandonhowthepolicy
andconfigurationfilesgetbuiltbypeeringintotheSEforAndroidbuildsystem.
www.it-ebooks.info
www.it-ebooks.info
Chapter11.LabelingProperties
Inthischapter,wewillcoverhowtolabelpropertiesviatheproperty_contextsfile.
PropertiesareauniqueAndroidfeaturewelearnedaboutinChapter3,AndroidIsWeird.
Wewanttolabelthesetorestrictsettingofourpropertiestoonlythedomainsthatshould
setthem,preventingaclassicDACrootattackfrominadvertentlychangingthevalue.In
thischapter,wewilllearnto:
Createnewproperties
Labelnewandexistingproperties
Interpretanddealwithpropertydenials
EnumeratespecialAndroidpropertiesandtheirbehaviors
www.it-ebooks.info
Labelingviaproperty_contexts
Allpropertiesarelabeledusingtheproperty_contextsfile,anditssyntaxissimilarto
file_contexts.However,insteadofworkingonfilepaths,itworksonpropertynamesor
propertykeys(propertiesinAndroidareakey-valuestore).Thepropertykeysthemselves
aretypicallydelimitedwithperiods(.).Thisisanalogoustofile_contexts,exceptthe
slash(/)becomesaperiod.Somesamplepropertiesandtheirentriesin
property_contextswouldlooklikethefollowing:
ctl.ril-daemonu:object_r:ctl_rildaemon_prop:s0
ctl.u:object_r:ctl_default_prop:s0
Noticehowallctl.propertiesarelabeledwiththectl_default_proptype,butctl.rildaemonhasadifferenttypelabelofctl_rildaemon_prop.Thesearerepresentativeofhow
youcanstartgenericallyandmovetomorespecificvalues/typesasnecessary.
Additionally,anythingnotexplicitlylabeleddefaultstodefault_propthrougha“match
all”expressioninproperty_contexts:
#defaultpropertycontext
*u:object_r:default_prop:s0
www.it-ebooks.info
www.it-ebooks.info
Permissionsonproperties
Onecanviewthecurrentpropertiesonthesystem,andcreatenewoneswiththecommand
lineutilitiesgetpropandsetprop,asshowninthefollowingcodesnippet:
root@udoo:/#getprop
...
[sys.usb.state]:[mtp,adb]
[wifi.interface]:[wlan0]
[wlan.driver.status]:[unloaded]
RecallfromChapter3,AndroidIsWeird,thatpropertiesaremappedintoeveryone’s
addressspace,thusanyonecanreadthem.However,noteveryonecanset(write)them.
TheDACpermissionmodelforpropertiesishardcodedinto
system/core/init/property_service.c:
/*Whitelistofpermissionsforsettingpropertyservices.*/
struct{
constchar*prefix;
unsignedintuid;
unsignedintgid;
}property_perms[]={
{"net.rmnet0.",AID_RADIO,0},
{"net.gprs.",AID_RADIO,0},
{"net.ppp",AID_RADIO,0},
...
{"persist.service.bdroid.",AID_BLUETOOTH,0},
{"selinux.",AID_SYSTEM,0},
{"persist.audio.device",AID_SYSTEM,0},
{NULL,0,0}
YoumusthavetheUIDorGIDintheproperty_permsarraytosetanypropertythatthe
prefixmatcheswith.Forinstance,inordertosettheselinux.properties,youmustbe
UIDAID_SYSTEM(uid1000)orroot.Yes,rootcanalwayssetaproperty,andthisisakey
benefittoapplyingSELinuxtoAndroidproperties.Unfortunately,thereisnowayto
getprop-Ztolistthepropertiesandtheirlabels,likewithls-Zandfiles.
www.it-ebooks.info
www.it-ebooks.info
Relabelingexistingproperties
Inordertobecomemorecomfortablewithlabelingproperties,let’srelabelthe
wifi.interfaceproperty.First,let’sverifyitscontextbycausingadenialandviewing
thedeniallog,asshowninthefollowingcode:
root@udoo:/#setpropwifi.interfacewlan0
avc:denied{set}forproperty=wifi.interfacescontext=u:r:shell:s0
tcontext=u:object_r:default_prop:s0tclass=property_service
AninterestingactionoccurredwhenweexecutedthesetpropcommandovertheUDOO
serialconsole.TheAVCdenialrecordwasprintedout.Thisisbecausetheserialconsole
includesanythingprintedfromthekernelusingprintk().Whathappenshereistheinit
process,whichcontrolssetpropsasdetailedinChapter3,AndroidIsWeird,writesa
messagetothekernellog.Thislogmessageshowsupwhenweexecuteoursetprop
command.Ifyourunthisthroughadbshell,you’llseethemessageontheserialconsole,
butnotintheadbconsole.Todothis,however,youmustrebootyoursystembecause
SELinuxonlyprintsdenialrecordsoncewhileinpermissivemode.
Thecommandusingadbshellisasfollows:
$adbshellsetpropwifi.interfacewlan0
Thecommandusingtheserialconsoleisasfollows:
root@udoo:/#avc:denied{set}forproperty=wifi.interface
scontext=u:r:shell:s0tcontext=u:object_r:default_prop
usb2-1.3:devicedescriptorread/64,error-110
Fromthedenialoutput,wecanseethatthepropertytypelabelisdefault_prop.Let’s
changethistowifi_prop.
Westartbyeditingproperty.teinthesepolicydirectorytodeclarethenewtypeto
labelthesepropertiesbyappendingthefollowingline:
typewifi_prop,property_type;
Withthetypedeclared,thenextstepistoapplythelabelbymodifying
property_contextsbyaddingthefollowing:
#wifiproperties
wifi.u:object_r:wifi_prop:s0
Buildthepolicy,asfollows:
$mmmexternal/sepolicy
Pushthenewproperty_contextsfile:
$adbpushout/target/product/udoo/root/property_contexts
/data/security/current
51KB/s(2261bytesin0.042s)
Triggeradynamicreload:
www.it-ebooks.info
$adbshellsetpropselinux.reload_policy1
#setpropwifi.interfacewlan0
avc:denied{set}forproperty=wifi.interfacescontext=u:r:shell:s0
tcontext=u:object_r:default_prop:s0tclass=property_service
Ok,thatdidn’twork!Theproperty_contextsfilemustbein/data/security,not
/data/security/current.
Todiscoverthis,searchthelibselinux/src/android.cfile.Thereisnomentionof
property_contextsinthisfile;thus,itmustbementionedelsewhere.Thisleadsusto
searchsystem/core,whichcontainsthepropertyserviceforusesofthatfile.Thematches
areoncodeininit.ctoloadthefilefromprioritylocations.
$grep-rnproperty_contexts*
init/init.c:745:{SELABEL_OPT_PATH,"/data/security/property_contexts"},
init/init.c:746:{SELABEL_OPT_PATH,"/property_contexts"},
init/init.c:760:ERROR("SELinux:Couldnotloadproperty_contexts:%s\n",
Let’spushtheproperty_contextsfiletotheproperlocationandtryagain:
$adbpushout/target/product/udoo/root/property_contexts/data/security
51KB/s(2261bytesin0.042s)
$adbshellsetpropselinux.reload_policy1
root@udoo:/#setpropwifi.interfacewlan0
avc:receivedpolicyloadnotice(seqno=3)
init:sys_prop:permissiondenieduid:0name:wifi.interface
Wow!Itfailedyetagain.Thisexercisewasmeanttopointouthowtrickythiscanbeif
youforgettodosomething.Noinformativedenialmessagesweredisplayed,onlyan
indicatorthatitwasdenied.Thisisbecausethesepolicyfilethatcontainsthetype
declarationforwifi_propwasneverpushed.Thiscausescheck_mac_perms()in
system/core/init/property_service.ctofailintheselinux_check_access()function
becauseitcannotfindthetypetocomputetheaccesscheckagainst,eventhoughthelook
upinproperty_contextssucceeded.Therearenoverboseerrorlogsfromthis.
Wecancorrectthisbyensuringthatthesepolicyispushedaswell:
$adbpushout/target/product/udoo/root/sepolicy/data/security/current/
550KB/s(87385bytesin0.154s)
$adbshellsetpropselinux.reload_policy1
root@udoo:/#setpropwifi.interfacewlan0
avc:receivedpolicyloadnotice(seqno=4)
avc:denied{set}forproperty=wifi.interfacescontext=u:r:shell:s0
tcontext=u:object_r:wifi_prop:s0tclass=property_service
Nowweseeadenialmessage,asexpected,butthelabelofthetarget(orproperty)is
u:object_r:wifi_prop:s0.
Nowwiththetargetpropertylabeled,youcanallowaccesstoit.Notethatthisisa
contrivedexample,andintherealworld,youprobablywouldnotwanttoallowaccess
fromshelltomostproperties.Thepolicyshouldalignwithyoursecuritygoalsandthe
propertyofleastprivilege.
Wecanaddanallowruleinshell.teinthefollowingway:
www.it-ebooks.info
#wifiprop
allowshelldomainwifi_prop:property_serviceset;
Compilethepolicy,pushittothephone,andtriggeradynamicreload:
$mmmexternal/sepolicy/
$adbpushout/target/product/udoo/root/sepolicy/data/security/current/
547KB/s(87397bytesin0.155s)
$adbshellsetpropselinux.reload_policy1
Nowattempttosetthewifi.interfacepropertyandnoticethelackofdenial.
root@udoo:/#setpropwifi.interfacewlan0
avc:receivedpolicyloadnotice(seqno=5)
www.it-ebooks.info
www.it-ebooks.info
Creatingandlabelingnewproperties
Allpropertiesaredynamicallycreatedinthesystemusingsetpropcallsorfunctioncalls
thatdotheequivalentfromC(bionic/libc/include/sys/system_properties.h)and
Java(android.os.SystemProperties).NotethattheSystem.getProperty()and
System.setProperty()Javacallsworkonapplicationprivatepropertystoresandarenot
tiedintotheglobalone.
ForDACcontrols,youneedtomodifyproperty_perms[]asnotedearliertohave
permissionsfornon-rootuserstocreateorsettheproperty.Notethatrootcanalwaysset
andcreate,unlessconstrainedbySELinuxpolicy.
Supposewewanttocreatetheudoo.nameandudoo.ownerproperties;weonlywantthe
rootuserandshelldomaintoaccessthem.Wecouldcreatethemlikethis:
root@udoo:/#setpropudoo.nameudoo
avc:denied{set}forproperty=udoo.namescontext=u:r:shell:s0
tcontext=u:object_r:default_prop:s0tclass=property_service
root@udoo:/#setpropudoo.ownerWilliam
Noticethedenialshowstheseasbeingdefault_proptype.Tocorrectthis,wewould
relabelthese,exactlyaswedidintheprecedingsection,Relabelingexistingproperties.
www.it-ebooks.info
www.it-ebooks.info
Specialproperties
InAndroid,therearesomespecialpropertiesthathavedifferentbehaviors.Weenumerate
thepropertynamesandmeaningsintheproceedingsections.
www.it-ebooks.info
Controlproperties
Propertiesthatstartwithctlarereservedascontrolpropertiesforcontrollingservices
throughinit:
start:Startsaservice(setpropctl.start<servicename>)
stop:Stopsaservice(setpropctl.stop<servicename>)
restart:Restartsaservice(setpropctl.restart<servicename>)
www.it-ebooks.info
Persistentproperties
Anypropertystartingwiththeprefixpersistpersistsacrossrebootsandisrestored.The
dataissavedto/data/propertyinfilesofthesamenameastheproperty.
root@udoo:/#ls/data/property/
persist.gps.oacmode
persist.service.bdroid.bdaddr
persist.sys.profiler_ms
persist.sys.usb.config
www.it-ebooks.info
SELinuxproperties
Theselinux.reload_policypropertyisspecial.Aswehaveseen,itsuseisfortriggering
adynamicreloadevent.
www.it-ebooks.info
www.it-ebooks.info
Summary
Inthischapter,wehaveexaminedhowtocreateandlabelnewandexistingpropertiesand
someoftheodditiesthatoccurwhendoingso.Wehavealsoexaminedthehardcoded
DACpermissiontableforpropertiesinproperty_service.c,aswellasthehardcoded
specialtypropertieslikethectl.family.Inthenextchapter,welookathowthetoolchain
buildsandcreatesallthepolicyfileswehavebeenusing.
www.it-ebooks.info
www.it-ebooks.info
Chapter12.MasteringtheToolChain
Sofar,wehavetakenadeepdiveintothecodeandpoliciesthatdriveSEforAndroid
technologies,butthebuildsystemandtoolsareoftenoverlooked.Masteringthetoolchain
willhelpyouimproveyourdevelopmentpractices.Inthischapter,wewilllookatallthe
componentsoftheSEforAndroidbuildandhowtheywork.Wewillcoverthefollowing
topics:
Buildingspecifictargets
ThesepolicyAndroid.mkfile
Custombuildpolicyconfiguration
Buildtools:
check_seapp
insertkeys.py
checkpolicy
checkfc
sepolicy-check
sepolicy-analyze
www.it-ebooks.info
Buildingsubcomponents–targetsand
projects
Sofar,wehaverunsomemagicalcommandssuchasmm,mmm,andmakebootimageto
actuallybuildvariousportionsoftheSEforAndroidcode.Googleofficiallydescribes
someofthesetoolsinthedocumentsathttps://source.android.com/source/buildingrunning.html,butmostcommandsarenotlisted.Nonetheless,
http://elinux.org/Android_Build_Systemhasawriteupthatismorecomprehensive.
InGoogle’s“buildingandrunning”documentation,theydescribethetargetasthedevice,
whichisultimatelywhatyoulunchfor.WhenbuildingAndroid,thelunchcommandsets
upenvironmentvariablesforthemakecommandyouexecutelater.Itsetsupthebuild
systemtooutputthecorrectconfigurationforthetargetdevice.Thisconceptofatargetis
notwhatwillbediscussedinthischapter.Instead,whentargetismentionedherein,it
meansaspecificmaketarget.However,intheeventofneedingtomentionthetarget
device,thecompletephrase“targetdevice”willbeused.Whilesomewhatconfusing,
thisterminologyisstandardandwillbeunderstoodbyengineersinthefield.
Wehaveissuedmakeafewtimes,optionallyprovidingatargetasanargumentandan
option,forexamplethe-j16option.Somethinglikemakeormake-j16essentiallybuilds
allofAndroid.Optionally,youcanspecifyatargetorlistoftargetsascommand
arguments.Anexampleofthisiswhenboot.imgwasbuilt.Theboot.imgfilecanbebuilt
andrebuiltbyspecifyingthebootimagetarget.Thecommandweuseforthispurposeis
makebootimage.Ithelpstoexpeditebuildsbyrebuildingonlytheportionsofthesystem
thatareneeded.Butwhatifyouonlyneedtorebuildaparticularfile?Perhaps,youonly
wanttorebuildsepolicy.Youcanspecifythatasthetargettobuild,asinmakesepolicy.
Thisleadstothequestion,“Whatabouttheotherfilessuchasmac_permissions.xml,
seapp_contexts,andsoon?”Theycanbebuiltinthesameway.Themoreintriguing
questionis,“Howdoesoneknowwhatthetargetnameis?Isitalwaysthefileoutput
name?”
Android’sbuildsystemisconstructedontopofGNUmake
(http://www.gnu.org/software/make/).ThecoreoftheAndroidbuildsystem’smakefiles
systemcanbefoundinbuild/core,andthedocumentationcanbefoundintheNDK
(https://developer.android.com/tools/sdk/ndk/index.html).Themajortakeawayfromthat
readingisthatatypicalAndroid.mkfiledefinessomethingcalledLOCAL_MODULE:=
mymodulename,andsomethingcalledmymodulenameisbuilt.Thetargetnamesaredefined
bytheseLOCAL_MODULEstatements.Let’slookattheAndroid.mkforexternalsepolicy,and
focusonthesepolicyportionofit,asthereareotherlocalmodulesortargetsdefinedin
thatMakefile.ThefollowingisanexamplefromAndroid4.3:
include$(CLEAR_VARS)
LOCAL_MODULE:=sepolicy
LOCAL_MODULE_CLASS:=ETC
LOCAL_MODULE_TAGS:=optional
LOCAL_MODULE_PATH:=$(TARGET_ROOT_OUT)
www.it-ebooks.info
...
OnecanfindallthemodulesforwithinanAndroid.mkfilebyjustlookingforlinesthat
beginwithLOCAL_MODULEdeclarationsandarewholewordmatches:
$grep-w'^LOCAL_MODULE'Android.mk
LOCAL_MODULE:=sepolicy
LOCAL_MODULE:=file_contexts
LOCAL_MODULE:=seapp_contexts
LOCAL_MODULE:=property_contexts
LOCAL_MODULE:=selinux-network.sh
LOCAL_MODULE:=mac_permissions.xml
LOCAL_MODULE:=eops.xml
Regularexpressionsdictatethat^isthebeginningoftheline,andthegrepmanpage
statesthat-wprovideswholewordsearch.
TheprecedinglistiscomprehensivefortheversionofAndroidweareusingonthe
UDOO.However,youshouldrunthecommandonyourexactversionoftheMakefileto
getanideaofwhatthingscanbebuilt.
Androidhassomeadditionaltoolsthatareseparatefrombuildingtargetsandgetaddedto
yourenvironmentwhenyouusesourcebuild/envsetup.sh.Thesearemmandmmm.They
bothperformthesametask,whichistobuildallthetargetsspecifiedinanAndroid.mk
file,however,differingthattheydonotbuildanyoftheirdependencies.Thetwo
commandsonlydifferinwheretheysourcethelocationoftheAndroid.mktoscourfor
buildtargets.Themmcommandusesthecurrentworkingdirectory,whereasmmmusesa
suppliedpath.Also,agreatoptionforeithercommandis-B,whichforcesarebuild.An
engineercansavealotoftimebyusingthemm(m)commandsovermake<target>.The
fullmakecommandwastesalotoftimefiguringoutthedependencytree,soexecutingmmm
path/to/projectonapreviouslybuiltsourcetree(ifyouknowthatallyourchangesare
withinaproject)cansaveafewminutes.However,sinceitdoesn’tbuildthe
dependencies,you’llneedtoensurethattheyarealreadybuiltandhavenodependent
changes.
www.it-ebooks.info
www.it-ebooks.info
Exploringsepolicy’sAndroid.mk
Theprojectlocatedatexternal/sepolicyusesanAndroid.mkfile,likeanyother
Androidproject,tobuildtheiroutputs.Let’sdissectthisfileandseewhatitdoes.
www.it-ebooks.info
Buildingsepolicy
We’llstartinthemiddlebylookingatthetargetforsepolicy.Itstartsoffwithfairly
boilerplateAndroid.mkstuff:
...
include$(CLEAR_VARS)
LOCAL_MODULE:=sepolicy
LOCAL_MODULE_CLASS:=ETC
LOCAL_MODULE_TAGS:=optional
LOCAL_MODULE_PATH:=$(TARGET_ROOT_OUT)
include$(BUILD_SYSTEM)/base_rules.mk…
Thenextportionisabitmorelikestandardmake.Itstartsoffbydeclaringatargetfilethat
getsbuiltintotheintermediateslocation.Theintermediateslocationisdefinedbythe
Androidbuildsystem.ItthenassignsthevaluesofMLS_SENSandMLS_CATStosomelocal
variablesforlateruse.Thelastlineisthemostinteresting.Itusesamakefunction,called
build_policy,andtakesfilenamesasarguments:
...
sepolicy_policy.conf:=$(intermediates)/policy.conf
$(sepolicy_policy.conf):PRIVATE_MLS_SENS:=$(MLS_SENS)
$(sepolicy_policy.conf):PRIVATE_MLS_CATS:=$(MLS_CATS)
$(sepolicy_policy.conf):$(callbuild_policy,security_classes
initial_sidsaccess_vectorsglobal_macrosmls_macrosmls
policy_capabilitieste_macrosattributesbools*.terolesusers
initial_sid_contextsfs_usegenfs_contextsport_contexts)
...
Next,wedefinetherecipeforbuildingthisintermediatetarget,policy.conf.The
interestingbitsoftherecipearethem4commandandthesedcommand.
Note
Formoreinformationonm4,seehttp://www.gnu.org/software/m4/manual/m4.html,and
formoreinformationonsed,refertohttps://www.gnu.org/software/sed/manual/sed.html.
SELinuxpolicyfilesgetprocessedusingm4.m4isamacroprocessorlanguagethatisoften
usedasafrontendtoacompiler.Them4commandtakessomeofthevaluessuchas
PRIVATE_MLS_SENSandPRIVATE_MLS_CATSandpassesthemthroughasmacrodefinitions.
Thisisanalogoustothegcc-Doption.Itthentakesthedependenciesforthetargetas
inputviathemakeexpansion,$^,andoutputsthemtothetargetnameusingthemake
expansionof$@.Italsotakesthatoutputandgeneratesa.dontauditversion.Thatversion
hasallofthedontauditlinesdeletedfromthepolicyfileusingsed.TheMLSvaluestell
SELinuxhowmanycategoriesandsensitivitiestogenerate.Thesemustbestatically
definedinthepolicyblobthatisloadedintothekernel,asfollows:
...
@mkdir-p$(dir$@)
$(hide)m4-Dmls_num_sens=$(PRIVATE_MLS_SENS)-D
mls_num_cats=$(PRIVATE_MLS_CATS)-s$^>$@
$(hide)sed'/dontaudit/d'$@>[email protected]…
www.it-ebooks.info
Thenextportiondefinestherecipeforbuildingtheactualtarget,namedfrom
LOCAL_MODULE_POLICY,evenifthisisnotobvious.LOCAL_BUILT_MODULEexpandstothe
intermediatefiletobebuilt,sepolicyinthiscase.ItfinallygetscopiedbytheAndroid
buildsystemasLOCAL_INSTALLED_MODULEbehindthescenes.Thistargetdependsonthe
intermediatepolicy.conffileandoncheckpolicy.Itusescheckpolicytotransformthe
m4expandedpolicy.confandpolicy.conf.dontauditintotwosepolicyfiles,sepolicy
andsepolicy.dontaudit.TheactualtoolthatisusedtocompiletheSELinuxstatements
inbinaryformtoloadtothekernelischeckpolicy,asfollows:
...
$(LOCAL_BUILT_MODULE):$(sepolicy_policy.conf)
$(HOST_OUT_EXECUTABLES)/checkpolicy
@mkdir-p$(dir$@)
$(hide)$(HOST_OUT_EXECUTABLES)/checkpolicy-M-c$(POLICYVERS)-o$@$<
$(hide)$(HOST_OUT_EXECUTABLES)/checkpolicy-M-c$(POLICYVERS)-o$(dir
$<)/$(notdir$@).dontaudit$<.dontaudit…
Finally,itendsbysettingalocalvariable,built_policy,foruseelsewherewithinthe
Android.mkfile,andclearspolicy.conftoavoidpollutingtheglobalnamespaceofmake,
asshown:
...
built_sepolicy:=$(LOCAL_BUILT_MODULE)
sepolicy_policy.conf:=
...
Additionally,buildingsepolicyalsodependsonthePOLICYVERSvariable,whichis
conditionallyassignedavalueof26ifnotset.Thisisthepolicyversionnumberusedby
checkpolicy,andaswesawearlierinthebook,wehadtooverridethisforourUDOO.
www.it-ebooks.info
Controllingthepolicybuild
Wesawthatthesepolicystatementcallsthebuild_policyfunction.Wealsoseeitsuse
inthatAndroid.mkfileforbuildingsepolicy,file_contexts,seapp_contexts,
property_contexts,andmac_permissions.xml,soitreasonsthatitisfairlyimportant.
Thisfunctionoutputsalistoffullyresolvedpathsusedforpolicyfiles.Thefunctiontakes
asinputsavariableargumentlistoffilenamesandincludesregularexpressionsupport
(note*.teinthebuild_policyfortargetsepolicy).Internally,thatfunctionusessome
magictoallowyoutooverrideorappendtothecurrentpolicybuildwithoutmodifyingthe
external/sepolicydirectorydirectly.ThisismeantforOEMsanddevicebuilderstobe
abletoaugmentpolicytocovertheirspecificdevices.
Whenbuildingapolicy,youcansetthefollowingmakevariables,typicallyinthedevice’s
Makefile,tocontroltheresultingbuild.Thevariablesareasfollows:
BOARD_SEPOLICY_DIRS:Thisisthesearchpathforpotentialpolicyfiles
BOARD_SEPOLICY_UNION:Thisisapolicyfileofnametoappendtoallfileswiththe
samename
BOARD_SEPOLICY_REPLACE:Thisisapolicyfileusedtooverridethebase
external/sepolicypolicyfile
BOARD_SEPOLICY_IGNORE:Thisisusedtoremoveaparticularpolicyfilefromthe
build,givenarepository’srelativepath
UsingtheUDOOasanexample,theproperwaytoauthorapolicywasnevertomodify
external/sepolicybuttocreateadirectoryindevice/fsl/udoo/sepolicy:
$mkdir<PATH>
ThenwemodifytheBoardConfig.mk:
$vimBoardConfig.mk
Next,weaddthefollowinglines:
BOARD_SEPOLICY_DIRS+=device/fsl/udoo/sepolicy
Tip
Beverycarefulwith+=asopposedto:=.Inlargeprojecttrees,someofthesevariables
maybesethigherinthebuildtreebycommonBoardConfigs,andyoucouldwipeout
theirsettings.Typically,thesafestbetis+=.Forfurtherdetails,seeVariableAssignmentin
theGNUmakemanual,athttp://www.gnu.org/software/make/manual/make.html.
Thiswilltellthebuild_policy()functioninAndroid.mktosearchnotonly
external/sepolicybutalsodevice/fsl/udoo/sepolicyforpolicyfiles.
Next,wecancreateafile_contextsfileinthisdirectory,andmoveourchangesfor
labelingtothisdirectorybycreatinganewfile_contextsfilein
device/fsl/udoo/sepolicy.
Afterthis,weneedtoinstructthebuildsystemtocombine,orunion,ourfile_contexts
www.it-ebooks.info
filewiththeoneinexternal/sepolicy.Weaccomplishthisbyaddingthefollowing
statementtotheBoardConfig.mkfile:
BOARD_SEPOLICY_UNION+=file_contexts
Youcandothisforanypolicyfile,evencustomfiles.Itdoesamatchonthefilenameby
basenameonly(nodirectories).Forinstance,ifyouhadawatchdog.terulesfileyou
wantedtoaddtothebasewatchdog.terulesfile,youcouldjustaddwatchdog.te,as
shown:
BOARD_SEPOLICY_UNION+=file_contextswatchdog.te
Thisproducesanewwatchdog.tefileduringthebuildthatunionsyournewruleswiththe
onesfoundinexternal/sepolicy/watchdog.te.
AlsonotethatyouaddnewfilesintothebuildwithBOARD_SEPOLICY_UNION,sotoadda
.tefileforacustomdomain,suchascustom.te,youcould:
BOARD_SEPOLICY_UNION+=file_contextswatchdog.tecustom.te
Let’ssayyouwanttooverridetheexternal/sepolicywatchdog.tefilewithyourown.
YoucanaddittoBOARD_SEPOLICY_REPLACE,asshown:
BOARD_SEPOLICY_REPLACE:=watchdog.te
Notethatyoucan’treplaceafilethatdoesnotexistinthebasepolicy.Also,youcan’t
havethesamefileappearinUNIONandREPLACE,asit’sambiguous.Youcan’thavemore
thanonespecificationofBOARD_SEPOLICY_REPLACEonthesamepolicyfile.
Supposewehaveahierarchicalbuildoccurringfortwofictitiousdevices,deviceXand
deviceY.Thetwodevices,deviceXanddeviceY,bothinheritBoardConfigCommon.mk
fromdeviceA.DeviceAisnotarealdevice,butsinceXandYsharecommonalities,the
commonbitsarekeptindeviceA.
SupposetheBoardConfigCommon.mkfordeviceAcontainsthesestatements:
BOARD_SEPOLICY_DIRS+=device/OEM/A
BOARD_SEPOLICY_UNION+=file_contextscustom.te
SupposethatdeviceX’sBoardConfig.mkcontains:
BOARD_SEPOLICY_DIRS+=device/OEM/X
BOARD_SEPOLICY_UNION+=file_contextscustom.te
Finally,supposedeviceY’sBoardConfig.mkcontains:
BOARD_SEPOLICY_DIRS+=device/OEM/Y
BOARD_SEPOLICY_UNION+=file_contextscustom.te
TheresultingpolicysetsusedtobuilddeviceXanddeviceYarethefollowing:
DeviceXpolicyset:
device/OEM/A/file_contexts
device/OEM/A/custom.te
device/OEM/X/file_contexts
www.it-ebooks.info
device/OEM/X/custome.te
external/sepolicy/*(basepolicyfiles)
DeviceYalsocontains:
device/OEM/A/file_contexts
device/OEM/A/custom.te
device/OEM/Y/file_contexts
device/OEM/Y/custom.te
external/sepolicy/*(basepolicyfiles)
Inacommonscenario,youmightnotwanttheresultingpolicysetfordeviceYtocontain
device/OEM/A/custom.te.ThisisausecaseforBOARD_SEPOLICY_IGNORE.Youcanuse
thistofilteroutspecificpolicyfiles.However,youhavetobespecificandusethe
repository’srelativepath.Forexample,indeviceY’sBoardConfig.mk:
BOARD_SEPOLICY_IGNORE+=device/OEM/A/custom.te
Now,whenyoubuildapolicyfordeviceY,thepolicysetwillnotincludethatfile.
BOARD_SEPOLICY_IGNOREcanalsobeusedwithBOARD_SEPOLICY_REPLACE,allowing
multipleusesinthedevicehierarchy,butonlyoneBOARD_SEPOLICY_REPLACEstatement
takeseffect.
www.it-ebooks.info
Diggingdeeperintobuild_policy
Nowthatwehaveseenhowtousesomenewmechanismstocontrolthepolicybuild,let’s
actuallydissectwhereinthebuildprocesshappens.Asstatedearlier,thepolicybuildis
controlledbytheAndroid.mkfile.Weencounteredcallstothebuild_policy()function
earlier,andthisispreciselywherethemagichappenswithrespecttoallofthe
BOARD_SEPOLICY_*variablesweset.Examiningthebuild_policyfunction,wesee
referencestothesepolicy_replace_pathsvariable,solet’sstartbylookingatthat
variable.
Thesepolicy_replace_pathsvariablebeginslifebygettingevaluatedwhenthe
Makefileisevaluated.Inotherwords,itisexecutedunconditionally.Thecodestartsoff
byloopingoveralltheBOARD_SEPOLICY_REPLACEfilesandcheckswhetheranyarein
BOARD_SEPOLICY_UNION.Ifoneisfound,anerrorisprintedandthebuildfails,showing
Ambiguousrequestforsepolicy$(pf).Appearsinboth
BOARD_SEPOLICY_REPLACEandBOARD_SEPOLICY_UNION,where$(pf)isexpandedtothe
offendingpolicyfile.Afterthat,itexpandstheBOARD_SEPOLICY_REPLACEentrieswith
thosefoundonthesearchpathssetbyBOARD_SEPOLICY_DIRS,thusresultinginfull
relativepathsfromtherootoftheAndroidtree.Thenitfilterstheseentriesagainst
BOARD_SEPOLICY_IGNORE,droppinganythingthatshouldbeignored.Itthenensuresthat
onlyonefilecandidateforreplacementisfound.Otherwise,itissuestheappropriateerror
message.Lastly,itensuresthatthefileexistsintheLOCAL_PATHorbasepolicy,andifnone
ofthetwoisfound,itissuesanerrormessage:
...
#QuickedgecaseerrordetectionforBOARD_SEPOLICY_REPLACE.
#Buildsthesingularpathforeachreplacefile.
sepolicy_replace_paths:=
$(foreachpf,$(BOARD_SEPOLICY_REPLACE),\
$(if$(filter$(pf),$(BOARD_SEPOLICY_UNION)),\
$(errorAmbiguousrequestforsepolicy$(pf).Appearsinboth\
BOARD_SEPOLICY_REPLACEandBOARD_SEPOLICY_UNION),\
)\
$(eval_paths:=$(filter-out$(BOARD_SEPOLICY_IGNORE),\
$(wildcard$(addsuffix/$(pf),$(BOARD_SEPOLICY_DIRS)))))\
$(eval_occurrences:=$(words$(_paths)))\
$(if$(filter0,$(_occurrences)),\
$(errorNosepolicyfilefoundfor$(pf)in$(BOARD_SEPOLICY_DIRS)),\
)\
$(if$(filter1,$(_occurrences)),\
$(evalsepolicy_replace_paths+=$(_paths)),\
$(errorMultipleoccurrencesofreplacefile$(pf)in$(_paths))\
)\
$(if$(filter0,$(words$(wildcard$(addsuffix/$(pf),
$(LOCAL_PATH))))),\
$(errorSpecifiedthesepolicyfile$(pf)inBOARD_SEPOLICY_REPLACE,\
butnonefoundin$(LOCAL_PATH)),\
)\
)
Afterthis,callstobuildpolicycanusereplace_pathsasanexpandedlistoffilesthat
www.it-ebooks.info
willbereplacedduringthebuild.
Theargumentsofthebuild_policyfunctionarethefilenamesyouwishtoexpandinto
theirAndroidroot-relativepathnames,usingthepowerprovidedbythe
BOARD_SEPOLICY_*familyofvariables.Forinstance,acallto$(build_policy,
file_contexts)inthecontextofourdevicesA,X,andYwouldresultinthis:
device/OEM/A/file_contexts
device/OEM/Y/file_contexts
Thebuild_policyfunctionisabittrickytoread.Manynestedfunctioncallsresultinthe
deepestindentsrunningfirst.However,likeallcode,wereaditfromtoptobottomand
lefttoright,sotheexplanationwillbeginthere.Thefunctionstartsbyloopingthroughall
thefilespassedasarguments.ItthenexpandsthemagainsttheBOARD_SEPOLICY_DIRS
onceforreplaceandonceforaunion.Thesepolicy_replace_pathsvariableiserror
checkedtoensureafiledoesnotappearinbothlocations,replaceandunion.Forthe
replacepathexpansion,itcheckswhethertheexpandedpathisin
sepolicy_replace_dirs,andifitis,replacesit.Fortheunionportion,itjustexpands
them.Theresultsoftheseexpansionsarethenfedthroughafilteron
BOARD_SEPOLICY_IGNORE,thusdroppinganyoftheexplicitlyignoredpaths:
#Buildspathsforallrequestedpolicyfilesw.r.t
#bothBOARD_SEPOLICY_REPLACEandBOARD_SEPOLICY_UNION
#productvariables.
#$(1):thesetofpolicynamepathstobuild
build_policy=$(foreachtype,$(1),\
$(filter-out$(BOARD_SEPOLICY_IGNORE),\
$(foreachexpanded_type,$(notdir$(wildcard$(addsuffix/$(type),
$(LOCAL_PATH)))),\
$(if$(filter$(expanded_type),$(BOARD_SEPOLICY_REPLACE)),\
$(wildcard$(addsuffix$(expanded_type),$(sort$(dir
$(sepolicy_replace_paths))))),\
$(LOCAL_PATH)/$(expanded_type)\
)\
)\
$(foreachunion_policy,$(wildcard$(addsuffix/$(type),
$(BOARD_SEPOLICY_DIRS))),\
$(if$(filter$(notdir$(union_policy)),$(BOARD_SEPOLICY_UNION)),\
$(union_policy),\
)\
)\
)\
)
...
www.it-ebooks.info
Buildingmac_permissions.xml
Themac_permissions.xmlbuildisabittricky,aswesawinChapter10,Placing
ApplicationsinDomains.First,mac_permissions.xmlcanbeusedwithallthe
BOARD_SEPOLICY_*variablesintroducedthusfar.TheendresultisoneXMLfileadhering
totherulesofthosevariables.Additionally,therawXMLfilesareprocessedbyatool
calledinsertkeys.py,locatedinsepolicy/tools.Theinsertkeys.pytooluses
keys.conftomaptagsintheXMLfilesignaturestanzawith.pemfilescontainingthe
certificate.Thekeys.conffileisalsosubjecttouseinBOARD_SEPOLICY_*variables.The
buildrecipefirstcallsbuild_policyonkeys.confandusesm4toconcatenatetheresults.
Thus,m4declarationsinkeys.confwillberespected.However,thishasnotbeenused.
Theinitialintentionwastousethem4-ssynclinessothatyoucanfollowtheinclusion
chaininthekeys.conffilewhenconcatenatedbym4processing.Ontheotherhand,sync
linesareprovidedbym4whenconcatenatingmanyfiles,andtheyprovidecommented
linesadheringtothe#lineNUM"FILE"'lines.Theseareusefulbecausem4takesmultiple
inputfilesandcombinesthemintoasingle,expandedoutputfile.Therewillbesynclines
indicatingthebeginningofeachofthosefiles,andtheycanhelpyoutrackdownissues.
Continuingbacktothemac_permissions.xmlbuild,afterexpansionofkeys.confbym4,
thisfile,alongwithallthemac_permissions.xmlfilesfromacalltobuild_policy()are
finallyfedtoinsertkeys.py.Theinsertkeys.pytoolthenusesthekeys.conffileto
replaceallmatchingsignature=<TAG>lineswithanactualhex-encodedX509fromthe
PEMfile,thatis,signature=308E3600.Additionally,theinsertkeys.pytoolcombines
theXMLfilesintoonefile,andstripswhitespaceandcommentstoreduceitssizeondisk.
Thishasnobuilddependenciesontheothermajorfilessuchassepolicy,
seapp_contexts,property_contexts,andmac_permissions.xml.
www.it-ebooks.info
Buildingseapp_contexts
Theseapp_contextsfileisalsosubjecttoalltheBOARD_SEPOLICY_*variables.Allofthe
seapp_contextsfilesfromaresultantcalltobuild_policy()arealsofedthroughm4-s
togetasingleseapp_contextsfilethatcontainssynclines.Again,like
mac_permissions.xmlfile’sbuildofkeys.conf,m4hasn’tbeenusedotherthanforthe
synclines.Thisresulting,concatenatedseapp_contextsfileisthenfedintocheck_seapp.
ThistoolisauthoredintheCprogramminglanguageandbuiltintoanexecutableduring
thebuild.Thesourcecanbefoundintools/check_seapp.Thistoolreadsthe
seapp_contextsfileandchecksitssyntax.Itverifiesthattherearenoinvalidkeyvalue
pairs,thatlevelFromisavalididentifier,andthatthetypeanddomainfieldsarevalidfor
agivensepolicy.Thisbuildisdependentonsepolicyforthestricttypecheckingof
domainandtypefieldsagainstthepolicyfile.
www.it-ebooks.info
Buildingfile_contexts
Thefile_contextsfileisalsosubjecttoalloftheBOARD_SEPOLICY_*variables.The
resultingsetispassedthroughm4-s,andthesingleoutputisrunthroughthecheckfc
tool.Thecheckfctoolchecksthegrammarandsyntaxofthefileandalsoverifiesthatthe
typesexistinthebuiltsepolicy.Becauseofthis,itisdependentonthesepolicybuild.
www.it-ebooks.info
Buildingproperty_contexts
Theproperty_contextsbehavesexactlylikethefile_contextsbuild,exceptthatit
checksaproperty_contextsfile.Italsousescheckfc.
www.it-ebooks.info
CurrentNSAresearchfiles
Additionally,workonEnterpriseOperations(eops)isalreadyunderwayattheNSA.As
thisfeaturehasn’tbeenmergedintomainstreamAndroidandislikelytochangewildly,it
won’tbecoveredhere.However,thebestplaceforthebleedingedgeisalwaysthesource
andNSABitbucketrepositories.Theselinux-network.shalsofallsunderthiscategory;
ithasn’tseenmainstreamadoptionyet,andwilllikelybedroppedfromAOSP
(https://android-review.googlesource.com/#/c/114380/).
www.it-ebooks.info
www.it-ebooks.info
Standalonetools
TherearealsosomestandalonetoolsbuiltforAndroidpolicyevaluationthatyoumayfind
useful.Wewillexploresomeofthemandtheirusages.Mostofthestandarddesktoptools
you’llfindinotherreferencesstillworkonSEforAndroidSELinuxpolicy.Notethatif
yourunanyofthefollowingtoolsandgetasegmentationfault,youwilllikelyneedto
applythepatchfromthethreadathttp://marc.info/?l=seandroidlist&m=141684060409894&w=2.
www.it-ebooks.info
sepolicy-check
Thistoolallowsyoutoseewhetheragivenallowruleexistsinapolicyfile.Thebasic
syntaxofitscommandisasfollows:
sepolicy-check-s<domain>-t<type>-c<class>-p<permission>-P
<policy_file>
Forinstance,ifyouwanttoseewhethersystem_appcanwritetosystem_data_filefor
classfile,youcanexecute:
$sepolicy-check-ssystem_app-tsystem_data_file-cfile-pwrite-P
$OUT/root/sepolicy
www.it-ebooks.info
sepolicy-analyze
ThisisagoodtooltocheckforcommonissuesinSELinuxdevelopmentanditcatches
someofthecommonpitfallsofnewSELinuxpolicywriters.Itcancheckforequivalent
domains,duplicateallowrules.Itcanalsoperformpolicytypedifferencechecks.
Thedomainequivalencecheckfeatureisveryhelpful.Itshowsyoudomainsyoumay(in
theory)wanttobedifferent,eventhoughtheyconvergedintheimplementation.These
typeswouldbeidealcandidatestocoalesce.However,itmighthavealsoshownanissue
inthedesignofthepolicythatshouldbecorrected.Inotherwords,youdidn’texpectthese
domainstobeequivalent.Invokingthecommandisasfollows:
$sepolicy-analyze-e-P$OUT/root/sepolicy
Theduplicateallowrulecheckswhetherallowrulesexistontypesthatalsoexiston
attributesthatthetypeinheritsfrom.Theallowruleonthespecifictypeisacandidatefor
removal,sincethereisalreadyanallowontheattribute.Toexecutethischeck,runthe
followingcommand:
$sepolicy-analyze-D-P$OUT/root/sepolicy
Thedifferenceisalsohandyisalsohandytoviewtypedifferenceswithinafile.Ifyou
wanttoseewhatthedifferencebetweentwodomainsis,youcanusethisfeature.Thisis
usefulforidentifyingpossibledomainstocoalesce.Toperformthischeck,executethe
followingcommand:
$sepolicy-analyze-d-P$OUT/root/sepolicy
www.it-ebooks.info
www.it-ebooks.info
Summary
Inthischapter,wecoveredhowthevariouscomponentsthatcontrolthepolicyonthe
deviceareactuallybuiltandcreated,suchassepolicyandmac_permissions.xml.This
chapteralsopresentedtheBOARD_SEPOLICY_*variablesusedtomanageandbuildapolicy
acrossdevicesandconfigurations.ThenwereviewedtheAndroid.mkcomponents,
detailinghowtheheartofthebuildandconfigurationmanagementworks.
www.it-ebooks.info
www.it-ebooks.info
Chapter13.GettingtoEnforcingMode
Asanengineer,you’rehandedsomeAndroiddevice,andtherequirementistoapplySE
forAndroidcontrolstothedevicetoenhanceitssecurityposture.Sofar,wehaveseenall
thepiecesthatneedtobeconfiguredandhowtheyworktoenablesuchasystem.Inthis
chapter,we’lltakealltheskillscoveredtogetourUDOOinenforcingmode.Wewill:
Run,evaluate,andrespondtoauditlogsfromCTS
DevelopsecurepolicyfortheUDOO
Switchtoenforcingmode
www.it-ebooks.info
UpdatingtoSEPolicymaster
ManychangestothesepolicydirectoryhaveoccurredintheAOSPmasterbranchsince
the4.3release.Atthetimeofthiswriting,themasterbranchoftheexternal/sepolicy
projectwasonGitcommitSHAb5ffb.Theauthorsrecommendattemptingtousethe
mostrecentcommit.However,forillustrativepurposes,wewillshowyouhowto
optionallycheckoutcommitb5ffbsoyoucanaccuratelyfollowtheexamplesinthis
chapter.
First,you’llneedtoclonetheexternal/sepolicyproject.Intheseinstructions,we
assumeyourworkingdirectoryhastheUDOOsourcescontainedinthe./udoodirectory:
$gitclonehttps://android.googlesource.com/platform/external/sepolicy
$cdsepolicy
Ifyouwanttofollowtheexamplesinthischapterprecisely,you’llneedtocheckout
commitb5ffbwiththefollowingcommand.Ifyouskipit,youwillendupusingthelatest
commitinthemasterbranch:
$gitcheckoutb5ffb
Now,we’llreplacetheUDOO4.3sepolicywithwhatwejustacquiredfromGoogle:
$cd..
$rm-rfudoo/external/sepolicy
$cp-rsepolicyudoo/external/sepolicy
Optionally,youcanremovethe.gitfolderfromthenewlycopiedsepolicywiththe
followingcommand,butthisisnotnecessary:
$rm–rfudoo/external/sepolicy/.git
Also,copytheaudit.tefileandrestoreit.
Additionally,restoretheauditdcommitfromtheNSABitbucketseandroidrepository.
Foryourreference,it’scommitSHAd270aa3.
Afterthat,removeallreferencestosetoolfromudoo/build/core/Makefile.This
commandwillhelpyoulocatethem:
$grep-nwsetooludoo/build/core/Makefile
www.it-ebooks.info
www.it-ebooks.info
Purgingthedevice
Atthispoint,ourUDOOismessy,solet’sreflashit,includingthedatadirectory,andstart
afresh.Wewanttohaveonlythecodeandtheinitscriptchanges,withouttheadditional
sepolicy.Thenwecanauthorapolicyproperlyandapplyallthetechniquesandtools
we’veencountered.We’llstartbyresettingtoastateanalogoustothecompletionof
Chapter4,InstallationontheUDOO.However,themajordifferenceisweneedtobuilda
userdebugversionratherthananengineering(eng)versionforCTS.Theversionis
selectedinthesetupscript,whichultimatelycallslunch.Tobuildthisversion,executethe
followingcommandsfromtheUDOOworkspace:
$.setupudoo-userdebug
$make-j82>&1|teelogz
Flashthesystem,boottotheSDcard,andwipeuserdatawiththefollowingcommands,
assumingtheSDcardisinsertedintothehostanduserdataisnotmounted:
$mkdir~/userdata
$sudomount/dev/sdd4~/userdata
$cd~/userdata/
$sudorm-rf*
$cd..
$sudoumount~/userdata
www.it-ebooks.info
www.it-ebooks.info
SettingupCTS
YoumustpassCTSifyourorganizationseeksAndroidbranding.However,evenifyou
don’t,it’sagoodideatoruntheseteststohelpensureadevicewillbecompliantwith
applications.Basedonyoursecuritygoalsanddesires,youmayfailportionsofCTSif
you’renotseekingAndroidbranding.Forourcase,we’relookingatCTSasawayto
exercisethesystemanduncoverpolicyissuesthatpreventtheproperfunctioningofthe
UDOO.Itssourceislocatedinthects/directory,butwerecommenddownloadingthe
binarydirectlyfromGoogle.YoucangetmoreinformationandtheCTSbinaryitselffrom
https://source.android.com/compatibility/cts-intro.htmland
https://source.android.com/compatibility/android-cts-manual.pdf.
DownloadtheCTS4.3binaryfromtheDownloadstab.ThenselecttheCTSbinary.The
CompatibilityDefinitionDocument(CDD)isalsoworthreading.ItcoversthehighleveldetailsofCTSandcompatibilityrequirements.
DownloadCTSfromhttps://source.android.com/compatibility/downloads.htmlandextract
it.SelecttheCTSversionthatmatchesyourAndroidversion.Ifyoudon’tknowwhich
versionyourdeviceisrunning,youcanalwayscheckthero.build.version.release
propertyfromtheUDOOwithgetpropro.build.version.release:
$mkdir~/udoo-cts
$cd~/udoo-cts
$wgethttps://dl.google.com/dl/android/cts/android-cts-4.3_r2-linux_x86arm.zip
$unzipandroid-cts-4.3_r2-linux_x86-arm.zip
www.it-ebooks.info
www.it-ebooks.info
RunningCTS
TheCTSexercisesmanycomponentsonthedeviceandhelpstestvariouspartsofthe
system.Agood,generalpolicyshouldallowproperfunctioningofAndroidandpassCTS.
FollowthedirectionsintheAndroidCTSusermanualtosetupyourdevice(seeSection
3.3,Settingupyourdevice).Typically,youwillseesomefailuresifyoudon’tfollowall
thestepsprecisely,asyoumaynothavetheaccessorthecapabilitiestoacquireallthe
resourcesneeded.However,CTSwillstillexercisesomecodepaths.Ataminimum,we
recommendgettingthemediafilescopiedandWi-Fiactive.Onceyourdeviceissetup,
ensureadbisactiveandinitiatethetesting:
$./cts-tradefed
11-3010:30:08I/:Detectednewdevice0123456789ABCDEF
cts-tf>runcts--planCTS
cts-tf>
timepasseshere
11-3010:30:28I/TestInvocation:Startinginvocationfor'cts'onbuild
'4.3_r2'ondevice0123456789ABCDEF
11-3010:30:28I/0123456789ABCDEF:Createdresultdir2014.11.30_10.30.28
11-3010:31:44I/0123456789ABCDEF:Collectingdeviceinfo
11-3010:31:45I/0123456789ABCDEF:---------------------------------------11-3010:31:45I/0123456789ABCDEF:Testpackageandroid.aadbstarted
11-3010:31:45I/0123456789ABCDEF:---------------------------------------11-3010:32:15I/0123456789ABCDEF:
com.android.cts.aadb.TestDeviceFuncTest#testBugreportPASS
...
Theteststakemanyhourstoexecute,sobepatient;butyoucancheckthestatusofthe
test:
cts-tf>li
CommandIdExecTimeDeviceState
18m:220123456789ABCDEFrunningctsonbuild4.3_r2
Pluginspeakerstoenjoythesoundsfromthemediatestsandringtones!Also,CTS
rebootsthedevice.IfyourADBsessionisnotrestoredafterrebooting,ADBmaynot
executeanytests.Usethe--disable-rebootoptionwhenrunningthects-tf>runcts
--planCTS--disable-rebootplan.
www.it-ebooks.info
www.it-ebooks.info
Gatheringtheresults
First,we’llconsidertheCTSresults.Althoughweexpectsomefailures,wealsoexpect
theproblemwillnotgetworsewhenwegotoenforcingmode.Second,we’lllookatthe
auditlogs.Let’spullbothofthesefilesfromthedevice.
www.it-ebooks.info
CTStestresults
CTScreatesatestresultsdirectoryeachtimeitisrun.CTSisindicatingthedirectory
namebutnotthelocation:
11-3010:30:28I/0123456789ABCDEF:Createdresultdir2014.11.30_10.30.28
ThelocationismentionedbytheCTSmanualandcanbefoundundertheextractedCTS
directoryinrepository/results,typicallyatandroid-cts/repository/results.The
testdirectoriescontainanXMLtestreport,testResult.xml.Thiscanbeopenedinmost
webbrowsers.Ithasaniceoverviewofthetestsanddetailsofallexecutedtests.The
pass:failratioisourbaseline.Theauthorshad18,736pass,andonly53fail,whichis
fairlygoodconsideringhalfofthosearefeatureissues,suchasnoBluetoothorreturning
trueforcamerasupport.
www.it-ebooks.info
Auditlogs
Wewillusetheauditlogstoaddressdeficienciesinourpolicy.Pulltheseoffthedevice
usingthestandardadbpullcommandswehaveusedthroughoutthebook.Sincethisisa
userdebugbuildanddefaultadbterminalsareshelluid(notroot),startadbasrootwith
adbroot.suisalsoavailableonuserdebugbuilds.
Tip
Youmaygetanerrorsaying/data/misc/audit/audit.logdoesnotexist.Thesolutionis
torunadbasrootviatheadbrootcommand.Also,whenrunningthiscommand,itmay
hang.Justgotosettings,disable,andthenenableUSBDebuggingunderDeveloper
Options.Thenkilltheadb-rootcommandandverifyyouhaverootbyrunningadb
shell.Nowyoushouldbearootuseragain.
www.it-ebooks.info
www.it-ebooks.info
Authoringdevicepolicy
Runbothaudit.logandaudit.oldthroughaudit2allowtoseewhat’sgoingon.The
outputofaudit2allowisgroupedbysourcedomain.Ratherthangoingthroughitall,we
willhighlighttheunusualcases,startingwiththeinterpretedresultsofaudit2allow.
Assumingyouareintheauditlogdirectory,performcataudit.*|audit2allow|
less.Anypolicyworkwillbedoneinthedevice-specificUDOOsepolicydirectory.
www.it-ebooks.info
adbd
Thefollowingareouradbddenialsasfilteredthroughaudit2allow:
#=============adbd==============
allowadbdashmem_device:chr_fileexecute;
allowadbddumpstate:unix_stream_socketconnectto;
allowadbddumpstate_socket:sock_filewrite;
allowadbdinput_device:chr_file{writegetattropen};
allowadbdlog_device:chr_file{writereadioctlopen};
allowadbdlogcat_exec:file{readgetattropenexecuteexecute_no_trans};
allowadbdmediaserver:binder{transfercall};
allowadbdmediaserver:fduse;
allowadbdself:capability{net_rawdac_override};
allowadbdself:processexecmem;
allowadbdshell_data_file:file{executeexecute_no_trans};
allowadbdsystem_server:binder{transfercall};
allowadbdtmpfs:fileexecute;
allowadbdunlabeled:dirgetattr;
Thedenialsintheadbddomainarequitestrange.Thefirstthingthatcaughtoureyewas
theexecuteon/dev/ashmem,whichisacharacterdriver.Typically,thisisonlyneededfor
DalvikJIT.Lookingattherawaudits(cataudit.*|grepadbd|grepexecute),we
seethefollowing:
type=1400msg=audit(1417416666.182:788):avc:denied{execute}for
pid=3680comm="Compiler"
path=2F6465762F6173686D656D2F64616C76696B2D6A69742D636F64652D63616368652028
64656C6574656429dev=tmpfsino=412027scontext=u:r:adbd:s0
tcontext=u:object_r:tmpfs:s0tclass=file
type=1400msg=audit(1417416670.352:831):avc:denied{execute}for
pid=3753comm="Compiler"path="/dev/ashmem"dev=tmpfsino=1127
scontext=u:r:adbd:s0tcontext=u:object_r:ashmem_device:s0tclass=chr_file
Somethingwiththeprocesscommfieldofthecompilerisexecutingonashmem.Ourguess
isithassomethingtodowithDalvik,butwhyisitintheadbddomain?Also,whyisadbd
writingtotheinputdevice?Allthisisstrangebehavior.Typically,whenyouseethings
likethis,it’sbecausethechildrendidn’tendupintheproperdomain.Runthiscommand
tocheckthedomainsandconfirmoursuspicions:
$adbshellps-Z|grepadbd
u:r:adbd:s0root200461/sbin/adbd
u:r:adbd:s0root2010120046ps
Wethenrunadbshellps-Z|grepadbdtoseewhichthingswererunningintheadb
domain,furtherconfirmingoursuspicions:
u:r:adbd:s0root200461/sbin/adbd
u:r:adbd:s0root2010120046ps
Thepscommandshouldnotberunningintheadbdcontext;itshouldberunninginshell.
Thisconfirmedthatshellisnotintherightdomain:
$adbshell
www.it-ebooks.info
root@udoo:/#id
uid=0(root)gid=0(root)context=u:r:adbd:s0
Thefirstthingtocheckisthecontextonthefile:
root@udoo:/#ls-Z/system/bin/sh
lrwxr-xr-xrootshellu:object_r:system_file:s0sh->mksh
root@udoo:/#ls-Z/system/bin/mksh
-rwxr-xr-xrootshellu:object_r:system_file:s0mksh
Thebasepolicydefinesadomaintransitionwhenadbdloadstheshellusingexectogoto
theshelldomain.Thisisdefinedintheadbd.teexternalsepolicyas
domain_auto_trans(adbd,shell_exec,shell).
Obviously,anincorrectlabelhasbeenappliedtoshell,solet’slookatfile_contextsin
theexternalsepolicytofindoutwhy.
$catfile_contexts|grepshell_exec
/system/bin/sh—u:object_r:shell_exec:s0
Thetwodashesmeanthatonlyregularfileswillbelabeledandsymboliclinkswillbe
skipped.Weprobablydon’twanttolabelthesymlink,butratherthemkshdestination.Do
thisbyaddingacustomfile_contextsentrytothedeviceUDOOsepolicyandadding
thefiletotheBOARD_SEPOLICY_UNIONconfig.Infile_contexts,add/system/bin/mksh—
u:object_r:shell_exec:s0,andinsepolicy.mk,addBOARD_SEPOLICY_UNION+=
file_contexts.
Tip
Throughouttheremainderofthechapter,wheneveryoucreateormodifypolicyfiles(for
example,contextfilesor*.tefiles),don’tforgettoaddthemtoBOARD_SEPOLICY_UNION
insepolicy.mk.
Sincethisisafairlyfatalissuewiththepolicyandadbd,wewon’tworryaboutthedenials
fornow,withtheexceptionoftheunlabeled.Wheneveroneencountersanunlabeledfile,
itshouldbeaddressed.Theavcdenialthatcausedthisisasfollows:
type=1400msg=audit(1417405835.872:435):avc:denied{getattr}for
pid=4078comm="ls"path="/device"dev=mmcblk0p7ino=2scontext=u:r:adbd:s0
tcontext=u:object_r:unlabeled:s0tclass=dir
Becausethisismountedat/deviceandAndroidmountsaretypicallyat/,weshouldlook
atthemounttable:
root@udoo:/#mount|grepdevice
/dev/block/mmcblk0p7/deviceext4
ro,seclabel,nosuid,nodev,relatime,user_xattr,barrier=1,data=ordered00
Typically,mountcommandsareintheinitscriptsfollowingamkdir,orinanfstabfile
withtheinitbuilt-in,mount_all.Aquicksearchfordeviceandmkdirininit.rcfinds
nothing,butwedofinditinfstab.freescale.Thedeviceisread-only,soweshouldbe
abletogiveitatype,labelitwithfilecontexts,andapplythegetattrdomaintoits
directoryclass.Sinceit’sread-onlyandempty,nobodyshouldneedmorepermissions.
Lookingatthemake_sd.shscript,wenoticethatpartition7oftheblockdeviceisthe
www.it-ebooks.info
venderdirectory.ThisisamisspellingofthecommonvendordirectorythatOEMsplace
proprietaryblobsin.Weplacefiletypesinfile.teandthedomainallowrulesin
domain.te.
Infile.te,addthis:
typeudoo_device_file,file_type;
Indomain.te,addthefollowing:
allowdomainudoo_device_file:dirgetattr;
Infile_contexts,addthis:
/deviceu:object_r:udoo_device_file:s0
Ifthisdirectoryisnotempty,youmustmanuallyrunrestorecon-Ronittolabelexisting
files.
IfyoupulltheauditlogsmultipletimesfromtheUDOO,youmayalsoendupwith
denialsshowingthatyoudidso,asadbdwillnotbeabletoaccessthem.Youmayseethis:
#=============adbd==============
allowadbdaudit_log:file{readgetattropen};
Thisrulecomesfromtheendofthetestwhenyouadbpulledtheauditlogs.Wecan
safelydontauditthisandaddaneverallowtoensureitdoesn’taccidentallygetallowed.
Theauditlogscontaininformationamalwarewritercouldusetonavigatethroughthe
policy,andthisinformationshouldbeprotected.Inadevicesepolicyfolder,addan
adbd.tefileandunionitinthesepolicy.mkfile:
Inadbd.te,addthis:
#dontauditadbpullandadbshellcatofauditlogs
dontauditadbdaudit_log:filer_file_perms;
dontauditshellaudit_log:filer_file_perms;
Inauditd.te,addthis:
#Makesurenooneaddsanallowtotheauditlogs
#fromanythingbutsystemserver(readonly)and
#auditd,rwaccess.
neverallow{domain-system_server-auditd-init-kernel}audit_log:file
~getattr;
neverallowsystem_serveraudit_log:file~r_file_perms;
Ifauditd.teisstillinexternal/sepolicy,moveittodevice/fsl/udoo/sepolicyalong
withalldependenttypes.
Theneverallowentriesshowyouhowtousethecompliment,~,andsetdifference,-,
operatorsforstrongassertionsorbrevity.Thefirstneverallowstartswithdomain,andall
processtypes(domains)aremembersofthedomainattribute.Wepreventaccessthrough
setdifference,leavingthesetthatmustneverhaveaccess.Wethencomplimenttheaccess
vectorsettoallowonlygetattrorstatonthelogs.Thesecondneverallowuses
complimenttoensuresystem_serverislimitedtoreadoperations.
www.it-ebooks.info
bootanim
Thebootanimdomainisassignedtothebootanimationservicethatpresentssplash
screensonboot,typicallythecarrier’sbranding:
#=============bootanim==============
allowbootaniminit:unix_stream_socketconnectto;
allowbootanimlog_device:chr_file{writeopen};
allowbootanimproperty_socket:sock_filewrite;
Anythingtouchingtheinitdomainisaredflag.Here,bootanimconnectstoaninitUnix
domainsocket.Thisisapartofthepropertysystem,andwecanseethatafterconnecting,
itwritestothepropertysocket.ThesocketobjectanditsURIareseparate.Inthiscase,it’s
thefilesystem,butitcouldbeananonymoussocket:
type=1400msg=audit(1417405616.640:255):avc:denied{connectto}for
pid=2534comm="BootAnimation"path="/dev/socket/property_service"
scontext=u:r:bootanim:s0tcontext=u:r:init:s0tclass=unix_stream_socket
Thelog_deviceisdeprecatedinnewversionsofAndroidandreplacedwithlogd.
However,wearebackportinganewmastersepolicyto4.3,sowemustsupportthis.The
patchthatremovedsupportisathttps://android-review.googlesource.com/#/c/108147/.
Ratherthanapplyareversepatchtotheexternalsepolicy,wecanjustaddtherulestoour
devicepolicyinadomain.tefile.Wecansafelyallowtheseusingthepropermacrosand
stylesinthedeviceUDOOsepolicyfolder.Inbootanim.te,add
unix_socket_connect(bootanim,property,init),andindomain.te,addthis:
allowdomainudoo_device_file:dirgetattr;
allowdomainlog_device:dirsearch;
allowdomainlog_device:chr_filerw_file_perms;
www.it-ebooks.info
debuggerd
#=============debuggerd==============
allowdebuggerdlog_device:chr_file{writereadopen};
allowdebuggerdsystem_data_file:sock_filewrite;
Thelogdevicedenialwasaddressedunderbootanimbyaddingtheallowrulesforall
domainstouselog_device.Thesystem_data_file:sock_filewriteisstrange.Inmost
circumstances,you’llalmostneverwanttoallowacross-domainwrite,butthisisspecial.
Lookattherawdenial:
type=1400msg=audit(1417415122.602:502):avc:denied{write}forpid=2284
comm="debuggerd"name="ndebugsocket"dev=mmcblk0p4ino=129525
scontext=u:r:debuggerd:s0tcontext=u:object_r:system_data_file:s0
tclass=sock_file
Thedenialisonndebugsocket.Greppingforthisuncoversanamedtypetransition,which
policyversion23doesnotsupport:
system_server.te:297:type_transitionsystem_server
system_data_file:sock_filesystem_ndebug_socket"ndebugsocket";
Wehavetochangethecodetosetthepropercontextorjustallowit,whichwewill.We
won’tgrantadditionalpermissionsbecauseitneveraskedforopen,andwe’recrossing
domains.Preventingfileopensacrossdomainsisideal,astheonlywaytogetthisfile
descriptoristhroughanIPCcallintotheowningdomain.Indebuggerd.te,addallow
debuggerdsystem_data_file:sock_filewrite;.
www.it-ebooks.info
drmserver
#=============drmserver==============
allowdrmserverlog_device:chr_file{writeopen};
Thisistakencareofbydomain.terules,sowehavenothingtodohere.
www.it-ebooks.info
dumpstate
#=============dumpstate==============
allowdumpstateinit:bindercall;
allowdumpstateinit:processsignal;
allowdumpstatelog_device:chr_file{writereadopen};
allowdumpstatenode:rawip_socketnode_bind;
allowdumpstateself:capabilitysys_resource;
allowdumpstatesystem_data_file:file{writerenamecreatesetattr};
Thedenialtoinit:bindercallondumpstateisstrangebecauseinitdoesn’tuse
binder.Someprocessmuststayintheinitdomain.Let’scheckourprocesslistingforinit:
$adbshellps-Z|grepinit
u:r:init:s0root10/init
u:r:init:s0root22861zygote
u:r:init:s0radio27592286com.android.phone
Here,zygoteandcom.android.phoneshouldnotberunningasinit.Thismustbea
labelingerrorontheapp_processfile,whichisthezygote.Thels-laZ
/system/bin/app_processcommandrevealsu:object_r:system_file:s0
app_process,soaddanentrytofile_contextstocorrectthis.Wecanfindthelabelto
useinzygote.teinthebasesepolicydefinedasthezygote_exectype:
#zygote
typezygote,domain;
typezygote_exec,exec_type,file_type;
Infile_contexts,add/system/bin/app_processu:object_r:zygote_exec:s0.
www.it-ebooks.info
installd
Theaddeddomain.teruleshandleinstalld.
www.it-ebooks.info
keystore
#=============keystore==============
allowkeystoreapp_data_file:filewrite;
allowkeystorelog_device:chr_file{writeopen};
Thelogdeviceistakencareofbythedomain.terules.Let’slookattheraw
app_data_filedenial:
type=1400msg=audit(1417417454.442:845):avc:denied{write}for
pid=15339comm="onCtsTestRunner"
path="/data/data/com.android.cts.stub/cache/CTS_DUMP"dev=mmcblk0p4
ino=131242scontext=u:r:keystore:s0
tcontext=u:object_r:app_data_file:s0:c512,c768tclass=file
Categoriesaredefinedinthecontexts.ThismeansMLSsupportisactivatedforapp
domains.Intheseapp_contextsbasesepolicy,weseethis:
user=_appdomain=untrusted_apptype=app_data_filelevelFrom=user
user=_appseinfo=platformdomain=platform_apptype=app_data_file
levelFrom=user
MLSseparationofapplicationdataisstillunderdevelopmentanddidn’tworkon4.3,so
wecandisablethis.Wecanjustdeclaretheminadevice-specificseapp_contextsfile.In
seapp_contexts,adduser=_appdomain=untrusted_apptype=app_data_fileand
user=_appseinfo=platformdomain=platform_apptype=app_data_file.In4.3,any
changestocontextondatarequireafactoryreset.The4.4versionaddedsmartrelabel
capabilities.
www.it-ebooks.info
mediaserver
#=============mediaserver==============
allowmediaserveradbd:binder{transfercall};
allowmediaserverinit:binder{transfercall};
allowmediaserverlog_device:chr_file{writeopen};
Thelogdevicewasaddressedinthedomain.terules.We’llskipinitandadbdtoo,since
theirissuesweretriggeredbyimproperprocessdomains.It’simportantnottoaddallow
rulesblindly,asmostoftheworkforexistingdomainscanbehandledwithsmalllabel
changesorafewrules.
www.it-ebooks.info
netd
#=============netd==============
allownetdkernel:systemmodule_request;
allownetdlog_device:chr_file{writeopen};
Thelogdevicedenialofnetdwasaddressedbydomain.te.However,weshould
scrutinizeanythingrequestingacapability.Whengrantingcapabilities,thepolicyauthor
needstobeverycareful.Ifadomainisgrantedtheabilitytoloadasystemmoduleand
thatdomainormodulebinaryitselfiscompromised,itcouldleadtotheinjectionof
malwareintothekernelvialoadablemodules.However,netdneedsloadablekernel
modulesupporttosupportsomecards.Addtheallowruletoafilecallednetd.teinthe
deviceUDOOsepolicy.Innetd.te,addallownetdself:capabilitysys_module;.
www.it-ebooks.info
rild
#=============rild==============
allowrildlog_device:chr_file{writeopen};
Thisistakencareofbydomain.terules,sowehavenothingtodohere.
www.it-ebooks.info
servicemanager
#=============servicemanager==============
allowservicemanagerinit:bindertransfer;
allowservicemanagerlog_device:chr_file{writeopen};
Again,thelogdevicewashandledindomain.te.We’llskipinit,sinceitsissueswere
triggeredbyimproperprocessdomains.
www.it-ebooks.info
surfaceflinger
#=============surfaceflinger==============
allowsurfaceflingerinit:bindertransfer;
allowsurfaceflingerlog_device:chr_file{writeopen};
Again,thelogdevicewashandledindomain.te.We’llskipinittoo,sinceitsissueswere
triggeredbyimproperprocessdomains.
www.it-ebooks.info
system_server
#=============system_server==============
allowsystem_serveradbd:binder{transfercall};
allowsystem_serverdalvikcache_data_file:file{writesetattr};
allowsystem_serverinit:binder{transfercall};
allowsystem_serverinit:filewrite;
allowsystem_serverinit:process{setschedsigkillgetsched};
allowsystem_serverinit_tmpfs:fileread;
allowsystem_serverlog_device:chr_filewrite;
Sincelog_deviceistakencareofbydomain.te,andinitandadbdarepolluted,wewill
onlyaddresstheDalvikcachedenial:
type=1400msg=audit(1417405611.550:159):avc:denied{write}forpid=2571
comm="er.ServerThread"name="system@[email protected]@classes.dex"
dev=mmcblk0p4ino=129458scontext=u:r:system_server:s0
tcontext=u:object_r:dalvikcache_data_file:s0tclass=file
type=1400msg=audit(1417405611.550:160):avc:denied{setattr}for
pid=2571comm="er.ServerThread"
name="system@[email protected]@classes.dex"dev=mmcblk0p4ino=129458
scontext=u:r:system_server:s0tcontext=u:object_r:dalvikcache_data_file:s0
tclass=file
Theexternalsepolicyseandroid-4.3branchalloweddomain.te:allowdomain
dalvikcache_data_file:filer_file_perms;.Writeswereallowedbysystem_appwith
system_app.te:allowsystem_appdalvikcache_data_file:file{writesetattr
};.Weshouldbeabletograntthiswriteaccessbecausetheremaybeaneedtoupdateits
Dalvikcachefile.Indomain.te,addallowdomaindalvikcache_data_file:file
r_file_perms;,andinsystem_server.te,addallowsystem_server
dalvikcache_data_file:file{writesetattr};.
www.it-ebooks.info
toolbox
#=============toolbox==============
allowtoolboxsysfs:filewrite;
Typically,oneshouldnotwritetosysfs.Nowlookattherawdenialfortheoffending
sysfsfile:
type=1400msg=audit(1417405599.660:43):avc:denied{write}forpid=2309
comm="cat"path="/sys/module/usbtouchscreen/parameters/calibration"
dev=sysfsino=2318scontext=u:r:toolbox:s0tcontext=u:object_r:sysfs:s0
tclass=file
Fromhere,weproperlylabel/sys/module/usbtouchscreen/parameters/calibration.
Weplaceanentryinfile_contextstolabelsysfs,declareatypeinfile.te,andallow
toolboxaccesstoit.Infile.te,addtypesysfs_touchscreen_calibration,fs_type,
sysfs_type,mlstrustedobject;,andinfile_contexts,add
/sys/module/usbtouchscreen/parameters/calibration—
u:object_r:sysfs_touchscreen_calibration:s0,andintoolbox.te,addallow
toolboxsysfs_touchscreen_calibration:filew_file_perms;.
www.it-ebooks.info
untrusted_app
#=============untrusted_app==============
allowuntrusted_appadb_device:chr_filegetattr;
allowuntrusted_appadbd:binder{transfercall};
allowuntrusted_appadbd:dir{readgetattropensearch};
allowuntrusted_appadbd:file{readgetattropen};
allowuntrusted_appadbd:lnk_fileread;
...
untrusted_apphadmanydenials.Consideringthedomainlabelingissues,wewon’t
addressmostofthesenow.However,youshouldlookoutformislabeledandunlabeled
targetfiles.Whilesearchingthedeniallogsasinterpretedbyaudit2allow,thefollowing
wasfound:
allowuntrusted_appdevice:chr_file{readgetattr};
allowuntrusted_appunlabeled:dir{readgetattropen};
Forthechr_filedevice,wegetthis:
type=1400msg=audit(1417416653.742:620):avc:denied{read}forpid=3696
comm="onCtsTestRunner"name="rfkill"dev=tmpfsino=1126
scontext=u:r:untrusted_app:s0:c512,c768tcontext=u:object_r:device:s0
tclass=chr_file
type=1400msg=audit(1417416666.152:784):avc:denied{getattr}for
pid=3696comm="onCtsTestRunner"path="/dev/mxs_viim"dev=tmpfsino=1131
scontext=u:r:untrusted_app:s0:c512,c768tcontext=u:object_r:device:s0
tclass=chr_file
type=1400msg=audit(1417416653.592:561):avc:denied{getattr}for
pid=3696comm="onCtsTestRunner"path="/dev/.coldboot_done"dev=tmpfs
ino=578scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:object_r:device:s0tclass=file
Therefore,weneedtolabel/dev/.coldboot_done,/dev/rfkillproperly,and
/dev/mxs_viim./dev/rfkillshouldbelabeledinlinewithwhatthe4.3policyhad:
file_contexts:/sys/class/rfkill/rfkill[0-9]*/state—
u:object_r:sysfs_bluetooth_writable:s0
file_contexts:/sys/class/rfkill/rfkill[0-9]*/type—
u:object_r:sysfs_bluetooth_writable:s0
The/dev/mxs_viimdeviceseemstobeagloballyaccessibleGPU.Werecommenda
thoroughreviewofthesourcecode,butfornow,wewilllabelitasgpu_device.
/dev/.coldboot_doneiscreatedbyueventdwhenthecoldbootprocesscompletes.If
ueventdisrestarted,itskipsthecoldboot.Wedon’tneedtolabelthis.Thisdenialis
causedbythesourcedomainMLSonatargetfilethatisnotasubsetofthecategoriesof
thesourceanddoesnothavethemlstrustedsubjectattribute;itshouldgoawaywhen
wedropMLSsupportfromapps.
Infile_contexts:
#touchscreencalibration
/sys/module/usbtouchscreen/parameters/calibration—
u:object_r:sysfs_touchscreen_calibration:s0
www.it-ebooks.info
#BTRFKillnode
/sys/class/rfkill/rfkill[0-9]*/state—u:object_r:sysfs_bluetooth_writable:s0
/sys/class/rfkill/rfkill[0-9]*/type—u:object_r:sysfs_bluetooth_writable:s0
www.it-ebooks.info
vold
#=============vold==============
allowvoldlog_device:chr_file{writeopen};
Again,thelogdevicewashandledindomain.te.
www.it-ebooks.info
watchdogd
#=============watchdogd==============
allowwatchdogddevice:chr_file{readwritecreateunlinkopen};
Therawdenialsfromwatchdogpaintininterestingportrait:
type=1400msg=audit(1417405598.000:8):avc:denied{create}forpid=2267
comm="watchdogd"name="__null__"scontext=u:r:watchdogd:s0
tcontext=u:object_r:device:s0tclass=chr_file
type=1400msg=audit(1417405598.000:9):avc:denied{readwrite}for
pid=2267comm="watchdogd"name="__null__"dev=tmpfsino=2580
scontext=u:r:watchdogd:s0tcontext=u:object_r:device:s0tclass=chr_file
type=1400msg=audit(1417405598.000:10):avc:denied{open}forpid=2267
comm="watchdogd"name="__null__"dev=tmpfsino=2580
scontext=u:r:watchdogd:s0tcontext=u:object_r:device:s0tclass=chr_file
type=1400msg=audit(1417405598.000:11):avc:denied{unlink}forpid=2267
comm="watchdogd"name="__null__"dev=tmpfsino=2580
scontext=u:r:watchdogd:s0tcontext=u:object_r:device:s0tclass=chr_file
type=1400msg=audit(1417416653.602:575):avc:denied{getattr}for
pid=3696comm="onCtsTestRunner"path="/dev/watchdog"dev=tmpfsino=1095
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:object_r:watchdog_device:s0tclass=chr_file
Afileiscreatedandunlinkedbywatchdog,whichkeepsahandletoananonymousfile.
Nofilesystemreferenceexistsaftertheunlink,butthefiledescriptorisvalidandonly
watchdogcanuseit.Inthiscase,wecanjustallowwatchdogthisrule.Inwatchdogd.te,
addallowwatchdogddevice:chr_filecreate_file_perms;.Thisrule,however,
causesaneverallowviolationinthebasepolicy:
out/host/linux-x86/bin/checkpolicy:loadingpolicyconfigurationfrom
out/target/product/udoo/obj/ETC/sepolicy_intermediates/policy.conf
libsepol.check_assertion_helper:neverallowonline5375violatedbyallow
watchdogddevice:chr_file{readwriteopen};
Errorwhileexpandingpolicy
Theneverallowruleisinthedomain.tebasepolicyasneverallow{domain-initueventd-recovery}device:chr_file{openreadwrite};.Forsuchasimple
change,we’lljustmodifythebasesepolicytoneverallow{domain-init-ueventdrecovery-watchdogd}device:chr_file{openreadwrite};.
www.it-ebooks.info
wpa
#=============wpa==============
allowwpadevice:chr_file{readopen};
allowwpalog_device:chr_file{writeopen};
allowwpasystem_data_file:dir{writeremove_nameadd_namesetattr};
allowwpasystem_data_file:sock_file{writecreateunlinksetattr};
Again,thelogdevicewashandledindomain.te.Thesystemdataaccessesneedfurther
investigation,startingwiththerawdenials:
type=1400msg=audit(1417405614.060:193):avc:denied{setattr}for
pid=2639comm="wpa_supplicant"name="wpa_supplicant"dev=mmcblk0p4
ino=129295scontext=u:r:wpa:s0tcontext=u:object_r:system_data_file:s0
tclass=dir
type=1400msg=audit(1417405614.060:194):avc:denied{write}forpid=2639
comm="wpa_supplicant"name="wlan0"dev=mmcblk0p4ino=129318
scontext=u:r:wpa:s0tcontext=u:object_r:system_data_file:s0
tclass=sock_file
type=1400msg=audit(1417405614.060:195):avc:denied{write}forpid=2639
comm="wpa_supplicant"name="wpa_supplicant"dev=mmcblk0p4ino=129295
scontext=u:r:wpa:s0tcontext=u:object_r:system_data_file:s0tclass=dir
type=1400msg=audit(1417405614.060:196):avc:denied{remove_name}for
pid=2639co
Theoffendingfilewaslocatedusingls-laR:
/data/system/wpa_supplicant:
srwxrwx---wifiwifi2014-12-0106:43wlan0
Thissocketiscreatedbythewpa_supplicantitself.Relabelingitwithouttypetransitions
isimpossible,sowehavetoallowit.Inwpa.te,addallowwpasystem_data_file:dir
rw_dir_perms;andallowwpasystem_data_file:sock_filecreate_file_perms;.
Theunlabeleddevicehasalreadybeendealtwith;itwasonrfkill:
type=1400msg=audit(1417405613.640:175):avc:denied{read}forpid=2639
comm="wpa_supplicant"name="rfkill"dev=tmpfsino=1126scontext=u:r:wpa:s0
tcontext=u:object_r:device:s0tclass=chr_file
www.it-ebooks.info
www.it-ebooks.info
Secondpolicypass
Afterloadingthedraftedpolicy,thedevicestillhasdenialsonboot:
#=============init==============
allowinitrootfs:file{writecreate};
allowinitsystem_file:fileexecute_no_trans;
#=============shell==============
allowshelldevice:chr_file{readwritegetattr};
allowshellsystem_file:fileentrypoint;
Allofthesedenialsshouldbeinvestigatedbecausetheytargetsensitivetypes,tcontext
specifically.
www.it-ebooks.info
init
Therawdenialsforinitareasfollows:
<5>type=1400audit(4.380:3):avc:denied{create}forpid=2268
comm="init"name="tasks"scontext=u:r:init:s0tcontext=u:object_r:rootfs:s0
tclass=file
<5>type=1400audit(4.380:4):avc:denied{write}forpid=2268comm="init"
name="tasks"dev=rootfsino=3080scontext=u:r:init:s0
tcontext=u:object_r:rootfs:s0tclass=file
Theseoccurbeforeinitremounts/asread-only.Wecansafelyallowthese,andsince
initisrunningunconfined,wecanjustaddittoinit.te.Wecouldaddtheallowruleto
theunconfinedset,butsincethatisgoingaway,let’sminimizethepermissiononlyto
init:
allowintrootfs:filecreate_file_perms;
Note
Unconfinedisnotcompletelyunconfined.RulesgetstrippedfromthisdomainasAOSP
movesclosertozerounconfineddomains.
Doingthis,however,causesanotherneverallowtofail.Wecanmodify
external/sepolicydomain.tetobypassthis.Changetheneverallowfromthis:
#Nothingshouldbewritingtofilesintherootfs.
neverallow{domain-recovery}rootfs:file{createwritesetattrrelabelto
appendunlinklinkrename};
Changeittothis:
#Nothingshouldbewritingtofilesintherootfs.
neverallow{domain-recovery-init}rootfs:file{createwritesetattr
relabeltoappendunlinklinkrename};
Note
Ifyouneedtomodifyneverallowentriestobuild,youwillfailCTS.Theproperapproach
istoremovethisbehaviorfrominit.
Additionally,weneedtoseewhatisloadedwithexecwithoutadomaintransition,
causingtheexecute_no_transdenial:
<5>type=1400audit(4.460:6):avc:denied{execute_no_trans}forpid=2292
comm="init"path="/system/bin/magd"dev=mmcblk0p5ino=146
scontext=u:r:init:s0tcontext=u:object_r:system_file:s0tclass=file
<5>type=1400audit(4.460:6):avc:denied{execute_no_trans}forpid=2292
comm="init"path="/system/bin/rfkill"dev=mmcblk0p5ino=148
scontext=u:r:init:s0tcontext=u:object_r:system_file:s0tclass=file
Toresolvethis,wecanrelabelmagdwithitsowntypeandplaceitinitsownunconfined
domain.Aneverallowinthebasepolicyforcesustomoveeachexecutableintoitsown
domain.
www.it-ebooks.info
Createafilecalledmagd.te,addittoBOARD_SEPOLICY_UNION,andaddthefollowing
contentstoit:
typemagd,domain;
typemagd_exec,exec_type,file_type;
permissive_or_unconfined(magd);
Alsoupdatefile_contextstocontainthis:
/system/bin/magdu:object_r:magd_exec:s0
Repeatthestepsthatweredoneformagdforrfkill.Justreplacemagdwithrfkillinthe
precedingexample.Latertestingrevealedanentry-pointdenialwherethesourcecontext
wasinit_shellandthetargetwasrfkill_exec.Afteraddingtheshellrules,itwas
discoveredthatrfkillisloadedusingexecfromtheinit_shelldomain,solet’salso
adddomain_auto_trans(init_shell,rfkill_exec,rfkill)totherfkill.tefile.
Additionallygroupedwiththisdiscoverywasrfkillattemptingtoopen,read,andwrite
/dev/rfkill.Sowemustlabel/dev/rfkillwithrfkill_device,allowrfkillaccess
toit,andappendallowrfkillrfkill_device:chr_filerw_file_perms;tothe
rfkill.tefile.Createanewfiletodeclarethisdevicetype,calleddevice.te,andadd
typerfkill_device,dev_type;.Afterthat,labelitwithfile_contextsbyadding
/dev/rfkillu:object_r:rfkill_device:s0.
www.it-ebooks.info
shell
Thefirstshelldenialwewillevaluateisthedenialonentrypoint:
<5>type=1400audit(4.460:5):avc:denied{entrypoint}forpid=2279
comm="init"path="/system/bin/mksh"dev=mmcblk0p5ino=154
scontext=u:r:shell:s0tcontext=u:object_r:system_file:s0tclass=file
Sincewedidnotlabelmksh,weneedtolabelitnow.Wecancreateanunconfineddomain
forshellsspawnedbyinittoendupintheinit_shelldomain.Theconsolestillendsup
intheshelldomainviaanexplicitseclabel,andotherinvocationsendupas
init_shell.Createanewfile,init_shell.te,andaddittoBOARD_SEPOLICY_UNION.
www.it-ebooks.info
init_shell.te
typeinit_shell,domain;
domain_auto_trans(init,shell_exec,init_shell);
permissive_or_unconfined(init_shell);
Updatefile_contextstoincludethis:
/system/bin/mkshu:object_r:shell_exec:s0;
Nowwewillhandleshellaccesstotherawdevice:
<5>type=1400audit(6.510:7):avc:denied{readwrite}forpid=2279
comm="sh"name="ttymxc1"dev=tmpfsino=122scontext=u:r:shell:s0
tcontext=u:object_r:device:s0tclass=chr_file
<5>type=1400audit(7.339:8):avc:denied{getattr}forpid=2279comm="sh"
path="/dev/ttymxc1"dev=tmpfsino=122scontext=u:r:shell:s0
tcontext=u:object_r:device:s0tclass=chr_file
Thisisjustamislabeledtty,sowecanlabelthisasatty_device.Addthefollowing
entrytothefilecontexts:
/dev/ttymxc[0-9]*u:object_r:tty_device:s0
www.it-ebooks.info
www.it-ebooks.info
Fieldtrials
Atthispoint,rebuildthesourcetree,wipethedatafilesystem,flash,andre-runCTS.
Repeatthisuntilalldenialsareaddressed.
Onceyou’redonewithCTSandinternalQAtrials,werecommendperformingafieldtrial
withthedeviceinpermissivemode.Duringthisperiod,youshouldbegatheringthelogs
andrefiningpolicy.Ifthedomainsarenotstable,youcandeclarethemaspermissivein
thepolicyfileandstillputthedeviceinenforcingmode;enforcingsomedomainsisbetter
thanenforcingnone.
www.it-ebooks.info
www.it-ebooks.info
Goingenforcing
Youcanpasstheenforcingmodeeitherusingbootloader(whichwillnotbecovered
here)orwiththeinit.rcscriptearlyinboottime.Youcandothisrightaftersetcon:
setconu:r:init:s0
setenforce1
Oncethisstatementiscompiledintotheinit.rcscript,itcanonlybeundonewitha
subsequentbuildandareflashofboot.img.Youcancheckthisbyrunningthe
getenforcecommand.Also,asaninterestingtest,youcantrytorunthereboot
commandfromtherootserialconsoleandwatchitfail:
root@udoo:/#getenforce
Enforcing
root@udoo:/#reboot
reboot:Operationnotpermitted
www.it-ebooks.info
www.it-ebooks.info
Summary
Inthischapter,allofyourpreviousunderstandingofthesystemwasusedtodevelopreal
SEforAndroidpolicyforabrandnewdevice.Youarenowempoweredwiththe
knowledgeofhowtowriteSELinuxpolicyforAndroid,whereandhowthecomponents
ofthesystemwork,andhowtoportandenablethesefeaturesonvariousAndroid
platforms.Sincethisisafairlynewfeaturethatinfluencesmanysysteminteractions,
issuesthatwillrequirecodechangesaswellaspolicychangeswillarise.Understanding
bothiscrucial.
Aspolicyauthorsandsecuritypersonnelingeneral,theresponsibilitytosecurethesystem
restsonourshoulders.Inmostorganizations,you’rerequiredtoworkinthedark.
However,ifyoucan,doasmuchworkandaskasmanyquestionsasyouwanttointhe
mailinglist,andneveracceptthestatusquo.TheSEforAndroidandAOSPprojects
welcomealltocontribute,andbycontributing,youwillhelpmaketheprojectbetterand
enhancethefeaturesetsforall.
www.it-ebooks.info
www.it-ebooks.info
AppendixA.TheDevelopment
Environment
InordertobuildtheAndroid4.3sourcesprovidedbyUDOO,youneedanUbuntuLinux
systemwithOracleJava6.Whileitmaybepossibletouseavariantofthissetup,
Google’sstandardtargetdevelopmentplatformforAndroid4.3isUbuntu12.04.
Therefore,wewillusethissetuptoensurethehighestprobabilityofsuccessinour
explorationofLinux,SELinux,Android,theUDOO,andSEforAndroid.
Inthisappendix,wewilldothefollowing:
DownloadandinstallUbuntu12.04usingavirtualmachine(VM)
EnhanceourVM’sperformancebyinstallingtheVirtualBoxExtensionPackand
VirtualBoxGuestAdditions
SetupadevelopmentenvironmentappropriateforbuildingtheLinuxkerneland
UDOOsources
InstallOracleJava6
Tip
IfyoualreadyuseUbuntuLinux12.04,youcanskiptotheTheBuildEnvironment
section.IfyouintendtoinstallUbuntunatively(notinaVM),youshouldskiptothe
UbuntuLinux12.04sectionandfollowthosedirections,ignoringtheVirtualBoxsteps.
www.it-ebooks.info
VirtualBox
Thereareanumberofvirtualizationproductsavailableforrunningguestoperating
systems,suchasUbuntuLinux,butforthissetupwewilluseVirtualBox.VirtualBoxisa
widelyusedopensourcevirtualizationsystemavailableforMac,Linux,Solaris,and
Windowshosts(amongothers).Itsupportsavarietyofguestoperatingsystems.
VirtualBoxalsoallowstheuseofhardwarevirtualizationofmanymodern/common
processorfamiliestoincreaseperformancebyprovidingeachvirtualmachineitsown
privateaddressspace.
TheVirtualBoxdocumentationhasexcellentinstallationinstructionsforvarious
platforms,andwerecommendreferringtotheseforyourhostplatform.Youcanfind
informationaboutinstallingandrunningVirtualBoxforyourhostoperatingsystemat
http://www.virtualbox.org/manual/ch02.html.
www.it-ebooks.info
www.it-ebooks.info
UbuntuLinux12.04(precisepangolin)
ToinstallUbuntuLinux12.04,youwillfirstneedtodownloadanappropriatedistribution
image.Thesecanbefoundathttp://releases.ubuntu.com/12.04/.Whilethereareanumber
ofacceptableimagesthere,wewillinstallthe64-bitdesktopversionofthedistribution
—http://releases.ubuntu.com/12.04/ubuntu-12.04.5-desktop-amd64.iso.Thehostmachine
we’reusinginthisexampleisa64-bitMacbookProrunningOSX10.9.2,sowe’re
targetinga64-bitguestaswell.Ifyouhavea32-bitmachine,thebasicmechanicsofwhat
wecoverwillbethesame;onlyafewdetailswillbedifferent,sowewillleavethosefor
youtodiscoverandresolve.
LaunchVirtualBoxonyourhost,waitfortheVMManagerwindowtoappear,and
performthefollowingsteps:
1. ClickonNew.
2. FortheNameandOperatingSystemsettings,makethefollowingselections:
Name:SEforAndroidBook
Type:Linux
Version:Ubuntu(64bit)
3. SetMemorySizetoavaluetoatleast16GB.Anythinglowerthanthiswillleadto
unsuccessfulbuilds.
4. Tosetuptheharddrive,selectCreateavirtualharddrivenow.Setthisvaluetoat
least80GB.
5. ChoosetheHardDriveFileType,VDI(VirtualBoxDiskImage).
6. Ensurestorageonthephysicalharddriveissettodynamicallyallocated.
7. Whenpromptedforfilelocationandsize,namethenewvirtualharddriveSEfor
AndroidBook,andsetitssizeto80GB.
EnsuretheSEforAndroidBookVMisselectedintheleftpane.ClickonthegreenStart
arrowtoperformaninitiallaunchoftheVM.Adialogwillappear,askingyoutoselecta
virtualopticaldiskfile.Clickonthesmallfoldericonandlocatetheubuntu-12.04.5desktop-amd64.isoCDimageyoudownloadedearlier.ThenclickonStart.
WhenthescreenturnsblackandshowsakeyboardimageatthebottomcenteroftheVM
window,pressanykeytobegintheUbuntuinstallation.Assoonasyoudothis,the
languageselectionscreenwillappear.Choosewhicheverlanguageismostappropriatefor
you,butforthisexample,we’llselectEnglish.ThenselectInstallUbuntu.
Sometimes,youmayseeanunusual-lookingerrorprintedacrossyourVMwindow—
somethinglikeSMBusbaseaddressuninitialized.Thismessageisshownbecause
VirtualBoxdoesn’tsupportaparticularkernelmodulethatisloadedbydefaultwith
Ubuntu12.04.However,thiswillnotcauseanydifficultyandisonlyacosmetic
annoyance.Afterafewmoments,aniceGUIinstallationscreenwillappear,waitingfor
youtochoosealanguageagain.We’llchooseEnglishagain.
OnthefollowingPreparingtoinstallUbuntuscreen,threechecklistitemsareshown.
www.it-ebooks.info
Youshouldhavealreadysatisfiedthefirstitem,sinceyourvirtualdriveismuchlarger
thantheminimumrequirementforUbuntu.Tosatisfytheothers,ensureyourhostsystem
ispluggedinwithapowersupplyandhasanestablishednetworkconnection.Although
thisisentirelyunnecessaryforourpurposeshere,wealmostalwaysmarktheDownload
updateswhileinstallingandInstallthisthird-partysoftwareboxesbeforecontinuing.
OntheInstallationtypescreen,we’lltaketheeasypathandselectErasediskandinstall
Ubuntu.KeepinmindthatthiswillonlyerasethediskofyourVM’svirtualharddrive
andleavesyourhostsystemintact.OntheErasediskandinstallUbuntuscreen,your
virtualharddriveshouldalreadybeselected,soyouonlyneedtoclickInstallNow.
FromthispointforwardintheUbuntuinstallation,twoseparatetaskswillhappen
simultaneously:inabackgroundthread,theinstallerwillpreparethevirtualdriveforthe
installationofthebasesystem;secondly,youwillconfiguresomebasicaspectsofyour
newsystem.Butfirst,youwillhavetoidentifyyourtimezonebyclickingonthe
appropriatepointontheworldmapbeforecontinuing.Thenidentifyyourkeyboardlayout
andcontinue.
Setupyourfirstuseraccount.Inthiscase,itwillbetheaccountweusedtodotheworkin
thisbook,sowewillenterthefollowinginformation:
YourName:BookUser
Yourcomputer’sname:SE-for-Android
Pickausername:bookuser
Passwordfields:(whateveryouprefer)
WewillalsoselectLoginautomatically.Whilewewouldnotnormallydothisfor
securityreasons,wewilldoitinourlocalVMforconvenience;butyoumayprotectthis
accountinwhicheverwayyouprefer.
OncetheUbuntuinstallationiscomplete,adialogaskingyoutorestartthecomputerwill
appear.ClicktheRestartnowbutton,andafterafewmoments,aterminalpromptwill
informyoutoremoveallinstallationmediaandpressEnter.Toremovethevirtual
installationCD,gotoDevices|CD/DVDDevices|Removediskfromvirtualdrive
usingtheVirtualBoxmenubar.ThenpressEntertorestarttheVM,butinterrupttheboot
processbyclosingtheVMwindow.Itwillaskyouifyouwanttopoweroffthemachine.
JustclickOK.
www.it-ebooks.info
www.it-ebooks.info
VirtualBoxextensionpackandguest
additions
TogetthebestperformancefromyourguestUbuntuVMandaccesstothevirtualUSB
devicesnecessaryforworkingwiththeUDOO,youwillneedtoinstalltheVirtualBox
extensionpackandguestadditions.
www.it-ebooks.info
VirtualBoxextensionpack
DownloadtheextensionpackfromtheVirtualBoxwebsite,at
http://www.virtualbox.org/wiki/Downloads.Therewillbeadownloadlinkthereintended
forAllsupportedplatforms.Oncethisfileisdownloaded,you’llneedtoinstallit.This
processisdifferentforeachtypeofhostsystem,butitisverystraightforward.ForLinux
andMacOSXhosts,simplydouble-clickingonthedownloadedextensionpackfilewill
dothetrick.ForWindowssystems,youwillneedtoruntheinstalleryou’vedownloaded.
www.it-ebooks.info
VirtualBoxguestadditions
Onceyou’vecompletedtheinstallationoftheextensionpack,bootyourUbuntuLinux
12.04VMfromVirtualBoxbyselectingtheVMfromtheleftpaneandclickingonStart
inthetoolbar.OnceyourUbuntudesktopisactive,you’llnoticeitdoesnotfitintoyour
VMwindow.ResizetheVMwindowtomakeitlarger,andtheVMscreenwillremainthe
samesize.This,amongotherperformanceissues,willberesolvedbyinstallingthe
VirtualBoxguestadditions.Youmayalsoseeawindowopenonyourvirtualdesktop
indicatinganewversionofUbuntuisavailable.Donotupgrade;justclosethatwindow.
UsingtheVirtualBoxmenubar,gotoDevices|InsertGuestAdditionsCDImage….
Shortlyafterward,adialogwillappear,askingwhetheryouwanttorunthesoftwareon
thenewmediayoujustinserted.ClicktheRunbutton.Youwillthenneedtoauthenticate
youruserbyenteringyouruser’spassword(whichyouenteredduringsetup).Oncethe
userisauthenticated,ascriptwillautomaticallybuildandupdateseveralkernelmodules.
Oncethescriptcompletes,reboottheVMbyclickingonthegearinthetop-rightcornerof
thescreen,selectingShutdown…,andclickingonRestartinthedialogthatfollows.
WhentheVMreboots,thefirstthingyoushouldnoticeisthattheVMscreennowfitsinto
theVMwindow.Moreover,ifyouresizetheVMwindow,theVMscreenresizeswithit.
Thisisthesimplestwaytodetermineyou’vesuccessfullyinstalledtheVirtualBoxguest
additions.
www.it-ebooks.info
www.it-ebooks.info
Savetimewithsharedfolders
Anotherthingyoucandotoboostyouraggregateperformancewhiledevelopingimages
fortheUDOOistosetupsharedfoldersbetweenyourhostsystemandyourUbuntu
Linuxguestsystem.Inthisway,onceyou’vebuiltanewSDcardimagefortheUDOO,
youcanmaketheimagedirectlyavailabletothehostthroughthesharedfolder.Thehost
canthenexecutethelong-runningcommandstoflashtheSDcardwithoutaddingtimeto
theprocessbyslowingdownaccesstoyourhost’scardreaderthroughthevirtualization
layer.Inthecaseofthesystemwe’reusingtowritethisbook,thereisasavingsofaround
10minutesperimageflashed.
Tosetupasharedfolder,youmustbeginwiththeVirtualBoxManageropenandyour
UbuntuVMpoweredoff.ClicktheSettingstoolbaricon.ThenselecttheSharedFolders
taboftheSettingsdialogthatopens.ClicktheAddSharedFoldericontotheright.Enter
FolderPathtoafolderonyourhostthatyouwanttoshare.Inourcase,wecreatedanew
foldercalledvbox_sharetosharewithourVMguest.VirtualBoxwillgenerateFolder
Name,butmakesureyouselectAuto-mountbeforeclickingOK.Whenyoubootyour
UbuntuVMfromnowon,thesharedfolderwillbeaccessibleinyourguestVMas
/media/sf_<folder_name>.However,ifyouattempttolistthefilesinthatdirectoryfrom
yourguest,youwilllikelybedenied.Togainfullaccesstothisfolder(asinread-andwriteaccess)forourbookuser,we’llneedtoaddthatUIDtothevboxsfgroup:
$sudousermod-a-Gvboxsfbookuser
LogoutandlogintoyourguestagainorrestarttheguestVMtocompletetheprocess.
www.it-ebooks.info
www.it-ebooks.info
Thebuildenvironment
ToprepareoursystemtobuildtheLinuxkernel,Android,andAndroidapplications,we
needtoinstallandsetupsomekeypiecesofsoftware.ClicktheUbuntudashboardiconat
thetopofthelaunchbarontheleftofyourscreen.Inthesearchbarthatappears,type
termandpressEnter.Aterminalwindowwillopen.Thenexecutethefollowing
commands:
$sudoapt-getupdate
$sudoapt-getinstallapt-filegit-coregnupgflexbisongperfbuildessentialzipcurlzlib1g-devlibc6-devlib32ncurses5-devia32-libs
x11proto-core-devlibx11-devia32-libsdialogliblzo2-devlibxml2-utils
minicom
TypeyandpressEnterwhenaskedwhetheryouwanttocontinue.
www.it-ebooks.info
www.it-ebooks.info
OracleJava6
DownloadthemostrecentJava6SEDevelopmentKit(version6u45)fromtheOracle
Javaarchivewebsite,athttp://www.oracle.com/technetwork/java/javase/archive139210.html.You’llneedthejdk-6u45-linux-x64.binversiontosatisfyGoogle’starget
developmentenvironment.Onceitisdownloaded,executethefollowingcommandsto
installtheJava6JDK:
$chmoda+xjdk-6u45-linux-x64.bin
$sudomkdir-p/usr/lib/jvm
$sudomvjdk-6u45-linux-x64.bin/usr/lib/jvm/
$cd/usr/lib/jvm/
$sudo./jdk-6u45-linux-x64.bin
$sudoupdate-alternatives--install"/usr/bin/java""java"
"/usr/lib/jvm/jdk1.6.0_45/bin/java"1
$sudoupdate-alternatives--install"/usr/bin/jar""jar"
"/usr/lib/jvm/jdk1.6.0_45/bin/jar"1
$sudoupdate-alternatives--install"/usr/bin/javac""javac"
"/usr/lib/jvm/jdk1.6.0_45/bin/javac"1
$sudoupdate-alternatives--install"/usr/bin/javaws""javaws"
"/usr/lib/jvm/jdk1.6.0_45/bin/javaws"1
$sudoupdate-alternatives--install"/usr/bin/jar""jar"
"/usr/lib/jvm/jdk1.6.0_35/bin/jar"1
$sudoupdate-alternatives--install"/usr/bin/javadoc""javadoc"
"/usr/lib/jvm/jdk1.6.0_45/bin/javadoc"1
$sudoupdate-alternatives--install"/usr/bin/jarsigner""jarsigner"
"/usr/lib/jvm/jdk1.6.0_45/bin/jarsigner"1
$sudoupdate-alternatives--install"/usr/bin/javah""javah"
"/usr/lib/jvm/jdk1.6.0_45/bin/javah"1
$sudormjdk-6u45-linux-x64.bin
www.it-ebooks.info
www.it-ebooks.info
Summary
Inthisappendix,wediscussedGoogle’stargetdevelopmentenvironmentforAndroidand
showedhowtocreateacompatibleenvironment,potentiallyinavirtualmachine.You
shouldfeelfreetomodifyotherelementsofyoursystem,buthavingtheelementsofthis
appendixinstalledwillprovideyouwiththeminimallyviableenvironmentnecessaryto
performallthestepsoutlinedinChapter4,InstallationontheUDOO,andbeyond.
www.it-ebooks.info
Index
A
absoluteauthority
about/Thecaseformore
AccessVectorCache/AccessVectorCache
accessvectors
about/Accessvectors
impersonate/Binderandsecurity
call/Binderandsecurity
set_context_mgr/Binderandsecurity
transfer/Binderandsecurity
ActivityManagerService(AMS)
about/Binderandsecurity
Android
DAC,usingfor/Android’suseofDAC
securitymodel/Android’ssecuritymodel
Android.mk,sepolicy
exploring/Exploringsepolicy’sAndroid.mk
sepolicy,building/Buildingsepolicy
policybuild,controlling/Controllingthepolicybuild
build_policy,defining/Diggingdeeperintobuild_policy
mac_permissions.xml,building/Buildingmac_permissions.xml
seapp_contexts,building/Buildingseapp_contexts
file_contexts,building/Buildingfile_contexts
property_contexts,building/Buildingproperty_contexts
NSAresearchfiles/CurrentNSAresearchfiles
AndroidDebugBridge(adb)
about/UDOOserialandAndroidDebugBridge
AndroidInterfaceDescriptionLanguage(AIDL)/Binder’sarchitecture
AndroidRunTime(ART)/Zygote–applicationspawn
Androidversions
URL/Thepropertyservice
Androidvulnerabilities
about/GlancingatAndroidvulnerabilities
Skypevulnerability/Skypevulnerability
GingerBreak/GingerBreak
CVE-2010-EASY/Rageagainstthecage
MotoChopper/MotoChopper
AOSPdevices
URL/Upgrades–patchesgalore
applabeling
limitations/Limitationsonapplabeling
www.it-ebooks.info
applications/Android’ssecuritymodel
auditddaemon/Theauditddaemon
auditdinternals/Auditdinternals
auditlogs/Auditlogs
auditsystem
about/Theauditsystem
auditddaemon/Theauditddaemon
auditdinternals/Auditdinternals
www.it-ebooks.info
B
Bell-LaPadula(BLP)model
about/Multilevelsecurity
Binder
about/Binder
architecture/Binder’sarchitecture
features/Binder’sarchitecture
andsecurity/Binderandsecurity
binderpatch
URL/Upgrades–patchesgalore
booleansdirectory/Thebooleansdirectory
buildenvironment
about/Thebuildenvironment
build_policy
defining/Diggingdeeperintobuild_policy
www.it-ebooks.info
C
cache_thresholdfile/AccessVectorCache
capabilitiesmodel
about/Capabilitiesmodel
chconcommand/Examplesandtools
classdirectory/Theclassdirectory
CompatibilityDefinitionDocument(CDD)/SettingupCTS
CompatibilityTestSuite(CTS)/Contexts
CompatibilityTestSuitecompliance(CTS)
about/Thebooleansdirectory
URL/Thebooleansdirectory
contexts
about/Contexts
domains,mapping/Contexts
controlproperties/Controlproperties
CTS
URL/Relabelingprocesses
settingup/SettingupCTS
running/RunningCTS
CTSbinary
URL/SettingupCTS
CTSresults
gathering/Gatheringtheresults
CTStestresults/CTStestresults
auditlogs/Auditlogs
CTStestresults/CTStestresults
CVE-2010-EASY/Rageagainstthecage
www.it-ebooks.info
D
/datafilesystem
fixingup/Fixingup/data
DAC
used,forAndroid/Android’suseofDAC
definekeyword/Dynamicdomaintransitions
device
purging/Purgingthedevice
devicepolicy
authoring/Authoringdevicepolicy
adbd/adbd
bootanim/bootanim
debuggerd/debuggerd
drmserver/drmserver
dumpstate/dumpstate
installd/installd
keystore/keystore
mediaserver/mediaserver
netd/netd
rild/rild
servicemanager/servicemanager
surfaceflinger/surfaceflinger
system_server/system_server
toolbox/toolbox
untrusted_app/untrusted_app
vold/vold
watchdogd/watchdogd
wpa/wpa
disablefileinterface/Thedisablefileinterface
dynamicdomaintransitions
about/Dynamicdomaintransitions
dynamictypetransitions/Dynamictypetransitions
dyntransition/ProcFS
www.it-ebooks.info
E
enforcefile/Theenforcenode
enforcing
about/Theenforcenode
enforcingmode
passing/Goingenforcing
existingproperties
relabeling/Relabelingexistingproperties
explicitcontexts
viaseclabel/Explicitcontextsviaseclabel
extendedattributes
labelingwith/Labelingwithextendedattributes
www.it-ebooks.info
F
fieldtrials
about/Fieldtrials
filesystem
locating/Locatingthefilesystem
interrogating/Interrogatingthefilesystem
enforcefile/Theenforcenode
disablefileinterface/Thedisablefileinterface
policyfile/Thepolicyfile
nullfile/Thenullfile
mlsfile/Themlsfile
statusfile/Thestatusfile
AccessVectorCache/AccessVectorCache
booleansdirectory/Thebooleansdirectory
classdirectory/Theclassdirectory
initial_contextsdirectory/Theinitial_contextsdirectory
policy_capabilitiesdirectory/Thepolicy_capabilitiesdirectory
procfs/ProcFS
filesystems
labeling/Labelingfilesystems
fs_use/fs_use
fs_task_use/fs_task_use
fs_use_trans/fs_use_trans
genfscon/genfscon
mountoptions/Mountoptions
extendedattributes/Labelingwithextendedattributes
file_contextsfile/Thefile_contextsfile
dynamictypetransitions/Dynamictypetransitions
file_contexts
building/Buildingfile_contexts
file_contextsfile/Thefile_contextsfile
fixup.py
URL/InterpretingSELinuxdeniallogs
flashing
about/FlashingimageonanSDcard
FLASK
about/Gettingbacktothebasics
fs_task_use/fs_task_use
fs_use/fs_use
fs_use_trans/fs_use_trans
www.it-ebooks.info
G
genfscon/genfscon
getenforcecommand,states
disabled/Fixingthepolicyversion
permissive/Fixingthepolicyversion
enforcing/Fixingthepolicyversion
GingerBreak/GingerBreak
graphicalmenu
settings/Retrievingthesource
groups
changing/Changingownersandgroups
www.it-ebooks.info
I
initial_contextsdirectory/Theinitial_contextsdirectory
initprocess
about/Init–thekingofdaemons
InterprocessCommunication(IPC)
about/Binder
www.it-ebooks.info
J
JavaSELinuxAPI
about/JavaSELinuxAPI
www.it-ebooks.info
K
kernel
SELinux,enablingin/It’salive
kernel-common
URL/Upgrades–patchesgalore
kernel-commonproject
URL/Upgrades–patchesgalore
keys.conf/keys.conf
www.it-ebooks.info
L
labeling
viaproperty_contexts/Labelingviaproperty_contexts
labels
about/Labels
users/Users
roles/Roles
types/Types
LinuxSecurityModule(LSM)
about/Binderandsecurity
www.it-ebooks.info
M
mac_permissions.xml
building/Buildingmac_permissions.xml
mac_permissions.xmlfile
about/Themac_permissions.xmlfile
mlsfile/Themlsfile
MotoChopper/MotoChopper
mountoptions/Mountoptions
multi-levelsecurity(MLS)/Themlsfile
multilevelsecurity(MLS)model
about/Multilevelsecurity
www.it-ebooks.info
N
NationalSecurityAgency(NSA)
about/Binderandsecurity
NSArepositories
URL/Upgrades–patchesgalore
NSAresearchfiles/CurrentNSAresearchfiles
nullfile/Thenullfile
www.it-ebooks.info
O
OracleJava6
about/OracleJava6
OracleJavaarchive
URL/OracleJava6
owners
changing/Changingownersandgroups
www.it-ebooks.info
P
patches
about/Upgrades–patchesgalore
permissionbits
changing/Changingpermissionbits
permissions,onproperties
about/Permissionsonproperties
permissive
about/Theenforcenode
persistentproperties/Persistentproperties
petanalogy
URL/Puttingittogether
about/Puttingittogether
policybuild
controlling/Controllingthepolicybuild
policyfile/Thepolicyfile
policyload
about/Policyload
policypass
about/Secondpolicypass
init/init
shell/shell
init_shell.te/init_shell.te
policyversion
fixing/Fixingthepolicyversion
policy_capabilitiesdirectory/Thepolicy_capabilitiesdirectory
processes
relabeling/Relabelingprocesses
ProcessID(PID)/Binder’sarchitecture,Init–thekingofdaemons
procfs/ProcFS
projects
building/Buildingsubcomponents–targetsandprojects
properties
creating/Creatingandlabelingnewproperties
labeling/Creatingandlabelingnewproperties
propertyservice
about/Thepropertyservice
property_contexts
labelingvia/Labelingviaproperty_contexts
building/Buildingproperty_contexts
www.it-ebooks.info
R
RadioInterfaceLayerDaemon(RILD)/Android’ssecuritymodel,Init–thekingof
daemons
README
testkey/Thecasetosecurethezygote
platform/Thecasetosecurethezygote
shared/Thecasetosecurethezygote
media/Thecasetosecurethezygote
role-basedaccesscontrols(RBAC)
about/Roles
roles,labels/Roles
www.it-ebooks.info
S
seapp_contexts/seapp_contexts
building/Buildingseapp_contexts
security
andBinder/Binderandsecurity
securityid(sid)/Labelingfilesystems
securityidentifier(sid)/Theinitial_contextsdirectory
securitymodel
systemcomponentservices/Android’ssecuritymodel
applications/Android’ssecuritymodel
SELinux
about/Gettingbacktothebasics
implementing/Multilevelsecurity
benefits/Puttingittogether
bestpractices/Complexitiesandbestpractices
complexities/Complexitiesandbestpractices
enabling,inkernel/It’salive
SELinuxdeniallogs
interpreting/InterpretingSELinuxdeniallogs
SELinuxFS
about/Policyload
SELinuxproperties/SELinuxproperties
sepolicy
building/Buildingsepolicy
sepolicy-analyzetool/sepolicy-analyze
sepolicy-checktool/sepolicy-check
SEPolicymaster
updating/UpdatingtoSEPolicymaster
setsockcreatecon()function/Init–thekingofdaemons
sharedfolders
about/Savetimewithsharedfolders
Skypevulnerability/Skypevulnerability
source
retrieving/Retrievingthesource
specialproperties
about/Specialproperties
controlproperties/Controlproperties
persistentproperties/Persistentproperties
SELinuxproperties/SELinuxproperties
standalonetools
about/Standalonetools
sepolicy-check/sepolicy-check
sepolicy-analyze/sepolicy-analyze
www.it-ebooks.info
statusfile/Thestatusfile
subject
about/Gettingbacktothebasics
switch
flipping/Flippingtheswitch
systemapps
about/Thecasetosecurethezygote
systemcomponentservices/Android’ssecuritymodel
systemserver
about/Android’ssecuritymodel
www.it-ebooks.info
T
target
about/Gettingbacktothebasics
targets
building/Buildingsubcomponents–targetsandprojects
tools,filesystems
about/Examplesandtools
/datafilesystem,fixingup/Fixingup/data
security/Asidenoteonsecurity
typeenforcement(TE)
about/Types,Dynamicdomaintransitions
typefieldvalue,filesystemobject
about/Thefile_contextsfile
—/Thefile_contextsfile
-d/Thefile_contextsfile
-b/Thefile_contextsfile
-s/Thefile_contextsfile
-c/Thefile_contextsfile
-l/Thefile_contextsfile
-p/Thefile_contextsfile
types,labels/Types
www.it-ebooks.info
U
UbuntuLinux12.04
about/UbuntuLinux12.04(precisepangolin)
URL/UbuntuLinux12.04(precisepangolin)
UDOOdocumentation
URL/Retrievingthesource
UDOOserial
about/UDOOserialandAndroidDebugBridge
user-basedaccesscontrols(UBAC)
about/Users
users,labels/Users
userspaceobjectmanager/Thestatusfile
www.it-ebooks.info
V
variables
BOARD_SEPOLICY_DIRS/Controllingthepolicybuild
BOARD_SEPOLICY_UNION/Controllingthepolicybuild
BOARD_SEPOLICY_REPLACE/Controllingthepolicybuild
BOARD_SEPOLICY_IGNORE/Controllingthepolicybuild
VirtualBox
about/VirtualBox
URL/VirtualBox
extensionpack/VirtualBoxextensionpack
guestadditions/VirtualBoxguestadditions
virtualmachine(VM)/Zygote–applicationspawn
www.it-ebooks.info
Z
Zygote
about/Zygote–applicationspawn
zygote
securing/Thecasetosecurethezygote
fortifying/Fortifyingthezygote
socket,plumbing/Plumbingthezygotesocket
mac_permissions.xmlfile/Themac_permissions.xmlfile
keys.conf/keys.conf
seapp_contexts/seapp_contexts
zygotesocket
plumbing/Plumbingthezygotesocket
www.it-ebooks.info