SEAndroid Overview (for beginners)

Part 1: From SELinux (a best and short summary)

Why?
- Integrity (Type Enforcement)
- Confidentiality (Multi Level Security)
- Role Based Access Control

What?
SELinux is a security enhancement to Linux which gives users and administrators more control over access control: DAC and MAC.

When?
The SELinux kernel policy is presently compiled as part of the Android build and added to the ramdisk image so that init can load it very early in boot, before the system partition is mounted. Once the data partition has been mounted, the policy can be updated by placing policy files under a subdirectory of /data/security, creating a symbolic link named current under /data/security that points to that subdirectory, and setting the selinux.reload_policy property to 1 (setprop selinux.reload_policy 1). This triggers a reload of the policy by init.

Where?
- Kernel: security server, object manager, Access Vector Cache (AVC)
- User space: coreutils, policycoreutils, checkpolicy
- SELinux policy: configuration data and the rules that govern access

Traditional UNIX DAC approach
- The owner controls access to an object
- A process acts with its effective UID/GID
- The almighty root user stands above the rules

SELinux MAC approach
- Policy controls access to objects
- Labeled objects (files, sockets, ...)
- Labeled processes (domains)
- Policy rules
- The concept of "almighty" unconfined processes is itself defined within the policy

UNIX DAC vs. SELinux MAC
- Identity: UID/GID vs. label
- Process identity: effective user/group (UID/GID) vs. process domain (label)
- Privilege change: setuid() vs. Type Enforcement (TE) rules
- Trigger on exec: setuid bit vs. label (file context, FC) + domain transition + implicit domain transition rule

Labels
    $ ls -Z /var/spool/anacron/cron.daily
    -rw-. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily
    $ ps uxZ | grep /usr/sbin/atd
    system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd

Policy
- Delivered via the RPM packages selinux-policy and selinux-policy-targeted
- Reference policy; multiple policies are available
- Modular: labeling rules (*.fc), type enforcement rules (*.te), M4 macros and interfaces (*.if)

Labeling rules delivered with policy packages
- RPM applies labels upon package installation
- Files inherit labels otherwise
- Example (cron.fc):
    /etc/cron.d(/.*)?    gen_context(system_u:object_r:system_cron_spool_t,s0)

Type Enforcement rules
- Specified in a custom DSL plus M4
- Compiled and loaded into the kernel at runtime
- Example (cron.te):
    allow system_cronjob_t cron_log_t:file manage_;

Domains
- TE rules control domain transitions
- A process transitions into a domain upon execution of a labeled file (remember the setuid bit?)
- Unconfined domains
- Example (cron.te):
    init_daemon_domain(system_cronjob_t, anacron_exec_t)

Management tools
- setenforce 1; getenforce
- /var/sysconfig/selinux
- UNIX tools with the -Z argument
- semanage
- Example:
    # chcon -t etc_t /var/spool/anacron
    # restorecon -v /var/spool/anacron

What if things don't work?
- audit2why and audit2allow to analyze denials
- restorecon to fix file contexts

Part 2: To SEAndroid

Android 4.3 was the first Android release version to fully include and enable the SELinux support contributed by the SE for Android project. Android 4.4 is the first release to put SELinux into enforcing mode, beginning by confining a specific set of root daemons. The Android SELinux support is discussed in the SEAndroid resources listed at the end.

SE for Android app and service logging
SE for Android services log errors using the standard Android logging service, logcat. The entries are generally categorised by the service, such as SELinuxMMAC, IntentMMAC and MMACtypes. Generally there are enough clues to find most errors, but be aware that the events logged may change with each update.

Log example:
    14.401242 type=1400 audit(112.879:6): avc: denied write for pid=200 comm=app_process name=property_service dev=tmpfs ino=8557 scontext=u:r:zygote:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
    E/PackageManager( 281): INTENT_DENIAL: intent:action:ent.action.CALL_PRIVILEGED, data:tel:085-2369, callingPid:600, callingPkgs:viders.contacts,viders.applications,com.android.contacts,viders.userdictionary, callingTypes:phone_state_perm,nfc_handler, destPkgs:com.android.phone, destTypes:,phone_state_perm,telephony_app

audit2allow
    $ adb shell dmesg | audit2allow
And setpolicy:
    $ adb shell dmesg | audit2allow -w
    $ adb shell dmesg | grep avc

Not part of the regular SELinux policy
The property_contexts, seapp_contexts, and mac_permissions.xml configurations are unique to SE for Android.

SELinux-enabled adb shell commands (in the Android toolbox)
- chcon: Change the security context of a file. As the first part of chcon(1) (only supports the context and pathname parameters). Usage: chcon context pathname
- getenforce: Get the current enforcing mode. Usage: getenforce
- getsebool: Get SELinux boolean value(s). Usage: getsebool -a | boolean
- id: Does not take any options. If SELinux is enabled, the security context is automatically displayed.
- load_policy: Load a new policy into the kernel. Usage: load_policy policy-file
- ls: Supports the -Z option to display the security context.
- restorecon: Restore the security context as defined in the policy's file contexts. As restorecon(8) but supports fewer options. Usage: restorecon -nrRv pathname
- runcon: Run a command in the specified security context. Usage: runcon context program args
- setenforce: Modify the SELinux enforcing mode. Usage: setenforce enforcing|permissive|1|0
- setsebool: Set a SELinux boolean to a value (note that the command does not persist the boolean across reboots). Usage: setsebool name 1|true|on|0|false|off

SEAndroid resources
- SELinux
- SEAndroid
- SEAndroid1
- SEAndroid2
- SELinux Test Suite - set u
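The labeling slides above (cron.fc, the chcon/restorecon example and "restorecon to fix context") describe how a path's expected label comes from *.fc entries and how restorecon repairs drift. The following is an added example, not code from the slides or from the SELinux project: a small Python model of that lookup, using the slides' cron.fc entry plus two constructed entries, a last-match-wins rule over whole-path regexes (the policy build sorts entries least-specific first), and a restorecon -n style check that reports files whose observed label differs from the policy.

```python
import re

# Constructed file-context entries in the *.fc syntax from the slides.
# The cron.d line is the slides' cron.fc example; the other two are assumed
# for illustration. Least-specific entries come first, as the policy build
# leaves them, because lookup is last-match-wins.
SAMPLE_FC = """
/etc(/.*)?                gen_context(system_u:object_r:etc_t,s0)
/etc/cron.d(/.*)?         gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/anacron(/.*)?  gen_context(system_u:object_r:system_cron_spool_t,s0)
"""

# path-regex, optional file-type flag (--, -d, ...), gen_context(user:role:type, mls)
FC_LINE = re.compile(r"^(\S+)\s+(?:-[-dlspcb]\s+)?gen_context\(([^,]+),\s*([^)]+)\)$")

def parse_fc(text):
    """Parse fc text into a list of (compiled path regex, full context) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError("unparsable fc entry: %r" % line)
        path_re, ctx, mls = m.groups()
        rules.append((re.compile(path_re), "%s:%s" % (ctx, mls.strip())))
    return rules

def lookup_context(rules, path):
    """Label a path as restorecon would: the regex must match the whole path
    and the last matching entry wins. Returns None for an unlabeled path."""
    result = None
    for regex, ctx in rules:
        if regex.fullmatch(path):
            result = ctx
    return result

def find_mislabeled(rules, observed):
    """restorecon -n equivalent: compare observed labels (path -> context,
    as ls -Z shows them) against the policy and report every difference."""
    report = []
    for path, current in observed.items():
        expected = lookup_context(rules, path)
        if expected is not None and expected != current:
            report.append((path, current, expected))
    return report

if __name__ == "__main__":
    # Constructed snapshot taken after the slides' "chcon -t etc_t /var/spool/anacron"
    snapshot = {"/var/spool/anacron": "system_u:object_r:etc_t:s0",
                "/var/spool/anacron/cron.daily": "system_u:object_r:system_cron_spool_t:s0"}
    for path, cur, exp in find_mislabeled(parse_fc(SAMPLE_FC), snapshot):
        print("restorecon would relabel %s from %s to %s" % (path, cur, exp))
```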
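The log example and audit2allow slides above show an avc: denied line from dmesg and the audit2allow pipeline that turns such lines into candidate allow rules. The following is an added example, not code from the slides or from the audit2allow tool: a Python parser that reads the slides' denial line (and the kernel's usual "{ perm }" form), groups denials by source type, target type and object class the way audit2allow does, and renders them as TE allow rules for review. The extra log lines are constructed, not from a real device.

```python
import re
from collections import defaultdict

# Constructed dmesg excerpt. Line 1 is the slides' log example; lines 2 and 3
# are assumed follow-on denials in the kernel's "{ perm }" form; line 4 is noise.
SAMPLE_DMESG = """\
14.401242 type=1400 audit(112.879:6): avc: denied write for pid=200 comm=app_process name=property_service dev=tmpfs ino=8557 scontext=u:r:zygote:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
<5>[ 14.502111] type=1400 audit(112.980:7): avc: denied { connectto } for pid=200 comm="app_process" path="/dev/socket/property_service" scontext=u:r:zygote:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket
<5>[ 15.100001] type=1400 audit(113.578:8): avc: denied { read } for pid=200 comm="app_process" name="property_service" dev=tmpfs ino=8557 scontext=u:r:zygote:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
<6>[ 15.200000] init: property service started
"""

# Accept "denied { a b } for" (kernel format) and "denied a for" (as reproduced on the slide).
AVC_RE = re.compile(r"avc:\s+denied\s+(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>\w+))\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    d["perms"] = m.group("perms").split() if m.group("perms") else [m.group("perm")]
    return d

def type_of(context):
    """u:r:zygote:s0 -> zygote (the type is the third field of a context)."""
    return context.split(":")[2]

def summarize_denials(text):
    """Group denials by (source type, target type, class), merging permissions,
    which is the grouping audit2allow performs before emitting allow rules."""
    groups = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            groups[(type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

def to_allow_rules(summary):
    """Render the summary as TE allow rules, as audit2allow prints them. Review each
    before adding it: a denial often means a mislabeled file or a process running in
    the wrong domain, which restorecon or a proper domain transition fixes instead."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in to_allow_rules(summarize_denials(SAMPLE_DMESG)):
        print(rule)
```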