SEAndroid: SELinux Adapted to Android
1 SEAndroid: SELinux Adapted to Android
- SEAndroid is an adaptation of SELinux for the embedded Linux kernel and the framework of Android. The adaptation is needed mostly because of Binder.
- Starting from Android Lollipop, SEAndroid is enabled by default.
- SE Android Timeline: Samsung specific
1.1 SEAndroid on my Samsung Note 10.1 P600
shell@lt03wifiue:/ $ ls -l /se*
-rw-r--r-- root root    7477 1969-12-31 19:00 seapp_contexts
-rw-r--r-- root root 1446273 1969-12-31 19:00 sepolicy
-rw-r--r-- root root     235 1969-12-31 19:00 sepolicy_version
- Ignore the date-time stamp
- Not all of the listings shown in these notes are from this one device; check the prompt string of each.
1.2 SEAndroid #3
- SELinux modes
- The Google Play SELinuxModeChanger APK can switch between the modes "permissive" (used in Android 4.3) and "enforcing" (in KitKat).
adb shell su 0 setenforce 1
root@C6833:/ # setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
- setenforce 0 puts it into permissive mode.
- SELinux can cause some rooted apps to break.
1.3 Output of id -Z
- id -Z
- Do note the prompt strings, e.g., shell@C6833:/ $
- The context is at the end. Lines are manually wrapped.
shell@C6833:/ $ id -Z
uid=2000(shell) gid=2000(shell) groups=1004(input),1007(log),
1011(adb),1015(sdcard_rw),1028(sdcard_r),2991(removable_rw),
3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
context=u:r:shell:s0
shell@C6833:/ $ su
root@C6833:/ # id -Z
uid=0(root) gid=0(root) context=u:r:init_shell:s0
1.4 Output of id -Z, on another device
- On Samsung Note 10.1 P600
shell@lt03wifiue:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),
1011(adb),1015(sdcard_rw),1028(sdcard_r),
3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
context=u:r:shell:s0
1.5 /property_contexts
- An SE (security) context is a sequence of four values, colon-separated.
- user : role : type : sensitivity. In the property entries below these are the user u, the role object_r (the role given to objects), a property type such as radio_prop, and the sensitivity s0.
- Contents of /property_contexts (sometimes the path name is given as external/sepolicy/property_contexts):
net.rmnet0 u:object_r:radio_prop:s0
net.gprs u:object_r:radio_prop:s0
net.ppp u:object_r:radio_prop:s0
net.qmi u:object_r:radio_prop:s0
net.lte u:object_r:radio_prop:s0
net.cdma u:object_r:radio_prop:s0
gsm. u:object_r:radio_prop:s0
persist.radio u:object_r:radio_prop:s0
net.dns u:object_r:radio_prop:s0
sys.usb.config u:object_r:radio_prop:s0
ril. u:object_r:rild_prop:s0
net. u:object_r:system_prop:s0
dev. u:object_r:system_prop:s0
runtime. u:object_r:system_prop:s0
hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
service. u:object_r:system_prop:s0
wlan. u:object_r:system_prop:s0
dhcp. u:object_r:system_prop:s0
bluetooth. u:object_r:bluetooth_prop:s0
debug. u:object_r:shell_prop:s0
log. u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tcp.port u:object_r:shell_prop:s0
persist.audio. u:object_r:audio_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
persist.mmac. u:object_r:security_prop:s0
selinux. u:object_r:security_prop:s0
* u:object_r:default_prop:s0
vold. u:object_r:vold_prop:s0
crypto. u:object_r:vold_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
ctl. u:object_r:ctl_default_prop:s0
1.6 se policy
shell@C6833:/ $ ls -l /sepolicy
-rw-r--r-- root root 77338 1970-01-01 05:30 sepolicy
root@pmateti-XE700T1C:~# file /sepolicy
sepolicy: SELinux policy v26 MLS 8 symbols 7 ocons
- The policy file is constructed by a tool from the /file_contexts, /property_contexts, /seapp_contexts and /mac_permissions.xml files.
- /file_contexts labels files at build time (e.g., the system partition) and at run time (e.g., device nodes, service socket files, /data directories created by init.rc, …).
- /property_contexts gives the security context of Android properties for permission checking.
- /seapp_contexts labels app processes and app package directories.
- /system/etc/security/mac_permissions.xml is the middleware MAC policy.
1.7 Sample SE policy
type bluetoothd, domain;
type bluetoothd_exec, exec_type, file_type;
init_daemon_domain(bluetoothd)
allow bluetoothd self:capability { setuid net_raw net_bind_service net_admin };
allow bluetoothd self:socket *;
allow bluetoothd bluetoothd_data_file:dir create_dir_perms;
allow bluetoothd bluetoothd_data_file:file create_file_perms;
unix_socket_connect(bluetoothd, dbus, dbusd)
1.8 se app contexts
root@C6833:/ # more /seapp_contexts
isSystemServer=true domain=system
user=system domain=system_app type=system_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=_app domain=untrusted_app type=app_data_file levelFrom=none
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_app seinfo=shared domain=shared_app type=platform_app_data_file
user=_app seinfo=media domain=media_app type=platform_app_data_file
user=_app seinfo=release domain=release_app type=platform_app_data_file
user=_isolated domain=isolated_app
user=shell domain=shell type=shell_data_file
user=smartcard domain=smartcard type=smartcard_data_file
user=suntrold domain=suntrold type=suntrold_exec
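The entries above are selectors: the uid of a process decides whether it is a named system uid, an ordinary app (_app) or an isolated process (_isolated), and seinfo (the signature class from mac_permissions.xml) then picks among the _app entries, the most specific entry winning. The following is an added example, not code from these notes or from AOSP; the uid constants are taken from the AOSP uid layout as I recall it, and the matching order is a simplified reading of libselinux's seapp lookup, so treat both as assumptions.

```python
# Added example, not code from the notes or from AOSP: picks the domain and
# data-file type for a process from the seapp_contexts listing above.  The
# matching order (most specific entry wins; app uids map to the _app and
# _isolated selectors) is a simplified reading of libselinux's lookup.
AID_APP = 10000             # first app uid, from the AOSP uid layout (assumed)
AID_ISOLATED_START = 99000  # first isolated-process uid (assumed)
AID_USER = 100000           # uid range per Android user (assumed)
# Constructed excerpt of the /seapp_contexts listing shown above.
SEAPP_CONTEXTS = """\
isSystemServer=true domain=system
user=system domain=system_app type=system_data_file
user=radio domain=radio type=radio_data_file
user=_app domain=untrusted_app type=app_data_file levelFrom=none
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_app seinfo=media domain=media_app type=platform_app_data_file
user=_isolated domain=isolated_app
user=shell domain=shell type=shell_data_file
"""
SELECTORS = ("isSystemServer", "user", "seinfo")
SYSTEM_UIDS = {1000: "system", 1001: "radio", 2000: "shell"}  # constructed

def parse_seapp_contexts(text):
    entries = [dict(tok.split("=", 1) for tok in line.split())
               for line in text.splitlines() if line.strip()]
    # Most specific first: system_server entries, then entries that pin
    # more selectors (user, seinfo); ties keep file order.
    entries.sort(key=lambda e: (e.get("isSystemServer") != "true",
                                -sum(k in e for k in SELECTORS)))
    return entries

def selector_for_uid(uid, names=SYSTEM_UIDS):
    """Map a uid to its 'user=' selector: a named system uid, _app or _isolated."""
    appid = uid % AID_USER                    # strip the Android user id
    if appid < AID_APP:
        return names.get(appid, str(appid))
    return "_isolated" if appid >= AID_ISOLATED_START else "_app"

def seapp_lookup(entries, uid, seinfo=None, is_system_server=False):
    """Return (domain, type) from the first entry whose selectors all match."""
    user = selector_for_uid(uid)
    for e in entries:
        if (e.get("isSystemServer") == "true") != is_system_server:
            continue
        if "user" in e and e["user"] != user:
            continue
        if "seinfo" in e and e["seinfo"] != seinfo:
            continue
        return e["domain"], e.get("type")
    return None

ENTRIES = parse_seapp_contexts(SEAPP_CONTEXTS)
```

An app with no recognised seinfo therefore lands in untrusted_app regardless of where its entry sits in the file, which is why the platform signature, not file order, is what separates platform_app from untrusted_app.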
1.9 selinux occurrences
root@C6833:/ # grep -n selinux /*
file_contexts:178:/data/local/tmp/selinux(/.*)? u:object_r:tombstone_data_file:s0
Binary file init matches
init.rc:363: chown system system /sys/fs/selinux/load
init.rc:364: chown system system /sys/fs/selinux/enforce
init.rc:442:on property:selinux.reload_policy=1
property_contexts:44:# selinux non-persistent properties
property_contexts:45:selinux. u:object_r:security_prop:s0
2 References
- http://source.android.com/devices/tech/security/se-linux.html Validating Security-Enhanced Linux in Android. Required reading.
- Stephen Smalley, "Security Enhanced (SE) Android: Bringing Flexible MAC to Android." NDSS 2013 paper, with a few of my annotations: ./SEAndroid-NDSS2013-pm-tab.pdf. Slides: ./seandroid-Presentation02_4.pdf and http://kernsec.org/files/lss2015/lss2014_androidtcb_smalley.pdf. Recommended reading.
- http://www.electronicsweekly.com/eyes-on-android/what-is/what-is-security-enhanced-se-android-2013-03/ 2013 overview. Light reading. Recommended.