From SELinux to SEAndroid: a quick introduction for beginners

Uploader: xx****x  Document ID: 242879863  Upload time: 2024-09-10  Format: PPT  Pages: 23  Size: 79.50KB
Slide 1: SEAndroid Overview
For beginners

Slide 2: 1 From SELinux
Best and short summary

Slide 3: Why
- Integrity (Type Enforcement)
- Confidentiality (Multi Level Security)
- Role Based Access Control

Slide 4: What
SELinux is a security enhancement to Linux which allows users and administrators more control over access control.
DAC and MAC

Slide 5: When
SELinux kernel policy is presently compiled as part of the Android build and added to the ramdisk image so that it can be loaded by init very early in boot, before mounting the system partition.
Once the data partition has been mounted, policy can be updated by placing policy files under a subdirectory of /data/security, creating a symbolic link named current under /data/security to that subdirectory, and setting the selinux.reload_policy property to 1 (setprop selinux.reload_policy 1). This will trigger a reload of policy by init.

Slide 6: Where?
- Kernel: security server, object manager, Access Vector Cache
- User space: coreutils, policy coreutils, checkpolicy
- SELinux policy: configuration data, rules that govern access

Slide 7: Traditional UNIX DAC approach
- Owner controls access to object
- Process with effective UID/GID
- Almighty root user above the rules

Slide 8: SELinux MAC approach
- Policy controls access to objects
- Labeled objects (files, sockets, ...)
- Labeled processes (domains)
- Policy rules
- Concept of "almighty" unconfined processes is defined within policy

Slide 9: DAC of UNIX vs MAC of SELinux
  UNIX DAC                                 SELinux MAC
  UID/GID                                  File context (FC): label
  Process effective user/group: UID/GID    Process domain: label
  setuid()                                 Type Enforcement (TE) rules
  Setuid bit                               Domain transition (+ implicit domain transition rule)

Slide 10: Labels
  $ ls -Z /var/spool/anacron/cron.daily
  -rw-. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily
  $ ps uxZ | grep /usr/sbin/atd
  system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd

Slide 11: Policy
- Delivered via RPM packages: selinux-policy, selinux-policy-targeted
- Reference policy, multiple available
- Modular: file contexts (*.fc), type enforcement rules (*.te), M4 macros and interfaces (*.if)

Slide 12: Labeling rules
- Labeling rules delivered with policy packages
- RPM applies labels upon package installation
- Files inherit labels otherwise
Example cron.fc:
  /etc/cron.d(/.*)?    gen_context(system_u:object_r:system_cron_spool_t,s0)

Slide 13: Type Enforcement rules
- Specified in custom DSL + M4
- Compiled and loaded into kernel at runtime
Example cron.te:
  allow system_cronjob_t cron_log_t:file manage_;

Slide 14: Domains
- TE rules control domain transition
- Transitioned into upon execution of labeled file
- Remember the setuid bit?
- Unconfined domains
Example cron.te:
  init_daemon_domain(system_cronjob_t, anacron_exec_t)

Slide 15: Management tools
- setenforce 1; getenforce
- /var/sysconfig/selinux
- UNIX tools with -Z argument
- semanage
Example:
  # chcon -t etc_t /var/spool/anacron
  # restorecon -v /var/spool/anacron

Slide 16: What if things don't work?
- audit2why, audit2allow to analyze
- restorecon to fix context

Slide 17: 2 To SEAndroid
Android 4.3 was the first Android release version to fully include and enable the SELinux support contributed by the SE for Android project. Android 4.4 is the first release to put SELinux into enforcing mode, beginning by confining a specific set of root daemons.
The Android SELinux support is discussed in

Slide 18: SE for Android app and service logging
SE for Android services will log errors using the standard Android logging service logcat. The entries will generally be categorised by the service, such as SELinuxMMAC, IntentMMAC, MMACtypes. Generally though, there are enough clues to find most errors, and be aware that events logged may change with each update.

Slide 19: Log example
  14.401242 type=1400 audit(112.879:6): avc: denied { write } for pid=200 comm=app_process name=property_service dev=tmpfs ino=8557 scontext=u:r:zygote:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
  E/PackageManager( 281): INTENT_DENIAL: intent:action:android.intent.action.CALL_PRIVILEGED, data:tel:085-2369, callingPid:600, callingPkgs:com.android.providers.contacts,com.android.providers.applications,com.android.contacts,com.android.providers.userdictionary, callingTypes:phone_state_perm,nfc_handler, destPkgs:com.android.phone, destTypes:phone_state_perm,telephony_app

Slide 20: audit2allow
  $ adb shell dmesg | audit2allow
And setpolicy
  $ adb shell dmesg | audit2allow -w
  $ adb shell dmesg | grep avc

Slide 21: Not part of the regular SELinux policy
The property_contexts, seapp_contexts, and mac_permissions.xml configurations are unique to SE for Android ().

Slide 22: SELinux-enabled adb shell commands (in Android toolbox)
  Command      Comment
  chcon        Change security context of file. As the first part of chcon(1) (only supports the context and path parameters): chcon context pathname
  getenforce   Get current enforcing mode: getenforce
  getsebool    Get SELinux boolean value(s): getsebool -a | boolean
  id           Does not take any options. If SELinux is enabled then the security context is automatically displayed.
  load_policy  Load new policy into kernel: load_policy policy-file
  ls           Supports -Z option to display security context.
  restorecon   Restore security context as defined in the file. As restorecon(8) but supports fewer options: restorecon -nrRv pathname
  runcon       Run command in specified security context: runcon context program args
  setenforce   Modify the SELinux enforcing mode: setenforce enforcing|permissive|1|0
  setsebool    Set SELinux boolean to a value (note that the cmd does not set the boolean across reboots): setsebool name 1|true|on|0|false|off

Slide 23: SEAndroid resources
- SELinux
- SEAndroid
- SEAndroid1
- SEAndroid2
- SELinux Test Suite - set up to run on Fedora or RHEL, NOT Android
- The SELinux Notebook - The Foundations
- A Security Policy Configuration for the Security-Enhanced Linux
- Google SELinux documentation
- SEAndroid repositories
- Mako sepolicies in MR2
- Mako sepolicies in KK
- HH sepolicies in KK
- AOSP changes - sepolicy project
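The policy update procedure from slide 5 (new subdirectory under /data/security, a "current" symlink pointing at it, then setprop selinux.reload_policy 1), written out as a shell script. This is an added example, not code from the slides or from AOSP; the file name "sepolicy", the subdirectory naming and the optional root-directory parameter (so it can be exercised on a workstation) are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): stage a policy update as slide 5
# describes it. The security root is a parameter so the same function can be
# run against a scratch directory off-device.

# stage_policy_update SRC_DIR [SECURITY_ROOT]
#   SRC_DIR        directory holding the new policy files; a file named
#                  "sepolicy" is assumed to be the compiled kernel policy
#   SECURITY_ROOT  defaults to /data/security (the device path from slide 5)
# Prints the path of the newly created policy directory on success.
stage_policy_update() {
    src=$1
    root=${2:-/data/security}
    if [ ! -f "$src/sepolicy" ]; then
        echo "stage_policy_update: no sepolicy in $src" >&2
        return 1
    fi
    mkdir -p "$root" || return 1
    # The subdirectory name is an assumption; init only follows "current".
    dest=$(mktemp -d "$root/policy.XXXXXX") || return 1
    cp "$src"/* "$dest"/ || return 1
    # Swap the symlink rather than editing files under the old tree, so a
    # reader of "current" sees either the old tree or the complete new one.
    rm -f "$root/current"
    ln -s "$dest" "$root/current" || return 1
    # Only a device has setprop; elsewhere just report what would be run.
    if command -v setprop >/dev/null 2>&1; then
        setprop selinux.reload_policy 1
    else
        echo "would run: setprop selinux.reload_policy 1" >&2
    fi
    echo "$dest"
}

# current_policy_dir [SECURITY_ROOT]: resolve the "current" symlink, or fail
# if there is none (i.e. the built-in ramdisk policy is still in use).
current_policy_dir() {
    root=${1:-/data/security}
    [ -L "$root/current" ] || return 1
    readlink "$root/current"
}

# Stand-alone demo on a scratch directory with a constructed (empty) sepolicy.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    mkdir "$work/new" && : > "$work/new/sepolicy"
    stage_policy_update "$work/new" "$work/security"
    current_policy_dir "$work/security"
    rm -rf "$work"
fi
```

Run it with `sh stage_policy.sh --demo` on a workstation to see the layout it produces; on a device the same function, called with the default root, ends by setting the property that makes init reload policy.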
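Slides 19 and 20 show an AVC denial line and the `adb shell dmesg | grep avc` / audit2allow workflow. The script below, an added example that is not part of the slides or of any SELinux tool, does the triage step in between: it parses the denial lines, counts them per (source type, target type, class, permission) and renders the allow rule each group would need in the form of slide 13, so that the denials can be reviewed together with `audit2allow -w` before any rule is considered. The log lines are constructed samples; the first copies the zygote denial from slide 19, the others use a hypothetical daemon.

```shell
#!/bin/sh
# Added example (not from the slides): triage AVC denials from dmesg/logcat
# with sh + awk only, before reaching for audit2allow.

# summarize_avc: read kernel/logcat lines on stdin and print one line per
# distinct (source type, target type, class, permission), most frequent first:
#     count <TAB> source_type <TAB> target_type <TAB> tclass <TAB> permission
summarize_avc() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # keep only what is inside { ... }
        sub(/ *[}].*/, "", perms)
        scontext = ""; tcontext = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) scontext = substr($i, 10)
            else if ($i ~ /^tcontext=/) tcontext = substr($i, 10)
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        # a context is user:role:type[:level]; the type is what TE rules name
        split(scontext, s, ":"); split(tcontext, t, ":")
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            count[s[3] "\t" t[3] "\t" tclass "\t" p[j]]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# render_allow_rules: turn summarize_avc output into the TE rule each group of
# denials would need, "allow src tgt:class { perms };" as on slide 13.
# Check each one against audit2allow -w before it goes anywhere near a policy.
render_allow_rules() {
    awk -F '\t' '
    NF == 5 {
        key = $2 "\t" $3 "\t" $4
        if (!(key in perms)) perms[key] = $5
        else if (index(" " perms[key] " ", " " $5 " ") == 0) perms[key] = perms[key] " " $5
    }
    END {
        for (k in perms) {
            split(k, f, "\t")
            print "allow " f[1] " " f[2] ":" f[3] " { " perms[k] " };"
        }
    }' | sort
}

# Constructed sample: the zygote denial from slide 19 (twice), one denial of a
# hypothetical daemon with two permissions, and a non-AVC line to be ignored.
SAMPLE_LOG='<4>[   14.401242] type=1400 audit(112.879:6): avc: denied { write } for pid=200 comm="app_process" name="property_service" dev=tmpfs ino=8557 scontext=u:r:zygote:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
<4>[   14.401300] type=1400 audit(112.880:7): avc: denied { read write } for pid=412 comm="sample_daemon" name="sample.conf" dev=tmpfs ino=9001 scontext=u:r:sample_daemon:s0 tcontext=u:object_r:sample_file:s0 tclass=file
<4>[   14.401310] type=1400 audit(112.881:8): avc: denied { write } for pid=200 comm="app_process" name="property_service" dev=tmpfs ino=8557 scontext=u:r:zygote:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
I/ServiceManager(  100): unrelated line'

if [ "${1:-}" = "--demo" ]; then
    # on a device the input would be: adb shell dmesg | summarize_avc
    printf '%s\n' "$SAMPLE_LOG" | summarize_avc
    printf '%s\n' "$SAMPLE_LOG" | summarize_avc | render_allow_rules
fi
```

The summary is what you want first: a denial repeated hundreds of times for one domain is usually a mislabeled file (fix with restorecon, slide 16), while a single denial of an unexpected permission deserves a look at the process, not at the policy.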