SElinux-2

Source: Internet | Editor: 程序博客网 | Time: 2024/05/21 02:20
9. SELinux Commands
1. SELinux Commands.
Reference (http://selinuxproject.org/page/NB_SEforAndroid_1):
Command       Comment
chcon         Change security context of file:
                  chcon context path
getenforce    Returns the current enforcing mode.
                  getenforce
getsebool     Returns SELinux boolean value(s):
                  getsebool [-a | boolean_name]
id            If SELinux is enabled then the security context is automatically displayed.
load_policy   Load new policy into kernel:
                  load_policy policy-file
ls            Supports -Z option to display security context.
ps            Supports -Z option to display security context.
restorecon    Restore file default security context as defined in the file_contexts or seapp_contexts files. The options are: D - data files, F - Force reset, n - do not change, R/r - Recursive change, v - Show changes.
                  restorecon [-DFnrRv] pathname
runcon        Run command in specified security context:
                  runcon context program args...
setenforce    Modify the SELinux enforcing mode:
                  setenforce [enforcing|permissive|1|0]
setsebool     Set SELinux boolean to a value (note that the cmd does not set the boolean across reboots):
                  setsebool boolean_name [1|true|on|0|false|off]
 

2. Init.rc Commands.
seclabel <securitycontext>

service option: Change to security context before exec'ing this service. Primarily for use by services run from the rootfs, e.g. ueventd, adbd. Services on the system partition can instead use policy defined transitions based on their file security context. If not specified and no transition is defined in policy, defaults to the init context.

restorecon <path>

action command: Restore the file named by <path> to the security context specified in the file_contexts configuration. Not required for directories created by the init.rc as these are automatically labeled correctly by init.

restorecon_recursive <path> [ <path> ]*

action command: Recursively restore the directory tree named by <path> to the security context specified in the file_contexts configuration. Do NOT use this with paths leading to shell-writable or app-writable directories, e.g. /data/local/tmp, /data/data or any prefix thereof.

See the Checking File Labels section for further details.

setcon <securitycontext>

action command: Set the current process security context to the specified string. This is typically only used from early-init to set the init context before any other process is started (see init.rc example above).

setenforce 0|1

action command: Set the SELinux system-wide enforcing status. 0 is permissive (i.e. log but do not deny), 1 is enforcing.

setsebool <name> <value>

action command: Set SELinux boolean <name> to <value>.

<value> may be 1|true|on or 0|false|off
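Both the restorecon command and init's restorecon / restorecon_recursive actions above derive a label from file_contexts. The following is an added example (not code from the original post and not Android's or libselinux's own implementation) that models that lookup over a constructed file_contexts excerpt: each line is a regex that must match the whole path, an optional inode-type flag, and a context; as in libselinux, the last matching entry wins, which is why a broad /data(/.*)? entry can be refined by later, more specific lines. The sample entries and contexts are constructed for illustration.

```python
import re

# Constructed sample of file_contexts entries (not copied from any device build).
# Each line: <path regex> [<file type flag>] <security context>; the regex must
# match the whole path, and "<<none>>" means "leave this path unlabelled".
SAMPLE_FILE_CONTEXTS = """\
# blank lines and comments are ignored
/                          u:object_r:rootfs:s0
/dev(/.*)?                 u:object_r:device:s0
/dev/block(/.*)?           u:object_r:block_device:s0
/dev/socket(/.*)?          u:object_r:socket_device:s0
/data(/.*)?                u:object_r:system_data_file:s0
/data/local/tmp(/.*)?      u:object_r:shell_data_file:s0
/data/data(/.*)?           u:object_r:app_data_file:s0
/system/bin/app_process.*  --  u:object_r:zygote_exec:s0
/proc                      <<none>>
"""

# Optional second column: which inode type the entry applies to (libselinux flags).
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
              "-b": "block", "-s": "socket", "-p": "fifo"}


def parse_file_contexts(text):
    """Parse file_contexts text into (compiled regex, file type or None, context)
    tuples, preserving file order because order decides precedence."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, context = fields
            if flag not in TYPE_FLAGS:
                raise ValueError("unknown file type flag %r in %r" % (flag, raw))
            ftype = TYPE_FLAGS[flag]
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None          # applies to every inode type
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        specs.append((re.compile(pattern), ftype, context))
    return specs


def lookup_context(specs, path, ftype="file"):
    """Return the context restorecon would apply to `path`, or None when no
    entry matches or the matching entry is <<none>>.  As in libselinux, the
    LAST matching entry wins, so a later, more specific regex overrides an
    earlier, broader one."""
    for regex, spec_type, context in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.fullmatch(path):
            return None if context == "<<none>>" else context
    return None


SPECS = parse_file_contexts(SAMPLE_FILE_CONTEXTS)

if __name__ == "__main__":
    for p in ("/dev/block/mmcblk0", "/data/local/tmp/x",
              "/data/data/com.example/f", "/proc"):
        print(p, "->", lookup_context(SPECS, p))
```

The ordering rule is the practical reason the text warns against restorecon_recursive on shell- or app-writable trees: whatever a later entry says, every path under /data/local/tmp or /data/data is relabelled to the context the table yields, regardless of who created the file.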

SELinux Policy
10. SEAndroid Policy Files

1. SELinux Policy Path.
 There are two paths:
 Google original: alps/external/sepolicy/XXX.te  (normally not recommended to modify)
 MTK: alps/device/mediatek/common/sepolicy/XXX.te
 All policy sources are finally compiled together as a union (merged).
 
 
2. SELinux Policy Files. external/sepolicy/*
 access_vectors, security_classes
  : SE for Android classes and permissions.
 initial_sids, initial_sids_contexts
  : initial SIDs
 fs_use, genfs_contexts, port_contexts
  : file system labels
 users, roles
  : only the user (u) and role (r) used by the policy
 mls
  : Contains the constraints applied to the defined classes and permissions.
 global_macros, mls_macros, te_macros
  : macros used in policy definitions
 attributes
  : Contains the attribute names that will be used to group type identifiers defined by the policy.
 policy_capabilities
  : Contains the policy capabilities enabled for the kernel policy
 *.te
  : Contains all type enforcement policy for processes and resources
 file_contexts
  : contains default file contexts for labelling the filesystem, as in standard SELinux
 property_contexts
  : contains default contexts to be applied to Android property services
 service_contexts
  : Contains default contexts for Android services
 seapp_contexts
  : contains information that allows domain or file contexts to be computed based on parameters
 mac_permissions.xml
  : contains information that allows apk install permissions and mappings to SELinux domains
 selinux-network.sh
  : If using iptables, then the information may be configured in this file as part of the build.
 

  
3. SELinux Files on the Phone
 The key SELinux policy configuration files on the phone are:
 /sepolicy : the compiled sepolicy binary produced from all SELinux policy sources
 /file_contexts : security contexts of system files and device nodes
 /seapp_contexts : configuration zygote uses to set the security context of apps
 /service_contexts : security contexts bound to services
 /property_contexts : security contexts bound to properties
 /system/etc/security/mac_permissions.xml : defines the security context type of apps
 /selinux_version : corresponds to the system property ro.build.fingerprint
 /selinux_network.sh : configures SELinux access to the network side

 Temporary settings: /data/security/current/

 On KK (KitKat) SELinux was experimental, and files such as file_contexts and seapp_contexts preferred the special copies under /data/security/current.
 On L (Lollipop), android.c uses a dedicated decision function, set_policy_index, which compares
 /selinux_version
 /data/security/current/selinux_version

 Only when both files exist and are completely identical are the files under /data/security/current used; in every other case the configuration files in the root directory are used.
 selinux_version stores the build's BUILD_FINGERPRINT, i.e. the system property ro.build.fingerprint.
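As an added example (not the post's code and not a copy of android.c's set_policy_index), the selection rule just described can be modelled as a small function and exercised against throw-away directories: the override directory is chosen only when both selinux_version files exist and match byte for byte. The file list, directory layout and the fingerprint strings in the demo are constructed for this example.

```python
import os
import tempfile

# Files the text lists as living both in the root directory and, optionally,
# under the temporary override directory /data/security/current.
POLICY_FILES = ("sepolicy", "file_contexts", "seapp_contexts",
                "service_contexts", "property_contexts", "selinux_version")


def _read_bytes(path):
    """Return file contents, or None if the path is absent or not a regular file."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()


def use_override_dir(root="/", override="/data/security/current"):
    """Model of the set_policy_index decision described above: the override
    directory is used only if BOTH selinux_version files exist and are
    byte-for-byte identical (same ro.build.fingerprint)."""
    root_ver = _read_bytes(os.path.join(root, "selinux_version"))
    over_ver = _read_bytes(os.path.join(override, "selinux_version"))
    return root_ver is not None and over_ver is not None and root_ver == over_ver


def resolve_policy_file(name, root="/", override="/data/security/current"):
    """Path of the policy file that would be loaded for `name`."""
    if name not in POLICY_FILES:
        raise ValueError("unknown policy file %r" % name)
    base = override if use_override_dir(root, override) else root
    return os.path.join(base, name)


def simulate(root_fingerprint, override_fingerprint):
    """Build a throw-away root and override directory with the given
    selinux_version contents (None = file missing) and report whether the
    override directory would be selected.  Constructed for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        override = os.path.join(tmp, "data", "security", "current")
        os.makedirs(root)
        os.makedirs(override)
        if root_fingerprint is not None:
            with open(os.path.join(root, "selinux_version"), "wb") as f:
                f.write(root_fingerprint)
        if override_fingerprint is not None:
            with open(os.path.join(override, "selinux_version"), "wb") as f:
                f.write(override_fingerprint)
        chosen = resolve_policy_file("file_contexts", root, override)
        return chosen.startswith(override)


if __name__ == "__main__":
    fp = b"Android/aosp_example/example:5.0/LRX21M/001:userdebug/test-keys"  # constructed
    print("same:", simulate(fp, fp), " differs:", simulate(fp, fp + b"x"),
          " missing:", simulate(fp, None))
```

The comparison is deliberately an exact byte comparison rather than a prefix or version-number check: a stale override left behind by a previous build must never shadow the policy files shipped in the root directory of the current build.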

11. Understand SEAndroid Policy

1. Security Classes and Permissions
 SELinux defines a class for each kind of "object" in the system: the ordinary file, the socket, the security class used by SELinux itself, the process class covering each process's attributes, and so on. Each class has its own set of permissions: file has read, write, create, getattr, setattr, lock, ioctl, etc.; process has fork, sigchld, sigkill, ptrace, getpgid, setpgid, etc.

 In SEAndroid, external/sepolicy/access_vectors defines the classes together with the permissions they carry, and security_classes declares these classes.

 For example, file:
 external/sepolicy/access_vectors
 #
 # Define a common prefix for file access vectors.
 #
 common file
 {
  ioctl
  read
  write
  create
  getattr
  setattr
  lock
  relabelfrom
  relabelto
  append
  unlink
  link
  rename
  execute
  swapon
  quotaon
  mounton
 }
 
 ==============>
 
 class file
 inherits file
 {
  execute_no_trans
  entrypoint
  execmod
  open
  audit_access
 }
 
 =============>
 external/sepolicy/security_classes
 class file
 
 Note that these definitions are tightly coupled to the corresponding kernel APIs; ordinary users must never modify them.
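To make the common / class / inherits relationship concrete, here is an added example (not code from the post or from AOSP) that parses text in the access_vectors syntax shown above and expands each class into the full permission list the kernel checks against. The common file block and class file are the page's own; class dir (inherits without a body) and class binder (no common) are constructed additions so the parser covers both shapes.

```python
# Constructed excerpt in the access_vectors syntax shown above: the `common file`
# block and `class file` are the page's own, `class dir` and `class binder` are
# added here to show inheritance without a body and a class without a common.
SAMPLE_ACCESS_VECTORS = """\
#
# Define a common prefix for file access vectors.
#
common file
{
    ioctl read write create getattr setattr lock relabelfrom relabelto
    append unlink link rename execute swapon quotaon mounton
}

class file
inherits file
{
    execute_no_trans entrypoint execmod open audit_access
}

class dir
inherits file

class binder
{
    call transfer set_context_mgr impersonate
}
"""


def _tokenize(text):
    """Strip comments and split into words, treating braces as separate tokens."""
    tokens = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        tokens.extend(line.replace("{", " { ").replace("}", " } ").split())
    return tokens


def _read_block(tokens, i):
    """tokens[i] must be '{'; return (permission list, index after '}')."""
    if tokens[i] != "{":
        raise ValueError("expected '{' at token %d" % i)
    i += 1
    perms = []
    while tokens[i] != "}":
        perms.append(tokens[i])
        i += 1
    return perms, i + 1


def parse_access_vectors(text):
    """Return {class name: [permissions]} with inherited common permissions
    expanded, i.e. the full access vector the kernel checks for that class."""
    commons, classes = {}, {}
    tokens = _tokenize(text)
    i = 0
    while i < len(tokens):
        keyword = tokens[i]
        if keyword == "common":
            name = tokens[i + 1]
            perms, i = _read_block(tokens, i + 2)
            commons[name] = perms
        elif keyword == "class":
            name = tokens[i + 1]
            i += 2
            perms = []
            if i < len(tokens) and tokens[i] == "inherits":
                perms = list(commons[tokens[i + 1]])   # KeyError if the common is unknown
                i += 2
            if i < len(tokens) and tokens[i] == "{":
                own, i = _read_block(tokens, i)
                perms += own
            if len(set(perms)) != len(perms):
                raise ValueError("duplicate permission in class %s" % name)
            classes[name] = perms
        else:
            raise ValueError("unexpected token %r" % keyword)
    return classes


def has_permission(classes, cls, perm):
    """Would an `allow ... :<cls> <perm>;` rule refer to a permission that exists?"""
    return perm in classes.get(cls, ())


CLASSES = parse_access_vectors(SAMPLE_ACCESS_VECTORS)

if __name__ == "__main__":
    for name, perms in CLASSES.items():
        print("%-7s %2d permissions: %s" % (name, len(perms), " ".join(perms)))
```

The 17 common permissions plus the 5 file-specific ones give file its 22-entry access vector, while dir ends up with exactly the 17 common ones; a rule granting dir execute_no_trans would therefore be rejected at policy compile time, which is the kind of consistency check has_permission mirrors.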
 
2. SE for Android Classes and Permissions
 Besides the classes/permissions defined by the kernel by default, Google also defined several classes/permissions for SEAndroid that are used from user space. They are:

binder class - This is a kernel object to manage the Binder IPC service.
Permission        Description (4 unique permissions)
call              Perform a binder IPC to a given target process (can A call B?).
impersonate       Perform a binder IPC on behalf of another process (can A impersonate B on an IPC?).
                  Not currently used in policy but kernel (selinux/hooks.c) checks permission in selinux_binder_transaction call.
set_context_mgr   Register self as the Binder Context Manager aka servicemanager (global name service). Can A set the context manager to B, where normally A == B.
                  See policy module servicemanager.te.
transfer          Transfer a binder reference to another process (can A transfer a binder reference to B?).

zygote class - This is a userspace object to manage the Android application loader. See Java SELinux.checkSELinuxAccess() in frameworks/base/core/java/com/android/internal/os/ZygoteConnection.java
Permission         Description (4 unique permissions)
specifyids         Peer may specify uid's or gid's.
specifyrlimits     Peer may specify rlimits.
specifyinvokewith  Peer may specify --invoke-with to launch Zygote with a wrapper command.
specifyseinfo      Specify a seinfo string for use in determining the app security label.

property_service class - This is a userspace object to manage the Android Property Service. See check_mac_perms() in system/core/init/property_service.c
Permission   Description (1 unique permission)
set          Set a property.

service_manager class - This is a userspace object to manage Android services. See check_mac_perms() in frameworks/native/cmds/servicemanager/service_manager.c
Permission   Description (3 unique permissions)
add          Add a service.
find         Find a service.
list         List services.

keystore_key class - This is a userspace object to manage the Android keystore (see system/security/keystore/keystore.cpp).
Permission   Description (16 unique permissions)
test         Test if keystore okay.
get          Get key.
insert       Insert/update key.
delete       Delete key.
exist        Check if key exists.
saw          Search for matching string.
reset        Reset keystore.
password     Generate new keystore password.
lock         Lock keystore.
unlock       Unlock keystore.
zero         Check if keystore empty.
sign         Sign data.
verify       Verify data.
grant        Add or remove access.
duplicate    Duplicate the key.
clear_uid    Clear keys for this uid.

debuggerd class - This is a userspace object to allow file dumps (see system/core/debuggerd/debuggerd.cpp).
Permission       Description (2 unique permissions)
dump_tombstone   Write tombstone file.
dump_backtrace   Write backtrace file.

drmservice class - This is a userspace object to allow finer access control of the Digital Rights Management services (see frameworks/av/drm/drmserver/DrmManagerService.cpp).
Permission               Description (8 unique permissions)
consumeRights            Consume rights for content.
setPlaybackStatus        Set the playback state.
openDecryptSession       Open the DRM session for the requested DRM plugin.
closeDecryptSession      Close DRM session.
initializeDecrypSession  Initialise the decrypt resources.
decrypt                  Decrypt data stream.
finalizeDecryptUnit      Release DRM resources.
pread                    Read the data stream.

 
3. Multi-Level Security and Multi-Category Security
 Google has defined the MLS/MCS framework but does not really use it yet. The relevant policy code lives mainly in mls and mls_macros.
 For example:
 # Process read operations: No read up unless trusted.
 mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
    (l1 dom l2 or t1 == mlstrustedsubject);
 # Process write operations:  No write down unless trusted.
 mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
    (l1 domby l2 or t1 == mlstrustedsubject);

 But at present mls_num_sens=1 and mls_num_cats=1024: every process has the same level (there is only one sensitivity), and no process actually uses the level attribute, so we can ignore MLS/MCS for now.
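The two constraints above read naturally once dom and domby are spelled out. The following added example (not the post's code and not libsepol's constraint evaluator) implements level dominance for the general case of sensitivities plus category sets and ranges, which goes beyond the single-sensitivity configuration the text describes, and then evaluates the quoted mlsconstrain rules for a given source level l1, target level l2 and the mlstrustedsubject escape hatch. Level strings and permission sets are the page's own notation; the helper names are this example's.

```python
import re

_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


def parse_level(level):
    """Parse an MLS level such as 's0', 's0:c1,c2' or 's0:c0.c3' (a range)
    into (sensitivity, frozenset of category numbers)."""
    m = _LEVEL_RE.match(level)
    if not m:
        raise ValueError("bad level %r" % level)
    sens = int(m.group(1))
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:                      # c0.c3 means c0, c1, c2, c3
                lo, hi = part.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                cats.add(int(part[1:]))
    return sens, frozenset(cats)


def dom(l1, l2):
    """l1 dominates l2: higher-or-equal sensitivity and a superset of categories."""
    s1, c1 = parse_level(l1)
    s2, c2 = parse_level(l2)
    return s1 >= s2 and c1 >= c2


def domby(l1, l2):
    """l1 is dominated by l2 (the mirror of dom)."""
    return dom(l2, l1)


# The two constraints quoted above, as permission sets and predicates.
READ_PERMS = {"getsched", "getsession", "getpgid", "getcap", "getattr", "ptrace", "share"}
WRITE_PERMS = {"sigkill", "sigstop", "signal", "setsched", "setpgid", "setcap",
               "setrlimit", "ptrace", "share"}


def mls_allows(perm, l1, l2, t1_is_mlstrustedsubject=False):
    """Evaluate the mlsconstrain rules for one process permission.  l1 is the
    source (subject) level, l2 the target level; the type-enforcement allow
    rule still has to pass separately.  True means MLS does not block it."""
    ok = True
    if perm in READ_PERMS:        # no read up unless trusted
        ok = ok and (dom(l1, l2) or t1_is_mlstrustedsubject)
    if perm in WRITE_PERMS:       # no write down unless trusted
        ok = ok and (domby(l1, l2) or t1_is_mlstrustedsubject)
    return ok


if __name__ == "__main__":
    for perm in ("getattr", "signal", "ptrace"):
        print(perm, "s0:c1 -> s0:c1,c2:", mls_allows(perm, "s0:c1", "s0:c1,c2"))
```

Two things fall out of running it: ptrace and share sit in both sets, so they are permitted only between equal levels unless the source type carries mlstrustedsubject; and with every process at plain s0, as the text says is the case today, dom and domby both hold trivially and the constraints never deny anything.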
 
4. Attribute and Type
 This is one of the key points of SELinux: every file has a unique security context, and in the current version the type is the most important field of the security context. In other words, every file corresponds to one type, and every type corresponds to one or several attributes.
 All common attributes are defined in external/sepolicy/attributes, for example:
 # All types used for devices.
 attribute dev_type;
 # All types used for processes.
 attribute domain;
 # All types used for filesystems.
 attribute fs_type;
 # All types used for context= mounts.
 attribute contextmount_type;

 Type definitions are more scattered; the main ones are:
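The type-to-attribute grouping described in this section can be exercised with the following added example (not the post's code and not the policy compiler): it parses attribute declarations, type declarations of the form `type name, attr, ...;` and `typeattribute name attr;` statements, rejects references to undeclared attributes, and answers the two questions a reviewer usually asks, which types does an attribute cover and does the type in a given u:r:type:level context carry an attribute. The attribute lines are the ones quoted above; the type names (init, shell, block_device, rootfs) and the context strings are constructed for this example.

```python
import re

# Constructed policy excerpt: the attribute lines are the ones quoted above
# (external/sepolicy/attributes); the type and typeattribute lines are
# hypothetical *.te-style declarations added for this example.
SAMPLE_POLICY = """\
# All types used for devices.
attribute dev_type;
# All types used for processes.
attribute domain;
# All types used for filesystems.
attribute fs_type;
# All types used for context= mounts.
attribute contextmount_type;
attribute mlstrustedsubject;

type init, domain;
type shell, domain;
type block_device, dev_type;
type rootfs, fs_type;
typeattribute init mlstrustedsubject;
"""

_ATTR_RE = re.compile(r"^attribute\s+(\w+)\s*;$")
_TYPE_RE = re.compile(r"^type\s+(\w+)\s*(?:,\s*([\w\s,]+?))?\s*;$")
_TYPEATTR_RE = re.compile(r"^typeattribute\s+(\w+)\s+([\w\s,]+?)\s*;$")


def _check_known(attrs, attributes, line):
    unknown = attrs - attributes
    if unknown:
        raise ValueError("undeclared attribute(s) %s in: %s" % (sorted(unknown), line))


def parse_policy(text):
    """Return (attributes, types) where types maps each type name to the set
    of attributes it carries.  Unknown attributes or types are rejected."""
    attributes, types = set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m_attr = _ATTR_RE.match(line)
        m_type = _TYPE_RE.match(line)
        m_typeattr = _TYPEATTR_RE.match(line)
        if m_attr:
            attributes.add(m_attr.group(1))
        elif m_type:
            name, attr_list = m_type.group(1), m_type.group(2)
            attrs = {a.strip() for a in attr_list.split(",")} if attr_list else set()
            _check_known(attrs, attributes, line)
            types[name] = attrs
        elif m_typeattr:
            name, attr_list = m_typeattr.group(1), m_typeattr.group(2)
            if name not in types:
                raise ValueError("typeattribute on undeclared type: %s" % line)
            attrs = {a.strip() for a in attr_list.split(",")}
            _check_known(attrs, attributes, line)
            types[name] |= attrs
        else:
            raise ValueError("unsupported statement: %s" % line)
    return attributes, types


def policy_errors(text):
    """Return the rejection message for a policy excerpt, or None if it parses."""
    try:
        parse_policy(text)
    except ValueError as e:
        return str(e)
    return None


def types_with_attribute(types, attr):
    """All types grouped under `attr` (what an allow rule on the attribute covers)."""
    return {t for t, attrs in types.items() if attr in attrs}


def context_type(context):
    """Extract the type field from a u:r:type:level security context string."""
    fields = context.split(":", 3)
    if len(fields) != 4:
        raise ValueError("bad security context %r" % context)
    return fields[2]


def context_has_attribute(types, context, attr):
    """Does the type in this security context carry the attribute?"""
    return attr in types.get(context_type(context), set())


ATTRIBUTES, TYPES = parse_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    print("domain covers:", sorted(types_with_attribute(TYPES, "domain")))
    print("shell is a domain:", context_has_attribute(TYPES, "u:r:shell:s0", "domain"))
```

Because allow rules are routinely written against attributes rather than individual types, types_with_attribute is the question to ask when reviewing a rule such as one granting something to domain: it shows every process type the rule silently includes.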