How to not disable SELinux
A talk about handling SELinux for Android ROM cookers.
1. How to NOT disable SELinux on Android

2. SPEAKERS
Rémy Gottschalk
● SoftAtHome: 3 years, Linux system for HGW and STB
● Genymobile: 3 years, ROM cooking
Guillaume Vercoutère
● Mindscape: 2 years, Linux system on the Karotz
● Genymobile: 3 years, ROM cooking

3-4. FOREWORD: Motivation
What is the most popular search associated with "SELinux" (according to Google Trends)?
"Disable SELinux"

5. AGENDA
01 SELinux in a nutshell
02 Impact on Android
03 SE policy in practice

6. 01 SELinux in a nutshell

7. INTRO TO SELINUX: Unix permissions (Discretionary Access Control)
· User / Group
· Permissions mask (rwxs)
· Permissions may be passed from one object to another
· All-powerful root user

8. INTRO TO SELINUX: Linux capabilities
Divides root's privileges into subsets
· Limits root's power
· Examples:
  · reboot (CAP_SYS_BOOT)
  · bypass file permissions (CAP_DAC_READ_SEARCH)

9. INTRO TO SELINUX: Limits of Unix permissions
· root bypasses everything
· Lack of granularity
· No confinement

10. INTRO TO SELINUX: Security flaws, Skype #opendata (CVE-2011-1717)
· The app controls the permissions of its own data
· It set them world-readable (666)
· No encryption
· Any app could read the Skype app's data
With SELinux categories (MCS):
· Each app is confined
· Access to another app's data is blocked

11. INTRO TO SELINUX: Security flaws, Rage against the cage ("CVE-2010-EASY")
· Fork self until RLIMIT_NPROC is reached
· Find adbd's pid in /proc and kill it so that it restarts
· adbd's setuid() call fails, so it stays root
· The shell can run as root
With SELinux:
· Reading /proc/<pid>/ and signalling adbd: denied
· The shell stays unprivileged

12. INTRO TO SELINUX: SELinux (Mandatory Access Control)
· Complements Unix permissions
· Confines daemons
· Sandboxes applications
· Centralized policy
· Deny by default

13. INTRO TO SELINUX: Timeline
90's: DTMach, DTOS, Flask
2000: SELinux released as a patchset on kernel 2.4.0
2003: SELinux mainlined in kernel 2.6.0
14. INTRO TO SELINUX: Who?
· National Security Agency
· Secure Computing Corp.
· University of Utah

15. INTRO TO SELINUX: Where? Linux kernel
· Mainline
· Open source
· Path: security/selinux

16. INTRO TO SELINUX: Where? Userland
· Open source
· github.com/SELinuxProject/selinux (submit bug reports and patches to NSA)
· github.com/TresysTechnology: setools, refpolicy

17. INTRO TO SELINUX: Basics

18. INTRO TO SELINUX: Policy mechanisms
· Role Based Access Control (RBAC)
· Type Enforcement (TE)
· Multi Level / Multi Category Security (MLS / MCS, optional)

19. INTRO TO SELINUX: Type enforcement, basics

20. INTRO TO SELINUX: Who's who? Labels
Labels are the metadata associated with each subject and object:
    user:role:type:sensitivity:category
· user: the SELinux user, not the Unix user
· role: used by RBAC
· type: used by TE
· sensitivity: used by MLS (optional)
· category: used by MCS (optional)

21. INTRO TO SELINUX: Type enforcement rules
    [rule_name] [subject type] [object type]:[object class] [perm set]
    allow user_t user_home_t:file { create read write };
    allow netd sysfs:file { write };
    neverallow user_t sysfs:file { write };
A neverallow is a build-time assertion: the policy compiler rejects a policy in which any allow rule (including one added later in a device directory) grants what a neverallow forbids.

22. INTRO TO SELINUX: Type enforcement, the main security mechanism
● Denial by default
● Access rules:
  ● allow
  ● neverallow
  ● much more
● Domain and type transitions

23. 02 Impact on Android
24. IMPACT ON ANDROID: History
4.1: Hello world
● SELinux introduced
● Not enabled
4.3: Enabled ...
● ... but permissive
4.4: Enforcing
● Confines a minimal set of root daemons
● Still permissive for the rest

25. IMPACT ON ANDROID: History
5.0: Policy hardening
● All system services and apps are confined
● Only the kernel and init are unconfined
● Basic CTS tests for the SELinux policy
6.0: Fine tuning
● No more unconfined domain
● Users are confined
● More neverallows
● BOARD_SEPOLICY_UNION / IGNORE / REPLACE dropped

26. IMPACT ON ANDROID: Main components
SELinux
● external/libselinux
● external/selinux
Base policy
● external/sepolicy
Policy extensions (optional)
● device/[...]/sepolicy
● vendor/[...]/sepolicy
SELinux-aware code
● art/runtime
● bootable/recovery
● system/core/adb
● system/core/fastboot
● system/core/init
● ...

27. IMPACT ON ANDROID: How to disable (and why it is no shortcut)
Kernel
● SELinux must be enabled in the kernel configuration
● Deactivation from the kernel command line: selinux=0 (only honoured if the kernel was built with CONFIG_SECURITY_SELINUX_BOOTPARAM)
system/core/init, compile-time flag ALLOW_DISABLE_SELINUX
● Set only when the build variant is userdebug or eng
● Makes init read the kernel command-line argument androidboot.selinux (disabled / permissive)
On a user build the flag is absent and init ignores androidboot.selinux; CTS also checks that the device is enforcing (slide 35). None of this replaces a correct policy.

28. IMPACT ON ANDROID: Policy implementation
Type enforcement only. Labels:
● One user: u
● One role for subjects: r
● One role for objects: object_r
● No MLS, a single range: s0
● Categories for apps: c[...]
● Mainly relies on the type

29. IMPACT ON ANDROID: Label examples
Subject, the init process: u:r:init:s0
Object, the /init file: u:object_r:init_exec:s0

30. IMPACT ON ANDROID: Application confinement
MCS is used to confine applications. Categories are built from one, both or none of:
● the application UID
● the Android user ID (AOSP default: both)
Example of a fully confined environment:
    com.android.calendar process: u:r:untrusted_app:s0:c22,c256,c512,c768
    /data/data/com.android.calendar/ directory: u:object_r:app_data_file:s0:c22,c256,c512,c768
An app can only reach an object whose categories are a subset of its own, so an app data directory with a different category set (or with categories where the app has none) is out of reach even though both sides share the app_data_file type.

31. IMPACT ON ANDROID: Labeling subjects (processes)
● seapp_contexts: Android applications
    user=system seinfo=platform domain=system_app type=system_app_data_file
    user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=all
    user=_app domain=untrusted_app type=app_data_file levelFrom=all
user=_app matches any application uid; seinfo is the string mac_permissions.xml assigns from the app's signing certificate; levelFrom=all derives the MCS categories from both the app id and the Android user id.
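The two slides above describe how levelFrom=all turns a uid into the c22,c256,c512,c768 category set and why process and data directory must carry the same set. The following is an added example for this page (not code from the talk or from AOSP) that derives the categories from a uid, maps a `ps` user name such as u0_a14 back to its uid, and checks a process label against its data directory label. The formula is the one libselinux's Android seapp lookup applies for levelFrom=all, app and user (low and high byte of the app id and of the Android user id); the uids and labels are constructed from the calendar example.

```python
"""Derive the MCS categories seapp_contexts' levelFrom= gives an Android app
and check a process label against its data directory label.

Added example, not code from the talk or from AOSP. Category formula as used
by libselinux's Android seapp lookup; sample uids/labels constructed from the
slides."""
import re

FIRST_APPLICATION_UID = 10000   # Process.FIRST_APPLICATION_UID
UIDS_PER_USER = 100000          # uid range reserved per Android user

# user:role:type:level, level being s0 optionally followed by :cN,cM,...
LABEL_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):"
    r"(?P<level>s\d+(?::c\d+(?:,c\d+)*)?)$")
PS_USER_RE = re.compile(r"^u(?P<userid>\d+)_a(?P<appid>\d+)$")   # e.g. u0_a14


def split_uid(uid):
    """Return (android_user_id, app_id) for a uid in the application range."""
    userid, within_user = divmod(uid, UIDS_PER_USER)
    if within_user < FIRST_APPLICATION_UID:
        raise ValueError("uid %d is not an application uid" % uid)
    return userid, within_user - FIRST_APPLICATION_UID


def uid_from_ps_name(name):
    """Map the USER column of `ps` (u0_a14) back to a uid (10014)."""
    m = PS_USER_RE.match(name)
    if not m:
        raise ValueError("not an application user name: %r" % name)
    return (int(m["userid"]) * UIDS_PER_USER + FIRST_APPLICATION_UID
            + int(m["appid"]))


def mcs_level(uid, level_from="all"):
    """MLS/MCS field of the label for levelFrom=all, app, user or none."""
    userid, appid = split_uid(uid)
    app_cats = [appid & 0xff, 256 + (appid >> 8 & 0xff)]
    user_cats = [512 + (userid & 0xff), 768 + (userid >> 8 & 0xff)]
    cats = {"all": app_cats + user_cats, "app": app_cats,
            "user": user_cats, "none": []}[level_from]
    return "s0" if not cats else "s0:" + ",".join("c%d" % c for c in cats)


def parse_label(label):
    """Split a context string into its user/role/type/level fields."""
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError("malformed SELinux context: %r" % label)
    return m.groupdict()


def check_app_confinement(proc_label, data_label, uid):
    """Findings (empty == fine) for a process and its /data/data/<pkg> dir.

    Under levelFrom=all both must carry exactly the uid's categories. A data
    dir left at plain s0 is dominated by every app's level, so MCS no longer
    separates it from other apps; that is the Skype-style failure."""
    want = mcs_level(uid)
    findings = []
    for what, label in (("process", proc_label), ("data dir", data_label)):
        level = parse_label(label)["level"]
        if level != want:
            findings.append("%s level is %s, expected %s for uid %d"
                            % (what, level, want, uid))
    return findings


# constructed from the calendar example on the slide (uid 10022 == u0_a22)
CALENDAR_UID = 10022
CALENDAR_PROC = "u:r:untrusted_app:s0:c22,c256,c512,c768"
CALENDAR_DATA = "u:object_r:app_data_file:s0:c22,c256,c512,c768"

if __name__ == "__main__":
    print(mcs_level(CALENDAR_UID))                   # s0:c22,c256,c512,c768
    print(mcs_level(uid_from_ps_name("u0_a14")))     # s0:c14,c256,c512,c768
    print(check_app_confinement(CALENDAR_PROC, CALENDAR_DATA, CALENDAR_UID))
    print(check_app_confinement(CALENDAR_PROC, "u:object_r:app_data_file:s0",
                                CALENDAR_UID))
```

Feed it the LABEL column of `adb shell ps -Z` and the `ls -Z` output of the app's data directory when an app can read another app's files despite SELinux being enforcing: a mismatch here means the labeling, not the type enforcement rules, is what went wrong.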
32. IMPACT ON ANDROID: Labeling objects
● file_contexts: files
    /dev(/.*)? u:object_r:device:s0
    /dev/accelerometer u:object_r:sensors_device:s0
    /system/bin/app_process32 u:object_r:zygote_exec:s0
● genfs_contexts: whole file systems
    genfscon rootfs / u:object_r:rootfs:s0
    genfscon proc /net u:object_r:proc_net:s0

33. IMPACT ON ANDROID: Labeling objects
● property_contexts: system properties
    net.lte u:object_r:net_radio_prop:s0
    vold. u:object_r:vold_prop:s0
● service_contexts: Binder services
    SurfaceFlinger u:object_r:surfaceflinger_service:s0
    alarm u:object_r:system_server_service:s0

34. IMPACT ON ANDROID: Build system
BoardConfig.mk
● BOARD_SEPOLICY_DIRS: device/manufacturer/device-name/sepolicy
● include other sepolicy.mk files (device, vendor)
● BOARD_KERNEL_CMDLINE: androidboot.selinux=permissive / ...
Build the policy
● make sepolicy

35. IMPACT ON ANDROID: Tests
Build
· only checks consistency
Manual tests
· corner cases
CTS
· checks that everything is enforcing
· checks that init and the system services run in their own domain
· checks that the neverallow rules are respected

36. 03 SE policy in practice

37. SE POLICY IN PRACTICE: Some tools, host side
● setools(-gui) package
  ○ apol: policy analysis GUI
  ○ seinfo: CLI query
  ○ sesearch: CLI search
● policycoreutils(-gui) package
  ○ sepolicy: policy inspection tools
  ○ audit2allow: rule generator

38. SE POLICY IN PRACTICE: Some tools, device side
    $ adb shell ls -Z
    dr-x------ root   root   u:object_r:rootfs:s0           config
    drwxrwx--x system system u:object_r:system_data_file:s0 data
    -rw-r--r-- root   root   u:object_r:rootfs:s0           default.prop
    [...]
    $ adb shell ps -Z
    LABEL                                   USER   PID  PPID NAME
    u:r:init:s0                             root   1    0    /init
    u:r:kernel:s0                           root   2    0    kthreadd
    u:r:platform_app:s0:c14,c256,c512,c768  u0_a14 1007 437  com.android.systemui
    [...]

39. SE POLICY IN PRACTICE: Some tools
    $ adb pull /sepolicy
    $ sesearch --allow -t sysfs ./sepolicy
    Found 32 semantic av rules:
      allow netd sysfs : file write ;
    [...]
    $ adb shell dmesg | grep avc
    [..] type=1400 audit(16565661:9): avc: denied { module_request } for pid=717 comm="netd" kmod="netdev-wlan0" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system

40. INTRO TO SELINUX: Audit event message
    type=1400 audit(16565661:9): avc: denied { module_request } for pid=717 comm="netd" kmod="netdev-wlan0" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system
· { module_request }: the permission that was denied (here, loading a kernel module)
· comm="netd": name of the executable
· scontext=u:r:netd:s0: the source's (subject's) context
· tcontext=u:r:kernel:s0: the target's (object's) context
· tclass=system: the object class the permission belongs to
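Slides 39 and 40 show the raw material of policy work: denials in dmesg, one allow rule per (source, target, class), and neverallow rules that the build will refuse to violate. The following is an added example for this page, not code from the talk nor from the audit2allow or setools projects: it parses avc lines into (source type, target type, class, permissions), merges them into candidate allow rules the way audit2allow does, and checks each candidate against a neverallow fragment before anyone pastes it into a .te file. The dmesg lines (the first is the one on the slide) and the neverallow snippet are constructed; only literal type names and `*` are matched against neverallow rules, attributes and the ~ / - set operators are not expanded, which is an assumption of this example.

```python
"""Turn avc denials into candidate allow rules and refuse the ones a
neverallow rule forbids.

Added example, not code from the talk, audit2allow or setools. Sample log and
policy text are constructed; attribute names and set operators in rules are
not expanded (assumption of this example)."""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="value"
CTX_TYPE_RE = re.compile(r"^[^:]+:[^:]+:(?P<type>[^:]+)")  # user:role:TYPE[:level]
RULE_RE = re.compile(
    r"(?P<kind>allow|neverallow)\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+)\s*:\s*"
    r"(?P<cls>\w+)\s+(?P<perms>\{[^}]*\}|\w+)\s*;")


def parse_denial(line):
    """(source type, target type, class, {perms}) from one avc line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    try:
        stype = CTX_TYPE_RE.match(fields["scontext"])["type"]
        ttype = CTX_TYPE_RE.match(fields["tcontext"])["type"]
        return stype, ttype, fields["tclass"], set(m["perms"].split())
    except (KeyError, TypeError):           # truncated or non-AVC line
        return None


def format_rule(kind, src, tgt, cls, perms):
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "%s %s %s:%s %s;" % (kind, src, tgt, cls, body)


def _rule_from_match(m):
    return (m["kind"], m["src"], m["tgt"], m["cls"],
            set(m["perms"].strip("{} ").split()))


def parse_rule(text):
    """(kind, src, tgt, cls, {perms}) for one allow/neverallow statement."""
    m = RULE_RE.search(text)
    if not m:
        raise ValueError("not a TE rule: %r" % text)
    return _rule_from_match(m)


def parse_neverallows(policy_text):
    """All neverallow statements (literal types only) in a policy fragment."""
    return [_rule_from_match(m) for m in RULE_RE.finditer(policy_text)
            if m["kind"] == "neverallow"]


def suggest_allow_rules(log_lines):
    """Merge denials sharing (source, target, class) into one allow rule."""
    merged = defaultdict(set)
    for line in log_lines:
        parsed = parse_denial(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return [format_rule("allow", s, t, c, p)
            for (s, t, c), p in sorted(merged.items())]


def violates(allow_rule, neverallows):
    """Text of every neverallow rule the candidate allow rule would break."""
    _, src, tgt, cls, perms = parse_rule(allow_rule)
    return [format_rule("neverallow", nsrc, ntgt, ncls, nperms)
            for _, nsrc, ntgt, ncls, nperms in neverallows
            if nsrc in (src, "*") and ntgt in (tgt, "*")
            and ncls == cls and perms & nperms]


def triage(log_lines, policy_text):
    """{candidate allow rule: [neverallow rules it would break]}."""
    never = parse_neverallows(policy_text)
    return {rule: violates(rule, never) for rule in suggest_allow_rules(log_lines)}


# constructed dmesg excerpt; the first line is the one on the slide
SAMPLE_DMESG = """\
[   12.345678] type=1400 audit(16565661:9): avc: denied { module_request } for pid=717 comm="netd" kmod="netdev-wlan0" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system
[   12.456789] type=1400 audit(16565662:10): avc: denied { write } for pid=717 comm="netd" name="rp_filter" dev="sysfs" ino=8734 scontext=u:r:netd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
[   13.000000] type=1400 audit(16565663:11): avc: denied { read open } for pid=1411 comm="com.example.app" path="/sys/class/net/wlan0/address" dev="sysfs" ino=8730 scontext=u:r:untrusted_app:s0:c31,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file
[   13.000001] type=1400 audit(16565664:12): avc: denied { write } for pid=1411 comm="com.example.app" name="address" dev="sysfs" ino=8730 scontext=u:r:untrusted_app:s0:c31,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file
[   13.100000] init: some unrelated line
"""

# constructed fragment; AOSP's real rules are wider and use attributes such as appdomain
SAMPLE_POLICY = """\
neverallow untrusted_app sysfs:file write;
"""

if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_DMESG.splitlines(), SAMPLE_POLICY).items():
        print(rule, "  # BLOCKED by: " + "; ".join(hits) if hits else "")
```

A candidate that hits a neverallow is not a rule to write differently, it is a sign that the denied operation should not happen at all (here an untrusted app writing under /sys); the fix belongs in the app, not in the policy. The netd rules come out clean against this fragment, which is the case where sesearch on the current sepolicy tells you whether the access is already granted on other builds.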
41. SE POLICY IN PRACTICE: New service, BBQ
Use case
● Create a new system service with custom permissions
Specific needs
● Register with the ServiceManager
● Direct access to a device (/dev/bbq)
Existing policies
● App policies are too limited
● System policies are too powerful

42. SE POLICY IN PRACTICE: New service, BBQ
Requirement
● Access to the framework source code
How to
1. Create a new UID
2. Label the service (and its files)
3. Label the device
4. Write a policy for the service

43. SE POLICY IN PRACTICE: New app uid
frameworks/base/core/java/android/os/Process.java
    public static final int SYSTEM_UID = 1000;
  + public static final int BBQ_UID = 1101;
    public static final int FIRST_APPLICATION_UID = 10000;
frameworks/base/services/../server/pm/PackageManagerService.java
  + private static final int BBQ_UID = Process.BBQ_UID;
  + mSettings.addSharedUserLPw("android.uid.bbq", BBQ_UID,
  +         ApplicationInfo.FLAG_SYSTEM|ApplicationInfo.FLAG_PRIVILEGED);
New service's AndroidManifest.xml
    android:sharedUserId="android.uid.bbq"

44. SE POLICY IN PRACTICE: New sepolicy
Label the service as a subject, seapp_contexts:
    user=bbq seinfo=platform domain=bbq type=bbq_data_file
user=bbq is matched against the user name getpwuid() returns for the process uid, so the new uid must be known to the platform's static uid table as well, not only to Process.java.
Label the service as an object, service.te:
    type bbq_service, service_manager_type;
service_contexts:
    bbq u:object_r:bbq_service:s0
"bbq" here is the name passed to ServiceManager.getService("bbq").

45. SE POLICY IN PRACTICE: New sepolicy, label the files
file.te
    type bbq_data_file, file_type, data_file_type;
    type bbq_device, dev_type;
file_contexts
    /dev/bbq u:object_r:bbq_device:s0
installd.te
    allow installd { bbq_data_file }:dir { create_dir_perms relabelfrom relabelto };
system_server.te
    allow system_server { bbq_data_file }:dir { getattr read search };

46. SE POLICY IN PRACTICE: New sepolicy, bbq.te
    type bbq, domain;
    app_domain(bbq)
    net_domain(bbq)
    binder_service(bbq)
    # Data file accesses.
    allow bbq bbq_data_file:dir create_dir_perms;
    allow bbq bbq_data_file:notdevfile_class_set create_file_perms;
    # Device file access
    allow bbq bbq_device:chr_file rw_file_perms;
    # Service Manager access
    allow bbq bbq_service:service_manager add;
Each rule grants one thing the service was shown to need and nothing more: the data directory, the device node as a character device, and the right to register (add) its own service name, not to find or list others.

47. SE POLICY IN PRACTICE: Use the new sepolicy
New policy files
    vendor/vendor-name/sepolicy/{*.te, *_contexts}
Declare the new policy, vendor/vendor-name/sepolicy.mk
    BOARD_SEPOLICY_DIRS += vendor/vendor-name/sepolicy
Use the new policy, device/manufacturer/device-name/BoardConfig.mk
    -include vendor/vendor-name/sepolicy.mk
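Slides 42 to 47 are one procedure, and its most common failure is a *_contexts entry naming a type that no .te file declares, or declares without the attribute that kind of context needs (a service label without service_manager_type, a data file type without file_type). The following is an added example for this page, not code from the talk and not AOSP's own checkfc; it scans .te sources for `type name, attr, ...;` declarations and verifies every label referenced from file_contexts, service_contexts, property_contexts and seapp_contexts against them before `make sepolicy` is run. The policy text is the BBQ example from the slides plus a constructed broken variant; the attribute each context file requires (file_type or dev_type, service_manager_type, property_type, domain) is an assumption of this example.

```python
"""Check that every type referenced from a *_contexts file is declared in the
.te sources and carries the attribute that kind of context needs.

Added example, not code from the talk and not AOSP's checkfc. Policy text
taken from the BBQ slides plus a constructed broken variant; the required
attributes are an assumption of this example."""
import re

TYPE_DECL_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,\s*([\w,\s]+?))?\s*;", re.M)
CONTEXT_RE = re.compile(r"u:object_r:(\w+):s0")

# attribute a type must carry to be usable from each contexts file (assumption)
REQUIRED_ATTR = {
    "file_contexts": {"file_type", "dev_type"},
    "service_contexts": {"service_manager_type"},
    "property_contexts": {"property_type"},
}
SEAPP_KEYS = (("domain", {"domain"}), ("type", {"file_type"}))


def declared_types(te_text):
    """Map type name -> set of attributes from `type name, attr1, attr2;`."""
    types = {}
    for name, attrs in TYPE_DECL_RE.findall(te_text):
        types[name] = {a.strip() for a in attrs.split(",") if a.strip()}
    return types


def referenced_types(contexts_name, contexts_text):
    """Yield (type, acceptable attribute set) for each label in a contexts file."""
    if contexts_name == "seapp_contexts":
        for key, want in SEAPP_KEYS:
            for m in re.finditer(r"\b%s=(\w+)" % key, contexts_text):
                yield m[1], want
    else:
        for m in CONTEXT_RE.finditer(contexts_text):
            yield m[1], REQUIRED_ATTR[contexts_name]


def check_policy(te_sources, contexts):
    """te_sources: {filename: text}; contexts: {contexts file name: text}.
    Returns a sorted list of problems; an empty list means consistent."""
    types = {}
    for text in te_sources.values():
        types.update(declared_types(text))
    problems = set()
    for name, text in contexts.items():
        for t, want in referenced_types(name, text):
            if t not in types:
                problems.add("%s: type %s is not declared in any .te file" % (name, t))
            elif not (types[t] & want):
                problems.add("%s: type %s lacks one of %s"
                             % (name, t, "/".join(sorted(want))))
    return sorted(problems)


# the BBQ policy from the slides (only the declarations matter here)
TE_SOURCES = {
    "file.te": "type bbq_data_file, file_type, data_file_type;\n"
               "type bbq_device, dev_type;\n",
    "service.te": "type bbq_service, service_manager_type;\n",
    "bbq.te": "type bbq, domain;\n"
              "app_domain(bbq)\n"
              "allow bbq bbq_service:service_manager add;\n",
}
CONTEXTS = {
    "file_contexts": "/dev/bbq u:object_r:bbq_device:s0\n",
    "service_contexts": "bbq u:object_r:bbq_service:s0\n",
    "seapp_contexts": "user=bbq seinfo=platform domain=bbq type=bbq_data_file\n",
}
# constructed mistakes: an undeclared property type, a device type used as a service
BROKEN_CONTEXTS = dict(CONTEXTS,
                       property_contexts="bbq. u:object_r:bbq_prop:s0\n",
                       service_contexts="bbq u:object_r:bbq_device:s0\n")

if __name__ == "__main__":
    print(check_policy(TE_SOURCES, CONTEXTS))          # []
    for problem in check_policy(TE_SOURCES, BROKEN_CONTEXTS):
        print(problem)
```

Run it over BOARD_SEPOLICY_DIRS together with external/sepolicy, since a vendor .te may legitimately rely on types and attributes declared in the base policy; a type that passes here can still be rejected by the build's own checks, but one that fails here never gets that far.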
48. 04 A few more words

49. A few more words: General advice
When in trouble
● Look at existing policies
● Source code doesn't lie
● Git history is available
Respect the philosophy
● Good labeling is key
● Don't allow more than needed

50. A few more words: Some resources
Links
https://wiki.gentoo.org/wiki/SELinux
http://selinuxproject.org
http://seandroid.bitbucket.org
https://source.android.com/devices/tech/security/selinux
https://github.com/mairin/selinux-coloring-book
Books
The SELinux Notebook, 4th Edition
SELinux Cookbook, ISBN: 9781783989669

51. Thank you for your time! If you have any questions:
Guillaume Vercoutère, gvercoutere@genymobile.com
Rémy Gottschalk, rgottschalk@genymobile.com

52. IMPACT ON ANDROID: Macros
    # app_domain(domain)
    # base set of permissions for all apps.
    define(`app_domain', `
        typeattribute $1 appdomain;
        # Label ashmem objects with unique type.
        tmpfs_domain($1)
        # Map with PROT_EXEC.
        allow $1 $1_tmpfs:file execute;
    ')
    # net_domain(domain)
    # base set of permissions required for
    # network access.
    define(`net_domain', `
        typeattribute $1 netdomain;
    ')
    define(`r_file_perms', `{ getattr open read ioctl lock }')

53. INTRO TO SELINUX: Access vector classes
    common file
    {
        ioctl
        read
        write
        execute
        ....
    }
    class sock_file
    inherits file
    {
        open
        audit_access
        execmod
    }
    class property_service { set }
    class service_manager { add find list }