2. SPEAKERS
Rémy Gottschalk
● SoftAtHome : 3 years - Linux System for HGW and STB
● Genymobile : 3 years - ROM cooking
Guillaume Vercoutère
● Mindscape : 2 years - Linux System on the Karotz
● Genymobile : 3 years - ROM cooking
7. INTRO TO SELINUX
Unix permissions : Discretionary Access Control
Traditional Unix permissions
· User / Group
· Permissions mask (rwxs)
· Permissions may be passed from one object to another
· All-powerful root user
8. INTRO TO SELINUX
Linux capabilities
Divide privileges into subsets
· Limits root power
· Examples :
· reboot (CAP_SYS_BOOT)
· bypass file permissions (CAP_DAC_READ_SEARCH)
9. INTRO TO SELINUX
Unix permissions : Limits
· root bypasses all
· Lack of granularity
· No confinement
10. INTRO TO SELINUX
Security flaws : Skype (#opendata)
CVE-2011-1717
· App has control over its data’s permissions
· Set world readable permissions (666)
· No encryption
· Any app can read the Skype app’s data
SELinux categories (MCS)
· Each app is confined
· Access to other apps’ data is blocked
11. INTRO TO SELINUX
Security flaws : Rage against the cage
CVE-2010-EASY
· Fork self to reach RLIMIT_NPROC
· Get adbd pid in /proc to restart it
· setuid() fails
· Shell can run as root
SELinux
· Read /proc/pid/, signal adbd : denied
· Shell runs unprivileged
12. INTRO TO SELINUX
SELinux : Mandatory Access Control
· Complements unix permissions
· Confines daemons
· Sandboxes applications
· Centralized policy
· Deny by default
20. INTRO TO SELINUX
LABELS : Who’s who?
Metadata associated with each subject and object
user:role:type:sensitivity:category
● user : != unix user
● role : for RBAC
● type : for TE
● sensitivity : for MLS (opt)
● category : for MCS (opt)
22. INTRO TO SELINUX
Type enforcement
Main security mechanism
● Denial by default
● Access rules
○ allow
○ neverallow
○ much more
● Domain and type transition
24. IMPACT ON ANDROID
History
4.1 : Hello world
● SELinux introduced
● Not enabled
4.3 : Enabled ...
● … but permissive
4.4 : Enforcing
● Confining a minimal set of root daemons
● Still permissive for the rest
25. IMPACT ON ANDROID
History
5.0 : Policy hardening
● All system services and apps are confined
● Only kernel and init unconfined
● Basic CTS for SELinux policy
6.0 : Fine tuning
● No more unconfined domain
● Confine users
● More neverallows
● Drop BOARD_SEPOLICY_UNION/IGNORE/REPLACE
27. IMPACT ON ANDROID
How to disable
Kernel
● Add SELinux support in configuration
● Deactivation with kernel cmdline : selinux=0
system/core/init
compilation flag ALLOW_DISABLE_SELINUX :
● set if build is userdebug or eng
● reads kernel cmdline arg : androidboot.selinux (disable/permissive)
28. IMPACT ON ANDROID
Policy implementation : Type enforcement only
Labels
● One user : u
● One role for subjects : r
● One role for objects : object_r
● No MLS, one range : s0
● Categories for apps : c[...]
● Mainly relies on type
29. IMPACT ON ANDROID
Label examples
Subject
init process : u:r:init:s0
Object
/init file : u:object_r:init_exec:s0
30. IMPACT ON ANDROID
Application confinement
Use MCS to confine applications
Categories are built using one, both or none of :
● Application UID
● Android user ID (AOSP default)
Example for a fully confined environment :
com.android.calendar process : u:r:untrusted_app:s0:c22,c256,c512,c768
/data/data/com.android.calendar/ directory : u:object_r:app_data_file:s0:c22,c256,c512,c768
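To check a label like the calendar one by hand, here is an added example (not from the slides) that recomputes the MCS categories Android's libselinux derives from a Linux UID. It assumes the AOSP scheme of that era: constants from android_filesystem_config.h, the arithmetic of seapp_context_lookup() in libselinux's android.c, and the levelFrom= values of seapp_contexts; the uid 10022 used in the demo is an assumption chosen because it yields the slide's categories.

```python
# Added example (not from the slides): recompute the MCS categories that
# Android's libselinux derives for an app from its Linux UID, so a label such
# as u:r:untrusted_app:s0:c22,c256,c512,c768 can be checked by hand.
# Constants follow AOSP's android_filesystem_config.h; the arithmetic mirrors
# seapp_context_lookup() in libselinux's android.c (assumed unchanged here).
AID_APP = 10000              # first application UID
AID_ISOLATED_START = 99000   # first UID of isolated app services
AID_USER = 100000            # UID range reserved per Android user


def split_uid(uid):
    """Return (android_user_id, app_index) for a Linux UID."""
    userid, appid = divmod(uid, AID_USER)
    if appid >= AID_ISOLATED_START:
        appid -= AID_ISOLATED_START
    elif appid >= AID_APP:
        appid -= AID_APP
    return userid, appid


def mcs_level(uid, level_from="all", sensitivity="s0"):
    """Build the 'sensitivity:categories' part of a label.

    level_from mirrors the seapp_contexts levelFrom= key:
      'app'  -> two categories from the application UID
      'user' -> two categories from the Android user ID
      'all'  -> all four (the fully confined case on the slide)
      'none' -> sensitivity only
    """
    userid, appid = split_uid(uid)
    app_cats = [appid & 0xFF, 256 + (appid >> 8 & 0xFF)]
    user_cats = [512 + (userid & 0xFF), 768 + (userid >> 8 & 0xFF)]
    cats = {"app": app_cats, "user": user_cats,
            "all": app_cats + user_cats, "none": []}[level_from]
    if not cats:
        return sensitivity
    return sensitivity + ":" + ",".join("c%d" % c for c in cats)


def app_label(uid, domain="untrusted_app", level_from="all"):
    """Full process label u:r:<domain>:<level> for an application UID."""
    return "u:r:%s:%s" % (domain, mcs_level(uid, level_from))


if __name__ == "__main__":
    # Assumed: com.android.calendar runs as uid 10022 in Android user 0
    print(app_label(10022))
```

Comparing the computed label with `ps -Z` output is a quick way to confirm which levelFrom= setting a device's seapp_contexts actually applies to third-party apps.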
34. IMPACT ON ANDROID
Build system
BoardConfig.mk
● BOARD_SEPOLICY_DIRS : /device/manufacturer/device-name/sepolicy
● include other sepolicy.mk (device/vendor)
● BOARD_KERNEL_CMDLINE : androidboot.selinux=permissive / ….
Build policies
● make sepolicy
35. IMPACT ON ANDROID
Tests
Build
· only checks consistency
CTS
· checks enforcing for all
· init, system services in their domain
· neverallow rules respected
Manual tests
· corner cases
37. SE POLICY IN PRACTICE
Some tools
Host side
● setools(-gui) package
○ apol : policy analysis GUI
○ seinfo : CLI query
○ sesearch : CLI search
● policycoreutils(-gui) package
○ sepolicy : policy inspection tools
○ audit2allow : rule generator
38. SE POLICY IN PRACTICE
Some tools
$ adb shell ls -Z
dr-x------ root root u:object_r:rootfs:s0 config
drwxrwx--x system system u:object_r:system_data_file:s0 data
-rw-r--r-- root root u:object_r:rootfs:s0 default.prop
[...]
$ adb shell ps -Z
LABEL USER PID PPID NAME
u:r:init:s0 root 1 0 /init
u:r:kernel:s0 root 2 0 kthreadd
u:r:platform_app:s0:c14,c256,c512,c768 u0_a14 1007 437 com.android.systemui
[...]
39. SE POLICY IN PRACTICE
Some tools
$ adb pull /sepolicy
$ sesearch --allow -t sysfs ./sepolicy
Found 32 semantic av rules:
allow netd sysfs : file write ;
[...]
$ adb shell dmesg | grep avc
[..] type=1400 audit(16565661:9): avc: denied { module_request } for pid=717 comm="netd" kmod="netdev-wlan0" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system
40. INTRO TO SELINUX
Audit Event Message
type=1400 audit(16565661:9): avc: denied { module_request }
for pid=717 comm="netd" kmod="netdev-wlan0"
scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system
● { module_request } : permission (load module)
● comm="netd" : name of executable
● scontext : source’s context
● tcontext : target’s context
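As an added example (not from the slides), the following parser pulls the fields described above out of an AVC line and builds the allow rule of the shape audit2allow emits for it. The sample line is the slide's denial reassembled on one line; the field names are the ones in that line, and the rule shape assumes the standard `allow source target:class perms;` syntax used throughout this deck.

```python
import re

# Constructed sample: the AVC denial shown on the slide, on a single line.
SAMPLE_AVC = ('type=1400 audit(16565661:9): avc: denied { module_request } '
              'for pid=717 comm="netd" kmod="netdev-wlan0" '
              'scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system')

# verdict, permission set in braces, then the key=value tail
_AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+'
                     r'\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values may be quoted (comm="netd") or bare (pid=717)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC audit line as a dict, or None if it is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    fields['verdict'] = m.group('verdict')
    fields['perms'] = m.group('perms').split()
    # A label is user:role:type:sensitivity[:categories]; TE rules use the type.
    for side in ('scontext', 'tcontext'):
        if side in fields:
            fields[side + '_type'] = fields[side].split(':')[2]
    return fields


def allow_rule(fields):
    """Rule of the shape audit2allow would emit for a parsed denial.

    Generating it is the easy part: before adding it to a .te file, check it
    against the neverallow rules and ask whether the access is really needed.
    """
    perms = fields['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (fields['scontext_type'],
                                   fields['tcontext_type'],
                                   fields['tclass'], perm_str)


if __name__ == "__main__":
    print(allow_rule(parse_avc(SAMPLE_AVC)))
```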
41. SE POLICY IN PRACTICE
New Service : BBQ
Use case
● Create a new system service with custom permissions
Specific needs
● Register to ServiceManager
● Direct access to a device (/dev/bbq)
Existing policies
● App policies are too limited
● System policies are too powerful
42. SE POLICY IN PRACTICE
New Service : BBQ
Requirement
● Access to the framework source code
How to
1. Create a new UID
2. Label the service (and its files)
3. Label the device
4. Write a policy for the service
43. SE POLICY IN PRACTICE
New app uid
frameworks/base/core/java/android/os/Process.java
  public static final int SYSTEM_UID = 1000;
+ public static final int BBQ_UID = 1101;
  public static final int FIRST_APPLICATION_UID = 10000;
frameworks/base/services/../server/pm/PackageManagerService.java
+ private static final int BBQ_UID = Process.BBQ_UID;
+ mSettings.addSharedUserLPw("android.uid.bbq", BBQ_UID,
+     ApplicationInfo.FLAG_SYSTEM|ApplicationInfo.FLAG_PRIVILEGED);
New service AndroidManifest.xml
android:sharedUserId="android.uid.bbq"
44. SE POLICY IN PRACTICE
New sepolicy
Label service (as subject, matched on its uid)
seapp_contexts
user=bbq seinfo=platform domain=bbq type=bbq_data_file
Label service (as object, looked up with ServiceManager.getService(“bbq”))
service.te
type bbq_service, service_manager_type;
service_contexts
bbq u:object_r:bbq_service:s0
45. SE POLICY IN PRACTICE
New sepolicy
Label files
file.te
type bbq_data_file, file_type, data_file_type;
type bbq_device, dev_type;
file_contexts
/dev/bbq u:object_r:bbq_device:s0
installd.te
allow installd { bbq_data_file }:dir { create_dir_perms relabelfrom relabelto };
system_server.te
allow system_server { bbq_data_file }:dir { getattr read search };
46. SE POLICY IN PRACTICE
New sepolicy
bbq.te
type bbq, domain;
app_domain(bbq)
net_domain(bbq)
binder_service(bbq)
# Data file accesses.
allow bbq bbq_data_file:dir create_dir_perms;
allow bbq bbq_data_file:notdevfile_class_set create_file_perms;
# Device file access
allow bbq bbq_device:chr_file rw_file_perms;
# Service Manager access
allow bbq bbq_service:service_manager add;
47. SE POLICY IN PRACTICE
Use new sepolicy
New policy files
vendor/vendor-name/sepolicy/{*.te, *_contexts}
Declare new policy
vendor/vendor-name/sepolicy.mk
BOARD_SEPOLICY_DIRS += vendor/vendor-name/sepolicy
Use new policy
device/manufacturer/device-name/BoardConfig.mk
-include vendor/vendor-name/sepolicy.mk
49. A few more words
General advice
When in trouble
● Look at existing policies
● Source code doesn’t lie
● Git history is available
Respect the philosophy
● Good labeling is key
● Don’t allow more than needed
50. A few more words
Some resources
Links
https://wiki.gentoo.org/wiki/SELinux
http://selinuxproject.org
http://seandroid.bitbucket.org
https://source.android.com/devices/tech/security/selinux
https://github.com/mairin/selinux-coloring-book
Books
The SELinux Notebook, 4th Edition
SELinux Cookbook, ISBN: 9781783989669
51. Thank you for your time!
If you have any questions
Guillaume Vercoutère
gvercoutere@genymobile.com
Rémy Gottschalk
rgottschalk@genymobile.com
52. IMPACT ON ANDROID
Macros
# app_domain(domain)
# base set of permissions for all apps.
define(`app_domain',
`typeattribute $1 appdomain;
# Label ashmem objects with unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
')
# net_domain(domain)
# base set of permissions required for network access.
define(`net_domain', `
typeattribute $1 netdomain;
')
define(`r_file_perms',
`{ getattr open read ioctl lock }')