SELinux

A short primer for Android hackers

Basically

• Mandatory Access Control: white-list all the things
• Processes and files have a security context

• user:role:type:sensitivity[:categories]
  • user, role, sensitivity: Android doesn't use them
  • categories: Android M uses them
• Access vectors and constraints define what's allowed

$ ps -Z
u:r:zygote:s0         root     2981     1  zygote
u:r:untrusted_app:s0  u0_a114  9901  2981  com.instagram.android

$ ls -Z /data/data | grep instagram
drwxr-x--x u0_a114 u0_a114 u:object_r:app_data_file:s0 com.instagram.android

Core concepts

• type
  • ​who is acting or being acted on
  • used to label processes and files
  • optionally tagged with attributes
  •  
• class
  • what kind of object is acted on
  •  
• permission

type mediaserver, domain;

class fifo_file

class fifo_file
inherits file
{
        open
        audit_access
        execmod
}

Access Vectors

allow mediaserver appdomain:fifo_file { getattr read write };
           |          |         |                |
     source  target class    permissions

You typically discover which ones are needed through audit logs:

$ adb logcat | grep permissive=0
E/audit   ( 5289): type=1400 msg=audit(1440766358.544:45217): avc:
  denied  { read } for  pid=4731 comm="mediaserver" path="/foo/fifo"
  scontext=u:r:mediaserver:s0 tcontext=u:r:appdomain:s0 tclass=fifo_file
  permissive=0

aka “rules”

Constraints

Applied to classes:

mlsconstrain fifo_file { read getattr }
  (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

Manipulating

• The AOSP sepolicy repo is a nice reference

$ git clone https://android.googlesource.com/platform/external/sepolicy

• Updating your device' policy is however quite tricky:
  • Vendor is likely to have patched the AOSP policy
  • Android forked the policy format, so using off-the-shelf tools isn't going to work unless you recompile their dependencies with Android patches.
• SuperSU bundles the supolicy tool, although it is closed source and limited.
• Community effort to cover supolicy use-cases: https://github.com/xmikos/setools-android

Under the hood

• System policy
  • Read: /sys/fs/selinux/policy
  • Write: /sys/fs/selinux/load
• Policy database is a binary blob
  • libsepol can parse it

Case study: Frida

EOP

Questions?