SELinux

A short primer for Android hackers

Basically

  • Mandatory Access Control: white-list all the things
  • Processes and files have a security context

 

 

 

  • user:role:type:sensitivity[:categories]
    • user, role, sensitivity: Android doesn't use them
    • categories: Android M uses them
  • Access vectors and constraints define what's allowed
$ ps -Z
u:r:zygote:s0         root     2981     1  zygote
u:r:untrusted_app:s0  u0_a114  9901  2981  com.instagram.android
$ ls -Z /data/data | grep instagram
drwxr-x--x u0_a114 u0_a114 u:object_r:app_data_file:s0 com.instagram.android

Core concepts

  • type
    • who is acting or being acted on
    • used to label processes and files
    • optionally tagged with attributes
    •  
  • class
    • what kind of object is acted on
    •  
  • permission
type mediaserver, domain;
class fifo_file
class fifo_file
inherits file
{
        open
        audit_access
        execmod
}

Access Vectors

allow mediaserver appdomain:fifo_file { getattr read write };
           |          |         |                |
     source  target class    permissions

You typically discover which ones are needed through audit logs:

$ adb logcat | grep permissive=0
E/audit   ( 5289): type=1400 msg=audit(1440766358.544:45217): avc:
  denied  { read } for  pid=4731 comm="mediaserver" path="/foo/fifo"
  scontext=u:r:mediaserver:s0 tcontext=u:r:appdomain:s0 tclass=fifo_file
  permissive=0

aka “rules”

Constraints

Applied to classes:

mlsconstrain fifo_file { read getattr }
  (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

Manipulating

  • The AOSP sepolicy repo is a nice reference
$ git clone https://android.googlesource.com/platform/external/sepolicy
  • Updating your device' policy is however quite tricky:
    • Vendor is likely to have patched the AOSP policy
    • Android forked the policy format, so using off-the-shelf tools isn't going to work unless you recompile their dependencies with Android patches.
  • SuperSU bundles the supolicy tool, although it is closed source and limited.
  • Community effort to cover supolicy use-cases: https://github.com/xmikos/setools-android

Under the hood

  • System policy
    • Read: /sys/fs/selinux/policy
    • Write: /sys/fs/selinux/load
  • Policy database is a binary blob
    • libsepol can parse it

Case study: Frida

https://github.com/frida/frida-core/blob/master/lib/selinux/src/policy.c

EOP

Questions?