Skip to content

Instantly share code, notes, and snippets.

@steadfasterX

steadfasterX/Android.md

Created January 12, 2024 11:25
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save steadfasterX/e674749d6ca475ca8f4facdb7244e964 to your computer and use it in GitHub Desktop.
Save steadfasterX/e674749d6ca475ca8f4facdb7244e964 to your computer and use it in GitHub Desktop.
Download ZIP
SELinux guides
Raw
Android.md

About

SELinux is a security enhancement to Linux which allows users and administrators more control over access control.

Access can be constrained on such variables as which users and applications can access which resources. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications.

SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, for example, SELinux lets you specify who can unlink, append only, move a file and so on. SELinux allows you to specify access to many resources other than files as well, such as network resources and interprocess communication (IPC).

Deeper understanding

So you think its easy writing a selinux policy? It actually is - I mean .. technically.

There are tools which auto generate policies from a log but are they good to use? It depends. and here it stops being easy as you, the integrator have to have a deep understanding what the IMPACT of each policy has.

To be able to go on you should really go through this first:

as it helps a lot to understand how it works. and why is that important? because only if you know how it works you can make a decision if an auto generated policy is doing any harm or not.

How to write a policy (extremely ROUGH)?

On Ubuntu you can install audit2allow like this: apt install policycoreutils-python-utils

the process usally is:

  1. fetching the denials:
    • using Linux: adb logcat -b all |grep avc: > /tmp/denies
    • using Windows: adb shell "logcat -b all |grep avc: > /sdcard/Download/denies" + adb pull /sdcard/Download/denies
  2. creating the current policy in your android sources dir
    • source build/envsetup.sh + lunch <device> as usual
    • mka libselinux sepolicy
  3. autogen policies: cat /tmp/denies |audit2allow -p out/target/product/<device-codename>/root/sepolicy
  4. check the output + add the policies to their according filename (ensure you don't open security holes)
  5. start to build the sepolicies (mka sepolicy)
  6. fix neverallows, etc occurring during the build
  7. if all is fixed build the full OS as usual

Step 6 in particular will have you tearing your hair out.. and that's why it is so important to understand the whole thing or learn by doing - keep in mind, however, that workarounds or too wide policies open holes that negate the security benefits of SELinux.

Last but not least:

!!! You do NOT need to solve ALL denials you find !!!

Denials in your log are not necessarily something you should fix, really. The rule of thumb is that you fix denials ONLY when they fix a problem - and if you are sure (enough) it is worth to write an allow (i.e. no breaking the security).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment