How to NOT
disable SELinux
on Android
SPEAKERS
Rémy Gottschalk
● SoftAtHome : 3 years - Linux
System for HGW and STB
● Genymobile : 3 years - ROM
cooking
Guillaume Vercoutère
● Mindscape : 2 years - Linux
System on the Karotz
● Genymobile : 3 years - ROM
cooking
FOREWORD
Motivation
(According to google trends)
What is the most popular search associated to “SELinux” ?
“Disable SELinux”
AGENDA
01
SELinux in a
nutshell
02
Impact on
Android
03
SE policy
in practice
01 SELinux in a nutshell
INTRO TO SELINUX
Unix permissions: Discretionary Access Control (DAC)
Traditional Unix permissions
· User / Group
· Permission mask (rwxs)
· Permissions may be passed from one object to another
· All-powerful root user
INTRO TO SELINUX
Linux capabilities
Divide privileges into subsets
· Limit root's power
· Examples:
  · reboot (CAP_SYS_BOOT)
  · bypass file permissions (CAP_DAC_READ_SEARCH)
INTRO TO SELINUX
Unix permissions: limits
· root bypasses all
· Lack of granularity
· No confinement
INTRO TO SELINUX
Security flaws: Skype #opendata
CVE-2011-1717
· App has control over its data's permissions
· Set world-readable permissions (666)
· No encryption
· Any app can read Skype app's data
SELinux categories (MCS)
· Each app is confined
· Access to other apps' data is blocked
INTRO TO SELINUX
Security flaws: Rage against the cage
CVE-2010-EASY
· Fork self to reach RLIMIT_NPROC
· Get adbd pid in /proc to restart it
· setuid() fails (its return value is not checked, so adbd keeps running as root)
· Shell runs as root
SELinux
· Read /proc/pid/, signal adbd: denied
· Shell runs unprivileged
INTRO TO SELINUX
SELinux: Mandatory Access Control (MAC)
· Complements Unix permissions
· Confines daemons
· Sandboxes applications
· Centralized policy
· Deny by default
INTRO TO SELINUX
Timeline
· 90's: DTMach, DTOS, Flask
· 2000: SELinux released as a patchset on kernel 2.4.0
· 2003: SELinux mainlined in kernel 2.6.0
INTRO TO SELINUX
Who?
· National Security Agency
· Secure Computing Corp.
· University of Utah
INTRO TO SELINUX
Where? Linux kernel
· Mainline
· Open source
· Path: security/selinux
INTRO TO SELINUX
Where? Userland
· Open source
· github.com/SELinuxProject/selinux
  Submit bug reports and patches to NSA
· github.com/TresysTechnology
  · setools
  · refpolicy
INTRO TO SELINUX
Basics: policy mechanisms
· Role Based Access Control (RBAC)
· Type Enforcement (TE)
· Multi Level / Category Security (MLS / MCS, optional)
INTRO TO SELINUX
Type enforcement: basics
LABELS: metadata associated with each subject and object
Who's who?
user:role:type:sensitivity:category
· user: SELinux user (!= Unix user), for RBAC
· role: for RBAC
· type: for TE
· sensitivity: for MLS (optional)
· category: for MCS (optional)
INTRO TO SELINUX
Type enforcement rules
[rule_name] [subject type] [object type]:[object class] [perm set]
allow user_t user_home_t:file { create read write }
allow netd sysfs : file { write }
neverallow user_t sysfs : file { write }
INTRO TO SELINUX
Type enforcement
Main security mechanism
● Denial by default
● Access rules
● allow
● neverallow
● much more
● Domain and type transition
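The neverallow rule above is only useful if something actually checks allow rules against it; on Android that check runs at build time (checkpolicy) and again in CTS. As an added example, not code from the deck or from the SELinux project, here is a small parser for the allow / neverallow syntax shown on the slide and the collision check itself. It handles only a subset of the real language (plain type names or `{ a b }` sets, one class per rule, no attributes, no `self`, no `~` or `*`); the fourth sample rule is constructed for this example to trigger a collision, the first three are the slide's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: parse allow/neverallow rules and report every allow rule that
# grants a permission some neverallow forbids (the build-time check).

RULE_RE = re.compile(
    r"^\s*(allow|neverallow)\s+"
    r"(\{[^}]*\}|\S+)\s+"          # subject type set
    r"(\{[^}]*\}|\S+?)\s*:\s*"     # object type set ("sysfs : file" is accepted)
    r"(\S+)\s+"                    # object class
    r"(\{[^}]*\}|\S+?)\s*;?\s*$"   # permission set, trailing ';' optional
)


def _names(token: str) -> frozenset:
    """'{ a b c }' or 'a' -> frozenset of names."""
    return frozenset(token.strip("{} ").split())


@dataclass(frozen=True)
class Rule:
    kind: str            # "allow" or "neverallow"
    src: frozenset       # subject types
    tgt: frozenset       # object types
    cls: str             # object class
    perms: frozenset     # permission set


def parse_rule(line: str) -> Optional[Rule]:
    m = RULE_RE.match(line)
    if m is None:
        return None
    kind, src, tgt, cls, perms = m.groups()
    return Rule(kind, _names(src), _names(tgt), cls, _names(perms))


def parse_policy(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        rule = parse_rule(line)
        if rule is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(rule)
    return rules


def neverallow_violations(rules: List[Rule]) -> List[Tuple[Rule, Rule, frozenset]]:
    """(allow, neverallow, offending permissions) for every collision.

    An allow collides with a neverallow when both name a common subject type,
    a common object type, the same object class and at least one common
    permission.
    """
    allows = [r for r in rules if r.kind == "allow"]
    nevers = [r for r in rules if r.kind == "neverallow"]
    found = []
    for never in nevers:
        for allow in allows:
            if allow.cls != never.cls:
                continue
            if not (allow.src & never.src) or not (allow.tgt & never.tgt):
                continue
            bad = allow.perms & never.perms
            if bad:
                found.append((allow, never, bad))
    return found


# The three rules from the slide, plus one rule constructed for this example
# that collides with the neverallow (the kind of rule audit2allow will
# happily generate from a denial).
SAMPLE_POLICY = """
allow user_t user_home_t:file { create read write }
allow netd sysfs : file { write }
neverallow user_t sysfs : file { write }
# constructed for this example:
allow { user_t netd } sysfs:file { read write };
"""


def check_sample() -> List[str]:
    """Human-readable report of the collisions in SAMPLE_POLICY."""
    report = []
    for allow, never, bad in neverallow_violations(parse_policy(SAMPLE_POLICY)):
        report.append(
            f"allow {' '.join(sorted(allow.src))} -> {' '.join(sorted(allow.tgt))}:"
            f"{allow.cls} grants {sorted(bad)}, forbidden by neverallow "
            f"{' '.join(sorted(never.src))}"
        )
    return report


if __name__ == "__main__":
    for line in check_sample():
        print(line)
```

The real checker also expands attributes and `self`, which is why a neverallow written against an attribute such as `domain` catches rules added for a single new type; the matching logic is the same intersection test as above.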
02 Impact on Android
IMPACT ON ANDROID
Historic
4.1 : Hello world
● SELinux introduced
● Not enabled
4.3 : Enable ...
● … but permissive
4.4 : Enforcing
● Confining a minimal set of root daemons
● Still permissive for the rest
IMPACT ON ANDROID
Historic
5.0 : Policy hardening
● All system services and apps are confined
● Only kernel and init unconfined
● Basic CTS for SELinux policy
6.0 : Fine tuning
● No more unconfined domain
● Confine users
● More neverallows
● Drop BOARD_SEPOLICY_UNION/IGNORE/REPLACE
IMPACT ON ANDROID
Main components
SELinux
● external/libselinux
● external/selinux
Base policy
● external/sepolicy
Policy extensions (opt.)
● device/[...]/sepolicy
● vendor/[...]/sepolicy
SELinux aware
● art/runtime
● bootable/recovery
● system/core/adb
● system/core/fastboot
● system/core/init
● ...
IMPACT ON ANDROID
How to disable
Kernel
● SELinux support is selected in the kernel configuration
● Deactivation with the kernel cmdline: selinux=0 (honoured only if the kernel was built with CONFIG_SECURITY_SELINUX_BOOTPARAM)
system/core/init
compilation flag ALLOW_DISABLE_SELINUX:
● set only if the build is userdebug or eng
● reads the kernel cmdline arg androidboot.selinux (disable/permissive); ignored on user builds
IMPACT ON ANDROID
Policy implementation
Type
enforcement
only
Labels
● One user : u
● One role for subject : r
● One role for object : object_r
● No MLS, one range : s0
● Categories for apps : c[...]
● Mainly relies on type
IMPACT ON ANDROID
Label examples
Subject
init process : u:r:init:s0
Object
/init file : u:object_r:init_exec:s0
IMPACT ON ANDROID
Application confinement
Use MCS to confine applications
Categories are built using one, both or none of:
● Application UID
● Android user ID
(AOSP default: both, levelFrom=all)
Example for a fully confined environment:
com.android.calendar process:
u:r:untrusted_app:s0:c22,c256,c512,c768
/data/data/com.android.calendar/ directory:
u:object_r:app_data_file:s0:c22,c256,c512,c768
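Where do c22,c256,c512,c768 come from? As an added example (not the deck's or AOSP's own code) the function below reproduces the arithmetic libselinux applies on Android for the levelFrom= values accepted in seapp_contexts: the Android user id is uid // 100000, the app id is uid % 100000, the per-app number counts from FIRST_APPLICATION_UID (10000), and the two categories per source are the low byte and 256 + the high byte (user id categories are offset by 512 and 768). It also shows the MCS dominance check that keeps one app out of another app's app_data_file even though both run in the same type. The uids used are constructed for the example.

```python
from typing import FrozenSet

# Added example: derive the MCS categories of an Android app label from its uid
# and check category dominance between a subject and an object label.

PER_USER_RANGE = 100000          # uids per Android user
FIRST_APPLICATION_UID = 10000    # Process.FIRST_APPLICATION_UID


def mcs_level(uid: int, level_from: str = "all", sensitivity: str = "s0") -> str:
    """Return the 'sN:cA,cB[,cC,cD]' level for an application uid.

    level_from: "app"  -> two categories from the per-app number
                "user" -> two categories from the Android user id
                "all"  -> both (what AOSP's seapp_contexts uses for _app)
                "none" -> sensitivity only
    """
    if level_from not in ("app", "user", "all", "none"):
        raise ValueError(f"unknown levelFrom value {level_from!r}")
    user_id, app_id = divmod(uid, PER_USER_RANGE)
    app_num = app_id - FIRST_APPLICATION_UID      # first app of a user gets c0
    if app_num < 0:
        raise ValueError(f"uid {uid} is not an application uid")
    cats = []
    if level_from in ("app", "all"):
        cats += [app_num & 0xFF, 256 + ((app_num >> 8) & 0xFF)]
    if level_from in ("user", "all"):
        cats += [512 + (user_id & 0xFF), 768 + ((user_id >> 8) & 0xFF)]
    if not cats:
        return sensitivity
    return sensitivity + ":" + ",".join(f"c{c}" for c in cats)


def process_context(domain: str, uid: int, level_from: str = "all") -> str:
    """Subject label, e.g. u:r:untrusted_app:s0:c22,c256,c512,c768."""
    return f"u:r:{domain}:{mcs_level(uid, level_from)}"


def file_context(file_type: str, uid: int, level_from: str = "all") -> str:
    """Object label of the app's data directory, e.g. u:object_r:app_data_file:s0:c22,..."""
    return f"u:object_r:{file_type}:{mcs_level(uid, level_from)}"


def categories(context: str) -> FrozenSet[str]:
    """Category set of a label; empty when it carries only a sensitivity (s0)."""
    parts = context.split(":")
    return frozenset(parts[4].split(",")) if len(parts) > 4 else frozenset()


def mcs_allows(subject: str, obj: str) -> bool:
    """Basic MCS dominance: the subject's categories must be a superset of the object's.

    Type enforcement lets every untrusted_app read app_data_file; this check is
    what makes calendar's data unreadable to the app with uid 10014.
    """
    return categories(subject) >= categories(obj)


if __name__ == "__main__":
    calendar = process_context("untrusted_app", 10022)
    calendar_dir = file_context("app_data_file", 10022)
    other = process_context("untrusted_app", 10014)
    print(calendar, calendar_dir, mcs_allows(calendar, calendar_dir), mcs_allows(other, calendar_dir))
```

Two consequences worth knowing: with levelFrom=app only, the same app number in two Android users gets identical categories, which is why AOSP uses levelFrom=all once multi-user is in play; and an object labelled with a bare s0 (no categories) is dominated by every subject, so category isolation only protects files that were labelled with the app's own categories at creation time.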
IMPACT ON ANDROID
Labeling
Subject (processes)
● seapp_contexts : Android applications
user=system seinfo=platform domain=system_app type=system_app_data_file
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=all
user=_app domain=untrusted_app type=app_data_file levelFrom=all
IMPACT ON ANDROID
Labeling
Objects
● file_contexts : Files
/dev(/.*)? u:object_r:device:s0
/dev/accelerometer u:object_r:sensors_device:s0
/system/bin/app_process32 u:object_r:zygote_exec:s0
● genfs_contexts : Full files systems
genfscon rootfs / u:object_r:rootfs:s0
genfscon proc /net u:object_r:proc_net:s0
IMPACT ON ANDROID
Labeling
Objects
● property_contexts : System properties
net.lte u:object_r:net_radio_prop:s0
vold. u:object_r:vold_prop:s0
● service_contexts : Services
SurfaceFlinger u:object_r:surfaceflinger_service:s0
alarm u:object_r:system_server_service:s0
IMPACT ON ANDROID
Build system
BoardConfig.mk
● BOARD_SEPOLICY_DIRS : device/manufacturer/device-name/sepolicy
● include other sepolicy.mk (device/vendor)
● BOARD_KERNEL_CMDLINE : androidboot.selinux=permissive / ...
Build policies
● make sepolicy
IMPACT ON ANDROID
Tests
Build
· only checks consistency
Manual tests
· corner cases
CTS
· checks enforcing for all
· init, system services in their domain
· neverallows respected
03 SE Policy in practice
SE POLICY IN PRACTICE
Some tools
Host side
● setools(-gui) package
○ apol : policy analysis GUI
○ seinfo : CLI query
○ sesearch : CLI search
● policycoreutils(-gui) package
○ sepolicy : policy inspection tools
○ audit2allow : rule generator
SE POLICY IN PRACTICE
Some tools
$ adb shell ls -Z
dr-x------ root root u:object_r:rootfs:s0 config
drwxrwx--x system system u:object_r:system_data_file:s0 data
-rw-r--r-- root root u:object_r:rootfs:s0 default.prop
[...]
$ adb shell ps -Z
LABEL USER PID PPID NAME
u:r:init:s0 root 1 0 /init
u:r:kernel:s0 root 2 0 kthreadd
u:r:platform_app:s0:c14,c256,c512,c768 u0_a14 1007 437 com.android.systemui
[...]
SE POLICY IN PRACTICE
Some tools
$ adb pull /sepolicy
$ sesearch --allow -t sysfs ./sepolicy
Found 32 semantic av rules:
allow netd sysfs : file write ;
[...]
$ adb shell dmesg | grep avc
[..] type=1400 audit(16565661:9): avc: denied { module_request } for pid=717
comm="netd" kmod="netdev-wlan0" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0
tclass=system
INTRO TO SELINUX
Audit Event Message
type=1400 audit(16565661:9): avc: denied { module_request } for pid=717 comm="netd" kmod="netdev-wlan0" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system
· { module_request }: the denied permission (load a kernel module)
· comm="netd": name of the executable
· scontext: source's (subject's) context
· tcontext: target's (object's) context
· tclass: object class
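Reading these messages by hand is fine for one denial; for a boot log it is what audit2allow automates. As an added example, not code from the deck or from audit2allow, the parser below extracts the fields of an avc line, and suggest_rules() performs the audit2allow step of turning denials into candidate allow rules, merging permissions per (subject type, object type, class) and writing `self` when both contexts share a type. The first sample line is the slide's; the bbq lines and the granted line are constructed for a hypothetical bbq domain and /dev/bbq device.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Added example: parse "avc: denied" lines from dmesg/logcat and turn them
# into candidate allow rules the way audit2allow does.

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s*$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC message, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, object] = {
        k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))
    }
    fields["result"] = m.group("result")
    fields["perms"] = set(m.group("perms").split())
    return fields


def type_of(context: str) -> str:
    """'u:r:netd:s0' -> 'netd' (third field of user:role:type:...)."""
    return context.split(":")[2]


def suggest_rules(lines: List[str]) -> List[str]:
    """One candidate allow rule per (subject type, object type, class) seen denied."""
    wanted = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None or d["result"] != "denied":
            continue
        src, tgt = type_of(d["scontext"]), type_of(d["tcontext"])
        key = (src, "self" if src == tgt else tgt, d["tclass"])
        wanted[key] |= d["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(wanted.items())
    ]


# Sample input: the netd line from the slide, plus lines constructed for a
# hypothetical "bbq" domain talking to a /dev/bbq character device.
SAMPLE_DENIALS = [
    '[..] type=1400 audit(16565661:9): avc: denied { module_request } for pid=717 '
    'comm="netd" kmod="netdev-wlan0" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system',
    'type=1400 audit(1456000001.123:42): avc: denied { read } for pid=1234 comm="bbq" '
    'name="bbq" dev="tmpfs" ino=9 scontext=u:r:bbq:s0 tcontext=u:object_r:bbq_device:s0 tclass=chr_file',
    'type=1400 audit(1456000001.124:43): avc: denied { write } for pid=1234 comm="bbq" '
    'name="bbq" dev="tmpfs" ino=9 scontext=u:r:bbq:s0 tcontext=u:object_r:bbq_device:s0 tclass=chr_file',
    'type=1400 audit(1456000002.000:44): avc: granted { read } for pid=1234 comm="bbq" '
    'scontext=u:r:bbq:s0 tcontext=u:object_r:bbq_device:s0 tclass=chr_file',
]

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_DENIALS):
        print(rule)
```

Treat the output as a question, not an answer: a generated rule says what the process tried, not whether it should be allowed. Before pasting it into a .te file, ask whether a label is wrong (the object landed in a type it should not have), whether a narrower permission or an existing macro covers the need, and whether the rule collides with a neverallow, which the build and CTS will reject anyway.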
SE POLICY IN PRACTICE
New Service : BBQ
Use case
● Create a new system service with custom permissions
Specific needs
● Register to ServiceManager
● Direct access to a device (/dev/bbq)
Existing policies
● App policies are too limited
● System policies are too powerful
SE POLICY IN PRACTICE
New Service : BBQ
Requirement
● Access to the framework source code
How to
1. Create a new UID
2. Label the service (and its files)
3. Label the device
4. Write a policy for the service
frameworks/base/core/java/android/os/Process.java
public static final int SYSTEM_UID = 1000;
+ public static final int BBQ_UID = 1101;
public static final int FIRST_APPLICATION_UID = 10000;
frameworks/base/services/../server/pm/PackageManagerService.java
+ private static final int BBQ_UID = Process.BBQ_UID;
+ mSettings.addSharedUserLPw("android.uid.bbq", BBQ_UID,
+ ApplicationInfo.FLAG_SYSTEM|ApplicationInfo.FLAG_PRIVILEGED);
New service AndroidManifest.xml
android:sharedUserId="android.uid.bbq"
SE POLICY IN PRACTICE
New app uid
Label service (as subject)
seapp_contexts
user=bbq seinfo=platform domain=bbq type=bbq_data_file
Label Service (as object)
service.te
type bbq_service, service_manager_type;
service_contexts
bbq u:object_r:bbq_service:s0
SE POLICY IN PRACTICE
New sepolicy
[Diagram: ServiceManager.getService(“bbq”) / uid]
SE POLICY IN PRACTICE
New sepolicy
Label files
file.te
type bbq_data_file, file_type, data_file_type;
type bbq_device, dev_type;
file_contexts
/dev/bbq u:object_r:bbq_device:s0
installd.te
allow installd { bbq_data_file }:dir { create_dir_perms relabelfrom relabelto };
system_server.te
allow system_server { bbq_data_file }:dir { getattr read search };
bbq.te
type bbq, domain;
app_domain(bbq)
net_domain(bbq)
binder_service(bbq)
# Data file accesses.
allow bbq bbq_data_file:dir create_dir_perms;
allow bbq bbq_data_file:notdevfile_class_set create_file_perms;
# Device file access
allow bbq bbq_device:chr_file rw_file_perms;
# Service Manager access
allow bbq bbq_service:service_manager add;
SE POLICY IN PRACTICE
New sepolicy
New policy files
vendor/vendor-name/sepolicy/{*.te, *_contexts}
Declare new policy
vendor/vendor-name/sepolicy.mk
BOARD_SEPOLICY_DIRS += vendor/vendor-name/sepolicy
Use new policy
device/manufacturer/device-name/BoardConfig.mk
-include vendor/vendor-name/sepolicy.mk
SE POLICY IN PRACTICE
Use new sepolicy
04 A few more words
A few more words
General advice
When in trouble
● Look at existing policies
● Source code doesn't lie
● Git history is available
Respect the philosophy
● Good labeling is key
● Don't allow more than needed
A few more words
Some resources
Links
https://wiki.gentoo.org/wiki/SELinux
http://selinuxproject.org
http://seandroid.bitbucket.org
https://source.android.com/devices/tech/security/selinux
https://github.com/mairin/selinux-coloring-book
Books
The SELinux Notebook, 4th Edition
SELinux Cookbook, ISBN: 9781783989669
Thank You for your time !
If you have any question
Guillaume Vercoutère
gvercoutere@genymobile.com
Rémy Gottschalk
rgottschalk@genymobile.com
IMPACT ON ANDROID
Macro
# app_domain(domain)
# base set of permissions for all apps.
define(`app_domain',
`typeattribute $1 appdomain;
# Label ashmem objects with unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
')
# net_domain(domain)
# base set of permissions required for
# network access.
define(`net_domain', `
typeattribute $1 netdomain;
')
define(`r_file_perms',
`{ getattr open read ioctl lock }')
INTRO TO SELINUX
Access vector
common file
{
ioctl
read
write
execute
….
}
class sock_file
inherits file
{
open
audit_access
execmod
}
class property_service
{
set
}
class service_manager
{
add
find
list
}

  • 3. FOREWORD Motivation (According to google trends) What is the most popular search associated to “SELinux” ?
  • 4. FOREWORD Motivation (According to google trends) What is the most popular search associated to “SELinux” ? “Disable SELinux”
  • 5. AGENDA 01 SELinux in a nutshell 02 Impact on Android 03 SE policy in practice
  • 6. SELinux in a nutshell01
  • 7. Traditional Unix permissions · User / Group · Permissions mask (rwxs) · Permissions may be passed from an object to another · All powerful root user INTRO TO SELINUX Unix permissions Discretionary Access Control
  • 8. Divides privileges into subsets · Limits root power · Examples : · reboot (CAP_SYS_BOOT) · bypass file permissions (CAP_DAC_READ_SEARCH) INTRO TO SELINUX Linux capabilities Linux Capabilities
  • 9. INTRO TO SELINUX Unix permissions root bypass all Lack of granularity No confinement Limits
  • 10. CVE-2011-1717 · App has control over data’s permissions · Set world readable permissions (666) · No encryption · Any app can read Skype app’s data SELinux categories (MCS) · Each app is confined · Access to other app’s data is blocked INTRO TO SELINUX Security flaws Skype #opendata
  • 11. CVE-2010-EASY · Fork self to reach RLIMIT_NPROC · Get adbd pid in /proc to restart it · setuid() fails · Shell can run as root SELinux · Read /proc/pid/, signal adbd : denied · Shell runs unprivileged INTRO TO SELINUX Security flaws Rage against the cage
  • 12. SELinux · Complements unix permissions · Confines daemons · Sandboxes applications · Centralized policy · Deny by default INTRO TO SELINUX SELinux Mandatory Access Control
  • 13. INTRO TO SELINUX Timeline SELinux Patchset on kernel 2.4.0 DTMach DTOS Flask 90’s 2000 2003 SELinux mainlined in kernel 2.6.0
  • 15. · Mainline · open source · path : security/selinux INTRO TO SELINUX Where? Linux Kernel
  • 16. · Open source · github.com/SELinuxProject/selinux Submit bug reports and patches to NSA · github.com/TresysTechnology · setools · refpolicy INTRO TO SELINUX Where? Userland
  • 18. INTRO TO SELINUX Policy Mechanisms Role Based Access Control Type Enforcement Multi Level / Category Security (optional)
  • 19. INTRO TO SELINUX Type enforcement : basics
  • 20. INTRO TO SELINUX Who's who? LABELS : metadata associated with each subject and object. user:role:type:sensitivity:category · user (for RBAC, != unix user) · role (for RBAC) · type (for TE) · sensitivity (for MLS, opt) · category (for MCS, opt)
  • 21. INTRO TO SELINUX Type enforcement rules
    [rule_name] [subject type] [object type]:[object class] [perm set]
    allow user_t user_home_t:file { create read write };
    allow netd sysfs:file { write };
    neverallow user_t sysfs:file { write };
  • 22. INTRO TO SELINUX Type enforcement Main security mechanism ● Denial by default ● Access rules ● allow ● neverallow ● much more ● Domain and type transition
  • 24. IMPACT ON ANDROID Historic 4.1 : Hello world ● SELinux introduced ● Not enabled 4.3 : Enable ... ● … but permissive 4.4 : Enforcing ● Confining a minimal set of root daemons ● Still permissive for the rest
  • 25. IMPACT ON ANDROID Historic 5.0 : Policy hardening ● All system services and apps are confined ● Only kernel and init unconfined ● Basic CTS for SELinux policy 6.0 : Fine tuning ● No more unconfined domain ● Confine users ● More neverallows ● Drop BOARD_SEPOLICY_UNION/IGNORE/REPLACE
  • 26. IMPACT ON ANDROID Main components SELinux ● external/libselinux ● external/selinux Base policy ● external/sepolicy Policy extensions (opt.) ● device/[...]/sepolicy ● vendor/[...]/sepolicy SELinux aware ● art/runtime ● bootable/recovery ● system/core/adb ● system/core/fastboot ● system/core/init ● ...
  • 27. IMPACT ON ANDROID How to disable Kernel ● Add SELinux support in configuration ● Deactivation with kernel cmd line : selinux=0 system/core/init compilation flag ALLOW_DISABLE_SELINUX : ● set if build is userdebug or eng ● read kernel cmdline arg : androidboot.selinux (disable/permissive)
  • 28. IMPACT ON ANDROID Policy implementation Type enforcement only Labels ● One user : u ● One role for subject : r ● One role for object : object_r ● No MLS, one range : s0 ● Categories for apps : c[...] ● Mainly relies on type
  • 29. IMPACT ON ANDROID Label examples Subject init process : u:r:init:s0 Object /init file : u:object_r:init_exec:s0
  • 30. IMPACT ON ANDROID Application confinement Use MCS to confine applications. Categories are built using one, both or none of : ● Application UID ● Android user ID (AOSP default) Example for a fully confined environment :
    com.android.calendar process : u:r:untrusted_app:s0:c22,c256,c512,c768
    /data/data/com.android.calendar/ directory : u:object_r:app_data_file:s0:c22,c256,c512,c768
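Added example following slide 30 (not part of the deck): how the four categories of a label such as u:r:untrusted_app:s0:c22,c256,c512,c768 are derived from an app UID and an Android user ID for each seapp_contexts levelFrom= mode. The constants and bit layout follow my reading of AOSP libselinux (android.c, Android 5/6) and are an assumption to check against the tree you build.

```python
# Added example, not from the slides: derive the MCS categories that
# Android's libselinux appends to an app's context for each seapp_contexts
# levelFrom= mode. The constants and bit layout follow my reading of AOSP
# external/libselinux/src/android.c (Android 5/6); treat them as an
# assumption to be checked against the tree you are building.
AID_USER = 100000  # UID range reserved per Android user
AID_APP = 10000    # FIRST_APPLICATION_UID

def split_uid(uid):
    """Return (android_user_id, app_id) with app_id relative to AID_APP."""
    userid, appid = divmod(uid, AID_USER)
    if appid < AID_APP:
        raise ValueError(f"uid {uid} is a system uid, not an app uid")
    return userid, appid - AID_APP

def mcs_categories(uid, level_from="all"):
    """Category numbers for levelFrom=none|app|user|all."""
    userid, appid = split_uid(uid)
    by_app = [appid & 0xff, 256 + ((appid >> 8) & 0xff)]
    by_user = [512 + (userid & 0xff), 768 + ((userid >> 8) & 0xff)]
    return {"none": [], "app": by_app, "user": by_user,
            "all": by_app + by_user}[level_from]

def label(sel_type, uid, level_from="all", role="r", sens="s0"):
    """Full context: label('untrusted_app', 10022) for u0_a22's process,
    label('app_data_file', 10022, role='object_r') for its data directory."""
    cats = ",".join(f"c{c}" for c in mcs_categories(uid, level_from))
    return f"u:{role}:{sel_type}:{sens}" + (f":{cats}" if cats else "")

def mcs_separates(uid_a, uid_b, level_from="all"):
    """True when the two apps get different categories, so MCS alone blocks
    one from reading the other's data even if DAC permissions are 666
    (the CVE-2011-1717 situation from slide 10)."""
    return mcs_categories(uid_a, level_from) != mcs_categories(uid_b, level_from)
```

With levelFrom=app only, the same package installed for two Android users shares its categories; levelFrom=all is what separates them.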
  • 31. IMPACT ON ANDROID Labeling Subjects (processes) ● seapp_contexts : Android applications
    user=system seinfo=platform domain=system_app type=system_app_data_file
    user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=all
    user=_app domain=untrusted_app type=app_data_file levelFrom=all
  • 32. IMPACT ON ANDROID Labeling Objects ● file_contexts : Files
    /dev(/.*)? u:object_r:device:s0
    /dev/accelerometer u:object_r:sensors_device:s0
    /system/bin/app_process32 u:object_r:zygote_exec:s0
    ● genfs_contexts : Full file systems
    genfscon rootfs / u:object_r:rootfs:s0
    genfscon proc /net u:object_r:proc_net:s0
  • 33. IMPACT ON ANDROID Labeling Objects ● property_contexts : System properties
    net.lte u:object_r:net_radio_prop:s0
    vold. u:object_r:vold_prop:s0
    ● service_contexts : Services
    SurfaceFlinger u:object_r:surfaceflinger_service:s0
    alarm u:object_r:system_server_service:s0
  • 34. IMPACT ON ANDROID Build system BoardConfig.mk ● BOARD_SEPOLICY_DIRS : /device/manufacturer/device-name/sepolicy ● include other sepolicy.mk (device/vendor) ● BOARD_KERNEL_CMDLINE : androidboot.selinux=permissive / … Build policies ● make sepolicy
  • 35. IMPACT ON ANDROID Tests Build · only checks consistency Manual tests · corner cases CTS · checks enforcing for all · init, system services in their domain · neverallow respected
  • 36. SE Policy in practice03
  • 37. SE POLICY IN PRACTICE Some tools Host side ● setools(-gui) package ○ apol : policy analysis GUI ○ seinfo : CLI query ○ sesearch : CLI search ● policycoreutils(-gui) package ○ sepolicy : policy inspection tools ○ audit2allow : rule generator
  • 38. SE POLICY IN PRACTICE Some tools
    $ adb shell ls -Z
    dr-x------ root   root   u:object_r:rootfs:s0 config
    drwxrwx--x system system u:object_r:system_data_file:s0 data
    -rw-r--r-- root   root   u:object_r:rootfs:s0 default.prop
    [...]
    $ adb shell ps -Z
    LABEL USER PID PPID NAME
    u:r:init:s0 root 1 0 /init
    u:r:kernel:s0 root 2 0 kthreadd
    u:r:platform_app:s0:c14,c256,c512,c768 u0_a14 1007 437 com.android.systemui
    [...]
  • 39. SE POLICY IN PRACTICE Some tools
    $ adb pull /sepolicy
    $ sesearch --allow -t sysfs ./sepolicy
    Found 32 semantic av rules:
    allow netd sysfs : file write ;
    [...]
    $ adb shell dmesg | grep avc
    [...]
    type=1400 audit(16565661:9): avc: denied { module_request } for pid=717 comm="netd" kmod="netdev-wlan0" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system
  • 40. INTRO TO SELINUX Audit Event Message
    type=1400 audit(16565661:9): avc: denied { module_request } for pid=717 comm="netd" kmod="netdev-wlan0" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system
    · { module_request } : permission (load module) · comm : name of executable · scontext : source's context · tcontext : target's context
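Added example following slide 40 (not the deck's code): a small triage script that parses "avc: denied" lines as dissected above and writes out, per source domain, the TE rule (slide 21 syntax) that would cover each denial. The second sample line and its field values are constructed; the first is the one on slide 39.

```python
import re

# Added example, not from the deck: parse "avc: denied" audit events and
# turn each into the TE rule that would allow it, grouped per source domain.
# A triage aid in the spirit of audit2allow, not the tool itself: a candidate
# rule is a starting point for investigation and must be cut down to the
# minimum and checked against neverallow rules before it reaches a policy.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
KEYS = ("pid", "comm", "name", "kmod", "scontext", "tcontext", "tclass")

def parse_avc(line):
    """Return a dict of the interesting fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    ev = {k: kv.get(k) for k in KEYS}
    ev["perms"] = m.group("perms").split()
    return ev

def type_of(context):
    """u:r:netd:s0 -> netd : the type is the third field of a context (slide 20)."""
    return context.split(":")[2]

def candidate_rule(ev):
    """The allow rule that would silence this denial."""
    perms = ev["perms"][0] if len(ev["perms"]) == 1 else "{ " + " ".join(ev["perms"]) + " }"
    return f'allow {type_of(ev["scontext"])} {type_of(ev["tcontext"])}:{ev["tclass"]} {perms};'

def triage(lines):
    """source domain -> set of candidate rules, from raw dmesg/logcat lines."""
    rules = {}
    for ev in filter(None, map(parse_avc, lines)):
        rules.setdefault(type_of(ev["scontext"]), set()).add(candidate_rule(ev))
    return rules

# constructed sample: the denial from slide 39, an invented one, a non-AVC record
SAMPLE = [
    'type=1400 audit(16565661:9): avc: denied { module_request } for pid=717 '
    'comm="netd" kmod="netdev-wlan0" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system',
    'type=1400 audit(16565662:10): avc: denied { read write } for pid=1007 '
    'comm="ndroid.systemui" name="bbq" dev="tmpfs" ino=4242 '
    'scontext=u:r:platform_app:s0:c14,c256,c512,c768 tcontext=u:object_r:bbq_device:s0 tclass=chr_file',
    'type=1300 audit(16565663:11): syscall=5 success=no exit=-13',
]
```

Run `triage(SAMPLE)` to see one rule for netd and one for platform_app; a platform app reaching a raw device node is exactly the kind of candidate the deck's "don't allow more than needed" advice applies to.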
  • 41. SE POLICY IN PRACTICE New Service : BBQ Use case ● Create a new system service with custom permissions Specific needs ● Register to ServiceManager ● Direct access to a device (/dev/bbq) Existing policies ● App policies are too limited ● System policies are too powerful
  • 42. SE POLICY IN PRACTICE New Service : BBQ Requirement ● Access to the framework source code How to 1. Create a new UID 2. Label the service (and its files) 3. Label the device 4. Write a policy for the service
  • 43. SE POLICY IN PRACTICE New app uid
    frameworks/base/core/java/android/os/Process.java
      public static final int SYSTEM_UID = 1000;
    + public static final int BBQ_UID = 1101;
      public static final int FIRST_APPLICATION_UID = 10000;
    frameworks/base/services/../server/pm/PackageManagerService.java
    + private static final int BBQ_UID = Process.BBQ_UID;
    + mSettings.addSharedUserLPw("android.uid.bbq", BBQ_UID,
    +     ApplicationInfo.FLAG_SYSTEM|ApplicationInfo.FLAG_PRIVILEGED);
    New service AndroidManifest.xml
      android:sharedUserId="android.uid.bbq"
  • 44. SE POLICY IN PRACTICE New sepolicy Label service (as subject) : seapp_contexts, matched on the uid
    user=bbq seinfo=platform domain=bbq type=bbq_data_file
    Label service (as object) : service.te, looked up through ServiceManager.getService("bbq")
    type bbq_service, service_manager_type;
    service_contexts
    bbq u:object_r:bbq_service:s0
  • 45. SE POLICY IN PRACTICE New sepolicy Label files
    file.te
    type bbq_data_file, file_type, data_file_type;
    type bbq_device, dev_type;
    file_contexts
    /dev/bbq u:object_r:bbq_device:s0
    installd.te
    allow installd { bbq_data_file }:dir { create_dir_perms relabelfrom relabelto };
    system_server.te
    allow system_server { bbq_data_file }:dir { getattr read search };
  • 46. SE POLICY IN PRACTICE New sepolicy bbq.te
    type bbq, domain;
    app_domain(bbq)
    net_domain(bbq)
    binder_service(bbq)
    # Data file accesses.
    allow bbq bbq_data_file:dir create_dir_perms;
    allow bbq bbq_data_file:notdevfile_class_set create_file_perms;
    # Device file access
    allow bbq bbq_device:chr_file rw_file_perms;
    # Service Manager access
    allow bbq bbq_service:service_manager add;
  • 47. SE POLICY IN PRACTICE Use new sepolicy New policy files : vendor/vendor-name/sepolicy/{*.te, *_contexts} Declare new policy : vendor/vendor-name/sepolicy.mk
    BOARD_SEPOLICY_DIRS += vendor/vendor-name/sepolicy
    Use new policy : device/manufacturer/device-name/BoardConfig.mk
    -include vendor/vendor-name/sepolicy.mk
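Added example closing the BBQ walk-through of slides 42 to 47 (not the deck's or AOSP's code): a pre-build consistency check that collects the `type` declarations from the .te fragments and verifies that every label in seapp_contexts, service_contexts and file_contexts names a declared type with the attribute that position requires. The required-attribute table is an assumption taken from the slides; the sample fragments are the deck's own, concatenated.

```python
import re

# Added example, not from the slides: a pre-build consistency check over
# the BBQ policy fragments. It collects the `type` declarations from *.te
# text and verifies that every label in the *_contexts files names a
# declared type carrying the attribute that kind of context needs. The
# required-attribute table below is an assumption taken from the deck.
TYPE_DECL = re.compile(r'^\s*type\s+(\w+)\s*(?:,([^;\n]*))?;', re.M)

def declared_types(te_text):
    """type name -> set of attributes, from 'type name, attr, attr;' lines."""
    return {name: {a.strip() for a in attrs.split(",") if a.strip()}
            for name, attrs in TYPE_DECL.findall(te_text)}

def referenced_types(kind, text):
    """(type, position) pairs a *_contexts file refers to."""
    if kind == "seapp_contexts":
        return ([(t, "domain") for t in re.findall(r'\bdomain=(\w+)', text)] +
                [(t, "data") for t in re.findall(r'\btype=(\w+)', text)])
    pos = {"service_contexts": "service", "file_contexts": "file"}[kind]
    return [(t, pos) for t in re.findall(r'u:object_r:(\w+):s0', text)]

# attribute a type must carry to be usable in that position (assumed)
NEEDS = {"domain": {"domain"}, "data": {"file_type"},
         "service": {"service_manager_type"}, "file": {"file_type", "dev_type"}}

def check_policy(te_text, contexts):
    """Return a list of problems; an empty list means the fragments agree."""
    types = declared_types(te_text)
    problems = []
    for kind, text in contexts.items():
        for t, pos in referenced_types(kind, text):
            if t not in types:
                problems.append(f"{kind}: type '{t}' is never declared")
            elif not types[t] & NEEDS[pos]:
                problems.append(f"{kind}: '{t}' lacks one of {sorted(NEEDS[pos])}")
    return problems

# constructed sample: the fragments from slides 44 to 46, concatenated
TE = """type bbq, domain;
type bbq_service, service_manager_type;
type bbq_data_file, file_type, data_file_type;
type bbq_device, dev_type;
"""
CONTEXTS = {
    "seapp_contexts": "user=bbq seinfo=platform domain=bbq type=bbq_data_file\n",
    "service_contexts": "bbq u:object_r:bbq_service:s0\n",
    "file_contexts": "/dev/bbq u:object_r:bbq_device:s0\n",
}
```

`check_policy(TE, CONTEXTS)` returns an empty list for the deck's fragments; drop the bbq_device declaration or give bbq_service the wrong attribute and it names the offending context file.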
  • 48. A few more words04
  • 49. A few more words General advice When in trouble ● Look at existing policies ● Source code doesn't lie ● Git history is available Respect the philosophy ● Good labeling is key ● Don't allow more than needed
  • 50. A few more words Some resources Links https://wiki.gentoo.org/wiki/SELinux http://selinuxproject.org http://seandroid.bitbucket.org https://source.android.com/devices/tech/security/selinux https://github.com/mairin/selinux-coloring-book Books The SELinux Notebook, 4th Edition Selinux Cookbook, ISBN: 9781783989669
  • 51. Thank You for your time ! If you have any questions Guillaume Vercoutère gvercoutere@genymobile.com Rémy Gottschalk rgottschalk@genymobile.com
  • 52. IMPACT ON ANDROID Macro
    # app_domain(domain)
    # base set of permissions for all apps.
    define(`app_domain', `
    typeattribute $1 appdomain;
    # Label ashmem objects with unique type.
    tmpfs_domain($1)
    # Map with PROT_EXEC.
    allow $1 $1_tmpfs:file execute;
    ')
    # net_domain(domain)
    # base set of permissions required for
    # network access.
    define(`net_domain', `
    typeattribute $1 netdomain;
    ')
    define(`r_file_perms', `{ getattr open read ioctl lock }')
  • 53. INTRO TO SELINUX Access vector
    common file { ioctl read write execute … }
    class sock_file inherits file { open audit_access execmod }
    class property_service { set }
    class service_manager { add find list }