SELinux

SELinux

 

Background

LSM中文全称是linux安全模块。英文全称：linux security module.
LSM是一种轻量级、通用的访问控制框架，适合多种访问控制模型以内核模块的形式实现。
通过系统调用进入内核之后，系统首先进行传统的权限检查（传统权限检查主要是基于用户的，用户通过验证之后就可以访问资源），通过之后才会进行强制访问控制。（强制访问控制是不允许主体干涉的一种访问控制，其采用安全标识、信息分级等信息敏感性进行访问控制。并且通过比较主体的级别和资源的敏感性来确定是否允许访问。比如说系统设置A用户不允许访问文件B，即便A是文件B的所有者，访问也是受限制的。）从图上看来，LSM实现访问控制主要通过安全模块的钩子函数实现。
关于DAC和MAC
DAC 自主访问的含义是有访问许可的主体能够直接或间接地向其他主体转让访问权。
MAC 强制访问控制是“强加”给访问主体的，即系统强制主体服从访问控制政策。
而selinux就是一种LSM安全模块引擎的实现方案，另外还有别的实现，比如smack

 

Resources:

/*selinux history and introduction*/
https://www.nsa.gov/research/selinux/
/*SELinux docuemnt from fedora*/
http://fedoraproject.org/wiki/SELinux#Documentation

/*Configuring the SELinux Policy*/
https://www.nsa.gov/research/_files/selinux/papers/policy2/t1.shtml
/*SELinux policy language*/
http://selinuxproject.org/page/PolicyLanguage
/*sepolicy instructions*/
android/external/sepolicy/README  [Micro-definition and tools explanation]
 

NOTE: Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf, this final and overall sepolicy configuration

 

BOOK: The_SELinux_Notebook_The_Foundations_3rd_Edition.pdf

Security_Enhanced_(SE)_Android_Bringing_Flexible_MAC_to_Android.pdf （Stephen Smalley and Robert Craig）

http://seandroid.bitbucket.org/

 

OVERVIEW

标准的UNIX安全模型是“任意的访问控制“DAC（Discretionary Access Control），任何程序对其资源享有完全的控制权，这些控制权由用户自己定义。SELinux的安全模型则是MAC（Mandatory Access Control），即强制访问控制，它的做法是“最小权限原则”，通过定义哪些用户可以访问哪些文件，从而提供了一系列的机制，来限制用户和文件的权限。
在没有使用SELinux的android系统上，一旦手机被root，用户就获得了su权限，就可以对系统文件和其他应用进行操作。如果启用了 SELinux，管理员就可以设置策略，限定su的访问，比如可以设置su不可以修改系统文件，这样就算手机被root，也可以保障android系统不 被恶意篡改。
SEAndroid的安全检查覆盖了所有重要的方面包括了域转换、类型转换、进程相关操作、内核相关操作、文件目录相关操作、文件系统相关操作、对设备相关操作、对app相关操作、对网络相关操作、对IPC相关操作。
 

STUDY NOTE

http://blog.csdn.net/innost/article/details/19299937?utm_source=tuicool
http://blog.csdn.net/innost/article/details/19641487
http://blog.csdn.net/innost/article/details/19767621
以上三个link，重要内容摘录如下：
 

SELinux concepts

Security Context: 系统中存在的各类资源（进程，文件，IPC等等）都赋予一个安全属性，称之为Security context，由user:role:type[:range]组成，分别对应用户，角色，类型，安全等级。
MAC基本管理单位是TEAC（Type Enforcement Accesc Control），然后是高一级别的Role Based Accesc Control。RBAC是基于TE的，而TE也是SELinux中最主要的部分。Android主要用到的是TE。

SELinux policy的语法举例
rule_name source_type target_type : class perm_set
其中source_type and target_type可以为Type，也可以为Attribuite

concept explanation:

rule_name: 定义的规则
allow：赋予某项权限。
allowaudit：audit含义就是记录某项操作。默认情况下是SELinux只记录那些权限检查失败的操作。allowaudit则使得权限检查成功的操作也被记录。注意，allowaudit只是允许记录，它和赋予权限没关系。赋予权限必须且只能使用allow语句。
dontaudit：对那些权限检查失败的操作不做记录。
neverallow：前面讲过，用来检查安全策略文件中是否有违反该项规则的allow语句。

class: defined in external/sepolicy/security_classes; 描述系统的所有资源对象

perm_set: defined in external/sepolicy/access_vectors; 描述对资源的操作方式，
两种定义方式，
其一：common common_name { permission_name ... }；
eg：
 37 common socket
 38 {
 39 # inherited from file
 40         ioctl
 41         read
 42         write
 43         create
......
 63 }
其二：class class_name [ inherits common_name ] { permission_name ... }
eg:
648 class netlink_audit_socket
649 inherits socket
650 {
651         nlmsg_read
652         nlmsg_write
653         nlmsg_relay
.......
656 }

attribuite：defined in external/sepolicy/attributes

type:　defined in external/sepolicy/*.te
定义格式：type type_id [alias alias_id,] [attribute_id]

eg:
27 type system_file, file_type;
定义名为system_file的type，并且关联名为file_type的attribute。

注：
type和attribute是被包含的关系, 关联的作用在于让type默认继承attribute的安全权限，以便构建系统所有资源的security context

eg.
#允许zygote域中的进程向init type的进程（Object Class为process）发送sigchld信号
allow zygote init:process sigchld;
#允许zygote域中的进程search或getattr类型为appdomain的目录。
allow zygote appdomain:dir { getattr search };
Security policy configuration generation
external/sepolicy，存放安全策略定义文件和生成转化工具，主要包含文件：
*.te, users, roles, attribute, security_classes, access_vectors等

通过m4, checkpolicy等工具，最终生成的Sepolicy二进制配置文件（rootfs根目录）如下：
sepolicy：源于各个*.te和type/attribute/class等等的定义文件
file_context：文件目录先关
seapp_context：和应用程序相关
property_contexts：Android系统属性相关
 

Security policy initialization

由Init进程负责初始化policy配置文件，主要流程函数如下：

selinux_initialize()；初始化SEAndroid，包括检查/sys/fs/selinux节点，设置selinux的工作模式permissive OR enforcing，
selinux_android_load_policy（）：调用libsecurity库函数来加载sepolicy到kernel的LSM
selinux_init_all_handles：初始化file_context，seapp_context及property_context相关内容。
restorecon("/dev");根据file_contexts中的内容给目录打标签，即设置目录的安全配置
restorecon("/dev/socket");
restorecon...
 

property权限检查

一般而言，SELinux权限检查都是由kernel来完成的，不过对于Android平台中的Property而言，这却完全是一个用户空间的内容。
system/core/init/property_service.c:: check_mac_perms
用户空间的权限检查主要就是通过selinux_check_access完成，其输入参数包括：
    源的SContext：它就是调用setprop的进程的SContext
    目标的SContext：不同的属性有不同的SContext，这是在property_context中定义的。
    要检查的Object class（系统所支持的类在external/sepolicy/security_classes文件中定义）。
    操作名称（perm，由access vector定义。对Property这种Object class而言，其唯一需要做权限检查的操作就是set。读者可参考external/sepolicy/access_vectors这个文件）。
 

[Offical] Security-Enhanced Linux in Android

The following segments are quoted from https://source.android.com/devices/tech/security/selinux/index.html#introduction
In this document
1.    Introduction
2.    Background
3.    Supporting documentation
4.    Help
Introduction

The Android security model is based in part on the concept of application sandboxes. Each application runs in its own sandbox. Prior to Android 4.3, these sandboxes were defined by the creation of a unique Linux UID for each application at time of installation. Starting with Android 4.3, Security-Enhanced Linux (SELinux) is used to further define the boundaries of the Android application sandbox.
As part of the Android security model, Android uses SELinux to enforce mandatory access control (MAC) over all processes, even processes running with root/superuser privileges (a.k.a. Linux capabilities). SELinux enhances Android security by confining privileged processes and automating security policy creation.
Contributions to it have been made by a number of companies and organizations; all Android code and contributors are publicly available for review on android.googlesource.com. With SELinux, Android can better protect and confine system services, control access to application data and system logs, reduce the effects of malicious software, and protect users from potential flaws in code on mobile devices.
Android includes SELinux in enforcing mode and a corresponding security policy that works by default across the Android Open Source Project. In enforcing mode, illegitimate actions are prevented and all attempted violations are logged by the kernel to dmesg and logcat. Android device manufacturers should gather information about errors so they may refine their software and SELinux policies before enforcing them.
Background

SELinux operates on the ethos of default denial. Anything that is not explicitly allowed is denied. SELinux can operate in one of two global modes: permissive mode, in which permission denials are logged but not enforced, and enforcing mode, in which denials are both logged and enforced. SELinux also supports a per-domain permissive mode in which specific domains (processes) can be made permissive while placing the rest of the system in global enforcing mode. A domain is simply a label identifying a process or set of processes in the security policy, where all processes labeled with the same domain are treated identically by the security policy. Per-domain permissive mode enables incremental application of SELinux to an ever-increasing portion of the system. Per-domain permissive mode also enables policy development for new services while keeping the rest of the system enforcing.
In the Android 5.0 (L) release, Android moves to full enforcement of SELinux. This builds upon the permissive release of 4.3 and the partial enforcement of 4.4. In short, Android is shifting from enforcement on a limited set of crucial domains (installd, netd, vold and zygote) to everything (more than 60 domains). This means manufacturers will have to better understand and scale their SELinux implementations to provide compatible devices. Understand that:
?    Everything is in enforcing mode in the 5.0 release
?    No processes other than init should run in the init domain
?    Any generic denial (for a block_device, socket_device, default_service, etc.) indicates that device needs a special domain

 

Supporting documentation

See the documentation below for details on constructing useful policies:
http://seandroid.bitbucket.org/PapersandPresentations.html
https://www.codeproject.com/Articles/806904/Android-Security-Customization-with-SEAndroid
https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf
https://www.internetsociety.org/sites/default/files/02_4.pdf
http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf
http://selinuxproject.org/page/ObjectClassesPerms
https://www.nsa.gov/research/_files/publications/implementing_selinux.pdf
https://www.nsa.gov/research/_files/publications/selinux_configuring_policy.pdf
https://www.gnu.org/software/m4/manual/index.html

 

 

steps_of_adding_sepolicy

How to generate te file for sepolicy

1. Searching string "avc" + "denied" to fetch error kernel and android log on permissive mode like below messages
[   14.382870] C2  2607 (             cp) audit: type=1400 audit(1388534447.639:8): avc:  denied  { write } for  pid=2607 comm="cp" name="/" dev="mmcblk0p12" ino=2 scontext=u:r:init_shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0

2. Utility audit2arrow tool to generate te file
  - apt-get install policycoreutils => audit2allow ? setools ??
  - audit2allow -i test.txt -o temp.te
  - cat temp.te
#============= init_shell ==============
allow init_shell unlabeled:dir write;

3. apply te files into related directory, for example, android/device/qualcomm/msmxxx_common/sepolicy/ add.te

4. build kernel again and burn it

 

 

 

MISC

#Change SELinux security mode
in init.rc, echo 0 > /sys/fs/selinux/enforce OR setenforce 0
OR directly modify init/main in function selinux_initialize()

#getenforce
get current enforce mode

external/sepolicy：提供了Android平台中的安全策略源文件
external/libselinux：提供了Android平台中的libselinux
external/libsepol：提供了供安全策略文件编译时使用的一个工具checkcon

#/sys/fs/selinux/*
create VFS : selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
(以/sys/fs/selinux为安装点，安装一个类型为selinuxfs的文件系统，也就是SELinux文件系统，用来与内核空间的SELinux LSM模块通信)

root@core33g:/sys/fs/selinux # ls -lZ mls
-r--r--r-- root     root              u:object_r:selinuxfs:s0 mls

root@core33g:/sys/fs/selinux # ps -Z
LABEL                          USER     PID   PPID  NAME
u:r:init:s0                    root      1     0     /init
u:r:kernel:s0                  root      2     0     kthreadd