SEAndroid学习

概要

SEAndroid 基于SELinux实现, SELinux 的目标就是实现对Linux 系统上的操作做精细化安全管理.
为了达到精细化安全管理无非就限制一些主体访问对某些资源执行某些操作. 在SEAndroid里面主体一般是进程, 客体一般是资源.

SELinux 的架构如下图:

    SELinux 内核模块在Linux内核中添加了一些钩子函数,当对某些资源进行某些操作的时候就会调用SELinux钩子函数进行检查, 检查的目的是验证主体进程有没有对客体资源进行该操作的权利,有则放行,无则拒绝.  这个内核模块较多SELinux LSM Moudle.
    SELinux在进行安全检查的时候，首先是看一下自己的Access Vector Cache是否已经有结果。如果有的话，就直接将结果返回给相应的内核子系统就可以了。如果没有的话，就需要到Security Server中去进行检查。检查出来的结果在返回给相应的内核子系统的同时，也会保存在自己的Access Vector Cache中，以便下次可以快速地得到检查结果。

    Linux内核涉及的一个哲学就是内核提供机制,上层用户提供策略, 所以SELinux LSM Moudle对于资源访问策略的配置对上层开放了接口.  用户程序将一系列访问控制策略同步给SELinux LSM Moudle.  这些策略通过一系列te文件描述,也就是上图的Securt Context. 
   策略是静态的, 在系统启动之初由init进程加载到SELinux LSM Moudle. 但是主体和客体都可能动态产生. 这就需要用户空间的Securt Service 来描述主体和客体对应的类型(看到这里可能不明白类型的含义,不用担心,这正是此文要进行说明的).

详解

通过对概要的阅读我们了解到SEAndroid的主要目的是限制一些主体访问对某些资源执行某些操作. 所以我们知道SEAndroid需要描述下列几种概念:

• 资源类型
• 资源支持的操作
• 主体访问资源的权限
• 客体资源操作限制

下面我们来看下SEAndroid是如何描述这些概念的:

• 资源类型(class): https://android.googlesource.com/platform/system/sepolicy/+/refs/heads/master/private/security_classes

class filesystem  文件系统资源类型
class file   文件资源类型
class anon_inode inode资源类型
class dir 目录资源类型
class fd  文件描述符资源类型
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

• 资源支持的操作(permissions) (资源类型访问向量): https://android.googlesource.com/platform/system/sepolicy/+/refs/heads/master/private/access_vectors
  common file // 文件类型资源支持的操作
  {
  read // 读
  write // 写
  create // 创建
  …
  }

• 访问规则(描述主体访问资源的权限 和 客体资源操作限制): 格式如allow source target:class permissions;其中：

  • domain域(source tag)- 主体标签(描述主体)
  • type (客体标签)- 客体标签(描述客体)
  • class - 客体类型 (描述资源类型)
  • permissions - 要执行的操作（或一组操作，例如读取、写入）, 访问向量的集合。 (描述操作)

allow device_domain_deprecated rootfs:file r_file_perms; // 允许device_domain_deprecated域的主体对带有rootfs标签的客体文件进行读操作
allow init rootfs:dir create_dir_perms;  // 允许init域的主体对带有rootfs标签的客体目录资源进行创建操作
allow untrusted_app app_data_file:file { read write };        // 允许untrusted_app域的主体对带有app_data_file标签的客体文件资源进行读写操作   
allow priv_app update_engine_service:service_manager find;  // 允许priv_app域的主体对service_manager类型并且带有 

update_engine_service标签的客体service_manager资源进行读写操作
注意:这里面class 和 permissions 在其他地方就定义好了,domain 和 type 都是规则定义的.
例子中的permission有些并不是直接使用的资源访问向量,特别是对于文件访问权限，有很多种权限需要考虑。例如，read 权限不足以打开相应文件或对其调用 stat。为了简化规则定义，Android 提供了一组宏来处理最常见的情况。例如，r_file_perms就是一个宏, 请参阅 global_macros 和 te_macros 文件。请尽可能使用宏，以降低因相关权限被拒而导致失败的可能性。

给资源(客体)打标签:
u:object_r:rootfs:s0
描述一个资源的selinux权限, 它由四部分内容组成

• 分别是SELinux用户: SEAndroid里固定为object_r
• SELinux角色: SEAndroid 固定为
• TAG : 对应上面访问规则里面的target tag
• 安全级别: SEAndroid 固定为s0

/build\.prop        u:object_r:rootfs:s0            // /build.prop 的客体标签为rootfs

这条资源标签结合上面权限规则allow device_domain_deprecated rootfs:file r_file_perms; 可以得出 device_domain_deprecated 域的主体可以对build.prop 文件进行读取.

注意: 上述都是给静态文件打标签,也就是系统启动前就存在的文件. 本文意在描述SEAndroid的配置规则和原理, 动态生成的文件打标签请参考SEAndroid安全机制中的文件安全上下文关联分析 一文.

给主体设置domain. 主要通过se_appcontexts定义, 由于主体一般为进程,进程是动态创建的, 所以需要PackageManagerService 读取se_appcontexts 文件,来告知Zygote如何设置进程的domain.

# Input selectors:
#       isSystemServer (boolean)
#       isEphemeralApp (boolean)
#       isV2App (boolean)
#       isOwner (boolean)
#       user (string)
#       seinfo (string)
#       name (string)
#       path (string)
#       isPrivApp (boolean)
#       minTargetSdkVersion (unsigned integer)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
# isV2App=true will match apps in the v2 app sandbox.
# isOwner=true will only match for the owner/primary user.
# isOwner=false will only match for secondary users.
# If unspecified, the entry can match either case.
# An unspecified string selector will match any value.
# A user string selector that ends in * will perform a prefix match.
# user=_app will match any regular app UID.
# user=_isolated will match any isolated service UID.
# isPrivApp=true will only match for applications preinstalled in
#       /system/priv-app.
# minTargetSdkVersion will match applications with a targetSdkVersion
#       greater than or equal to the specified value. If unspecified,
#       it has a default value of 0.
# All specified input selectors in an entry must match (i.e. logical AND).
# Matching is case-insensitive.
#
# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
#       (1) isSystemServer=true before isSystemServer=false.
#       (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
#       (3) Specified isV2App= before unspecified isV2App= boolean.
#       (4) Specified isOwner= before unspecified isOwner= boolean.
#       (5) Specified user= string before unspecified user= string.
#       (6) Fixed user= string before user= prefix (i.e. ending in *).
#       (7) Longer user= prefix before shorter user= prefix.
#       (8) Specified seinfo= string before unspecified seinfo= string.
#           ':' character is reserved and may not be used.
#       (9) Specified name= string before unspecified name= string.
#       (10) Specified path= string before unspecified path= string.
#       (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
#       (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
#              integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
#
# Outputs:
#       domain (string)
#       type (string)
#       levelFrom (string; one of none, all, app, or user)
#       level (string)
# Only entries that specify domain= will be used for app process labeling.
# Only entries that specify type= will be used for app directory labeling.
# levelFrom=user is only supported for _app or _isolated UIDs.
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
# level may be used to specify a fixed level for any UID.
#
#
# Neverallow Assertions
# Additional compile time assertion checks can be added as well. The assertion
# rules are lines beginning with the keyword neverallow. Full support for PCRE
# regular expressions exists on all input and output selectors. Neverallow
# rules are never output to the built seapp_contexts file. Like all keywords,
# neverallows are case-insensitive. A neverallow is asserted when all key value
# inputs are matched on a key value rule line.
#

# only the system server can be in system_server domain
neverallow isSystemServer=false domain=system_server
neverallow isSystemServer="" domain=system_server

# system domains should never be assigned outside of system uid
neverallow user=((?!system).)* domain=system_app
neverallow user=((?!system).)* type=system_app_data_file

# anything with a non-known uid with a specified name should have a specified seinfo
neverallow user=_app name=.* seinfo=""
neverallow user=_app name=.* seinfo=default

# neverallow shared relro to any other domain
# and neverallow any other uid into shared_relro
neverallow user=shared_relro domain=((?!shared_relro).)*
neverallow user=((?!shared_relro).)* domain=shared_relro

# neverallow non-isolated uids into isolated_app domain
# and vice versa
neverallow user=_isolated domain=((?!isolated_app).)*
neverallow user=((?!_isolated).)* domain=isolated_app

# uid shell should always be in shell domain, however non-shell
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*

# Ephemeral Apps must run in the ephemeral_app domain
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*

isSystemServer=true domain=system_server
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user

关于如何给应用程序设置domain 请参考 SEAndroid安全机制中的进程安全上下文关联分析 一文.

注意domain也是可以继承的,比如type system_app, domain; 标识system_app 集成自domain 这个域.

编译过程

[ 14% 1/7] /bin/bash -c "m4  -D mls_num_sens=1 -D mls_num_cats=1024 -D target_build_variant=userdebug -D target_with_dexpreopt=true -D target_arch=arm64 -D target_with_asan=false -D target_full_treble=true  -s system/sepolicy/reqd_mask/security_classes system/sepolicy/reqd_mask/initial_sids system/sepolicy/reqd_mask/access_vectors system/sepolicy/reqd_mask/mls_macros system/sepolicy/reqd_mask/mls_decl system/sepolicy/reqd_mask/mls system/sepolicy/reqd_mask/reqd_mask.te system/sepolicy/reqd_mask/roles_decl system/sepolicy/reqd_mask/roles system/sepolicy/reqd_mask/users system/sepolicy/reqd_mask/initial_sid_contexts > out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/reqd_policy_mask.conf"
[ 28% 2/7] /bin/bash -c "ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -C -M -c 		30 -o out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/reqd_policy_mask.cil out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/reqd_policy_mask.conf"
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/reqd_policy_mask.conf
out/host/linux-x86/bin/checkpolicy:  policy configuration loaded
out/host/linux-x86/bin/checkpolicy:  writing CIL to out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/reqd_policy_mask.cil
[ 42% 3/7] /bin/bash -c "m4  -D mls_num_sens=1 -D mls_num_cats=1024 -D target_build_variant=userdebug -D target_with_dexpreopt=true -D target_arch=arm64 -D target_with_asan=false -D target_full_treble=true  -s system/sepolicy/reqd_mask/security_classes system/sepolicy/reqd_mask/initial_sids system/sepolicy/reqd_mask/access_vectors system/sepolicy/public/global_macros system/sepolicy/public/neverallow_macros system/sepolicy/reqd_mask/mls_macros system/sepolicy/reqd_mask/mls_decl system/sepolicy/reqd_mask/mls system/sepolicy/public/te_macros system/sepolicy/public/attributes system/sepolicy/public/ioctl_defines system/sepolicy/public/ioctl_macros system/sepolicy/public/adbd.te system/sepolicy/public/asan_extract.te system/sepolicy/public/audioserver.te system/sepolicy/public/blkid.te system/sepolicy/public/blkid_untrusted.te system/sepolicy/public/bluetooth.te system/sepolicy/public/bootanim.te system/sepolicy/public/bootstat.te system/sepolicy/public/bufferhubd.te system/sepolicy/public/cameraserver.te system/sepolicy/public/charger.te system/sepolicy/public/clatd.te system/sepolicy/public/cppreopts.te system/sepolicy/public/crash_dump.te system/sepolicy/public/device.te system/sepolicy/public/dex2oat.te system/sepolicy/public/dhcp.te system/sepolicy/public/display_service_server.te system/sepolicy/public/dnsmasq.te system/sepolicy/public/domain.te system/sepolicy/public/drmserver.te system/sepolicy/public/dumpstate.te system/sepolicy/public/e2fs.te system/sepolicy/public/ephemeral_app.te system/sepolicy/public/file.te system/sepolicy/public/fingerprintd.te system/sepolicy/public/fsck.te system/sepolicy/public/fsck_untrusted.te system/sepolicy/public/gatekeeperd.te system/sepolicy/public/hal_allocator.te system/sepolicy/public/hal_audio.te system/sepolicy/public/hal_bluetooth.te system/sepolicy/public/hal_bootctl.te system/sepolicy/public/hal_broadcastradio.te system/sepolicy/public/hal_camera.te system/sepolicy/public/hal_cas.te system/sepolicy/public/hal_configstore.te system/sepolicy/public/hal_contexthub.te system/sepolicy/public/hal_drm.te system/sepolicy/public/hal_dumpstate.te system/sepolicy/public/hal_fingerprint.te system/sepolicy/public/hal_gatekeeper.te system/sepolicy/public/hal_gnss.te system/sepolicy/public/hal_graphics_allocator.te system/sepolicy/public/hal_graphics_composer.te system/sepolicy/public/hal_health.te system/sepolicy/public/hal_ir.te system/sepolicy/public/hal_keymaster.te system/sepolicy/public/hal_light.te system/sepolicy/public/hal_memtrack.te system/sepolicy/public/hal_neuralnetworks.te system/sepolicy/public/hal_neverallows.te system/sepolicy/public/hal_nfc.te system/sepolicy/public/hal_oemlock.te system/sepolicy/public/hal_power.te system/sepolicy/public/hal_sensors.te system/sepolicy/public/hal_telephony.te system/sepolicy/public/hal_tetheroffload.te system/sepolicy/public/hal_thermal.te system/sepolicy/public/hal_tv_cec.te system/sepolicy/public/hal_tv_input.te system/sepolicy/public/hal_usb.te system/sepolicy/public/hal_vibrator.te system/sepolicy/public/hal_vr.te system/sepolicy/public/hal_weaver.te system/sepolicy/public/hal_wifi.te system/sepolicy/public/hal_wifi_offload.te system/sepolicy/public/hal_wifi_supplicant.te system/sepolicy/public/healthd.te system/sepolicy/public/hwservice.te system/sepolicy/public/hwservicemanager.te system/sepolicy/public/idmap.te system/sepolicy/public/incident.te system/sepolicy/public/incidentd.te system/sepolicy/public/init.te system/sepolicy/public/inputflinger.te system/sepolicy/public/install_recovery.te system/sepolicy/public/installd.te system/sepolicy/public/isolated_app.te system/sepolicy/public/kernel.te system/sepolicy/public/keystore.te system/sepolicy/public/lmkd.te system/sepolicy/public/logd.te system/sepolicy/public/logpersist.te system/sepolicy/public/mdnsd.te system/sepolicy/public/mediacodec.te system/sepolicy/public/mediadrmserver.te system/sepolicy/public/mediaextractor.te system/sepolicy/public/mediametrics.te system/sepolicy/public/mediaprovider.te system/sepolicy/public/mediaserver.te system/sepolicy/public/modprobe.te system/sepolicy/public/mtp.te system/sepolicy/public/net.te system/sepolicy/public/netd.te system/sepolicy/public/netutils_wrapper.te system/sepolicy/public/nfc.te system/sepolicy/public/otapreopt_chroot.te system/sepolicy/public/otapreopt_slot.te system/sepolicy/public/performanced.te system/sepolicy/public/perfprofd.te system/sepolicy/public/platform_app.te system/sepolicy/public/postinstall.te system/sepolicy/public/postinstall_dexopt.te system/sepolicy/public/ppp.te system/sepolicy/public/preopt2cachename.te system/sepolicy/public/priv_app.te system/sepolicy/public/profman.te system/sepolicy/public/property.te system/sepolicy/public/racoon.te system/sepolicy/public/radio.te system/sepolicy/public/recovery.te system/sepolicy/public/recovery_persist.te system/sepolicy/public/recovery_refresh.te system/sepolicy/public/rild.te system/sepolicy/public/runas.te system/sepolicy/public/sdcardd.te system/sepolicy/public/service.te system/sepolicy/public/servicemanager.te system/sepolicy/public/sgdisk.te system/sepolicy/public/shared_relro.te system/sepolicy/public/shell.te system/sepolicy/public/slideshow.te system/sepolicy/public/su.te system/sepolicy/public/surfaceflinger.te system/sepolicy/public/system_app.te system/sepolicy/public/system_server.te system/sepolicy/public/tee.te system/sepolicy/public/thermalserviced.te system/sepolicy/public/tombstoned.te system/sepolicy/public/toolbox.te system/sepolicy/public/tzdatacheck.te system/sepolicy/public/ueventd.te system/sepolicy/public/uncrypt.te system/sepolicy/public/untrusted_app.te system/sepolicy/public/untrusted_app_25.te system/sepolicy/public/untrusted_v2_app.te system/sepolicy/public/update_engine.te system/sepolicy/public/update_engine_common.te system/sepolicy/public/update_verifier.te system/sepolicy/public/vdc.te system/sepolicy/public/vendor_shell.te system/sepolicy/public/vendor_toolbox.te system/sepolicy/public/virtual_touchpad.te system/sepolicy/public/vndservice.te system/sepolicy/public/vndservicemanager.te system/sepolicy/public/vold.te system/sepolicy/public/vr_hwc.te system/sepolicy/public/watchdogd.te system/sepolicy/public/webview_zygote.te system/sepolicy/public/wificond.te system/sepolicy/public/zygote.te system/sepolicy/reqd_mask/reqd_mask.te system/sepolicy/reqd_mask/roles_decl system/sepolicy/public/roles system/sepolicy/reqd_mask/roles system/sepolicy/reqd_mask/users system/sepolicy/reqd_mask/initial_sid_contexts > out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.conf"
[ 57% 4/7] /bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -C -M -c 30 -o out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil.tmp out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.conf ) && (grep -Fxv -f out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/reqd_policy_mask.cil out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil.tmp > out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil )"
out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.conf
out/host/linux-x86/bin/checkpolicy:  policy configuration loaded
out/host/linux-x86/bin/checkpolicy:  writing CIL to out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil.tmp
[ 71% 5/7] /bin/bash -c "out/host/linux-x86/bin/version_policy -b out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil -m -n 27.0 -o out/target/product/sailfish/obj/ETC/27.0.cil_intermediates/mapping/27.0.cil"
Parsing out/target/product/sailfish/obj/FAKE/selinux_policy_intermediates/plat_pub_policy.cil
[ 85% 6/7] /bin/bash -c "prebuilts/build-tools/linux-x86/bin/acp out/target/product/sailfish/obj/ETC/27.0.cil_intermediates/mapping/27.0.cil out/target/product/sailfish/obj/ETC/27.0.cil_intermediates/27.0.cil"
[100% 7/7] /bin/bash -c "(rm -f out/target/product/sailfish/system/etc/selinux/mapping/27.0.cil ) && (cp out/target/product/sailfish/obj/ETC/27.0.cil_intermediates/27.0.cil out/target/product/sailfish/system/etc/selinux/mapping/27.0.cil )"