레이블이 Linux-SELinux인 게시물을 표시합니다. 모든 게시물 표시
레이블이 Linux-SELinux인 게시물을 표시합니다. 모든 게시물 표시

1/10/2021

SELinux (Security-Enhanced Linux) 자료조사 및 정리

1. SELinux (Security-Enhanced Linux) 이해 

SELinux는 보안강화로 문제가 있는 Application들로 부터 이를 보호하기 위해서 생겨났다고 한다. 
아래와 같이 Linux Kernel의 Security Module은 Mandatory Access Control (MAC)를 지원하며, 
한마디로 필수적인 접근권한접근을 Kernel 단에서 부터 이를 실행한다. 

https://www.ni.com/ko-kr/support/documentation/supplemental/15/selinux---addressing-access-control-security-in-labview-rio-devi.html

상위과 같이 User Process  매번 Linux Kernel에게 접근권한을 허락(Yes or No)을 받아 접근하는 방식이다. 
이는 Android에서도 쉽게 볼수 있는 구조이며, 특정 Resource or File에 접근권한 외부로부터 보호할수가 있다.  


물론 SELinux 를 사용하더라도 이기능을 ON/OFF 처럼 할수있다.
  1. Enforcing : SELinux Policy에 적용하여 접근권한제어 행사  
  2. Permissive: SELinux는 접근권한제어는 하지는 않지만, warnning/debug 표시됨 
이외 disabled 비활성화가 존재 (아예사용안함)

Enforcing의 경우 SELinux Policy를 반드시 확인 

SElinux-Addressing Access Control Security in Labview
NI(National Instrument)의 Labview에서 RIO Devices 의 SELInux 관련내용 


  • SELinux의 Policy이해 
Linux User는 SELinux ID or SELinux User로 Mapping되어 동작되어진다. 






  1. Linux User 
  2. SELinux ID or SELinux User 
  3. SELinux Role
  4. SELinux Domain or SELinux Type 

  https://en.wikipedia.org/wiki/Security-Enhanced_Linux


1.1 SELinux 기본동작방식 

DAC(Discretionary Access Control) : 일반적인 Linux의 권한 접근방식
MAC(Mandatory Access Control): SELinux 기반으로 Policy에 의한 접근방식

DAC vs MAC

  • 일반 Linux DAC 동작방식 
Process ( User: swift / Group: users(media,video)가 File (User:root / Group:root) 에 접근은 아래와 같이 한다.  



DAC(Discretionary Access Control)

  • SELinux MAC 동작방식 
SELinux를 사용할 경우 Linux Kernel에서 Policy Rules에 맞게 허락을 받고 SELinux context 가 Process에 추가되어 사용할 Target context 에 접근한다. 
하지만, Policy Rules를 보면 현재 Process는 File에 접근할 권한이 없다. 



MAC(Mandatory Access Control)



  • SELinux의 Context 분석 
  1. Target 의 Context  구조 
  2. Process 의 Security Context  구조



중요한것을 설정시 서로 양쪽의 SELinux Type 기준으로 설정하며, SELinux의 Sensitivity 도 설정가능 


  • SELinux의 Sensitivity 의 Multi-Category Security (MCS) 
Sensitivity 설정방법 
user_r:user_r:user_t:s0 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
#
#                          s0           부터     s0:c0.c5 까지 범위설정 (c는 category 약어)
#
#system_u:system_r:httpd_t:s0           -        s0:c0.c5
#                          ▼                     ▼
#                  Low security level,    High security level, also
#                  associated with no     associated with compartments
#                  compartments.          c0, c1, c2, c3, c4 and c5.

Sensitivity 확인방법 
$ semanage user -l  //SELinux User 와 Roles 확인 
SELinux User    SELinux Roles
  
root            staff_r sysadm_r
staff_u         staff_r sysadm_r
sysadm_u        sysadm_r
system_u        system_r
unconfined_u    unconfined_r
user_u          user_r

$ semanage user -l  //Sensitivity인 MCS의 Level 과 Range  c0.c1023 는 c0 부터 c1023까지   
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
  
root            sysadm     s0         s0-s0:c0.c1023                 staff_r sysadm_r
staff_u         staff      s0         s0-s0:c0.c1023                 staff_r sysadm_r
sysadm_u        sysadm     s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
unconfined_u    unconfined s0         s0-s0:c0.c1023                 unconfined_r
user_u          user       s0         s0                             user_r  



  • Type enforcement 
Process의 Context가 Target Context를 실행하기 위해서는 아래와 같은 Type enforcement 로 양쪽의 Type를 추가 하고 Class를 File하고 실행권한  추가한다.
그러면, 상위 SELinux는 실행이 가능해진다.  

      allow  type(process)  type(target) : class { }

allow user_t lib_t : file { execute };

1.2  SELinux 의 class 와 permission확인 

class는 일반 file 부터 다양한 종류의 device file 비롯하여 socket 부터 다양하게 class를 분리를 해놓았으며, 이 권한을 주는 것이므로
아래와 같이 접근할 경우 class 와 permission을 반드시 확인하자. 

  • General SELinux 
$ ls /sys/fs/selinux/class   //상위에서 정의한 class file 확인 (Linux)
appletalk_socket  db_procedure  file            netlink_audit_socket           node           socket              x_cursor     x_screen
association       db_schema     filesystem      netlink_dnrt_socket            nscd           sock_file           x_device     x_selection
blk_file          db_sequence   ipc             netlink_firewall_socket        packet         system              x_drawable   x_server
capability        db_table      kernel_service  netlink_ip6fw_socket           packet_socket  tcp_socket          x_event      x_synthetic_event
capability2       db_tuple      key             netlink_kobject_uevent_socket  passwd         tun_socket          x_extension
chr_file          dbus          key_socket      netlink_nflog_socket           peer           udp_socket          x_font
context           db_view       lnk_file        netlink_route_socket           process        unix_dgram_socket   x_gc
db_blob           dccp_socket   memprotect      netlink_selinux_socket         rawip_socket   unix_stream_socket  x_keyboard
db_column         dir           msg             netlink_socket                 security       x_application_data  x_pointer
db_database       fd            msgq            netlink_tcpdiag_socket         sem            x_client            x_property
db_language       fifo_file     netif           netlink_xfrm_socket            shm            x_colormap          x_resource

$ ls /sys/fs/selinux/class/file/perms/    //class file permission 기능 확인 
append      execmod           getattr  lock     quotaon      relabelto  swapon
create      execute           ioctl    mounton  read         rename     unlink
entrypoint  execute_no_trans  link     open     relabelfrom  setattr    write

  • Android SELinux
$ ls /sys/fs/selinux/class  //상위에서 정의한 class file 확인 (Android)
alg_socket         isdn_socket                   packet
appletalk_socket   iucv_socket                   packet_socket
association        kcm_socket                    peer
atmpvc_socket      kernel_service                phonet_socket
atmsvc_socket      key                           pppox_socket
ax25_socket        key_socket                    process
binder             keystore_key                  process2
blk_file           llc_socket                    property_service
bluetooth_socket   lnk_file                      qipcrtr_socket
bpf                memprotect                    rawip_socket
caif_socket        msg                           rds_socket
can_socket         msgq                          rose_socket
cap2_userns        netif                         rxrpc_socket
cap_userns         netlink_audit_socket          sctp_socket
capability         netlink_connector_socket      security
capability2        netlink_crypto_socket         sem
chr_file           netlink_dnrt_socket           service_manager
dccp_socket        netlink_fib_lookup_socket     shm
decnet_socket      netlink_generic_socket        smc_socket
dir                netlink_iscsi_socket          sock_file
drmservice         netlink_kobject_uevent_socket socket
fd                 netlink_netfilter_socket      system
fifo_file          netlink_nflog_socket          tcp_socket
file               netlink_rdma_socket           tipc_socket
filesystem         netlink_route_socket          tun_socket
hwservice_manager  netlink_scsitransport_socket  udp_socket
icmp_socket        netlink_selinux_socket        unix_dgram_socket
ieee802154_socket  netlink_socket                unix_stream_socket
infiniband_endport netlink_tcpdiag_socket        vsock_socket
infiniband_pkey    netlink_xfrm_socket           x25_socket
ipc                netrom_socket                 xdp_socket
ipx_socket         nfc_socket
irda_socket        node
db_language       fifo_file     netif           netlink_xfrm_socket            shm            x_colormap          x_resource

$ ls /sys/fs/selinux/class/file/perms/       //class file permission 기능 확인 
append       execute_no_trans mounton     rename      watch_sb
audit_access getattr          open        setattr     watch_with_perm
create       ioctl            quotaon     unlink      write
entrypoint   link             read        watch
execmod      lock             relabelfrom watch_mount
execute      map              relabelto   watch_reads


2. SELinux 의 Access Control 방법 

위에서 SELinux MAC 동작 방식을 봤지만 SELinux에서 Acess Control 하는 방법 아래로 구분되는 것 같다. 

  1. Type Enforcement (TE) : 가장 처음적용되는 기능 
  2. Role-Based Access Control (RBAC): 기본으로 사용하지 않는다고 함
  3. Multi-Level Security (MLS) : 상위에서 Sensitivity 에서 설정
  4. Multi-Category Security(MCS): MLS의 확장으로 



2.1 SELinux 에러 Message 분석 


avc:  denied  { read write } for  pid=1876 comm="syslogd" name="xconsole" dev=tmpfs ino=5510 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file permissive=1 
상위 에러는 SELinux Policy에 따라 read , write 접근이 되지 않았아 발생한 에러 
  1. scontext: process의 context
  2. tcontext: target의 context
  3. tclass: target class
  4. permissive: 1은 permissive 상태이므로 접근은 가능하지만 warning/debug 발생 




SElinux 부분 별도정리 필요 
Android App에서 권한문제로 인하여 이 관련부분을 알아보게됨 







Android SELinux 관련부분 수정방법 
*.te 생성방법 
  1. system/sepolicy/public
  2. system/sepolicy/private
  3. system/sepolicy/vendor
  4. device/manufacturer/device-name/sepolicy

  1. genfs_contexts
  2. file_contexts
  3. *.te


  • SELinux 빌드 
system/sepolicy/Android.mk

 //sepolicy 문제 , 
https://kodejava.org/how-do-i-use-datainputstream-and-dataoutputstream/
https://jung-max.github.io/2019/09/02/Android-NDK%EB%A5%BC-%EC%82%AC%EC%9A%A9%ED%95%B4%EC%84%9C-kernel%EB%93%9C%EB%9D%BC%EC%9D%B4%EB%B2%84-%EC%82%AC%EC%9A%A9%ED%95%98%EA%B8%B0/

[  368.428751] type=1400 audit(1610446043.380:38): avc: denied { write } for comm="sh" name="duty_cycle" dev="sysfs" ino=37608 scontext=u:r:untrusted_app:s0:c101,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 app=com.example.testjeonghun
[  368.452747] type=1400 audit(1610446056.140:39): avc: denied { write } for comm="sh" name="duty_cycle" dev="sysfs" ino=37592 scontext=u:r:untrusted_app:s0:c101,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 app=com.example.testjeonghun
[  368.476177] type=1400 audit(1610446056.140:39): avc: denied { write } for comm="sh" name="duty_cycle" dev="sysfs" ino=37592 scontext=u:r:untrusted_app:s0:c101,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 app=com.example.testjeonghun
[  368.500078] type=1400 audit(1610446056.140:40): avc: denied { write } for comm="sh" name="duty_cycle" dev="sysfs" ino=37608 scontext=u:r:untrusted_app:s0:c101,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 app=com.example.testjeonghun


I/om.example.beep: type=1400 audit(0.0:56): avc: denied { write } for name="duty_cycle" dev="sysfs" ino=37592 scontext=u:r:untrusted_app:s0:c99,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.example.beep
I/om.example.beep: type=1400 audit(0.0:57): avc: denied { open } for path="/sys/devices/platform/bus@5d000000/5d010000.pwm/pwm/pwmchip0/pwm0/duty_cycle" dev="sysfs" ino=37592 scontext=u:r:untrusted_app:s0:c99,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.example.beep


//분석 
https://source.android.com/security/selinux/validate

//JNI
https://www.programmersought.com/article/5477408309/
https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaNativeInterface.html#zz-2.1


https://android.googlesource.com/platform/external/sepolicy/+/57531cacb40682be4b1189c721fd1e7f25bf3786/untrusted_app.te

//sys filesystem 권한 
$ vi ./system/sepolicy/public/file.te
$ vi ./device/fsl/imx8q/mek_8q/sepolicy/file_contexts

$ find . -name untrusted_app*.te
./device/fsl/imx6sl/sepolicy/untrusted_app_25.te
./device/fsl/imx7d/sepolicy/untrusted_app_25.te
./device/fsl/imx6sx/sepolicy/untrusted_app_25.te
./device/fsl/imx6dq/sepolicy/untrusted_app_25.te
./device/fsl/imx7ulp/sepolicy/untrusted_app_25.te
./device/fsl/imx8m/sepolicy/untrusted_app_25.te
./device/fsl/imx8q/sepolicy/untrusted_app_25.te
./device/google/wahoo/sepolicy/private/untrusted_app_all.te
./device/linaro/poplar/sepolicy/untrusted_app_25.te
./device/linaro/poplar/sepolicy/untrusted_app.te
./device/linaro/poplar/sepolicy/untrusted_app_27.te
./system/sepolicy/private/untrusted_app_25.te
./system/sepolicy/private/untrusted_app.te
./system/sepolicy/private/untrusted_app_27.te
./system/sepolicy/private/untrusted_app_all.te
./system/sepolicy/public/untrusted_app.te
./system/sepolicy/prebuilts/api/28.0/private/untrusted_app_25.te
./system/sepolicy/prebuilts/api/28.0/private/untrusted_app.te
./system/sepolicy/prebuilts/api/28.0/private/untrusted_app_27.te
./system/sepolicy/prebuilts/api/28.0/private/untrusted_app_all.te
./system/sepolicy/prebuilts/api/28.0/public/untrusted_app.te
./system/sepolicy/prebuilts/api/26.0/private/untrusted_app_25.te
./system/sepolicy/prebuilts/api/26.0/private/untrusted_app.te
./system/sepolicy/prebuilts/api/26.0/private/untrusted_app_all.te
./system/sepolicy/prebuilts/api/26.0/public/untrusted_app_25.te
./system/sepolicy/prebuilts/api/26.0/public/untrusted_app.te
./system/sepolicy/prebuilts/api/27.0/private/untrusted_app_25.te
./system/sepolicy/prebuilts/api/27.0/private/untrusted_app.te
./system/sepolicy/prebuilts/api/27.0/private/untrusted_app_all.te
./system/sepolicy/prebuilts/api/27.0/public/untrusted_app_25.te
./system/sepolicy/prebuilts/api/27.0/public/untrusted_app.te
./system/sepolicy/prebuilts/api/29.0/private/untrusted_app_25.te
./system/sepolicy/prebuilts/api/29.0/private/untrusted_app.te
./system/sepolicy/prebuilts/api/29.0/private/untrusted_app_27.te
./system/sepolicy/prebuilts/api/29.0/private/untrusted_app_all.te
./system/sepolicy/prebuilts/api/29.0/public/untrusted_app.te

//일반적인 Android 앱 
https://source.android.com/security/selinux/concepts
http://shincdevnote.blogspot.com/2017/04/se-for-android.html

//이것을 고치면 문제 발생 (app_neverallows.te 같이 수정해야함)
$ vi system/sepolicy/prebuilts/api/29.0/public/untrusted_app.te
$ vi ./system/sepolicy/public/untrusted_app.te
type untrusted_app, domain;
type untrusted_app_27, domain;
type untrusted_app_25, domain;

# 상위 untrusted_app domain이 선언되었음 
# sysfs 허용 sysfs domain 허용 이 부분은 file_contexts 에 각 도메인 선언 
allow untrusted_app sysfs:file rw_file_perms;


$ cat ./system/sepolicy/private/untrusted_app.te
typeattribute untrusted_app coredomain;

app_domain(untrusted_app)
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)


$ cat ./device/fsl/imx8q/mek_8q/sepolicy/genfs_contexts
genfscon nfs / u:object_r:rootfs:s0
genfscon fuseblk / u:object_r:vfat:s0
genfscon sysfs /class/typec                                             u:object_r:sysfs_usb_c:s0
genfscon sysfs /devices/virtual/power_supply/usb                  u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/virtual/power_supply/battery              u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/rtc/rtc/rtc0/hctosys             u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/scu/scu:rtc/rtc/rtc0/hctosys     u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/sound/extcon                     u:object_r:sysfs_extcon:s0
genfscon sysfs /devices/platform/sound-wm8960/extcon              u:object_r:sysfs_extcon:s0
genfscon sysfs /devices/platform/bus@56260000/56268000.hdmi/extcon      u:object_r:sysfs_extcon:s0
genfscon debugfs /dma_buf u:object_r:debugfs_dma:s0
genfscon debugfs /sync/sw_sync u:object_r:debugfs_sw_sync:s0
genfscon sysfs /devices/soc0   u:object_r:sysfs_soc:s0

#mek_8q ethernet
genfscon sysfs /devices/platform/bus@5b000000/5b040000.ethernet/net  u:object_r:sysfs_net:s0
#mek_8qm wifi
genfscon sysfs /devices/platform/bus@5f000000/5f000000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net u:object_r:sysfs_net:s0
#mek_8qxp wifi
genfscon sysfs /devices/platform/bus@5f000000/5f010000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net u:object_r:sysfs_net:s0
genfscon binder /binder u:object_r:binder_device:s0
genfscon binder /hwbinder u:object_r:hwbinder_device:s0
genfscon binder /vndbinder u:object_r:vndbinder_device:s0
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
genfscon binder / u:object_r:binderfs:s0

$ ls ./device/fsl/imx8q/sepolicy/
adbd.te                           hal_composer.te                   init-insmod-sh.te                 recovery.te
audioserver.te                    hal_drm_clearkey.te               init.te                           sensors.te
bluetooth.te                      hal_drm_default.te                installd.te                       shell.te
bootanim.te                       hal_drm_widevine.te               install_recovery.te               surfaceflinger.te
bootstat.te                       hal_dumpstate_impl.te             kernel.te                         system_app.te
cameraserver.te                   hal_graphics_composer_default.te  logd.te                           system_server.te
device.te                         hal_health_default.te             mediacodec.te                     tee.te
dnsmasq.te                        hal_light_default.te              mediaextractor.te                 toolbox.te
domain.te                         hal_neuralnetworks_imx.te         mediaprovider.te                  untrusted_app_25.te
dumpstate.te                      hal_oemlock.te                    mediaserver.te                    update_engine_common.te
ephemeral_app.te                  hal_power_default.te              mediaswcodec.te                   update_engine.te
fastbootd.te                      hal_sensors_default.te            modprobe.te                       vendor_init.te
file_contexts                     hal_thermal_default.te            netd.te                           vndservicemanager.te
file.te                           hal_usb_default.te                platform_app.te                   vold_prepare_subdirs.te
genfs_contexts                    hal_usb_impl.te                   priv_app.te                       vold.te
hal_bluetooth_default.te          hal_wifi_default.te               proc_net.te                       webview_zygote.te
hal_bootctl_default.te            hal_wifi_supplicant_default.te    profman.te                        wificond.te
hal_camera_default.te             healthd.te                        property_contexts                 zygote.te
hal_cas_default.te                hwservice_contexts                property.te

$ ls ./device/fsl/imx8q/mek_8q/sepolicy
file_contexts  genfs_contexts

https://source.android.com/security/selinux/device-policy
https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#139

$ cat ./device/fsl/imx8q/mek_8q/sepolicy/file_contexts
/dev/mxc_asrc                   u:object_r:audio_device:s0
/dev/mxc_hdmi                   u:object_r:video_device:s0
/dev/mxc_hantro                 u:object_r:video_device:s0
/dev/mxc_hantro_h1              u:object_r:video_device:s0
/dev/mxc_vpu_malone             u:object_r:video_device:s0
/dev/mxc_hifi4                  u:object_r:audio_device:s0
/dev/galcore                    u:object_r:gpu_device:s0
/dev/imxdpu                     u:object_r:gpu_device:s0
/dev/caam_kb                    u:object_r:caam_device:s0
/dev/dri                        u:object_r:gpu_device:s0
/dev/dri/card0                  u:object_r:graphics_device:s0
/dev/dri/card1                  u:object_r:graphics_device:s0
/dev/dri/card2                  u:object_r:graphics_device:s0
/dev/dri/controlD64             u:object_r:graphics_device:s0
/dev/dri/controlD65             u:object_r:graphics_device:s0
/dev/dri/renderD128             u:object_r:gpu_device:s0
/dev/dri/renderD129             u:object_r:gpu_device:s0
/vendor/bin/hw/android\.hardware\.usb@1\.1-service.imx             u:object_r:hal_usb_impl_exec:s0
/dev/diag                       u:object_r:diag_device:s0
/vendor/app(/.*)?               u:object_r:same_process_hal_file:s0
/data/vendor/ss(/.*)?           u:object_r:tee_data_file:s0
/data/vendor/.opencl-cache(/.*)?       u:object_r:opencl_cache_file:s0

###############################################
# same-process HAL files and their dependencies
#
/vendor/lib(64)?/hw/gralloc\.imx\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libfsldisplay\.so          u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/nxp.hardware.display@1.0\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libedid\.so                u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrm_android\.so         u:object_r:same_process_hal_file:s0

/vendor/lib(64)?/libGLSLC\.so               u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libVSC\.so                 u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGAL\.so                 u:object_r:same_process_hal_file:s0

/vendor/lib(64)?/hw/vulkan\.imx\.so        u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/gralloc_viv\.imx\.so   u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrm_vivante\.so         u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libvulkan_VIVANTE\.so      u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libSPIRV_viv\.so           u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libCLC\.so                 u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libLLVM_viv\.so            u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libOpenCL\.so              u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libopencl-2d\.so           u:object_r:same_process_hal_file:s0

#early_init_sh service
/vendor/bin/init\.insmod\.sh                u:object_r:init-insmod-sh_exec:s0
/vendor/etc/early\.init\.cfg                u:object_r:init-insmod-sh_exec:s0
/vendor/etc/setup\.core\.cfg                u:object_r:init-insmod-sh_exec:s0
/vendor/etc/setup\.main\.cfg                u:object_r:init-insmod-sh_exec:s0

/vendor/lib(64)?/lib_aac_parser_arm11_elinux\.3\.0\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_amr_parser_arm11_elinux\.3\.0\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_asf_parser_arm11_elinux\.3\.0\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_avi_parser_arm11_elinux\.3\.0\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_dsf_parser_arm11_elinux\.3\.0\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_flac_parser_arm11_elinux\.3\.0\.so      u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_flv_parser_arm11_elinux\.3\.0\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_mkv_parser_arm11_elinux\.3\.0\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_mp3_parser_arm11_elinux\.3\.0\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_mp3_parser_v2_arm11_elinux\.so          u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_mp4_parser_arm11_elinux\.3\.0\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_mpg2_parser_arm11_elinux\.3\.0\.so      u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_ogg_parser_arm11_elinux\.3\.0\.so       u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_rm_parser_arm11_elinux\.3\.0\.so        u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/extractors/libimxextractor\.so              u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service.trusty      u:object_r:hal_keymaster_default_exec:s0

# trusty ipc target
/dev/trusty-ipc-dev0        u:object_r:tee_device:s0

/vendor/bin/hw/android\.hardware\.health@2\.0-service.imx          u:object_r:hal_health_default_exec:s0

/vendor/bin/hw/android\.hardware\.power@1\.3-service\.imx  u:object_r:hal_power_default_exec:s0
# mmc rpmb
/dev/mmcblk0rpmb      u:object_r:mmc_rpmb_char_device:s0

# secure os storage
/vendor/bin/storageproxyd   u:object_r:tee_exec:s0

/vendor/bin/hw/android\.hardware\.drm@1\.2-service\.widevine u:object_r:hal_drm_widevine_exec:s0
/vendor/bin/hw/android\.hardware\.drm@1\.1-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
/vendor/bin/hw/android\.hardware\.drm@1\.2-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
/vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service\.imx      u:object_r:hal_dumpstate_impl_exec:s0
/dev/cpu_dma_latency u:object_r:latency_device:s0
/vendor/bin/hw/android\.hardware\.oemlock@1\.0-service\.imx      u:object_r:hal_oemlock_impl_exec:s0
/vendor/bin/hw/android\.hardware\.boot@1\.0-service\.imx      u:object_r:hal_bootctl_default_exec:s0


 http://shincdevnote.blogspot.com/2017/04/se-for-android.html
https://android.googlesource.com/platform/system/sepolicy/+/nougat-dr1-release/file_contexts
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/sec-sel-building-policy-module
https://community.nxp.com/t5/i-MX-Processors/How-to-access-serial-port-from-Android-MM-application/m-p/600424
https://wenchiching.wordpress.com/2016/12/05/how-to-change-process-domain-from-untrusted_app-to-system_app/
https://jung-max.github.io/2019/09/16/Android-SEAndroid%EC%A0%81%EC%9A%A9/

$ vi ./device/fsl/imx8q/sepolicy/system_app.te
...
allow system_app sysfs:file { open read write };


$ vi ./device/fsl/imx8q/mek_8q/sepolicy/file_contexts  // /dev 이면 이곳에 추가 
....
# pwm0
/sys/devices/platform/bus@5d000000/5d010000.pwm/pwm/pwmchip0/pwm0/duty_cycle            u:object_r:pwm0_device:s0

$ vi ./device/fsl/imx8q/mek_8q/sepolicy/genfs_contexts //
...
# pwm0
genfscon sysfs /devices/platform/bus@5d000000/5d010000.pwm/pwm/pwmchip0/pwm0/duty_cycle u:object_r:sysfs_pwm0_device:s0

새 정책파일 
https://source.android.com/security/selinux/implement


$ vi ./device/fsl/imx8q/sepolicy/device.te
type sysfs_pwm0_device, sysfs_type, fs_type;

$ vi ./device/fsl/imx8q/sepolicy/pwm.te
type sysfs_pwm0_device, sysfs_type, fs_type;

allow untrusted_app sysfs_pwm0_device:dir r_dir_perms;
allow untrusted_app sysfs_pwm0_device:file rw_file_perms;
allow untrusted_app sysfs_pwm0_device:file { read write open };



****************** app.te 와 주의 
$ vi system/sepolicy/private/app_neverallows.te  //상위를 고쳐도 app이 지켜야할 부분이므로 여기서 에러 발생 
$ vi system/sepolicy/prebuilts/api/29.0/private/app_neverallows.te
주석처리 
# Do not allow any write access to files in /sys
#neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };

# Apps may never access the default sysfs label.
#neverallow all_untrusted_apps sysfs:file no_rw_file_perms;

$ vi ./device/fsl/imx8q/sepolicy/file_contexts
$ vi ./device/fsl/imx8q/mek_8q/sepolicy/file_contexts
# pwm0
/sys/devices/platform/bus@5d000000/5d010000.pwm/pwm/pwmchip0/pwm0/duty_cycle            u:object_r:sysfs_pwm0_device:s0
/sys/devices/platform/bus@5d000000/5d020000.pwm/pwm/pwmchip1/pwm0/duty_cycle            u:object_r:sysfs_pwm1_device:s0

$ vi ./device/fsl/imx8q/sepolicy/pwm.te
type sysfs_pwm0_device, sysfs_type, fs_type;

allow untrusted_app sysfs_pwm0_device:dir r_dir_perms;
allow untrusted_app sysfs_pwm0_device:file rw_file_perms;
allow untrusted_app sysfs_pwm0_device:file { read write open };


BOARD_SEPOLICY_DIRS  확인

system_app 



이 설정 때문인지 shell에서 su 명령어가 되어 root 권한으로 실행가능하지만, vi가 없음
그래서 현재 adb shell로 연결할 방법모색
cat 으로 수정하려고 함 


보안  (dm-verity)

remount 후 소스 수정후 recovery 모드로 동작