1. SELinux (Security-Enhanced Linux) 이해
SELinux는 보안강화로 문제가 있는 Application들로 부터 이를 보호하기 위해서 생겨났다고 한다.
아래와 같이 Linux Kernel의 Security Module은 Mandatory Access Control (MAC)를 지원하며,
한마디로 필수적인 접근권한접근을 Kernel 단에서 부터 이를 실행한다.
https://www.ni.com/ko-kr/support/documentation/supplemental/15/selinux---addressing-access-control-security-in-labview-rio-devi.html |
상위과 같이 User Process 매번 Linux Kernel에게 접근권한을 허락(Yes or No)을 받아 접근하는 방식이다.
이는 Android에서도 쉽게 볼수 있는 구조이며, 특정 Resource or File에 접근권한 외부로부터 보호할수가 있다.
- Enforcing : SELinux Policy에 적용하여 접근권한제어 행사
- Permissive: SELinux는 접근권한제어는 하지는 않지만, warnning/debug 표시됨
이외 disabled 비활성화가 존재 (아예사용안함)
Enforcing의 경우 SELinux Policy를 반드시 확인
SElinux-Addressing Access Control Security in Labview
NI(National Instrument)의 Labview에서 RIO Devices 의 SELInux 관련내용
- SELinux의 Policy이해
Linux User는 SELinux ID or SELinux User로 Mapping되어 동작되어진다.
- Linux User
- SELinux ID or SELinux User
- SELinux Role
- SELinux Domain or SELinux Type
https://en.wikipedia.org/wiki/Security-Enhanced_Linux
1.1 SELinux 기본동작방식
DAC(Discretionary Access Control) : 일반적인 Linux의 권한 접근방식
MAC(Mandatory Access Control): SELinux 기반으로 Policy에 의한 접근방식
DAC vs MAC
- 일반 Linux DAC 동작방식
Process ( User: swift / Group: users(media,video)가 File (User:root / Group:root) 에 접근은 아래와 같이 한다.
DAC(Discretionary Access Control)
- SELinux MAC 동작방식
SELinux를 사용할 경우 Linux Kernel에서 Policy Rules에 맞게 허락을 받고 SELinux context 가 Process에 추가되어 사용할 Target context 에 접근한다.
하지만, Policy Rules를 보면 현재 Process는 File에 접근할 권한이 없다.
- SELinux의 Context 분석
- Target 의 Context 구조
- Process 의 Security Context 구조
중요한것을 설정시 서로 양쪽의 SELinux Type 기준으로 설정하며, SELinux의 Sensitivity 도 설정가능
- SELinux의 Sensitivity 의 Multi-Category Security (MCS)
Sensitivity 설정방법
user_r:user_r:user_t:s0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 # # s0 부터 s0:c0.c5 까지 범위설정 (c는 category 약어) # #system_u:system_r:httpd_t:s0 - s0:c0.c5 # ▼ ▼ # Low security level, High security level, also # associated with no associated with compartments # compartments. c0, c1, c2, c3, c4 and c5.
Sensitivity 확인방법
$ semanage user -l //SELinux User 와 Roles 확인 SELinux User SELinux Roles root staff_r sysadm_r staff_u staff_r sysadm_r sysadm_u sysadm_r system_u system_r unconfined_u unconfined_r user_u user_r $ semanage user -l //Sensitivity인 MCS의 Level 과 Range c0.c1023 는 c0 부터 c1023까지 Labeling MLS/ MLS/ SELinux User Prefix MCS Level MCS Range SELinux Roles root sysadm s0 s0-s0:c0.c1023 staff_r sysadm_r staff_u staff s0 s0-s0:c0.c1023 staff_r sysadm_r sysadm_u sysadm s0 s0-s0:c0.c1023 sysadm_r system_u user s0 s0-s0:c0.c1023 system_r unconfined_u unconfined s0 s0-s0:c0.c1023 unconfined_r user_u user s0 s0 user_r
- Type enforcement
Process의 Context가 Target Context를 실행하기 위해서는 아래와 같은 Type enforcement 로 양쪽의 Type를 추가 하고 Class를 File하고 실행권한 추가한다.
그러면, 상위 SELinux는 실행이 가능해진다.
allow type(process) type(target) : class { }
allow user_t lib_t : file { execute };
1.2 SELinux 의 class 와 permission확인
class는 일반 file 부터 다양한 종류의 device file 비롯하여 socket 부터 다양하게 class를 분리를 해놓았으며, 이 권한을 주는 것이므로
아래와 같이 접근할 경우 class 와 permission을 반드시 확인하자.
- General SELinux
$ ls /sys/fs/selinux/class //상위에서 정의한 class file 확인 (Linux) appletalk_socket db_procedure file netlink_audit_socket node socket x_cursor x_screen association db_schema filesystem netlink_dnrt_socket nscd sock_file x_device x_selection blk_file db_sequence ipc netlink_firewall_socket packet system x_drawable x_server capability db_table kernel_service netlink_ip6fw_socket packet_socket tcp_socket x_event x_synthetic_event capability2 db_tuple key netlink_kobject_uevent_socket passwd tun_socket x_extension chr_file dbus key_socket netlink_nflog_socket peer udp_socket x_font context db_view lnk_file netlink_route_socket process unix_dgram_socket x_gc db_blob dccp_socket memprotect netlink_selinux_socket rawip_socket unix_stream_socket x_keyboard db_column dir msg netlink_socket security x_application_data x_pointer db_database fd msgq netlink_tcpdiag_socket sem x_client x_property db_language fifo_file netif netlink_xfrm_socket shm x_colormap x_resource $ ls /sys/fs/selinux/class/file/perms/ //class file permission 기능 확인 append execmod getattr lock quotaon relabelto swapon create execute ioctl mounton read rename unlink entrypoint execute_no_trans link open relabelfrom setattr write
- Android SELinux
$ ls /sys/fs/selinux/class //상위에서 정의한 class file 확인 (Android) alg_socket isdn_socket packet appletalk_socket iucv_socket packet_socket association kcm_socket peer atmpvc_socket kernel_service phonet_socket atmsvc_socket key pppox_socket ax25_socket key_socket process binder keystore_key process2 blk_file llc_socket property_service bluetooth_socket lnk_file qipcrtr_socket bpf memprotect rawip_socket caif_socket msg rds_socket can_socket msgq rose_socket cap2_userns netif rxrpc_socket cap_userns netlink_audit_socket sctp_socket capability netlink_connector_socket security capability2 netlink_crypto_socket sem chr_file netlink_dnrt_socket service_manager dccp_socket netlink_fib_lookup_socket shm decnet_socket netlink_generic_socket smc_socket dir netlink_iscsi_socket sock_file drmservice netlink_kobject_uevent_socket socket fd netlink_netfilter_socket system fifo_file netlink_nflog_socket tcp_socket file netlink_rdma_socket tipc_socket filesystem netlink_route_socket tun_socket hwservice_manager netlink_scsitransport_socket udp_socket icmp_socket netlink_selinux_socket unix_dgram_socket ieee802154_socket netlink_socket unix_stream_socket infiniband_endport netlink_tcpdiag_socket vsock_socket infiniband_pkey netlink_xfrm_socket x25_socket ipc netrom_socket xdp_socket ipx_socket nfc_socket irda_socket node db_language fifo_file netif netlink_xfrm_socket shm x_colormap x_resource $ ls /sys/fs/selinux/class/file/perms/ //class file permission 기능 확인 append execute_no_trans mounton rename watch_sb audit_access getattr open setattr watch_with_perm create ioctl quotaon unlink write entrypoint link read watch execmod lock relabelfrom watch_mount execute map relabelto watch_reads
2. SELinux 의 Access Control 방법
위에서 SELinux MAC 동작 방식을 봤지만 SELinux에서 Acess Control 하는 방법 아래로 구분되는 것 같다.
- Type Enforcement (TE) : 가장 처음적용되는 기능
- Role-Based Access Control (RBAC): 기본으로 사용하지 않는다고 함
- Multi-Level Security (MLS) : 상위에서 Sensitivity 에서 설정
- Multi-Category Security(MCS): MLS의 확장으로
2.1 SELinux 에러 Message 분석
avc: denied { read write } for pid=1876 comm="syslogd" name="xconsole" dev=tmpfs ino=5510 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file permissive=1
상위 에러는 SELinux Policy에 따라 read , write 접근이 되지 않았아 발생한 에러
- scontext: process의 context
- tcontext: target의 context
- tclass: target class
- permissive: 1은 permissive 상태이므로 접근은 가능하지만 warning/debug 발생
상위자료출처
SElinux 부분 별도정리 필요
Android App에서 권한문제로 인하여 이 관련부분을 알아보게됨
Android SELinux 관련부분 수정방법
*.te 생성방법
- system/sepolicy/public
- system/sepolicy/private
- system/sepolicy/vendor
- device/manufacturer/device-name/sepolicy
- genfs_contexts
- file_contexts
- *.te
- SELinux 빌드
system/sepolicy/Android.mk
//sepolicy 문제 , https://kodejava.org/how-do-i-use-datainputstream-and-dataoutputstream/ https://jung-max.github.io/2019/09/02/Android-NDK%EB%A5%BC-%EC%82%AC%EC%9A%A9%ED%95%B4%EC%84%9C-kernel%EB%93%9C%EB%9D%BC%EC%9D%B4%EB%B2%84-%EC%82%AC%EC%9A%A9%ED%95%98%EA%B8%B0/ [ 368.428751] type=1400 audit(1610446043.380:38): avc: denied { write } for comm="sh" name="duty_cycle" dev="sysfs" ino=37608 scontext=u:r:untrusted_app:s0:c101,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 app=com.example.testjeonghun [ 368.452747] type=1400 audit(1610446056.140:39): avc: denied { write } for comm="sh" name="duty_cycle" dev="sysfs" ino=37592 scontext=u:r:untrusted_app:s0:c101,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 app=com.example.testjeonghun [ 368.476177] type=1400 audit(1610446056.140:39): avc: denied { write } for comm="sh" name="duty_cycle" dev="sysfs" ino=37592 scontext=u:r:untrusted_app:s0:c101,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 app=com.example.testjeonghun [ 368.500078] type=1400 audit(1610446056.140:40): avc: denied { write } for comm="sh" name="duty_cycle" dev="sysfs" ino=37608 scontext=u:r:untrusted_app:s0:c101,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 app=com.example.testjeonghun I/om.example.beep: type=1400 audit(0.0:56): avc: denied { write } for name="duty_cycle" dev="sysfs" ino=37592 scontext=u:r:untrusted_app:s0:c99,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.example.beep I/om.example.beep: type=1400 audit(0.0:57): avc: denied { open } for path="/sys/devices/platform/bus@5d000000/5d010000.pwm/pwm/pwmchip0/pwm0/duty_cycle" dev="sysfs" ino=37592 scontext=u:r:untrusted_app:s0:c99,c256,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.example.beep //분석 https://source.android.com/security/selinux/validate //JNI https://www.programmersought.com/article/5477408309/ https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaNativeInterface.html#zz-2.1 https://android.googlesource.com/platform/external/sepolicy/+/57531cacb40682be4b1189c721fd1e7f25bf3786/untrusted_app.te //sys filesystem 권한 $ vi ./system/sepolicy/public/file.te $ vi ./device/fsl/imx8q/mek_8q/sepolicy/file_contexts $ find . -name untrusted_app*.te ./device/fsl/imx6sl/sepolicy/untrusted_app_25.te ./device/fsl/imx7d/sepolicy/untrusted_app_25.te ./device/fsl/imx6sx/sepolicy/untrusted_app_25.te ./device/fsl/imx6dq/sepolicy/untrusted_app_25.te ./device/fsl/imx7ulp/sepolicy/untrusted_app_25.te ./device/fsl/imx8m/sepolicy/untrusted_app_25.te ./device/fsl/imx8q/sepolicy/untrusted_app_25.te ./device/google/wahoo/sepolicy/private/untrusted_app_all.te ./device/linaro/poplar/sepolicy/untrusted_app_25.te ./device/linaro/poplar/sepolicy/untrusted_app.te ./device/linaro/poplar/sepolicy/untrusted_app_27.te ./system/sepolicy/private/untrusted_app_25.te ./system/sepolicy/private/untrusted_app.te ./system/sepolicy/private/untrusted_app_27.te ./system/sepolicy/private/untrusted_app_all.te ./system/sepolicy/public/untrusted_app.te ./system/sepolicy/prebuilts/api/28.0/private/untrusted_app_25.te ./system/sepolicy/prebuilts/api/28.0/private/untrusted_app.te ./system/sepolicy/prebuilts/api/28.0/private/untrusted_app_27.te ./system/sepolicy/prebuilts/api/28.0/private/untrusted_app_all.te ./system/sepolicy/prebuilts/api/28.0/public/untrusted_app.te ./system/sepolicy/prebuilts/api/26.0/private/untrusted_app_25.te ./system/sepolicy/prebuilts/api/26.0/private/untrusted_app.te ./system/sepolicy/prebuilts/api/26.0/private/untrusted_app_all.te ./system/sepolicy/prebuilts/api/26.0/public/untrusted_app_25.te ./system/sepolicy/prebuilts/api/26.0/public/untrusted_app.te ./system/sepolicy/prebuilts/api/27.0/private/untrusted_app_25.te ./system/sepolicy/prebuilts/api/27.0/private/untrusted_app.te ./system/sepolicy/prebuilts/api/27.0/private/untrusted_app_all.te ./system/sepolicy/prebuilts/api/27.0/public/untrusted_app_25.te ./system/sepolicy/prebuilts/api/27.0/public/untrusted_app.te ./system/sepolicy/prebuilts/api/29.0/private/untrusted_app_25.te ./system/sepolicy/prebuilts/api/29.0/private/untrusted_app.te ./system/sepolicy/prebuilts/api/29.0/private/untrusted_app_27.te ./system/sepolicy/prebuilts/api/29.0/private/untrusted_app_all.te ./system/sepolicy/prebuilts/api/29.0/public/untrusted_app.te //일반적인 Android 앱 https://source.android.com/security/selinux/concepts http://shincdevnote.blogspot.com/2017/04/se-for-android.html //이것을 고치면 문제 발생 (app_neverallows.te 같이 수정해야함) $ vi system/sepolicy/prebuilts/api/29.0/public/untrusted_app.te $ vi ./system/sepolicy/public/untrusted_app.te type untrusted_app, domain; type untrusted_app_27, domain; type untrusted_app_25, domain; # 상위 untrusted_app domain이 선언되었음 # sysfs 허용 sysfs domain 허용 이 부분은 file_contexts 에 각 도메인 선언 allow untrusted_app sysfs:file rw_file_perms; $ cat ./system/sepolicy/private/untrusted_app.te typeattribute untrusted_app coredomain; app_domain(untrusted_app) untrusted_app_domain(untrusted_app) net_domain(untrusted_app) bluetooth_domain(untrusted_app) $ cat ./device/fsl/imx8q/mek_8q/sepolicy/genfs_contexts genfscon nfs / u:object_r:rootfs:s0 genfscon fuseblk / u:object_r:vfat:s0 genfscon sysfs /class/typec u:object_r:sysfs_usb_c:s0 genfscon sysfs /devices/virtual/power_supply/usb u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/virtual/power_supply/battery u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/rtc/rtc/rtc0/hctosys u:object_r:sysfs_rtc:s0 genfscon sysfs /devices/platform/scu/scu:rtc/rtc/rtc0/hctosys u:object_r:sysfs_rtc:s0 genfscon sysfs /devices/platform/sound/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/sound-wm8960/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/bus@56260000/56268000.hdmi/extcon u:object_r:sysfs_extcon:s0 genfscon debugfs /dma_buf u:object_r:debugfs_dma:s0 genfscon debugfs /sync/sw_sync u:object_r:debugfs_sw_sync:s0 genfscon sysfs /devices/soc0 u:object_r:sysfs_soc:s0 #mek_8q ethernet genfscon sysfs /devices/platform/bus@5b000000/5b040000.ethernet/net u:object_r:sysfs_net:s0 #mek_8qm wifi genfscon sysfs /devices/platform/bus@5f000000/5f000000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net u:object_r:sysfs_net:s0 #mek_8qxp wifi genfscon sysfs /devices/platform/bus@5f000000/5f010000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net u:object_r:sysfs_net:s0 genfscon binder /binder u:object_r:binder_device:s0 genfscon binder /hwbinder u:object_r:hwbinder_device:s0 genfscon binder /vndbinder u:object_r:vndbinder_device:s0 genfscon binder /binder_logs u:object_r:binderfs_logs:s0 genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0 genfscon binder / u:object_r:binderfs:s0 $ ls ./device/fsl/imx8q/sepolicy/ adbd.te hal_composer.te init-insmod-sh.te recovery.te audioserver.te hal_drm_clearkey.te init.te sensors.te bluetooth.te hal_drm_default.te installd.te shell.te bootanim.te hal_drm_widevine.te install_recovery.te surfaceflinger.te bootstat.te hal_dumpstate_impl.te kernel.te system_app.te cameraserver.te hal_graphics_composer_default.te logd.te system_server.te device.te hal_health_default.te mediacodec.te tee.te dnsmasq.te hal_light_default.te mediaextractor.te toolbox.te domain.te hal_neuralnetworks_imx.te mediaprovider.te untrusted_app_25.te dumpstate.te hal_oemlock.te mediaserver.te update_engine_common.te ephemeral_app.te hal_power_default.te mediaswcodec.te update_engine.te fastbootd.te hal_sensors_default.te modprobe.te vendor_init.te file_contexts hal_thermal_default.te netd.te vndservicemanager.te file.te hal_usb_default.te platform_app.te vold_prepare_subdirs.te genfs_contexts hal_usb_impl.te priv_app.te vold.te hal_bluetooth_default.te hal_wifi_default.te proc_net.te webview_zygote.te hal_bootctl_default.te hal_wifi_supplicant_default.te profman.te wificond.te hal_camera_default.te healthd.te property_contexts zygote.te hal_cas_default.te hwservice_contexts property.te $ ls ./device/fsl/imx8q/mek_8q/sepolicy file_contexts genfs_contexts https://source.android.com/security/selinux/device-policy https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#139 $ cat ./device/fsl/imx8q/mek_8q/sepolicy/file_contexts /dev/mxc_asrc u:object_r:audio_device:s0 /dev/mxc_hdmi u:object_r:video_device:s0 /dev/mxc_hantro u:object_r:video_device:s0 /dev/mxc_hantro_h1 u:object_r:video_device:s0 /dev/mxc_vpu_malone u:object_r:video_device:s0 /dev/mxc_hifi4 u:object_r:audio_device:s0 /dev/galcore u:object_r:gpu_device:s0 /dev/imxdpu u:object_r:gpu_device:s0 /dev/caam_kb u:object_r:caam_device:s0 /dev/dri u:object_r:gpu_device:s0 /dev/dri/card0 u:object_r:graphics_device:s0 /dev/dri/card1 u:object_r:graphics_device:s0 /dev/dri/card2 u:object_r:graphics_device:s0 /dev/dri/controlD64 u:object_r:graphics_device:s0 /dev/dri/controlD65 u:object_r:graphics_device:s0 /dev/dri/renderD128 u:object_r:gpu_device:s0 /dev/dri/renderD129 u:object_r:gpu_device:s0 /vendor/bin/hw/android\.hardware\.usb@1\.1-service.imx u:object_r:hal_usb_impl_exec:s0 /dev/diag u:object_r:diag_device:s0 /vendor/app(/.*)? u:object_r:same_process_hal_file:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/vendor/.opencl-cache(/.*)? u:object_r:opencl_cache_file:s0 ############################################### # same-process HAL files and their dependencies # /vendor/lib(64)?/hw/gralloc\.imx\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libfsldisplay\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/nxp.hardware.display@1.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libedid\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libdrm_android\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libGLSLC\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libVSC\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libGAL\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/vulkan\.imx\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/gralloc_viv\.imx\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libdrm_vivante\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libvulkan_VIVANTE\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libSPIRV_viv\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libCLC\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libLLVM_viv\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libopencl-2d\.so u:object_r:same_process_hal_file:s0 #early_init_sh service /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 /vendor/etc/early\.init\.cfg u:object_r:init-insmod-sh_exec:s0 /vendor/etc/setup\.core\.cfg u:object_r:init-insmod-sh_exec:s0 /vendor/etc/setup\.main\.cfg u:object_r:init-insmod-sh_exec:s0 /vendor/lib(64)?/lib_aac_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_amr_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_asf_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_avi_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_dsf_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_flac_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_flv_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_mkv_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_mp3_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_mp3_parser_v2_arm11_elinux\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_mp4_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_mpg2_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_ogg_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_rm_parser_arm11_elinux\.3\.0\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/extractors/libimxextractor\.so u:object_r:same_process_hal_file:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service.trusty u:object_r:hal_keymaster_default_exec:s0 # trusty ipc target /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /vendor/bin/hw/android\.hardware\.health@2\.0-service.imx u:object_r:hal_health_default_exec:s0 /vendor/bin/hw/android\.hardware\.power@1\.3-service\.imx u:object_r:hal_power_default_exec:s0 # mmc rpmb /dev/mmcblk0rpmb u:object_r:mmc_rpmb_char_device:s0 # secure os storage /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/hw/android\.hardware\.drm@1\.2-service\.widevine u:object_r:hal_drm_widevine_exec:s0 /vendor/bin/hw/android\.hardware\.drm@1\.1-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 /vendor/bin/hw/android\.hardware\.drm@1\.2-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 /vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service\.imx u:object_r:hal_dumpstate_impl_exec:s0 /dev/cpu_dma_latency u:object_r:latency_device:s0 /vendor/bin/hw/android\.hardware\.oemlock@1\.0-service\.imx u:object_r:hal_oemlock_impl_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.0-service\.imx u:object_r:hal_bootctl_default_exec:s0
http://shincdevnote.blogspot.com/2017/04/se-for-android.html https://android.googlesource.com/platform/system/sepolicy/+/nougat-dr1-release/file_contexts https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/sec-sel-building-policy-module https://community.nxp.com/t5/i-MX-Processors/How-to-access-serial-port-from-Android-MM-application/m-p/600424 https://wenchiching.wordpress.com/2016/12/05/how-to-change-process-domain-from-untrusted_app-to-system_app/ https://jung-max.github.io/2019/09/16/Android-SEAndroid%EC%A0%81%EC%9A%A9/ $ vi ./device/fsl/imx8q/sepolicy/system_app.te ... allow system_app sysfs:file { open read write }; $ vi ./device/fsl/imx8q/mek_8q/sepolicy/file_contexts // /dev 이면 이곳에 추가 .... # pwm0 /sys/devices/platform/bus@5d000000/5d010000.pwm/pwm/pwmchip0/pwm0/duty_cycle u:object_r:pwm0_device:s0 $ vi ./device/fsl/imx8q/mek_8q/sepolicy/genfs_contexts // ... # pwm0 genfscon sysfs /devices/platform/bus@5d000000/5d010000.pwm/pwm/pwmchip0/pwm0/duty_cycle u:object_r:sysfs_pwm0_device:s0 새 정책파일 https://source.android.com/security/selinux/implement $ vi ./device/fsl/imx8q/sepolicy/device.te type sysfs_pwm0_device, sysfs_type, fs_type; $ vi ./device/fsl/imx8q/sepolicy/pwm.te type sysfs_pwm0_device, sysfs_type, fs_type; allow untrusted_app sysfs_pwm0_device:dir r_dir_perms; allow untrusted_app sysfs_pwm0_device:file rw_file_perms; allow untrusted_app sysfs_pwm0_device:file { read write open };
****************** app.te 와 주의 $ vi system/sepolicy/private/app_neverallows.te //상위를 고쳐도 app이 지켜야할 부분이므로 여기서 에러 발생 $ vi system/sepolicy/prebuilts/api/29.0/private/app_neverallows.te 주석처리 # Do not allow any write access to files in /sys #neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms }; # Apps may never access the default sysfs label. #neverallow all_untrusted_apps sysfs:file no_rw_file_perms; $ vi ./device/fsl/imx8q/sepolicy/file_contexts $ vi ./device/fsl/imx8q/mek_8q/sepolicy/file_contexts # pwm0 /sys/devices/platform/bus@5d000000/5d010000.pwm/pwm/pwmchip0/pwm0/duty_cycle u:object_r:sysfs_pwm0_device:s0 /sys/devices/platform/bus@5d000000/5d020000.pwm/pwm/pwmchip1/pwm0/duty_cycle u:object_r:sysfs_pwm1_device:s0 $ vi ./device/fsl/imx8q/sepolicy/pwm.te type sysfs_pwm0_device, sysfs_type, fs_type; allow untrusted_app sysfs_pwm0_device:dir r_dir_perms; allow untrusted_app sysfs_pwm0_device:file rw_file_perms; allow untrusted_app sysfs_pwm0_device:file { read write open }; BOARD_SEPOLICY_DIRS 확인
system_app
이 설정 때문인지 shell에서 su 명령어가 되어 root 권한으로 실행가능하지만, vi가 없음
그래서 현재 adb shell로 연결할 방법모색cat 으로 수정하려고 함
보안 (dm-verity)
remount 후 소스 수정후 recovery 모드로 동작