我的自定义selinux策略似乎被android系统忽略了
[英]My custom selinux policies seem to be ignored by android system
问题描述
I have some trouble on getting custom selinux policies running properly on an AOSP based Android 7.1.2 (more precisely based on sony open devices tree). 
我在基于AOSP的Android 7.1.2(更准确地说是基于sony开放设备树)上正确运行自定义selinux策略时遇到一些麻烦。
My problem is that the audit logs keep telling me about missing file access rules that I actually added. 我的问题是审计日志不断告诉我我实际添加的文件访问规则丢失。 I also copied rules that audit2allow has created to my policy files, but even those do not properly work. 我还将audit2allow创建的规则复制到我的策略文件中,但即使那些规则也没有正常工作。
So, let's dig into the details: 那么,让我们深入了解细节:
I created a custom domain called vendor_app . 我创建了一个名为vendor_app的自定义域。 This domain is assigned to an app based on its signature. 此域根据其签名分配给应用程序。 I have added an entry to the mac_permissions.xml to assign the seinfo field vendor . 我在mac_permissions.xml中添加了一个条目来分配seinfo字段供应商 。 In seapp_contexts I assign the vendor_app domain like this: 在seapp_contexts中,我像这样分配vendor_app域:
user=_app seinfo=vendor domain=vendor_app type=app_data_file levelFrom=user
My app is properly started in the vendor_app context: 我的应用程序在vendor_app上下文中正确启动:
# ps -Z | grep permissiontest
u:r:vendor_app:s0:c512,c768 u0_a109 4110 508 1620732 79584 SyS_epoll_ 0000000000 S com.vendor.android.permissiontest
So, now for the part that does not work at all. 所以,现在对于根本不起作用的部分。 An app running in the vendor_app context shall get read/write access to files in /persist/vendor . 在vendor_app上下文中运行的应用程序将获得/ persist / vendor中文件的读/写访问权限。 To create the nessesary rules, I added a file called vendor.te to the sepolicy folder in the device directory with the followin content: 为了创建nessesary规则,我将一个名为vendor.te的文件添加到设备目录中的sepolicy文件夹中,其中包含以下内容:
type vendor_app, domain;
type vendor_file, file_type, data_file_type;
# permissive vendor_app;
app_domain(vendor_app)
net_domain(vendor_app)
bluetooth_domain(vendor_app)
allow vendor_app persist_file:dir r_dir_perms;
allow vendor_app vendor_file:dir create_dir_perms;
allow vendor_app vendor_file:file create_file_perms;
allow vendor_app audioserver_service:service_manager find;
allow vendor_app cameraserver_service:service_manager find;
allow vendor_app drmserver_service:service_manager find;
allow vendor_app mediaserver_service:service_manager find;
allow vendor_app mediaextractor_service:service_manager find;
allow vendor_app mediacodec_service:service_manager find;
allow vendor_app mediadrmserver_service:service_manager find;
allow vendor_app persistent_data_block_service:service_manager find;
allow vendor_app radio_service:service_manager find;
allow vendor_app surfaceflinger_service:service_manager find;
allow vendor_app app_api_service:service_manager find;
allow vendor_app system_api_service:service_manager find;
allow vendor_app vr_manager_service:service_manager find;
And I have added one entry in the file_contexts configuration: 我在file_contexts配置中添加了一个条目:
###################################
# persist files
#
/persist(/.*)? u:object_r:persist_file:s0
/persist/vendor(/.*)? u:object_r:vendor_file:s0
On the /persist partition, I created some directory structure to have folders with appropriate permissions to add some files there. 在/ persist分区上,我创建了一些目录结构,使文件夹具有适当的权限,可以在那里添加一些文件。
# ls -Zal /persist/vendor/
total 56
drwxrwxrwx 5 persist persist u:object_r:vendor_file:s0 4096 2017-08-03 22:27 .
drwxrwx--x 16 system system u:object_r:persist_file:s0 4096 2017-08-01 16:24 ..
drwxrwxrwx 2 profile profile u:object_r:vendor_file:s0 4096 2017-08-04 13:34 profile
drwxrwxrwx 2 provision provision u:object_r:vendor_file:s0 4096 2017-08-04 13:34 provisioning
drwxrwxrwx 2 updater updater u:object_r:vendor_file:s0 4096 2017-08-04 13:34 updater
I know that the find -rules for the services are working, as I am able to start my app in enforcing mode and do not get any complaints about that. 我知道服务的查找规则正在运行,因为我能够以强制模式启动我的应用程序并且不会对此有任何抱怨。 I am also able to access the /persist directory for { search } as allowed by the rule regarding persist_file:dir . 我也能够访问有关persist_file:dir的规则所允许的{search}的/ persist目录。
As soon as I try writing a new file like /persist/vendor/updater/test to the /persist directory, I get error messages from auditd: 一旦我尝试将/ persist / vendor / updater / test等新文件写入/ persist目录,我就会从auditd收到错误消息:
08-04 16:34:29.269 4108 4108 W .permissiontest: type=1400 audit(0.0:27): avc: denied { write } for name="updater" dev="mmcblk0p44" ino=55 scontext=u:r:vendor_app:s0:c512,c768 tcontext=u:object_r:vendor_file:s0 tclass=dir permissive=0
That error is of course converted by audit2allow to the following rule: 该错误当然由audit2allow转换为以下规则:
#============= vendor_app ==============
allow vendor_app vendor_file:dir write;
As write is a member of create_dir_perms , it actually should be there. 由于write是create_dir_perms的成员,它实际上应该在那里。 I have also tried adding the line created by audit2allow to my vendor.te without any success. 我也尝试将audit2allow创建的行添加到我的vendor.te中,但没有成功。
Please notice that writing to updater also involves search on persist_file and search on vendor_file which both seem to work without any problems. 请注意,写入更新程序还涉及搜索 persist_file并搜索 vendor_file ,它们似乎都没有任何问题。
Has anyone any advice, how to debug that properly or maybe even any solution for this problem? 有没有人有任何建议,如何正确调试,甚至可能解决这个问题? I have been digging on this for two days now and it's driving me nuts. 我现在已经挖了两天了,这让我疯了。
EDIT: 编辑:
Ah. 啊。 /persist is of course mounted writable: / persist当然是可写的:
# mount | grep persist
/dev/block/bootdevice/by-name/persist on /persist type ext4 (rw,seclabel,nosuid,nodev,relatime,nodelalloc,errors=panic,data=ordered)
EDIT 2: 编辑2:
As Paul Ratazzi has asked, I have scanned the sepolicy file and the version actually loaded into the kernel for the presence of my rules as well. 正如Paul Ratazzi所问,我已经扫描了sepolicy文件以及实际加载到内核中的版本,以了解我的规则。
$ sesearch -A -s vendor_app -t vendor_file policy
allow vendor_app vendor_file:dir { rename search setattr read lock create reparent getattr write ioctl rmdir remove_name open add_name };
allow vendor_app vendor_file:file { rename setattr read lock create getattr write ioctl unlink open append };
So they are infact deployed to the device properly. 因此它们实际上已正确部署到设备上。
1 个解决方案
解决方案1
3 已采纳 2017-08-07 16:02:14
Well, after some more digging, it looks like I finally found the answer. 好吧,经过一些挖掘,看起来我终于找到了答案。 To maybe save someone running into the same problem some brain-hurting days, here is the solution: 为了节省一些遇到同样问题的人在一些脑力痛苦的日子,这里是解决方案:
Besides MAC (Mandatory Access Control) SElinux on android also MLS (Multi-Level Security) . 除了Android上的MAC(强制访问控制) SElinux还有MLS(多级安全) 。
While MAC is somehow described in the Android SELinux concepts , the information about MLS is only mentioned very brief and implicitly: 虽然在Android SELinux概念中以某种方式描述了MAC,但有关MLS的信息仅在非常简短和隐含地提到:
In SELinux, a label takes the form: user:role:type: mls_level , where the type is the primary component of the access decisions, which may be modified by the other sections components which make up the label.
So, what happens is that my Android app runs in a MLS level (indicated by c512,c768) that can read files on /persist but not write them. 所以,我的Android应用程序运行在MLS级别(由c512,c768表示),可以读取/ persist上的文件但不写入它们。 So what needs to happen is that my app gets an MLS level to properly access those files. 所以需要发生的是我的应用程序获得MLS级别以正确访问这些文件。
I have (for now) archived this by changing my custom label to 我(现在)通过将我的自定义标签更改为存档来存档
type vendor_app, domain, mlstrustedsubject;
which makes my app trusted. 这让我的应用程序值得信赖 This fixes the problem but grants a whole lot of access to my app. 这解决了问题,但授予了我的应用程序的大量访问权限。 Thus a better option would be to lover the security level of the destination to a level that grants read and write access to my app. 因此,更好的选择是将目标的安全级别置于允许对我的应用程序进行读写访问的级别。
So this is basically the solution for this problem up to now (while still not yet complete). 所以这基本上是迄今为止这个问题的解决方案(虽然还没有完成)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.