Sunday, May 26, 2013

SELinux MAC Policy Files


The MAC policy configuration files are contained in the external/sepolicy directory; however, there may also be policy configuration files that enable specific device features under the device/<vendor> directories (see the Building the Policy section). Once generated, the policy and its supporting configuration files are installed on the device as part of the build process.


The following files are used to build the kernel binary policy file, which is named sepolicy and installed by default in the root directory. An updated policy may be installed at /data/security/sepolicy. The initialisation or policy reload process always checks for a policy at /data/security/sepolicy first and then, if none is present there, at /sepolicy. The policy files consist of the following:

access_vectors, security_classes

These have been modified to support the new SE for Android classes and permissions.
Access decisions specify whether or not a permission is granted for a given pair of SIDs and class. Each object class has a set of associated permissions defined to control operations on objects of that class. These permission sets are represented by a bitmap called an access vector. The corresponding constants for permissions are defined in the automatically generated header file av_permissions.h (external/libsepol/src and kernel/goldfish/security/selinux). This file looks like the figure below.
The table above is generated by "kernel/goldfish/scripts/selinux/genheaders.c" from "kernel/goldfish/security/selinux/include/classmap.h". The figure below shows the contents of classmap.h.

access_vectors is used in external/libsepol/include/sepol/policydb/flask_types.h. It defines the access vector permissions for each class.
Below is an example of an access_vectors file:
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }

#
# Define a common prefix for file access vectors.
#

common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
unlink
link
rename
execute
swapon
quotaon
mounton
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}

security_classes is used in external/libsepol/include/sepol/policydb/flask_types.h. It declares the security classes.
Below is an example of a security_classes file:
#Classes marked as userspace are classes
#for userspace object managers

class security
class process
class system
class capability

#file-related classes
class filesystem
class file
class dir

#network-related classes
class socket
class tcp_socket
class udp_socket

The relation between access_vectors and security_classes is shown in the figure below:



initial_sids, initial_sid_contexts, fs_use, genfs_contexts, port_contexts
For flexibility of policy building, these files have been separated to allow additional policy files to be defined for specific devices.
initial_sids is used in external/libselinux/src/avc.c and external/libselinux/src/get_initial_context.c. It declares the initial SIDs, such as:
sid kernel
sid security
sid fs
sid file
initial_sid_contexts declares initial SID contexts. Such as:
sid kernel u:r:kernel:s0
sid security u:object_r:kernel:s0
sid fs u:object_r:labeledfs:s0
sid file u:object_r:unlabeled:s0
The relation of initial_sids and initial_sid_contexts is shown in the figure below:


fs_use is used in external/libsepol/include/sepol/policydb/service.h, kernel/goldfish/security/selinux/ss/services.c and other files. It states how each filesystem type is labelled: fs_use_xattr for filesystems that store labels in extended attributes, and fs_use_trans for pseudo filesystems whose objects are labelled by a transition from the creating process.
fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
fs_use_xattr ext2 u:object_r:labeledfs:s0;
fs_use_trans tmpfs u:object_r:tmpfs:s0;
fs_use_trans mqueue u:object_r:mqueue:s0;
genfs_contexts is used in kernel/goldfish/security/selinux/hooks.c. Its genfscon statements label filesystems that have no extended attribute support (such as rootfs, sysfs and vfat) by path prefix:
genfscon rootfs / u:object_r:rootfs:s0
# sysfs labels can be set by userspace
genfscon sysfs / u:object_r:sysfs:s0
genfscon vfat / u:object_r:sdcard:s0


port_contexts defines the socket port contexts. It is used in external/libsepol/src/polcaps.c and kernel/goldfish/security/selinux/selinuxfs.c.
# portcon statements 
portcon tcp 80 u:object_r:http_port:s0

users, roles
These define the only user (u) and role (r) used by the policy, although there is no reason why others cannot be added.
users file:
user u roles { r } level s0 range s0 - mls_systemhigh;
roles file:
role r; 
role r types domain;


mls
Contains the constraints applied to the defined classes and permissions.

global_macros, mls_macros, te_macros
These contain the m4 macros that expand the policy files to build a policy in the kernel policy language as described in the Policy Language section. The policy can then be compiled by checkpolicy(8). For reference, the policy text file is built and placed in out/target/product/<device>/obj/ETC/sepolicy_intermediates/policy.conf. The compiled kernel policy can also be found in this directory and is named sepolicy. There are also policy.conf.dontaudit and sepolicy.dontaudit files that have the dontaudit rules removed. Stripping out these rules stops the auditing of denial messages that are known events and do not cause any issues. This also helps to manage the audit log by excluding known denial events.

attributes 
Contains the attribute names (forming the attribute statements) that will be used to group type identifiers defined by the policy. Types are the basic building blocks for TE rules. SELinux primarily uses types to determine what access is allowed. Attributes and aliases are policy features that ease the management and use of types. We use attributes to refer to a group of types with a single identifier.
The statement definition is:
attribute attribute_id;
Where:
attribute: the attribute keyword.
attribute_id: the attribute identifier.

Type statement syntax:
type type_id [alias alias_id] [,attribute_id];

attributes declarations:
#All types used for devices.
attribute dev_type;

#All types used for processes
attribute domain;

#All types used for domain entry points
attribute exec_type;



policy_capabilities
Contains the policy capabilities enabled for the kernel policy (see policycap statement). It is used in external/libsepol/src/polcaps.c and kernel/goldfish/security/selinux/selinuxfs.c.
The statement definition is:
policycap capability;
Where:
policycap: the policycap keyword.
capability: the capability identifier that needs to be enabled for this policy.
# This statement enables the network_peer_controls capability
# for use by the policy.
#

policycap network_peer_controls;

*.te
The *.te files are the policy module definition files. These use the same format as the standard reference policy and are expanded by the m4 macros. There is (generally) one .te file for each domain/service defined for the device, and it contains all the required allow, type_transition etc. rules. It also calls any te_macros needed to access the resources of other domains (e.g. init_daemon_domain, binder_call).


The following files are used to compute and/or configure SE for Android security contexts and reflect information configured within the kernel policy. These files are:

file_contexts
Contains the default file contexts used to label the filesystem, as in standard SELinux. The format of this file is defined in file_contexts(5). The file is installed by default in the root directory. SE for Android services (such as restorecon(8)) will first check for this file at (this is where updated files should be placed):
  /data/security/file_contexts
If not present they will then check the root directory:
  /file_contexts
Example file_contexts contents:
#root
/                  u:object_r:rootfs:s0

#Data File
/adb_keys          u:object_r:rootfs:s0
/default.prop      u:object_r:rootfs:s0

#Executables
/init              u:object_r:rootfs:s0
/sbin(/.*)?        u:object_r:rootfs:s0

#Devices
/dev(/.*)?         u:object_r:device:s0
/dev/alarm         u:object_r:alarm_device:s0
/dev/audio.*       u:object_r:audio_device:s0

The figures below show the file_contexts output you will see in the console.
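As an added example (not code from the original post or from libselinux), a small Python model of the file_contexts(5) lookup that restorecon performs: each regular expression is anchored at both ends, and the last matching entry wins, which is why the /dev/alarm line can override /dev(/.*)?. The sample file is constructed from the entries shown above.

```python
import re

# Constructed sample in file_contexts(5) format (the entries shown above).
SAMPLE_FILE_CONTEXTS = """\
#root
/                  u:object_r:rootfs:s0
/adb_keys          u:object_r:rootfs:s0
/init              u:object_r:rootfs:s0
/sbin(/.*)?        u:object_r:rootfs:s0
/dev(/.*)?         u:object_r:device:s0
/dev/alarm         u:object_r:alarm_device:s0
/dev/audio.*       u:object_r:audio_device:s0
"""


def parse_file_contexts(text):
    """Return (compiled_regex, context) pairs in file order.

    Each regex is anchored as ^regex$, as the libselinux file backend does.
    """
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        parts = line.split()
        if len(parts) < 2:
            raise ValueError("malformed file_contexts line: %r" % line)
        # An optional middle field may hold a file type filter such as "--";
        # the label is always the last field.
        regex, context = parts[0], parts[-1]
        specs.append((re.compile("^" + regex + "$"), context))
    return specs


def lookup_context(specs, path):
    """Label for `path`: the LAST matching entry wins, so specific lines
    are written after the general lines they override."""
    for regex, context in reversed(specs):
        if regex.match(path):
            return context
    return None   # no entry: restorecon leaves the existing label untouched
```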


property_contexts
Contains the default contexts applied to Android property service keys, as discussed in the property_contexts file section. The file is installed by default in the root directory. The SE for Android initialisation / reload process will first check for this file at (this is where updated files should be placed):
  /data/security/property_contexts
If not present they will then check the root directory:
  /property_contexts
This file is used in system/core/init/init.c.
Example of property_contexts:
##########################
# property service keys
#
 
net.rmnet0              u:object_r:radio_prop:s0
net.gprs                u:object_r:radio_prop:s0
net.ppp                 u:object_r:radio_prop:s0
net.qmi                 u:object_r:radio_prop:s0
net.lte                 u:object_r:radio_prop:s0
net.cdma                u:object_r:radio_prop:s0
gsm.                    u:object_r:radio_prop:s0
persist.radio           u:object_r:radio_prop:s0
net.dns                 u:object_r:radio_prop:s0
sys.                    u:object_r:system_prop:s0
service.                u:object_r:system_prop:s0
wlan.                   u:object_r:system_prop:s0
dhcp.                   u:object_r:system_prop:s0
debug.                  u:object_r:shell_prop:s0
log.                    u:object_r:shell_prop:s0

The property service in system/core/init/property_service.c uses these contexts to decide whether the requesting process is allowed to set a given property.


seapp_contexts
Contains the information used to compute an app's domain or data file context from parameters such as the uid and seinfo, as discussed in the seapp_contexts file section. The file is installed by default in the root directory. The SE for Android initialisation / reload process will first check for this file at (this is where updated files should be placed):
  /data/security/seapp_contexts
If not present they will then check the root directory:
  /seapp_contexts
This file is used in external/sepolicy/check_seapp/check_seapp.c (which validates it at build time) and external/libselinux/src/android.c (which computes the contexts at runtime). Example contents:
isSystemServer=true domain=system
user=system domain=system_app type=system_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=_app domain=untrusted_app type=app_data_file levelFrom=app
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_app seinfo=shared domain=shared_app type=platform_app_data_file
user=_app seinfo=media domain=media_app type=platform_app_data_file
user=_app seinfo=release domain=release_app type=platform_app_data_file
user=_isolated domain=isolated_app


The picture above shows the "untrusted_app" domain defined in seapp_contexts and the matching process contexts reported by the system.
If the "untrusted_app" domain is not defined in seapp_contexts, the process keeps the default label "zygote", as the picture below shows.
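An added example, not code from the original post or from libselinux's android.c: a Python model of how a seapp_contexts entry is selected for a process (domain) or its data directory (type). It assumes the uid boundaries AID_APP=10000 and AID_ISOLATED_START=99000 and a small uid-to-name table; levelFrom is parsed but MLS levels are not computed. It also reproduces the case described above where no untrusted_app entry matches and the process keeps the zygote label.

```python
# Constructed seapp_contexts sample (entries taken from the listing above).
SAMPLE_SEAPP_CONTEXTS = """\
isSystemServer=true domain=system
user=system domain=system_app type=system_data_file
user=_app domain=untrusted_app type=app_data_file levelFrom=app
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_isolated domain=isolated_app
"""
AID_APP, AID_ISOLATED_START = 10000, 99000   # assumed uid boundaries
SYSTEM_USERS = {1000: "system", 1002: "bluetooth"}  # assumed uid -> name table


def parse_seapp_contexts(text):
    """Parse key=value lines; most specific entries (user set, then seinfo set) first."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = dict(kv.split("=", 1) for kv in line.split())
        entry["isSystemServer"] = entry.get("isSystemServer", "false") == "true"
        entries.append(entry)
    entries.sort(key=lambda e: ("user" in e, "seinfo" in e), reverse=True)
    return entries


def username_for_uid(uid):
    """Selector name: a system account name, "_app" for app uids, "_isolated" above that."""
    if uid < AID_APP:
        return SYSTEM_USERS.get(uid)
    return "_isolated" if uid >= AID_ISOLATED_START else "_app"


def select_entry(entries, want, uid, seinfo=None, is_system_server=False):
    """First entry whose selectors all match and that defines `want` ("domain" or "type")."""
    username = username_for_uid(uid)
    for e in entries:
        if e["isSystemServer"] != is_system_server or want not in e:
            continue
        if "user" in e and e["user"] != username:
            continue
        if "seinfo" in e and e["seinfo"] != seinfo:
            continue
        return e[want]
    return None   # no match: process keeps the zygote context / file is not relabelled


def process_domain(entries, uid, seinfo=None, is_system_server=False):
    return select_entry(entries, "domain", uid, seinfo, is_system_server)


def data_file_type(entries, uid, seinfo=None):
    return select_entry(entries, "type", uid, seinfo)
```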


selinux-network.sh
If using iptables(8) then SECMARK information may be configured in this file as part of the build. It is installed in system/bin and executed at system initialisation time.

