mvt-project / androidqf

androidqf (Android Quick Forensics) helps quickly gather forensic evidence from Android devices, in order to identify potential traces of compromise.
https://mvt.re

Collect full SELinux policy on Android #26

Open DonnchaC opened 1 year ago

DonnchaC commented 1 year ago

Some exploits add additional rules to the local in-memory SELinux policy to give their implants extra capabilities rather than completely disabling SELinux.

On Android the SELinux policies are part of the OEM system image and so should be fixed for a particular build. They can be found at multiple paths, including:

/odm/etc/selinux/precompiled_sepolicy
/vendor/etc/selinux/precompiled_sepolicy

The currently active SELinux compiled policy is accessible under /sys. This file is accessible via adb pull even if it's not directly readable from the ADB shell.

/sys/fs/selinux/policy

Unfortunately the in-memory file is not byte-for-byte identical in the few tests I have seen. There may be some standard transformation happening to the rules when loaded, which would allow us to detect rule changes with some further analysis.

We should collect the on-disk and active SELinux policies in AndroidQF and add an MVT module to parse them.
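
As an added example (not androidqf's own code, and not something posted in this thread), the following Go program shows the collection step proposed above: it pulls the three paths with adb, checks that each file really carries the kernel policydb header (little-endian magic 0xf97cff8c, the string "SE Linux", then the policy version and config flags), records size, version and SHA-256 for the acquisition log, and reports how the active /sys copy differs from each on-disk copy. It assumes adb is on PATH with an authorised device attached; the header layout is the standard binary policydb format, and sampleHeader only builds a constructed header-only blob for offline checks, not a real policy.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"os/exec"
)

// Device paths named in the issue, mapped to the local file name each is saved under.
var policyPaths = map[string]string{
	"/odm/etc/selinux/precompiled_sepolicy":    "odm_precompiled_sepolicy",
	"/vendor/etc/selinux/precompiled_sepolicy": "vendor_precompiled_sepolicy",
	"/sys/fs/selinux/policy":                   "sys_fs_selinux_policy",
}

// A kernel binary policy (policydb format) begins: u32 magic, u32 string length, the string
// "SE Linux", u32 policy version, u32 config flags. Policy modules carry a different string.
const policydbMagic = 0xf97cff8c
const kernelPolicyString = "SE Linux"

type PolicyInfo struct {
	Path    string
	Size    int
	SHA256  string
	Version uint32
}

// ParseHeader checks that data really is a kernel policy and records its version and hash.
func ParseHeader(path string, data []byte) (PolicyInfo, error) {
	le := binary.LittleEndian
	if len(data) < 24 || le.Uint32(data[0:4]) != policydbMagic {
		return PolicyInfo{}, errors.New("not a binary SELinux policy (bad size or magic)")
	}
	n := int(le.Uint32(data[4:8]))
	if n != len(kernelPolicyString) || string(data[8:8+n]) != kernelPolicyString {
		return PolicyInfo{}, errors.New("not a kernel policy (expected \"SE Linux\" identifier)")
	}
	sum := sha256.Sum256(data)
	return PolicyInfo{path, len(data), hex.EncodeToString(sum[:]), le.Uint32(data[8+n : 12+n])}, nil
}

// ComparePolicies reports how the active policy differs from an on-disk copy; empty means identical.
func ComparePolicies(onDisk, active PolicyInfo) []string {
	if onDisk.SHA256 == active.SHA256 {
		return nil
	}
	findings := []string{fmt.Sprintf("%s differs from %s (sha256 %s.. vs %s..)",
		active.Path, onDisk.Path, active.SHA256[:12], onDisk.SHA256[:12])}
	if onDisk.Version != active.Version {
		findings = append(findings, fmt.Sprintf("policy version %d on disk but %d active", onDisk.Version, active.Version))
	}
	return findings
}

// collect pulls one device file with adb (assumed on PATH) to a local file and parses it.
func collect(devicePath, local string) (PolicyInfo, error) {
	if out, err := exec.Command("adb", "pull", devicePath, local).CombinedOutput(); err != nil {
		return PolicyInfo{}, fmt.Errorf("adb pull: %v: %s", err, out)
	}
	data, err := os.ReadFile(local)
	if err != nil {
		return PolicyInfo{}, err
	}
	return ParseHeader(devicePath, data)
}

// sampleHeader builds a constructed header-only blob (not a real policy) for offline checks.
func sampleHeader(version uint32, body string) []byte {
	le := binary.LittleEndian
	b := le.AppendUint32(nil, policydbMagic)
	b = le.AppendUint32(b, uint32(len(kernelPolicyString)))
	b = append(b, kernelPolicyString...)
	b = le.AppendUint32(le.AppendUint32(b, version), 0) // version, then config flags
	return append(b, body...)
}

func main() { // run from the case directory; the three files are written there
	got := map[string]PolicyInfo{}
	for p, name := range policyPaths {
		if info, err := collect(p, name); err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
		} else {
			got[p] = info
			fmt.Printf("%s size=%d version=%d sha256=%s\n", p, info.Size, info.Version, info.SHA256)
		}
	}
	active, ok := got["/sys/fs/selinux/policy"]
	for p, info := range got {
		if ok && p != active.Path {
			for _, f := range ComparePolicies(info, active) {
				fmt.Println("finding:", f)
			}
		}
	}
}
```

The header check matters because adb pull of a path that is unreadable or absent on a given build can leave an empty or partial file; rejecting anything without the policydb magic keeps such files out of the evidence set. Hash and version comparison is only the first step: since the in-memory copy is not byte-identical to the on-disk one, telling added rules apart from the kernel's normal load-time transformation needs the rule-level parser the proposed MVT module would provide.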

Te-k commented 1 year ago

Should we keep that for v1.1?