rainit2006 / Android-

Notes on basic Android knowledge

System app, platform app, SE linux #19

Open rainit2006 opened 4 years ago

rainit2006 commented 4 years ago

SELinux:

rainit2006 commented 4 years ago

SELinux

Explanatory articles found online:

SELinux also supports a per-domain permissive mode in which specific domains (processes) can be made permissive while placing the rest of the system in global enforcing mode. A domain is simply a label identifying a process or set of processes in the security policy, where all processes labeled with the same domain are treated identically by the security policy. Per-domain permissive mode enables incremental application of SELinux to an ever-increasing portion of the system and policy development for new services (while keeping the rest of the system enforcing). https://source.android.google.cn/security/selinux

SELinux is set up to default-deny, which means that every single access for which it has a hook in the kernel must be explicitly allowed by policy. This means a policy file is comprised of a large amount of information regarding rules, types, classes, permissions, and more.

Other references: https://blog.csdn.net/huangyabin001/article/details/79264222

https://stackoverflow.com/questions/61337865/what-will-be-happen-if-we-change-selinux-set-to-permissive-mode You are right. If you set SELinux to permissive, you disable an important security feature of Android. That's why you use that mode for developing only. What the permissive mode will do for you is trace all the allow rules your service is missing. You would typically proceed like this:

  1. Implement your service.
  2. Enable SELinux permissive mode (see here).
  3. Start your service and check avc output for missing allow rules or violated neverallow rules of your service (see here).
  4. Carefully think about security implications and add the required contexts and allow rules to the system (see here).
  5. Enable SELinux enforcing mode.
  6. Check that your service works and avc does not complain anymore.

Example of ".te" file

    # Allow read / write access to /dev/null
    allow domain null_device:chr_file { getattr open read ioctl lock append write };

    # Allow read-only access to /dev/zero
    allow domain zero_device:chr_file { getattr open read ioctl lock };

Example 2.

    type dhcp, domain;  # The DHCP daemon inherits from the base security policy (domain). As in the statements of the previous example, DHCP can read and write /dev/null.
    permissive dhcp;  # DHCP is designated a permissive domain.
    type dhcp_exec, exec_type, file_type;  # Define file types (more than one may be declared)
    type dhcp_data_file, file_type, data_file_type;

    init_daemon_domain(dhcp) # Indicates that DHCP is spawned by init and is allowed to communicate with it.
    net_domain(dhcp) # Allows DHCP to use common network functionality from the net domain, such as reading and writing TCP packets, communicating over sockets and performing DNS requests.

    allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
    allow dhcp self:packet_socket create_socket_perms;
    allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
    allow dhcp shell_exec:file rx_file_perms;
    allow dhcp system_file:file rx_file_perms;
    # For /proc/sys/net/ipv4/conf/*/promote_secondaries
    allow dhcp proc_net:file write;   # Indicates that DHCP may write to specific files under /proc. The proc_net label limits write access to files under /proc/sys/net.
    allow dhcp system_prop:property_service set;
    unix_socket_connect(dhcp, property, init)

    type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
    allow dhcp dhcp_data_file:dir create_dir_perms;
    allow dhcp dhcp_data_file:file create_file_perms;

    allow dhcp netd:fd use;
    allow dhcp netd:fifo_file rw_file_perms;
    allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
    allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };

SELinux (or SEAndroid) divides apps into three main types (depending on the user, other domain types exist as well):

1) untrusted_app: third-party apps, no Android platform signature, no system permission
2) platform_app: has an Android platform signature, no system permission
3) system_app: has an Android platform signature and system permission

The .te file corresponding to apps:

http://www.gandalf.site/2019/02/androidseandroid.html All Android policy files provided by AOSP are under the source path external/sepolicy; after the build completes, the following modules are generated:

Path: external/sepolicy/seapp_context

    isSystemServer=true domain=system_server
    user=system domain=system_app type=system_app_data_file
    user=bluetooth domain=bluetooth type=bluetooth_data_file
    user=nfc domain=nfc type=nfc_data_file
    user=radio domain=radio type=radio_data_file
    user=shared_relro domain=shared_relro
    user=shell domain=shell type=shell_data_file
    user=_isolated domain=isolated_app
    user=_app seinfo=platform domain=platform_app type=app_data_file
    user=_app domain=untrusted_app type=app_data_file

Setting the window service to u:object_r:system_server_service:s0 means that only processes with permission to access resources of type system_server_service can access this service.

Image description:
![image](https://user-images.githubusercontent.com/12871721/88059455-d448c980-cb9f-11ea-9850-15dcdd169b9f.png)
![image](https://user-images.githubusercontent.com/12871721/88059188-79af6d80-cb9f-11ea-8736-0ffa99f13763.png)
![image](https://user-images.githubusercontent.com/12871721/88059485-e1fe4f00-cb9f-11ea-8ae1-c3ce2138bb56.png)

![image](https://user-images.githubusercontent.com/12871721/88059751-3e616e80-cba0-11ea-9368-bde23d5c5cc9.png)
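Steps 3 and 4 of the workflow quoted above (collect the avc denials while the domain is permissive, then decide which allow rules to add) can be scripted. The following is an added example, not code from this issue or from AOSP's audit2allow; the log lines are constructed to match the dhcp example in the .te file above, using the standard avc line format the kernel writes to dmesg/logcat.

```python
import re
from collections import defaultdict

# Fields of an AVC denial as printed by the kernel into dmesg/logcat.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=u:r:(?P<sdom>[^:\s]+):s0"
    r".*?tcontext=u:(?:r|object_r):(?P<ttype>[^:\s]+):s0"
    r".*?tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)

# Constructed sample: three denials logged for the dhcp domain while it was
# per-domain permissive (permissive=1), plus one real block in an enforcing
# domain (permissive=0).
SAMPLE_LOG = """\
W dhcpcd  : type=1400 audit(0.0:10): avc: denied { write } for name="promote_secondaries" dev="proc" scontext=u:r:dhcp:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
W dhcpcd  : type=1400 audit(0.0:11): avc: denied { open } for path="/proc/sys/net/ipv4/conf/wlan0/promote_secondaries" scontext=u:r:dhcp:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
W dhcpcd  : type=1400 audit(0.0:12): avc: denied { read write } for path="pipe:[4242]" scontext=u:r:dhcp:s0 tcontext=u:r:netd:s0 tclass=fifo_file permissive=1
W com.example.app: type=1400 audit(0.0:13): avc: denied { read } for name="data" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
"""

def parse_denials(log):
    """Yield (source_domain, target_type, tclass, perms, was_permissive) per avc line."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (m["sdom"], m["ttype"], m["tclass"],
                   frozenset(m["perms"].split()), m["permissive"] == "1")

def allow_rules(log):
    """Collapse denials into candidate allow rules, one per (domain, type, class):
    the rules the policy is missing. Each is a candidate to review, not to paste
    as-is; the untrusted_app -> system_data_file one should stay denied."""
    grouped = defaultdict(set)
    for sdom, ttype, tclass, perms, _ in parse_denials(log):
        grouped[(sdom, ttype, tclass)].update(perms)
    return [f"allow {d} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (d, t, c), p in sorted(grouped.items())]

def enforced_denials(log):
    """Denials with permissive=0 were actually blocked; permissive=1 denials were
    only logged, which is exactly what per-domain permissive mode provides."""
    return [(d, t, c) for d, t, c, _, perm in parse_denials(log) if not perm]
```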
rainit2006 commented 4 years ago

app type label in SELinux policy For example, a typical Android app is running in its own process and has the label of untrusted_app that grants it certain restricted permissions. Platform apps built into the system run under a separate label and are granted a distinct set of permissions. System UID apps that are part of the core Android system run under the system_app label for yet another set of privileges.

Example that includes platform_app and system_app: https://android.googlesource.com/platform/system/sepolicy/+/3286fca7db279b9e5d69da408301fc48b52b4c4b/app.te

rainit2006 commented 4 years ago

System app https://www.hexnode.com/mobile-device-management/help/what-are-system-apps/

System apps are pre-installed apps in the system partition with your ROM. In other words, a system app is simply an app placed under /system/app folder on an Android device.

/system/app is a read-only folder. Android device users do not have access to this partition. Hence, users cannot directly install or uninstall apps to/from it.

Apps such as camera, settings, messages, Google Play Store, etc. come pre-installed with the phone and manufacturers do not generally provide an option to remove such apps as this might impact the functioning of your device. If you want to remove a system app you need to root your device first.

A non-system app is installed under /data/app folder and has read, write privileges.

SELinux (or SEAndroid) divides apps into three main types (depending on the user, other domain types exist as well):

1) untrusted_app: third-party apps, no Android platform signature, no system permission
2) platform_app: has an Android platform signature, no system permission
3) system_app: has an Android platform signature and system permission

From the above classification, in theory the privilege levels are: untrusted_app < platform_app < system_app. Original link: https://blog.csdn.net/zhudaozhuan/java/article/details/50964832
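The three app domains listed above are chosen at process start by matching seapp_contexts entries like the ones quoted earlier in this issue. The following added example (not from the issue or from AOSP's libselinux) resolves a uid and seinfo to a domain and data-file type with that matching rule: every selector an entry names must match, and the entry naming the most selectors wins. The uid ranges are assumed from Android's AID constants.

```python
# Constructed excerpt in the format of external/sepolicy/seapp_contexts.
SEAPP_CONTEXTS = """\
isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
user=shell domain=shell type=shell_data_file
user=_isolated domain=isolated_app
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app domain=untrusted_app type=app_data_file
"""

# Assumed uid layout from Android's AID constants: named system uids, app uids
# 10000-19999, isolated uids 99000-99999, and a 100000 offset per Android user.
NAMED_UIDS = {1000: "system", 1001: "radio", 1002: "bluetooth", 1027: "nfc", 2000: "shell"}

def user_key(uid):
    """Map a Linux uid to the 'user' selector used by seapp_contexts."""
    app_id = uid % 100000
    if app_id in NAMED_UIDS:
        return NAMED_UIDS[app_id]
    if 10000 <= app_id <= 19999:
        return "_app"
    if 99000 <= app_id <= 99999:
        return "_isolated"
    return None

def parse_seapp_contexts(text):
    """Each non-comment line is a set of key=value selectors plus outputs."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip() and not line.startswith("#")]

def lookup(entries, uid, seinfo="default", is_system_server=False):
    """Return (domain, type). seinfo is what mac_permissions.xml assigns from the
    APK signing certificate ('platform' for platform-signed apps). Every selector
    an entry names must match; the most specific entry wins, ties keep file order."""
    attrs = {"isSystemServer": "true" if is_system_server else "false",
             "user": user_key(uid), "seinfo": seinfo}
    best, best_count = None, -1
    for e in entries:
        selectors = {k: v for k, v in e.items() if k not in ("domain", "type")}
        if all(attrs.get(k) == v for k, v in selectors.items()) and len(selectors) > best_count:
            best, best_count = e, len(selectors)
    return (best.get("domain"), best.get("type")) if best else None
```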

rainit2006 commented 4 years ago

itmedia.co.jp/enterprise/articles/1112/26/news015_2.html There are three kinds of execution privileges on Android.

Normal privilege: applications self-signed by the application developer and distributed through the Market place (though some illegitimate markets apparently exist). They run inside the "Dalvik" sandbox and use permissions approved by the user. There are three storage locations: "/data/app", "/data/app-private" and the SD card.

System privilege (often confused with administrator privilege, but different): the privilege granted to applications installed under the "/system" directory, or to applications with "SharedUserID='android.uid.system'" set. They can use SignatureOrSystem permissions, which enable special operations that Android provides.

Administrator privilege: Linux root privilege assigned outside the Android domain; Linux commands can be used.

rainit2006 commented 4 years ago

Rooting: for Android phones, what is commonly called Root is in fact using various methods to copy the system's SU program file into the /system/bin directory and install the SuperUser authorization manager, so that third-party applications can perform operations requiring Root privileges through the su program (the su program is the privilege management file).

rainit2006 commented 4 years ago

Apps that run with the system UID, e.g. com.android.system.ui, com.android.settings.

rainit2006 commented 4 years ago

https://www.nskint.co.jp/wp-content/uploads/2015/08/ESEC2011_Android_Knowhow.pdf