Android SELinux policy 작성
프로젝트 수행 중 SELinux policy 작성을 위해 진행한 수행사항에 대해 기록한다.
[ SELinux 설정 상태 확인 ]
$ adb shell getenforce
bootcmd에 아래와 같이 selinux=permissive 상태인 경우, 정의되지 않은 정책은 실행이 거부된다.
BOARD_KERNEL_CMDLINE
:= console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0
androidboot.hardware=qcom msm_rtb.filter=0x237 androidboot.selinux=permissive ehci-hcd.park=3
androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabl
ed=1 earlyprintk
[ selinux error/warning log 확보하기 ]
$ adb shell su 0 cat /proc/kmsg > dmesg.txtex)
[ 18.755615] init: avc: denied { set } for property=ro.radio.noril pid=517 uid=0 gid=0 scontext=u:r:qti_init_shell:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
[ audit2allow tool을 통해 policy 생성 ]
$ audit2allow -p out/target/product/device/root/sepolicy < dmesg.txt정상적으로 수행된다면 아래와 같은 추가되어야 할 policy 가 출력된다.
ex)
#============= audioserver ==============
allow audioserver audio_prop:property_service set;
allow audioserver bootanim:binder call;
allow audioserver rootfs:lnk_file getattr;
[ audit2allow 수행 Error case ]
==> audit2allow 명령어는 android build system ( source ./build/envsetup.sh && ㅣlunch <product_name>-<build_variant> 실행) 로딩 후 사용해야 한다.3.1. libsepol.policydb_read: policydb version 30 does not match my version range 15-29
=> Android prebuilt util을 사용해야 한다.
3.2.
libsepol.context_from_record: user u is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
=> android build system 환경에서 실행해야 한다.
$ cd [Android Top Dir]
$ source ./build/envsetup.sh
$ lunch
$ which audit2allow
[Android Build Top]/external/selinux/prebuilts/bin/audit2allow
wschoi@flabIot-ubuntu:~/work/qct/apq8009-la-2-0-2/LINUX/android/external/selinux/prebuilts/bin$ vi audit2allow
1 #!/bin/sh
2
3 unamestr=`uname`
4 if [ "$unamestr" = "Linux" -o "$unamestr" = "linux" ]; then
5 export LD_LIBRARY_PATH=$ANDROID_BUILD_TOP/external/selinux/prebuilts/lib
6 export PYTHONPATH=$ANDROID_BUILD_TOP/prebuilts/python/linux-x86/2.7.5/lib/python2.7/site-packages
7 python $ANDROID_BUILD_TOP/external/selinux/policycoreutils/audit2allow/audit2allow "$@"
8 else
9 echo "audit2allow is only supported on linux"
10 fi
#########################################################
수정사항
#########################################################
allow audioserver audio_prop:property_service set;
allow audioserver bootanim:binder call;
allow audioserver rootfs:lnk_file getattr;
#============= bootanim ==============
allow bootanim rootfs:lnk_file getattr;
#============= bootstat ==============
allow bootstat rootfs:lnk_file getattr;
#============= cameraserver ==============
allow cameraserver rootfs:lnk_file getattr;
#============= init ==============
allow init sdcardd_exec:file getattr;
#============= location ==============
allow location self:capability net_raw;
#============= mediacodec ==============
allow mediacodec rootfs:lnk_file getattr;
#============= mediadrmserver ==============
allow mediadrmserver rootfs:lnk_file getattr;
#============= perfd ==============
# allow perfd self:capability sys_ptrace;
libsepol.report_failure: neverallow on line 162 of system/sepolicy/domain.te (or line 9034 of policy.conf) violated by allow perfd perfd:capability { sys_ptrace };
libsepol.check_assertions: 1 neverallow failures occurred
#============= qti_init_shell ==============
allow qti_init_shell btnvtool_exec:file { execute execute_no_trans getattr open read };
allow qti_init_shell console_device:chr_file { getattr ioctl read write };
allow qti_init_shell ctl_default_prop:property_service set;
# allow qti_init_shell default_prop:property_service set;
allow qti_init_shell shell_prop:property_service set;
allow qti_init_shell sysfs_rqstats:dir { open read search };
#============= radio ==============
allow radio system_app_data_file:dir getattr;
#============= untrusted_app ==============
allow untrusted_app sysfs:file { getattr open read };
#============= wcnss_service ==============
allow wcnss_service self:capability { chown setgid setuid };
#============= healthd ==============
allow healthd device:dir { open read };
#############################################
# non permissive
#############################################
#============= bluetooth ==============
allow bluetooth storage_stub_file:dir getattr;
#============= perfd ==============
allow perfd self:capability sys_ptrace;
#============= priv_app ==============
allow priv_app device:dir read;
allow priv_app device:dir open;
allow priv_app self:udp_socket ioctl;
#============= shell ==============
allow shell cmxservices_prop:file read;
allow shell ctl_default_prop:property_service set;
#============= system_server ==============
allow system_server cmxservices_prop:file read;
allow system_server cmxservices_prop:file open;
#============= perfd ==============
allow perfd self:capability sys_ptrace;
#============= priv_app ==============
allow priv_app self:udp_socket ioctl;
#============= system_server ==============
allow system_server cmxservices_prop:file getattr;
댓글 없음:
댓글 쓰기