Dbus / Session bus error

새 프로젝트에 DBus / session bus 연동으로 몇일을 고생한 듯 하다.

init process 또는 console에서 동작시킨 process에서는 문제가 없는데,

system 권한을 가진 process는 아래와 같은 [Error Log] 발생.

• system bus와 session bus는 모두 init process에서 동작시켰으니 root 권한.
• system bus 통신을 위한 socket device는 root:system ownership을 가져서 OK
• session bus 에서만 문제가 발생.

[ Error Log ]

Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

session bus를 사용하는 방법이 일반적이지 않은걸까?

자료를 찾다 보니 config option 중에 <allow_anonymous>가 있다.

configuration파일 (session.conf) 에 <allow_anonymous /> 추가하니 문제는 해결이 된다.

하지만, anonymous 에서 좀 걸린다.

dbus-daemon configuration file에 대한 내용을 찾아보니. 역시나 위험성에 대해 경고하고 있다. ( https://dbus.freedesktop.org/doc/dbus-daemon.1.html )

• <allow_anonymous>

If present, connections that authenticated using the ANONYMOUS mechanism will be authorized to connect. This option has no practical effect unless the ANONYMOUS mechanism has also been enabled using the <auth> element, described below.

Using this directive in the configuration of the well-known system bus or the well-known session bus will make that bus insecure and should never be done. Similarly, on custom bus types, using this directive will usually make the custom bus insecure, unless its configuration has been specifically designed to prevent anonymous users from causing damage or escalating privileges.

보안과 안정성 관련된 내용은 추가 검토 필요!!

Ubuntu - GPG error ( NO_PUBKEY )

Ubuntu 14.04 LTS + Jenkins 운영 중 발생한 GPG error 발생에 대한 처리.

Jenkins Server 설치 후 마음먹고 version update 시도 했으나, error message 부터 만났다.

[ Error case ]

$ sudo apt-get update

.....

W: GPG error: https://pkg.jenkins.io binary/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FCEF32E745F2C3D5

[ Resolve ]

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys FCEF32E745F2C3D5

Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.FjsBEAHsJi --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys FCEF32E745F2C3D5

gpg: requesting key 45F2C3D5 from hkp server keyserver.ubuntu.com

gpg: key 45F2C3D5: public key "Jenkins Project <jenkinsci-board@googlegroups.com>" imported

gpg: Total number processed: 1

gpg:               imported: 1  (RSA: 1)

$ sudo apt-get update

.....

Fetched 833 B in 20s (41 B/s)                                                  

Reading package lists... Done

Error case는 간단한 명령어 한줄로 해결되었으니.. 

명령어의 의미가 궁금해졌다. 

--------------------------------------------

$ apt-key -help

"apt-key는 apt가 패키지를 인증하는데 사용하는 키 리스트를 관리하는데 사용하는 유틸" 이라고 설명하고 있다. (http://manpages.ubuntu.com/manpages/bionic/man8/apt-key.8.html)

그럼 apt는?? (평소에 아무런 의심없이 사용해왔던 명령어(?기능) 들에 대한 정의를 모르고 있었다. 반성하자..ㅜ.ㅜ )

apt는 패키지 관리를 위한 high-level command line 인터페이스라고 정의가 되어 있다.

(http://manpages.ubuntu.com/manpages/hirsute/en/man8/apt.8.html)

처음으로 돌아가서.. 명령어에 대한 의미에 대한 정리를 해보자.

"sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys [Key]"

"gpg(GunPG, the GNU Privacy Guard)명령을 통해 keyserver.ubuntu.com에서 [Key] 에 대한 public key를 apt가 패키지를 인증하는데 사용하는 key list에서 추가한다." 의 의미가 된다.

ubuntu man page에는 --keyserver option 이 나오지 않는다.

gnupg.org(https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html) GPG Opitons page 에 deprecated 되었다고 나온다. ( 옵션 리스트에 나오지 않는 이유가 있었다.)

dirmngr.conf 사용에 대한 방법은 다시 정리를 해 봐야겠다.

--keyserver name

This option is deprecated - please use the --keyserver in dirmngr.conf instead.

Use name as your keyserver. This is the server that --receive-keys, --send-keys, and --search-keys will communicate with to receive keys from, send keys to, and search for keys on. The format of the name is a URI: ‘scheme:[//]keyservername[:port]’ The scheme is the type of keyserver: "hkp" for the HTTP (or compatible) keyservers, "ldap" for the LDAP keyservers, or "mailto" for the Graff email keyserver. Note that your particular installation of GnuPG may have other keyserver types available as well. Keyserver schemes are case-insensitive. After the keyserver name, optional keyserver configuration options may be provided. These are the same as the global --keyserver-options from below, but apply only to this particular keyserver.

[Android] SELinux on Android

Android SELinux policy 작성

프로젝트 수행 중 SELinux policy 작성을 위해 진행한 수행사항에 대해 기록한다.

[ SELinux 설정 상태  확인 ]

$ adb shell getenforce

bootcmd에 아래와 같이 selinux=permissive 상태인 경우, 정의되지 않은 정책은 실행이 거부된다.

BOARD_KERNEL_CMDLINE := console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=0x237 androidboot.selinux=permissive ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabl

    ed=1 earlyprintk

[ selinux error/warning log 확보하기 ]

 $ adb shell su 0 cat /proc/kmsg > dmesg.txt
ex)
[   18.755615] init: avc:  denied  { set } for property=ro.radio.noril pid=517 uid=0 gid=0 scontext=u:r:qti_init_shell:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1

[ audit2allow tool을 통해 policy 생성 ]

 $ audit2allow -p out/target/product/device/root/sepolicy < dmesg.txt

정상적으로 수행된다면 아래와 같은 추가되어야 할 policy 가 출력된다.
ex)
#============= audioserver ==============
allow audioserver audio_prop:property_service set;
allow audioserver bootanim:binder call;
allow audioserver rootfs:lnk_file getattr;

[ audit2allow 수행 Error case ]

==> audit2allow 명령어는 android build system ( source ./build/envsetup.sh && ㅣlunch <product_name>-<build_variant> 실행) 로딩 후 사용해야 한다. 

3.1. libsepol.policydb_read: policydb version 30 does not match my version range 15-29
=> Android prebuilt util을 사용해야 한다.

3.2.
libsepol.context_from_record: user u is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
=> android build system 환경에서 실행해야 한다.
$ cd [Android Top Dir]
$ source ./build/envsetup.sh
$ lunch
$ which audit2allow
[Android Build Top]/external/selinux/prebuilts/bin/audit2allow

wschoi@flabIot-ubuntu:~/work/qct/apq8009-la-2-0-2/LINUX/android/external/selinux/prebuilts/bin$ vi audit2allow
  1 #!/bin/sh
  2
  3 unamestr=`uname`
  4 if [ "$unamestr" = "Linux" -o "$unamestr" = "linux" ]; then
  5     export LD_LIBRARY_PATH=$ANDROID_BUILD_TOP/external/selinux/prebuilts/lib
  6     export PYTHONPATH=$ANDROID_BUILD_TOP/prebuilts/python/linux-x86/2.7.5/lib/python2.7/site-packages
  7     python $ANDROID_BUILD_TOP/external/selinux/policycoreutils/audit2allow/audit2allow "$@"
  8 else
  9     echo "audit2allow is only supported on linux"
 10 fi

#########################################################

수정사항

#########################################################

#============= audioserver ==============
allow audioserver audio_prop:property_service set;
allow audioserver bootanim:binder call;
allow audioserver rootfs:lnk_file getattr;

#============= bootanim ==============
allow bootanim rootfs:lnk_file getattr;

#============= bootstat ==============
allow bootstat rootfs:lnk_file getattr;


#============= cameraserver ==============
allow cameraserver rootfs:lnk_file getattr;

#============= init ==============
allow init sdcardd_exec:file getattr;

#============= location ==============
allow location self:capability net_raw;

#============= mediacodec ==============
allow mediacodec rootfs:lnk_file getattr;

#============= mediadrmserver ==============
allow mediadrmserver rootfs:lnk_file getattr;


#============= perfd ==============
# allow perfd self:capability sys_ptrace;

libsepol.report_failure: neverallow on line 162 of system/sepolicy/domain.te (or line 9034 of policy.conf) violated by allow perfd perfd:capability { sys_ptrace };
libsepol.check_assertions: 1 neverallow failures occurred



#============= qti_init_shell ==============
allow qti_init_shell btnvtool_exec:file { execute execute_no_trans getattr open read };
allow qti_init_shell console_device:chr_file { getattr ioctl read write };
allow qti_init_shell ctl_default_prop:property_service set;
# allow qti_init_shell default_prop:property_service set;
allow qti_init_shell shell_prop:property_service set;
allow qti_init_shell sysfs_rqstats:dir { open read search };

#============= radio ==============
allow radio system_app_data_file:dir getattr;

#============= untrusted_app ==============
allow untrusted_app sysfs:file { getattr open read };

#============= wcnss_service ==============
allow wcnss_service self:capability { chown setgid setuid };


#============= healthd ==============
allow healthd device:dir { open read };


#############################################
# non permissive
#############################################
#============= bluetooth ==============
allow bluetooth storage_stub_file:dir getattr;

#============= perfd ==============
allow perfd self:capability sys_ptrace;

#============= priv_app ==============
allow priv_app device:dir read;
allow priv_app device:dir open;
allow priv_app self:udp_socket ioctl;

#============= shell ==============
allow shell cmxservices_prop:file read;
allow shell ctl_default_prop:property_service set;

#============= system_server ==============
allow system_server cmxservices_prop:file read;
allow system_server cmxservices_prop:file open;


#============= perfd ==============
allow perfd self:capability sys_ptrace;

#============= priv_app ==============
allow priv_app self:udp_socket ioctl;

#============= system_server ==============
allow system_server cmxservices_prop:file getattr;