I'm trying to find what policy is actually enforced by my phone using selinux. You'd think this would be easy. After all, for security it is good to verify that your policy matches expectations. Unfortunately, I've found this shockingly hard to do, because A) android seems to use a forked policy version 30, and B) the policy toolchain seems to have a very low-quality build process (lots of hard-coded paths, etc.).
Here are two things I've tried that have not worked. If I try to use off-the-shelf setools tools (such as come packaged for fedora, or can be installed from AUR with arch linux), then I get the following (after pulling /sepolicy from by phone's root directory or factory image):
$ sedispol sepolicy
Reading policy...
libsepol.policydb_read: policydb version 30 does not match my version range 15-29
sedispol: error(s) encountered while parsing configuration
$ sesearch --all sepolicy
ERROR: policydb version 30 does not match my version range 15-29
ERROR: Unable to open policy sepolicy.
ERROR: Success
$
Okay, so that suggests I have to build the android version of the selinux libraries. The AOSP source tree comes with precompiled versions of some tools but these depend on old shared libraries that I don't have (like libpcre3). Anyway, it's pretty shocking if the only way to check your security policy is to trust some binary shared library you get off the net.
So here's what I did to build the android selinux libraries. On arch, I had to install ustr-selinux from AUR, because ustr uses inline where it is now required to use static inline. Okay, so far so good. Unfortunately, the build process is really gross, but I was able to get enough of it compiled and installed with the following:
git clone https://android.googlesource.com/platform/external/selinux \
android/external/selinux
export ANDROID_BUILD_TOP=$PWD/android
DESTDIR=$HOME/android_selinux
export LD_LIBRARY_PATH="$DESTDIR/lib:$DESTDIR/usr/lib"
cd android/external/selinux
sed -ie '/^LDLIBS.*(LIBDIR)/s/$/ ..\/lex.yy.o/' checkpolicy/test/Makefile
make install DESTDIR="$DESTDIR" \
PREFIX='$(DESTDIR)/usr' \
CFLAGS='-I$(PREFIX)/include' \
-j20 -k
cp checkpolicy/test/dispol "$DESTDIR/usr/sbin/sedispol"
cp checkpolicy/test/dismod "$DESTDIR/usr/sbin/sedismod"
At this point, sedispol works an an ordinary SElinux policy (like a version 29 policy.29 from fedora), but still won't show me what's going on with android:
$ ~/android_selinux/usr/sbin/sedispol sepolicy
Reading policy...
libsepol.avtab_read_item: more than one specifier
libsepol.avtab_read: failed on entry 457 of 5582
/home/user/android_selinux/usr/sbin/dispol: error(s) encountered while parsing configuration
$
I also tried compiling the vanilla setools3 tools against the android libraries. Again, not so easy, but I got it to work with:
DESTDIR=$HOME/android_selinux
export LD_LIBRARY_PATH="$DESTDIR/lib:$DESTDIR/usr/lib"
git clone https://github.com/TresysTechnology/setools3.git
cd setools3
./configure --prefix=$DESTDIR/usr --with-sepol-devel=$DESTDIR/usr CPPFLAGS="-I$DESTDIR/usr/include -L$DESTDIR/usr/lib"
make -k -j20
This doesn't fully build, but builds enough of the source tree that I can execute secmds/sesearch. This sort of works on a vanilla policy.29 file (I can search -A and -T, but --all gives me operation not supported). However, it completely fails with a similar error when trying to examine an android version 30 file:
$ ./secmds/sesearch -A sepolicy
ERROR: more than one specifier
ERROR: failed on entry 457 of 5582
ERROR: Unable to open policy sepolicy.
ERROR: Success
$
At this point my mind is kind of boggling that the tooling around something so critical as the system security policy is really this hard to build. Surely I must be doing something wrong. Has anyone actually managed to examine an android security policy without relying on externally distributed binary shared libraries?
I should add that I also tried the techniques suggested for rebuilding all prebuilt tools (ndk/build/tools/download-toolchain-sources.sh and ndk/build/tools/rebuild-all-prebuilt.sh). However the download-toolchain-sources.sh script is currently broken. It tries to check out old version directories that are not in the repositories any more, and anyway it doesn't appear to download any selinux related tools, despite that fact that prebuilts/python contains selinux-related code. Again, I'm shocked at how crufty these build systems are, and think there has to be an easier way. The question how can I get tools that allow me to check my android selinux policy?
No comments:
Post a Comment