setools-android with sepolicy-inject

By Mikos, Junior Member on 19th December 2014, 02:59 AM
Announcement from Mikos: Sepolicy-inject - opensource tool for changing SELinux policy at runtime (alternative to supolicy)
Introduction
In Android 5.0, SELinux is in enforcing mode and sometimes you (or some root application) need to change SELinux policy. There has been only one tool capable of this at runtime - Chainfire's supolicy (part of SuperSU). But this tool is closed source and closed source root apps are a great security risk. So I have fixed and enhanced sepolicy-inject from Joshua Brindle and combined it with setools-android by Dmitry Podgorny (pasis) to make it buildable with Android NDK.

Installation instructions
You must have android-ndk installed. Then run:

Code:
git clone https://github.com/xmikos/setools-android.git
cd setools-android
ndk-build
Now you can copy executables from libs/armeabi directory (sepolicy-inject, sesearch and seinfo) to /system/xbin directory on your device.

Usage
Code:
sepolicy-inject -s <source type> -t <target type> -c <class> -p <perm>[,<perm2>,<perm3>,...] [-P <policy file>] [-o <output file>] [-l|--load]
sepolicy-inject -Z type_to_make_permissive [-P <policy file>] [-o <output file>] [-l|--load]
sepolicy-inject -z type_to_make_nonpermissive [-P <policy file>] [-o <output file>] [-l|--load]
For example if you want to allow vdc to write to pseudo-terminal (so you can see replies from vdc command):

Code:
sepolicy-inject -s vdc -t devpts -c chr_file -p read,write -l
Download
Latest binaries for all architectures
Project on GitHub


XDA:DevDB Information
setools-android with sepolicy-inject, Tool/Utility for all devices (see above for details)

Contributors
Mikos, joshua_brindle, Dmitry Podgorny (pasis)
Source Code: https://github.com/xmikos/setools-android


Version Information
Status: Stable
Current Stable Version: 1.3
Stable Release Date: 2017-08-22

Created 2014-12-19
Last Updated 2017-08-22
moonbutt74
20th July 2015, 07:06 PM |#2  
Guest
Mikos,

hi,

i was wondering if you would go further into depth on the command line options,
specifically can i "piggy-back" supolicy onto sepolicy or can you provide a non-generic example of
how to inject say a static su binary with the proper context [seapp_context,file_context,property_context,service_context]

i would be doing this in a debian arm chroot,
the policy is for samsung galaxy tab 4 8.0 sm-t330nu LP 5.1.1 firmware release.

i'm battling apparently selinux AND knox

my current adventure is outlined here..,
http://forum.xda-developers.com/tab-...persu-t3160110

i have cloned your repo and am downloading either ndk or studio.

thanks

m
20th July 2015, 09:51 PM |#3  
OP Junior Member
Quote:
Originally Posted by moonbutt74

Mikos,
i was wondering if you would go further into depth on the command line options,
specifically can i "piggy-back" supolicy onto sepolicy or can you provide a non-generic example of
how to inject say a static su binary with the proper context [seapp_context,file_context,property_context,service_context]

Hello, the syntax is simple, if you want comparison with supolicy, here is one example (taken from my SnooperStopper app):

Code:
supolicy --live 'allow vdc init fifo_file {read write getattr}'
is equivalent to:

Code:
sepolicy-inject -s vdc -t init -c fifo_file -p read,write,getattr -l
moonbutt74
21st July 2015, 12:46 AM |#4  
Guest
Mikos,

thanks i got your toolkit built API 19 armeabi-v7a
seinfo is neat.
okay so i am a bit of a dumb dumb, would you be up for jumping in on my thread and helping out.
the problem with supersu seems to be at app_process -> /system/xbin/daemonsu
Code:
F/appproc (  305): Error changing dalvik-cache ownership : Permission denied
F/libc    (  305): Fatal signal 6 (SIGABRT), code -6 in tid 305 (app_process32_o)
and that's where i'm stuck,
also how do i build these tools fully static if possible ? the deb arm chroot doesn't seem to like them

thanks

m
23rd July 2015, 02:26 PM |#5  
OP Junior Member
I have released version 1.1 (with support for allowing multiple SELinux permissions at once). I have also updated binaries (now built for armeabi, armeabi-v7a, mips and x86). You can download them from XDA Developers or GitHub.
23rd July 2015, 02:31 PM |#6  
OP Junior Member
Quote:
Originally Posted by moonbutt74

okay so i am a bit of a dumb dumb, would be up for jumping in on my thread and helping out.
the problem with supersu seems to be at app_process -> /system/xbin/daemonsu

Code:
F/appproc (  305): Error changing dalvik-cache ownership : Permission denied
F/libc    (  305): Fatal signal 6 (SIGABRT), code -6 in tid 305 (app_process32_o)

Sorry, I don't know what can be your problem. But have you looked at logcat? You should see exact missing SELinux permissions there...

Quote:
Originally Posted by moonbutt74

also how do i build these tools fully static if possible ? the deb arm chroot doesn't seem to like them

These binaries are built static. Or at least static for Android (standard NDK build). Debian in chroot may use different libc or something like that.
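Mikos's advice above is to read the missing permissions out of logcat. As an added example (not part of the thread or of setools-android), this sketch converts `avc: denied` lines into `sepolicy-inject` commands in the syntax from the first post. The sample log lines are constructed, and the function names `sample_denials` and `avc_to_inject` are hypothetical.

```sh
#!/bin/sh
# Added example: convert "avc: denied" log lines into sepolicy-inject commands,
# merging permissions per (source type, target type, class) triple.

# Constructed sample log (not taken from the thread).
sample_denials() {
cat <<'EOF'
W/vdc ( 1234): type=1400 audit(0.0:5): avc: denied { read } for path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:vdc:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
W/vdc ( 1234): type=1400 audit(0.0:6): avc: denied { read write } for path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:vdc:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
I/example ( 100): unrelated line without a denial
W/vdc ( 1234): type=1400 audit(0.0:7): avc: denied { read write getattr } for path="pipe:[4242]" dev="pipefs" ino=4242 scontext=u:r:vdc:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
EOF
}

# Reads log text on stdin; prints one command per triple, sorted.
avc_to_inject() {
  awk '
    /avc: +denied/ {
      src = ""; tgt = ""; cls = ""; perms = ""; inperm = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inperm = 1; continue }
        if ($i == "}") { inperm = 0; continue }
        if (inperm) { perms = perms " " $i; continue }
        # Contexts look like u:r:vdc:s0, so the type is the third field.
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/) cls = substr($i, 8)
      }
      if (src == "" || tgt == "" || cls == "") next   # truncated line
      key = src " " tgt " " cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) {
        if ((key, p[j]) in seen) continue              # already collected
        seen[key, p[j]] = 1
        if (key in list) list[key] = list[key] "," p[j]
        else list[key] = p[j]
      }
    }
    END {
      for (key in list) {
        split(key, k, " ")
        printf "sepolicy-inject -s %s -t %s -c %s -p %s -l\n", k[1], k[2], k[3], list[key]
      }
    }' | sort
}

sample_denials | avc_to_inject
```

The function only prints the commands, so each rule can be reviewed before it is loaded; on a device the input would come from `logcat -d` or `dmesg`.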
moonbutt74
25th July 2015, 06:35 PM |#7  
Guest
Mikos,

hi , thanks again i got sorted on working with the toolkit

i am 33 permissive domains and numerous modified permissions in and still haven't hit on the right one yet, but i'm having fun.
i am guessing file_lnk or a trans permission is what i should be focusing on ?

a quick question, the policy injection is permanent or do i need to script out an init.rc or init.d function[s] ?

i ask because i did an experiment while in recovery with system mounted to restrict/remove a permission/permissive domain and on rebooting to recovery the change stuck, i modified access to sbin and sure enough after rebooting to recovery i could not run the custom utilities i have installed even with root access.

also i can not access allow/neverallow [av rules] rules when using sesearch, is this an intended limitation, or is there some additional code/patching required?

thanks.

m
29th July 2015, 11:16 AM |#8  
Member
Nice tool, thanks. Is there a way to inject new source and target types or is it only possible to expand existing contexts?
moonbutt74
29th July 2015, 02:15 PM |#9  
Guest
Quote:
Originally Posted by cloooned

Nice tool, thanks. Is there a way to inject new source and target types or is it only possible to expand existing contexts?

C,
hi, you can only work with what's in the policy if i'm doing the following correctly

for -s <source type>
Code:
sepolicy-inject -s hack -t system -c process -p write -P sepolicy -o sepolicy-UNdead
libsepol.policydb_index_others: security:  1 users, 2 roles, 1331 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  86 classes, 15661 rules, 0 cond rules
source type hack does not exist
Could not add rule
same for -t <target type>
Code:
sepolicy-inject -s shell -t hack -c process -p write -P sepolicy -o sepolicy-UNdead
"blah blah"
target type hack does not exist
Could not add rule
NOT the same for -c <class> , with class i was looking through external/sepolicy/security_classes to find a valid class not in policy
Code:
# More SE-X Windows stuff
class x_resource # userspace
so

Code:
sepolicy-inject -s shell -t system -c x_resource -p write -P sepolicy -o sepolicy-UNdead
libsepol.policydb_index_others: security:  1 users, 2 roles, 1331 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  86 classes, 15661 rules, 0 cond rules

sesearch -A -c x_resource sepolicy-UNdead
Found 1 semantic av rules:
   allow shell system_server : x_resource write ;
so, again i am probably doing the first two wrong but i'm having a difficult time finding out what valid entries i can attempt
for <source> and <target> that aren't in the policy. <class> was easier as i figured there would be any x_window stuff.

m
10th September 2015, 09:42 AM |#10  
Member
Quote:
Originally Posted by Mikos

In Android 5.0, SELinux is in enforcing mode and sometimes you (or some root application) need to change SELinux policy. There has been only one tool capable of this at runtime - Chainfire's supolicy (part of SuperSU). But this tool is closed source and closed source root apps are a great security risk. So I have fixed and enhanced sepolicy-inject from Joshua Brindle and combined it with setools-android by Dmitry Podgorny (pasis) to make it buildable with Android NDK.

Hi and thank you for the awesome tool!

A little question (probably also a dumb one) - will it work if called for init service, user root group root, default init service context?

Something like

Code:
service humble_sepatcher /system/bin/sh /system/xbin/sepolicy-inject "[ parameters go here I suppose ;) ]"
    user root
    group root
    class core
    oneshot
Usecase:
I want to temporarily switch Selinux to Permissive mode very early in the init sequence (adding early initd to a ROM I don't have sources for)

setenforce and "write /sys/fs/selinux/enforce 0" do not work during init (but after the system boots completely and SuperSU finally does its deed, I can do setenforce 0 and enter permissive mode)

Also, since I am rather lame when it comes to Selinux what would be the best way to go about it ? (I suspect that allowing /system/bin/sh and echo to write to /sys/fs/selinux/enforce might be enough, but so far I can't even think of where to start)
13th December 2015, 02:35 PM |#11  
Senior Member
Hello @Mikos,
I was wondering if your tool would get an update to support android 6 and policydb version 30. In the attachment is the error I receive.
Attachment: Screenshot_20151213-133659.png