Modify the Android10 system source code to close selinux

1. Introduction to seandroid

       SEAndroid is a system security mechanism built around SELinux, officially launched by Google in Android 4.4. In the Android source code, the system's default SEAndroid configuration is stored in the following path:

/home/qiang/lineageOs/system/sepolicy

  The directory stores the te policy files for adbd, system_server, system apps, third-party apps and so on.

    By introducing the SEAndroid policy, Android strengthened the restrictions on apps' access to resources, and security is greatly improved. Take obtaining the wifi mac address as an example:

     Many Android apps obtain the phone's wifi mac address by reading /sys/class/net/wlan0/address. Viewing the file with an adb command shows the following permissions:

C:\Users\Qiang>adb shell ls -la  /sys/class/net/wlan0/address
-r--r--r-- 1 root root 4096 2021-01-12 14:57 /sys/class/net/wlan0/address

     The output above shows that, by file permissions, a mobile app can read the file. In Android 10, however, the system's SEAndroid policy does not allow an ordinary app to read /sys/class/net/wlan0/address, so the read fails with "permission denied". Because SEAndroid strengthens system security, letting an app access a particular system directory or path requires a specific rule in the te policy files, which is a little difficult for developers who are not familiar with SEAndroid configuration. Is there a way to access the file or directory without configuring the SEAndroid policy files, relying only on the read permission of the file or directory? The answer is to close SEAndroid globally.

 

2. Discussion on the way to close seandroid in Android

 

    1. Use the setenforce command to temporarily close

       The command is as follows

adb shell setenforce 0

    The setenforce command only closes SEAndroid temporarily: once the phone is restarted, it returns to its normal state.

   The path of setenforce in the Android source code is as follows:

external/toybox/toys/android/setenforce.c

The setenforce implementation code is as follows:

#define FOR_setenforce
#include "toys.h"

void setenforce_main(void)
{
    char *new = *toys.optargs;
    int state, ret;

    if (!is_selinux_enabled()) error_exit("SELinux is disabled");
    else if (!strcmp(new, "1") || !strcasecmp(new, "enforcing")) state = 1;
    else if (!strcmp(new, "0") || !strcasecmp(new, "permissive")) state = 0;
    else error_exit("Invalid state: %s", new);

    ret = security_setenforce(state);
    if (ret == -1) perror_msg("Couldn't set enforcing status to '%s'", new);
}

  The code above shows that setenforce ultimately calls the function security_setenforce to control selinux.

 

   2. Close selinux in the kernel

    Set SECURITY_SELINUX to false in the kernel configuration, recompile the kernel and flash the device. This closes SEAndroid permanently.

    The following is the setting in the .config file of the tested kernel build after selinux is turned off:

CONFIG_SECURITY_SELINUX=n

   

   3. Close selinux when the init process starts

     During Android system startup, the init process initializes selinux. It reads the /proc/cmdline file and uses the value of androidboot.selinux to decide whether selinux needs to be enabled. Therefore, we can force it off at the point where the init process initializes selinux.

    The rest of this article discusses the third option for closing selinux globally.

 

 3. Globally close selinux in the init process

 

    1. Selinux initialization process analysis in the init process

 

       The file paths related to selinux initialization in the init process are as follows:

system/core/init/selinux.cpp
system/core/init/main.cpp

     The approximate initialization process is as follows:

      a.  The main function in main.cpp calls SetupSelinux in selinux.cpp:

int main(int argc, char** argv) {
    // ... omitted
    if (!strcmp(argv[1], "selinux_setup")) {
        return SetupSelinux(argv);
    }
    // ... omitted
}

     b. The  SetupSelinux function in selinux.cpp is implemented as follows:

int SetupSelinux(char** argv) {
    // ... omitted
    SelinuxInitialize();
    // ... omitted
    return 1;
}

      c.  SetupSelinux calls the SelinuxInitialize method. The code of the SelinuxInitialize method is as follows:

// SelinuxInitialize calls the IsEnforcing method to decide the mode
void SelinuxInitialize() {
    // ... omitted
    bool kernel_enforcing = (security_getenforce() == 1);
    // Determine whether enforcing mode is required
    bool is_enforcing = IsEnforcing();
    if (kernel_enforcing != is_enforcing) {
        // Call security_setenforce, which works on the same principle as setenforce
        if (security_setenforce(is_enforcing)) {
            PLOG(FATAL) << "security_setenforce(%s) failed" << (is_enforcing ? "true" : "false");
        }
    }
    // ... omitted
}

    d. The IsEnforcing method is implemented as follows:

// Determine whether enforcing mode is required
bool IsEnforcing() {
    if (ALLOW_PERMISSIVE_SELINUX) {
        return StatusFromCmdline() == SELINUX_ENFORCING;
    }
    return true;
}

    IsEnforcing shows that if it always returns false, selinux will be closed.

 

    2. Modifications to forcibly close selinux globally

 

   The selinux initialization flow in the init process described above suggests two modifications for closing selinux globally.

  •   The first is to modify the IsEnforcing function to always return false. Modify as follows:

bool IsEnforcing() {
    ///ADD START
    if (1 > 0) {
        // Always return false
        return false;
    }
    ///ADD END
    if (ALLOW_PERMISSIVE_SELINUX) {
        return StatusFromCmdline() == SELINUX_ENFORCING;
    }
    return true;
}

  •   The second is to modify the SelinuxInitialize method so that it calls security_setenforce(false) directly. After the modification it reads as follows:

void SelinuxInitialize() {
    Timer t;

    LOG(INFO) << "Loading SELinux policy";
    if (!LoadPolicy()) {
        LOG(FATAL) << "Unable to load SELinux policy";
    }

    bool kernel_enforcing = (security_getenforce() == 1);
    bool is_enforcing = IsEnforcing();
    if (kernel_enforcing != is_enforcing) {
        if (security_setenforce(is_enforcing)) {
            PLOG(FATAL) << "security_setenforce(%s) failed" << (is_enforcing ? "true" : "false");
        }
    }
    // Call security_setenforce directly to close selinux
    ///ADD START
    security_setenforce(false);
    ///ADD END
    if (auto result = WriteFile("/sys/fs/selinux/checkreqprot", "0"); !result) {
        LOG(FATAL) << "Unable to write to /sys/fs/selinux/checkreqprot: " << result.error();
    }

    // init's first stage can't set properties, so pass the time to the second stage.
    setenv("INIT_SELINUX_TOOK", std::to_string(t.duration().count()).c_str(), 1);
}

   

After the modification, compile the source code and flash the device; the change takes effect after booting.
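
An added example, not AOSP code and not from the original article: it models the stock IsEnforcing() decision listed above and compares it with the enforcing state the kernel reports, which is how a device running an init changed in either of the two ways (or switched with setenforce 0) shows up in an audit. The androidboot.selinux=permissive value, reading /sys/fs/selinux/enforce as "1" or "0", and the names Audit, Verdict, ExpectedEnforcing and CmdlineWantsEnforcing are assumptions of this example.

```cpp
// Added example, not AOSP code. Audit, Verdict and the helpers are hypothetical names.
#include <iostream>
#include <sstream>
#include <string>

enum class Verdict { Consistent, UnexpectedPermissive, UnexpectedEnforcing, SelinuxAbsent };

// Same role as init's StatusFromCmdline(): enforcing unless the kernel command
// line carries androidboot.selinux=permissive (value assumed for stock init).
bool CmdlineWantsEnforcing(const std::string& cmdline) {
    const std::string key = "androidboot.selinux=";
    std::istringstream in(cmdline);
    std::string tok;
    bool enforcing = true;
    while (in >> tok) {
        if (tok.compare(0, key.size(), key) == 0 && tok.substr(key.size()) == "permissive") {
            enforcing = false;
        }
    }
    return enforcing;
}

// Stock IsEnforcing() as listed above, with ALLOW_PERMISSIVE_SELINUX passed in.
bool ExpectedEnforcing(bool allow_permissive, const std::string& cmdline) {
    if (allow_permissive) return CmdlineWantsEnforcing(cmdline);
    return true;
}

// enforce_node: contents of /sys/fs/selinux/enforce ("1" or "0"); empty when the
// node is missing, as on a kernel built without SELinux.
Verdict Audit(bool allow_permissive, const std::string& cmdline,
              const std::string& enforce_node) {
    if (enforce_node.empty()) return Verdict::SelinuxAbsent;
    const bool actual = enforce_node[0] == '1';
    const bool expected = ExpectedEnforcing(allow_permissive, cmdline);
    if (actual == expected) return Verdict::Consistent;
    // Not enforcing where stock init would enforce: setenforce 0 at runtime, or
    // an init changed in one of the two ways shown above.
    return actual ? Verdict::UnexpectedEnforcing : Verdict::UnexpectedPermissive;
}

int main() {
    // Constructed samples, not captured from a device.
    const char* names[] = {"consistent", "unexpected permissive",
                           "unexpected enforcing", "SELinux absent"};
    std::cout << names[static_cast<int>(Audit(false, "console=ttyS0", "0"))] << "\n"
              << names[static_cast<int>(Audit(true, "androidboot.selinux=permissive", "0"))] << "\n";
    return 0;
}
```

On a build where ALLOW_PERMISSIVE_SELINUX is off, the stock code path can only return true, so any non-enforcing reading is reported regardless of what the command line says.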

 

 


Origin blog.csdn.net/u011426115/article/details/112689147