O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Exploring SE for Android

Exploring SE for Android

by William Confer, William Roberts
Publisher: Packt Publishing
Release Date: February 2015
ISBN: 9781784390594
View table of contents
Start reading

Book Description

Discover Security Enhancements (SE) for Android to build your own protected Android-based systems

In Detail

You will start by exploring the nature of the security mechanisms behind Linux and SELinux, and as you complete the chapters, you will integrate and enable SE for Android into a System on Chip (SoC), a process that, prior to this book, has never before been documented in its entirety! Discover Android's unique user space, from its use of the common UID and GID model to promote its security goals to its custom binder IPC mechanism. Explore the interface between the kernel and user space with respect to SELinux and investigate contexts and labels and their application to system objects.

This book will help you develop the necessary skills to evaluate and engineer secured products with the Android platform, whether you are new to world of Security Enhanced Linux (SELinux) or experienced in secure system deployment.

What You Will Learn

  • Experiment with Linux and SELinux access controls
  • Build custom Android kernels
  • Backport SE for Android patches to different Android versions
  • Explore binder and property services, what they are, and how and why SELinux integrates them
  • Work with Android core internal systems like init and zygote
  • Learn how to keep pace with and navigate the details of fast moving open source projects
  • Overcome obstacles in policy development through directed experimentation

Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

  1. Exploring SE for Android
    1. Table of Contents
    2. Exploring SE for Android
    3. Credits
    4. Foreword
    5. About the Authors
    6. About the Reviewers
    7. www.PacktPub.com
      1. Support files, eBooks, discount offers, and more
        1. Why subscribe?
        2. Free access for Packt account holders
    8. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Downloading the example code
        2. Errata
        3. Piracy
        4. Questions
    9. 1. Linux Access Controls
      1. Changing permission bits
      2. Changing owners and groups
      3. The case for more
      4. Capabilities model
      5. Android's use of DAC
      6. Glancing at Android vulnerabilities
        1. Skype vulnerability
        2. GingerBreak
        3. Rage against the cage
        4. MotoChopper
      7. Summary
    10. 2. Mandatory Access Controls and SELinux
      1. Getting back to the basics
      2. Labels
        1. Users
        2. Roles
        3. Types
      3. Access vectors
      4. Multilevel security
      5. Putting it together
      6. Complexities and best practices
      7. Summary
    11. 3. Android Is Weird
      1. Android's security model
      2. Binder
        1. Binder's architecture
        2. Binder and security
      3. Zygote – application spawn
      4. The property service
      5. Summary
    12. 4. Installation on the UDOO
      1. Retrieving the source
      2. Flashing image on an SD card
      3. UDOO serial and Android Debug Bridge
      4. Flipping the switch
      5. It's alive
      6. Summary
    13. 5. Booting the System
      1. Policy load
      2. Fixing the policy version
      3. Summary
    14. 6. Exploring SELinuxFS
      1. Locating the filesystem
      2. Interrogating the filesystem
        1. The enforce node
        2. The disable file interface
        3. The policy file
        4. The null file
        5. The mls file
        6. The status file
        7. Access Vector Cache
        8. The booleans directory
        9. The class directory
        10. The initial_contexts directory
        11. The policy_capabilities directory
        12. ProcFS
      3. Java SELinux API
      4. Summary
    15. 7. Utilizing Audit Logs
      1. Upgrades – patches galore
      2. The audit system
        1. The auditd daemon
        2. Auditd internals
      3. Interpreting SELinux denial logs
      4. Contexts
      5. Summary
    16. 8. Applying Contexts to Files
      1. Labeling filesystems
        1. fs_use
        2. fs_task_use
        3. fs_use_trans
        4. genfscon
        5. Mount options
        6. Labeling with extended attributes
        7. The file_contexts file
        8. Dynamic type transitions
      2. Examples and tools
        1. Fixing up /data
      3. A side note on security
      4. Summary
    17. 9. Adding Services to Domains
      1. Init – the king of daemons
      2. Dynamic domain transitions
      3. Explicit contexts via seclabel
      4. Relabeling processes
      5. Limitations on app labeling
      6. Summary
    18. 10. Placing Applications in Domains
      1. The case to secure the zygote
      2. Fortifying the zygote
        1. Plumbing the zygote socket
        2. The mac_permissions.xml file
        3. keys.conf
        4. seapp_contexts
      3. Summary
    19. 11. Labeling Properties
      1. Labeling via property_contexts
      2. Permissions on properties
      3. Relabeling existing properties
      4. Creating and labeling new properties
      5. Special properties
        1. Control properties
        2. Persistent properties
        3. SELinux properties
      6. Summary
    20. 12. Mastering the Tool Chain
      1. Building subcomponents – targets and projects
      2. Exploring sepolicy's Android.mk
        1. Building sepolicy
        2. Controlling the policy build
        3. Digging deeper into build_policy
        4. Building mac_permissions.xml
        5. Building seapp_contexts
        6. Building file_contexts
        7. Building property_contexts
        8. Current NSA research files
      3. Standalone tools
        1. sepolicy-check
        2. sepolicy-analyze
      4. Summary
    21. 13. Getting to Enforcing Mode
      1. Updating to SEPolicy master
      2. Purging the device
      3. Setting up CTS
      4. Running CTS
      5. Gathering the results
        1. CTS test results
        2. Audit logs
      6. Authoring device policy
        1. adbd
        2. bootanim
        3. debuggerd
        4. drmserver
        5. dumpstate
        6. installd
        7. keystore
        8. mediaserver
        9. netd
        10. rild
        11. servicemanager
        12. surfaceflinger
        13. system_server
        14. toolbox
        15. untrusted_app
        16. vold
        17. watchdogd
        18. wpa
      7. Second policy pass
        1. init
        2. shell
        3. init_shell.te
      8. Field trials
      9. Going enforcing
      10. Summary
    22. A. The Development Environment
      1. VirtualBox
      2. Ubuntu Linux 12.04 (precise pangolin)
      3. VirtualBox extension pack and guest additions
        1. VirtualBox extension pack
        2. VirtualBox guest additions
      4. Save time with shared folders
      5. The build environment
      6. Oracle Java 6
      7. Summary
    23. Index