Exploring SE for Android

Book Description

Discover Security Enhancements (SE) for Android to build your own protected Android-based systems

In Detail

You will start by exploring the nature of the security mechanisms behind Linux and SELinux, and as you complete the chapters, you will integrate and enable SE for Android into a System on Chip (SoC), a process that, prior to this book, has never before been documented in its entirety! Discover Android’s unique user space, from its use of the common UID and GID model to promote its security goals to its custom binder IPC mechanism. Explore the interface between the kernel and user space with respect to SELinux and investigate contexts and labels and their application to system objects.

This book will help you develop the necessary skills to evaluate and engineer secured products with the Android platform, whether you are new to the world of Security Enhanced Linux (SELinux) or experienced in secure system deployment.

What You Will Learn

  • Experiment with Linux and SELinux access controls

  • Build custom Android kernels

  • Backport SE for Android patches to different Android versions

  • Explore binder and property services, what they are, and how and why SELinux integrates them

  • Work with Android core internal systems like init and zygote

  • Learn how to keep pace with and navigate the details of fast-moving open source projects

  • Overcome obstacles in policy development through directed experimentation

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

    Table of Contents

    1. Exploring SE for Android
      1. Table of Contents
      2. Exploring SE for Android
      3. Credits
      4. Foreword
      5. About the Authors
      6. About the Reviewers
      7. www.PacktPub.com
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      8. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      9. 1. Linux Access Controls
        1. Changing permission bits
        2. Changing owners and groups
        3. The case for more
        4. Capabilities model
        5. Android's use of DAC
        6. Glancing at Android vulnerabilities
          1. Skype vulnerability
          2. GingerBreak
          3. Rage against the cage
          4. MotoChopper
        7. Summary
      10. 2. Mandatory Access Controls and SELinux
        1. Getting back to the basics
        2. Labels
          1. Users
          2. Roles
          3. Types
        3. Access vectors
        4. Multilevel security
        5. Putting it together
        6. Complexities and best practices
        7. Summary
      11. 3. Android Is Weird
        1. Android's security model
        2. Binder
          1. Binder's architecture
          2. Binder and security
        3. Zygote – application spawn
        4. The property service
        5. Summary
      12. 4. Installation on the UDOO
        1. Retrieving the source
        2. Flashing image on an SD card
        3. UDOO serial and Android Debug Bridge
        4. Flipping the switch
        5. It's alive
        6. Summary
      13. 5. Booting the System
        1. Policy load
        2. Fixing the policy version
        3. Summary
      14. 6. Exploring SELinuxFS
        1. Locating the filesystem
        2. Interrogating the filesystem
          1. The enforce node
          2. The disable file interface
          3. The policy file
          4. The null file
          5. The mls file
          6. The status file
          7. Access Vector Cache
          8. The booleans directory
          9. The class directory
          10. The initial_contexts directory
          11. The policy_capabilities directory
          12. ProcFS
        3. Java SELinux API
        4. Summary
      15. 7. Utilizing Audit Logs
        1. Upgrades – patches galore
        2. The audit system
          1. The auditd daemon
          2. Auditd internals
        3. Interpreting SELinux denial logs
        4. Contexts
        5. Summary
      16. 8. Applying Contexts to Files
        1. Labeling filesystems
          1. fs_use
          2. fs_task_use
          3. fs_use_trans
          4. genfscon
          5. Mount options
          6. Labeling with extended attributes
          7. The file_contexts file
          8. Dynamic type transitions
        2. Examples and tools
          1. Fixing up /data
        3. A side note on security
        4. Summary
      17. 9. Adding Services to Domains
        1. Init – the king of daemons
        2. Dynamic domain transitions
        3. Explicit contexts via seclabel
        4. Relabeling processes
        5. Limitations on app labeling
        6. Summary
      18. 10. Placing Applications in Domains
        1. The case to secure the zygote
        2. Fortifying the zygote
          1. Plumbing the zygote socket
          2. The mac_permissions.xml file
          3. keys.conf
          4. seapp_contexts
        3. Summary
      19. 11. Labeling Properties
        1. Labeling via property_contexts
        2. Permissions on properties
        3. Relabeling existing properties
        4. Creating and labeling new properties
        5. Special properties
          1. Control properties
          2. Persistent properties
          3. SELinux properties
        6. Summary
      20. 12. Mastering the Tool Chain
        1. Building subcomponents – targets and projects
        2. Exploring sepolicy's Android.mk
          1. Building sepolicy
          2. Controlling the policy build
          3. Digging deeper into build_policy
          4. Building mac_permissions.xml
          5. Building seapp_contexts
          6. Building file_contexts
          7. Building property_contexts
          8. Current NSA research files
        3. Standalone tools
          1. sepolicy-check
          2. sepolicy-analyze
        4. Summary
      21. 13. Getting to Enforcing Mode
        1. Updating to SEPolicy master
        2. Purging the device
        3. Setting up CTS
        4. Running CTS
        5. Gathering the results
          1. CTS test results
          2. Audit logs
        6. Authoring device policy
          1. adbd
          2. bootanim
          3. debuggerd
          4. drmserver
          5. dumpstate
          6. installd
          7. keystore
          8. mediaserver
          9. netd
          10. rild
          11. servicemanager
          12. surfaceflinger
          13. system_server
          14. toolbox
          15. untrusted_app
          16. vold
          17. watchdogd
          18. wpa
        7. Second policy pass
          1. init
          2. shell
          3. init_shell.te
        8. Field trials
        9. Going enforcing
        10. Summary
      22. A. The Development Environment
        1. VirtualBox
        2. Ubuntu Linux 12.04 (precise pangolin)
        3. VirtualBox extension pack and guest additions
          1. VirtualBox extension pack
          2. VirtualBox guest additions
        4. Save time with shared folders
        5. The build environment
        6. Oracle Java 6
        7. Summary
      23. Index