Android R setenforce 实现[通俗易懂]

大家好，又见面了，我是你们的朋友全栈君。

一、上层代码

开机启动 init 类 system/core/init/main.cpp 

int main(int argc, char** argv) {
#if __has_feature(address_sanitizer)
    __asan_set_error_report_callback(AsanReportCallback);
#endif

    if (!strcmp(basename(argv[0]), "ueventd")) {
        return ueventd_main(argc, argv);
    }

    if (argc > 1) {
        if (!strcmp(argv[1], "subcontext")) {
            android::base::InitLogging(argv, &android::base::KernelLogger);
            const BuiltinFunctionMap& function_map = GetBuiltinFunctionMap();

            return SubcontextMain(argc, argv, &function_map);
        }

        if (!strcmp(argv[1], "selinux_setup")) {
            return SetupSelinux(argv);
        }

        if (!strcmp(argv[1], "second_stage")) {
            return SecondStageMain(argc, argv);
        }
    }

    return FirstStageMain(argc, argv);
}

这里关键执行 SetupSelinux 调用，函数在 system/core/init/selinux.cpp 类中，这个类主要是初始化的 SELinux 操作。

SetupSelinux 函数中关注 SelinuxInitialize 函数，执行加载 policy 和设置 selinux 默认值。

enum EnforcingStatus { SELINUX_PERMISSIVE, SELINUX_ENFORCING };

// 根据系统 androidboot.selinux k-v判断是否是关闭 selinux
EnforcingStatus StatusFromCmdline() {
    EnforcingStatus status = SELINUX_ENFORCING;

    ImportKernelCmdline([&](const std::string& key, const std::string& value) {
        if (key == "androidboot.selinux" && value == "permissive") {
            status = SELINUX_PERMISSIVE;
        }
    });

    return status;
}

// 判断 selinux 状态
bool IsEnforcing() {
    if (ALLOW_PERMISSIVE_SELINUX) {
        return StatusFromCmdline() == SELINUX_ENFORCING;
    }
    return true;
}


void SelinuxInitialize() {
    LOG(INFO) << "Loading SELinux policy";
    if (!LoadPolicy()) {
        LOG(FATAL) << "Unable to load SELinux policy";
    }

    bool kernel_enforcing = (security_getenforce() == 1);
    bool is_enforcing = IsEnforcing();
    if (kernel_enforcing != is_enforcing) {
        // 设置 selinux 开启关闭
        if (security_setenforce(is_enforcing)) {
            PLOG(FATAL) << "security_setenforce(" << (is_enforcing ? "true" : "false")
                        << ") failed";
        }
    }

    if (auto result = WriteFile("/sys/fs/selinux/checkreqprot", "0"); !result.ok()) {
        LOG(FATAL) << "Unable to write to /sys/fs/selinux/checkreqprot: " << result.error();
    }
}

security_setenforce 函数是 libselinux 库中，代码路径 external/selinux/libselinux/src/setenforce.c 

int security_setenforce(int value)
{
	int fd, ret;
	char path[PATH_MAX];
	char buf[20];

	if (!selinux_mnt) {
		errno = ENOENT;
		return -1;
	}

	snprintf(path, sizeof path, "%s/enforce", selinux_mnt);
	fd = open(path, O_RDWR | O_CLOEXEC);
	if (fd < 0)
		return -1;

	snprintf(buf, sizeof buf, "%d", value);
	ret = write(fd, buf, strlen(buf));
	close(fd);
	if (ret < 0)
		return -1;

	return 0;
}

向对应节点写入数据。 selinux_mnt 定义在 external/selinux/libselinux/src/policy.h 中

/* Preferred selinux mount location */
#define SELINUXMNT "/sys/fs/selinux"
#define OLDSELINUXMNT "/selinux"

/* selinuxfs mount point */
extern char *selinux_mnt;

#define FILECONTEXTS "/etc/security/selinux/file_contexts"

#define DEFAULT_POLICY_VERSION 15

#endif

在 external/selinux/libselinux/src/init.c 中赋的值

/* 验证selinux文件系统的装载点是否具有selinuxfs。
*如果文件系统存在
*安装了selinux文件系统，
*文件系统是可读/写的
*然后将其设置为默认文件系统。
*/
static int verify_selinuxmnt(const char *mnt)
{
	struct statfs sfbuf;
	int rc;

	do {
		rc = statfs(mnt, &sfbuf);
	} while (rc < 0 && errno == EINTR);
	if (rc == 0) {
		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
			struct statvfs vfsbuf;
			rc = statvfs(mnt, &vfsbuf);
			if (rc == 0) {
				if (!(vfsbuf.f_flag & ST_RDONLY)) {
                    // 进行赋值
					set_selinuxmnt(mnt);
				}
				return 0;
			}
		}
	}

	return -1;
}
...

static void init_selinuxmnt(void)
{
	char *buf = NULL, *p;
	FILE *fp = NULL;
	size_t len;
	ssize_t num;

	if (selinux_mnt)
		return;

    // 优先 SELINUXMNT 值，在 external/selinux/libselinux/src/policy.h 中声明定义
	if (verify_selinuxmnt(SELINUXMNT) == 0) return;

	if (verify_selinuxmnt(OLDSELINUXMNT) == 0) return;
...
}
...

void set_selinuxmnt(const char *mnt)
{
    // 最终赋值
	selinux_mnt = strdup(mnt);
}

即 selinux_mnt 这个目录路径等于 /sys/fs/selinux 。设置 selinux 值向节点 /sys/fs/selinux/enforce

中写入值，通过这个节点值的读写和驱动关联起来。kernel 层通过节点的写入读出执行相应操作。

二、kernel 代码

节点的相关操作类 kernel/msm-4.19/security/selinux/selinuxfs.c

static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
				size_t count, loff_t *ppos)
{
	struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
	char tmpbuf[TMPBUFLEN];
	ssize_t length;

	length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
			   enforcing_enabled(fsi->state));
	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}

// 这个宏大致是表示 debug 版本
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
				 size_t count, loff_t *ppos)

{
	struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
	struct selinux_state *state = fsi->state;
	char *page = NULL;
	ssize_t length;
	int old_value, new_value;

	if (count >= PAGE_SIZE)
		return -ENOMEM;

	/* No partial writes. */
	if (*ppos != 0)
		return -EINVAL;

	page = memdup_user_nul(buf, count);
	if (IS_ERR(page))
		return PTR_ERR(page);

	length = -EINVAL;
	if (sscanf(page, "%d", &new_value) != 1)
		goto out;

	new_value = !!new_value;

	old_value = enforcing_enabled(state);
	if (new_value != old_value) {
		length = avc_has_perm(&selinux_state,
				      current_sid(), SECINITSID_SECURITY,
				      SECCLASS_SECURITY, SECURITY__SETENFORCE,
				      NULL);
		if (length)
			goto out;
		audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
			"enforcing=%d old_enforcing=%d auid=%u ses=%u"
			" enabled=%d old-enabled=%d lsm=selinux res=1",
			new_value, old_value,
			from_kuid(&init_user_ns, audit_get_loginuid(current)),
			audit_get_sessionid(current),
			selinux_enabled, selinux_enabled);
		enforcing_set(state, new_value);
		if (new_value)
			avc_ss_reset(state->avc, 0);
		selnl_notify_setenforce(new_value);
		selinux_status_update_setenforce(state, new_value);
		if (!new_value)
			call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
	}
	length = count;
out:
	kfree(page);
	return length;
}
#else
#define sel_write_enforce NULL
#endif

static const struct file_operations sel_enforce_ops = {
	.read		= sel_read_enforce,
	.write		= sel_write_enforce,
	.llseek		= generic_file_llseek,
};

读取文件时执行 sel_read_enforce ，写入时执行 sel_write_enforce 

读取函数比较简单，通过 enforcing_enabled 获取，enforcing_enabled 函数包括下面 write 中的相关函数 enforcing_set 都在文件 kernel/msm-4.19/security/selinux/include/security.h 中。

#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
static inline bool enforcing_enabled(struct selinux_state *state)
{
	return state->enforcing;
}

static inline void enforcing_set(struct selinux_state *state, bool value)
{
	state->enforcing = value;
}
#else
static inline bool enforcing_enabled(struct selinux_state *state)
{
	return true;
}

static inline void enforcing_set(struct selinux_state *state, bool value)
{
}
#endif

这里也是通过 CONFIG_SECURITY_SELINUX_DEVELOP 宏进行区分，user版本无法进行设置修改的意思。

enforcing_enabled 主要作用在avc判断上，源码文件 kernel/msm-4.19/security/selinux/avc.c

static noinline int avc_denied(struct selinux_state *state,
			       u32 ssid, u32 tsid,
			       u16 tclass, u32 requested,
			       u8 driver, u8 xperm, unsigned int flags,
			       struct av_decision *avd)
{
    audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR, " TEST %d", flags);
	if (flags & AVC_STRICT)
		return -EACCES;

	if (enforcing_enabled(state) &&
	    !(avd->flags & AVD_FLAGS_PERMISSIVE))
		return -EACCES;

	avc_update_node(state->avc, AVC_CALLBACK_GRANT, requested, driver,
			xperm, ssid, tsid, tclass, avd->seqno, NULL, flags);
	return 0;
}

在这里通过判断是否执行 avc denied ，然后执行授权 AVC_CALLBACK_GRANT 。

三、bin 文件

system/bin 目录下有 setenforce 和 getenforce 两个可执行文件，相关源码位于

external/toybox/toys/android/setenforce.c

void setenforce_main(void)
{
  char *new = *toys.optargs;
  int state, ret;

  if (!is_selinux_enabled()) error_exit("SELinux is disabled");
  else if (!strcmp(new, "1") || !strcasecmp(new, "enforcing")) state = 1;
  else if (!strcmp(new, "0") || !strcasecmp(new, "permissive")) state = 0;
  else error_exit("Invalid state: %s", new);

  ret = security_setenforce(state);
  if (ret == -1) perror_msg("Couldn't set enforcing status to '%s'", new);
}

 这里的 security_setenforce 函数即调用的上面的 libselinux 库中函数，流程一致

external/toybox/toys/android/getenforce.c

void getenforce_main(void)
{
  if (!is_selinux_enabled()) puts("Disabled");
  else {
    int ret = security_getenforce();

    if (ret == -1) perror_exit("Couldn't get enforcing status");
    else puts(ret ? "Enforcing" : "Permissive");
  }
}

同样的，这里 security_getenforce 也是调用的 libselinux 库，对应的源码 external/selinux/libselinux/src/getenforce.c 中函数

int security_getenforce(void)
{
	int fd, ret, enforce = 0;
	char path[PATH_MAX];
	char buf[20];

	if (!selinux_mnt) {
		errno = ENOENT;
		return -1;
	}

	snprintf(path, sizeof path, "%s/enforce", selinux_mnt);
	fd = open(path, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;

	memset(buf, 0, sizeof buf);
	ret = read(fd, buf, sizeof buf - 1);
	close(fd);
	if (ret < 0)
		return -1;

	if (sscanf(buf, "%d", &enforce) != 1)
		return -1;

	return !!enforce;
}

对节点 sys/fs/selinux/enforce 进行读取。

由于这个 sys/fs/selinux/enforce 节点权限是 600 的，所以必须是 root 后才能操作。