Introduction to Android SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) system integrated into the Linux kernel. On Android, SELinux is critical, enforcing granular permissions that go beyond traditional Unix discretionary access control (DAC). It defines what every process, file, and system resource can and cannot do, significantly hardening the platform against privilege escalation and malicious applications. For reverse engineers and security researchers, understanding Android’s SELinux policy is paramount to identifying potential attack surfaces, understanding sandbox limitations, and discovering policy bypass opportunities.
This guide delves into the core concepts of Android SELinux, demonstrating how to analyze its policies and discussing common techniques that attackers might leverage to bypass its stringent controls. We’ll cover everything from policy structure to practical command-line analysis.
SELinux Fundamentals on Android
SELinux operates on the principle of least privilege, meaning everything is denied unless explicitly allowed. Key concepts include:
- Security Contexts: Every process, file, and network port has an associated security context, typically represented as user:role:type:sensitivity. On Android, the common format simplifies to u:object_r:type:s0 for objects and u:r:domain:s0 for processes. The type (or domain for processes) is the most critical component for policy decisions.
- Policy Rules: These rules define interactions between contexts. A typical rule is allow source_type target_type:class permissions;.
- Classes & Permissions: Resources (like files, sockets, processes) are categorized into object classes (e.g., file, dir, socket), and specific permissions (e.g., read, write, execute, bind, transfer) are defined for each class.
- Domains & Types: A process’s security context is called a domain, while a file or other resource’s context is called a type. Policies define how domains can interact with types and other domains.
- Policy Files: On a device, the compiled SELinux policy is found at /sepolicy (or sometimes /vendor/etc/selinux/precompiled_sepolicy or similar paths in newer Android versions). This binary file is compiled from a collection of .te (type enforcement) files, common interface (.if) files, and policy language (.cil) files.
Analyzing the Android SELinux Policy
To begin, you need access to the device’s SELinux policy. For rooted devices, you can pull it directly. For unrooted devices, you might extract it from factory images.
1. Extracting the Policy
Using adb, you can pull the active policy:
adb shell su -c 'cp /sys/fs/selinux/policy /data/local/tmp/sepolicy'
adb pull /data/local/tmp/sepolicy ./
Alternatively, find the policy file in common locations:
adb shell find / -name "*sepolicy*" 2>/dev/null
2. Decompiling and Analyzing
Once you have sepolicy, you’ll need tools to decompile and analyze it. The Android open-source project (AOSP) provides sepolicy-analyze and sesearch. You can build these from the AOSP source or find precompiled versions.
# Assuming you have sesearch in your PATH
sesearch -A -s untrusted_app -t app_data_file -c file -p read,write
This command searches for rules allowing untrusted_app domain to read or write app_data_file type files. Replace untrusted_app, app_data_file, and permissions with your targets.
3. Checking Current Context and Enforcement
On the device, you can query the current SELinux state:
# Check current enforcement mode (Enforcing or Permissive)
adb shell getenforce
# Get the security context of the shell process
adb shell id -Z
# Get the security context of a file
adb shell ls -Z /data/local/tmp
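The following is an added example, not part of the original guide and not an AOSP or SETools tool. It ties the fundamentals above (contexts, allow rules, default deny) to the analysis steps: it parses security contexts, parses allow rules in the format sesearch prints, parses the context-then-name lines that toybox ls -Z prints, and answers "which files in this directory can a given domain write?". All rule lines and directory listings below are constructed sample data, and the rule grammar is a deliberately reduced subset (plain allow rules only, no attributes, no MLS categories).

```python
"""Toy SELinux policy checker (added example, constructed data).

Understands only plain `allow src tgt:class perms;` rules such as sesearch
prints, and `ls -Z` output of the form `<context> <name>`.  It ignores type
attributes and the MLS level, so it is a teaching aid, not a substitute for
sesearch/sepolicy-analyze against the real binary policy.
"""
import re
from typing import Dict, FrozenSet, List, NamedTuple, Tuple


class Context(NamedTuple):
    user: str
    role: str
    type: str   # the domain for processes, the file type for objects
    level: str  # sensitivity plus optional categories, e.g. s0:c512,c768


def parse_context(ctx: str) -> Context:
    """Split u:r:untrusted_app:s0:c512,c768 into its four fields.

    The level itself may contain a colon (s0:c512,c768), so split at most
    three times rather than on every colon.
    """
    parts = ctx.strip().split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed security context: {ctx!r}")
    return Context(*parts)


# allow <src> <tgt>:<class> { p1 p2 ... };   or   allow <src> <tgt>:<class> p1;
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;\s*$"
)

Rule = Tuple[str, str, str, FrozenSet[str]]  # (source, target, class, perms)


def parse_rules(text: str) -> List[Rule]:
    """Parse allow rules; lines that are not plain allow rules are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # neverallow, type_transition, attributes, etc.
        perms = m["perms"].split() if m["perms"] is not None else [m["perm"]]
        rules.append((m["src"], m["tgt"], m["cls"], frozenset(perms)))
    return rules


def is_allowed(rules: List[Rule], domain: str, target: str, cls: str, perm: str) -> bool:
    """Default deny: True only if some allow rule grants perm on (target, cls)."""
    for src, tgt, rcls, perms in rules:
        if tgt == "self":          # `self` means the subject's own domain
            tgt = src
        if src == domain and tgt == target and rcls == cls and perm in perms:
            return True
    return False


def parse_ls_z(text: str) -> Dict[str, Context]:
    """Map file name -> Context from `ls -Z` lines of the form `<context> <name>`."""
    listing: Dict[str, Context] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ctx, name = line.split(None, 1)
        listing[name.strip()] = parse_context(ctx)
    return listing


def files_with_perm(rules: List[Rule], listing: Dict[str, Context],
                    domain: str, perm: str = "write") -> List[str]:
    """Names of files (class `file`) on which `domain` holds `perm`."""
    return sorted(name for name, ctx in listing.items()
                  if is_allowed(rules, domain, ctx.type, "file", perm))


# Constructed sample rules, in the shape sesearch -A prints them.
SAMPLE_RULES = """
allow untrusted_app app_data_file:file { getattr open read write };
allow untrusted_app app_data_file:dir { read search };
allow untrusted_app untrusted_app_tmpfs:file execute;
allow shell shell_data_file:file { create open read write };
neverallow untrusted_app system_file:file write;
"""

# Constructed sample `ls -Z` output for a hypothetical directory.
SAMPLE_LS_Z = """\
u:object_r:shell_data_file:s0 sepolicy
u:object_r:app_data_file:s0 notes.txt
u:object_r:system_file:s0 libfoo.so
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    listing = parse_ls_z(SAMPLE_LS_Z)
    for domain in ("untrusted_app", "shell"):
        print(domain, "can write:", files_with_perm(rules, listing, domain))
```

Running the script reports that untrusted_app can write only notes.txt and shell only sepolicy; libfoo.so is writable by neither because no allow rule names system_file, which is the default-deny behaviour described above. Feeding real sesearch output into parse_rules works for plain allow rules, but remember that the real policy also grants permissions through type attributes and restricts app-to-app access with MLS categories, both of which this example ignores.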
Identifying and Leveraging Policy Weaknesses
Attackers often look for gaps or overly permissive rules in the SELinux policy. These aren’t necessarily