Design and Implementation of smack security policy for Android Access Control

Source: Internet
Author: User

1. Develop smack rules

The "zygote" process is created by the init process and is responsible for creating the system service process "systemserver", the "radio" process and the app processes. The "radio" process has UID 1001 and can make calls and send text messages. The "systemserver" process has UID 1000 and creates the system service components. The address book process has UID 10000 and can access the address book database. Processes with a UID greater than or equal to 10000 are Android application processes.

To implement access control for the "radio" and address book processes, this work uses the "setsmack" function from the "libsmack" library to set the security label of the "radio" process to "1001" and the security label of the address book process to "10000". Note that these two UIDs are hard-coded by the Android system and do not change between Android versions. Assume a process has UID XXX. When "zygote" forks it, the new process is initially privileged, so it can use "setsmack" to set its own security label to "XXX" and load the Smack security policy. Each rule below is written in Smack's native form: subject label, object label, access modes (r read, w write, x execute, a append; "-" means no access). Based on a large number of experiments, this study summarizes the following rules:

(1) ensure that a process runs properly: "XXX _ rwxa" & "_ XXX rwxa"

Because Smack is compiled into the Android system, all files and processes in the Android system carry the security label "_" by default. For a process whose security label has been reset to run properly, it must still be able to communicate with processes labelled "_" and to read and write files labelled "_".

(2) prohibit a process from running normally: "XXX _ ----"

(3) prohibit a process from sending text messages: "XXX 1001 ----"

Any process must communicate with the "radio" process through the "binder driver" to send text messages. Therefore, as long as the process cannot send messages to the "radio" process, it cannot send text messages.

(4) allow a process to send text messages: "XXX 1001 rwxa" & "1001 XXX rwxa"

(5) Allow the address book process to normally access the address book: "10000 contact rwxa"

"/data/com.android.providers.contacts/databases/contacts2.db" stores the address book information. Therefore, in "dalvik_system_zygote.cpp", the "setxattr" function from the "libsmack" library is used to set the security label of this database file to "contact". For the address book process to access the address book normally, it must have read, write, execute and append (rwxa) permission on the database file.

(6) allow a process to access the address book normally:

"XXX 10000 rwxa" & "10000 XXX rwxa"

Under rule (5), a process must communicate with the address book process through the "binder driver" to access the address book. Therefore, the two processes must be allowed to send messages to each other.

(7) prohibit a process from accessing the address book and calling record: "XXX 10000 ----"

(8) allow a process to access the SMS record: "xxx sms rwxa"

"/data/com.android.providers.telephony/databases/mmssms.db" is the database file for SMS and MMS messages. The "setxattr" function is likewise used to set the security label "sms" on this database file. Any process that wants to read text messages must be able to access this database file.

(9) prohibit a process from accessing the SMS record: "xxx sms ----"

(10) allow a process to access the SD card file: "XXX sdcard rwxa"

Smack attaches security labels through the virtual file system's "inode" and "super_block" structures rather than through the file system itself. Therefore, no matter which file system the SD card uses, all files on the SD card can be given the security label "sdcard".

(11) prohibit a process from accessing the SD card file: "XXX sdcard ----"

(12) do not allow Android to call or send text messages: "1001 _ ----"

The "_" here represents the radio daemon, which is created by the "init" process and whose executable is "/system/bin/radio". Android's call and text-message functions ultimately rely on this daemon to drive the hardware. The "1001" process communicates with the radio daemon through the "binder driver" to place calls and send text messages. To prevent every process in the Android system from making phone calls and sending text messages, it is sufficient that the "1001" process cannot send messages to the radio daemon.

(13) Allow the Android system to call and send text messages normally:

"1001 _ rwxa" & "_ 1001 rwxa"

2. Load the smack Policy

Because every sub-process that zygote creates with "fork" is initially a privileged process, as the following excerpt from "dalvik_system_zygote.cpp" shows:

    dvmDumpLoaderStats("zygote");

    pid = fork();

    if (pid == 0) {
        int err;
        ......
    }

Therefore, the control code can be inserted right after the declaration of the variable err. The following four functions are designed for this purpose:

    #ifdef HAVE_SMACK
    /*
     * Set the process's own smack label and smack rules
     * Return -1 if the database can not be opened correctly
     * Return 2 if the userid can not be found in the smack rules table
     * Else return 1 if the smack label and rules can be set correctly
     * Else return 0 if the smack label can not be set correctly
     */
    static int setsmacklabelrules(int userid);
    #endif

setsmacklabelrules searches the security policy database for the smack rules that belong to the given userid value.
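The rules of section 1 and the per-UID lookup that setsmacklabelrules performs can be modelled in a few dozen lines. The following C program is an added example, not code from the article: it parses a constructed in-memory policy table (standing in for the article's smack rules database), evaluates a subject/object/access query the way Smack treats explicit rules (a label always has full access to itself, otherwise deny unless a rule grants every requested mode), and formats the rules belonging to one UID as the "subject object access" lines that a loader would write to the kernel's smackfs load interface. The application UIDs 10001 and 10002 are constructed; Smack's built-in special labels ("*", "^", "@") and the floor label's implicit read access are not modelled, and nothing is written to the kernel.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RULES 64
#define LABEL_LEN 32

struct smack_rule {
    char subject[LABEL_LEN];
    char object[LABEL_LEN];
    char access[8];          /* some of "rwxa"; "----" grants nothing */
};

/* Constructed policy table standing in for the article's smack rules
 * database: 10001 is an app allowed to use contacts but not SMS/calls,
 * 10002 is an app allowed to use only the SD card. */
static const char *policy_table =
    "1001 _ rwxa\n"          /* rule 13: radio <-> radio daemon */
    "_ 1001 rwxa\n"
    "10000 contact rwxa\n"   /* rule 5: contacts app -> contacts2.db */
    "10001 _ rwxa\n"         /* rule 1 for app 10001 */
    "_ 10001 rwxa\n"
    "10001 1001 ----\n"      /* rule 3: app 10001 may not reach radio */
    "10001 10000 rwxa\n"     /* rule 6: app 10001 <-> contacts app */
    "10000 10001 rwxa\n"
    "10002 _ rwxa\n"         /* rule 1 for app 10002 */
    "_ 10002 rwxa\n"
    "10002 sdcard rwxa\n";   /* rule 10 */

static struct smack_rule rules[MAX_RULES];
static int rule_count;

/* Parse "subject object access" lines. Returns the rule count, -1 on error. */
int load_policy(const char *text)
{
    char buf[2048];
    char *line;

    rule_count = 0;
    if (strlen(text) >= sizeof buf)
        return -1;
    strcpy(buf, text);
    for (line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n")) {
        struct smack_rule *r;
        if (rule_count == MAX_RULES)
            return -1;
        r = &rules[rule_count];
        if (sscanf(line, "%31s %31s %7s", r->subject, r->object, r->access) != 3)
            return -1;
        rule_count++;
    }
    return rule_count;
}

/* 1 if subject may perform every mode letter in `mode` on object, else 0. */
int smack_access_allowed(const char *subject, const char *object, const char *mode)
{
    const struct smack_rule *r = NULL;
    int i;

    if (strcmp(subject, object) == 0)
        return 1;                         /* a label always has full access to itself */
    for (i = 0; i < rule_count; i++)
        if (strcmp(rules[i].subject, subject) == 0 &&
            strcmp(rules[i].object, object) == 0) {
            r = &rules[i];
            break;
        }
    if (r == NULL)
        return 0;                         /* no explicit rule: deny */
    for (; *mode; mode++)
        if (*mode != '-' && strchr(r->access, *mode) == NULL)
            return 0;
    return 1;
}

/* Collect every rule naming one UID's label into `out`, one load-interface
 * line each. Return codes follow the article's setsmacklabelrules: 2 if the
 * UID has no rules, 1 if the lines were produced, 0 if `out` is too small. */
int format_uid_policy(int uid, char *out, size_t outsz)
{
    char label[LABEL_LEN];
    size_t used = 0;
    int i, found = 0;

    snprintf(label, sizeof label, "%d", uid);
    out[0] = '\0';
    for (i = 0; i < rule_count; i++) {
        int n;
        if (strcmp(rules[i].subject, label) != 0 && strcmp(rules[i].object, label) != 0)
            continue;
        n = snprintf(out + used, outsz - used, "%s %s %s\n",
                     rules[i].subject, rules[i].object, rules[i].access);
        if (n < 0 || (size_t)n >= outsz - used)
            return 0;
        used += (size_t)n;
        found = 1;
    }
    return found ? 1 : 2;
}

int main(void)
{
    char lines[512];
    load_policy(policy_table);
    printf("10001 -> 1001 (SMS):      %s\n", smack_access_allowed("10001", "1001", "w") ? "allowed" : "denied");
    printf("10001 -> 10000 (contacts): %s\n", smack_access_allowed("10001", "10000", "w") ? "allowed" : "denied");
    printf("10001 -> sdcard:          %s\n", smack_access_allowed("10001", "sdcard", "r") ? "allowed" : "denied");
    if (format_uid_policy(10001, lines, sizeof lines) == 1)
        printf("rules for uid 10001:\n%s", lines);
    return 0;
}
```

Two points worth checking against the table: "10001 1001 ----" is an explicit deny, but "10001 sdcard" is denied just as firmly because no rule mentions the pair, which is why rule (1) has to grant "_" access explicitly once a process leaves the default label. The return code 2 for an unknown UID is the case a loader must treat as an error rather than silently leaving the process unlabelled.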

    /*
     * Set the sdcard label on the files on the sdcard according to the encryptedfiles table
     * Return -1 if the database can not be opened correctly
     * Return 1 if the files' xattr can be set correctly on the sdcard
     * Else return 0
     */
    #ifdef HAVE_SMACK
    static int setlabeltosdcardfiles();
    #endif

setlabeltosdcardfiles reads the absolute path of each file from the sdcard file list and calls setxattr to set the security label on that file. The code that sets the security labels on the SMS database and the address book database is also included here, as follows:

    #include <sys/xattr.h>
    #include <string.h>
    #include <stdbool.h>

    /* Smack keeps a file's label in the "security.SMACK64" extended attribute;
       the article does not show how smackattr is defined, so this definition is assumed. */
    static const char *smackattr = "security.SMACK64";
    bool xattr = true;

    /* SMS/MMS database: label "sms" (rules 8 and 9) */
    if (setxattr("/data/com.android.providers.telephony/databases/mmssms.db",
                 smackattr, "sms", strlen("sms") + 1, 0) < 0) {
        xattr = false;
    }

    /* address book database: label "contact" (rule 5) */
    if (setxattr("/data/com.android.providers.contacts/databases/contacts2.db",
                 smackattr, "contact", strlen("contact") + 1, 0) < 0) {
        xattr = false;
    }

To further control call and SMS behaviour, this work designs the initializeoutgoingcallwhitelist function, which imports the content of the whitelist data table into the whitelist configuration file, as shown below:

    #ifdef HAVE_SMACK
    /*
     * Initialize the outgoing call whitelist
     * Return 1 if the outgoingcallwhitelist file is initialized correctly
     * Else return 0
     */
    static int initializeoutgoingcallwhitelist();
    #endif

Because "radio" runs under a different user group, it cannot read the whitelist configuration file that zygote creates. Therefore, chmod must be used to change the access mode of the whitelist configuration file.
