Thanks for the response.
They aren't setuid binaries. The app invokes an interactive root shell
by executing su and then piping shell commands to it and reading
from it.
There does not appear to be any system service for interacting with
NFLOG, which is why the nflog binary was created.
I read your paper, "Security Enhanced (SE) Android: Bringing
Flexible MAC to Android", and there is this statement in it:
"Next, the policy denied GingerBreak’s attempt to create
the netlink socket, as there is no legitimate need for user
shells or apps to create this type of socket."
I do think that using netlink sockets to be able to read NFLOG
entries is a legitimate need, especially since there is no such
system service for this and that there is unlikely to be one.
But in any case, I'm not very familiar with SELinux/SEAndroid
commands, and I would like to know if there's a simple way
for the app or the end-user to allow the nflog binary to access
netlink sockets.
I am hoping for something not so all-or-nothing as executing
'setenforce 0' and less invasive than moving the binary to
/system and chowning/chmodding it to be a system command.
Ideally, it'd be great if it were possible for the user to set an
exemption or to change the context -- is this or something similar
possible?
On Thu, Apr 24, 2014 at 12:32 PM, Stephen Smalley <[email protected]> wrote:
> On 04/24/2014 02:23 PM, pragma wrote:
> > Hello SEAndroid folks,
> >
> > I created and maintain an Android app called Network Log. It uses
> > iptables logging to monitor network transmissions and record statistics
> > about them.
> >
> > Historically, Android has shipped with a Linux kernel with the
> > iptables/netfilter LOG (CONFIG_NETFILTER_XT_TARGET_LOG) target enabled.
> > To monitor the logging using the LOG target, you would typically read
> > /proc/kmsg and watch for the logging output. Network Log has no
> > problems doing this with SEAndroid since it uses the system's grep or
> > cat commands in a su root shell to read /proc/kmsg.
> >
> > However, more recent Android systems have been using the newer(ish)
> > NFLOG (CONFIG_NETFILTER_XT_TARGET_NFLOG) target instead. This target
> > requires using netlink sockets to read the logging information. My app
> > uses a native binary based on
> > http://netfilter.org/projects/libnetfilter_log/ to interact with NFLOG.
> > The app installs this binary to the app's files location
> > (/data/data/com.googlecode.networklog/files/) and executes it in a su
> > root shell. This has been working successfully until SEAndroid started
> > shipping in Enforcing mode.
> >
> > My question is: Is there a simple way for the app or the end-user to
> > allow the nflog binary to run without being restricted? What would be
> > your recommendations? Alternatively, might there be a better approach
> > for interacting with NFLOG of which SEAndroid is more tolerant?
> >
> > Thanks for your attention.
>
> You need to move away from having your app directly execute setuid
> helpers (which is already disabled in Android 4.3 and later even apart
> from SELinux by nosuid mount of /system) and instead have it get its
> information from a legitimate service running on the platform that has
> the necessary access rights. So if you want this information to be
> available to apps, it needs to be read by some system service and then
> exported to apps via an API, not directly collected by the app.
>
>
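The thread turns on what the SEAndroid policy actually denied the nflog helper (the netlink socket creation quoted from the paper) and whether a narrow exemption is possible. As an added example that is not part of this thread, the script below parses AVC denial lines of the kind dmesg/logcat would show and merges them into the audit2allow-style allow rule they would require, so a practitioner can see exactly which domain, class and permissions a proposed exemption would have to grant before deciding whether it is acceptable or whether, as Stephen suggests, a platform service is the right home for that access. The log lines and the `untrusted_app` domain are constructed for illustration, not captured from a device.

```python
import re

# Constructed sample log (not from a real device): two AVC denials for the
# nflog helper creating and binding a netlink socket, plus an unrelated line
# that the parser must ignore.
SAMPLE_LOG = """
I/ActivityManager(  512): Start proc com.googlecode.networklog for activity
type=1400 audit(1398364000.123:45): avc: denied { create } for pid=4242 comm="nflog" scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=netlink_socket
type=1400 audit(1398364000.456:46): avc: denied { bind } for pid=4242 comm="nflog" scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=netlink_socket
"""

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_denials(text):
    """Return one dict per AVC denial line: permissions, contexts, class, comm."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. ordinary logcat output)
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        comm = re.search(r'comm="([^"]*)"', line)
        d["comm"] = comm.group(1) if comm else None
        denials.append(d)
    return denials

def type_of(ctx):
    """Extract the type field from a context like u:r:untrusted_app:s0."""
    return ctx.split(":")[2]

def summarize_allow_rules(denials):
    """Merge denials per (source type, target type, class) into TE allow rules.

    The output mirrors what audit2allow would propose; reviewing it shows how
    broad the exemption is (here: the whole app domain, not just one binary)."""
    merged = {}
    for d in denials:
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        tgt = "self" if tgt == src else tgt
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    for rule in summarize_allow_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```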
_______________________________________________
Seandroid-list mailing list
[email protected]