Re: Re: A question about booting process with SELinux.

2016-09-27 Thread Stephen Smalley
On 09/27/2016 03:00 AM, Weiyuan (David, Euler) wrote:
> "The rootfs is typically just unpacked from initramfs and all files within it 
> are assigned a default label based on the genfscon statement"
> 
> Do you mean the kernel labels rootfs with genfscon before init loads the 
> sepolicy into the kernel?
> 
> 
> Could you please describe in detail how the rootfs gets labeled with 
> u:object_r:rootfs:s0 during the boot of Android (such as on a Nexus)?

If you really want to delve into that level of detail, then this is what
happens:

When the inodes are allocated, SELinux initializes them with the
unlabeled SID (inode_alloc_security).  When the corresponding dentry is
instantiated, SELinux adds them to a list associated with the superblock
because policy has not yet been loaded so we do not yet know how to
label them (inode_doinit_with_dentry, sbsec->flags does not yet have
SE_SBINITIALIZED set).  When init loads the /sepolicy file into the
kernel, security_load_policy() calls selinux_complete_init() after
loading the policy.  selinux_complete_init() iterates the superblocks
with delayed_superblock_init() as the callback, which calls
superblock_doinit().  superblock_doinit() calls selinux_set_mnt_opts(),
which calls security_fs_use().  security_fs_use() checks to see if the
filesystem type has a fs_use_* rule, and if not, checks for a genfscon
rule.  For the rootfs, we find the genfscon rule and return
SECURITY_FS_USE_GENFS along with the SID/context from the rule.  Then
selinux_set_mnt_opts() calls sb_finish_set_opts().  sb_finish_set_opts()
calls inode_doinit_with_dentry() on the root inode and inode_doinit() on
any inode in the list (which in turn calls inode_doinit_with_dentry()
with a NULL dentry). inode_doinit_with_dentry() falls through to the
default case of the switch statement.  inode_doinit_with_dentry() then
sets the inode SID to the superblock SID (which came from the genfscon
rule) and is done (rootfs does not enable SE_SBGENFS).  The inode is now
labeled with the context specified by the genfscon rule.
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: A question about booting process with SELinux.

2016-09-27 Thread Weiyuan (David, Euler)
"The rootfs is typically just unpacked from initramfs and all files within it 
are assigned a default label based on the genfscon statement"

Do you mean the kernel labels rootfs with genfscon before init loads the sepolicy 
into the kernel?


Could you please describe in detail how the rootfs gets labeled with 
u:object_r:rootfs:s0 during the boot of Android (such as on a Nexus)?



Thanks.


-----Original Message-----
From: Stephen Smalley [mailto:s...@tycho.nsa.gov] 
Sent: September 27, 2016 0:43
To: Weiyuan (David, Euler); William Roberts
Cc: seandroid-list@tycho.nsa.gov
Subject: Re: A question about booting process with SELinux.

On 09/26/2016 12:23 PM, Weiyuan (David, Euler) wrote:
> Dear All:
> 
> I have a question: when and how are the root "/" and the files in 
> it labeled?
> 
>  
> 
> There are  "/ u:object_r:rootfs:s0" in file_contexts,  and  "genfscon 
> rootfs / u:object_r:rootfs:s0" in genfs_contexts.
> 
> My understanding is: first, the kernel will load the initial_sid_contexts 
> before the init process does selinux_initialize().
> 
> Then when rootfs is mounted to "/", the kernel will label it with 
> "u:object_r:labeledfs".
> 
> And after the init process does selinux_initialize() to load sepolicy into 
> the kernel, there will be a restorecon of "/".
> 
>  
> 
> Am I right?   If I am right, then when does this restorecon happen?

restorecon is only needed for /data or other filesystems that are updated at 
runtime.  The rootfs is typically just unpacked from initramfs and all files 
within it are assigned a default label based on the genfscon statement, unless 
using a real ext4 root filesystem partition (in which case the inode xattrs 
would be set when the filesystem image is generated, not when the system is 
booting).



Re: Re: A question about booting process with SELinux.

2016-09-27 Thread William Roberts
On Sep 27, 2016 00:00, "Weiyuan (David, Euler)" wrote:
>
> "The rootfs is typically just unpacked from initramfs and all files
within it are assigned a default label based on the genfscon statement"
>
> Do you mean the kernel labels rootfs with genfscon before init loads the
sepolicy into the kernel?
>
>
> Could you please describe in detail how the rootfs gets labeled with
u:object_r:rootfs:s0 during the boot of Android (such as on a Nexus)?

There is nothing happening with selinux until userspace mounts selinuxfs
and loads the policy file. The initial sid, which is the initial label for
an object, is encoded in the loaded policy along with the genfscon
statements. Genfscon is used primarily for labeling filesystems that do not
have xattr support.

For filesystems that have xattr, if set, the sid encoded in the xattr
security.selinux is used.

The file_contexts file, file_contexts.bin as of late, is used by userspace
services to properly set the xattr label on filesystems. Namely init and
ueventd use it.

The basic boot sequence is:
1. Boot the kernel and exec init
2. Initialize selinux mount
3. Load the policy file
4. Restorecon /init
5. setenforce(1) unless non-user build and Android boot variable is set to
permissive.
6. Exec init in the second stage
7. Init script calls restorecon /data and /sys to reset labels if
file_contexts changed (i.e. an update).

I'm recalling this off the top of my head, some of the ordering might be
slightly off, but the concepts should be correct. You can verify by reading
init.cpp in system/core/init for the userspace load sequence.

To answer your question concisely, selinux isn't doing anything or labeling
anything until the policy is loaded.

>
>
>
> Thanks.
>
>
> -----Original Message-----
> From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
> Sent: September 27, 2016 0:43
> To: Weiyuan (David, Euler); William Roberts
> Cc: seandroid-list@tycho.nsa.gov
> Subject: Re: A question about booting process with SELinux.
>
> On 09/26/2016 12:23 PM, Weiyuan (David, Euler) wrote:
> > Dear All:
> >
> > I have a question: when and how are the root "/" and the files in
> > it labeled?
> >
> >
> >
> > There are  "/ u:object_r:rootfs:s0" in file_contexts,  and  "genfscon
> > rootfs / u:object_r:rootfs:s0" in genfs_contexts.
> >
> > My understanding is: first, the kernel will load the initial_sid_contexts
> > before the init process does selinux_initialize().
> >
> > Then when rootfs is mounted to "/", the kernel will label it with
> > "u:object_r:labeledfs".
> >
> > And after the init process does selinux_initialize() to load sepolicy into
> > the kernel, there will be a restorecon of "/".
> >
> >
> >
> > Am I right?   If I am right, then when does this restorecon happen?
>
> restorecon is only needed for /data or other filesystems that are updated
at runtime.  The rootfs is typically just unpacked from initramfs and all
files within it are assigned a default label based on the genfscon
statement, unless using a real ext4 root filesystem partition (in which
case the inode xattrs would be set when the filesystem image is generated,
not when the system is booting).
>
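As an added illustration of the labeling path Stephen describes above (inodes queued on their superblock until policy load, then fs_use_* vs. genfscon resolution and the default case that inherits the superblock SID) and of William's point that nothing gets labeled until userspace loads the policy, here is a small Python model. It is written for this thread and is not kernel code; the function names are simplified stand-ins for the kernel functions of the same name. The policy, the three filesystems and the files are constructed sample data, and the set of filesystems that are labeled per path (GENFS_SPECIAL) is an assumption of the model, chosen so that rootfs inherits the superblock SID as the thread states.

```python
from dataclasses import dataclass, field
from typing import Optional

UNLABELED = "u:object_r:unlabeled:s0"

# Model assumption: filesystems whose inodes are labeled per path from genfscon
# (SE_SBGENFS). rootfs is deliberately not in the set, matching the thread.
GENFS_SPECIAL = {"proc", "sysfs", "selinuxfs"}


@dataclass
class Policy:
    fs_use: dict       # fstype -> superblock context for fs_use_xattr filesystems
    genfscon: dict     # fstype -> list of (path prefix, context) pairs


@dataclass
class Inode:
    path: str
    xattr: Optional[str] = None   # security.selinux value, if the fs stores one
    sid: str = UNLABELED          # inode_alloc_security: every inode starts unlabeled


@dataclass
class Superblock:
    fstype: str
    initialized: bool = False     # SE_SBINITIALIZED
    behavior: str = "none"        # "xattr", "genfs" or "none"
    sid: str = UNLABELED
    per_path: bool = False        # SE_SBGENFS
    policy: Optional[Policy] = None
    deferred: list = field(default_factory=list)   # inodes waiting for policy load
    inodes: list = field(default_factory=list)


def security_fs_use(policy: Policy, fstype: str):
    """An fs_use_* rule wins; otherwise fall back to the genfscon rule for '/'."""
    if fstype in policy.fs_use:
        return "xattr", policy.fs_use[fstype]
    if fstype in policy.genfscon:
        return "genfs", dict(policy.genfscon[fstype]).get("/", UNLABELED)
    return "none", UNLABELED


def genfs_lookup(policy: Policy, fstype: str, path: str) -> str:
    """Longest matching path prefix among the genfscon entries for fstype."""
    best = ("", UNLABELED)
    for prefix, ctx in policy.genfscon.get(fstype, []):
        if path.startswith(prefix) and len(prefix) > len(best[0]):
            best = (prefix, ctx)
    return best[1]


def inode_doinit_with_dentry(sb: Superblock, inode: Inode) -> None:
    if not sb.initialized:
        sb.deferred.append(inode)              # no policy yet: queue on the superblock
        return
    if sb.behavior == "xattr":
        inode.sid = inode.xattr or UNLABELED   # missing xattr -> default (unlabeled)
    elif sb.behavior == "genfs" and sb.per_path:
        inode.sid = genfs_lookup(sb.policy, sb.fstype, inode.path)
    else:
        inode.sid = sb.sid                     # default case: inherit the superblock SID


def alloc_inode(sb: Superblock, path: str, xattr: Optional[str] = None) -> Inode:
    inode = Inode(path, xattr)
    sb.inodes.append(inode)
    inode_doinit_with_dentry(sb, inode)
    return inode


def superblock_doinit(policy: Policy, sb: Superblock) -> None:
    """selinux_set_mnt_opts + sb_finish_set_opts collapsed: pick the labeling
    behavior, mark the superblock initialized, then label the queued inodes."""
    sb.policy = policy
    sb.behavior, sb.sid = security_fs_use(policy, sb.fstype)
    sb.per_path = sb.behavior == "genfs" and sb.fstype in GENFS_SPECIAL
    sb.initialized = True
    queued, sb.deferred = sb.deferred, []
    for inode in queued:                       # delayed_superblock_init path
        inode_doinit_with_dentry(sb, inode)


def security_load_policy(policy: Policy, superblocks) -> None:
    for sb in superblocks:                     # selinux_complete_init iterates superblocks
        superblock_doinit(policy, sb)


def labels(superblocks) -> dict:
    return {i.path: i.sid for sb in superblocks for i in sb.inodes}


def boot_demo():
    """Constructed sample: files created on three filesystems before policy
    load, then policy load; returns the labels before and after."""
    policy = Policy(
        fs_use={"ext4": "u:object_r:labeledfs:s0"},
        genfscon={
            "rootfs": [("/", "u:object_r:rootfs:s0")],
            "proc": [("/", "u:object_r:proc:s0"), ("/net", "u:object_r:proc_net:s0")],
        },
    )
    rootfs, proc, data = Superblock("rootfs"), Superblock("proc"), Superblock("ext4")
    alloc_inode(rootfs, "/init")
    alloc_inode(rootfs, "/sepolicy")
    alloc_inode(proc, "/cpuinfo")
    alloc_inode(proc, "/net/tcp")
    alloc_inode(data, "/data/app", xattr="u:object_r:apk_data_file:s0")
    alloc_inode(data, "/data/stray")           # created without a security.selinux xattr
    before = labels([rootfs, proc, data])
    security_load_policy(policy, [rootfs, proc, data])
    return before, labels([rootfs, proc, data])


if __name__ == "__main__":
    before, after = boot_demo()
    for path in after:
        print(f"{path:12} {before[path]:26} -> {after[path]}")
```

Running the file prints one line per inode: every file is unlabeled before the policy load, rootfs files pick up the genfscon context through the superblock SID, proc files get a per-path genfscon match, and on the xattr-labeled ext4 filesystem only the file that carries a security.selinux xattr gets a real label, which is why restorecon matters for /data but not for rootfs.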