6

I am in a position to create my own boot image for my Android tablet - which means I can in theory modify the /sepolicy file to, for example, give the shell account that is used by adb shell sessions, complete root privileges.

How do I do that? How can I e.g. list the data already in that file, and then modify them?

Community
  • 1
ttsiodras
  • 2,371
  • 1
  • 21
  • 26
  • Is the problem that you want to obtain the current /sepolicy file but you lack the permission to read it? Or that you have the file but you don't know how to parse it into something that can be edited meaningfully? If it's the latter, note that /sepolicy is likely to be an automatically generated file, and figuring out how it's structured is hard, just like it's harder to read disassembled binaries than the original source code. Did you check if the source code of your Android image is available? (Google's is but some vendors don't publish theirs.) – Gilles 'SO- stop being evil' Sep 30 '15 at 22:34
  • @Gilles: It is the latter - can you tell me what to look for in the "source code" sense? ie. what are the files that drive the creation of /sepolicy? I have the complete OverTheAir (OTA) update zip file from the manufacturer - that's where I got hold of the boot.img, opened it, and unwrapped the initrd.img - which gave me access to /sepolicy. Any pointers to what are the "sources" and the tool(s) invocation(s) that parse them and create /sepolicy will be most appreciated. – ttsiodras Oct 01 '15 at 10:34
  • There is a similar question on Android.SE: Examine android (v30) selinux policy. I give a step-by-step procedure to build yourself an environment allowing you to fetch, analyze, modify and flash back Android's sepolicy files. – WhiteWinterWolf Aug 15 '16 at 14:48

1 Answers1

3

After a lot of searching, I found exactly what I needed - the page shows how to use sepolicy-inject to manipulate an existing /sepolicy file.

Executive summary - I can now root my tablet in a generic manner, without any exploit whatsoever... I can just massage my boot image initrd to contain tweaked policy settings for my ADB shell.

EDIT: The journey continued - I eventually patched and compiled my own kernel and became root.

Community
  • 1
ttsiodras
  • 2,371
  • 1
  • 21
  • 26
  • It would be great if you could say a little something about how you actually compiled sepolicy-inject. I've been having a horrible time compiling a any version of libsepol that can grok the android sepolicy format. Better yet, answer here and I'll gladly give you reputation (even though I don't mention sepolicy-inject, I get the same problem with that tool): http://android.stackexchange.com/questions/128965/examine-android-v30-selinux-policy – user3188445 Nov 16 '15 at 08:33
  • @user3188445: I ended up going a different way - if you follow the last link in my post you'll see that in the end, I didn't modify the policy file - I recompiled my tablet's kernel and booted from it. Also, I am afraid I can't help with your compilation effort... on my side it wasn't an issue (I did the work inside an Ubuntu 14.04 docker container, and via the stock Android SDK/NDKs). – ttsiodras Nov 17 '15 at 08:55
  • So there was no command-line option (like enforcing=0 or selinux=0) that you could give, and you really had to recompile the kernel? Or what about just editing init.rc to run setenforce 0 (or write /sys/fs/selinux/enforce 0)? But I guess what you did works. In my case, I'm hoping to keep selinux, just amend the policy slightly, so I haven't looked into totally disabling it. – user3188445 Nov 17 '15 at 10:45
  • @user3188445: I had to recompile my kernel, because no matter what I tried (including your two suggestions) I could not disable SELinux (or switch it to permissive). I can only imagine that the manufacturer's kernel had extra measures taken to stop me from doing this - so I had to compile my own. Thankfully, they did provide the sources - so I was able to do it. – ttsiodras Nov 17 '15 at 13:29
  • @ttsiodras can you please in detail write the specific steps (commands) you wrote for doing it for adb? – user2284570 Mar 28 '20 at 19:24