Saturday, October 21, 2017

Tool Release: sefcontext-parser / sefparse

Recently I've been diving deeper into SEAndroid and building tools to map out a given device's policy, mostly for identifying vulnerabilities. This content has made its way into dtf modules.

As I was preparing my slides for ArcticCon 2017, I realized that I was missing the ability to parse the compiled "file_contexts" format that was introduced in Android Nougat. Before Nougat, this file was plain text and writing a parser was trivial. The newer format is the binary output of libselinux's sefcontext_compile tool; it is a little more involved, but is still documented by Google. The file is still typically found in the rootfs ("/"), but has been renamed from "file_contexts" to "file_contexts.bin".
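To show what "a little more involved" means in practice, here is an added example of a minimal reader for the compiled layout. It is not code from sefcontext-parser or dtf; the field order follows the sequence of fwrite() calls in libselinux's sefcontext_compile.c for format versions 1 through 4 (later versions are rejected rather than guessed at), and the sample blob produced by build_sample() is constructed inline for demonstration, so the regex back-end and arch strings in it are made-up values of the right shape, not taken from a real device.

```python
"""Minimal reader for the compiled file_contexts.bin layout (added example).

Not code from sefcontext-parser or dtf.  Field order follows the fwrite()
sequence in libselinux's sefcontext_compile.c for versions 1-4; the blob from
build_sample() is constructed here and is not from any real device.
"""
import struct

MAGIC = 0xF97CFF8C   # SELINUX_MAGIC_COMPILED_FCONTEXT
MAX_VERSION = 4      # highest layout this reader knows (assumption: later versions may add fields)
S_IFMT = 0o170000

# mode_t file-type bits -> the type flag of the text file_contexts format
MODE_FLAGS = {0: "", 0o100000: "--", 0o040000: "-d", 0o120000: "-l", 0o020000: "-c",
              0o060000: "-b", 0o140000: "-s", 0o010000: "-p"}


class Reader:
    """Bounds-checked little-endian cursor; any overrun raises ValueError."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def take(self, n):
        if self.off + n > len(self.data):
            raise ValueError("truncated at offset %d" % self.off)
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def u32(self):
        return struct.unpack("<I", self.take(4))[0]

    def i32(self):
        return struct.unpack("<i", self.take(4))[0]

    def cstr(self, n):
        """Read n bytes whose last byte must be the NUL terminator."""
        raw = self.take(n)
        if not raw.endswith(b"\0"):
            raise ValueError("string at offset %d is not NUL-terminated" % (self.off - n))
        return raw[:-1].decode("utf-8")


def parse(data):
    r = Reader(data)
    if r.u32() != MAGIC:
        raise ValueError("bad magic: not a compiled file_contexts")
    version = r.u32()
    if version > MAX_VERSION:
        raise ValueError("unsupported compiled fcontext version %d" % version)
    out = {"version": version, "regex_version": None, "regex_arch": None}
    if version >= 1:                               # SELINUX_COMPILED_FCONTEXT_PCRE_VERS
        out["regex_version"] = r.take(r.u32()).decode("utf-8")   # stored without NUL
    if version >= 4:                               # SELINUX_COMPILED_FCONTEXT_REGEX_ARCH
        out["regex_arch"] = r.take(r.u32()).decode("utf-8")
    stems = []
    for _ in range(r.u32()):
        n = r.u32()                                # strlen(stem); the trailing NUL is not counted
        stems.append(r.cstr(n + 1))
    specs = []
    for _ in range(r.u32()):
        context = r.cstr(r.u32())                  # these two lengths do include the NUL
        regex = r.cstr(r.u32())
        mode = r.u32()                             # mode_t file-type bits, 0 = any type
        stem_id = r.i32()                          # index into stems, -1 = no stem
        has_meta = r.u32()
        prefix_len = r.u32() if version >= 3 else None   # SELINUX_COMPILED_FCONTEXT_PREFIX_LEN
        if stem_id < -1 or stem_id >= len(stems):
            raise ValueError("spec %r references stem %d" % (regex, stem_id))
        r.take(r.u32())                            # precompiled regex: opaque and arch-specific, skipped
        r.take(r.u32())                            # pcre study data: likewise skipped
        specs.append({"regex": regex, "context": context, "mode": mode, "stem_id": stem_id,
                      "has_meta": bool(has_meta), "prefix_len": prefix_len})
    if r.off != len(data):
        raise ValueError("%d trailing bytes" % (len(data) - r.off))
    out["stems"], out["specs"] = stems, specs
    return out


def to_text(parsed):
    """Render the specs back into the pre-Nougat text form: regex [type] context."""
    lines = []
    for s in parsed["specs"]:
        flag = MODE_FLAGS.get(s["mode"] & S_IFMT, "-?")
        lines.append("  ".join(p for p in (s["regex"], flag, s["context"]) if p))
    return "\n".join(lines)


def _u32(v):
    return struct.pack("<I", v)


def build_sample():
    """Constructed version-4 blob with two rules, in sefcontext_compile.c's write order."""
    rv, arch = b"8.39", b"8-8-el"                  # constructed back-end version / arch strings
    blob = _u32(MAGIC) + _u32(4) + _u32(len(rv)) + rv + _u32(len(arch)) + arch
    stems = [b"/system", b"/data"]
    blob += _u32(len(stems))
    for s in stems:
        blob += _u32(len(s)) + s + b"\0"
    rules = [  # (context, regex, mode_t type bits, stem_id, has_meta, prefix_len, precompiled regex)
        (b"u:object_r:system_file:s0", b"/system(/.*)?", 0, 0, 1, 7, b""),
        (b"u:object_r:shell_data_file:s0", b"/data/local/tmp(/.*)?", 0o040000, 1, 1, 15, b"\x01\x02\x03"),
    ]
    blob += _u32(len(rules))
    for ctx, regex, mode, stem_id, meta, plen, pcre in rules:
        blob += _u32(len(ctx) + 1) + ctx + b"\0" + _u32(len(regex) + 1) + regex + b"\0"
        blob += _u32(mode) + struct.pack("<i", stem_id) + _u32(meta) + _u32(plen)
        blob += _u32(len(pcre)) + pcre + _u32(0)   # opaque pattern bytes (constructed), no study data
    return blob


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(to_text(parse(raw)))
```

Run it with a pulled file_contexts.bin as the first argument, or with no argument to dump the constructed sample. The two things worth noticing are the length conventions (stem lengths exclude the NUL while context and regex lengths include it) and that the precompiled PCRE blobs are only skipped, never interpreted: they are specific to the build host's PCRE and architecture, which is exactly why the original regex string is kept alongside them and is all a policy-mapping tool needs.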

There are already some existing tools for parsing this format (notably here, here, and here), but some are part of a larger project and all (that I could find) are written in C. With dtf, I'm trying to stay away from compiled tools in favor of a more cross-platform-friendly Python/Java combination. This inspired me to code up a quick parser in Python, which is now available on my GitHub. It has also been merged into dtf, which will automatically perform the decoding when processing the SE database.

There should be enough information in the README to get curious users started, and running the tool is straightforward. Issues and feature requests can be submitted on the project's Issues tracker.