Collect full SELinux policy on Android
Some exploits add rules to the loaded in-memory SELinux policy to grant their implants extra capabilities, rather than disabling SELinux entirely.
On Android the SELinux policies are part of the OEM system image and so should be fixed for a particular build. They can be found at multiple paths, including:
/odm/etc/selinux/precompiled_sepolicy
/vendor/etc/selinux/precompiled_sepolicy
The currently active (compiled) SELinux policy is exposed under /sys. This file can be retrieved with adb pull even though it is not directly readable from the ADB shell:
/sys/fs/selinux/policy
Unfortunately, the in-memory file is not byte-for-byte identical to the on-disk one in the few tests I have seen. There may be some standard transformation applied to the rules when the policy is loaded, which would still allow us to detect rule changes with some further analysis.
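As an added illustration (this is not AndroidQF or MVT code), the script below parses the header of a binary kernel policy and compares an on-disk policy with the active one. Both precompiled_sepolicy and /sys/fs/selinux/policy use the kernel's policydb binary format (magic 0xf97cff8c, "SE Linux", version, config flags, symbol and ocontext counts, then the policy-capabilities and permissive-types bitmaps), so one parser covers both. Only that header is parsed; the symbol tables and rules that follow need a full policy parser. Because the loaded policy is not expected to be byte-identical, a hash mismatch is reported separately from the structural differences that would actually be suspicious, such as extra permissive types. The sample policies are constructed inside the block; the field counts used to build them are sample values, not taken from a real device.

```python
"""Header parser and differ for binary SELinux kernel policies.
Added example, not AndroidQF/MVT code. Sample inputs are constructed below."""
import hashlib
import struct

POLICYDB_MAGIC = 0xF97CFF8C
POLICYDB_STRING = b"SE Linux"
POLICYDB_CONFIG_MLS = 0x1
POLICYDB_VERSION_POLCAP = 22      # policy-capabilities bitmap present
POLICYDB_VERSION_PERMISSIVE = 23  # permissive-types bitmap present
EBITMAP_MAPSIZE = 64              # bits per ebitmap node (one u64 map)


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _read_ebitmap(buf, off):
    """Decode an ebitmap: u32 mapsize, u32 highbit, u32 count, then
    `count` nodes of (u32 startbit, u64 map). Returns (set_of_bits, off)."""
    mapsize, off = _u32(buf, off)
    _highbit, off = _u32(buf, off)
    count, off = _u32(buf, off)
    if mapsize != EBITMAP_MAPSIZE:
        raise ValueError(f"unexpected ebitmap mapsize {mapsize}")
    bits = set()
    for _ in range(count):
        startbit, off = _u32(buf, off)
        (word,) = struct.unpack_from("<Q", buf, off)
        off += 8
        bits.update(startbit + i for i in range(EBITMAP_MAPSIZE) if word >> i & 1)
    return bits, off


def parse_policy_header(buf):
    """Parse the policydb header; raise ValueError if this is not a policy."""
    magic, off = _u32(buf, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    slen, off = _u32(buf, off)
    ident, off = buf[off:off + slen], off + slen
    if ident != POLICYDB_STRING:
        raise ValueError(f"unexpected policy type string {ident!r}")
    version, off = _u32(buf, off)
    config, off = _u32(buf, off)
    sym_num, off = _u32(buf, off)
    ocon_num, off = _u32(buf, off)
    polcaps, permissive = set(), set()
    if version >= POLICYDB_VERSION_POLCAP:
        polcaps, off = _read_ebitmap(buf, off)
    if version >= POLICYDB_VERSION_PERMISSIVE:
        permissive, off = _read_ebitmap(buf, off)
    return {
        "version": version,
        "mls": bool(config & POLICYDB_CONFIG_MLS),
        "sym_num": sym_num,
        "ocon_num": ocon_num,
        "policycaps": sorted(polcaps),
        "permissive_types": sorted(permissive),  # type indexes, not names
        "size": len(buf),
        "sha256": hashlib.sha256(buf).hexdigest(),
    }


def compare_policies(on_disk, active):
    """A byte mismatch alone is expected (the kernel rewrites the policy on
    load); header differences and new permissive types are the real signal."""
    a, b = parse_policy_header(on_disk), parse_policy_header(active)
    keys = ("version", "mls", "sym_num", "ocon_num", "policycaps")
    return {
        "identical": a["sha256"] == b["sha256"],
        "header_diffs": [f"{k}: on-disk={a[k]} active={b[k]}" for k in keys if a[k] != b[k]],
        "new_permissive_types": sorted(set(b["permissive_types"]) - set(a["permissive_types"])),
    }


def _encode_ebitmap(bits):
    """Inverse of _read_ebitmap, used only to build the constructed samples."""
    nodes = {}
    for bit in bits:
        start = bit - bit % EBITMAP_MAPSIZE
        nodes[start] = nodes.get(start, 0) | (1 << (bit % EBITMAP_MAPSIZE))
    highbit = max(nodes) + EBITMAP_MAPSIZE if nodes else 0
    out = struct.pack("<III", EBITMAP_MAPSIZE, highbit, len(nodes))
    for start in sorted(nodes):
        out += struct.pack("<IQ", start, nodes[start])
    return out


def build_sample_policy(version=30, policycaps=(0, 1, 2, 3), permissive=(), tail=b""):
    """Constructed sample header (no symbol tables), not a real Android policy.
    The symbol-table and ocontext counts (8, 7) are sample values."""
    hdr = struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING)) + POLICYDB_STRING
    hdr += struct.pack("<IIII", version, POLICYDB_CONFIG_MLS, 8, 7)
    return hdr + _encode_ebitmap(set(policycaps)) + _encode_ebitmap(set(permissive)) + tail


if __name__ == "__main__":
    on_disk = build_sample_policy()
    reloaded = build_sample_policy(tail=b"\x00" * 16)   # same rules, different bytes
    tampered = build_sample_policy(permissive=(1234,))  # a type made permissive at runtime
    print(compare_policies(on_disk, reloaded))
    print(compare_policies(on_disk, tampered))
```

On a real case, pass it the bytes of the pulled files (`adb pull /sys/fs/selinux/policy` and `adb pull /vendor/etc/selinux/precompiled_sepolicy`). Permissive types come out as type indexes; resolving them to names requires parsing the type symbol table that follows the header, and full rule comparison needs the rest of the policy, which is the "further analysis" an MVT module would have to do.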
We should collect the on-disk and active SELinux policies in AndroidQF and add an MVT module to parse and compare them.
Should we keep that for v1.1?